Security Unlocked: CISO Series with Bret Arsenault 6.23.21
Ep 4 | 6.23.21

Leading an Inclusive Workforce: Emma Smith, Vodafone

Transcript

Bret Arsenault: Hi, I'm Bret Arsenault, Chief Information Security Officer at a little company called Microsoft. Recently I was approached by some customers who were really struggling with the complexities of the security threat landscape, in particular just looking for practical advice. With the increase in threats, with the changing landscape and digital transformation that's going on, people were really trying to understand from experts, what could they do practically that would actually help them in this new threat landscape we're living in today.

Bret Arsenault: And I realized how fortunate I am to have met with some of the sharpest minds on this topic, whether it's competitors, vendors, internal Microsoft people, government people, who all share a vision for a mission on how to better protect ourselves. This created an opportunity to take some of those learnings and share them in this podcast series. Hopefully you'll find this interesting, I know I'll learn a lot from it.

Bret Arsenault: This week's guest is Emma Smith, the Global Cyber Security Director from Vodafone. Welcome, Emma.

Emma Smith: Thanks so much, Bret. Great to be here.

Bret Arsenault: As I was getting ready for this I was trying to remember where we actually first met. I mean I am so, [LAUGHS] so lucky to know you, and so many things I've learned. I was trying to go back to where we first met. Do you recall where that was?

Emma Smith: Well, I seem to remember it was like a round ta-- a CISO round table. I cannot remember what part of world we were in to be honest, but I think there were other CISOs there and it was a general therapy session, wasn't it?

Bret Arsenault: Yeah, oh yeah, yeah, yeah. And it was underground, I do remember that. We went down these funky stairs in this small room. Yeah, that was actually-- the food was really good, conversation was enlightening. As usual I ended up learning more than, than anyone so that's-- so I was appreciative of that fact. And Sandra was there as well.

Emma Smith: Yeah, that's right, that's right. And then I think after that you and I usually bump into each other whenever I'm in the, in the States or you're over here in Europe.

Bret Arsenault: Yeah, no it's been, it's been [LAUGHS] super fortunate actually to, to get to know you and watch the amazing things that you've been doing at Vodafone and helping Microsoft be better, so I thank you for, for both of those. Hey, just curious, you know, you have an interesting path on where you are today and in the role you're in. I'd love to have a little bit of perspective on the path that really got you into security in the first place.

Emma Smith: I started out when I was at school really wanting to be a police woman, and I was too short, so, so here I am [LAUGHS] 20 odd years later. I-- and I actually studied economics at university so I don't have necessarily the most traditional route into security. While I was at uni I wanted to go into politics then realized that would be awful. And moved, when I left university moved into internal audit. So, I basically learnt about security by auditing technology and spent the first ten, 12 years of my career basically doing technology audits. Starting on big ERP implementations. Everything that was going. And then just before the financial crisis I was asked to help them move into security in a bank and was there for seven years as a CISO and then joined Vodafone six years ago as a CISO.

Bret Arsenault: That's a pretty good tenure as a CISO, seven years and six years and running, that's awesome, congratulations.

Emma Smith: Yeah, thank you. I'm sure there's been a book running. Well, certainly when I was in my old company I think there was a book running on how long I'd last, so.

Bret Arsenault: Yeah, yeah, exactly what the-- what is the CISO career is so over. So, I think that's obviously a great, [LAUGHS] it's a great testament to your persistence and yeah, obviously capabilities in the space.

Emma Smith: I actually think it's really hard to make an impact if you've got a short tenure. You know, something-- to, to make security stick in a company it needs quite a bit of time and effort.

Bret Arsenault: Yeah, actually it's a really good point. I think that you know, that we always talk about it, it's a journey not a destination and in order to really get the things done that do they're hard. They're just really, really hard things to work. And I think-- well, hopefully we'll talk a little bit today, not just technologically difficult, but culturally hard to go do and I think it does take a long time to make those things happen.

