For a retired CISO, Renee Guttmann keeps awfully busy. She runs her own cybersecurity consulting company, Cisohive. She’s an advisor to six different venture capital companies. She’s a regular on the cybersecurity speaker circuit, and on May 9, she’ll be appearing on the main stage at RSA Conference alongside Charles Blauner, Marene Allison, and Tim McKnight, talking about her 30-year career in cybersecurity. She also happens to be one of my all-time favorite people in cyber.
Renee is formidable. Her reputation as a thought leader, an influencer, and a trailblazer precedes her. She’s known for her roles as the CISO of Campbell Soup Company, Royal Caribbean Cruises, The Coca-Cola Company, and Time Warner.
As the world celebrates International Women’s Day, I had the chance to catch up with Renee. I learned that she’s thinking a great deal about her legacy and that her favorite song, “My Wish” by Rascal Flatts, speaks to what she hopes to leave as her legacy. As she described how she entered cybersecurity and quoted lyrics from the song, I realized “My Wish” was very much a reflection of her career.
I hope the days come easy and the moments pass slow
And each road leads you where you want to go
And if you're faced with a choice, and you have to choose
I hope you choose the one that means the most to you
And if one door opens to another door closed
I hope you keep on walkin' till you find the window
If it's cold outside, show the world the warmth of your smile
“My Wish” by Rascal Flatts
Here, Renee shares the hardest lesson she had to learn as a CISO, why she had to study federal sentencing guidelines for computer-related crimes early on in her career, the women in tech that she admires, and much, much more.
ExtraHop: What did you enjoy the most about being a CISO?
Guttmann: At every company I joined, being CISO was like being handed a lump of clay and having the opportunity to shape it to suit the specific needs of the organizations I was part of. For example, when I was at Coca-Cola, I inherited business continuity as part of the CISO role, but the company didn’t have a privacy program at the time. So when I started asking what we were doing about privacy, the leadership gave me the opportunity to establish a privacy program within information security.
The other thing I loved was having the opportunity to shape an industry 30 years ago, being one of the first women in a CISO role, and just being part of this community.
ExtraHop: What would you say was your impact on the industry?
Guttmann: Apart from being one of the first women and paving the way for other women, I was an early adopter of a lot of foundational cybersecurity technology. Jim Routh and I were the first or second early adopters of technologies that were new at the time. We took chances. I remember bringing SSL VPN to one of the companies I worked for when it came out. People thought I was a lunatic. They said it would never work. People were always telling me things wouldn’t work. Jim and I pushed the envelope on technology that’s now commonplace, like GRC tools. I was the fifth person to buy Archer. We pushed the industry to find better ways of doing things, particularly for end users. SSL VPN is a great example of that; it was much easier for people to use than traditional VPNs at the time.
ExtraHop: What prompted you to become a CISO in the first place?
Guttmann: The opportunity came to me. I had been working for a pharmaceutical company running their email program, and I had experience with firewalls and SecurID. One day, the company did a reduction in force following a merger, and my job went to the incumbent from the other company. When I found out I was being terminated, I walked across the hall to the security department and asked if they had any openings. They said, “Yes, you know SecurID. You know firewalls. Come on in.” It was a gift, and I never looked back.
ExtraHop: What was the hardest experience you had to navigate as a CISO, and what did you learn from it?
Guttmann: The hardest lesson I had to learn was how to have difficult conversations and how to politely and respectfully say no. I learned this lesson in 2000, when I realized I would reach a point in time when I would disagree with my boss, the CIO. So I said to him one day, “We’re going to end up in a place where you and I disagree; let’s create a policy that if we can’t agree on something important, we have to take it to the head of legal and the CFO, and they get to decide.”
I only had to call on that policy once, in 2003, when my boss was out of town. The individual standing in for my boss wanted to put a web server on the internet without a firewall. I told him he had to put it behind a firewall. He said he’d harden the web server to get around implementing a firewall. I said, “No, it doesn’t work like that,” and I showed him a paper copy of the policy the CIO and I had drafted. I told him that we had to take this to the CFO and head of legal to resolve, and the minute I said that, he told me, “I’ll have it behind a firewall in two weeks,” and he did.
ExtraHop: Speaking of difficult conversations and difficult situations, what impact will the legal actions that the SEC and other federal officials are taking against CISOs have on the profession?
Guttmann: The first thing I had to learn in security 30 years ago was the federal sentencing guidelines for computer-related crimes. It’s because we were in this e-discovery mode and having a lot of discussions about email and data retention policies. It always occurred to me that there would come a point in time when, as CISOs, because of what we do, we’d be in a place where people would judge us, would view our work as serious, and hold us accountable. I never ever doubted we’d hit this point in time.
What concerns me is that so many security leaders who I meet up with at industry events tell me they want to leave the profession. Accountability for cyber risk isn’t all on us. We’re accountable for recognizing when there is an issue. We’re accountable for making the risk known, and we can recommend how to fix it, but we don’t necessarily own it. We need to create tools and processes to help people stay in the profession. For example, use a risk registry and implement processes for getting an officer of the company to sign off on risk acceptances. I see the role of CISO as much more of a risk officer now.
ExtraHop: On International Women’s Day, are there women (besides yourself, of course) the cybersecurity industry should acknowledge for paving the way?
Guttmann: Joyce Brocaglia, for starting the Executive Women’s Forum. Rhonda MacLean, who was one of the first female CISOs; she worked for Boeing, Barclays, and Bank of America. And Eva Chen, the co-founder and CEO of Trend Micro. They were the people who I drew my courage from. We all get our courage somewhere, and these are the women who shaped me.