Meet Narelle Devine. From her tenure in the Royal Australian Navy, to her current role as CISO for the Department of Human Services, Narelle’s career has been one of service to Australia.
In this interview, Narelle shares her thoughts on cyber security best practices, what non-tech executives should know about this talent pool, and how / why the CISO should be integrated into the C-Suite.
Arielle: Cyber security is relatively new as a career path.
And, in fact, you became a CISO without direct cyber security experience. How did your tenure in the Navy prepare you to become a CISO?
ND: My career in the Navy provided me with cyber experience that I would not have seen anywhere else except the military. My preparation started while undertaking my Bachelor’s Degree where I majored in Information Systems and English.
That was followed by my first Master’s Degree, where I completed a Master of Science in Information Technology.
At the time, I was managing the networks of all ships in the Fleet and building systems that were resilient. As you can imagine, security was critical.
During the course of that study, I was introduced to the concept of ethical hacking and quickly realised this was an area that I was incredibly interested in.
After spending several years of my career as a Warfare Officer specialising in Communications and Electronic Warfare—fields that both gave me extensive technical knowledge—I was given the opportunity to be the Navy’s first Director of Cyber Warfare.
I worked in the Joint environment, shaping the way the ADF (Australian Defence Force) would embrace cyber warfare into the future. During this period I also completed my second Master’s Degree in Systems Engineering.
The networking and technical skills that I obtained, combined with the warfare training which involved understanding intelligence, tactics and the adversary, all have given me an excellent foundation as a CISO.
Arielle: How can others with a desire to move their career into the cyber security world learn from your story?
ND: Honestly, it was never my ultimate career plan to end up in cyber security. It didn’t exist when I entered the workforce but it was something I developed an interest in, and I took every opportunity that arose to develop those skills.
It is still relatively new, and the breadth of skills needed to run excellent cyber operations is vast. If you have the right aptitude and desire to learn, you can work in cyber security.
You might be an IT specialist who understands networks and coding. You may be an amazing manager who can coordinate investigations.
You may have excellent engagement skills and use them to increase cyber awareness—or to procure new technologies.
The only essential requirement is to be curious, a team player and willing to learn. Of course an interest in computers helps.
Arielle: You’re active in getting young women interested in your field, including speaking at the Women in Cyber Mentoring Event in Sydney last year. What trends are you noticing?
ND: IT is still a male dominated area but we are seeing more women entering the team with legal, psychology and project management skills.
Some of my best forensics and intelligence officers are women.
Interestingly, we are seeing more and more women showing amazing aptitude for penetration testing. The workplace is definitely evolving too with more flexible arrangements that suit staff with caring responsibilities.
Arielle: What do women in particular have to offer the field of cyber security?
ND: In my experience, I’ve noticed that women in the forensics, intelligence and incident response teams are more likely to think about human connections and social implications. I think they also bring a strong people focus to the different teams.
Each may have their time and place to be the right fit for a particular task but certainly the mixed gender teams bring a great blend of ideas, leadership styles, creativity, technical methodologies and culture that is hard to beat.
That being said, I am very blessed to have a team that work like a family with everyone caring for and looking out for each other, especially when we are in a high-pressure situation.
Arielle: On two of your podcasts with australiancybersecuritymagazine.com, you talked about how challenging it is to build a strong cyber security team.
You mentioned that traditional recruiting strategies aren’t effective and that the field needs to be “demystified.”
What advice would you give to CEOs and CHROs, for whom cyber security is a priority, especially those at smaller or less technically “sexy” businesses?
ND: Start with the CISO. Find a strong one who can provide reliable, timely, forthright and accurate advice.
For cyber security to work it needs to sit in the C-Suite, and the CEO and other executives must want to understand the cyber risk.
CISOs need to be able to communicate effectively in the boardroom and translate the technical reports so that they are able to understand the business risk and financial cost. An understanding of the threat is essential, and that will vary depending on the size and type of the business.
If your company owns a computer and has an internet connection, you really need to care about cyber security. What may seem like a large investment now will be insignificant compared to the potential costs should you have a major breach or compromise.