Bret Arsenault: Just out of curiosity, and I think I like this about the mission statement you know, we have ours about empowering every person in organization to do more on the planet. And with Vodafone you know around this idea that when working together humanity and technology can find the answers and create a better future for all. That's quite an aspirational statement, I, I really love that. What, what does that mean for you personally, and how do you think about that in your role as CISO at Vodafone?

Emma Smith: We've got the luxury of being a global business and it gives us a really unique opportunity to drive positive impact. Because we're a connectivity business it means we really influence digital society, we can have an impact on how people live their digital lives. And so we've got a real focus around inclusion, how we really focus on digital society, and then where technology and connectivity can actually enhance people's lives, society, that futures that they have. And so being a part of a purpose-driven company's really important for me, it's the why you get out of bed every day, why do you focus on what you do, and so we've got a purpose. It's all about connecting people for a better future, and enabling inclusive and sustainable digital societies. And that takes you just beyond the day-to-day of everything you do and gives it greater purpose.

Emma Smith: So within that we tend to focus on three areas, Bret. We talk-- we think about digital society, inclusion for all, and the planet and that's how we sort of distill down the mission statement into some, some really clear practical actions. We've got a strong view that tech-- you know, we're, we're all part of a technology revolution, and I think by bringing together the people and culture skills we can make a really positive impact on the future.

Emma Smith: And I was going to just talk a bit about so what does it mean being a CISO with that backdrop? I've, I've always loved being in security because I think my role is all about protecting customers, the company, employees, our data from cyber attacks, and it's kind of the altruistic side of our job that really appeals to me. And so doing that in a company with a really strong cultural societal purpose, is, is hugely motivational, especially in a job, you know, that's pretty challenging. So, the culture's super-important to me.

Bret Arsenault: Well, it looks like you're getting to live some of the values that you wanted to when you joined-- wanted to join law enforcement whereas to protect and to serve, so I think that's a-- that's great that you're getting to do that.

Emma Smith: Yeah.

Bret Arsenault: One thing it'd be super-interesting from my perspective, being one of the largest telcos on the planet, and I like this idea that it's not about the telco it's about the connectivity right, and how you, and how you kind of connect everything. I think that's a fantastic way to think about it. When we think about the role of telcos over the years, and particularly the idea of the network, like there was private networks, public networks, and now these massive, you know, wireless infrastructure networks and the connectivity stuff that we do. The role of security which used to be very network bound has changed over time. And how do you think about that? Like, you're right in the heart of that change. How do you think about that role for you in particular how the network has changed and evolved over time? And what does that mean for you in the role at Vodafone internally, but also for the customers you're serving?

Emma Smith: So I'd say a traditional telco network it's changed from being that was-- one that was really centered around providing connectivity to customers and enterprises to access the Internet or for communication. So, it was more about traversal than a destination I think traditionally. And now you see telcos really moving to being more value adding on top of that connectivity service. We've seen, you know, introduction of, of hybrid multi-cloud platforms, new connectivity requirements. We've seen mobile edge compute with 5G, so it changes the nature of the way we think about networks as a, as a telco provider. And then also as an internal enterprise, on an enterprise IT point of view, it changes the way we think about our own networks as well.

Emma Smith: So Zero Trust as you said at the beginning, it's fundamental, really important part of our strategy. We tend to think about it with two lenses, I'd say at a really high level so, we've got a workforce lens looking at the over-arching, how does it affect our workforce, how do we make sure that Zero Trust capabilities work for the end user wherever they are, with strong authentication but with a frictionless journey for them? And then we've got more of an enterprise level view where we look at all the tenets of Zero Trust and putting them in a way that can be applied to all the environments. And implementing Zero Trust as you, as you know in an existing relatively complex technical environment is quite challenging.

Emma Smith: So we're currently working on what's the right level, how do we orchestrate centralization, some of the key controls? What analytics will we do? How will we do the policy enforcement? So, I'd say we're on a journey to really sort of change, change the way we-- our security architecture has evolved over the years.

