Secret CSO: Amanda Fennell, Relativity

What advice would you give to aspiring security leaders? “Embrace your differences. We need more opinions that are different than what we are used to hearing.”

IDGConnect_secretcso_suppliedart_amandafennellrelativity_1200x800
Relativity

Name: Amanda Fennell

Organisation: Relativity

Job title: Chief Security Officer

Date started current role: January 2018

Location: Based in Chicago- Remote worker

Amanda Fennell joined the Relativity team in 2018 as a chief security officer. In her role, she is responsible for championing and directing cyber, product security, and compliance strategy. Before joining Relativity, Fennell served as the global head of cyber response and digital forensics at Zurich Insurance Company.

What was your first job?  Barista at an espresso bar

How did you get involved in cybersecurity? I changed majors in graduate school. I was in a program for archaeology (paleo hominid biology) but soon found out it was not as booming a field as one would expect (kidding). I wanted to find an industry where I could still be an investigator putting together the story behind a fragment of evidence which led me to cybersecurity. I found my school offered a masters in cybersecurity at the time called High Tech Investigations. Transferred and got recruited my first semester.

What was your education? Do you hold any certifications? What are they? I have an Undergrad degree in archaeology and a Master’s degree in Forensic Science: High Tech Crime. Certifications journey was EnCe, CHFI, CISSP, ACE, and a few more when I got antsy. 

Explain your career path. Did you take any detours? If so, discuss. I’m sure it seemed a meandering path to go from an auto mechanic (how I put myself through school) to archaeology and then cybersecurity; but in all honesty, it has been the same basic skill of putting together pieces of a puzzle to see what happened and reduce the risk of it happening again. After being in cyber it was a path of professional services, government contracting, consulting, managed services in security, and then the customer side before arriving at Relativity. The biggest jump in my career was in coming to Relativity because the founder took a chance on someone who had not been a chief officer before.

Was there anyone who has inspired or mentored you in your career? I want to mention someone who inspired me. Over our careers we often come across someone who gave us an opportunity and really grew us in a role.  When I went to Zurich I had the opportunity to finally work for Troy Mattern, whom I had worked for indirectly for several years. Troy took me off what felt like the bench and really put me in the game of creating a program, growing and maturing it, and being people-centric. He has always and still does inspire me to emulate his integrity and passion for security in my daily work.

What do you feel is the most important aspect of your job? The people. I spend a significant part of my role working with and supporting people. Security is something that should be a partner to the business and not a blocker. Weaving it into what we do but also supporting my team and colleagues is of paramount importance.

What metrics or KPIs do you use to measure security effectiveness? Each area of security has different ways of measuring efficacy. In product, it’s more focused on potential vulnerabilities, in cyber, it’s often measured with maturity models, NIST Cyber Security Framework or so on. Everyone wants to measure 1) how good are they and 2) how do they compare to others? For our cyber team, we measure on all of these and review it often but more than anything, we measure our people’s happiness. We do annual and quarterly internal check-ins that measure if our people feel like they have a strong voice, are they happy, do they have the tools they need to be amazing? We can measure the tools, and the process efficacy, as well as our maturity, but I care more most about the people running all of it.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We do not suffer from a talent shortage and often have such a compelling company and brand with exciting challenges that we fill open roles pretty quickly!

Cybersecurity is constantly changing – how do you keep learning?  My team. We talk everyday about hot topics in security whether it be in email, conversations, or informally on Slack. Our intel threat team updates us weekly on new trends and we host internal hackathons. 

What conferences are on your must-attend list? These years it is actually legal tech-based conferences, including our own Relativity Fest user conference. Cyber has really become a hot topic in this industry that is embraced by our partners and customers.

What is the best current trend in cybersecurity? The worst? The best trend is in automating as much as is reasonable so that analysts can get to work on more fun and challenging work. The worst trend is in the fear mongering around the “people are the weakest link” mantra.

What's the best career advice you ever received? John Lionato was my VP at Symantec. I left under the best of circumstances and on my exit interview he said the best advice a security person could follow was a quote from Horatio Hornblower: “Never run on deck. It makes everyone else nervous.”

What advice would you give to aspiring security leaders? Embrace your differences. We need more opinions that are different than what we are used to hearing. We will only ever iterate and become better if we have fresh perspectives at every turn. Also, learn to enjoy the debates: Don’t take it personal when someone challenges you. Instead, see it as an opportunity to open up a dialogue and become better.

What has been your greatest career achievement? Recalibrating what a successful mother looks like. I stopped thinking my children would suffer with me working a lot or traveling a lot. In the end, I realised that what my children would learn by watching me is to love your job and try to accomplish great things, not feel guilty for wanting to work hard.

Looking back with 20:20 hindsight, what would you have done differently? I would have jumped sooner into leadership and gone slower once I got into it. After taking on the CSO role at Relativity, I learned how rewarding it can be to work with a large team and accomplish so many new things.  What I also learned is that I went too fast when given the resources I needed and I should have worked harder to align with key stakeholders in the business to accomplish my roadmap and agenda beforehand.

What is your favourite quote?I will paraphrase to make it a bit more relevant but Teddy Roosevelt once said something similar to: “The best executive is the one who has sense enough to pick good people to do what one wants done, and self-restraint to keep from meddling with them while they do it.” I like to ensure our team is staffed with the best and I want to ensure that they have the tools and power to do amazing things.

What are you reading now? Currently, I am reading: Do Androids Dream of Electric Sheep? after a close friend (and colleague) decided we should revisit classics. I hadn’t read this before and loved Bladerunner, so here we are!

In my spare time, I like to… A lot. I also like to go on random trips by getting in the car and heading in a direction for a day. Keeps the kids guessing.

Most people don't know that I… first got interested in computers by watching The Matrix. What can I say? Rage against the Machine + hacking seemed too cool to pass by!

Ask me to do anything but… Watch a presentation that the presenter isn’t really interested in the audience. I feel like presenting in any capacity is an opportunity to form a connection between humans and to truly share an idea, concept, or material you are passionate about is a gift. When I see a presenter reading a ton of words from the slide and not engaging, I feel sad at the missed opportunity.