Published on the 27/03/2024 | Written by Heather Wright
Engagement, hardening boundaries, and mental health priorities…
Maryam Bechtel says there are three key lessons she’s learned in her two years as a CISO: Engage the business, prioritise external-facing parameters and boundaries, and focus on your – and your team’s – mental health.
Bechtel took on the CISO role at electricity provider and gas supplier AGL in 2022, after three years as NBN’s head of IT security operations.
“You really have to prioritise, make time and build the capability to have a strong business engagement.”
She says taking up any CISO role is a baptism of fire and it’s easy to get caught up in the day to day work, making focusing on business engagement – something she acknowledges is often discussed, but not always done – something of a challenge.
“I knew business engagement was important. I talked about it. But I immediately went into fire fighting mode, dealing with the daily challenges and just keeping on top of everything that was happening.
“You really have to prioritise, make time and build the capability to have a strong business engagement.”
She’s proud of the capability achieved at AGL in the last two years, particularly around engagement, saying the organisation has come a long way in changing and elevating the conversation around risk, ownership of that risk and the responsibilities with the business.
“We’ve really taken cyber from just guards to business enablers and drivers.
“The conversation has changed and it’s really great to see business stakeholders and executives talking about cyber and why it is important, when a couple of years ago it might have been cyber doing their own thing in the ivory tower and not being part of anything business related.”
She says building engagement is always a two way street, and knowing who you are building engagement with is an important aspect, with different approaches often required in dealing with different stakeholders.
Some stakeholders may already be cyber savvy and understand the risk. For them, building engagement is about looking at the metrics and risks and seeing where cyber can add value and be a business enabler, and working together collaboratively.
However, even in 2024, Bechtel says there are some stakeholders remain ‘semi-hostile’ to cyber and don’t want involvement.
“They don’t think it is their problem, and don’t want you to talk to them about it. So you have to have a different approach there and you have to have really frank conversations with the CEO and board on what the role of cyber is, what the ownership of cyber is and what the parameters for success are.”
Having a strong relationship with the CEO is key for a CISO, she says. Recent cyber incidents in Australia have helped push security to front of mind with CEOs, aiding CISOs in their role.
Through it all, having joint targets can ensure stakeholders feel part of the journey, rather than feeling security is ‘being done to them’.
And if all else fails, Bechtel notes that you should never let a crisis go to waste – and you can ‘generate’ your own crisis by doing red teaming exercises.
“That at least generates conversation and sense of urgency that something needs to be done, because sometimes people go into complacency mode: ‘we are fine, why do we have to change anything?’ So do red teaming and tell them why.”
She’s also an advocate for putting a lot of focus on hardening external facing boundaries.
“The first point of attack and entry a lot of the time goes unnoticed in the day-to-day operations. We know our landscape is very complex and threats evolve everyday, and in complex organisations like AGL the boundaries are very much grey areas as well, so really prioritising, focusing and having a drive to have a very hard shell is very important. Prioritise that and make purposeful decisions about your program of work to strengthen and stop that first entry point.”
In its submission to the 20232030 Australian cyber security strategy discussion paper last year, AGL called for the federal government to set a better example when it came to cybersecurity, hardening government systems and demonstrating what good cyber security looks like.
Her third tip for attendees at the Gartner Security and Risk Summit in Sydney might have been a non-tech topic, but it’s certainly a hot one currently: Having a focus on your, and your team’s, mental health.
In fact, Bechtel went as far as to call it the most important lesson she’s learned.“You go through ups and downs a lot in your cyber career, sometimes it’s super stressful, sometime’s it’s ok. At some point, I had to accept that becoming a CISO or working in cyber security is a stressful role,” she says.
Surviving that stress requires CISOs and their teams to focus on skills that enable them to manage stress, from physical health to skills such as meditation, taking mini breaks and taking your annual leave, and making your tool box of mental health aid non-negotiable.
“There is no way around it. If you don’t have anything in the bank when a cyber incident happens then we are all in trouble.
“And that culture of being so busy, of not having lunch for six months, is not culture we want to encourage and I won’t tolerate it. You have to be taking your lunch, you have to be taking breaks, and focusing on prioritising yourself.”
She admits she sometimes has to call people out on the topic in a world where being ‘busy’ can be a badge of honour.
“It’s not [a badge of honour]. Because if you are stressed, if you are at your capacity in normal time how are you doing to deal if an incident happens?”
Bechtel prides herself on being ‘intentional’ – having established a career based on continuously checking that her role was what she needed at any given time.
When she started out doing a Batchelor in computer science, she expected to become an application developer, but quickly realised that wasn’t making her happy. She started looking for a new area and ‘stumbled’ onto cybersecurity.
“It was love at first sight,” she says now. “I found it really cool. I found it sexy and exciting and decided this was the major for me.”
In her early 20s, penetration testing and white hat hacking was, she says, ‘super exciting’. And when she wanted to take it further and do a Masters she packed her bags and went to the only university offering the degree – in Stockholm.“After finishing my masters I knew I had a really strong academic background but really have to get a lot of experience,” she says. She wanted to sample cyber’s many domains before going deep into one so headed into consultancy, where being a jack of all trades is the name of the day.
After more than 10 years in consulting, she realised that rather than just handing over reports to clients, she wanted to be at the coalface, having an impact on organisations and leading them through their security uplift and capability development, while also giving back to society.
The role at NBN follows, with ‘a lot of fire fighting’, which gave her familiarity with the challenges involved in everyday operations.
“It was a great step for the CISO role because then you know what the challenges are of dealing with technology operations and all the things that go with it,” she says.
“My takeaway is always be purposeful and know why you are doing things,” she says, noting that sometimes the why changes.
With that in mind, it’s no surprise that when asked what she most wants to see CISOs implement her response was to call on them to do regular life audits.
“Where are you sitting with your career goals, personal life, physical and mental health, social life. Really map it all out. Are you set up for success and going where you want to go or do you need to change something?
“We regularly have to do that. There is no black and white, sometimes something has to give. Not everything can be perfect, but you just have to be intentional about where you are prioritising at certain points and what can take back seat changes over time as well.
“That can give you confidence and a sense that you are in control which will help with the stress level as well because you know what you are doing and why you are doing something.”