Bret Arsenault: Yeah, I think it's been fascinating to think even for us in turn, the idea managing network infrastructure just the combinatorics of it are so different than managing every endpoint whether it's a user endpoint or cloud service endpoint, and the control planes are so different now, I think that's-- it's a pretty fascinating space, which tends to lead you to, you know, one of the things we think a lot about particularly around computing on mobile and, and in particular in the last year with so many people working remotely as part of, you know, response to the pandemic, is the whole aspect of 5G and what we think about 5G doing from a-- you know, it's great to have connectivity but I need connectivity with security. And so, how do you think about the role of 5G playing out both for our users and for, you know, for enterprises in this space?

Emma Smith: Yeah, and I think, I think with the pandemic it's changed the way we think about working hasn't it as well. So, I think layer those both together, we've very much got a hybrid office and, and working environment. We've still got about 95% of our people working remotely around the world. But we've re-written all of our remote working policies. We need to bring out three workers types, the ones who need to be on site, like network engineers, network operations, certainly when there's any physical work that, that needs to touch the network. And then we've also got people who are already home-based. So for those people that those categories feel little change. But then we've got what were traditionally our office workers who have been remote working for the last 15 or so 16 months, and we're moving to a far more flexible way of working for them.

Emma Smith: So it will be coming into the office, we'll all be about coming into the office because there's a reason to collaborate, a reason to be together, or it's a more effective work environment for that person. So, I think that flexibility will change, it's changed habits already, but it's also meaning that we're looking at the security implications. So, you know, we all used to rely on the corporate network as a control plane for so many years, and some of the physical security controls that we had in place around offices, and so that's really a changed thing, also as, as we talked about before, so is Cloud. So, that's really reinforced the strategy of Zero Trust. It's also really focused our minds on what the digital experience is for employees, not just the friction of having passwords and how they access the services, but what's, what's the experience and can you get the same culture remotely that you would get from people coming into an office?

Bret Arsenault: So, there's this idea like on the experience where is it a fulcrum based problem where there's on one side users love it, and on the other side IT trust it, or is it something where we can raise the bar on both?

Emma Smith: I mean I think we can raise the bar on both, and we've still got people who are at both extremes. We've got some people who love it and some people who are desperate to be back in an office world seeing their colleagues again. So, so, I think we can push the balance and end up with a really great experience that's also great technically and from a security point of view.

Emma Smith: And then you asked me about 5G. I mean, 5G's a huge enabler for the flexibility and remote working that we've talked about and, and Zero Trust. So, if Zero Trust is about having an agnostic network, then why would we rely on fixed connectivity when we've got the power of 5G? And I think we're at the tipping point of really, as a-- as, you know, across the world are starting to really exploit 5G. But speed is massively increased, a reduction in latency, and then the ability to do computing on the edge of the network. Obviously, that has implications for the way we secure the networks and those services, but the opportunities are huge, you know, from manufacturing, the IoT connectivity, the automotive businesses, medical health, etc., so huge opportunities across so many sectors and I think 5G, it will be a huge game changer for us all.

Bret Arsenault: I'm curious that you mentioned IoT, and I think every security person in every business that I know, whether they're in high tech manufacturing, services, transportation, there's always the question about what about legacy? Like, how do you think about the legacy applications infrastructure? Maybe you don't have any, I know I have some. And so, if I think about, you know, how do I think about legacy applications and infrastructure with the promise of what we can do relative to-- like, how do you think about that balance for you inside of Vodafone?

Emma Smith: One of the first things we did was actually write a life-cycle management policy. So, I think it sounds like a bit of a no-brainer, but a lot of companies don't have them. So, first of all make it and writing that policy and making it a technology policy, not a security policy, because this is about performance, it's about cost-management, efficiency, it's not just about security, and often I think life-cycle can get pointed at security when really it's about, you know, modernizing and, and simplifying the infrastructure and the technologies we use.

