Secret CSO: Joanna Burkey, HP Inc.

What do you feel is the most important aspect of your job? “… to make cybersecurity risk understandable throughout the enterprise … if the heart of the enterprise – the people – don’t understand the ‘why’, we aren’t creating cybersecurity strategies for the long term.”


Name: Joanna Burkey

Organisation: HP Inc.

Job title: CISO

Date started current role: April 2020

Location: Austin TX, USA

Joanna Burkey is the Chief Information Security Officer at HP Inc. In this role, Burkey and her team have responsibility for HP Inc.’s global cybersecurity program, including infrastructure, technology platforms, and business units. Her organisation has responsibility for identity, governance, compliance, security operations, strategy and architecture as well as business alignment. Burkey is an independent director at ReliabilityFirst, a member of the California-Israel Chamber of Commerce Cybersecurity Board and holds an NACD Directorship Certification from the National Association of Corporate Directors.

What was your first job? Once I was old enough to officially work, my very first job was for the local community college. I spent a summer inventorying everything at the college that wasn’t nailed down. I’m guessing some of the stickers I put on those desks are still there! My first job that was actually relevant to my field came years later – in the latter part of university, I worked for the State of Texas doing database maintenance for FoxPro systems.

How did you get involved in cybersecurity? I was very fortunate, because I rather fell into cyber. I started my career as a software engineer in the late 90s. Not long after, I was seduced by the lure of the start-up culture, as were so many others at that time. In my short journey around a few start-ups, I began to work for a company developing a network security product. It was a revelation to me what an interesting area cybersecurity was! I’ve never left since. I've had a broad variety of roles in cyber but I've never left the domain.

What was your education? Do you hold any certifications? What are they? I was a computer science and mathematics major at university. My most recent certification was achieving Directorship Certification from the National Association of Corporate Directors (NACD).

Explain your career path. Did you take any detours? If so, discuss. When I look back on my career path, sometimes I think that it was all one big detour! The first several years of my career were all focused on software engineering and engineering management, but as I looked around the business, I realised how much I didn’t know about the company where I worked. So, I began a fifteen-year journey of changing roles quite frequently to get exposure to as many parts of the business as I could. This led me to some less-expected areas such as product strategy, as well as more obvious ones such as security evangelism.

It was never a master plan at the time, but all of these movements during the formative parts of my career led to a broad base of experience that I draw on frequently today. Specifically, as a CISO, having spent time on both the product and the practitioner side serves me well on a daily basis.

Was there anyone who has inspired or mentored you in your career? More than I can list here! I have learned something from all the managers and leaders that I’ve worked for, or with. And, of course, some of these lessons are what *not* to do! However, my original inspiration was my father and his unwavering message to me that I could do anything in the world that I wanted to do. Even when I, as a barely 48-inch tall ten-year-old, told him that I wanted to play basketball… he never blinked an eye, just said “okay” and taught me how to do a layup.

Fortunately, I landed in a field a bit more suited to me than professional sports. But his belief that I could do anything at all convinced me of the same. All of those years of being the only woman in the room didn’t faze me as much as it could have, as he had instilled in me the confidence that I belonged at the table just as much as anyone else. I’ve had the great fortune to work for so many great leaders since then, and have learned from them all, but this fundamental lesson will stick with me forever.

What do you feel is the most important aspect of your job? I believe one of the overarching mandates on the CISO, and their organisation, is to make cybersecurity risk understandable throughout the enterprise. If we miss this fundamental piece, much of the other work we do won’t outlast us! Well-crafted policies, strong defences, resilient infrastructures – all of these things are critical, but if the heart of the enterprise – the people – don’t understand the “why”, we aren’t creating cybersecurity strategies for the long term.

What metrics or KPIs do you use to measure security effectiveness? I believe in having a robust suite of metrics, KPIs, and KRIs in order to develop, operationalise and communicate cybersecurity strategy. I believe though that we can get overly focused on metrics because they are nice and quantitative, where the majority of what we do, and the risk we mitigate, is nuanced and complex. Therefore, the metrics are important, but they support the story – they don’t tell the story.

