Security Masterminds

Securing Your Organization and Protecting Yourself, with Special Guest, Karen Worstell

December 09, 2022 Security Masterminds Season 1 Episode 13

In cybersecurity, one way to protect the organization follows Sun Tzu's Art of War: know the enemy. One way to protect yourself in cybersecurity is to keep a healthy work/life balance.

"I think this is the best industry on the planet. I have always felt that I believe the opportunity for all people who want to work here if I, as a designer of Barbie doll dresses, can run cybersecurity well for some major brands. Well, I think what that says is this is both creative. It's creative and technical. It is broad and deep. It always changes; it's always evolving. You'll never be bored, and you'll never be unemployed."

Karen Worstell is a senior cybersecurity strategist at VMware. She shares the story of her time in the cybersecurity industry since the 1980s and has served as a data processing analyst, Chief Information Security Officer, and research and engineering consultant.

In this episode, you will learn the following:

1. How did Karen Worstell's journey in the cybersecurity industry help her grow as a person and leader?

2. What are the benefits of creativity in cybersecurity?

3. How does culture play a role in work-life balance for CISOs?


Connect with us:

Website: securitymasterminds.buzzsprout.com



This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/
ShowNotes created with Capsho (www.capsho.com)

Karen Worstell:

Truth is I'm 98% right-brained. So the idea that I would be doing anything like computer science was not something that I anticipated as a young person. My name is Karen Worstell. I've been in the cybersecurity industry since the 1980s, and I currently serve as a senior cybersecurity strategist at VMware.

Sarah McQuiggan:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

A CISO within an organization is a challenging role. It can be stressful to protect and reduce the risk of a cyber attack, and it's crucial that everybody in cybersecurity not only works to protect the organization, but also their own health and wellbeing.

Erich Kron:

Karen Worstell, a senior cybersecurity strategist, tells the story of her journey in the industry from being a data processing analyst to a chief information security officer. And the challenges with burnout and her incredible story.

Sarah McQuiggan:

This is episode 13, securing your organization and protecting yourself with our special guest, Karen Worstell.

Erich Kron:

Okay, so Jelle, I'm really excited about this talk today about this interview. This was a fantastic discussion and I think people are gonna really find a lot of value in this. I know that some of these are, are some long explanations, but I gotta tell you, every minute I was involved in this interview was worth it.

Jelle Wieringa:

I gotta say there were parts where I was really speechless. It was really, really good. It's gonna be an episode people will enjoy and remember for a long time.

Erich Kron:

Yeah, absolutely. Amazing stories. And part of that story was we initially asked Karen, how did you end up in this industry and how has your journey and experience helped you grow as a person, a cybersecurity professional, and a leader?

Karen Worstell:

Well, the truth is I'm 98% right brained. So the idea that I would be doing anything like computer science was not something that I anticipated as a young person. I loved music and art and my big passion growing up. I learned to sew at a very young age, and I designed ball gowns for Barbie dolls. So that was the thing that I loved. I still love music. I play Celtic harp and piano. It was just not really in my plan, and fortunately, or unfortunately, depending on how you look at it, I had a father who really had expectations that his daughters would be scientists, and the plan was for me to attend university, and I was going to major in chemistry and I did that and I also was a performance person in music at the University of Washington. I really struggled with the curriculum my very first year taking all of the classes that were necessary to be in that field. And so physics and calculus and chemistry and all of that. Oh my gosh. It was the most difficult thing I'd ever done. And at that point in my life wasn't a lot because I was only 18. But when I, I went back to my dad one day and I said, "Dad," I said "all of my humanities classes, I'm straight A's. I don't even have to work to get A's in humanities and social sciences. If I were to change my major and do something more aligned with my talent, I would be Phi Beta Kappa. So what do you think?" And he said, but who would pay for school? And it was like, well, you know, and I wasn't, at that point, I wasn't enough of a rebel to say, I'll pay for school, you know, do it myself. So I stayed and I, not only that, I got, I got a degree in biology, molecular biology, a degree in chemistry, and that was where I, I had no idea what I was gonna do with that, but I did really actually learn to like it. I just worked five times harder than everybody else in order to get through school. As it turns out, I had my first child right after graduation and so I took time off.
I was a full-time mom for a while, and then came to the realization that I had made some life choices that if I did not change and get into a career that I was gonna be able to earn a salary at, I was gonna have serious difficulties. There's a whole nother story I've told on those lines, but I, I'll shorten it here. About that same time, my brother, my very geeky hacker brother, he was a hack, a full, a legit hacker. This was in the 19, early 1980s. He came over and he brought me a TRS-80 Model 1, laid it out across the kitchen table cuz that's how much space it took and said, sister, you need to learn to code. And I'll help you. And so I started working on the computer in between chasing around two toddlers. Found out I was really good at coding and I liked it a lot. And it was a great combination, for me, of the analytical skills that I had learned and the creative skills that were more innate to me. And as it turned out, the local university opened up a computer science program and I wasn't sure how I was gonna do it cuz I had no money. But I applied and I got in and I got in with a lot of grants and then scholarships and I ended up doing computer science and, okay so the cybersecurity piece came in cuz nobody called it cybersecurity then. We only had, there were only three products on the market. There was ACF2, RACF and government furnished crypto gear. That was it for security products. And it was even when we got credit for hacking the school's VAX machine. So I think I got hooked on it when my software engineering professor encrypted the final, and the rule was that had we built the code break tools all semester that were assigned as part of our regular homework, we would have the toolkit necessary to take the final, and it gave us 24 hours to take the final. There were 10 questions with 10 different encryption algorithms and 10 different keys.
So not only did we have to do the security thing to get into the exam and take the questions, but then, you know, we had to do the coding that was required in the exam. So it was really, I was super hooked. Like I was so hooked. That was the most fun I'd ever had in school. So when it came time for me to do a thesis, he gave me a problem, which ended up being CDMA, that Sprint's algorithm that they used for their mobile communications. But it was building fast wireless hardware encryption techniques. So when I finished, I got hired immediately by the Boeing company and I was technically a data processing analyst. My job was security administration for the government classified projects that they were working on at the time. And that's how I got started off when I got hired by the Boeing company. And I did roles in the government projects for the Boeing company and eventually evolved into research and engineering, consulting and operational roles as a chief information security officer for multiple brands.

Erich Kron:

So I think it's great cuz every hero needs to have an origin story and I really like hers. There's some things that you can really learn from that and, and one of the key things that I go back to, and this is a life lesson that I've learned, is that just because you can do good at something doesn't mean you should do that. Sometimes you can just work harder. But there's a lot to be said for being in a role where it's not just hard work every day. And, and I think a lot of younger people especially haven't experienced that in their lives, but it was very clear with her going to school that she was fighting an uphill battle in her initial degree stuff, because while she was good enough to pass, like she said, she had to work five times harder than anyone else.

Jelle Wieringa:

Yeah. And she also says she's right brained. And you don't see that too often in security, unfortunately. And I actually think that creativity is really cool cause hackers are creative, right? That's what they have to do to get in. So if you're a security practitioner, you actually can benefit or a CISO can benefit from that creativity, from being creative for yourself. You better understand them. You can better think like them. And that helps. And especially when we see CISOs moving up in an organization and becoming part of the C-suite. And we often see that the analytical side is more appreciated. And the creative side is kind of pushed aside here. I feel that creativity should have a right, well, it has a rightful place in security and should be valued. And if you can combine the left and the right side, right, creativity and analytics, you're a powerful person.

Erich Kron:

But I think it's fascinating and it's very useful to have all those different views of things. I wanted to know what is her view of the cybersecurity world as it stands, and this is how she replied.

