Outside what box? What happens when smart women tackle tough InfoSec challenges
Editor’s note: In the second of a two-part series, BAI Banking Strategies Online retraces the steps taken by three female InfoSec executives that led to industry success. To read the first part, click here.
Working as a bank consultant on information security, Georgia Weidman, founder and chief technology officer of Bulb Security LLC and mobile security startup Shevirah, entered the IT security fold more readily than most.
Starting in computer science in graduate school at James Madison University, Weidman joined her school’s cyber defense team “despite not knowing anything about computer security.” Still, she managed to leverage her passion and facility for security into a job as a penetration tester. And that ultimately led to a gig doing security research for companies—including three of the country’s top 10 banks.
Like other female professionals who’ve risen in the ranks of financial InfoSec, Weidman not only spotted emerging opportunities in penetration testing and security research for banks, but also saw this as a place to apply her persistence, perseverance and alternative ideas.
“When I see a system I’m not limited by how everyone else is supposed to use it,” Weidman notes. “I focus on how I can get access to the data regardless of what’s in the way. Thinking outside the box is how successful attackers think, and thus how I must think to find the vulnerabilities before the bad guys do.”
Women executives in banking information security say collaboration and people skills also often make them better at their jobs, too. Being a leader in information security, “requires a dedication to learning and an insatiable curiosity to understand the next capability on the horizon and the emerging trends, threats and capabilities that will define those who stay ahead, and those who fall behind,” says Amy Brady, chief information officer for KeyCorp.
While it may sound a bit like bragging, Brady has a track record to back up her self-appraisal: “Like many women, I bring a thoughtful, analytical style to leadership marked more by listening, acting based on facts and finding common ground, rather than an approach characterized by hammering through a point of view. On the other hand, I’ve known many men who also have a thoughtful and balanced leadership approach and more than a few women leaders who take the bulldozer route.”
Shelbi Rombout, deputy chief information security officer for MasterCard of Purchase, N.Y, has also risen by learning a more collective and open approach. Early in her career, Rombout was tapped to help guide a failing project back on track. She quickly discovered the main obstacle— lack of process—but began strategizing without perspectives and buy-in from team members. Here’s what she learned: “Anyone can come in and solve a challenge. But if you build the processes with the team in mind, and with their contributions as part of it, everyone has skin in the game. I find that people approach something differently if they feel they have an ownership stake in it, versus being told what to do.”
When Viviane Stover arrived as InfoSec manager at Five Star Bank of Rochester, N.Y in May 2016, she was charged with getting several projects done in a short period of time, much of which involved working with various teams at the bank. That experience offered her a perspective complementary to Rombout’s.
“The biggest hurdle is often the resistance [you face] from people about why certain things need to be done,” She sees her job in a very “human sense,” getting to know her co-workers and helping them understand why they might need to change their behaviors for better security.
“We can have so many protections, but it only takes one individual clicking one bad link,” she points out. “Security is usually seen as a burden. But if a person knows why they need to change, they’re more willing to accept it.”
Despite these inroads, the increasing need for InfoSec talent, and the benefits female professionals bring to banking, banks can do better. According to the 2015 Women in Security white paper by Frost & Sullivan, women still only account for 10 percent of the overall information security workforce.
Brady acknowledges the relatively small percentage of female professionals who head IT and InfoSec departments across industries. “As disconcerting as those numbers may seem, I believe that as the demand for these positions continues to increase and move from the edges of technology to the mainstream curriculums, we’ll see an increase in women in these positions.”
Rombout agrees. “A few decades ago, I might’ve agreed that it was more challenging,” she says. “I know that for a long time, I was the only woman in the room when it came to technology or, later on, security. But I’ve seen a good change in this space in the past ten to 15 years.”
Rombout doesn’t need big data to make this fearless forecast: “We’re heading in the right direction when it comes to more women looking at technology and security as viable and thriving career paths.”
Karen Epper Hoffman has been writing about banking and technology issues for nearly a quarter of a century for publications including American Banker, Bloomberg Businessweek and Financial Times’ The Banker. She has also spoken and moderated panels at industry conferences. She lives in Olympia, Wash.