6 minute read
Dr Lesley Seebeck
Honorary Professor at The Australian National University Founder and CEO of Cyber21
There’s a story about former British prime minister, Harold MacMillan: when asked what his biggest challenge was, he is said to have responded, “Events, dear boy, events.” That rings true in cybersecurity. It is full of constant movement, noise and magic, or on a dark day, fear, uncertainty and doubt. And it’s easy to get lost in that noise. The biggest challenge is finding the space to think and act more strategically rather than responding continuously to events.
That space is to be found at intersection of the social, the business and the technology. We—as a community, society, and those of us on the hook—are slowly building the conceptual tools to think about the problems at hand, help people understand the challenges and resolve the organising principles that help them shape effective responses.
I think this will mean that cybersecurity—and security more generally—slowly become much more integrated with the general business and work of organisations, not seen as ‘that techie problem’ over on the side.
I’m the founder and CEO of Cyber21, and Honorary Professor of Cybersecurity at the Australian National University, where until late 2020 I headed the Cyber Institute. When MacMillan was Britain’s PM one of his biggest challenges would have been the Cold War, and one my most memorable security experiences dates from those days. I joined the Department of Defence before the end of the Cold War, and I recall looking at reports of Soviet fishing vessels and their activities in the waters around Australia.
Somewhat later in my career—after working in intelligence, central policy, a couple of universities and the private sector—I joined the Department of Finance heading the area responsible for the defence and national security budgets. I wasn’t an expert—I knew Defence, for example, but had no idea about how the Budget worked—and so I learnt to trust and work through the team. Further, it’s important to build a culture of trust and candour, and you can’t do that without integrity and empathy.
I joined the Bureau of Meteorology in 2014, where as Chief Information Officer I lead the response to their security issues. That experience reinforced the importance of people, culture and organisation systems, and demonstrated how technology systems left to their own devices will evolve organically.
One of the most important things I’ve learnt in my career is to find good people to work for and with, and build a team that challenges you, in all the good ways.
I don’t have any specific security credentials. My job has been to set parameters, understand and translate the big picture, set priorities, build capability and enable others to do the jobs they need to do, and to both challenge and support them.
My first degree was in physics and my PhD in IT. So I have enough knowledge to understand concepts, ask good questions and learn, continuously learn. I have a masters in defence studies and an MBA. Those, and my work experience, round out my capabilities from an organisational and strategic/threat environment perspective.
I think I did reasonably well, given the environment at the time. I probably could have paid more attention, and become more practiced and confident in coding, and kept up-to-date, for example.
If offered the choice, I’d like to go back to maths. I don’t think maths is positioned, or taught, as well as it should be. It took me a long time before I realised how creative it could be. But the humanities are important, as well. I do worry that the drive to value STEM above and at the cost of the humanities is bad policy, and bad for good policy-making and security.
STEM will generally tell you what and how, while the humanities will tell you what and why. So we need a mix of both: in policy, in security and for how we think about and manage all our technologies.
Should I have some gained some security qualifications? There’s no doubt they would add to what I know and give me some specific cred I may lack. But there is a constant calculation: where do I best add value; where is my time best spent; and where are my own strengths best placed?
There are others who are better placed and with more knowledge than I have. I would prefer to build a great team rather than attempt everything myself. And being in a team that works really well together, that gets things done, that gets the best out of everyone: that’s a feeling that once you’ve experienced it, you are always looking to replicate.
Working with great people is hard to beat: working with and talking to people who challenge you, in good ways, and who have a sense of fun, and watching them grow and develop. And I like ideas, insights, different ways of looking at and solving problems.
Also, diversity of thinking is important to understanding threats and to assess responses. The literature shows better decisions emerge from a diverse group. However, a diverse group may make an outcome more difficult to achieve. People may feel uncomfortable having their views tested. But ease, speed and comfort are not guarantors of a good decision, regardless of how good we may feel about it. There are many things in life and in policy where ease and convenience work against good outcomes, particularly at a societal level.
The second reason why diversity is important is that we are all users of technology. Increasingly, cybersecurity issues are shaping how technology is accessed, how it is used, and what it is used for. Just as we have security by design, and privacy by design, we need to have users at the centre of that design. If we don’t, and we ignore them, users will look to break systems, and in so doing undermine organisational security settings.
One of the best ways to understand users is to have diversity: diversity of experiences, of knowledge and of power balances represented on teams, especially those setting policy and shaping systems. Both these point to having diversity as a means of building trust with users and with others in the organisation. It’s always useful to have people on your team who talk the language of business, of users, of finance, of leadership. That sort of rapport and understanding goes a long to building trust in the organisation.
My career journey has been more the cumulative result of small steps, coincidences and opportunities. I’ve always been interested in strategy and systems, in the intersection between technology and organisations, in defence and national security. But because I take opportunities where I see them and am not afraid to try new things, I’ve built a career that lets me bridge policy, technology, finance, systems, strategy, management, etc.
I’m interested in all the things that can make prioritisation difficult. I read widely. In particular, I look for things that help me think about how problems are structured, and for threads that, if pulled, can yield useful insights. I have a few sources I visit on a reasonably regular basis, often because they will point me in interesting directions rather than necessarily give me immediate answers. Writing helps me process issues and refine arguments.
I believe the personal attributes/skills that have been most important in my various roles have been my ability to think strategically, to set a direction and motivate people to that end. It’s not enough to identify a problem, respond to issues, and make sure things are working. The question is always going to be—or should be—what do we want to look like in five, ten, even 50 years, why, and how are we going to get there?
And secondly, communication. People will not hear you unless you say things in ways they will listen to, and even then, only after the first 100 or 200 times. And they are more likely to listen to people they trust.
I learnt and developed my skills slowly, by asking questions, through bitter experience and by having a few trusted advisers who will tell me what works, what doesn’t and what I can do better.
www.linkedin.com/in/lesley-seebeck-346542a/
