Secret CSO: Ellen Benaim, Templafy

What metrics or KPIs do you use to measure security effectiveness? “Vulnerability and incident management metrics, along with genuine security awareness indicators, are key to an effective security program.”


Name: Ellen Benaim

Organisation: Templafy

Job title: CISO

Date started current role: March 2020

Location: Copenhagen, Denmark

Ellen Benaim is the CISO at Templafy. Prior to that, she worked at Apple and Hudson Advisors. Benaim is responsible for establishing and maintaining a corporate-wide information security and governance program to ensure the confidentiality, integrity, availability, and privacy of Templafy’s solution and organisation.

What was your first job? My first full-time professional job was at Apple, where I worked as a technical advisor. Having a customer-facing role at a company that highly values their customers helped to shape my customer-centric and empathic mindset.

How did you get involved in cybersecurity? My first introduction to the cybersecurity space came about when I visited a data centre during an IBM workshop my high school went to when I was 16. I was fascinated by the server technology they were showing us. Also, my dad heavily influenced me with our technology talks and working in broadband and networking.

What was your education? Do you hold any certifications? What are they? I received my bachelor’s degree in business information systems from University College Cork in Ireland, where I studied security the last two years and took classes in encryption and access control. However, a lot of my security knowledge comes from on-the-job experience. It is important to be constantly learning within the security space. In my opinion, the ability to communicate your experience is more important than obtaining certifications.

Explain your career path. Did you take any detours? If so, discuss. As I mentioned before, my very first technology-focused job was for Apple, where I worked as a technological advisor while in college. The job wasn’t security-focused, but it dealt heavily with engaging customers and interacting with products. This job really helped me discover that I enjoy helping people work through technical issues.

At Apple, we handled a lot of personal client data, and it really drew my attention to the importance of system security. It was in this role that I truly discovered my resolve in helping organisations to understand that security can be balanced with productivity and that securing systems doesn’t have to be rigid as is tradition.

Was there anyone who has inspired or mentored you in your career? I have met a lot of great people throughout my career. For starters, I did an internship with an asset management company in Dublin where I was a part of the security team. There, I met Denise, my manager, who served as the senior infosec manager for Europe.

The company was very old school in the sense that Denise was quite literally the only woman in the room during high-level meetings. She inspired me because it was obvious she had all the trust and respect of everyone in the company. I really look up to her because she is a go-getter and not fazed by anything at all. She taught me a lot on a professional level, from soft skills to how to build and lead a motivated team.

What do you feel is the most important aspect of your job? The most important aspect of my job is making sure every employee feels as if security is applicable to them, and that they are aware of their responsibility. Organisations must be able to trust their employees with incredibly sensitive information. It is critical to create a security-focused culture that empowers all employees to make the right choices when it comes to security using their own informed judgement. One way that Templafy helps employees to feel empowered around the subject matter of security is by holding a weekly meeting that devotes around 5-10 minutes focused on security.

What metrics or KPIs do you use to measure security effectiveness? Vulnerability and incident management metrics, along with genuine security awareness indicators, are key to an effective security program.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Templafy has not seen a huge impact from the security skills shortage. Our team actually just filled a security role within our organisation.

I think the security skills gap dilemma exists because many companies are looking for a certain degree, when many workers capable of working a security job do not have that specific degree. However, recently I have seen many companies in Europe, outside of the tech industry, become less reliant on degrees for security-focused jobs. 

Cybersecurity is constantly changing – how do you keep learning? Because cybersecurity is constantly changing, security professionals need to be constantly engaged in their own learning and growth. The most important factor is to have a basic knowledge of security. After that, it is all about reading articles, peer-reviewed papers and putting your learnings into practice in your everyday work.

What conferences are on your must-attend list? There are many great security-focused conferences. Any conference that covers relevant topics from SANS to IAPP is a good choice.

What is the best current trend in cybersecurity? The worst? The best trend in security at the moment is the availability of so many different security programs. Security control implementation is much quicker than it used to be because of new technology that has come into effect. New technology can really help security professionals ground their judgement in data and make informed decisions.

On the other hand, the worst trend in security is the public pressure put on security professionals in light of high-profile data breaches. While I think it is good to highlight these issues, it also is causing too much noise in the space, making it difficult for security professionals to remain focused and maintain a level head when making critical decisions.

What's the best career advice you ever received? The most valuable advice I’ve received is to not be afraid to accept a challenge. Challenges often lead you to where you want to go, and they help you to gain valuable insights on the way.

CISOs need to be able to operate in real time, in terms of being agile and adaptable and taking action without having all the information needed immediately available. Getting this piece of advice early on allowed me to face the challenges of this role head-on.

What advice would you give to aspiring security leaders? If those in the technology sector are interested in getting into security, my advice would be to just dive right into it. There are so many resources available to help those interested get started and willing peers to reach out to for advice.

If you want to be a cybersecurity leader, you can’t be afraid of what you don’t know. It is important to focus on what you do know and to determine how your security team can complement you -- you don’t need to be a jack of all trades. It is more important to build a fully functional security team than to know everything there is to know about security.

What has been your greatest career achievement? My greatest career achievement has been my growth within Templafy, a company that perfectly aligns with my drive and ambition towards security. Being promoted to the CISO and leading a great team of security professionals in rapid succession has been challenging at times but I am definitely proud of how far I have come in my career.

Looking back with 20:20 hindsight, what would you have done differently? Looking back on my career thus far, if I could go back, I would have made sure to slow down and enjoy the little wins more.

What is your favourite quote? “It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.”

What are you reading now? I am currently reading a book called Quiet: The Power of Introverts in a World That Can't Stop Talking by Susan Cain. It is a useful book for leaders when building their team as it provides helpful tips for elevating introverts and playing to their strengths.

In my spare time, I like to… In my spare time, you can find me playing Gaelic Football with the Copenhagen GAA team, learning Spanish and cooking new dishes.

Most people don't know that I… Play the fiddle (Irish Violin).

Ask me to do anything but… Having a humble Irish personality means you tend to feel uncomfortable talking about yourself. However, the book I am currently reading, Quiet, taught me that doing something you don’t enjoy for a cause you believe in makes it easier to do.