Emma Smith: And then I think gathering the data about what really is the situation, because actually if there's not transparency in the company and it's not an overt decision, then I think we're not really facing into it and tackling the situation. So, for me that means understanding what legacy is though. What is the situation? Why can't we upgrade it, decommission it, migrate it, whatever needs doing to it? Why? What are the blockers? Is it cost? Is it prioritization? Is it stability of service? And really getting behind that, and I think when you then have got that position it gives you a better sort of footing to be able to challenge and say, "Well, why is that okay? Can't we do anything about it?" And then I think if you still end up in that sort of well, it's going to take us three years to decommission or to build new, then you can start to look into mitigations and how do we protect those assets and services you know, segregation, access control, hardening them as much as we can. Can we put any endpoint protection or EDR? Can we get extended support? What extra monitoring?

Emma Smith: So, the, so, the strategy is to then mitigate the risk or reduce the risk if we can't fully mitigate it for that legacy. So, to me all of those decisions need to be made in a really collaborative way in a very overt way, so that everybody knows what risk is being signed up to and the decisions are made consciously.

Bret Arsenault: That's a brilliant way to think about it though, because most people have-- well, most organizations the workers will have a policy on legacy and life expectancy but it's usually around hardware infrastructure, not usually about user experience or the other things that, that really I think make a difference as well. And particularly as you think about the modern-- and I think your angle on modernization is really key. Like what is-- we like the, the idea of a chief experience officer. Like, what is the experience that we expect our users or our customers to have and how do we maintain that bar? That's a great way to think about it.

Bret Arsenault: I love the comments around this idea of a life-cycle management policy that's not about being based on security, but experience and overall modernization approach. And I do think people have a much better way of thinking about looking forward than thinking back, like so you-- it's just like no one wants to be the sustained engineering person they want to work on the next product of the next coolest technology, been my experience in, in tech. But how do you think about that relative to Cloud? Like, you know, we're on this maturity curve with Cloud. But how's Cloud impacted you and the things you're doing at Vodafone?

Emma Smith: Cloud to me is a massive enabler from a security point of view and I think maybe I don't know, give it ten years ago we might have all been a bit apprehensive about Cloud, perhaps not in Microsoft but there was a lot of security practitioners who were worried about it, but for us it's a huge enabler and done right can bring some huge security benefits. So, connecting back to legacy I think there's an opportunity to even sometimes transform platforms and, and migrate them across to a Cloud environment to allow you to put some of those extra layers of protection even if they're not fully modernized. And there's some real incentives with some of the Cloud providers to do that, so I think that-- that's an opportunity there.

Emma Smith: But then more generally the benefits of Cloud, obviously, the, the scale and flexibility that it brings. From a security point of view it, for us allows greater consistency, even using a hybrid Cloud model where we use multiple Clouds for different purposes, it's allowing us to drive greater consistency and standardization around the subset infrastructure layers and some of the standards that are used for development. We've got pre-built code and, and scripting ready for any new environment and we use one compliance tool that runs across all of our Cloud environments, for example. So, enabling all of that is a lot quicker than it would have been in a more traditional sort of on-prem environment.

Emma Smith: For us, it's been a blend of using strong native Cloud controls with some additional layers that we aggregate ourselves, and then it's also brought opportunity to partner with the Cloud providers on, on different opportunities whether it's big data or business intelligence. And then for the telcos network virtualization has been huge, a huge opportunity, so, so taking some of the traditional hardware functions and virtualizing them has, has led to much greater efficiency.

Emma Smith: And then last I'd probably-- just sorry, just talk about DevSecOps. So, we're really pushing DevSecOps inside Vodafone where we really empower our developers to understand security. We equip them with the tools and the, and the technology and the training, so that security isn't done by security it's done by, by the developers, and that the more we can integrate the security control so that the developers get the alerts before we get the alerts, the more they'll get, they'll get used to get familiar and get confident and feel empowered to, to use the tooling that we give them.