Arielle: What should they know about retention and training that is different to the norm?
ND: People with cyber security skills are still relatively rare and it makes sense, if you are big enough, to balance experienced staff with enthusiastic newcomers so you can ‘grow your own talent’.
As a government department we are competing with big organisations, often with bigger budgets than ours.
Investing in high quality training and ongoing development opportunities is paramount to keeping staff long enough to skills transfer to the up-and-comers. Having a pragmatic approach to staff movements also creates a culture that supports the career aspirations of our staff, because as long as they stay in the cyber security ecosystem, the sector benefits.
Since this is an emerging field, it’s important to think through all the factors that could attract and retain the right people. I’ve mentioned training and development, but culture is also critical.
If people feel supported and valued in their team, they are more likely to turn up every day and try their hardest. This comes from strong leadership, open communication, transparency of priorities, celebrating successes, and looking at failures or challenges as opportunities to learn.
Overall, it’s important to keep them interested. You will be dealing with people who are inquisitive by nature and looking to try new things.
If you are able to let them be creative and give them the scope to do some interesting things, without breaking your network, of course, they will often not want to move on, even if the pay cheque is bigger.
Arielle: How important is networking, and what advice do you have for recruiters and hiring managers?
ND: I am a big supporter of providing opportunities for staff to work with other organisations or have others come to ours to continue their learning and development.
Working together strengthens relationships with other agencies and corporate organisations, all of which can be an asset when things are not going well.
Recruiters and hiring managers need to understand the different opportunities that exist in different sectors and how diverse the roles can be, before they will be likely to find good matches for potential employees.
Some will be motivated by money, but others by the scope of work and the opportunities those provide. Understanding the motivation of the candidate also helps.
Arielle: I recently listened to your joint interview with Sandra Ragg, where you both speak of the need to create a work environment where everyone can achieve their best results.
This strikes me as very untraditional for government work.
How did this approach evolve, and what recommendations can you make to CHROs around shaping their culture to build a highly productive cyber team?
ND: The traditional government working style doesn’t align with the reality of a cyber operations centre. Unfortunately cyber criminals do not work during core business hours so our staff don’t either.
If there is an incident we need to investigate to protect Australians, the community rightly expects we will be relentless in our efforts. We protect a great deal of sensitive personal data of almost all Australians, as well as $170 billion of taxpayer money. So we need to be working round the clock.
This means the team needs different things from their other departmental colleagues, such as flexible working arrangements, shift provisions, overtime, a work environment that suits 24/7 operations, and a management team that accommodates those hours.
Arielle: The traditional C-Suite has evolved in recent years and continues to reinvent itself.
As part of this, we’ve seen many new C-titles appear besides CISO. There’s CSO, CDO, CGO, CXO just to name a few.
What’s your take on this … is this happening for the better?
ND: I think it is for the better. The introduction of the CISO has been a great addition for cyber security so I’m going to assume that other fields have had similar success by creating a C-Suite leader.
Of course, there is always the concern that the executive becomes too big, and for smaller organisations it then becomes a choice of which ones to include and not to include.
Arielle: How do you see the structure of the C-suite evolving in the next 5 years?
ND: I think in the next 5 years some of the evolving C-Suite titles will vanish. There is quite a bit of crossover in some areas.
I think the likely future executive group will start to formalise somewhat depending on the size of the organisation and the business functions. I think at the moment there are a lot of models being tried, particularly for the CISO, and I don’t think it is one size fits all.
For an organisation that uses but doesn’t build or develop IT I can see the benefit in the CISO reporting to the CEO or COO. But for organisations such as ours that have a huge IT shop, having it report to the CIO makes a lot of sense.
I think the models will need to be flexible but I think there will be some better guidance based on the experiences of the coming years with these additional functions.
Arielle: In your experience, do CEOs generally “get” the importance of the CISO role?
ND: In big organisations – yes. In small and medium organisations I think they are still largely trying to find the right balance between the investment needed and the return.
Arielle: What are some of the myths that a CISO typically has to dispel when they enter an organisation? It would be great to speak from your personal experience here.
