As SC Media celebrates its 30th anniversary, we asked luminary Catherine Allen, chairman and CEO of Shared Assessments and CEO of the Santa Fe Group to look back on her 30-plus years in the industry and talk about some of the strides women have made.
Catherine A. Allen, chairman and CEO of Shared Assessments and chairman and CEO, The Santa Fe Group
SC Media: How long have you been in security?
CA: I am not a security professional but rather a business executive that has promoted and integrated cybersecurity into my various career roles. As CEO of the Smart Card Forum and BITS. As the CEO of the Shared Assessments Program. As a cyber or digital director on corporate public boards. As a speaker and writer in the field.
SC: What have been most surprising aspects of your career and industry - industry direction, developments or career turns?
CA: How quickly cyber and privacy issues, combined with the emergence of social media, took technology out of the back room and into the board room. There is not a board meeting I have attended, or in speaking to other board members, where cybersecurity is not discussed. Some times in depth, sometimes as a point of concern.
SC: How has your discipline changed over the years?
CA: You must be more holistic in understanding the threats; risk management, privacy and data concerns, data analytics, compliance and legal issues, emerging technologies like IoT, AI and ML must all be understood and integrated into the cybersecurity policies and practices today.
SC: How has your discipline changed for women over the years? More opportunity? Different direction?
CA: I think women are naturals for the emerging cybersecurity leadership positions because of their ability to look at risk in a more holistic fashion, their concern about broader sets of stakeholders rather than shareholders, their natural tendency to work collegially in problem solving, and their ability to communicate.
SC: How has your career changed over the years?
CA: I am on a journey, not a destination. I actually majored in retailing and fashion design, and today I am CEO of a technology-based company in third party risk management and cybersecurity. I have been a retailer, professor, corporate executive, entrepreneur, corporate board director, author, speaker and mentor. I will always continue to mentor because it is the best way to leverage my experiences and knowledge to the new generation of professionals!
SC: Please tell us about some personal milestones re: your journey in security?
CA: 1) As founding CEO of the Smart Card Forum when I was an executive at Citibank, [I really got the opportunity to] understand and promote the role smart cards can play in access control and information security. 2) The work we did with Richard Clarke when he was the Cyber Czar in the Clinton and Bush White House when I was the CEO of BITS, the technology-based sister organization to the Financial Services Roundtable. We worked with the CISOs, CIOs and heads of Fraud of the 100 largest financial institutions in the U.S. After 9/11, at BITS we pivoted quickly to focus on cybersecurity, antiterrorism and privacy issues. We worked closely with the industry and government to set up DHS, the ISACs and FISSIC and FIBBIC for the financial industry. 3) The growth of The Santa Fe Group Shared Assessments Program to include cybersecurity, the cloud, business continuity and GDPR, among other things, in the tools and educational programs, as well as the certification requirements. 4) Being named the Chair of the Security Committee for El Paso Electric Company and setting up the Risk Committee at Synovus Financial Corporation as a board director. This not only was a best practice, but I served to educate the entire board on cybersecurity. I also am called on to speak at board education events on cybersecurity and what boards need to know. And 5) Being honored by SC Magazine for the contributions the Shared Assessments Program had made, as well as myself, to the industry around cybersecurity.
SC: Where are we now re: women in security?
Catherine Allen: Women are making inroads into senior positions marked by the growing number of CISOs, but overall the number of women in cyber has not dramatically increased. We need to understand why. There are more women in risk, privacy, compliance and IT, but still not enough to fill the job opportunities in cyber. Is it lack of exposure to the field? A desire to be in a more social driven environment? The burnout and 24/7 requirements? Sexual harassment and “boys club” atmosphere?
SC: What strides have been made?
CA: Many organizations have specifically targeted getting more women and minorities into the field, as well as the professional associations like the International Consortium of Minority Cybersecurity Professionals (ICMCP), and the Executive Women’s Forum, founded by Joyce Brocaglia. Community colleges and universities have developed cyber programs. The Shared Assessments Program has third party risk management, which includes cybersecurity and certifications, and encourages women to attend. Girls Who Code and the Girl Scouts both have programs to encourage girls to get interested in coding, IT and cybersecurity.
SC: Name some significant milestones for women in the security industry.
CA: Women who have emerged as CISOs of major organizations. The growth of the Executive Women’s Forum as well as corporate sponsorship of it. And women being the Cyber Czars at the White House under the Obama and Bush Administrations.
SC: What has the industry done right re: WIS?
CA: Acknowledging there needs to be more diversity in the industry and that diversity brings creative problem solving and perspective. Creating programs to encourage girls and women to enter the field. Women CISOs being mentors and bringing other women along. The role EWF has played in networking women in security.
SC: Where has the industry fallen short?
CA: The workplace is often hostile to women … especially if they have children. Long hours, lots of stress, 24/7 on call, sexual harassment, “boys club” attitudes, etc.
SC: Where do we go from here?
CA: Try to understand what is keeping more women from choosing the field, getting promoted and/or leaving the field mid-career. Once understood, do something about it.
SC: What needs to be done to elevate women, put them on equal footing with men? Where should resources and efforts be aimed? What issues need to be addressed?
CA: We have to start young to get girls interested in IT and math, then show them career options with internships and mentoring when they are in middle and high school, then give scholarships, mentoring and internships in college. Have active recruitment and mentoring programs in early career and support mid-career. All this has to be based on an understanding of the pivot points and attitudes at each stage.
SC: Where do you see the opportunities going forward?
CA: Demand will only increase for cybersecurity expertise. Some industries may be more conducive such as healthcare and financial services. The career needs to be reframed in how it helps society, not as warfare or gaming. Also roles in privacy, risk and compliance will continue to grow … combing cyber with those careers will help.
SC: What are some of the potential pitfalls?
CA: Thinking men and women go into cybersecurity for the same reasons. Making cybersecurity an isolated effort, rather than a team effort. Making the workplace continue to be toxic or unappealing to women.
