Women and Nonbinary People in Information Security: Magda Chelly

This is now my third year of interviewing women in information security for Tripwire’s The State of Security. My experience has been amazing so far. I have learned so much from so many people – a few of whom were transgender and one nonbinary. In response to this diversity of viewpoints, I decided to rename my spring 2019 series to be more inclusive. This is my 57th interview in this series. None of this would be possible without the encouragement of Joe Pettit. (So, Joe, I know you’re reading this, and I want to thank you.) Tripwire also has a reoccurring charity initiative called #Tripwire4Tech. Four charities have been supported by the initiative this year, two of which – Girls Who Code and Women in Technology – specifically help girls and women to pursue computer technology careers. So, without further ado, here’s the first interview for 2019. Magda Chelly is a friend of mine. We have done a little bit of writing and research work together. Now she has an exciting new CISO (Chief Information Security Officer) job! I was thrilled to get a chance to talk with her more in-depth. Kim Crawley: Tell me a bit about your professional background, Magda. Magda Chelly: I have a technical background with a telecommunications engineering degree and a Ph.D. in the same field. Since I was a student, I really enjoyed building things. I was developing websites, and I loved it. My favorite languages were HTML, PHP and CSS. After my engineering degree, I started breaking things. This did not immediately start my cybersecurity career. I have continued working on it as a passion. I was a consultant at the early stage of my career, then I moved to business and pre-sales roles across various industries. That gave me an amazing overview of different roles and perceptions. However, I did get bored. That was my trigger to go back to cyber for good as a professional. I am now a regional business information security officer for all Asia Pacific after being an ISO lead implementer and a CISO for various companies in Singapore. I have also worked on different projects – from security awareness programs to cybersecurity maturity assessments. KC: Excellent. Please tell me more about your new CISO role. MC: My first experience as a CISO started very quickly and unexpectedly. I was given the responsibility with a team and a bunch of vendors. When I started the project, I realized how broad my scope was as everything was to be built. And that became my best value for companies later on... Helping a business have the right balance between risk with the right processes, technical controls and general awareness was only effective with a holistic approach and different angles. My current role is in a mature environment where my tasks are... many but clearer. And I am also more experienced. That helps a lot. Of course, I am always staying vague due to confidentiality; however, I must say that every CISO assignment is different, and I discover a different maturity and culture within an organization. KC: What are some misconceptions people have about the CISO role?

"I think people tend to believe that a CISO needs only technical skills or needs only leadership skills. I would say that the best CISO profile would have a holistic understanding of the different areas in charge with a very good leadership acumen." –MC

The main added value of a CISO is discussing the right topic with the right audience using the right language. KC: Do there need to be more female and nonbinary gender CISOs? If so, how can we attract more to the role? How can we persuade C-Suites to hire women and nonbinary gender people for the position? MC: The current representation of women is not enough and does not encourage young female cybersecurity professionals as they do not see the future evolution of their careers. I think the situation is actually bad in general, and we need to work much more around inclusion and diversity in the industry. Gender should be equally represented if possible in the teams. Our communities and societies are not built with the same profiles or clones. We are where we are in the world because we are different, and those differences allow us to create amazing things and advance towards a greater world. In the case of cybersecurity, it would be a safer world. Attracting more diversity into cybersecurity is a popular topic nowadays, but how we actually act on is a slightly less discussed aspect.

"In the first place, bringing in different success stories is key. There is no one unique way to succeed in a cybersecurity role; there is no one unique path to education. There are commonalities, but that doesn’t define the norm especially in an industry like cybersecurity where many are self-taught." –MC

Showing success stories from various lifestyles and work styles opens new perspectives and brings new opportunities. The second practical aspect would be to judge a profile by the skills and realize that we do have unconscious biases. The hiring managers should have a discussion with the CISO or the team to understand what they really want and need. Are those driven by just some biased thoughts, or are those driven by key skills required to build a successful team? The third point that I would address is building a positive culture within the security team. I am now seeing more and more amazingly diverse and successful teams where the culture of “thank you,” “please,” “join us for lunch” are common team activities and kindness actions rather than individualism. KC: Excellent! Do you think the responsibilities of CISOs will change as time goes on? MC: The CISO role will evolve, and it is already taking a turning point, as the industries do not consider the CISO technical only anymore. The role of CISO must be defined as a business enabler. To achieve that in particular, it means that the CISO can include himself or herself within the company's operations and understand how it works. I always like to say have "a day in a life of." This helps tremendously to understand the others' jobs and therefore consequently change the culture and build an efficient cybersecurity programme. I personally involve myself in all business aspects. I want to understand how it operates, how salespeople work, why certain technical decisions have been made and so on. That allows me to have that holistic approach. Thus, the future CISO will need to have a security, technical and business understanding with a pragmatic and innovative approach to new emerging technologies. Understanding the business priorities, as well as the business risk appetite are crucial to move forward and understand where liabilities stand. KC: I've worked with you before, and you clearly have a lot of knowledge about security policy. Is there anything else you'd like to add before we go? MC: The general advice as a young CISO I would give to other security professionals is that there is an extremely important aspect about security that big companies tend to ignore. The cultural and working diversity between countries is very important to consider in order to build a resilient organization. The best CISOs will embed cybersecurity into the foundation of new initiatives and include them in the various organizational processes. Bringing usability, security, culture and business efficiency as the main goals of the CISO. It is not an easy task and the CISO job requires a lot of hard work, strategical thinking, and sometimes fighting the right thing to do before going live. I love my role, I try to always help bring that balance and sometimes, unfortunately, it is not that simple nor achievable. However, when your team understands your intentions, they will definitely support you.

Previous Interview

• Chrissy Morgan

Next Interview

• Ashanti

---

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.