Dr Saritha Arunkumar, global technical leader for IBM Cloud – Security, speaks to SC Media UK about her rise to the top and how to get more women into tech
With over 20 years under her belt at the Big Blue, Saritha has made it her life’s work to educate on cyber threats and behaviours at the board level and beyond.
She can regularly be found running simulated ransomware attacks with C-Suites – drumming home the message that security is no longer just the CISO’s domain.
A trusted advisor and IBM ‘Master Inventor’, Saritha is also a role model to women around the world, most recently being recognised with the Princess Royal Silver Medal for her outstanding personal contribution to UK engineering.
So, Saritha, what drew you to technology and cybersecurity?
I was always interested in technology. I used to do computer courses, even at primary school.
When I was doing my engineering degree, I was doing computing on the side. I was fascinated by programming and the engineering aspects of it.
My very first job was working on security projects for a public sector company in India. I was the only woman in my department, but a lot of the time that’s how it is. I didn’t know what security was and I learnt on the job. Words like ‘cryptography’ were Greek to me. It was a really good foundation. I’ve never looked back.
What’s the biggest challenge for CISOs right now?
CISOs need to get buy-in from the entire board of directors and management.
It can be very difficult for the CISO to convince the board about why security spend is important. What is the value-add? How is it making a business impact? How is it making a reputational impact?
They have a very challenging job. That’s where people like me come in; we become trusted advisers to them. The more confidantes they have, the better; the easier it is to open up and discuss pain points.
Have you got any tips for CISOs?
Yes, C-suites need to develop an excellent ‘security culture’. An optimised security culture will ensure good leadership, effective communication, appropriate policies and make sure that everyone is accountable for their actions.
One person needs to be designated as the leader of the crisis management team. Then they build a ‘fusion’ team – which is a combination of different business units coming together. Accountability is important.
I call it LACP: Leadership, Accountability, Communication, Policies.
An organisation needs to have clear plans for security communication across the board (in the event of an attack or otherwise). And having policies is essential – whether it’s information security policies, general system policies, or overall policies.
All organisations need to think about having a business playbook. When there is a ransomware attack, what is the business action? Who takes a decision on whether to pay?
In addition, it’s important to carry out continuous awareness programmes and training – for everybody, not just the C-suite. No one's going to click on a phishing email without thinking if they are being trained over and over again.
How do we encourage more women into cyber?
A lot of women think that cybersecurity is a difficult field to work in. That’s often their first reservation. To circumvent this, we run IBM events and talks around this topic. When you’re hired in cybersecurity, you are not always expected to be a cybersecurity expert. You are taught on the job.
Women in cyber should be doing more to help others to understand how accessible a cyber career can be. In many cases, we don’t require specific qualifications these days. Everything is being done on a much more agile basis.
Women should talk more about what they do. The more that younger women see cyber roles as obtainable, the more women will enter the industry.