Secret CSO: Cathy Pitt, Plex Systems Inc.

Was there anyone who has inspired or mentored you in your career? “…find a mentor who is interested in helping you understand and appreciate the big picture and where you fit into it.”


Name: Cathy Pitt

Organisation: Plex Systems Inc.

Job title: Global Vice President, Chief Security Officer

Date started current role: November 2019

Location: Elizabeth, Colorado

Cathy Pitt is the chief security officer at Plex Systems, Inc. She has decades of experience in information security, risk and compliance, with a demonstrated history of leading and working in and with a variety of industries including services, education and healthcare. Pitt is a recognised leader in risk management, global compliance with requirements including GDPR and PCI DSS, and technical security controls selection and deployment.

What was your first job? My first real job was in the Canadian Armed Forces, more specifically in the Navy. It was my first exposure to technology, and I found out pretty quickly that I loved learning how things work and troubleshooting complex problems.

How did you get involved in cybersecurity? As a consultant at Digital Equipment Corporation (before it became Compaq and then HP), I was part of a small group that supported the AltaVista Firewall. Back then, firewalls WERE cybersecurity - or at least that’s what we thought. My wakeup call was when a few of us decided to study for this new certification called CISSP (Certified Information Systems Security Professional) and we discovered that our beloved firewall was only one small part of information security!

What was your education? Do you hold any certifications? What are they? Because I took the military route out of high school, then put off school to raise a family, I started my higher education journey later in life. But once I started, I couldn’t stop. It turns out, I’m a school-a-holic! After receiving a Bachelor of Science Degree in Information Technology, I went on to get an MBA, a Master of Science in Computer Science, and a Master of Administration in Criminal Justice. I made it several quarters into a Doctorate in Homeland Security before I ran out of steam (and money!). I carried that passion for learning over to certifications. I did the CISSP when it first came out and then I went on a tear. I completed a variety of security certifications, including SSCP, CHP, CISA, CISM, TICSA (now defunct), Security+, ITIL Master, and several others within a very short time. I’m a huge advocate of certifications as drivers to grow skills when the candidate studies for them, but not so much an advocate for the boot camp route. It’s all about the learning; the cert is just the icing on the cake!

Explain your career path. Did you take any detours? If so, discuss. After I left the military, I was fortunate to get a job at Digital Equipment Corporation (DEC) as a customer response representative (CRR). My job was to take the initial problem statement from the customer, document it (on paper), and pass it along to a technician who would troubleshoot the problem. DEC had established one of the first remote support organisations, providing support to enterprise customers and field service reps who were at customer sites. This was before the advent of personal computers, so every problem was a serious outage that could take days and even weeks to troubleshoot to the component level. It didn’t take long for me to decide I’d rather be fixing the problems than just documenting them and passing them along to someone who could! In the end, I was the first person at DEC to progress through the ranks from CRR to Distinguished Technologist! I had a lot of help along the way. (Surround yourself with smart people!)

As far as detours, I did a six-year stint as a Reserve Deputy Sheriff and even took a year to co-author an InfoSec book. Both were great opportunities to meet new people in different fields, get different perspectives and grow in information security.

Was there anyone who has inspired or mentored you in your career? I met my husband, Steve, when we were both in the military. He was a Data Systems Technician in the US Navy and when we both decided to leave, he started with DEC first and I followed. He inspired my love of tech! I loved watching him fix things and he taught me the basics.

I also was very fortunate to get to work with Edna Conway while I was at Cisco. Edna did a presentation on supply chain security at a women’s forum I attended, and she really inspired me to go after what I wanted in my career. She was my Grace Hopper!

I had several mentors in technology, but never one for leadership or business. Without someone to help guide my career trajectory, I spent too much time trying to find my own way and tripping on obstacles along the journey. Mostly, I found it difficult to transition my mindset from micro (the technical) to macro (the business) and think of security as an enterprise function.

My advice to anyone who asks about building a career is: First and foremost, find a mentor who is interested in helping you understand and appreciate the big picture and where you fit into it. Doing it alone is doing it the hard way. Find a good mentor and someone who will advocate for you.

What do you feel is the most important aspect of your job? As Plex’s Chief Security Officer, I focus on keeping our customers’ experiences safe and secure so they can focus on designing and building amazing things. There’s a lot that goes into that beyond technological controls. Cybersecurity is not just technology; it’s also about people and process. It’s about how people act, how they react and what they do daily to support the security function. But the most important underlying aspect of my job is to continue driving passion around securing the customer experience into the Plex DNA!

What metrics or KPIs do you use to measure security effectiveness? I look at indicators, including external reputation management tools, internal scanning tools, employee reports of possible phish mails, customer questions, and anything else that shows me where we need to put additional attention.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I’ve been so fortunate at Plex! When I joined, there were already several folks who knew the ins and outs and gave me the time I needed to come up to speed on Plex and develop a go-forward strategy. Our executive team supported me and I was able to bring in talented people I knew from previous roles. But the skills shortage is real and it is impacting everyone. In particular, it’s very competitive when looking for strong cloud security experience, and really strong security architects. On the bright side, when you start with smart people who have strong foundational skills and the eagerness to learn, you can build your own talent!