Bret Arsenault: Yeah, I think that's been a big push I think in the industry and for us as well, which is how do you help developers fall into the pit of success, right? And so by, by moving it all, as we say, shift left with the things that you just talked about. I do think that people need to understand that it's not a check you run at the end it's something you just build into the design environment and, and actually they said help them be successful without having to become the security expert, right? I think that's, that's key.

Emma Smith: And make it as easy as possible. You know, building all the tools so that it's lift and shift and then they can focus on the, the functionality and the, the customer facing value, it means that they're happier as well.

Bret Arsenault: Well, I think that's a good example though when we think about-- you know, we have this concept of making sure that people are productive, secure and healthy and sort of the three, three things, you know, that I think we've really learned a lot about focusing on what health means both physical and mental health during the pandemic. But I think that we often think of that as an information worker and your comments around, the DevSecOps is another example of, you know, what does it mean to be productive as a developer? What does it mean to be productive as a sales person? What does it mean to be productive, you know, in any role that you happen to have?

Bret Arsenault: When you think about balancing off that idea of secure and productive and healthy, are there tools you're thinking about? Like, you mentioned some things. Like, this one compliance thing you mention is great, but are there other tools you're thinking about how to help people remain and, and be productive?

Emma Smith: Yeah, we are. I mean, I think passwords are everybody's, you know, they're the work of the Devil aren't they. Security hate passwords and all the workforce hate passwords, and our customers hate passwords, so a bit like you, we're on a journey around authentication to try and remove passwords from our environments and make authentication both secure and simple for, for the workforce, so that, that to me is really important. And when you talk to people about negative sentiment around security it's off-- passwords come up time and time again, so I think there's something we can do there. As we know attackers love passwords, so we need to get them out of the equation.

Bret Arsenault: Yeah, there's at least one group that likes passwords, right? [LAUGHS].

Emma Smith: [LAUGHS]. Exactly, exactly. So, we're all learning the hard way.

Bret Arsenault: I think this idea about passwords is great. This is a-- everybody hates them except for one group our enemy-- our enemies are cyber-criminals who love them, and yet they seem to work really well. Like, they collaborate very effectively and very well. So, what do we as security practitioners should do to collaborate as effectively as the people who we're protecting ourselves from?

Emma Smith: I think that's a great point, Bret. Especially as we're all remote and not bumping into each other physically as much as we used to. So, so for me we've got to remember to keep sharing learnings and, and threats. I think threat intelligence teams have always worked well to share. We've got to keep pushing that and keep promoting it. And then absolutely not compete on the security controls or the practices we're putting in place. So, the more we can share those cross sector with our, with our colleagues from other companies the better. So, I think what-- fighting as one security community is far more powerful than trying to do it on our own.

Bret Arsenault: No, I think that's super-important and I think we tend to be better at doing that under time of crisis as opposed to pro-actively doing that. Like, we reach out when we need to. And so how do we-- you know, I think we need to keep thinking about, how do we do that sharing ahead of time before the crisis happens or the other components? And, and hopefully talks like this or things that we do or just the-- you know, I know you and I have had a great opportunity to do these things, but you are right, I think there's something we're going to have to do that's not just crisis based, but how do we continue to share, stay ahead of the people we're protecting ourselves against? I think that's a great, great code-- including working with both public and private sector.

Emma Smith: Yeah, I totally agree. And then reporting issues, so trying to really reward good practice around a culture that, that wants people to call out things that look unusual or suspicious so that, not, not just phishing but just general reporting of, of kind of bad practice. But we've embedded things like the phishing reporting button, like a lot of companies have and then make very visible the reporting that we get, and when it leads to, to a good find. I'll give a bit of a plug for AIP shall I? We worked hard on, on implementing AIP at Vodafone. We worked hard both on the security controls but more so on the user journey. So, we really wanted-- I said to the team, "I want one-click encryption and classification." So, I want employees to with one-click be able to classify sensitive information. And so, with that target we used agile methodology to go round and round and round and tailor the functionality to do that, and it's meant a much better user experience and greater adoption of AIP.

