Interview: Claudia Natanson, CISO, Diageo

The message Natanson imparts at Diageo, to ‘Store and protect data responsibly’, is a perfect fit with the company’s focus on delivering and marketing its products in a responsible fashion
The message Natanson imparts at Diageo, to ‘Store and protect data responsibly’, is a perfect fit with the company’s focus on delivering and marketing its products in a responsible fashion
Dr Claudia Natanson, Diageo
Dr Claudia Natanson, Diageo
Securing important data and protecting Diageo’s ‘crown jewels’ (intellectual property) are the two most important information security concerns for Diageo
Securing important data and protecting Diageo’s ‘crown jewels’ (intellectual property) are the two most important information security concerns for Diageo
Claudia longs to enjoy the Jamaican sunshine again, if only she had the time...
Claudia longs to enjoy the Jamaican sunshine again, if only she had the time...

When Claudia Natanson isn’t playing tennis, the piano, or the violin, she is working. She might be doing her day job, at total beverage alcohol company Diageo, she might have her FIRST hat on – she is an ex board member and Steering Committee member of the world Forum of Incident Response and Security Teams (FIRST) – or perhaps she is working on the next meeting of FIRST’s Corporate Executive Programme, of which she is the programme chair.

Whatever she’s doing, I’m fairly sure she’ll be doing it with a smile. Claudia welcomes me into Diageo’s London offices, which are, by the way, very impressive. Her warmth and enthusiasm are immediately apparent, and I can tell by the way she is greeted by everyone on our brief walk to the meeting room, that she is incredibly popular with her colleagues.

“I’ve been at Diageo about five and a half years”, she says. “The challenge for me was coming in to a branded company.” When Natanson joined, her initial challenge was that of improving the information security programme. She wanted to create a programme that would not be perceived as a “barrier to business. I wanted something that could blend in to the creative world Diageo is in, but at the same time, meet compliance.”

Natanson, recognising that creativity and branding is the name of the game at Diageo, decided to approach the introduction of a security programme in the same way. “I decided that security would become another brand, so that people could connect and relate to it. The responsibility agenda for Diageo is huge – promoting the concept of drinking responsibly. It is a part of our values, and a part of our goals to make sure that we not only act responsibly, but that we deliver and market our products responsibly.” Employees at Diageo could therefore identify with the ‘Store and protect data responsibly’ message that Natanson created with the security brand.

“I’m very passionate about awareness, and I just keep finding more ideas. Now we’re getting into the virtualisation space, we’re excited about that. Our online compliance training is fun. That’s what we have to do to get people involved, because anything less than that in Diageo would just pale in comparison to all the things that marketing does.”

Getting the execs on your side

Natanson is as passionate about the importance of getting the execs on board with the security programme as she is about the concept of branding and marketing security. “Get the execs on board and everything happens. This is so important”, she laughs.

This isn’t just down to their power over decision making and budget, it’s also about “modelling behaviour. When we put on security road shows, we have the Market Presidents and CIO opening the events”. The security road shows are global, and consist of different functional stalls providing huge learning opportunities to educate the workforce about compliance responsibilities and information security in general. One stall, for example, features a password strength testing centre. “For those markets where we are challenged by location, we have virtualised the road shows.

It’s important, emphasised Natanson, that you create a security programme that is acceptable to every geography. “People have to open their minds and understand why we need to do the things we’re doing”. The secret, she says, is in achieving a happy compromise between the security group and the business.

Sleepless nights

Securing important data and protecting Diageo’s ‘crown jewels’ (intellectual property) are the two most important information security concerns for Diageo, concludes Natanson. “Personal data is the most important data to any organisation, because this relates to the ICO. All organisations have to class that as first priority.

“Your intellectual and your proprietary information are your crown jewels. The way the world has moved to a data world means that securing data has to be your first priority, and that’s why we need to get the message out about why it’s so important that it is handled with care”.

People, says Natanson, are “the weakest link, and hackers realise that. Firstly, before going through all of the technology, we need people to be the first line of defence. Getting that right keeps me awake at night”. It’s hard to imagine Natanson stressed and worried. Her entire demeanour suggests she is calm, laid-back, happy and confident (perhaps it’s her Jamaican roots).

Natanson emphasises how hard it is to allow and utilise benefits of new technology, whilst remaining protected, when “technology is a moving target, evolving all the time. Often, when new technologies come out and hit the market, the first concern is about the aesthetic appeal. Often it’s all about marketing, never about security.”

Team Security

Natanson feels that she and her 12 colleagues in the Diageo information security team have full backing from the Diageo Executive and the Diageo Board. “Every single member of the Diageo Executive, including the CEO and the chairman, sets aside time with me each year, where we talk about the security programme, and how best for them to role model it. They want to lead by example, and they take it very seriously.”

One of the hardest parts of the CISO job, Natanson argues, “is to get the kind of support you need to do your job, because security is often seen as an overhead, rather than contributing to bottom line growth”. Natanson contends that this is a misconception, insisting that the bottom line growth could be extremely hindered by “non-compliance fees that are far from small”.

Natanson reports to the CIO Brian Franz, and the executive sponsor, Deirdre Mahlan, who is a CFO. “Between the two, I’m kept on my toes”, she says, laughing heartedly.

Despite having the full support of the Diageo Executive, Natanson admits that like many other large organisations, our team focuses our plans around our budget allocation. “We can always find ways of doing the things that need to be done”, she says optimistically. “Diageo is very, very supportive. As a team, we constantly review our priorities”.

The information security team works alongside IT as one team, “because a lot of things we need to execute come through them”.

The beginning

A career in information security has not always been Natanson’s goal. At university, she studied geology and nuclear chemistry, followed by an MSc in computer science and finally, a PhD in computers and education.

