Go Phish: Emma Leith, Director of Consulting, Bridewell

On the lighter side of things, we Go Phishing with Emma Leith, Director of Consulting, Bridewell, about what makes her tick.

What would you describe as your most memorable achievement in the cybersecurity industry?

I was proud to be involved in the creation of the financial sector cyber collaboration centre (FSCCC), a cross industry group involving public and private entities. It was devised with the aim of enhancing cyber-resilience across financial firms in the UK, and it works by combining, analysing and distributing cyberthreat information and supporting cyber incident response for the industry’s benefit. Before I joined, there was a four- or five-year period of trying to get this initiative off the ground, but over the course of two years I played a part in helping to make it a reality. 

What first made you think of a career in cybersecurity?

I had always loved computers, and after completing my mathematics degree, a role in IT was the natural next step. After about three years at my first company, my manager asked me if it was what I really wanted to do due to my wider skillset. I realised I wanted to maximise the use of my maths degree with computing. He recommended a MSc course at Royal Holloway which matched my ambition. It was focused on information security, an early term for cybersecurity, and run by the maths department. As soon as I saw the syllabus, I knew I wanted to enrol. My cyber career developed from there.

What style of management philosophy do you employ with your current position?

I’m a very driven individual, but I don’t think that should stand in the way of humility. I like to make sure I’m accessible and approachable to staff. I make an effort to adapt my leadership style based on the individuals I’m supporting. Seeing other people shine is something that really energises me; it’s a real sense of pride when I see someone who’s progressing well in their career. My view of success is having somebody that I currently manage then grasping the opportunity to climb the ranks and become my manager.

What do you think is the current hot cybersecurity talking point?

It has to be Artificial Intelligence (AI). It’s equally frightening and exciting to think how AI will change the cybersecurity industry. Bridewell is considering how it will both evolve and make it easier for cybercriminals to orchestrate attacks, but also help organisations to better defend themselves as well. We’re starting to see AI-driven innovations that can learn about internal systems and self-heal them for protection against the latest threats. AI will only be growing in its use, so it’s important for us to know how we can use it to our advantage.

How do you deal with stress and unwind outside the office?

I do need to have a mental check-in now and again to ensure I keep to my self-care habits during the busy times at work. I make sure to eat healthily and take regular breaks from my desk, even if it’s for just a few minutes. During the pandemic, I became the owner of two dogs, which helped me get into the routine of going for walks. It’s times out in the fresh air where I have my best thoughts. I practice mindfulness, which is a great stress reliever, and I’m a keen swimmer, cyclist and golfer. They’re all hobbies which can really help me to unwind.   

If you could go back and change one career decision, what would it be?

I don’t believe in having regrets as it’s not a worthwhile energy. I’m extremely fortunate to have followed this career path, and I’m incredibly proud that I became a CISO at the age of 34. Granted, I may not have been as generally positive in the early part of my career as I am now, but moving into a leadership role taught me the importance of adopting a positive attitude. I find that as a leader, positivity provokes better responses from staff, and helps to inspire them to achieve their goals. I love my career and I wouldn’t change anything about it.

What do you currently identify as the major areas of investment in the cybersecurity industry?

There’s so much investment going into detection and response strategies. With the way the world is now, it’s not about if a cyberattack will happen, but when. Detection allows organisations to identify and respond quickly to an attack to mitigate the risks. There’s also a lot of focus on securing new technologies. Clients are increasingly concerned about the accessibility of data with AI-driven solutions, alongside cloud and DevOps. We continuously look to modernise and stay relevant as these types of technology evolve to ensure our customers stay protected. Security is a key functionality in modern businesses, not a nice-to-have.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

Regulations do differ between different regions. The UK’s laws are quite different to those in Europe, and the same goes for the US, so different countries need to follow different standards – although there are global industry standards which thankfully most regulators align to. I think more important though is the differences in culture and how people interact with each other. Awareness, training and responsibility around cybersecurity will definitely vary in different regions. However, security needs to be everyone’s responsibility, regardless of the region. Cybercriminals are global. They don’t have respect for borders and will simply attack the most lucrative regions. Cyber awareness and training need to apply to every person, regardless of their roles and responsibilities.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

My responsibilities are ever-growing as Bridewell continues to scale to provide the best experience to customers. It’s a challenge, but at the same time I’ve had the opportunity to strengthen my leadership team to align with our expansion. Looking ahead, the empowering and growth in leadership skills of my team will enable me to take a more strategic role as a board member over the next 12 months. As the landscape continues to evolve, a key focus for me over the coming year will be ensuring that our services are repeatedly being enhanced and remain relevant for our customers and we always do our very best in providing a high-quality service.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Positivity and enthusiasm are so important. Any aspirational individual needs to think carefully about how they come across so they can help energise other people. If they find themselves in a role or at a company that doesn’t match that enthusiasm, then don’t be afraid to look elsewhere. C-level positions come with a lot of responsibility, not just in cybersecurity. So being aware of and contributing to areas outside of cybersecurity is important too. Leaders need to be accountable if things go wrong, but they equally need to be able to build a team that they can trust to do the hands-on work. Building a strong network and tapping into the knowledge of mentors can help them strike the right balance.