UPDATED 16:00 EDT / JULY 22 2019

SECURITY

CISO to STEM ladies: Cybersecurity needs you

What is cybersecurity? A mystic realm where hoodie-wearing hackers in dark rooms weave their protective magic? Or an attitude of awareness and responsibility from everyone?

The answer is, of course, the latter. Cybersecurity has come into the spotlight as businesses understand that each and every employee must do their part. But while the world is picking up the security baton, changing the professional face of the industry is a work in progress. With a few notable exceptions, attendance at security-focused AWS re:Inforce 2019 was overwhelmingly white and male. While women may be used to being a minority in cybersecurity, it doesn’t mean they aren’t working for change.

“I certainly have grown a little bit accustomed to it, but not so accustomed that I’m not motivated on a daily basis to bring more women in,” said Katie Jenkins (pictured), senior vice president and chief information security officer at Liberty Mutual Insurance. “The diversity of thought, no matter how that diversity is expressed, is really important to doing the work that we do.”

Jenkins spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the recent AWS re:Inforce event in Boston. They discussed the cultural changes of shifting away from fear-based motivators to collaborative incentives around cybersecurity, the costs of cybersecurity, and Liberty Mutual’s take on shared security responsibility (see the full interview with transcript here).

This week, theCUBE spotlights Katie Jenkins in our Women in Tech feature.

Security requires people skills

“I think a great security professional is a great communicator, a great collaborator,” Jenkins said. She actively searches for women and minorities with the skill sets she needs, and it’s not only security experts on her must-hire list.

“I need technologists, I need developers, I need process experts. I need people that think very deeply about assurance-type controls,” she stated.

An understanding of how people think and act — human psychology — is another important skill in cybersecurity. And it’s one that can’t be skipped when the focus is on technology at the expense of user experience. Jenkins’ team recently transformed a clunky, unfriendly system that Liberty Mutual managers once used to approve employee security access. The old system was “ugly,” according to Jenkins, and users would be so frustrated by the confusing interface that they would give up, abandoning the task they were attempting. Not so with the new design.

“[The] user experience expertise that overlaid in how we developed our new platform just makes all the difference,” Jenkins said.

From STEM student to CISO

Jenkins was a female pioneer on the STEM path. She started her career with a degree in mathematics, then spent two decades working in risk and compliance practice management in various industries. Her past experiences include working with business advisory services powerhouse PricewaterhouseCoopers LLP, network infrastructure and domain registry authority Verisign Inc., and communications giant AT&T Inc. She has been with her current employer, global insurance provider the Liberty Mutual Group, for most of the past decade.

As director of information security, Jenkins oversaw the company’s commercial insurance security and risk management. Wanting to stay ahead in the rapidly changing security landscape, Jenkins enrolled in the Executive Master’s in Cybersecurity program at Brown University. As well as giving her “a big picture context and inspiration for how we can strengthen and broaden our approach to the public cloud,” the degree was a boost to her career. Shortly after graduation, she was promoted to VP and senior director of cloud and security enablement. A year later, she became a senior VP and Liberty Mutual’s CISO.

Jenkins’ appointment as CISO was part of a transformation strategy that is bringing the 107-year-old company into the digital era.

“Liberty Mutual has made a very significant commitment to moving to the public cloud for our technology and computing needs,” Jenkins stated.

Three years into the journey, the company has approximately 25% of its workload in the cloud. “It’s really been a catalyst for not just transforming our technology organization, but transforming … the ways security engages with our development community,” Jenkins said.

No-fear security

“Enablement” is the word Jenkins chooses to describe what cloud security means for her. “The public cloud offers us a really interesting opportunity to reinvent security,” she said. “We have an opportunity to leverage automation, to make our work easier … through using automation and enforcement. It’s an exciting opportunity to further develop our security capabilities.”

Part of this reinvention is changing the image of security. Rather than a minefield to treat with caution, “security is an area of partnership. There’s very little of what we do in security that’s just done by security practitioners,” Jenkins said.

Instead of installing a culture of fear around security, she advocates security training and awareness across the board.

“We need to both empower our developers to do their work in a secure manner and … empower our whole workforce and our trusted third parties to make good decisions,” she said.

Trust is a keyword when selecting providers, with CISOs responsible for securing the ecosystem. “We are really giving a lot of thought to the area of third-party risk management and if we understand not just the elements of cyber risk and engaging with a third party, but privacy and continuity kind of risks too,” Jenkins stated.

Shared responsibility in the cloud

Liberty Mutual cloud provider Amazon Web Services Inc. recently announced a new shared responsibility security model for the cloud. In this model, Amazon takes responsibility for security of the cloud — hardware, software, and global infrastructure — while customers take responsibility for security in the cloud — their data, operating system, network, firewall, applications, etc.

As an insurance company, Liberty Mutual holds a lot of personal information from customers. With the shared responsibility model, Amazon focuses on protecting areas such as compute, storage, and the database layer. And Liberty Mutual focuses on data privacy.

“Our duty is to protect policyholder data. It doesn’t matter if it’s in the cloud or if it’s in our data centers. We have that duty to protect,” Jenkins said.

Shared responsibility is also part of the Liberty Mutual culture. Jenkins reports regularly to the board of directors and engages with them on security strategy, tactics and results.

“I feel pretty lucky to both have the opportunity and get to speak pretty deeply to our program,” Jenkins said. “[The board of directors] want to see demonstrated progress against areas that we’ve self-identified that we’d like to improve. But they’re also looking to see that I have a vision for where we’re going, being fully cognizant of the work that we’ve done in the public cloud. And they want to understand that the level of trust they have in our security program on-premise will perpetuate and advance into the cloud.”

Here’s the complete discussion, part of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Inforce event:

Photo: SiliconANGLE
