May Brooks has been a seasoned Information Security consultant and lecturer since 2003. She began her Cyber security career in the IDF and after leaving the army in 2006 she served as a Security architect, consultant and CISO.
In 2017 May founded Helena – a security consulting firm specializing in building and managing awareness campaigns and professional security services (CISO as a Service, ISO27001 compliance, security assessments, BCP, etc.). The company provides its services to dozens of Israeli and global companies.
May is also involved in various cyber volunteer work: lecturing in schools, advancing women in Cyber and President of the (ISC)2 Israeli chapter.
May is an international lecturer and public speaker – she brings her personal knowledge and experience combined with public information, academic findings and research to the stage, to produce engaging lectures that capture the audience.
The CISO’s role is a very high-pressure, high-stakes job. What is the right profile for this job?
The Job of a CISO is never boring. The challenges are endless and I know that no matter how strong my security framework is, the bad guys only need to succeed once.
There are a few things that help me cope with these challenges:
- Have a strong relationship with the board and C-level executives. One of the things I invest in is getting management on my side. It is vital in order to get both the resources needed for a successful security program and their support when communicating with internal parties that may not have security on their mind.
- Remember it’s a marathon and not a sprint. Being a CISO is very stressful, but you cannot burn yourself out. For example, when I get the results of a penetration test I ordered, my initial response is to pull all-nighters to mitigate the findings ASAP. However, I remind myself that although findings have to be addressed, and soon, we need to set a work plan – one that we can live with and work on, and not respond from a panic state of mind (that is, unless there’s reason to panic…).
To do the job successfully a CISO needs to have a set of skills. We need to understand technology, but even more important in my eyes is to understand the business: its opportunities, challenges, goals, competitors, etc. Taking these aspects into account will help the CISO build a strong, business-oriented security plan.
The new CISO needs to understand business, and I encourage aspiring CISOs to think about getting an MBA; I feel that my MBA allows me to communicate with executives, understand the business and build a stronger security plan – customized for the specific business.
As mentioned, the work of CISOs is high pressured – as a woman in cyber security how do you create a work-life balance?
First of all, I believe that creating a work-life balance is not a “woman” thing – most people would like to have more balance in their lives. In the past I thought that there was no way you could really balance work and life as a CISO; however, that changed for me. Although there’s always a lot of pressure as a CISO, the workload and pressure do not lighten when you work 14-hour days, nor do they increase when you’re working 8-hour days.
I believe that if you manage your time correctly you can focus better and achieve more. Research shows that working long days reduces productivity. In the past 2 years I reduced my working hours dramatically, but I experienced an increase in my productivity.
There are days that I stay long hours – but only when it is absolutely required.
I think that one of the things that deter women from the industry is the long work hours. From my experience, with enough determination and time management skills (which can and should be developed) one can achieve balance, and it is in all our interest. As a CISO – there’ll always be more work to do…
How do you communicate information security issues to the board?
As I mentioned before, having the support of the board and C-level is crucial for a successful security plan.
The first thing I do when starting the role of a CISO is to organise a Security Steering Committee (if there wasn’t one already) and introduce myself and my security vision. It is vital for me to get the buy-in of management so that I can realise that vision.
In every presentation I give to the board, whether as CISO or as an external consultant, I begin by talking about the impact security has on the business. I use examples from the same industry to get their buy-in. Seeing the numbers makes it real for executives and having the CISO understand the business needs is vital to get managers’ trust.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
For me, as I believe for most CISOs, it’s easier to invest in new technologies than trying to change the security culture within the organization. However, enhancing security awareness among employees is, in my eyes, one of the most important things a CISO should do and in the last few years that has been my greatest goal as a CISO.
Hard in training – Easy in battle. I want my employees to become the strongest link rather than the weakest one.
Building a strong awareness program is not a “one size fits all” thing. You must build the program in accordance with your business and even differentiate between different parts and teams within the business. I usually separate between: Management, HR & Legal, Sales & CS, and R&D. When I build a customized plan, each team feels that I understand their specific requirements and challenges, making it easier for me to get their support. For example, when using a phishing simulator I can send targeted simulations:
- “Email Password change request” – to all employees except R&D.
- “GitHub Password change request” to R&D.
One of the strongest tools I have found in building awareness campaigns is talking about personal issues. People care more about their personal life than the business, and when I educate them about staying safe online at home, when online shopping, on vacation, maintaining privacy on social media, etc., it changes their personal behaviour, and the business benefits from better educated employees and reduced mistakes.
Threats are everywhere and always changing. How to address this difficult reality?
One of the things I love about this industry is the fact that it is ever changing. My way of dealing with this challenge comprises two things:
- Remaining updated – I spend a lot of time researching new threats. I am active in various professional groups and always on the lookout for the threats relevant for my company.
- Do not be captured in the paradigm – it’s easy to fall in love with a work plan; after all, we spent a lot of time and energy building it. However, this is not a privilege CISOs have. I review my work plans every quarter to ensure that they are still relevant and accurate to my business needs and current threat map.
I’m not saying that annual and multi-year plans are not worthwhile; we need them, especially for long-term projects. But we have to remember that this industry changes so rapidly that by December 2019, I’m sure my annual work plan that I just approved and spent a lot of time and thought on will change, and that’s part of what I love about this industry.
You’ve been in the industry for 15 years. What are some of the biggest changes you’ve seen in terms not only of threats, but also how cybersecurity is viewed in an organization?
When I started in this industry back in 2003, most people had no idea what information security was. Most SMB/SME organizations did not have a security function. Firewalls, antivirus, etc. were under the domain of the IT department.
I think that as time goes by, the risk is becoming clearer not only to IT and security professionals, but to everyone.
In the past few years I have seen an increase in the number of businesses that understand the need for a professional CISO to lead the security posture of the company. Not one that configures the tools and technologies that are in place, but someone who will look at the business as a whole, understand the specific risks and build a security plan accordingly.
The changes in regulators and their demands on directors and officers, not just on IT and security professionals, also change the way security is regarded by managers and executives.
15 years ago, while serving as an officer in the IDF, a fellow officer in my unit asked me if I would like to stay on for two additional years of service and go into information security. I had a vague idea what information security was, and I was planning to go to med school, but it sounded interesting so I decided to go for it. 15 years later – I absolutely love what I do. This industry is ever changing. The challenges are endless. I had the privilege of serving in different roles, in different industries; I’ve been a consultant, project manager, architect and CISO, and each role was challenging in its own right.
I cannot wait to see what the future (and the hackers) have in store.