Posted by on Sep 26, 2016
Christine Whalley is the director of governance and IT risk management at Pfizer, the American global pharmaceutical corporation headquartered in New York City. Not only does Christine possess a wealth of experience in managing IT risk and governance, she is also a keen educator.
Christine has been hand-picked by the Virus Bulletin team to deliver the opening keynote at this year's Virus Bulletin International Conference (VB2016) in Denver, 5-7 October.
With VB2016 only a little over a week away, Christine kindly gave us a bit of insight into what makes her tick, and how she perceives cybersecurity today.
What did you want to be as a kid?
As a kid I really wanted to be a detective but I had no interest in being a police officer. I am still a huge fan of mysteries and criminal dramas in all forms. As I was considering whether to go to university, I considered working in horticulture or computer repair but I got very little encouragement or support. I tossed about the idea of being an executive secretary - or personal assistant. I like organizing and getting things done, but honestly I like being a trusted advisor with the ability to influence.
Did you like/hate school?
I love school in all forms, even including my latest journey through law school. Mathematics was one of my favourite subjects growing up. There was something strangely pleasing about the structure and the application of theorems and formulas for solving problems, which is why I think I was drawn to computer science and the law over time.
Tell us about a favourite job
I have been privileged to have had a variety of jobs and roles across a plethora of industries throughout my career to date. I have worked with law enforcement, military, government organizations, non-profits, manufacturing, financial institutions, and now healthcare. It has taught me that the grass is always greener where you are not and there is always something new to try. I try to do something a bit different every 18 – 24 months, moving onto a new challenge to solve. My most favourite job is the one that lets me do what I do best – organize, architect, and educate.
Which five guests - across all time - would come to your ultimate dinner party?
This is an interesting question and there are so many different directions I could go in. After a bit of dreamy-eyed grandeur, I decided that I really would not feel comfortable if I went outside my normal dinner party role –which is catering the event so that I can fade into the background and observe my guest. I like to listen to their conversations and occasionally seed the dialogue with a question or two and see where it leads. It seemed a bit less dramatic if I went with my first instinct, which was to bring together five members of my family from across prior generations. There are so many things I should have asked when I was growing up. But I thought I would try to show a bit more imagination and decided I would invite the following individuals, who must attend in modern dress, and leave it to the reader to imagine the ideas and conversations that would result:
What do you love and hate about working in the cybersecurity industry?
I love the influence that human behaviours have on the industry. I love the challenges of solving difficult problems. I enjoy seeing the things I explored early in my career coming back around, like behaviour analytics and machine learning, but now with the explosion of devices that can collect and share astronomical sets of data providing insights and capabilities that we only imagined and tinkered with just 20 years ago. We are in an amazing time but we face some hard decisions ahead of where to strike the balance between security, privacy, and convenience.
I dislike the fact that, while things are always changing, they are also very much the same and we are still struggling with the same issues that have plagued the field since the beginning - not really so dissimilar, I suppose, from the physical world equivalents. We are still having the same conversations and trying to solve the same problems – admittedly with better tools, toys, and capabilities. This is one of the reasons why I changed my focus from technical solutions to governance, risk, and compliance. It is a chance for me to change the conversation from finding the better mouse trap to managing the risk.
Are there any cybersecurity issues that we overestimate or underestimate in terms of priority/importance?
I think we overestimate the effectiveness of any given tool or capability within our cybersecurity portfolio to protect our information and our devices. We, including myself, delude ourselves that somewhere out there is that silver bullet, some "automagic" thing that will solve our cybersecurity woes. We underestimate the impact people's behaviour and motivations have on our ability to provide security. Our society is made up of a variety of roles including explorers, innovators, builders, leaders, doers, and followers. And every one of those people has a different set of motivations and experiences. With this eclectic melting pot and the speed with which we (and our devices) can collect, analyse, assimilate and react to information, it seems inevitable that mistakes will be made and gauntlets will be thrown.
Can you give us any hints about your keynote for VB2016?
Hmmm – I feel like I have given a fair number of clues here about where I may head with the keynote. Perhaps it is best to leave a bit of mystery for the audience. Besides, that gives me the luxury of finishing my talk or changing it completely.
What is the biggest change you have seen in cybersecurity in the last 5 years?
I know we have made great strides in our cybersecurity capabilities but I think the biggest change is in how cybersecurity is viewed and who's talking about it. Cybersecurity is no longer relegated to conversations among researchers, hackers, security professionals and technology teams. Boards of directors and executives discuss cybersecurity and they don't just want to know about how much malware is being blocked or how many incidents occurred. They want to know what is at risk and what can be done to better manage those risks.
Do you think we are winning the fight against malicious online activity?
I expect it depends on how you define 'winning'. I think we are making great strides and have better ways to detect, adapt, and respond to malicious activity. We have found ways to significantly minimize the disruption and limit the damage. I am cautiously optimistic. But have we significantly deterred malicious online activity? No, I don't think so. That does not mean we should stop trying but we may want to divert some of our forces to study and disrupt the motivations of these perpetrators. While enabled by technology, cybersecurity is, at its core, a people problem and we should not forget that.