
Operations

10/27/2014
05:40 PM

How I Became a CISO: Janet Levesque, RSA

RSA's newest chief information security officer says she landed the job because of her ability to build relationships, not a background in crypto or a pile of certs.

One might assume that the CISO of RSA -- one of the world's premier suppliers of encryption technology -- would have been breaking codes in nursery school. Yet Janet Levesque, RSA's new CISO, did not start thinking about cryptography until quite a while later.

"It was certainly not an intentional path," she says of the years leading her to the top information security position. "It was an accidental path, which, over the years, I've become very passionate about."

During the course of her career, Levesque did roll up her sleeves and get her hands plenty dirty, but what really led her into security management was not getting her hands on the technology. It was asking the right questions and building the right relationships.

Though Levesque graduated from the University of Vermont with a liberal arts degree, her first job out of school was programming in COBOL, which she learned on the job. From there, she moved to an insurance company, working as an electronic data processing (EDP) auditor, interviewing people in detail about how their systems worked. This led to IT risk management, in the salad days before Sarbanes-Oxley.

"Then, like many people, I decided to take a swing at the dot-com world." She ran IT for a grocery delivery service, doing a variety of hands-on technological work that she says she "had no business doing."

Like countless other dot-coms, the company burned $100 million in one year and then went out of business. "I got the experience of shutting down a company, literally turning off the lights. I got great hands-on experience and found I really enjoy it."

The opportunity to roll up her sleeves was a big asset to her next job -- at a credit card concierge service -- where she had to build a security program from nothing. And when she says "nothing," she means that the datacenter was not equipped with locks on the door, but it was equipped with an open container of alcohol.

Not surprisingly, RSA had higher security standards, yet the CISO position there is quite new. RSA did not create the job until 2011, a few months after the breach that exposed the company's intellectual property and raised questions about the integrity of SecurID.

Levesque says the company was most interested in hiring her because of her relationship-building skills -- something that has become more important for RSA as it expands its hosting services business, and for CISOs across the board as companies outsource more of their IT functions.

Before she took the job, she made certain that she would not report to the CIO. Previously, as a director of IT security, she reported to the CIO, who reported to the CFO. At RSA, both she and the CIO report directly to the general manager. "It's hard to identify risk and controls in an IT department when your IT department is writing your check."

Levesque has managed to have this success without having a long string of abbreviations on her business card. She never bothered with a CISSP certification. She let her CISA lapse. On one hand, she acknowledges that certs set a baseline knowledge and can therefore help hiring managers weed out candidates. On the other hand, if people have time to take that many tests, how much time have they spent in the trenches?

Networking is important, says Levesque. Someone she knew socially helped get her resume seen when she applied for the RSA job. She successfully returned to the field after taking a few years off to be home with her young children, because a former boss who valued her talent employed her as a consultant, helping her to keep a hand in the industry.

If Levesque were not a security pro, she'd like to spend her time doing volunteer work to help underprivileged children and/or running a gourmet takeout restaurant.

In the meantime, she says, "I love it" at RSA. "I'm having a really good time understanding the technology, understanding the services we have. I enjoy my colleagues... It's great working for a company that understands security."

This story is part of a new Dark Reading series about how to become a CISO. Catch up on last week's interview with the president of a security staffing firm, and come back next Monday to hear the origin story of Boston University's CISO -- from fixing his friends' toys as a kid through training Navy sailors about nuclear physics.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
dfallin640,
User Rank: Apprentice
10/27/2014 | 7:32:21 PM
I agree with some points and disagree with others
The structure of the CISO under the CIO is a conflict of interest as Levesque states, ".. [Levesque] made certain that she would not report to the CIO. Previously, as a director of IT security, she reported to the CIO, who reported to the CFO. At RSA, both she and the CIO report directly to the general manager. "It's hard to identify risk and controls in an IT department when your IT department is writing your check."

On the other hand, in today's environment, while building relationships is important, it's going to become more important to have the technical background. You can't just say "We Make Hammers," like Home Depot. Security is important to understand at a technical level.

I also disagree that if you are becoming technically proficient by attaining certifications, you have not spent time in the trenches. This could be true, but it could also be true that people building relationships are spending too much time "talking" and not enough time doing. Certifications don't mean you know what you are doing, but it's a baseline, and a few minutes talking to anyone with any certification will let you know if they have real skills and have been in the trenches.
asksqn,
User Rank: Ninja
10/27/2014 | 6:29:50 PM
RSA Who?
While it's heartening to see a female over age 40 in a security management position, I'd like to see Ms. Levesque employed by a more reputable company, i.e. one that does not install back doors for routine government surveillance without a warrant.