Cybersecurity is constantly changing – how do you keep learning? I subscribe to many great sites that offer insight into new threats. I make an effort to read for at least an hour and learn something new every day. I take advantage of the amazing info shared on the Internet; it’s the kind of training that you used to have to pay big bucks for and travel to a classroom to get. We’re so lucky today to have it all at our fingertips and for free.

What conferences are on your must-attend list? Pre-Covid, I was a regular DefCon devotee! I enjoyed hearing the raw, unfiltered truth from different perspectives. Nowadays, I look for opportunities to learn more on the latest trends and tips from the best in the industry, wherever they are speaking.

What is the best current trend in cybersecurity? The worst? In my view, vendor (third party) risk management is finally starting to get the attention it deserves. When you search the Internet for breaches caused by vendors (e.g., Target, Uber, Home Depot, Netflix), it’s clear that we haven’t been as diligent as we should. We must demand more from our vendors. Just in the last year, I’ve seen greater attention in this area and a lot of it has been driven by external compliance requirements such as GDPR.

On the downside, we seem to be collectively going about managing risk in the most painful way possible. For example, every company seems to have created their own Data Processing Agreement (DPA) and every new vendor negotiation leads to a legal battle over whose DPA will be used. I’ve walked away from several vendors who refused to negotiate in good faith.

Additionally, many companies have created their own detailed vendor security questionnaires, insisting that prospective vendors complete their questionnaire instead of accepting one of the common ones the vendor completed just for that purpose. I just read that 71% of companies use their own questionnaire, many consisting of 250+ questions! We’re all drowning in this self-imposed busy-work continuum that no one has the time or the resources to deal with. But we insist that it’s simply the price of doing business. We are put between a rock and a hard place. I do the same thing to our prospective vendors. I have to, to ensure they’re as secure as we are!

And, of course, there are some innovative vendor risk management companies that have developed tools to reduce some of the pain, but they can be extremely expensive and out-of-reach to many small to mid-sized companies that don’t have multi-million-dollar security budgets.

We need to come to an agreement that will free up resources and allow companies to focus on improving security controls, making us all more secure. Perhaps designing and implementing a single, robust industry-recognised certification to be accepted in lieu of a questionnaire or lengthy DPA is the answer. Or maybe a single, universally accepted questionnaire that all companies complete once and commit to keeping updated. Whatever it is, the current wild-west strategy is untenable for so many and it’s ultimately working against our mutual goal of strong security.

What's the best career advice you ever received? Go for it!

What advice would you give to aspiring security leaders? Think of the job like being a football coach. You have to see the big picture, including the politics and viewpoints and pressures from the top of the organisation! What keeps them up at night? You have to have your eye on the competition so you can come up with the best defence. You have to know what a good quarterback looks like and what a great running back looks like, even if you’ve never played either position yourself. You have to know how all the positions must work together to win the game. You recruit the very best talent you can afford. You build a great, talented, cohesive team, and you cultivate a relationship with the top of the organisation and the sponsors that’s built on trust. And you get out there and win!

As a CSO, you need to be well-rounded. Think big picture but don’t miss the minutiae. If you’re a deep-tech person, learn the business and if you’re a business-focused person, learn the tech. And keep learning. Every day. You have to know it all – but don’t expect to be the BEST at it all - you likely won’t be! Your success will be in surrounding yourself with people smarter than you and listening to them. And of course, you need to be a strong communicator, evangelist, and yes, a great coach!

What has been your greatest career achievement? I’ve always enjoyed mentoring people and getting them jazzed about security. As an adjunct professor, I remember the first class I taught where one of my students told me that she’d signed up for my class just because there were no other classes available. By the end of the course, she’d changed her major to Information Security because she said I made her see how exciting the field was. That stands out as a big win when I look back! Publishing a book and having an ISACA reviewer call it a “must read for anyone getting into the field of security” - that’s right up there, too!

Looking back with 20:20 hindsight, what would you have done differently? I’d say I definitely stayed in the same place for too long. Not that I did the same job for all of those years, but I did those jobs for the same company, in the same place, and mostly with the same people.

Companies like fresh ideas and often feel that they can’t get that from long-time employees. You can get all the degrees and certifications you want, but a lot of companies - especially the older companies - will often value external hires for that “freshness” more than existing employees for their experience, loyalty and dedication. But, what’s old in one place is new in another so take your hard-earned skills and vast experience somewhere where they’ll be valued as fresh. And that, by the way, is why having a career mentor is so important!

What is your favourite quote? “God, grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.” I’m still waiting…

What are you reading now? The Hidden Life of Trees, by Peter Wohlleben.

In my spare time, I like to… take care of all of my rescue animals.

Most people don't know that I… rescue farm animals. Who knew that cows are so awesome and have such unique personalities?!?

Ask me to do anything but… give up my animals!