Secret CSO: Anne Hardy, Talend

Name: Anne Hardy

Organisation: Talend

Job title: CISO

Date started current role: January 2020

Location: Redwood City, California

Anne Hardy is Talend’s chief information security officer (CISO). This new strategic role was created to address the increased security requirements of digital enterprises. She is responsible for Talend’s security strategy, managing security threats and vulnerabilities across Talend’s assets, technologies and processes, and ensuring compliance with relevant security and privacy laws. With over 25 years of technology experience, Hardy brings to Talend an extensive background in security technologies and architectures, data privacy standards, and software engineering.

What was your first job? My first full-time job was as a software developer at Alcatel Business Systems, a big telecoms company based in France. I had a contract with Alcatel while at university, they funded my degree in software engineering and networks, and in exchange I joined the firm for three years once my degree was completed. It was great as me and my husband weren’t from Paris, so we got the chance to experience the city. After the three years we decided we wanted to go abroad and we actually looked at China as Alcatel was opening an R+D centre there. After some debate we moved to the US for the first time.

How did you get involved in cybersecurity? My first role at Alcatel was not a security role at all, it was application software development. It wasn’t until around 12 years later that I moved into security and when it happened really it was a total accident. I started working at SAP in France within the research centre, and by chance one of the topics SAP wanted to invest in was cybersecurity – although at the time it was called “application security”. This ended up becoming the focus area for the centre because it became a business priority for SAP and there were lots of very capable students studying cybersecurity at a nearby school. In that role I was mainly responsible for hiring researchers and developing the centre.

While there I developed my knowledge of cybersecurity, since part of the role was to get funding for the centre from the European Commission for the academics and research projects. This meant I had to interact a lot with researchers while working on proposals, so I needed to know a fair bit of the technical background.

What was your education? Do you hold any certifications? What are they? I studied maths and physics when I was younger then went to an engineering school in France to get my degree in software engineering. Education is structured in quite a vocational way in France, and my school was extremely focused on educating engineers for the telco industry.

Explain your career path. Did you take any detours? If so, discuss. I never really thought about a specific career path or having big goals in mind. I was always quite spontaneous.

I was in software development for a long time, I then went into management and got an MBA. I joined a venture capital company for a year as a way to mix my MBA and technical background. After this I went back to IT at SAP and stayed there a long time, where I did research management for almost seven years in the French and US offices. Next I jumped into a marketing role for three years, helping with developer relations. This was my first job outside R+D and it was great to learn about the different perspectives of colleagues in product development and marketing.

Then I decided to do something else, I had a great relationship with the CTO at SAP and so I worked with him to manage culture and development in the organisation, before moving under the COO. My job was to understand how people were feeling at work and it gave me great insights into how to be a better manager. This was my segue to creating my own company, where I helped companies understand how to improve their measurement of the employee experience. I did this for three years before I closed the company and got my first CISO job.

This was another very spontaneous decision, I spoke to plenty of people in my network and everyone was talking about cybersecurity. Personally I felt there was so much work to do in privacy that I really wanted a role doing something in that space. My first CISO role was in in a start-up in San Francisco working on digital services for commercial buildings. I met the CTO of Talend one day when we were both taking part in a triathlon. He was French like me, they were looking for a CISO and it felt like the stars aligned at that moment.

Was there anyone who has inspired or mentored you in your career? At the start of my career I had bad managers and I think this actually helped me a lot. Essentially I was inspired to be nothing like them! After that I had very good managers who inspired me in a good way. It’s always been important to me to know that there are people I admire and look up to in the companies I work for. It’s hard for me to work in a company where I don’t like the leaders or I don’t like how they work. I like to be around people I can learn from.

What do you feel is the most important aspect of your job? I would say listening. And being able to work across and understand the spectrum of roles which exist in any company. Cybersecurity is moving from a place where we tell people what to do, to a place where we help people achieve what they need to and make the right calls and decisions. We need to help employees make good judgments that will not put the company at risk. That’s why listening is so important and I think this is relatively new in cybersecurity. It’s the same for CIOs, together we are moving from just imposing things to providing more of a framework that enables people to perform securely.

What metrics or KPIs do you use to measure security effectiveness? There are lots, as you might imagine. There are five or six that I really track and report on. These include security awareness, where we look at the phishing clickthrough rate and see how good we are as a company at not clicking. Then our ability to back up and restore our systems. I also track the degree of automation of configuration of systems because the more automated this is, the less error prone and more efficient we are. We also report on how effective we are at patching systems. Then third party risk and business continuity, so what is our coverage of business continuity plans, incident response plans, and how often we test.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, it is. It’s hard to hire people with the right skillsets for certain roles, like application security engineers for example. They are the people who help enable security through the application development lifecycle, so they need to understand app development methodology and security. There are not many universities or schools which provide cybersecurity studies alongside more traditional computer science degrees, so lots of candidates understand IT and the network, but not computer science and engineering at the level needed to talk to developers as peers. It’s been hard and Covid-19 hasn’t helped! It’s a risk to leave your current role in this environment so as well as the skills shortage there’s less liquidity in the labour market generally.

Cybersecurity is constantly changing – how do you keep learning? I learn a lot from the team at Talend. I also read a lot of Gartner resources and reports. I like to attend roundtables and industry discussions. I used to go to RSA too, that was the last in-person event I went to. Now I attend virtual events to listen to subject matter experts in different areas of security. I am also part of a group of CISOs in the Bay Area, where we all share best practice and advice.

What conferences are on your must-attend list? RSA for sure. Then I go to most of the important vendor conferences from Amazon, Microsoft, all the critical vendors on product infrastructure or general infrastructure. I also went to a virtual CISO summit by Gartner for the first time this year, there were some good insights there.

What is the best current trend in cybersecurity? The worst? The best is the fact that people now realise that cybersecurity is part of everyone’s job. It touches everything. For a long time it was hidden away in IT and thought of as an IT issue, or sometimes as a compliance problem. But now awareness is growing that being a good cybersecurity citizen is everyone’s job! The weak links are the employees and insiders who do something wrong or are not careful enough. We can put as many controls in as we want, but ultimately we rely a lot on employees. It’s great that more people are understanding that now.

The worst is probably that we don’t know what the worst is! Maybe one point is that the bad guys are really organised. There is lots of collaboration happening on their side, and probably less on the side of the enterprises needing to defend themselves.

What's the best career advice you ever received? Choose who you work with carefully. Accept that some people will be more difficult to work with and try to work around that for the good of professional relationship, and the company. It’s not necessarily that there’s something wrong, you might just have different work styles or even might just not get along. And that’s ok – as long as you can still get the work done.

What advice would you give to aspiring security leaders? Think about security as a service – it’s not about achieving total control.

What has been your greatest career achievement? I don’t really think in terms of achievements. So maybe that is my greatest achievement?! Or maybe having the courage to change career and change path, because I think that’s when I learned the most. So I’m proud of that. It’s easy to keep climbing and you will learn things in the process, but to get out of your comfort zone and learn something totally new and unknown is a big achievement for anyone. Getting out of SAP to start my own company too – I felt it was the right thing at the right time.

Looking back with 20:20 hindsight, what would you have done differently? In France the educational system molds you. When you’re a good student you don’t tend to choose – you are pushed in a certain direction. If you’re good at maths, that’s what you do. Later you sometimes wonder did I ever choose this?! I felt like I started to choose for myself at the stage of my first job. I wouldn’t say I regret anything, I’m lucky to be where I am and for the way in which things developed. If I were to advise a young me now, I would say take the time to think about what you really want to do, and that it’s ok to change. It took me a while to think about what would feel right for me at that time and then follow that path.