One might assume that the CISO of RSA -- one of the world's premier suppliers of encryption technology -- would have been breaking codes in nursery school. Yet Janet Levesque, RSA's new CISO, did not start thinking about cryptography until quite a while later.
"It was certainly not an intentional path," she says of the years leading her to the top information security position. "It was an accidental path, which, over the years, I've become very passionate about."
During the course of her career, Levesque did roll up her sleeves and get her hands plenty dirty, but what really led her into security management was not getting her hands on the technology. It was asking the right questions and building the right relationships.
Though Levesque graduated from the University of Vermont with a liberal arts degree, her first job out of school was programming in COBOL, which she learned on the job. From there, she moved to an insurance company, working as an electronic data process (EDP) auditor, interviewing people in detail about how their systems worked. This led to IT risk management, in the salad days before Sarbanes-Oxley.
"Then, like many people, I decided to take a swing at the dot-com world." She ran IT for a grocery delivery service, doing a variety of hands-on technological work that she says she "had no business doing."
Like countless other dot-coms, the company burned $100 million in one year and then went out of business. "I got the experience of shutting down a company, literally turning off the lights. I got great hands-on experience and found I really enjoy it."
The opportunity to roll up her sleeves was a big asset to her next job -- at a credit card concierge service -- where she had to build a security program from nothing. And when she says "nothing," she means that the datacenter was not equipped with locks on the door, but it was equipped with an open container of alcohol.
Not surprisingly, RSA had higher security standards, yet the CISO position there is quite new. RSA did not create the job until 2011, a few months after the breach that exposed the company's intellectual property and raised questions about the sanctity of SecurID.
Levesque says the company was most interested in hiring her because of her relationship-building skills -- something that has become more important for RSA as it expands its hosting services business, and for CISOs across the board as companies outsource more of their IT functions.
Before she took the job, she made certain that she would not report to the CIO. Previously, as a director of IT security, she reported to the CIO, who reported to the CFO. At RSA, both she and the CIO report directly to the general manager. "It's hard to identify risk and controls in an IT department when your IT department is writing your check."
Levesque has managed to have this success without having a long string of abbreviations on her business card. She never bothered with a CISSP certification. She let her CISA lapse. On one hand, she acknowledges that certs set a baseline knowledge and can therefore help hiring managers weed out candidates. On the other hand, if people have time to take that many tests, how much time have they spent in the trenches?
Networking is important, says Levesque. Someone she knew socially helped get her resume seen when she applied for the RSA job. She successfully returned to the field after taking a few years off to be home with her young children, because a former boss who valued her talent employed her as a consultant, helping her to keep a hand in the industry.
If Levesque were not a security pro, she'd like to spend her time doing volunteer work to help underprivileged children and/or running a gourmet takeout restaurant.
In the meantime, "I love it" at RSA. "I'm having a really good time understanding the technology, understanding the services we have. I enjoy my colleagues... It's great working for a company that understands security."
This story is part of a new Dark Reading series about how to become a CISO. Catch up on last week's interview with the president of a security staffing firm, and come back next Monday to hear the origin story of Boston University's CISO -- from fixing his friends' toys as a kid through training Navy sailors about nuclear physics.