Young. Female. CISO. What do these three have in common? Typically, not a lot. Estimates of women working in the security sector put it somewhere between 11% and 20%. Inside Templafy, the answer to the question is Ellen Benaim. She's the woman whom we've all come to associate with weekly security tips, best practices for staying secure, the customer security representative who regularly reassures the most vigilant enterprises that our solution more than meets their rigorous standards. We interviewed Ellen to get her perspectives on the role of CISO, how she got there, and what it means to her.
Ellen's career journey in Templafy
Ellen began her career in Templafy in June, 2018. From the outset, she worked to develop our security-first approach. She's a member of the Templafy Security Guild team and is responsible for the design, implementation, and monitoring of the information security program and the overall security strategy.
In March 2020, Ellen was promoted to Chief Information Security Officer: taking over the role of co-founder, Henrik Printzlau. A fantastic achievement. It demonstrates Ellen's drive and dedication, as well as the trust Templafy has placed in her ability and ambition.
Here, Ellen shares her answers on how she achieved her goal of becoming Templafy's Chief Information Security Officer.
Where did your interest in cybersecurity begin?
When I was in secondary school in Ireland at around age 15, IBM invited our class out to a roadshow where they showed us the inner workings of their server rooms. I thought it was very cool! I guess at that point, I didn't know specifically I wanted security. Still, I knew I wanted to go into technology. Thinking back, I realise it was good that IBM came to our all-girls' school because we could easily have been overlooked.
A lot of my inspiration for anything tech-related comes from my father. He started off as a software engineer and now he's the Head of Connectivity in Ireland's largest broadband provider. Myself and my dad would bore the other half of the family with our constant tech talks. Between that and the IBM trip, these are the experiences that set me off on this path.
"I tell this story to encourage people interested in security to put themselves out there and see how exciting the field really is." - Ellen Benaim
How was your IT education experience?
I studied business information systems at University College Cork. The course is a mixture of IT and business modules, and for the last two years, there was a focus on security. I knew by then that I wanted to go into security specifically.
For two years during my studies, I taught a group of 8 to 10-year old kids how to code through a course called CoderDojo. I wanted to encourage young girls and boys into tech and show them that it could be something fun. And then, for my final year project at university, I created a videogame that teaches kids how to be secure online by fighting a hacker. Players would gain knowledge as they progressed in the game, and they'd use that knowledge to defeat the hacker to win. I had to demo this game to school kids of about 11 years of age. I tell this story to encourage people interested in security to put themselves out there and see how exciting the field really is.
In terms of gender balance at university, the classes were mixed but predominately male. I think the split was 70/30. They had improved the balance by the time I was there, and I hope they're continuing to find a better balance.
How did you find your way to Templafy from Cork?
Out of university, people go on different career paths, and a lot of my peers went on to consultancy and IT firms in Dublin. Companies like Accenture, EY and Google are found there. But I knew that I wanted something different, so I came to Copenhagen, and I found Templafy.
How was your interview process in Templafy?
During my interview with Henrik Printzlau, he asked me what I want to do in five years. I said that I would love to become an expert in my field and to be able to lead a team through that expertise. He asked me to be more specific, and so I said I wanted to eventually become a CISO. Henrik then asked me if I knew what he did at the company, and I told him his LinkedIn stated he was co-founder. His responded saying, he was actually the CISO and that I'd just described taking his job! We had a good laugh over that. Neither of us knew how that was actually going to come to truth, but I know Henrik believed in my drive from the very beginning.
How did your career path progress over the two years you've been at Templafy?
I started working in Tech Support to learn the technical components of our solution. I got an excellent base knowledge, and from there, I moved to more of a security role. For the past year, I've worked together with Henrik to develop and implement our security control baseline, based on ISO 27001 and other leading standards. The controls we created were audited, and in July last, we got an excellent ISAE 3000 report. I've been leading the ISAE 3000 type 2 efforts, and we're expecting another good report at the end of March. We're always pushing to give our customers even more. That's the plan for the next year or two – to keep pushing our investment in security, pushing our security posture to market-leading levels for our customers, and also for ourselves.
Did you expect to become CISO so early in your career?
No, definitely not. I hadn't planned it to be so soon. Something Henrik said stuck with me. He said, "Why get grey hair waiting for a role when you can get grey hair doing the role." So, it is early, but also it came out of merit and drive and ambition. For me, it was a perfect alignment of both my drive and ambition and Templafy's drive and ambition for security. We are both ambitious, and this is the role that came with that. Taking this role so young makes it really important for me to succeed. What's also great is that they've given me the license to succeed in the way that I want. They didn't put any restrictions or directions on the role. I can take the lead with the scope and direction that I believe is right for the company, and that's what I wanted.
"If your interest is in tech, then just try, because you will be super surprised at how easy the technical aspects will come to you. And this goes for anyone of any age." - Ellen Benaim
How much value does Templafy place on security and the role of CISO?
A decision was recently made to have the CISO report directly to the board and have its own budget. I think this decision shows that this is a strategic direction that we want to go in. It's quite unique for a CISO not to have to report to a CTO or CIO, for example. I think it strongly demonstrates Templafy is giving security the value it deserves because we won't settle for less than enterprise-grade security. And then this decision really lends itself to putting trust in me to carry out that role. I think, as women, we often have this imposter syndrome that we can too easily doubt ourselves, and we can put up barriers where there may not be some. So the freedom given to me to make the security initiatives and direction is something I'm very pleased about.
Do you have a role model in cybersecurity?
Prior to starting in Templafy, I did an internship with an asset management company in Dublin, and I was part of their security team. There was a CIO, and there was also my manager, Denise. She was the Senior InfoSec manager for Europe. The company was very "old-school" in the sense that she was quite literally the only woman in the room whenever we went to meetings. She was amazing – it was so
obvious that she had all the trust and respect of everyone in the company. She is such a go-getter, not fazed by anything at all. And she would arrive with high heels, perfect hair, makeup – maybe to show the contrast with all the engineers in t-shirts! Anyway, I think that's what I looked up to: she was just wholly herself, and she had so much knowledge and respect. She taught me a lot.
I've been lucky to meet some great people along the way, and she is definitely a role model. And I have to mention Henrik, who has been my role model internally since starting here. I think it's great to be part of the growing numbers of women in the security field.
What is the biggest misconception about cybersecurity?
I think there's a misconception about security roles: that security officers are seen as the bad guys or the people who slow things down because they want to make sure everything is right and as secure as possible. And that somehow you need to be loud, aggressive and extrovert to succeed in this role. The fact is, you don't need to have a dictatorship style (and this goes for managers in general) to work in a security leadership role. There's a stereotype for security, and there's a stereotype for leadership roles. Still, the fact is, the more collaborative you are, the more you can talk to people around the office and engage what they see every day. That's much more effective than telling everyone what to do. So, if you have an interest in security but think that you are too much of an introvert, making security engineering at the back-end your only option; that's not the case at all. Team players who can collaborate are an excellent fit for security roles.
What advice would you give to other young women who share your cybersecurity ambitions?
For any women who might be on the fence about studying something technical, I want to say to them – just go for it! There's a lot of courses that mix tech with other courses – business, for example – but if your interest is in tech, then just try, because you will be super surprised at how easy the technical aspects will come to you. And this goes for anyone of any age. Tech isn't some sort of hidden language that you need to unlock your brain to learn. When you get down to it, it's accessible if you apply yourself and if you have the interest.