Karen Worstell:

I think this is the best industry on the planet. I have always felt that. I believe the opportunity for all people who want to work here. If I as a designer of Barbie doll dresses, can run cybersecurity well for some major brands. Well, I think what that says is this is both creative. It's creative and technical. It is broad and deep. It always changes, it's always evolving. You'll never be bored and you'll never be unemployed. So yeah, I just encourage people who wanna get involved in that. There's so many different organizations who are helping to create ways for people to switch careers or to build the skillset they need to get an entry level job. And yes, we still have some things we need to work on in terms of recruitment and all of that kind of stuff in the industry, but yeah, this is the best place you could possibly work. And I would highly, highly encourage people to pursue a career if they have any interest.

Erich Kron:

You know, I, I have to agree. I think this is fantastic, and I like the way she put that at the end, if you have an interest, because I have talked to people and as we see cybersecurity becoming more and more popular as a field, I see a lot of people in schools, for example, telling kids that, you know, you graduate and you get a six figure job. And so they go through all this kind of stuff and find out that it's, it's not a Monday through Friday, eight to five job. So there has to be some caution in there. But I agree, I think it's a wonderful job because not only do I feel challenged, but I also feel like I'm actually making a difference.

Jelle Wieringa:

I think it's that making a difference. I speak to a lot of cybersecurity practitioners that are not just in it for the. They're in it for a bigger goal, right? We wanna actually make the world a safer place. We want to help people, and we do that through cybersecurity. And I gotta say, her enthusiasm about this is inspiring. She's so right. Cybersecurity offers so many challenges. It has so many different aspects to it. It's the same reason why I chose to come into this field and why I'm probably gonna stay in it for the rest of my life.

Erich Kron:

So, another thing about this industry, though that's interesting is ethics play a really strong role and I wanted to know a little bit, how does she view the work ethic in the cybersecurity industry?

Karen Worstell:

Having a work ethic that is like above and beyond is a very admirable thing, but we have elevated it to that being the thing and at any expense. And I'll tell you the thing that really brought it home for me, because now that I talk about this so much, I hear from people a lot and I want to hear from them. And one of my former employees from another company called me one day and he had just read something I wrote and we got to chatting. It was so great to catch up with him and he goes, I wanted to tell you that I resonate with your story just like you just told me. And he said, but I didn't get the message when I was working and I broke my heart. And I thought he meant broke his heart. Like I'm heartbroken. No, he had a heart transplant. He's in his early fifties and I'm like, when are we going to get it? It's a corporate thing and it's an individual thing. It's the way we do performance management. It's the way we set standards and expectations. It's the way we continually push people to do more with less. It's the way we tell a CISO, I get that you have a 100 million budget ask in order to go fix security, but we're gonna give you 50. Go do it with 50. And the group of people here in cybersecurity happens to be a group of people who I call us protector defenders. We care beyond caring. We want to fix things. We want to prevent problems from happening. We wanna make things better to the point where we forget, we're self-forgetting. And now that I, like I said, I talk about this a lot. I hear about it a lot and I appreciate you for doing this and talking about it today. The stakes have actually gotten higher now that we see that a chief information security officer or chief security officer can be convicted on federal charges for concealing a ransomware attack. Now the stakes are even higher. So what are we going to do? And that's why, for me personally, this is a mission and the definition of a crisis is danger plus opportunity. And yes, we are in dangerous times, and we have an abundant opportunity in front of us to make things better, and that's what I hope we'll do.

Erich Kron:

Yeah. You know, I can honestly say, Jelle, I feel seen on this. I've let jobs get to me to the point that I was first one in the building. I was leaving after the cleaning crew at the end of the day and I think it's important that we note that this role can drive people, especially driven people, to the point of hurting themselves. And I love to see now in a lot of the conferences and such, they're having more of a mental health focus in a lot of tracks and even areas of these conferences where we can look at this and we can go, you know what, being who we are and in the job that we have, where it's just nonstop, we need to remember to care about ourselves because our own ethics will push us right over the edge and that doesn't help anyone.