Bret Arsenault: Yeah, just for people who don't know AIP is our Azure Information Protection. But this is a really good example where I'm going to-- I'll be the negative person about AIP, and I know this is going to get me in trouble but, you know, there's a lot of security jobs, just not a lot of job security, so we'll think about how that plays out. I think the thing though, I don't mean to be negative but like it is great that we integrate that so users label and do all those things, and then the work that we're doing using AI and Artificial Intelligence to auto-do that and auto-classify so that users just have to confirm-- just like the thing you said with developers. Like, we have the corpus and so we, we are working on it and I know that other entities are, but this idea that we auto-classify and we can get to a 99.9% confidence in it, just like we can in natural language recognition.

Bret Arsenault: We need to get that same confidence interval relative to industries to auto-classify so that we don't put that-- you know, so, so it's great that we've automated it, we need to go one more step and then actually automate it and integrate it as part of an Artificial Intelligence system, so.

Emma Smith: Totally agree. And then the, and the next product road map item that we'll give you is how do you integrate the, who should have access and the sharing, because that's the hardest thing with, with any sort of information protection is, is the sharing and how you do that in a way that's simple but also the right people, so, yeah, I agree.

Bret Arsenault: Yeah, I think that's a great-- and that's a, that whole classic do we over-share, under-share? And that's a whole another topic we could do a podcast on if we wanted to, which would be fantastic. Lots of companies have cultural inclusion perspectives, diversity inclusion perspectives. The last year has sort of been I would say, a transitional and transformer year for many people because I think that while we-- and you've done a lot of disaster planning and resiliency planning. I know we all were doing like-- crisis management is in my remit and I know that's been in yours. We did all the planning for Avian flu as an example, but it didn't come to reality the way that pandemic did. And then you add to that the social injustice issues that are going on globally, and so you sort of had this again, really marked year in really help-- helping people both personally as individuals, as families, as companies, as countries, as a global environment think about, what are the implication of you know, how we work and what does that mean and what do we do?

Bret Arsenault: What are the similar things you've learned in the last year, either personally or obviously, most importantly for in this conversation, the company around what the pandemic's taught you around how people work and how to think about those things, and, and all the aspects regarding them?

Emma Smith: I mean, there are so many things, so many things I wish I'd known about, about 16 months ago. I think overall every day and every person's experience can be so different even though it's the same, [LAUGHS] because we're-- you're probably sitting at the same desk in front of the v-- C-screen that you have been for the last 16 months, and yet the way you feel and the experience you have can be so different. So, I've definitely observed people going through highs and lows more so than before, and then being maybe a bit more visible when you normalize in an office on video. And then to shore teams affected by the weather and the seasons. So, you know, we, we both live in seasonally affected [LAUGHS] parts of the world. It was really cold, dark, bleak, wet winter and, and you know, you could see people really experiencing that. And typically employee surveys are more positive the closer people are to the equator anyway.

Emma Smith: So, I think for sure it's felt more extreme during, during the pandemic. And then I think being in VC it's harder to pick up and read emotions and sentiment, and takes body, body and eyes a lot more effort than it would do if you were in a meeting room. Now, we were a company who already did a lot by video conference, because we have people all over the world. It's been a bit of a leveler because there hasn't been groups of people sat in headquarters in a meeting room with lots of people remote, it's been everybody remote, and so that's brought an opportunity to hear different voices in meetings than might have been before and a real positive I think from, from doing things in a different way. It's definitely underpinned our strategy on Zero Trust and made it, made it the right thing to do and made us want to go faster and faster on that. I think we've been course-correcting all the time so you know, thinking about what would I have done differently? It's very difficult to pick out one thing because we've course-corrected all the time by running poll surveys, checking in with how people are doing. Offering mental health support and advice. We've done resiliency training for people.

Emma Smith: So, I'd say it's the people impact that's been significant, the technology impact has been for us, touch wood, a lot smoother. And so, how you support the team and get the same culture and people feeling in the same way they did before in this environment is the big challenge. Some people are loving working at home, really want to keep the flexibility, other people are desperate to get back to the office. So, I think we've definitely seen that split far more so than when everybody was in the office.

