Devo CISO: ‘Commitment is important for a career in cybersecurity’

9 Jun 2023

Kayla Williams of Devo Technology discusses her role as chief information security officer and how generative AI has affected the cybersecurity industry.

Kayla Williams is the chief information security officer at Devo Technology, a cybersecurity company that provides cloud-native logging and security analytics for organisations. Williams has more than 15 years of experience in IT and second-line-of-defence functions across several industries.

Prior to Devo, she worked as the director of governance, risk and compliance (GRC) for LogMeIn, a global SaaS company, where she developed and implemented the information security policy framework, as well as the security, compliance and technical privacy risk framework.

As Devo’s CISO, Williams guides the overall corporate security strategy, including the information security and technical privacy programs, and GRC. She advises more than 100 customers on how to best use the Devo platform for automation while increasing risk coverage and reducing security operations centre (SOC) fatigue.

“My main goal is to ensure that our customers know Devo is a business partner that is secure and trustworthy.”

With a background in enterprise risk management and security compliance, Williams believes she brings “a unique perspective to the CISO role in that I have complementary experience understanding the business context and how security plays an important role in process improvement and building brand reputation”.

“That’s why I’m passionate about ensuring the organisations I work for hear their security risks in language they can understand and implement security controls such as identity and access management, data identification and classification, and making sure dark data is accounted for and appropriately managed.”


What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?

Women are vastly underrepresented in cybersecurity – last year, women held only 25pc of cybersecurity jobs. Being the ‘odd one out’ is something I’ve dealt with throughout my career. Now as a mentor and a leader, I am working to change that and increase representation in IT and cybersecurity.

One important step to bringing more women into the cybersecurity workforce is to re-evaluate hiring practices. Removing college requirements from job postings opens up a new talent pool. Many women return to the workforce in their 30s or 40s, seeking to explore new career paths. However, they may experience ‘impostor syndrome’ and fear that they lack the necessary technical skills or background to pursue a career in IT or security. This perception can discourage them from applying, even though they may possess complementary skill sets that would be valuable to an organisation.

I look for candidates by focusing on keywords in their resumes instead of ensuring they meet a strict list of requirements. For example, do they volunteer, or have they created something outside of work? Showing successful implementation of an initiative demonstrates follow-through and commitment, which are both important to a career in cyber.

What are your thoughts on digital transformation in a broad sense within your industry?

The software-as-a-service (SaaS) industry’s digital transformation needs are constantly changing due to the introduction of new technologies and increasing amounts of data. As such, organisations need to be able to adjust their digital transformation strategy and resources when needed. New technologies also bring new challenges – whether it’s adapting revenue and product models when new capabilities are introduced or aligning strategic partnerships to capitalise on new opportunities, gathering customer and prospect feedback is key to assessing whether your strategy will play well in the marketplace.

Additionally, to keep up with the ever-changing technology landscape, it’s essential to adapt to any legal or regulatory changes and ensure organisations are in compliance with global data and privacy laws. This means staying informed of pending legislation for software companies and auditing internal security protocols.

Sustainability has become a key objective for businesses in recent years. What are your thoughts on how this can be addressed from an IT perspective?

With any equipment changes or overhauls, it’s important to cut down on the destruction of hardware and instead practice degaussing, recycling and reusing end-user devices.

Utilising data centres – instead of using an in-house centre – helps reduce the energy consumption needed to cool equipment and power hardware. From a business perspective, it also keeps costs down for customers. As we enter the age of artificial intelligence (AI), utilising data centres will become increasingly important with the influx of new data generated by IoT devices and AI solutions.

What big tech trends do you believe are changing the world and your industry specifically?

The explosion of generative AI tools has taken our industry by storm over the past six months. It’s an exciting trend and one that has many possible implications for cybersecurity professionals. For example, Microsoft designed a chatbot called the Microsoft Security Copilot which draws on the large language model GPT-4 as well as a security-specific model to summarise security incidents or exposure to a vulnerability.

However, because these kinds of emerging technologies are being made available to the public, we’re also seeing a lot of unauthorised and unmonitored AI usage in the workplace. According to a recent survey commissioned by Devo, almost all (96pc) IT security professionals admit to someone at their organisation using AI tools not provided by their company, including 80pc who admit to using such tools themselves. The enterprise is behind on implementing controls around rogue AI use, raising questions about whether organisations should restrict their usage.

What are your thoughts on how we can address the security challenges currently facing your industry?

The SOC industry is facing a major problem of understaffing and high turnover rates, leading to burnout and a weakened security posture for organisations. In our annual SOC Performance Report, respondents cited information overload (31pc), increasing workload (30pc) and an inability to recruit and retain talent (29pc) as the most glaring issues in their SOC – and noted that 71pc of experienced SOC staff are likely to quit their jobs due to the combination of these challenges.

To address this issue, there is a need for more holistic and intelligent deployments of analytics and automation to reduce the burden of manual work on analysts and empower them to be more effective while boosting morale.

One approach to address this issue is the adoption of automation, AI and machine-learning technologies by organisations to augment the roles of security analysts. I anticipate this trend to grow and even accelerate as the threat landscape continues to expand. By using AI-powered automation to flag false positives, analysts are able to avoid manual investigation of every alert and focus on the most high-risk items. This not only reduces their workload, but also increases their efficiency and effectiveness in detecting and mediating threats. As we move toward an area of an autonomous SOC, it gives SOC teams the breathing room they need while offering end-to-end support in detecting and mediating threats. It is a win-win for modern organisations.
