Secret CSO: Christine Bejerasco, WithSecure

Name: Christine Bejerasco

Organisation: WithSecure

Job title: CISO

Date started current role: January 2023

Location: Helsinki

Christine Bejerasco has been in the cybersecurity industry for 19 years. She started during the era of network worms. She has seen the threat landscape evolve with the technologies that have been introduced, as well as changes in regulations and user behaviour. Bejerasco has worked in various capacities during these times, from analysing threats, to building protection capabilities, to leading teams to effectively deliver these capabilities. Prior to becoming CISO at WithSecure, she held the role of CTO, looking at the intersection of threats, technologies and user-behaviour to build future-proof cyber security solutions. Now, as CISO, she brings her experience into practice by exploring ways to help organisations evolve and become more resilient to cyber threats.

What was your first job? How did you get involved in cybersecurity? I’ve worked in cyber security since graduating from university. I started out as an antivirus engineer, analysing threats and building detection and clean-up tools during the time when file infectors were still prevalent. I eventually shifted to focus on web security upon realising that more threats had been using the web as an infection vector. All throughout my career, I have built protection capabilities, designed systems to operationalise protection, led and trained teams to continuously improve protection capabilities and racked up wins in defeating cyber threats.

What was your education? Do you hold any certifications? What are they? I hold a Bachelor of Science degree from the University of the Philippines.  In addition, I am a certified ethical hacker and incident responder.

Explain your career path. Did you take any detours? If so, discuss. Back in 2003 when I graduated in Computer Science from the University of the Philippines, I spent some time considering my options. There were a lot of entry-level coding and tech support positions that would have been steady work, but these roles didn’t light the fire for me. Then a friend tipped me off about an opening for an antivirus engineer. The idea of protecting networks and overcoming challenges really struck a chord and cybersecurity has been my path ever since.

My journey has been largely shaped by the changes in the IT world, and my own skills and experience have increased. For example, I shifted from combatting risks like drive-by-downloads to developing automated tools for identifying compromised websites as web 2.0 picked up steam.

In general, I like the combination of technical, inspirational, and bringing people together. As such, technical leadership slowly became a natural path for me, as well as educating various audiences related to cybersecurity.

Was there anyone who has inspired or mentored you in your career? I still have a mentor, especially now I’m in the executive team where the level of abstraction and vocabulary is very different from what I’m used to. Mostly I’ve been fortunate to have leaders who took a chance on me and opened doors to roles I wouldn’t have had if they hadn’t taken that risk. They have been some of the more inspirational leaders I’ve met.

What do you feel is the most important aspect of your job?  Embedding cyber security thinking into everything we do. We can no longer separate our real world into physical and digital, they are blended. As such, building a secure-by-design ogranisation everywhere is essential. It’s important that I help implement that no matter which role I’m in, and help others implement it in their spaces too.

What metrics or KPIs do you use to measure security effectiveness? I use a few:
- Number of relevant assets with protection layers
- Number of cyber risks mitigated
- Number of hours/days before an attack is spotted, then stopped
- Number of initial infections that didn’t take vs. real incidents (if possible, to measure)
- Trendline for cost for real attack recovery in the organisation

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is. Cyber security has gone from being completely external to an organisation, to becoming a fully integrated function, so businesses are hiring offensive security consultants, incident responders and looking to building internal Security Operations Centers. These are all skills we are also hiring for.

Cybersecurity is constantly changing – how do you keep learning? I stay on top of technological trends and how market adoption of those trends is influencing the new threats coming out. It’s an interesting, continuous game of opportunistic players, as well as persistent actors, who are motivated to get the assets they value and so find ways to get them.

I’m also motivated to find practical, simpler, and more cost-effective ways to stay secure, and that’s always a moving target. It’s not hard to keep leaning when the topic is interesting.

What conferences are on your must-attend list? To be honest, I don’t have a “must attend” list anymore. Many conferences nowadays have a cyber security angle, simply because the world is catching on to the importance of the topic. Many conferences also have loads of tech start-ups that are building many different things via new concepts such as web 3.0, the metaverse, and augmented/virtual reality. And that’s an exciting area to perform threat modelling.

What is the best current trend in cybersecurity? The worst? The best trend is the rise of regulations that necessitate the need for security to ensure the safety of our digital society. The worst is the geopolitical conflict that complicates our capacity for law enforcement cooperation to take down criminal gangs.

What's the best career advice you ever received? As you progress higher, you need to be more of a generalist than a specialist.

What advice would you give to aspiring security leaders? Think about human psychology and group behaviour. Cyber security needs to be embedded into the way we live, work and interact with each other. We can’t expect people to go out of their way to secure something; it won’t be a priority for them unless it’s their day job. We need to shape the path to make it natural for them to stay secure.

What has been your greatest career achievement? I am most proud of what we did in the Tactical Defence Unit (TacDef) – now known as WithSecure Intelligence – when I was leading the unit in 2019-2021. In an organisation that built many different products that relied on common services, there was much firefighting and things falling between the cracks when I started. At the time, TacDef served four different business units within the organisation, the stakeholders were unhappy about the performance and employee morale was low. Upon getting the head position of the unit, I knew that I had to make changes. Turning firefighting into continuous operations that include a high level of automation using tools that the organisation already had, has been a delight. Harvesting data from operations and making that visible to stakeholders also made it easy for them to understand what they are paying for. The unit has since evolved into WithSecure Intelligence and I’m really proud of the ground-breaking work we’re doing.

Alongside that, raising new leaders who started out not knowing what stakeholders meant, to those who now own their areas of expertise, and live and breathe continuous improvement has been a highlight of my time leading the unit.

Looking back with 20:20 hindsight, what would you have done differently? I can’t really think of any.