Q&A with CISO Jennifer West on Her Priorities and Building a Collaborative Security Culture

When it comes to transforming security teams and building collaborative security cultures, chief information security officer (CISO) Jennifer West has an impressive record. From her current position as CISO and privacy officer at Redlands, Calif. based geographic information systems software provider ESRI, and her crucial roles as CISO at ServiceMaster and Smith & Nephew, she actively designs and builds successful security teams, tools and culture.

In each of these positions, Jennifer focused on putting into place a foundation of both process and technology integration, with the emphasis on compliance, governance, risk management, data protection, and information security. In this interview, we spoke with Jennifer about her current priorities as CISO at ESRI and how she has built healthy collaborative security cultures at multiple organizations.

Here is an edited version of our conversation.

How did you get started in enterprise technology and security?

I’ve been in IT for most of my career. IT was not something I set out to do as a career. My degree is in accounting, and I also went back and studied nursing. I’m very math and science-oriented, but somehow, I got in on the front end of trends like online banking, and I grew really interested in how the backend of the business worked to make that front-end user interface for the customer work.

I learned that I excelled at audit and compliance work, especially being able to track processes end to end. I taught myself how to code so I could understand how the user experience was built. In the regulated environments of public companies, I excelled at learning specific details about controls. Where they existed and didn’t exist. How to solve gaps to meet the control, and how to create compensating controls. I ended up in security because a past leader saw my natural inclination toward auditing. My audit perspective has changed over time with security. Compliance does not mean a secured environment; I have learned to find a balance between security requirements and meeting the goals of audit or compliance requirements.

Starting out in banking, I was used to working in highly regulated industries. After having worked at two companies, First Tennessee Bank and FedEx, and working in various IT and business positions, I joined ServiceMaster in 2012. I was looking forward to moving out of IT and being in a business partner role. I felt that was a good fit for my skillset because I had developed the art of being able to speak IT just enough for the business to understand. Being the bridge for the communication gap between the business and IT allowed for the right projects or remediations to be prioritized

However, I had been at this position for a very short time when their CISO left the company. A past leader of mine saw a skillset in me I didn’t realize I had which was being their CISO. I was hesitant to take the job because the security team seemed to be the team that everyone avoided, and they represented the “office of no.”

How little I trusted myself and the leader that promoted me at the time! I ended up taking the position, and it literally changed the course of my life. Today, I love what I do. I can’t imagine not being a CISO, or in a similar role. I find security a fascinating and vast topic along with being challenged almost every day. With the topic of security and privacy, you must pivot between different incidents, environments, technologies, personalities, and perspectives daily. This helps to keep me sharp and, on my toes, and always learning. I’m very passionate about making sure people understand what the security team is doing instead of fearing what we’re doing. I really enjoy the people that work in security, too. They are very passionate about making sure we keep our country safe, our customers’ data safe and figuring out how to play a part in keeping the world secure. This aligns with my personal self.

You had some apprehension about accepting a CISO role. Did that anxiety prove warranted? Did your concerns present themselves in the way you thought they would, or was it different than you envisioned?

I took the position understanding the challenges about how some in the organization felt about the security team and a CISO in general. I decided that I was going to do things differently than past teams and leaders somehow. I was going to find a way to turn my organization into the “Office of Yes…and.” This along with developing a security team that is approachable and collaborative. I also learned early on that I needed to be willing to accept some risks otherwise not acceptable to some security professionals, find ways to implement compensating controls, be rational about risk and be flexible on security architecture where possible. Sometimes great gets in the way of good for security teams, especially when they lead with fear instead of education.

It wasn’t easy. It was and is very uphill journey at times, but I’ve managed to succeed with the help of great people I get the honor to lead and collaborate with daily. I’ve kept true to who I am and the way I like to lead. Today, at ESRI, it has been especially great because ESRI has the same philosophy, and it has matched my leadership style very well. I always say to my team, “do what is right. do your best that is all that we can offer, and to be the change.”

How did you evolve the CISO office from the ‘Office of No’ to the ‘Office of ‘Yes … and?’

At ServiceMaster, it took a lot of work because the culture was very deep-rooted. The company had existed for a long time, and I was also new to the company and the CISO role. The day I took the job, I established the fact that the culture was going to change, that it wasn’t going to stay the culture of “no” and I was willing to do my part in the transition. I started by transforming the team with new talent and investing in the existing talent. I spent time with the security team and cross team members on what a positive culture meant. Working together we demonstrated what it meant to come at problems from a positive place, and how we can get more done collaborating instead of mandating.

Also, during that time, Gene Kim released a book called ‘The Phoenix Project.’ Gene’s book literally outlined precisely what I was dealing with our team and our infrastructure team at the time. The book fundamentally changed the way that we looked at things and moving more toward a DevSecOps model. To me, the very thing that makes DevSecOps work is collaboration. This was a change in my thinking too. We were all in it together learning new methods, it took a year or so for the book to really sink into my way of leading.

Also, at ServiceMaster, we had a very forward-thinking CIO. He was pushing the company toward a true DevSecOps and agile methodology which gave me the ability to learn a lot from him. He originally recommended the book to me and since then I have recommended it to every team I lead.

