Kirsten Davies has had an impressive journey as an information security executive. After starting her career as an independent consultant on IT transformations, she was recruited by Deloitte Australia to help client companies shape transformational work around finance, HR, and IT, while understanding and mitigating the risks behind implementing or sunsetting large enterprise systems such as ERP. This early work provided Davies with her entry into cybersecurity.
Since 2009, Davies has been a veritable globe-trotter, having held senior cybersecurity positions at Siemens, Hewlett-Packard/HPE, and, currently, Barclays Africa Group in Cape Town, South Africa, where she is Chief Security Officer.
From her childhood into her adult years, Davies’ journeys have taken her from the U.S. and Canada to Australia, as well as numerous countries in Europe, before she joined Barclays Africa Group in February 2017. To help put this into perspective, Davies flew more than 200,000 miles last year, spending the equivalent of three months in the air.
Throughout her travels, Davies has learned invaluable cultural nuances with respect to cybersecurity and has also been able to apply some of these across her various stops. “It’s a constant engagement mechanism to build awareness, understanding, and partnerships. We don’t own what we have to secure, such as the IT infrastructure. So you’re constantly building awareness and partnerships to execute.”
Davies is also reminded that people are people wherever you go, and that she should not make assumptions about where they are on their own awareness journeys in information security.
“When engaging on subjects of security with CEOs or board members, that’s the first lesson I’ve learned. The second lesson is that you can’t presume where the organization is, either, in its maturity level for IT or for security. You can come in and be a rock star but if the IT is outsourced, there are multiple layers of legacy IT at varying degrees of process maturity, or if the enterprise has a very basic or non-existent security culture, you’re starting from the drawing board.”
Meanwhile, the more companies that Davies has worked for, the more she realizes that CISOs have one of the toughest jobs there is. “It’s a core function, not a business unit and not just IT. We can often be treated like we’re not core, like a blocker, but we have to get things right – the partnerships, the execution, the board visibility and support – because if there’s an event, the impact on the enterprise can be huge.”
There’s also more need than ever for CISOs to have a high EQ or emotional intelligence to help partner in enterprise risk strategy. “We’ve been the quiet protectors behind the keyboards and buried away to scan and fix the code,” said Davies. “But security is not an IT problem – it’s an enterprise risk problem – and we have to increasingly be on the front foot, in the middle of strategy discussions because our mandate is at the center of organizational strategy.”
Opportunities to add new tools to the toolbox
Davies sees the experiences she gleans from each of her information security roles as an opportunity to add new tools to her toolbox.
“As a professional and as an executive, I would think that everyone has the same mindset that the last opportunity builds on the next opportunity you have,” said Davies. “Having worked in so many different countries, I’ve been able to add new tools to my toolbox and I apply them each day in my role. Some of the tools get worn out and have to be discarded. But with other things, you can say 'I picked up this tool in Germany and I can use this tool in South Africa.' That’s very much part of the day-to-day in my job. I do believe wholeheartedly that my work across the world has helped me to step into my new role.”
It’s all a part of Davies’ passion for continuous learning.
Kirsten Davies, along with other leading security executives, will be speaking at the upcoming Washington, D.C. CISO Executive Leadership Summit on September 21, 2017.