There’s no one set of metrics that is a magic bullet. At HP Inc. we keep a platform of metrics data, where what we show in any given dashboard differs based on the audience – for example, what resonates with our CIO is not necessarily what’s going to resonate with the board. This approach allows for continuous improvement on what we track, where we show it, and how we communicate what it means.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Certainly no one is immune to the shortage in the cybersecurity field right now! I am incredibly fortunate at HP Inc. that we have a strong, dedicated, extremely capable team. But we are also looking to grow and sometimes that means getting creative as well. To address the gap, the cybersecurity industry needs to look beyond the usual skills and qualifications. Cybersecurity teams should seek transferable skills like expertise in risk management, business analysis, sales, project management, marketing, and communications. Some people may have knowledge of a given enterprise environment, experience in a complementary field, or creativity in strategic vision and long-term planning.

We also need a variety of experience levels and more diversity. This includes people moving from other industries, historically underserved populations, and workers without traditional degrees. Hiring managers must be intentional about what skills they really need to hire and consider what skills can be taught on the job.

Cybersecurity is constantly changing – how do you keep learning? That’s one thing I love about this field – it is always changing! My first line of education always is my team. They are doing so much cool work, and I always learn when they share with me. I augment that with ongoing dialog across the industry – other CISOs, product specialists, venture capitalists – everyone sees something different in their world and if we keep exchanging with each other we will lift all boats. Because there is so much constantly changing and developing in cybersecurity, it can be tempting to focus all ongoing education only on cyber. I get a lot of benefit by opening the aperture on where I am reading and learning to make sure I’m focusing on domains outside of cyber as well. In addition to helping me be the best board member that I can, where my scope is not limited to cyber, it also refreshes my mind to get exposed to new topics, and I’m better able to do my primary job as well.

What conferences are on your must-attend list? Of course, RSA is always useful for maintaining connections and making new ones. It can also save a lot of travel to have one’s key partners all collected in one place for the week! I’m also a big fan of the smaller, more community-focused forums like B-Sides.

What is the best current trend in cybersecurity? The worst? The most concerning trend is that the move to the hybrid work model has led to risky behaviors – our recent HP Wolf Security Rebellions & Rejections report found 31% of office workers aged 18-24 had tried to circumvent security measures. The rush to remote working tempted many security teams to add more restrictions on employees as they work outside traditional on-premises infrastructure. But these security measures were designed for when remote working was the exception, so must be viewed through a new lens. This means acknowledging that real life, especially in a world of hybrid work, doesn't always mean people will follow policies.

With that in mind, hybrid working is also ushering in the best current trend: the rise of collaborative security cultures where it’s understood that cybersecurity is an end-to-end discipline, and everyone has a role to play. Successful security teams are listening to end-users and understanding how security impacts them, then re-evaluating based on the needs of the enterprise and the hybrid worker.

What's the best career advice you ever received? Communicate the BLUF – “Bottom Line Up Front” – early and concisely. There’s no need to automatically segue into “because” unless you are asked for more – don’t talk past the close!

What advice would you give to aspiring security leaders? Understand the business of which you are a part. There is no one cybersecurity strategy for all enterprises because every company is different – similarly, you cannot effectively define and lead a security team without knowing your company’s strategy, risk appetite, and value proposition. The north star I’m always aiming for is the optimal intersection of cybersecurity program to company risk.

What has been your greatest career achievement? Any time I hear that I made a difference to someone – it doesn’t get any more fulfilling than that.

Looking back with 20:20 hindsight, what would you have done differently? Asked more questions. I’m not convinced you can ever ask too many.

What is your favourite quote? Maya Angelou: ‘I've learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.’ I am convinced that is one hundred percent true.

What are you reading now? Religions of Rome by Mary Beard. I recently read SPQR and no one writes history better, in my opinion. She can make actual history give historical fiction a run for its money. I love to read about ancient history, and see both the parallels to life today, and the vast differences.

In my spare time, I like to… When I’m not working, my decompression is knitting and cooking (not at the same time). It’s very gratifying to create something with one’s own hands… if the cybersecurity gig doesn’t work out, I probably have enough wool to open a craft store.

Most people don't know that I… Was a champion amateur mountain bike racer. I never had enough talent to take it any further, but for several years most weekends would find me and my bike getting muddy on a trail. I’m too old now to take some of those risks I took back then, but I still look with pride at some of the rocks I cleared on my steel hardtail bicycle.

Ask me to do anything but… Only eat one tortilla chip. Especially if there is queso in the vicinity.