CISO Liz Joyce: Cybersecurity leadership requires more than technical chops
Liz Joyce, CISO, HPE
Liz Joyce has been fascinated by cybersecurity since her student days. She has had a ringside view of the evolving threat landscape as individual hackers and script kiddies have been replaced by hacktivists, state actors, organized cybercrime rings, and other cunning adversaries. As Hewlett Packard Enterprise’s chief information security officer, she not only has to consider these threats, but her team also has to deal with formidable management challenges, from workforce development to infusing a cybersecurity perspective across HPE. In an interview with enterprise.nxt, Joyce shares insights and advice from decades of experience in the field.
How did your career in information security get started?
I always loved math and science. I was kind of a science geek and loved to watch TV shows about science and go to lectures, even as a kid. That passion continued, and I decided to major in computer science in college. When I started, I thought about doing robotics, which was really interesting, but I found that the software side was far more interesting.
I did some post-graduate work with a research team in Europe that was looking at distributed networks. One of the facets of this research was security. It wasn't even called “cybersecurity” back then, but rather “information security.” It was fascinating—so much was unknown—but there was a real logic and different variables that I found to be a great academic challenge. I also realized that I wanted to take whatever I learned in academia and make sure that I applied it in the real world.
So I started working as a consultant and made sure I was with a tech company where I could apply what I knew, but that wasn’t enough. I wanted to work with other security specialists, so I moved on to a security company to continue that exposure. I discovered how you could really apply those challenges and see how security solved real-world problems, whether you were talking about satellite communications or in healthcare. Security was just everywhere. And that's what I think really grasped me. It was the size and scope of what you could do.
Early on, was there any event that crystallized the importance of your work?
At one point, I was part of a security operations team and we were delivering services to customers. I remember sitting on the operations floor and somebody taps me on the shoulder and says, “Liz, look up." We had set up a dashboard using data analytics, and it was the day the Code Red worm hit. The analytics were showing where issues were popping up, and it literally was like watching the earth turn red, starting in the Asia-Pacific area and then moving across the globe.
The scale and the impact of what we could do really hit me then. I realized how much of a difference you could make in solving a problem that wasn't isolated or individual but really on a global scale. It’s not only fascinating, but there is also the satisfaction of knowing that you’re helping protect people. While it sounds cliché, it’s about fighting the bad guys.
How have the threats changed? What’s keeping security professionals and CISOs awake at night today?
So much has changed! I think it comes down to four key things: the scale of an attack, the speed of an attack, the attack’s sophistication, and the organization of the adversaries you are dealing with.
Consider how the scale has changed. When I started, a data breach or an event happened maybe once per year. It wasn’t on a weekly basis or even the daily headlines that we see today. And a breach of 10,000 records or 100,000 records was just shocking to people. Jump forward to today and we’re talking about 75 million or even 145 million records in a single incident. The scale has changed everything we do.
Then you look at the speed dynamic. Technology is wonderful. It makes our lives better, but at the same time, your adversary now has access to the same sophisticated technology. This means the bad guys are now coming at us through different channels and on different vectors, with intensified speed. Vulnerabilities used to be weaponized in months. Now, you have situations in which you're talking about weaponization within weeks, days, and sometimes even hours.
On top of that, there are variants. So even if you think you solved the problem, it's continuously changing, even down to malware that can now assess a system and decide which is going to be the most effective way to breach that system, such as harvesting credentials or using ransomware to lock it up. It’s a huge challenge.
As for sophistication and organization, we used to think of our attacker as being somewhat “noisy”—that whole notion of script kiddies and individuals carrying out an attack—but you generally could see them “knocking at the door,” which let us figure out they were there. Today, it's not that scenario anymore. Now, we’re dealing with hacktivists, nation states, and large cyber organized crime groups. They're getting a lot smarter, and they realize that defenders are trying to figure out attribution. So now, they're taking steps to cover their tracks so you don't even know they're there.
How do you keep on top of all this?
If you have the right people—smart, dedicated, and the types of people who can figure out issues—that's a huge part of solving the problem.
But there's a real challenge in hiring the right people, with the latest reports predicting millions of vacancies in cybersecurity jobs. For a company, it’s not only a question of finding the right people; you also have to think about how you retain those people because there's a lot of competition in this market. And you also have to think about how you can address this talent gap in the meantime by leveraging things like automation and orchestration to complement and strengthen the manpower of your security team.
What's your advice for companies desperately short of talented people in the field?
There are a few ways to approach the problem. First and foremost, you want to be recognized as a place that attracts the right sorts of skills and resources. This means using innovative technologies and innovative processes and having the support of the business. At HPE, we absolutely have that commitment. It makes a huge difference, because those folks who are part of the cybersecurity team know that they are contributing, they are valued, and they have support to get the job done.
