Advice from a young, female CISO: Key lessons learned

Ellen Benaim, the newest CISO at Copenhagen-based SaaS provider Templafy, started her career at the company in June 2018 as technical support, but from the moment she sat down in an interview with Henrik Printzlau, the company’s co-founder and former CISO, she knew that she wanted to become CISO at Templafy one day. That day came in March 2020.

In this interview with Help Net Security, she talks about her take on the CISO role and offers advice for those who aspire to fulfill it one day.

Tell me about your career progression at Templafy.

I’ve always had a passion for IT and, more specifically, the security aspects behind the technology we all use each day. In my position as tech support I learned the technical components of our platform and guided users through problems they were facing. But, as I developed my knowledge base, I also started to dive into the security aspects of Templafy’s platform and organization. The company then created the first Information Security Officer role, which I stepped into to work on building out a security-first approach. This was wildly successful for the entire company and our users, which allowed me to continue growing the team.

Finally, just 22 months after I started at the company, Henrik moved on from his role as CISO and I was honored and thrilled to achieve my career goal, becoming Templafy’s first female CISO. It has been a whirlwind taking on this role through the pandemic, especially considering the exponential growth the tech and SaaS industry has seen over the last year and a half. However, it’s been a wonderful journey so far, and I am thrilled to see how far we will take Templafy.

You succeeded Templafy’s Henrik Printzlau in the CISO role. What preceded the handover and how did you prepare for it?

Henrik always knew my goal was to be a CISO – in fact we talked about it during my job interview. He asked me about my goal for the next five years and I answered honestly, stating that I wanted to be an expert in my field and eventually become a CISO. Of course, at that moment I did not realize the full scope of Henrik’s role in the company as his LinkedIn profile simply stated that he was the co-founder. He laughed and let me know that he was the CISO and that I’d just told him I wanted his job. This was the beginning of a great partnership between the two of us.

Henrik understood and respected my goals, allowing me to learn the system from the ground up, and providing me the opportunity to dive into new, exciting aspects of Templafy’s security systems. Over the years, I have worked closely alongside Henrik to push Templafy’s investment in security and grow our security posture. Henrik has been a great mentor of mine since day one, and the relationship and trust we built with each other and with our teams made the handover seamless when he did decide to move on to focus more on the larger strategy of the company. He helped me prepare for the CISO role, coaching and teaching me over the course of two years, allowing me to feel confident following in his footsteps.

What are, in your opinion, the necessary traits of a successful CISO?

There’s a big misconception that security officers are the bad guys or the people who slow things down in an organization. While it’s true that security leaders want to make sure everything is right and as secure as possible, it doesn’t mean they’re the “security police” that many people assume them to be. In addition to the “bad guy” persona, CISOs are stereotyped as loud, aggressive, arrogant, and controlling. However, CISOs don’t have to be dominating, overbearing rulers to be effective security leaders. In fact, sometimes the traits of a successful CISO are quite the opposite.

In my experience leading teams, I’ve found that collaboration, communication, and engagement are crucial traits to succeed as a CISO. It’s not the CISO’s role to “control” the security of a company, but rather enable their organization to be more secure. This requires active listening skills and partnering with all parts of the business to understand their goals and pain points to see where security can work with others instead of against them. Successful CISOs are team players that work alongside their peers for the good of the company.

Another common misconception is that strong leaders are completely responsible for the success of their company. The truth is leaders can’t do it alone. Security is a team effort; we are only as strong as our weakest link. It’s important to foster an environment of openness and collaboration and trust your team to do the work they’ve been hired to do. You will be surprised by how many security advocates you will have by using this approach.

What are the joys of your work and what are the things you would rather avoid – or change/improve (if possible)?

It brings me joy to know that I work for a company that values security as well as my role as CISO. A perfect example of this is a recent decision that was made to have me report directly to the board (and not the CTO or CIO) and for the security team to have its own budget. This decision demonstrates how the company is giving security the value it deserves. Templafy won’t settle for less than enterprise-grade security, and the actions of our leadership team exemplify that. The perception of information security as a strategic investment and business enabler is the change I advocate for in the industry.

Even further, I’m incredibly proud of the security ecosystem we’ve built at Templafy. I thoroughly enjoy the challenge I face each day to continue pushing our security posture to market-leading levels not only for our customers, but also ourselves.

What have you learned from the (formal or informal) mentors you had throughout your career? Are you mentoring anyone?

Early in my career, I interned with an asset management company in Dublin and worked on their security team. My manager during the internship was the Senior InfoSec manager for Europe and quite literally the only woman in the room in any meeting we attended. Regardless of which room that was, it was always so apparent that she had all the trust and respect of everyone in the company. I looked up to her authenticity as she was just unapologetically herself. She taught me that you don’t need to be a jack of all trades in security but instead it is important to focus on what you do know and to build a security team around you that can fill in the gaps.

Henrik is another great mentor and role model of mine. I’ve been lucky to train and learn under his direction over the last two years. It’s true that you are more likely to succeed when you have the support and faith of other leaders. Henrik has believed in my drive since the very beginning, and I’m confident that his mentorship has played a role in my success.

