I worked my way through college at a Research and Development lab for a company that milled flour and made baking mixes for consumers as well as restaurants. I obtained my degree in Chemistry and the lab job included running the analyticals to write the product nutritionals (%fat, %carbs, %protein, etc.). At almost 6’ tall, I was significantly taller than my manager and when she went to read the instrumentation, her results varied significantly from mine. I used a software application to calibrate the instruments to remove the human error. It worked well and they asked me to do this for the instruments in their Quality Assurance lab. This was the only time I have ever “coded”. I really enjoyed what I did and when their IT Manager resigned, they offered me the job and provided me with training. I became immersed in the world of networking. It was a dual shop of Novell and Microsoft. I remember now how I would wait while imaging a new machine to pop in the next Windows 95 floppy disk. Things have changed a lot since then.
Several years later, my husband was stationed overseas and we moved to Germany. I had applied for and accepted a Department of Defense position. I was in learning mode as I waited for my secret clearance to be approved. I was learning more each day about routers and firewalls. I was a sponge and couldn’t get enough. When the clearance came through, I began managing the security patches for all the assets at a major hospital in Germany. The war in Afghanistan began in 2001 and reservists across all branches of service were being activated and coming to the hospital to clear for deployment. This was my first exposure to security. Soldiers had personal laptops, Army issued laptops, Air Force issued laptops – all with different images on them and all needing access to the same data. I had a crash course on Active Directory, group permissions and file permissions. I also was very well educated in certificates and certificate management by assisting with a PKI rollout for CAC card authentication. Management of the several dedicated applications also fell on my shoulders. The fundamentals of security across all domains were part of my daily routine and I loved it. This was also my introduction to compliance and regulatory certifications. HIPAA compliance and JCAHO certification are key in the healthcare field and I would revisit them several times throughout my career.
I returned to Texas nearly four years later and began a job that started my career philosophy that in order to grow, you need to be challenged. You need to step outside of your comfort zone and take risks. I have heard this many times in my life and I absolutely agree. I am a Windows gal, with DOS a close second. This role was my first exposure to UNIX. Learning a new platform and what it takes to secure it is something that was very intriguing to me, yet made me a bit uncomfortable. Maintaining that intrigue and discomfort is something I continue to do to this day with my career. This was also my first exposure to SOX compliance and IT controls and I fell in love. I started to learn everything I could about SOX compliance.
A few years later I found myself back in healthcare and in a highly visible leadership role, reporting directly to the CISO. I was finding my feet as a leader and the breadth of my responsibilities was wide. Managing a full IT outsource across a variety of hospitals and clinics was exciting and a bit uncomfortable. Vendor management, service level credits, ticket resolution, on-shore/off-shore, SOC/NOC; I was growing and finding my voice for defining security and privacy controls for a large enterprise. I was back in the compliance world and here is where I became introduced to my first framework, ITIL. Managing risk was the name of the game and ITIL was the referee. I thrived on applying best practices for the delivery of these services and making sure they were right for our different entities, whether a rural, non-profit clinic with paper records or a multi-clinic commercial hospital with a mature EHR. I started to build my network with mentors, peers and friends that I would continue to work with over the next decade. I was also exposed to the type of leader I never wanted to be, one who manages by fear and anger. Yelling in the workplace and belittling individuals in front of their peers was unfortunately a common occurrence, and one I was adamant not to exhibit myself. It took a few years for me to be strong enough to confront that style rather than sit in silence and hope it doesn’t get directed at me.
I left healthcare for my first experience in retail, owning risk management and security. This brought even more compliance requirements (hello PCI) and even more visibility as I now reported to the CTO of a nationally recognized, publicly traded retail chain. Understanding the risk that standard infrastructure maintenance could bring to the business was a wild ride. Implementing a password vault to streamline access controls and create a true role-based access/least privilege environment was a tough, year-long project that allowed me to hone my skills on new fronts. I also had my leadership style mature. This department had become a parking lot for employees that were no longer contributing or were waiting for retirement. I wrote my first ever performance improvement plan and managed an employee out the door. Five more followed and I was very adept at writing improvement plans and training plans. I also promoted three individuals that were carrying the weight of the work for the department. One of those individuals is someone that I would reach back for as I moved throughout my career and would happily work with again. I also became aware of what metrics were important to executive leadership and how they should be presented. It was also my first (not last) experience with a breach. Long stressful hours utilizing our incident response plan became the new normal. All cycles of a true CSIRT were present and it was exhausting and exhilarating. Getting in the weeds of the configuration of all layers of infrastructure protection every day gave me a new appreciation for all the different engineers, managers and directors and the decisions they made daily. A key foundation of my leadership approach was born. Always provide feedback. Positive feedback can make an underappreciated engineer feel amazing. What I call “growth feedback” can make a frustrated or underachieving analyst feel heard and feel supported by leadership with a path to become great.