Perhaps because ServiceMaster was in a broader cultural change, that helped to present an opening for you to change the culture successfully?

It did. It did. ServiceMaster also had a lot of employee turnover. It was unfortunate, but it also allowed me to transform the team. A handful of those security professionals are still at ServiceMaster today, and I think that’s awesome. They carried forward the program we worked hard to build and do great things with it. I learned as much from this transformation and the people I worked with as I hoped they learned from me.

It was an exciting journey. I feel like I learned a lot, not only about people but business and how to look at things a little differently.

How did you successfully get to that organizational culture that encouraged others in the organization to collaborate with the security team?

My team worked at turning security into an opportunity to educate. For example, when the team ran a vulnerability report, previously, they would simply hand the report over to the infrastructure team, expecting them to remediate. Instead, we started analyzing the report, playing a subject matter expert and decided to only open tickets for the infrastructure team for those items that were truly necessary to address. We would consolidate issues, so if there was one patch necessary to solve 50 vulnerabilities, we only opened a single ticket. We also co-mingled security team members with the infrastructure team. We made sure to physically sit people next to each other so that they had to start collaborating and learning from each other, actively breaking down long standing walls. We also moved to open seating. I’ll tell you. It was a tough journey. But it was worthwhile.

There was a specific day that I recall when I looked at the floor from my office, and I witnessed people walking up to our monitors working together on an alert that they saw. Everyone was invested in making sure that we’re doing the right thing.

I remember just pushing my chair back and realizing that what we were doing was working. It was very cool to see that journey, and it’s continued throughout my career. We have that same collaboration here at ESRI. You just get more done being friendly and collaborative. No problem is insurmountable with the right attitude and balance of risk.

I also think moving security professionals into more of a subject matter expert role instead of a monitor role and helping them to embrace the areas where we focus. I organized the team in a way such that we have siloes within different security topics, enabling each of those people to become masters at what they do, which then gives them a great platform to work with other teams and teach them while they ask them to do work for security

This strategy works. I don’t believe in FUD (fear, uncertainty, and doubt), or delivering security through mandates. I think we accomplish so much more by teaching people what we’re trying to prevent or what we’re trying to do and the why. That way, next time, maybe they build it into what they’re doing. Security must be built in, not an afterthought or add on. Everyone must be invested, not just the security team. This drives collaboration and shifting left.

What are your top priorities at ESRI?

Moving to ESRI has also been a challenging scenario, but I love a good challenge. The security team at ESRI had supported multiple CISOs or temporary leadership for the five years before I joined. The security program culture needed to move from the office of no to become more collaborative. Fortunately, my prior experiences aligned with what ESRI required for the task at hand. Also, ESRI was willing to make security a priority, this made the battle a little less difficult. They craved change and new perspective and for the most part have welcomed this with open arms.

Transforming the security team when it came to both talent and culture has been one of the top priorities. Following that, it’s focusing on maturing security foundations, tools and technology partners such as SailPoint. We needed to get more out of our security strategic partnerships and optimize the tools we have.

Adding privacy to the security mix has been a great opportunity for me and my team. There are so many similarities in privacy and security. In fact, I may be talking to you more about privacy in the coming years than security. I view this like a piece of candy, privacy is the soft center with floating data and security is the hard-protecting outer shell.

What would your advice be to others who need to work on improving their security culture in their organization?

My advice would be, don’t be afraid of change and driving hard for it. You can’t be faint of heart. Some days feel like you’re standing at the foot of Mount Everest, and you have no idea how you’re going to climb it. You also know you have many people depending on you including the company and your customers. But the only way to get up it is one step at a time, and eventually, you will be able to sit back and start to see glimmers of progress. Let yourself be vulnerable, which most security professionals are not willing to do. Fail fast and move forward. This is how we learn and succeed. Standing at the top of the mountain cannot be your only goal, perfecting the journey and collaboration to get there is the most important part.

When you see the change starting to work, when you see true collaboration and that you’ve made a difference for the company and your customer, it just motivates you to want to keep going. Also, surround yourself with people who have a genuine burning in their soul to get those wins and keep moving forward. To me the best analogy for anyone that plays golf is that perfect hit and the sound of the club meeting the ball for the perfect ping. This is why you keep playing. I am terrible at golf but love to play. If I even have one good hit, I cannot wait to get back out and play. Celebrate your wins and the wins of your team, even if they seem small.

What do you consider to be indicators of good security culture?

I’ll share a recent example with you. We conduct a monthly leadership meeting with all managers and senior leaders from each team within our IT organization. We give presentations about our specific teams and what they’re working on.

As all the teams were going through their presentations last month, I noticed that each presentation included a security element. Such as something they were currently working on for the security organization or with the security organization. None of this was planned! It all happened organically.

It’s just that moment that all the work, my team, these masters of their domains had been working on with other teams in the organization came out within presentations from the other teams and leaders. It was the best moment I’ve had at ESRI. It’s that moment that you know your team is winning. You just got to keep fighting the battles, being positive and keep making progress on step at a time. Keep seeking the perfect ping!