ND: The biggest mindset change is that cyber is an investment, not an insurance policy. As you grow the cyber capability of any organisation you will have more visibility and therefore likely find more issues.
That doesn’t mean that there is suddenly more cyber activity in your network – it just means that now you know about it.
Arielle: How might this differ in a pure corporate setting, particularly a small / medium business?
ND: I think the principles remain the same; however the strategy that is established may be quite different.
There is some basic cyber hygiene that can be done through making good choices when configuring a commercial off-the-shelf IT service. Combined with instilling good cyber behaviours this can be very effective.
Arielle: Is there a particular communication challenge for CISOs? (For example, the need to make technical knowledge easily understood by all stakeholders, including the individual employee).
ND: Do not underestimate the value of having communication specialists in your team.
If you can teach them enough technical knowledge for them to ask questions and then develop content in a way that makes sense to someone with no cyber knowledge, then you have a valuable resource.
It is often difficult for some IT experts to understand that not everyone thinks the same as them, or has the same level of passion. So an ‘advocate’ for the unaware is a useful addition to the team.
I have found the more I speak publicly, engage in social media channels and attend events, people want more information and their questions give me great clues on where they want the veil lifted.
The key here is listening more than talking. That gives insight into information gaps and helps you work out what is the most important thing to let people know. Using all the channels you can, such as internal communication channels, social media and traditional media, all contribute to the ongoing discussion.
The challenge for all people in this space is to be able to be open, transparent and engaging without disclosing operational capabilities and increasing your own attack surface – it is often a delicate balance.
Arielle: In terms of your own career development, who have been your best mentors along the way and why?
ND: I have worked for some exceptional senior officers in the military that I have learnt a lot from. I don’t think it is until you step away from the ADF you truly value the investment in leadership and management that the military provides.
These officers taught me how to make difficult decisions under pressure, and the importance of having those first few immediate actions drilled to a point of them being completely instinctive.
I’ve also been fortunate throughout my career to spend time overseas where I have met and worked alongside some amazing technical minds. Because of this, I acquired detailed technical skills that I would not have had the opportunity to get otherwise.
They taught me that while you don’t need to (and shouldn’t be) hands on keyboard as a cyber executive, you do need to know enough about the network and the technologies to be able to engage fully with your staff, and to be able to make sound technical decisions. You then need to be able to understand the business and translate those decisions into risk statements that are understandable to the rest of the board.
My fellow CISOs also offer a lot of knowledge and wisdom. Not just in government but across the private sector. Many of them have been in these roles longer than me, and are very willing to share their experiences and provide advice.
While the role is new and we are all on this journey together, I find great comfort from the guidance I get from those that have been doing it for longer.
Also, I have some mentors completely outside of the military/technical/CISO space—people who are exceptional at communications, branding and public speaking. These areas are certainly not things that I have formal education in or years of experience. The advice that they have given me, particularly over the last 18 months since the public profile of the Cyber Branch in the department has increased, has been extraordinary.
Arielle: Anything else you think our audience should know about your work, your career experience or the cyber security realm?
ND: Absolutely. First off, I think being a CISO in particular is something that requires a unique skill set. The reality is you need a technical understanding and need to be able to understand business risk, while also being able to effectively communicate and manage people.
It is a rare blend – and does not lend itself to a single path of study.
The military was an excellent base because you can have a diverse career where courtesy of changing roles every couple of years you are exposed to both technical and managerial positions.
Second, cyber security is a very dynamic field. You need to want to keep learning and continually change your workforce to meet the changing threat environment.
But this alone will not see you be successful.
Relationships are everything. You need excellent relationships across the network operations staff, as they are truly the first line of defence, even with a large cyber footprint. Your entire organisation needs to be cyber aware – it will only take one person to click on the link to undo an enormous amount of hard work in your cyber area.
Lastly, you need to share and collaborate with a wide variety of like-minded people and organisations, and you need the confidence and trust of your peers to be able to disclose your vulnerabilities and successes for the good of the larger cyber ecosystem.