Elke Bachler – our Chief Information Security Officer – talks about her serendipitous career approach, why you don’t need to be a computer scientist to work in IT, and why she finds information security so exciting.
I am a big believer in serendipity. Many of us get a lot of opportunities and we can train ourselves to see and take them when they come along. After university I was offered a job at a management consultancy. They were on the lookout for people with diverse backgrounds and thinking, and deliberately didn’t just recruit computer scientists because they wanted balanced teams. I got excellent training and the opportunity to learn new things and work with many different organisations.
I've always liked IT but chose to do something else at university. I don’t think you need to have studied computing to have a career in IT. The industry moves so quickly that even if you studied computer science at university, a large amount of what you’ve learnt is either not relevant in a business environment or goes out of date quickly. You absolutely understand how these things work but you don't necessarily understand how to make them work and deliver business benefits. The important thing is that you need to be interested in and enjoy working with technology, and you need to be happy to carry on learning all the time.
Eight out of ten people who work in IT never go anywhere near cutting code, but are doing all sorts of other critical jobs from project management, to design, to understanding requirements to testing. I haven't cut code since I was 25...a few years ago now!
LinkedIn liability
My move into information security (InfoSec) was also serendipitous. It started off as a change job, because I was asked to help set up a new information security function. Initially it was setting up the function that interested me, but when I got going I found InfoSec so exciting. It is one of those areas that once you get into, it really changes how you see the world. Suddenly you see how data flow everywhere and how people put themselves at risk. It does mean I spend a lot of my time scaring people. I was on LinkedIn recently and someone had posted a picture of their child's degree certificate – it was a First from Oxford. I thought this is lovely, but you have their name, date of birth and degree for everyone to see and you probably shouldn't post that. I dropped them a message and they took the whole link down. It is all about keeping information secure irrespective of what format it's in and where it is. You want to make sure that wherever the data go they are protected.
Varied role
Since joining Hiscox in January 2018, much of my role involves putting information security on the business agenda. People are recognising the risk and what could happen if it goes wrong. I think it's important for people to understand that information security is not just about IT and that it is not just my team’s job to make it happen. It ranges from how people manage their own email traffic, remain aware of phishing and report incidents; it’s project managers and architects designing security into processes from the outset; it’s people who do procurement making sure that contracts with suppliers are drafted with data security in mind; and so on. At Hiscox we don't just think about data on our own systems and in our own offices, we also have to think about the third parties with whom we share data; and our customers and how we help them stay secure.
For me, it continues to be a varied and hugely exciting area to be involved in. Technology is no longer simply an enabler but a driver of business strategy. Making sure the right information is available to the right people and processes at the right time is critical to making that happen. Working in technology, an area that has dramatically changed our lives and will continue to do so in ways we can’t even imagine, feels pretty good.