Strategic Investments CISOs Should Make for Long-term Success

LaLisha Hurt (LH): What strategic investments are you looking to make in the short- and long-term for the city of Philadelphia?

Jessica Hoffman (JH): First, I have to say that I love Philly. I’ve been coming here since I was in grade school living in Jersey. But if you had told me I would be the Deputy Chief Information Security Officer for the city one day, I would have thought you were nuts.

Being a part of the City of Philadelphia’s security team is a big responsibility. It’s the sixth-most populous city in the US, and of course a huge part of early American history. Many cities of late have been targets of cyber attacks halting services causing the citizens to suffer. Taking that into consideration, my short- and long-term goals for the city are to emphasize the things we do great and work on the things we need to mature.

For instance, most private businesses have larger security budgets — or at least a much less painful procurement process. That’s great, but it doesn’t always benefit the company. Instead of chasing the next best tool or focusing on innovating everything, I think it’s important we focus on basic cyber hygiene and security training. The city already does a lot of that well, but I believe it’s equally important to return to those basics regularly to remind folks why we are doing those things. How something as simple as regular patching and vulnerability scanning can deter a massive attack.

Long-term goals are to leave the city in a better place than when I came. And help train the next generation of cyber professionals who will continue to fight against cyber attacks.

LH: You mentioned the importance of training the next generation of cyber security professionals. What are your thoughts on how to bridge the talent gap?

JH: This is such a relevant topic that I don’t believe can get enough coverage. Cyber positions are so specific in nature it’s almost impossible for someone to jump right in, regardless of how much schooling and/or certifications they have. In fact, I’m more inclined to hire someone who is teachable and eager to succeed more than someone with 17 certifications and a degree. Why? Because once the hands-on training starts, then someone can obtain meaningful certificates. Notice I said “meaningful” and not “let me get as many certs as possible.” The latter is certainly an individual choice, but if you’re breaking into the industry and looking to start your career, it’s logical to focus on one pathway versus multiple.

At the city we have a very diverse team of races, gender, ages, and backgrounds. I’m extremely grateful to have this opportunity to work with and mentor folks who contribute invaluable views. When it comes to closing the cyber work gap shortage I think employers should keep these things in mind:

1. The best candidate is not always the most experienced or has the most formal education.
2. The best candidate certainly doesn’t and shouldn’t look like everyone else in your organization.

Between mentorship programs, in-house placement into cyber, job fairs, and various non-profits that are specifically looking to position the best talent, employers have options. Changing the mindset of what a security professional looks like on paper and beyond is the bigger challenge, in my opinion.

LH: How has your background in audit risk and compliance equipped you for the job demands of deputy CISO?

JH: Great question! Again, if you’d told my 21-year-old self that I would be an auditor one day, I wouldn’t have just thought you were nuts I would have laughed hysterically and walked away. And then probably gone to the library or called around to understand what a risk and compliance auditor was! We didn’t have Google handy back then…

I’ve noticed that a lot of CISOs come from an audit and compliance background. That’s reassuring to me because sometimes I do suffer from imposter syndrome. Not for long though, because I know I have much to learn and I’m eager to learn it. However, having the experience of 1) communicating with executives regarding audit findings, 2) working with various sized businesses, audiences and industries, 3) being the “only” in the room more often than not, and 4) understanding NIST, SOC, ISO, HIPAA and other compliance standards gives me the confidence I need to stand up in the board room and deliver.

That confidence came from my auditing experience directly. I can’t say that I would be so well-rounded in my thought processes and expectations had I not been focused on risk and compliance these past 10 years — not to mention the listening and deciphering skills one needs when interviewing for control compliance. That right there is an amazing skill that I often like to compare to the role of a researcher or lawyer. You have to listen for what is not being said as much as what is.