Career Notes 1.30.22
Ep 85 | 1.30.22

Helen Patton: A platform to talk about security. [CISO]


Helen Patton: Hello. My name is Helen Patton and I am an advisory CISO at Cisco. 

Helen Patton: I grew up in the country in Australia, in the seventies and eighties. So I'm dating myself tremendously and, computers were not a thing where I was growing up. I thought I might be a landscape architect. I thought I might be an English teacher. I thought I might be an economist. I I'm okay at math, but I don't love it, but I like the human interaction, which actually served me really well in security once I got there. But no idea about computers, networks, certainly not security when I was growing up. It was a combination of dumb luck and a little bit of hard work and serendipity. 

Helen Patton: I left high school and I did what a lot of Australians do and I took a gap year and I started working in a bank. And I really enjoyed having money because I was working, and I didn't want to go back to school full time. So I started doing a business degree part-time and this was in Sydney, Australia. About that time, I met this American Navy guy, and we became very good friends and wouldn't you know, it, the next thing I know, I'm married and I'm living in Ohio when I was very young and I had no degree. I had no idea what it was like to live in the United States. 

Helen Patton: And so I started doing temp work around Columbus, Ohio, trying to work out which end was up. And I ended up in a job at the Ohio restaurant association as a membership administrator. Right at the time, they were doing a database conversion, they had an old IBM 36 mini mainframe. This was in the early 90s and they wanted to convert it to this new fangled client server, SQL6, I think database. And I was the only person in the office under the age of about 40. And so they figured I must be somewhat comfortable with computers. Like, I don't know why they thought that, but they did. And so they assigned me to work with this consulting company that was doing the conversion and the consulting company hired me off the back of that gig. 

Helen Patton: So I accidentally got into IT and I was really fortunate. The guy who ran the company. It was a small business. He taught me on the job. So I spent most of the early 90s on my hands and knees underneath desks of small nonprofits in Ohio doing very small network implementations, getting people comfortable with understanding what Windows 3.1.1 is, and why they needed a PC on their desk. 

Helen Patton: I moved from there to a software development company where I was responsible for infrastructure and the help desk. I was in the fortunate, but unfortunate position of being responsible for networks, servers, desktops, no one had laptops really back then, right when viruses started coming about. So the, ILOVEYOU virus, slammer worms, those kinds of things. And it ticked me off because I would walk in with my day planned out, because I'm a planner, I would walk in with my day planned out and someone clicked on something or did something. My CIO, who I reported to at the time said, damn, we need a security program or disaster recovery program and Helen, you're it.  

Helen Patton: I left that company and went to work for BankOne as a disaster recovery planner and five days after I joined bank one, there was a merger with JP Morgan. So to my surprise, and by accident, I'm now working for one of the biggest Wall Street banks. I had four different jobs over the 10 years when I was at JP. Got to run a global team. It was more of a technology risk officer kind of role, then a cyber, you know, sec ops kind of role. Left there to be the CISO at the Ohio State University.  

Helen Patton: I had no idea what I was getting myself in for. So keeping in mind, JP Morgan's the biggest, one of the biggest banks in the world. I quite naive really thought, oh, I'm going from this really rigorous security organization to an organization where the primary business purpose is teaching kids in classrooms. Like how technically difficult could that be? That was my thought. I had no idea.  

Helen Patton: And I would argue now that being a CISO or a security person in higher ed is 10 times more difficult than being a security person in a Wall Street bank for a number of reasons. One, we have all kinds of technology and all kinds of devices. It's more like running a city. We had a hotel. We had an airport. We had a nuclear reactor. We had multiple entertainment centers for football and concerts. Eight hospitals, all kinds of stuff. Right. And people go, oh, you're higher ed? And I'm like, yeah, no really. You think grades and scheduling? I was like, oh God, I was so wrong. And then, and add to that, you go from a culture where at JP Morgan, when Jamie Diamond says make it so. People would go, okay. And they would right. Or they'd be fired. Like that was your choice. In higher ed, it's very much bottom up. So I'd go to someone and say, you really should not have local admin rights. And they're like, yeah make me. 

Helen Patton: I went from being able to do this top down command control kind of approach to security, to doing a very psychologically-driven, "How do I get people to want to do cyber?" Cause if they don't want to do it, they don't have to, kind of culture. And you're in an industry where the purpose of the industry is to share data with as many people as you possibly can. Whereas in banking, the idea is not to share data with anybody unless they absolutely have to know it.  

Helen Patton: I talk about this in the book that I wrote. And, and this is the question of how do you know when it's time to move on from one role to another role? I had reached a point at Ohio State where I felt like I had done what I had set out to do. I had made the changes that I wanted. I had. Created a team that I felt when I left would, was strong enough that they would continue. Not that they do what I was doing, cause they'd get a new leader, but that the program was solid. And I felt that OSU is at a point where the skills I brought to the role were not what they needed in a leader going forward. Then there was a question of, well, if I'm not doing that, then where do I go? And I really loved the culture at Duo in Cisco. I really enjoy working with Wendy Nather and the rest of the advisory CISO team in that it gives me a platform to talk about security things with all industries and all geographies. And, um, with Cisco, I get to work with really smart people who are doing really interesting work and I'm excited to share that. 

Helen Patton: I would like to tell you, I think I'm collaborative. Uh, I look to get as much input from as many stakeholders as possible before I make a decision and move. Having said that though, I, once a decision is made, I tend to be quite forceful about making that happen. So, I am action oriented, but I'm, I'm, data-driven in my action. And I would, one of the things I miss actually about being an advisory CISO is I don't have a team of people reporting to me anymore because I do really like coaching people and developing people up. 

Helen Patton: I think Australians are more direct than Americans. When I became a leader that served me well, when I wasn't a leader, I was seen as too brash. So it depended on where I was in my career path, whether that was a good thing or a bad thing to come across as unfiltered, if you will. I do think Australians are not afraid of doing the things that I think need to be done, even if that means walking on the grass.  

Helen Patton: I would like people to think that I would like to think that they feel like I gave back to the community. And which is again, one of the reasons that I've written a book, but did I, that I did things that were just a little bit bigger than my own self-interest. That's what I'd like.