Obviously, you can also leverage other consulting skills, and again I have the luxury of being in a company that has resources to do this with our Pointnext team and our partner ecosystem. We also constantly seek to enhance and grow our team and provide new opportunities, whether it's rotation or sharing of ideas that gives people a reason to want to stay and be part of the team.
From a longer-term perspective, we as an industry really need to think about fostering a more diverse cybersecurity talent pool. For example, women compose only 14 percent of the cybersecurity workforce. It’s my belief that we in cybersecurity need to commit to reducing barriers and biases—whether institutional or social, whether conscious or unconscious—to encourage more minorities and women in the field and ensure that it’s an equal playing field. This will be key to closing this talent gap.
What sorts of outside-of-the-box approaches do you use to recruit?
There's been a lot of focus on internships and training programs to source new cybersecurity employees. But I would say what has changed is the profile of prospective employees.
Previously, it was pretty narrow. There were certain technical skills and criteria, and that's still hugely valuable. But we’ve taken an approach now that's far more diverse in looking at certain capabilities. For instance, we’ll look for people who are good at pattern recognition or analytics and then provide them the training and path to be part of the team. That translates really well into a broader set of cybersecurity skills and requirements that companies need today.
Aside from the support of the business, what does leadership need to further the mission of cybersecurity?
If you have a cyber-savvy organization, where everybody views it as part of their job to think about the security of the company in everything they do, that dramatically helps protect the company. Whether it's somebody in administration or accounting or your engineers and your R&D department, it doesn't matter. The classic phrase, “All you need is one person to click on a suspect link,” really rings true, because it can undermine a lot of other cybersecurity controls that are in place. But if you have a whole organization that embraces a cybersecurity-aware culture, it makes a really significant difference.
Three key security priorities are protection in the core, detection, and recovery. Yet in the technology media, it seems a lot of attention is focused on detection or protecting the core, not so much on recovery.
Recovery is just as important. The reason why: It's not an issue of if companies are going to have an incident, it's when they are going to have one. And it's not only about how you react, but also very importantly—and I think really lasting in its impact—is how you recover. That could entail going through some business continuity process, and what you're trying to do is recover data or ensure that you have sustained the operation.
If you look at recent attacks such as WannaCry and NotPetya, you can see how negatively impacting that was for some companies and institutions around the globe, for the people that were relying on them for services. It wasn't just a few hours or days they were impacted—it was weeks and months.
How you recover from such attacks so that you can continue to function is just way too important. There's no point in going through an instance or an event and then being down and out and unable to continue operations after the fact.
What do you like to read?
My husband has helped me adopt a love of sci-fi. I used to be all about the classics when I was younger, but he's helped me appreciate sci-fi. In one way, it lets you disconnect from the day to day, but in another it helps you look at the new possibilities. This relates to why I love science and technology. I used to prefer just looking at technology in the real world, but now I do quite enjoy it in the fictional world, too.
And the other reading interest relates to my kids. I have young children, so there are a lot of stories about dancing animals and singing things these days. My children have actually broadened my repertoire of reading. It has certainly been enjoyable!
Where do you see the information security field in five or 10 years’ time?
There will be many more technical challenges. We're looking at leveraging AI far more extensively. AI has immense potential to accelerate response times, provide more context about complex situations, and automate mundane processes—freeing up analysts to focus on hairier security concerns.
But with AI, you also gain other things you now need to protect: the AI algorithm itself and its data. We need to ensure that these are not manipulated to cause unforeseen outcomes. As AI becomes increasingly integrated into our daily lives, these assets will become very valuable gold mines for malicious actors—and this is something we practitioners need to start thinking about now. This is true for each new emerging technology: They have the power to help us be better security practitioners but also become very desirable assets for hackers and, in their hands, equally powerful weapons.
A larger, more encompassing issue is how cybersecurity is viewed. There needs to be a big shift from regarding cybersecurity as solely a technical issue to thinking of cybersecurity from a risk perspective and a core requirement in everything we do. It should be just integrated into how you look at and evaluate risk across your company or even across an industry. It should be not just a technical risk but part of the enterprise risk management process.
Additionally, cybersecurity needs to be built into everything we do—you can’t just come along after the fact and tag on a "security feature." People need to embed it into services and products from the get-go and even the processes we rely on to build these things. To do this, we need to really transform cybersecurity from an afterthought into an enterprise culture and mindset.
A CISO's perspective: Lessons for leaders
- To address an acute shortage of cybersecurity talent, companies must commit to reducing barriers and biases to encourage more minorities and women to enter the field.
- AI presents opportunities to speed response times and free up analysts to focus on high-priority matters but also presents an opportunity for malicious actors. Cybersecurity professionals need to stay on top of this emerging technology.
- Cybersecurity is more than just a technical issue requiring technical solutions. Management needs to consider it from a risk perspective and incorporate a cybersecurity perspective into core business activities and planning.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.