Jelle Wieringa:

Yeah. So I looked up the definition for work ethic, and it is an attitude of dedication and diligence towards one's work. And I think that's not complete. The definition is lacking. It should include "and life balance" because it is that balance between work and life that makes sure that even though you can work very hard, if you have that dedication both in your work and your life, it makes sure that you actually come back to the office the next day and you don't end up in a burnout.

Erich Kron:

Talking about the work life balance thing, you know, we had a little bit of a culture discussion here, and I know that's becoming a hot topic. When I talk to people and I'm at conferences, we're starting to recognize that culture is this thing that's behind a lot of things. And so I asked her, I said, where does culture fit in with the role of the CISO when it comes to the work life balance?

Karen Worstell:

That's a really great question. I do think there's two pieces to it, and I'll try to be super brief. There's the me problem and the we problem that the cultural expectations that can be set up by the. We create a culture of work, right? Or a culture of leisure that the generally accepted practice, if I go take six weeks of vacation, I'm not gonna come back and find my job is gone. Right? Those kinds of, I'm not gonna find myself like not able to take other opportunities. I'm not gonna have people wondering if I'm really up for the job. You know, that is a we thing. The me thing is driven internally, so we have to look at both of them, and I'm not sure I, I've never seen a study about that before. I, I think cybersecurity leaders in general are certainly overtaxed. And that is universal and they're under-resourced and overtaxed and I don't know how much vacation helps that, you know, and nobody does.

Erich Kron:

You know, I think that's very interesting. What she's talking about here is really just wonderful to listen to, to hear, and to think about. Cuz we don't often stop and think about the culture of we and me, like she put it there.

Jelle Wieringa:

The one thing I've learned is that a healthy culture is a healthy organization. And when you look at work life balance, for instance, that is part or actually should be part of the culture in your organization. Because in the end, happy people, that's what you wanna strive for. Happy people are productive people. In the end, as an organization, that's what you want. But if you go on, we're in cybersecurity, we want a healthy security culture as well. And that all has to do with people being able to do that, being, having the mental resilience by being rested to participate in that. You need vacation days, you need PTO. But I think the return of what you're getting from that is way bigger because, well, you get rested people, happy people, people don't leave your organization, people that are willing to work for you because you take care of them.

Erich Kron:

With all of these different roles that she's had in these big organizations, especially as a CISO, we wanted to know how has she seen the role of a CISO change over the past years? And this is always interesting to get, especially from the inside out.

Karen Worstell:

Well, in full transparency, I will say that I pretty much stopped being a CISO before I actually got to the, have a seat at the boardroom. So I'm speaking largely through what I get from speaking to other people's experience in that space. My own is not directly there. I definitely had involvement with the entire C-suite, but to actually walk into a board meeting and give them a presentation is not something I did as a CISO. That being said, things have changed rather dramatically because first of all, the landscape of cyber has changed dramatically over the years. And we had nation, I mean, I, I can remember nation state briefings I had in Boeing days, and knowing that these were the kinds of things that we could potentially deal with, right? But to see the scale and magnitude of how that has come against us in all spheres of business, state and local government and personal lives is really something, is just breathtaking. And so, of course, the role had to evolve as the, as the stakes were raised. And I would say midway through my career was the first time I heard the words that I would be the "throat to choke." So if something went down, I mean, it was made that explicitly clear to me that if we had a major security incident, that I would be the one to hang. And that was a very sobering moment for me because there are so many things outside this sphere of control of a CSO, particularly today because when I, my most successful role, I believe as a CSO was when I ran all of IT risk management and did the CSO job at AT&T Wireless. And the reason I say that was successful was we had crystal clear expectations about what it was we were going to accomplish. So there was no equivalence, no, no equivocating I should say, about what my job was going to be. That was super clear. Boundaries were super clear. Goals were super clear, and my boss put everything I needed under me. Under me. I didn't have to deal with silos.
I didn't have to deal with people on the network side who didn't wanna do the job. That just didn't happen. And, and so CISOs today deal with a whole range of expectations of what the job should be. So, you know, we, we see some people at the very large companies who have major roles as chief information security officers, but that same title is applied to someone who may have a much smaller scope of control and a much narrower expectation about the things that they're going to have decision making capabilities about. So the range of the job is kind of all over the place, and I think that's working against us, when we start talking about conversations about who should go in and talk to the board, because unless you've got that scope of accountability and the span of control to be able to get the job done and to have the telemetry and the metrics and everything rolling up to you so you know what the business is doing, it's really hard to go in and give a meaningful briefing.