I will always have the tough conversations. Having received those from my managers has made me step up my game when needed and those course corrections have enabled me to continue to grow. They are also the most memorable for me. This was also the time in my life when work life balance began to be more important as my husband and I had our first daughter. Fortunately, I had excellent benefits and on-site daycare that was amazing.
I returned to work with wonderful people that I had met years earlier and returned to the healthcare world. The compliance landscape in healthcare had changed and HITECH and data privacy were hot. I was now managing people across the US in a virtual work space. Cloud technology was just starting to gain momentum and I worked steadily over a year to help define and build a HIPAA and FISMA compliant cloud service offering. I also began writing test questions for the ISC2 CISSP exam. Working with psychometricians and understanding how to write technology questions that were translated into many different languages made me a bit uncomfortable but in a great way. This was also the first time I became aware of my gender in the cyber field. I often find myself as the token woman at these workshops and I would actively work for the first day to prove my worth and debunk the general consensus that I was there solely because of my gender. I’m pleased to say that after a couple of workshops, my reputation as a strong item writer and group lead had been established. I went on to write for their cloud and healthcare exams as an expert on Risk Management, Access Control and Regulatory Compliance. I added numerous experts to my network and I continue to call on them for mentoring and advice. I also proudly provide the same to them. I continue to write for ISC2 today.
This was their first ever CISO and I had very specific goals. I got to build a security and compliance team from the ground up. I assessed the existing in-house talent, policies and processes – more documentation than I had ever seen before. Stale, irrelevant documentation that was almost worse than not having anything. I gained an appreciation for the need to have current network maps, documented data flows and executive approval for processes. This is now fundamental for whatever department I manage. Refreshing documentation to align with technology and resource changes is invaluable. I was very focused on understanding data flows and maturing the DLP toolset and resources utilizing them. Cyber security was beginning to be the new buzz term. Executives wanted to know more about emerging threats and how we are protecting against them. They were starting to be more interested in our security posture and it was refreshing to see. It was at this time that I joined the FBI North Texas InfraGard Board chapter as their Sector Chief Coordinator for Healthcare and Public Health. I have volunteered for the chapter for several years now and I am currently the President of the Board.
I found myself in my second CISO role for a large luxury retail organization. My role was created as a result of a breach. I had a vision to build security as a culture and not a definition of compliance. I reported directly to the CIO who liked my strategy and vision. Again, I found myself building a team from the ground up and refreshing documentation. Again, I found myself working the incident response plan as a result of a breach. I was getting way too much experience in that field, but it did lead me to more involvement in cyber insurance and coverage. This was a very cyber focused team with 24X7 operational incident response.
My first major project was replacing an antiquated SIEM with Splunk and that certainly helped when needing to activate IR. I managed a strong team that handled compliance, security and risk management. ITIL was rolled out and beginning to mature. IDAM was upgraded and expanded. I had the resources to have a third-party social engineering risk assessment. The results of that assessment allowed me to build a monthly social engineering campaign. You can put as many technical controls in place as you want and have an unlimited budget, but you will always have the exposure of the human element. People are curious and even with the best security awareness campaign in place, they will still open the malicious attachment or take the clickbait. I also was a stakeholder for our first move away from waterfall project management. I got a crash course on Agile scrum and was participating in daily standups and analyzing burn down charts. My daily vocabulary now included product backlog, sprints and stories. I became DevSecOps and had to define and approve our cloud strategy. It was high pressure and fast paced and I loved it!
“And the good girls go to heaven, but the bad girls go everywhere...” – This is what I read when I was trying to get to know Lisa better on her Twitter account. Controversial, courageous, and ambitious, this woman has a lot to share with us about her experience, and how she climbed the corporate ladder in security. I chatted with Lisa for hours about life, politics, and technology as well as about how to tackle the challenges in a male-dominated industry.
Franziska Bühler currently works as a Senior Systems Engineer in Switzerland.
Her main areas of responsibility are web server security and everything related to the access layer. In Switzerland, this typically includes authentication and web application firewalls.
She holds a Bachelor of Science degree in computer science with a specialization in IT security. She is also a Certified OSSTMM Professional Security Tester (OPST), accredited by ISECOM (Institute for Security and Open Methodologies).