Security Leadership: How to Recruit More WomenUBS's Poon on How to Make a Difference as a Security Practitioner
Faced by a growing skills shortage and no easy fixes, industry leaders across Asia Pacific are making new efforts to inspire more women to join information security, and now organizations such as (ISC)Â² offer scholarships.
Add Vivian Poon to this list of leaders. As stream lead in perimeter security at investment bank UBS in Hong Kong, Poon is vocal about the need to attract more women to the security profession.
"Information security is definitely a high-pressure job, but there must be a concerted effort to build awareness, so that women take up risk management, governance, security, forensics and other functions, as they have the acumen for dealing with crises," Poon says.
Currently, infosec has less than 20 percent female representation, she says. "This must grow. Organizations and industry bodies must run mentoring programs for women engineers to opt for infosec functions, given the domain's growing importance," she says.
"Women can handle these challenges well and collaborate with risk and compliance teams in establishing a governance structure, thanks to their natural instinct in resolving crises," argues Poon.
In this interview with Information Security Media Group, Poon supports the industry's view: To fight attackers better, get women who have better acumen that can be put to use in security. She offers insights on:
- Factors essential to succeed as infosec practitioners
- Pre-requisites of women infosec professionals
- How to attract women to infosec careers
As head of network security operations, Poon manages a team of network engineers to support the global networks at UBS, covering IP telephony, trader voice, wireless, routing and switching, firewalls, data security appliances, network management tools and network security products.
She worked with start-ups such as DoubleClick and Asurion; and financial institutions including Morgan Stanley, Goldman Sachs, Citibank and Credit Suisse.
Poon has been the speaker at various industry forums including (ISC)Â² and is the performing member of the Hong Kong Symphonic Winds, besides being the Board of Director of Women in Aviation, International (Hong Kong Chapter).
Succeeding in InfoSec
GEETHA NANDIKOTKUR: You've held multiple portfolios and handled security for long. What's your take having seen success in infosec as a woman practitioner?
VIVIAN POON: Infosec is not one person's job; nor is it one team's job. It is everyone's job. It's not a siloed function. The first step is to adapt to the corporate culture, which has aligned with security culture. The sooner you adapt, the better you see the impact. Most important is how soon women create awareness of infosec policies among employees to spread the culture of security and protect information leakage. It's essential to establish a culture that enables employees to communicate security concerns proactively - this can be easily managed by women. Success also depends on changing the security mind-set of users which would help policy enforcement and avoid data leakage and security incidents. I support IBM's recently launched survey on women in security - to fight attackers better, get women in security with better acumen which can be put to use in security.
In my current role and in an investment bank of this kind, training's mandatory for all employees periodically; security is an essential part of this.
Women are good at handling risk and governance. For instance, I handle multiple geographies as head of APAC network operations- my challenge is dealing with global policies and 20 regulatory frameworks which conflict on varied aspects. Adhering to these in protecting customer data calls for a strict governance mechanism to handle compliance without disrupting data. Women can collaborate with risk and compliance teams to establish a governance structure - owing to their natural instinct in resolving crises.
Pre-requisites for Women
NANDIKOTKUR: What are the must-have skills of women most sought after in handling infosec?
POON: The first requisite is that women must be optimistic. Emotional intelligence and technical skills are very important. Above all, the right attitude to understand the domain is mandatory. It's not easy to handle vulnerabilities and constantly be a watchdog. If in a leadership role, team management gets more critical. I see most enterprises have less than 20 percent women. I manage about 60 plus engineers across APAC region and outsourced team members indirectly to ensure the network is safe, transactions are secure with no downtime. It's about how meticulous the approach is in addressing issues; women are very practical and systematic in building this.
There are new threats, new technologies and new controls every day. Only if an infosec professional keeps challenging the status quo, keeps on learning about new technologies and vulnerabilities found, shares the knowledge with other security professionals and works on solutions, can one can be successful. I do it because I just love it and as I do it, I love it even more. Communication skills are most important - to explain the issues, the impact, the solutions to stakeholders effectively.
The attitude exposes women to board-level discussions, too. In my firm, the Group Internal Audit organization is organized to align with the firm's organizational structure while covering risks and security which comprises 20 percent women as committee members.
Attracting Women to InfoSec
NANDIKOTKUR: What factors would attract women to the InfoSec profession?
POON: Infosec's definitely a high-pressure job. But it can be a cool career if professionals understand the wider portfolio of its functions. Functions like a forensic analyst, web penetration tester, computer crime investigator, network security engineer would definitely attract women. The industry and enterprises haven't done enough to encourage women into infosec. Only now are efforts made to consciously rope in women. Since it's a very broad field, we must create awareness about its various cool careers.
Girls should be encouraged to choose science and technology courses at the undergraduate level for exposure to technology and its variants. The industry should roll out mentorship programs for women engineers to take up risk management roles which they would be good at, compared to their male counterparts. Certifications specific to risk management must be introduced.