How I Became a CISO: Janet Levesque, RSA

RSA's newest chief information security officer says she landed the job because of her ability to build relationships, not a background in crypto or a pile of certs.

One might assume that the CISO of RSA -- one of the world's premier suppliers of encryption technology -- would have been breaking codes in nursery school. Yet Janet Levesque, RSA's new CISO, did not start thinking about cryptography until quite a while later.

"It was certainly not an intentional path," she says of the years leading her to the top information security position. "It was an accidental path, which, over the years, I've become very passionate about."

During the course of her career, Levesque did roll up her sleeves and get her hands plenty dirty, but what really led her into security management was not getting her hands on the technology. It was asking the right questions and building the right relationships.

Though Levesque graduated from the University of Vermont with a liberal arts degree, her first job out of school was programming in COBOL, which she learned on the job. From there, she moved to an insurance company, working as an electronic data processing (EDP) auditor, interviewing people in detail about how their systems worked. This led to IT risk management, in the salad days before Sarbanes-Oxley.

"Then, like many people, I decided to take a swing at the dot-com world." She ran IT for a grocery delivery service, doing a variety of hands-on technological work that she says she "had no business doing."

Like countless other dot-coms, the company burned $100 million in one year and then went out of business. "I got the experience of shutting down a company, literally turning off the lights. I got great hands-on experience and found I really enjoy it."

The opportunity to roll up her sleeves was a big asset to her next job -- at a credit card concierge service -- where she had to build a security program from nothing. And when she says "nothing," she means that the datacenter was not equipped with locks on the door, but it was equipped with an open container of alcohol.

Not surprisingly, RSA had higher security standards, yet the CISO position there is quite new. RSA did not create the job until 2011, a few months after the breach that exposed the company's intellectual property and raised questions about the sanctity of SecurID.

Levesque says the company was most interested in hiring her because of her relationship-building skills -- something that has become more important for RSA as it expands its hosting services business, and for CISOs across the board as companies outsource more of their IT functions.

Before she took the job, she made certain that she would not report to the CIO. Previously, as a director of IT security, she reported to the CIO, who reported to the CFO. At RSA, both she and the CIO report directly to the general manager. "It's hard to identify risk and controls in an IT department when your IT department is writing your check."

Levesque has managed to have this success without having a long string of abbreviations on her business card. She never bothered with a CISSP certification. She let her CISA lapse. On one hand, she acknowledges that certs set a baseline knowledge and can therefore help hiring managers weed out candidates. On the other hand, if people have time to take that many tests, how much time have they spent in the trenches?

Networking is important, says Levesque. Someone she knew socially helped get her resume seen when she applied for the RSA job. She successfully returned to the field after taking a few years off to be home with her young children, because a former boss who valued her talent employed her as a consultant, helping her to keep a hand in the industry.

If Levesque were not a security pro, she'd like to spend her time doing volunteer work to help underprivileged children and/or running a gourmet takeout restaurant.

In the meantime, "I love it" at RSA. "I'm having a really good time understanding the technology, understanding the services we have. I enjoy my colleagues... It's great working for a company that understands security."

This story is part of a new Dark Reading series about how to become a CISO. Catch up on last week's interview with the president of a security staffing firm, and come back next Monday to hear the origin story of Boston University's CISO -- from fixing his friends' toys as a kid through training Navy sailors about nuclear physics.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
10/27/2014 | 7:32:21 PM
I agree with some points and disagree with others
The structure of the CISO under the CIO is a conflict of interest as Levesque states, ".. [Levesque] made certain that she would not report to the CIO. Previously, as a director of IT security, she reported to the CIO, who reported to the CFO. At RSA, both she and the CIO report directly to the general manager. "It's hard to identify risk and controls in an IT department when your IT department is writing your check."

On the other hand, in today's environment, while building relationships is important, it's going to become more important to have the technical background. You can't just say "We Make Hammers", like Home Depot. Security is important to understand at a technical level.

I also disagree that if you are becoming technically proficient by attaining certifications that they have not spent time in the trenches. This could be true, but it could also be true that people building relationships are spending too much time "talking" and not enough time doing. Certifications don't mean you know what you are doing, but it's a baseline and a few minutes talking to anyone with any certification will let you know if they have real skills and have been in the trenches.
User Rank: Ninja
10/27/2014 | 6:29:50 PM
RSA Who?
While it's heartening to see a female over age 40 in a security management position, I'd like to see Ms. Levesque employed by a more reputable company, i.e. one that does not install back doors for routine government surveillance without a warrant.