Erich Kron:

That's interesting. You know, this, this role has evolved and I think I agree with her in the fact that I think we're still kind of all over the place. The term CISO doesn't mean the same thing in every organization from small to large, and the roles aren't exactly the same, but I think it's becoming better defined than it has in the past. And I'm really liking that we're being given the authority, like she said at her AT&T Wireless job that she, she didn't have to deal with, well this, these people don't want to do this. And all the siloing, that still kind of happens on occasion.

Jelle Wieringa:

What I see happening is I see that the title CISO is still there, but in an organization there's other people that have part of what used to be part of the role of CISO are now kind of segmented off that and given to other people. So I think we have, what we're seeing in organizations is that they're splitting off the different responsibilities that are in a CISO suite, in a CISO role and allocating them to other people. That is a good thing because it makes, being a CISO, you can actually handle all the stuff that comes your way. Cuz one of the biggest things as a CSO is you're overwhelmed with work.

Erich Kron:

She mentioned it, you know, the throat to choke, that's always been something that, unfortunately, that role has, has kind of carried that. And I know some people that were CISOs at some pretty major organizations, they had a breach. Now the interesting thing though is that there's differing opinions as to whether or not that's the right way to go. So I wanted to find out from her, should a CISO stay on when an organization is breached?

Karen Worstell:

I wish I could be so optimistic. But the truth is that what just happened with Joe Sullivan and what just happened at Twitter with Peiter Zatko, tells me that we're heading in the opposite direction. And I am on a mission to change that because losing the institutional knowledge by firing somebody as the sacrificial lamb is not a smart move. But you know, somebody's like heads must roll. You wanna have the PR statement that says, well, we fixed that problem, we got rid of the CISO, or we charged them with a crime. And that's where things are headed, in my opinion. And I think it's about time to recognize that a true chief information security officer is not the person that you can point to that says, I'm so glad they're taking care of cybersecurity, that I don't have to. That is the person who is the subject matter expert with the role and responsibility for coordinating among all of the accountable executives how the job gets done. That's their focus. But to make them the only accountable individual is one of the gravest mistakes that has evolved over time. And ultimately, I believe what we will start to see and the outcome, you know, there's always a silver lining in a terrible situation. So the, the outcome that I believe that we are going to see is that not only the C-suite, the chief operating officer, the CIO, the CFO, the chief audit executive share in the responsibility of making sure that the security program is appropriate and in place and operational all of the time, right. That there's a duty of care and a duty of loyalty that they are operating under, but that the board of directors, and this is already coded now into regulations, but the board of directors is sharing in that accountability. So that when something big goes down, the chief information security officer's job is to make sure that everybody's apprised exactly where we stand and where we are at risk as much as they're able to do so.
But it's up to the business to fund and enable the right things to be done for cybersecurity. And if they don't, they should be liable for that. And I believe that's where this is going.

Erich Kron:

Yeah, that's always been a problem for me. And it kind of goes back to one thing that she said before, and that is you end up with these silos. So you're in security leadership, you see the things that need to be done, you're jumping up and down, you're yelling, this needs to happen, and yet someone else is going, no, no, no. And then when it all hits the fan, they go, well, you're responsible for all this. And I think that shift is something that's a big issue in those roles and spreading that out across the organization, keeping the institutional knowledge of the people that have been there for a while and not just having that role there as a sacrificial lamb, I think is a much better approach.