I’ve been lucky to meet some great people along the way, and I do hope to educate younger generations and share what I’ve been able to learn from my own mentors. In fact, during my studies, I regularly taught kids how to code through a course called CoderDojo. Additionally, for a university project, I created a video game that teaches kids how to be secure online by fighting a hacker that’s still available on the windows store. Players would gain knowledge as they progressed in the game, and they’d use that knowledge to defeat the hacker to win. I’ve enjoyed teaching and hope that through future mentorships and community involvement, I can inspire and encourage kids to pursue careers in technology.

Additionally, I have participated in a few events with Fearless into Tech and Women in Tech Denmark and have enjoyed having open conversations to help make the tech industry more attractive to all. I also was invited to speak at my former university, University College Cork, and SDA Bocconi School of Management – and the latter has a master’s program in cybersecurity with an almost 50:50 gender split which is truly inspiring. Representation in tech is key and inspiring women to join the industry will always be a goal of mine.

What studies/courses/experiences/books/online resources have had a great impact on how you think about cybersecurity and leadership?

I studied business information systems at University College Cork, which provided me with a great foundation for IT, business modules, and security. While that basic knowledge has been extremely valuable, a lot of my security knowledge comes from on-the-job experience.

Like all technology industries, cybersecurity is constantly changing. Because of the evolving trends and risks, it’s important to be constantly learning and engaging in growth opportunities. There are many sub-disciplines within the cybersecurity field, however, many such jobs share a common technical foundation and knowledge from the courses listed below are a great compliment to hands-on experience:

• OSCP (Offensive Security Certified Professional)
• CISA (Certified Information Security Auditor)
• GCIH (GIAC Certified Incident Handler)
• Certified Information Systems Security Professional (CISSP)
• Information Systems Security Architecture Professional (CISSP-ISSAP)
• Information Systems Security Engineering Professional (CISSP-ISSEP)
• Information Systems Security Management Professional (CISSP-ISSMP)

There are also many tools and resources on the OWASP foundation website to help with general programming/software development concepts and software analytics skills. Outside professional resources, I always recommend following the many great articles, peer-reviewed papers, and security blogs available online.

In my opinion, the ability to demonstrate your experience on the job is more important than obtaining certifications, just ensure your goal is attainment of knowledge rather than certifications alone and choose quality courses accordingly.

Do you suffer from imposter syndrome? If yes, how do you beat it back?

Like many other young women working in a male-dominated field, I often suffer from imposter syndrome and allow myself to doubt my talent and skills too easily. When you begin to succeed in a place where the long-standing narrative of the industry has been that you don’t belong/can succeed there, doubt is a very natural response.

The lack of role models for marginalized communities has a major impact on making people feel like they do – or don’t – belong in these corporate environments. This is why representation in tech is very important, to make the sector more welcoming and equal place for the benefit of all.

When imposter syndrome does begin to creep in, I remember what I am experiencing is natural and a moment that can be managed by focusing on what I do know and letting go of other people’s perceptions that I can’t control. I beat the syndrome by reminding myself that I earned the CISO role. I think back to the fact that Templafy has given me the license to succeed in the way that I want, allowing me to take the lead with the scope and direction that I believe is right for the company. I’ve received the freedom and trust to make security initiatives and lead a great team for a reason.

It’s natural for anyone at any level to experience doubt and fear, but it’s crucial to overcome these moments and not let them control/define you. I expect challenges, uncertainty, and failure because that’s just life, but I always strive to let my drive and ambition lead me through moments of imposter syndrome. The difference between good and great leaders are those that accept failure and let their experiences push them forward.

What advice would you give to women and generally younger people working in cybersecurity?

I would encourage anyone with an interest in cybersecurity to go for it – regardless of their age or current professional role. There are a lot of courses and resources available that provide the foundation necessary to understand the technical aspects of cybersecurity and many transferrable skills to segue into security.

The key is to find a mentor or peer who you can spar with, there are always leaders within organizations and in the tech community in general who are willing to teach those passionate about cybersecurity. Don’t be afraid to ask for help and don’t be afraid to accept a challenge. I believe tech is accessible to anyone willing to commit to it and have a passion for learning, regardless of gender or age.

What advice have you received throughout the years that has resonated strongly with you (it doesn’t have to be related to cybersecurity)?

While I always planned on becoming a CISO, I never thought it would happen so early in my career. However, this changed after a piece of advice that Henrick once gave me. Early on in my time at Templafy, he said, “‘Why get grey hair waiting for a role when you can get grey hair doing the role.’” This encouraged me to forget about uncertainty and accept the challenge.

It’s easy to worry about work and fearing all the unknowns of the day-to-day but getting this piece of advice early on prepared me to face the challenges of this role, head-on. CISOs need to be able to operate in real-time, in terms of being agile and adaptable and to act without having all the information needed immediately available.

On the flip side, I would give this advice to executive or managers who are not certain if their colleagues are “old enough” or “qualified enough”: once you give them trust and the support to do their best work, you will be endlessly rewarded.