Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.
CISOs are grouped together because of their technical and security skills but each of them takes a unique path to their position. Kirsten Davies, the SVP and CISO at the Estee Lauder Companies, might just have one of the most uncommon journeys if not the longest. In her early years she was interested in music, language, and the visual arts. She plays the piano, the flute, sings, and writes songs. At the age of four she was performing on stage.
Cybersecurity and the arts don’t seem to have a lot in common, but Davies believes that her early exposure to music and language has done much to shape her strengths. “It opens up a world for you that allows your brain to think in very, very different ways,” she says. “A creative person can be extremely analytical, able to synthesize things, see harmonies, and recognize patterns. The ability to view motifs and to pull out anomalies are skills that are critical in our cyber analyst world, and in coding, and essentially in AI [artificial intelligence].”
Davies’ introduction to technology was born of her love of the arts. “I just started learning how to code websites so I could create things that I wanted. I would draw something, and then I learned how to create it on a computer.” That evolved into an early career as a consultant helping companies shape transformational work around finance, HR, and IT.
While working on these IT transformation efforts, Davies recognized that there was a lot of risk associated with these large enterprise systems. “I stumbled into security from the risk side of the house.”
Davies’ cybersecurity journey has been a global one. She has held senior positions at Siemens, Hewlett-Packard, Barclays Africa Group and now Estee Lauder. In her career she has worked in Australia, Germany, England, South Africa, Canada and the United States. Her globetrotting isn’t limited to just where her office is located. In 2016 Davies flew more than 200,000 miles, spending the equivalent of three months in the air.
Throughout her travels, Davies has learned invaluable cultural nuances with respect to cybersecurity and has also been able to apply some of these across her various stops. “It’s a constant engagement mechanism to build awareness, understanding, and partnerships. We don’t own what we have to secure, such as the IT infrastructure. So you’re constantly building awareness and partnerships to execute.”
Davies has seen much of the world, and her combined experiences have shaped her into the professional that she is. “Having had to morph and to be a chameleon in a lot of different environments has really helped me with my security journey,” she says. “I think about problems very differently.”
Connecting the Dots
“I’m a very outside-the-box thinker,” is how Davies describes herself. By thinking differently she brings a perspective that allows her to look beyond organizational silos. One thing she has noticed is that there is a correlation between the modus operandi of fraudsters and that of cyber threat actors. Both are after financial reward, either directly or by capturing data that can ultimately be sold, and both use many of the same techniques. “When you look at these things in silos, you miss the opportunity for the multiplication factor and to really provide a lot of threat fidelity to that,” she says. Making connections across multiple disciplines, such as cybersecurity, information resilience, fraud, investigations, and physical security, allows them to converge into a comprehensive risk management program. “It’s been a change management thing just to get people thinking security is not physical and it’s not just cyber, it’s all of it.”
Her philosophy is that security people are “professional dot connectors.” By looking at the problem holistically, CISOs have an opportunity to bring together business, IT, security, operations, and internal and external audit in order to “help translate tech into a risk discussion.” Davies reiterates that “cyber is more about enterprise risk management than anything else. You can never make a company 100 percent secure.” You can, however, make risks transparent by highlighting them and helping the business to prioritize what is most important.
Culture, People, and Processes
The skills shortage in cybersecurity is a prime concern, and Davies has been deeply engaged in this. “I think in the different roles that I’ve been blessed to be able to have, I’ve seen that on the ground.” It helps that she is fascinated with the people and process side of the cybersecurity equation. She believes that the industry is beginning to do something about this. “I see that from a very strategic sense. Whether that’s taking a blended approach to leveraging highly advanced supervised learning, and AI, and all of that from a capability perspective. Essentially, it’s not just replacing humans, it’s enabling humans to do much more value-add work and allowing tools to do the commodity work, and to learn and respond a lot more quickly than we can.”
While at Barclays she created and piloted a program called the Africa Converged Security Academy. The bank, working with Rhodes University in South Africa, developed a 14-week curriculum to see if they could “create entry level cyber analysts” in order to start addressing the shortage of skilled personnel at a grassroots level. There were over 700 applicants for just 20 places in the pilot program, and 19 of those 20 were offered entry-level jobs in her security program upon graduation. She says much was learned along the way about how to teach people about the security field, and that the pilot was a tremendous success.
CISO and Emotional Intelligence
Davies’ vast experience has led her to conclude that CISOs have one of the toughest jobs there is, primarily because in many ways it is a thankless job: most of the attention comes when things go wrong. “It’s a core function, not a business unit and not just IT. We can often be treated like we’re not core, like a blocker, but we have to get things right – the partnerships, the execution, the board visibility and support – because if there’s an event, the impact on the enterprise can be huge.” She believes that CISOs need to be strategic in how they build, innovate, and run their programs.
CISOs need to develop their emotional intelligence (EQ) in order to be a strong partner in the development and implementation of the enterprise risk strategy. “We’ve been the quiet protectors behind the keyboards and buried away to scan and fix the code,” said Davies. “But security is not an IT problem – it’s an enterprise risk problem – and we have to increasingly be on the front foot, in the middle of strategy discussions because our mandate is at the center of organizational strategy.” She also said that a key to success is for CISOs to have accomplishments about which they can say, “Yes, I just did that.”