Jelle Wieringa:

Yeah, this, this has always been one of those hot potato topics, right? My personal view is this, I think first of all, it's about responsibility versus accountability. Yes, a CISO can be held responsible for the security at an organization, and if there's a breach, yes, he has a responsibility in that too. But the accountability should be shared by the C-suite. It should be that way. And look, what, what are you gonna do? Your organizations get breached. You get hacked. And what? You're gonna fire your CISO, who's gonna take care of the mess? Who's gonna clean that up? Right? Your CISO usually plays a very big role in turning the situation around; you need them. And then what are you going to do? You're gonna tell your customers, look, we fired our CSO. So everything is good now. So the laws of reputation, the laws of trust, laws of possible revenue, that's all good, all gone. 'Cause we fired the CISO. That's not how it works. You need a CSO. You need to enable them that if something went wrong in the organization, he can take his responsibility. He can do his responsibility and clean things up and get you up and running quickly enough. And after that is all done, sure you can talk about whose real responsibility it is and what the outcome of that is. But firing someone will only hurt the business more. You're losing such a valuable person. You don't wanna do that. It's one of those things where we need to make sure that everybody is on the same page because cybersecurity is simply too important for any organization to mess this up.

Erich Kron:

Yeah. Agreed. And it honestly is becoming part of everybody's role within the organization. And I think that CISO role of being the sacrificial lamb is something that's always bothered me in this. And one of the questions that we ask most of our guests, what do you see as the greatest threat to organizations in the next 10 years?

Karen Worstell:

Technical debt. Since the beginning of IT the focus has always been to deliver new capability, deliver new services to improve whatever, to build competitive advantage. That's where the focus of the investment has been, and that has come without the necessary extra investment to maintain that or secure it over time. So we've talked for decades about a growing security gap, which is here is the capability that we're building, and by the way, the security gap is not keeping up. And so it's just getting wider and wider. That gap is technical debt. And I know for a fact that closing the technical debt gap has a payback that people cannot quite imagine. And the reason I know this is because when we did it at AT&T Wireless and we, we had to do it. So there was plenty of motive. Incentive, let's call it, for the executive team to make this happen. When we closed the technical gap on security, what we ended up seeing happen was break fix went away. We started deploying defect free code. We reduced the amount of time for delivering new services to, for example, onboarding employees went from three weeks to five hours. But that realization, we haven't got it there yet. That's not where people wanna invest their dollars. They wanna invest their dollars in ways that grow the business, not in ways that fix what they did five years ago. That's why I call that the biggest risk.

Erich Kron:

Wow, it's always interesting to hear the insight from folks and I would agree with that. I think technical debt is something that, it's a word we hear a lot, but we don't give a lot of thought to. Well, I wanna thank you for joining us in this episode. And I invite you to listen to some of the other episodes as well and Jelle, is there anything you'd like to say on the way out?

Jelle Wieringa:

It was a remarkable episode, which I love doing this, and let's hope that in the future, all of the next episodes that we're gonna do have the same impact.

Erich Kron:

All right, well, having said that, goodbye everyone and say goodbye Jelle.

Jelle Wieringa:

Goodbye Jelle.

Sarah McQuiggan:

Coming up on our next episode of Security Masterminds.

Roger Grimes:

And every single client where I installed all the best advanced security stuff, they all still got compromised. How did they get compromised? Social engineering and unpatched software.

Sarah McQuiggan:

We invite you to join us with our special guest, Roger Grimes, Data Driven Evangelist for KnowBe4. You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

Chapter markers:

Introductions
How did you end up in cybersecurity?
What is your view of the cybersecurity world?
Ethics in cybersecurity
A CISO's Work/Life Balance
How has the CISO role changed over the years?
Should a CISO be fired after a breach?
Greatest Threat in the next 10 years?
Closing