Bret Arsenault: Yeah, it's interesting you say that. It's in some ways it's brought people together, but in other cases it has created these more stark divides like this like, due to the point you just brought up. I have people who are, "I'd love never to come back in the office." I get, "Please let me back in the office." And so, some of it's cultural like geographically cultural, equatorial, as you said, and I think those are interesting perspectives. That's one of those important things about inclusion. How do we keep the benefits of that, and then how do we think about inclusion in general? I'd, I'd love your thoughts because you've-- you know, you've always had great topics on this.

Emma Smith: We're doing a-- we're going to be doing a little pilot at the end of June where we're going to try and run one of my leadership team meetings as we would have done before. So, providing the government rules allow us to, to do that-- we'll, those based in the UK will be back in the office, and then our remote team will join. And we're going to use it as an experiment and learn fast, so let's try and run the leadership team meeting in the same way we have been doing, but with half of the team remote and half of the team physically present and does it work and does it change? And we're going to use that as a test to say, right, how do we then need to adjust as we start, start moving back towards having meetings physically present in the office?

Emma Smith: So, I think there's some experimentation needed to, to then figure out what works, what doesn't. And then we're consciously not going back into the office to all sit in lines of desks with headsets on, on video calls because you may as well do that at home. So, for us it's definitely about being more purpose led and why you're in a-- why do you need to be physically together? And then really changing probably the office space so that it's more adaptable and more, more used for collaboration and creation events than it was before.

Bret Arsenault: I'd love your view on the-- from an industry perspective on how we think about inclusion though. I'd love to hear your views on that.

Emma Smith: I think I mean it's a topic that I think I always like to talk about when I'm being interviewed anywhere, because it's close, close to my heart. And having joined-- I took over CISO about 13, 14 years ago and, and when I went to my first industry event I think there were only six women out of 120 in the room. So I, I felt it quite, quite pointedly [LAUGHS] when I first moved into being CISO. Just before this I was just doing some training actually called Withstander Training, and it's all about how to be a withstander. So, if you witness any kind of bad behavior, any kind of micro-aggression, what are the techniques that you can use to intervene? And, and there was a really good model that they shared around how to do that. So, you know, you could either do it by deflection, so you kind of move, move the topic to talk about something else if you didn't feel comfortable overtly saying something.

Emma Smith: You can call it out and explain how it makes you feel or why you may, may feel it and think that it's wrong. You can es...escalate, you know, if you don't feel comfortable dealing with something go, go and tell a manager, go and get some support in doing that. But making sure that you actually do tackle micro-aggressions when you see them, even when they're not directed towards you, in particular tackle those micro-aggressions. So, we've got a big push in Vodafone to create this allyship and withstander mentality. And I think that to me is, is going to be a game changer because the micro-aggressions are the things that just sit below the surface, they might not always be obvious but can really affect how people feel. So, so, to me, having people who come to work, feel comfortable being themselves, are when people are at their best and that's what we're really striving for on inclusion.

Emma Smith: I went to my training course earlier, so I'll be putting that into more practice. And I think it's about tra...training people on how to intervene comfortably is really important so they feel comfortable intervening. And then just generally I-- we, we definitely do have a lot of focus on diversity and inclusion and how do we hire, retain, and, and progress people of different backgrounds, different ethnicity, different gender, different age, and I think we've got a big focus on that. Now, it's, it's harder to measure some of that data. So in Europe for example, we have to have consent, it's optional whether people want to give their demographic information, and their personal information. So, we're doing a big push to say, please share it with us, we'll keep it anonymous but we need to know how well we're doing on all these different topics. And having that data is going to be really important because it will tell us, are we doing well on recruitment, are we doing well on retention, or where are the hotspots and problems, and are all teams doing well?

