Secret CSO: Bridget Kenyon, Thales eSecurity

Name: Bridget Kenyon

Company: Thales eSecurity

Job title: Global Chief Information Security Officer

Date started current role: November 2017

Location: Cambridge, UK

Passionate about information security, Bridget Kenyon has served as head of information security at University College London and a security researcher at DERA. Today, Bridget is the Global CISO at Thales eSecurity, which provides data security solutions and services.

What was your first job? My first job was as a graduate engineer at an aerospace company in Birmingham called Lucas Aerospace.

How did you get involved in cybersecurity? After a couple of years working at Lucas, I decided to start looking for new opportunities and came across an entry level role at DERA. I applied to be a part of the Network Vulnerabilities Team and worked on a number of different projects during my time there.

What was your education? Do you hold any certifications? What are they? At school I was always interested in the more technical A Levels such as Physics and Maths, which led me to go on and complete an undergraduate Master's in Physics with Astrophysics at the University of Birmingham. I also have Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) qualifications.

Explain your career path. Did you take any detours? If so, discuss. Once I'd built up my technical experience working in network vulnerabilities, I got a job as a systems specialist at Aston University, before becoming an IT development officer at University of Birmingham.

After around five years of hands-on IT roles, I became the information security officer at University of Warwick where I was responsible for agreeing policy, reviewing security for the academic, administrative and technical departments, and providing expert advice during security incidents.

I then moved from the West Midlands to Cambridge and worked as a consultant on payment card security, during which time I got involved with the International Standards Organization (ISO). My role with ISO still runs in parallel with my day job and involves international collaboration and negotiation to drive forward all of the standards in the Information Security Management stable, including ISO/IEC 27001.

Was there anyone who has inspired or mentored you in your career? I've been lucky enough to have some amazing line managers throughout my career, including Gavin McLachlan at University College London who was very supportive and great at helping me to understand that security is about people, not technology. I also worked with Mary Visser at the University of Warwick who made me realise you don't just have to copy men, you can be yourself and still do a great job. While working at the ISO, Edward Humphries has been a great mentor as convenor of the whole sub-committee.

While I haven't worked with her, I also very much admire Neira Jones. She has done a lot of work in payment card security and is a great source of positivity, which comes across every time she gets on stage to speak. She is a fantastic role model.

What do you feel is the most important aspect of your job? Working out how to deal with existing priorities when it comes to managing security and liaising with customers, to ensure both parties have a workable common understanding of responsibility and actions to be taken. It's also extremely important to engage with the wider business community and work out how security can support and inform different parts of the organisation.

What metrics or KPIs do you use to measure security effectiveness? For those at the executive level, I monitor and measure three different areas:

Asset protection - how are certification activities progressing and how mature are we as a business in identifying and managing information risk? What is the awareness across the organisation, and how much value are we getting from security technologies?

Threat level - how hostile is the world? Using threat level indicators from a variety of different sources, including government agencies and the Internet Storm Centre (ISC). Of course, this also includes threat level indicators from the wider Thales Group, as well as attack and alert data from within Thales eSecurity itself.

Compliance - monitoring contractual compliance, including customer requirements; legal compliance, including regulations such as GDPR; and finally, compliance with Thales Group.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, it is, especially in developer and security engineering roles. It's interesting that although the nature of the organisation is to provide tools and software for security, it's not just the security function that is affected by the skills shortage; it is felt across the business. In today's environment, it is challenging to attract and retain staff. Even when you find a strong pool of talent - such as we have in Cambridge - other organisations catch on and begin opening offices in the same location.

Cybersecurity is constantly changing - how do you keep learning? With the information security industry constantly changing, to continue learning you have to ensure you are doing so for a purpose and that you remain interested. A great place to learn is blogs and mailing lists, as well as looking at information put up by authorities like the NCSC. I also find huge value in networking with current and previous colleagues in my sector and other sectors.

What conferences are on your must-attend list? Infosecurity Europe - everyone is there, and the talks are good quality. I also attend the UCISA security conference, which focuses specifically on higher and further education, as I know a lot of the people who go along from previous roles. TEISS and ISACA are usually on my list as well.

What is the best current trend in cybersecurity? The worst? The best trend is that people are finally starting to realise that information security is not about one person typing away in the corner, making sure everyone else is safe. It's slowly coming to light that security is not just a problem for the IT team, but a concept that needs to be driven from the very top of an organization to achieve genuine value.

The worst trend is the term 'cyber security' as it seems to have turned the clock back on awareness. When people think about cyber security they think of technology, but technology won't solve the security problem, people will!

What's the best career advice you ever received? If what you're doing isn't working, try something, anything, else -- don't keep trying the same thing! If you're telling people the same thing repeatedly and it has no effect, something different might just work, even if you're not sure.

What advice would you give to aspiring security leaders? Be aware that as you move towards a leadership role, it's very likely that you will lose contact with the technology, as you simply won't have the time to keep up with it. If you're interested in strategy and want to learn about how people think, as well as organisational risk, it's perfect.

What has been your greatest career achievement? Building the information security capability at UCL. I started with a computer emergency response team, where the remit was all around patching, malware and antivirus. During my time there I set up and defined seven different security services and recruited individuals to provide those services. Seeing how that team worked and provided meaningful information to the execs was a real achievement.

Looking back with 20:20 hindsight, what would you have done differently? I would have tried to be more patient. I was always very keen to try and do everything at once and didn't necessarily put in enough ground work before trying to introduce innovations.

What is your favorite quote? "Do what you can, with what you have, where you are." Theodore Roosevelt

What are you reading now? Ready Player One, by Ernest Cline

In my spare time, I like to… Garden. I've got a huge spreadsheet listing around 200 different plants I want to grow.

Most people don't know that I… Love baking! I often bring things into work and my favourite thing to bake is a Jewish bread called Challah.

Ask me to do anything but… Something that should be automated - anything where I think 'a computer should be doing this' - and it would probably do it better than me!