“For half my life I was a nuclear scientist at the United Nations’ Atomic Spectroscopic Laboratory. Over the years working in an atomic lab, it dawned on me that the world was going to be taken over by computers, and I challenged myself to find out how.

To understand that, I needed to know about computers, and I couldn’t say that I did.” It was then that Natanson decided to go back to university (University of Birmingham), to do her Master’s in computer science, and PhD in computers and education.

"I feel that my male colleagues have always listened to what I have to say"

“After that, I did a number of industrial qualifications, and then British Telecommunications (BT) asked me to come and work for them to do target testing; testing their networks and systems to see if they can actually stand up to vulnerabilities or attacks.”

Her eight and a half year tenure at BT thus began. “BT is a critical national infrastructure, so the way that you run things, the way that you adhere to standards, the kind of flexibility that you might normally have is not there. The critical national infrastructure is a more hardened sort of programme that you have to have in place.”

Natanson remembers how BT had very little information security practice at this time. “There was very little information security in any organisation. I think security evolved from the system’s administrator, trying to make sure that the system was configured properly. At that time, people had a lot of closed networks, and no internet. Suddenly, you had organisations becoming connected to the internet, a completely different ball game”.

While at BT, Natanson was responsible for the implementation and roll out of security for BT’s over 200 000 connections. “At BT I set up the UK’s first commercial incident response team, the BT CERT, and the computer emergency response team is part of the same conference, which is a forum of incident response and security teams.

“FIRST came together in 1990 shortly after the first incident, the 1988 Morris worm. In trying to get rid of the worm, we had a number of teams coming together to try to actually mitigate the risk to the rest of the internet. FIRST is a global collaboration of incident response teams. I thought it was very important that BT had its own incident response team. I set that up, and then went on to set up the security services, because I felt that as the internet became more important, organisations would want to have a way in which they could manage some of the incidents”.

Corporate executive programme

While Natanson still has an active role in FIRST, where she was a board member and Steering Committee member, her role as programme chair of the corporate executive programme ensures she is kept busy and well connected.

“About five years ago, I realised that security was becoming more risk-based. People, especially those who were more technically-minded, were unable to translate – in business language – what that risk is to the business. Many industry experts struggled to articulate it; and many didn’t know how to get the board involved or the execs onto the programme”. As Natanson had had success in these areas, she wanted to share her experience with others. “I thought that if we got all those people in a room who had had success with that, and those who were still struggling to do that, then we’d have a very good forum.”

Natanson thus created the corporate executive programme as an offspring from the Forum of Internet Response and Security Teams, “because at that time I was sitting on both the board and the steering committee of FIRST. I think it’s important for us to understand how the policies we put in place play out in real life, and the forum addresses that. A lot of people don’t think about that because they are probably working within the security zone alone”.

The CEP has now been running for five to six years, and is an annual event. “We try to bring together not just security people, but CIOs and CEOs. It’s a C-level forum, really, but also chief marketing officers are there”.

A man’s world

When Natanson decided to get into computers, she was unaware of the great gender imbalance in the industry, “but it became very evident in my Master’s class”, she says.

“I don’t know why there are very few women. I’ve never ever felt any resistance from male colleagues, never”, she insists. “I’ve always sat in rooms full of men, I’m the chair of the CEP, and I deliver stuff. I feel that my male colleagues have always listened to what I have to say”.

During the eight years she worked at BT, Natanson worked with only one woman. “I don’t understand it at all, there’s no resistance.”

Natanson does suggest that the situation is improving, however, and cites more women attending information security conferences. “I also think that a lot of organisations, whether science-focussed or not, have begun to create the opportunities and the environment for women to be able to take up opportunities; flexible working and the era of remote working certainly helps.”

More of the same

One of the skills required for the role of CISO is the ability to make future risk assessments and predictions. Claudia is strong in her convictions when asked what’s in store for the information security threat landscape over the next year or two. “More of the same unfortunately. More technology, more glitzy and exciting things that people want to do. Also, the growth of social networking and collaboration and exchange of data is going to continue to increase.

"Not every risk has to be mitigated, but every risk has to be managed"

“The approach that we have to continue to take as security practitioners is risk and reward. Not every risk has to be mitigated, but every risk has to be managed. You will always have to understand that risk, the impact to the business, and have that discussion with the business. This is not a bad thing, because it brings security to the table as an equal partner in the discussion on business. Suddenly, you’re not just seen as an overhead, but as part of the whole business profile that is needed as an entity to make a business strive”.

Moving from the ‘machine in the corner’ to the table is a big change, and is sometimes a struggle for security professionals. “Now you have to understand how to articulate yourself in business speak, and that’s what the CEP is about. For some people, this is a transition they are uncomfortable with.”

Highs and lows

It somehow seems silly asking Natanson, who has achieved and pioneered so much throughout her career, what her biggest career regret is. Surely she is satisfied with her achievements? “What I really regret is that I don’t have enough time to do more. There are so many things that I wanted to do – go into the army, for example”.

Naming her Master’s as her biggest achievement, “I found that really very hard”, she admits that she does pressure herself too much with creating new ideas.

“Where do I see myself in ten years?”, she mulls, “I really don’t know. I’m so passionate about what I do, I think I’ll probably still be passionate about what I do, and finding some other angle to come at it from. I’m originally from Jamaica, but have worked most of my life outside of Jamaica. It would be great to think that I’ll be enjoying some of that sunshine, but I never have any time”. And so the regret of lack of time continues.

It strikes me as a somewhat beautiful regret. Here is a woman who has never wished her life away, but instead is desperate to cram it full of achievements and creativity. There’s no doubt in my mind that ten years from now she will be passionate about whatever she’s doing, nor do I doubt that whatever she’s doing, she’ll be doing it smiling.

What’s hot on Infosecurity Magazine?