HP CISO seeks to transform cybersecurity

Driven by digital imperatives, more IT leaders have shed their order-taking shackles to become full-fledged business partners. Cybersecurity leaders are increasingly taking the same tack.

Joanna Burkey, who rejoined HP one year ago, is one CISO leading the charge. Burkey, who spent nearly 13 years in various roles at HP before exiting to lead cybersecurity at Siemens for 5 years, found a cyber program with a strong operational focus. But Burkey believed HP could benefit more if she served as a strategic partner to the business.

“Where we had room to expand our focus was on enabling the business,” Burkey tells CIO.com. “We need a seat at the business strategy table; it’s not enough to have a seat at the IT table.”

The cyber seat at the executive table

It’s a seat Burkey has grabbed with zeal as the company works through a multi-year transformation under President and CEO Enrique Lores. It’s also a belief that Burkey says she shares with fellow CISOs. In recent years, existential threats posed by data breaches have pressured CEOs and boards of directors to bring information security leaders into the corporate fold. And many CISOs are seizing the opportunity to help influence and shape the business strategy.

This includes transforming the role from one that simply says yes or no to technology solution suggestions, to one that also poses questions, according to Burkey. CISOs also must cease measuring their impact simply by threat prevention metrics and instead craft narratives about how threat vectors and attacks affect the company’s approach to risk management.

In short, it’s about weaving esoteric metrics into business language so that CISOs can hold productive conversations with business peers about risk appetite and strategy. “It is a very tempting thing to look at the metrics above all else, but metrics are not meaningful unless they feed into the risk conversation,” Burkey says. And that narrative will help “widen the aperture for the right cyber decisions.”

Diversity in cybersecurity must improve

Burkey views diversity as key to effectively leading HP’s cybersecurity transformation. A diverse team comprising the full gamut of perspectives is better positioned to solve problems and share information that is so critical to digital defense. To that end, Burkey is seeking more women, people of color, and other talent from underrepresented populations to fill positions in cybersecurity forensics and threat intelligence, as well as cloud specialists who are willing to learn cybersecurity. She is also targeting talent with softer skills, such as staff who can conduct business case analyses and facilitate stakeholder management.

In particular, Burkey needs people who can properly articulate risk in the context of an enterprise risk framework — skills that go beyond the whack-a-mole threat talents possessed by traditional cybersecurity professionals. “We have talent gaps to fill,” Burkey says.

But Burkey knows full well the diversity issues the cybersecurity space faces, particularly where gender is concerned. She recalls being the “only woman in the room” in various roles during her career and went so far as to “change myself to adapt to it.” Over time she realized that in doing what she felt she needed to do to be successful, she was being “inauthentic to herself.” No longer.

But this may be easier said than done for women, as the gender gap persists. Women account for only 24% of those working in cybersecurity, according to cyber consortium ISC2. The disparity is more abysmal higher up the corporate ladder. Women account for only 13% of CISO roles at Fortune 500 companies, and only 9% for the UK FTSE 100 in Europe. Those numbers compare to the 11% of CIOs and 9% of CTOs who are women, per Gartner’s figures.

Burkey says it continues to be harder to get young women into science, technology, and engineering fields, though she is trying to change that at HP by describing roles in ways that will resonate, even for less experienced talent. For example, she notes that some women and other underserved prospects avoid the cyber industry because many of the job descriptions are loaded with technical requirements that seem to target middle-aged cyber professionals.

“I have a technical background, but I’m barely in the top 5 in CISO skills,” Burkey says of the various certifications and other requirements job postings include. “We need to change how we talk about these roles and the industry.”

Meanwhile, Burkey offers the following tips for women seeking to shine in leadership roles over the course of their careers.

Be your authentic self. As tempting as it may be to act like your colleagues to fit in, Burkey tells staff she mentors to be true to themselves. She learned this lesson early in her career while trying to act more like people that “didn’t look like me and act like me.”

Embrace lateral movement. Some people plot each step along their career, part of some master plan or goal, but Burkey says it’s okay to move laterally; you’ll acquire new skills at each stop. Burkey, for instance, worked in software engineering, R&D, product management and strategy, and several other roles before landing in cybersecurity leadership. She even once demoted herself from management because an individual contributor position intrigued her. “It can turn into an experience that you can draw on for the rest of your career,” Burkey says.

Network, network, network. Most people network for career opportunities, but you should also network to grow your knowledge because you will use it one day, Burkey says. Burkey has never held a financial role, but she made a point of networking with finance experts, which she says has provided her a working knowledge that has helped her not only manage her own cybersecurity budget but better speak to the business.

After all, cybersecurity is, like insurance and other sectors, about “maximizing business performance,” Burkey says. “It’s all about money.”