Emma Smith: So, I think a data driven view that tells you about how does your current company reflect the society that you operate in is really important. And then yes, diversity and things like recruitment, but for me, it's all about inclusion and making people really feel valued, being themselves and confident at work.

Bret Arsenault: Yeah, no, I love that. And I think, you know, we've talked about recruitment and retention, and I think it was most well said by someone I respect highly who said that, you know, people will always come where they're invited, they stay where they belong. And I think that we, we have to stay on that, we have to stay on that path for sure.

Emma Smith: We have a phrase which is, you can invite me to the dance but did you actually ask me to dance?

Bret Arsenault: I do love the analogy. I think it's actually a really, a really, really good one.

Emma Smith: Absolutely, absolutely.

Bret Arsenault: So, this is the part where in this podcast there's a couple of things we do, one is what book are you currently reading and what book would you recommend?

Emma Smith: I have just started reading a book by Michael Lewis called, "The Premonition" and it's about the pandemic. Michael Lewis wrote the "The Big Short" if you remember.

Bret Arsenault: Yes.

Emma Smith: So I've just, just started reading that. And the book I'd recommend is, "Why We Sleep" by Matthew Walker. I read it about two and a half, three years ago and I've always known that sleep is really important, I think my granddad drilled it into me when I was young, but this really made me prioritize my sleep. I was traveling a huge amount at the time and it gave me data points to validate how, how important sleep is on health, effectiveness, general wellbeing. So, I think it's a great read.

Bret Arsenault: Hey, in priority, like this is a-- like, you've been doing this like, for almost 14 years and obviously in different sectors and you have an amazing background. What would be your practical advice like, given all the experience you have, I would ask this, this question which would in priority what would be the three things you'd tell security practitioners to go do today, and the one thing they should avoid?

Emma Smith: Three things. I might, I might give you four-in-one. Always focus on the security basics, no matter how exciting other stuff is, or how many new gadgets, tools and things there are out there, always focus on patching, hardening, vulnerability management, access control. Get those foundations in place and don't take your eye off the ball. I'd say then the second one is great detection and [LAUGHS] response... because we all need it. So practice simulations, play books, have a team, be prepared, you know the drill. And then I'd say I am pretty frugal, so really make the tools work for you, the technologies that you do have. Are they actually mitigating risk, and are you really getting value for money, and if not decommission them. Because the simplicity of the security tool stack makes our lives a lot easier, and if they're not really adding a control layer then why have we got them?

Emma Smith: And then I have to have a people one which I'd say as security leaders it's really important we talk to the rest of the company and make security relevant to your company whatever that culture, purpose, mission is, adjusting security to be relevant. And then the one thing always avoid, never over-report your security posture or program progress. I call it water-melon reporting. Do not do water-melon reporting. [LAUGHS].

Bret Arsenault: And what is water-melon reporting for people who aren't familiar with the term?

Emma Smith: It's green on the outside so everything looks good, but when you dig deeper and cut it in half it's bright red.

Bret Arsenault: Yeah, exactly [LAUGHS]. Brilliant, that's such a great way to finish and I love, I love that you took four because I think they're actually completely accurate and perfect. I love the basics, the focus on, you know, the idea of response and resilience and detection, not just the protection side because we see a lot of people do that. Leverage what you have and simplify it, I think that's totally true. I 100% agree and simplification is the best way to get there. I think people, myself included, can over-- be overly complex and that's the enemy of what we're trying to do. And then the leadership point is, is so spot on and depending what part of the audience it's always important to, you know, supply, make that story relevant to the people you're talking to. So, that's awesome and I, I, I won't forget the watermelon scorecard, so I will make sure I keep that in mind.

Bret Arsenault: Emma thank you so much for your time and sharing your insights, we're so lucky to have you on the call today, appreciate it.

Emma Smith: My pleasure Bret. Thank you so much, appreciate it. Enjoyed talking to you.

Bret Arsenault: Yeah, thanks so much.

Bret Arsenault: Thanks for listening. I look forward to our next episode. And remember stay safe, and stay secure.