[00:00:00.120] - David Puner You're listening to the Trust Issues podcast. I'm David Puner, a senior editorial manager at CyberArk, a global leader in identity security.

[00:00:23.650] - David Puner It may go without saying, but I'll say it. Being a chief information security officer, CISO, is a tough job. High-profile tough. CISOs are on the frontlines protecting against the TBD unknown, day after day, week after week, month after month. Threats are relentless. Work is unpredictable. Staff shortages continue to fuel a vicious cycle of burnout. On top of it all, the buck stops with the CISO. When things go wrong, they're positioned as being the throat to choke, as Forbes recently put it. It's no wonder mental health issues such as depression and anxiety are surging in our industry.

[00:01:03.130] - David Puner There's a lot of things that need to change, but fortunately, this once-taboo subject is starting to get the attention it so desperately deserves thanks to security leaders who are stepping forward. Their personal stories help humanize the cybersecurity team. They acknowledge that despite the sleepless nights and heroic efforts, protectors of digital space are indeed human. As the stakes continuously grow higher, so too does the need for true support, empathy, and action.

[00:01:34.940] - David Puner This October is not only Cybersecurity Awareness Month, but also National Depression and Mental Health Screening Month, a time to elevate this critical conversation, advocate against stigma, and bring awareness to the various resources available to those who need them. I'm honored today to host Trust Issues alongside our guest, Kirsten Davies, who's the CISO for Unilever and passionate about humanizing the teams in our cybersecurity community.

[00:02:00.860] - David Puner Unilever is, of course, a huge company with hundreds of brands and products beneath its umbrella. To try to wrap your head around the potential scope of being its CISO is daunting, to say the least. As Kirsten tells it, the responsibility and accountability in the CISO role are enormous, and burnout and stress are at a crisis level. She feels this acutely. We get into that and lots of other things that are on the mind of a big-time CISO with the same number of hours and minutes in her day that we all have.

[00:02:31.100] - David Puner It was great to get the opportunity to talk with Kirsten. Her candor is admirable and her shoes are large. Here's our conversation.

[00:02:53.100] - David Puner You are the CISO for Unilever, which is a massive global consumer packaged goods company with over 400 consumer goods brands and 148,000 employees. Some of the brands I'm sure people are familiar with. Overly familiar with Hellmann's, Ben & Jerry's, Dove, Seventh Generation, Vaseline. There are so many. To dive in and just start out broad, what does your role as Unilever CISO encompass, and what's a typical day look like for you, if there is such a thing?

[00:03:28.920] - Kirsten Davies That's a great question. I wonder if you can ask any CISO what their typical day is. It varies. I think it's one of the things that we love about the work is that there are new challenges that emerge every day. Great company. We produce 50% of the world's ice cream. That's a heck of a lot of smiles. I'm telling you, that's a heck of a lot of smiles all around the world. The remit for the program is end-to-end cybersecurity risk for the organization. That includes the typical that you would expect. It's the managed technology estate, the managed IT estate as it used to be known, but it goes much further than that as well. We see risk in a very broad, holistic way at Unilever. So it's everything from the regulatory and compliance challenges that we have globally from our footprints in over 180 countries globally to the operational resilience of things like our core network, yes, but also our factories, distribution centers, R&D, all of that kind of a thing.

[00:04:34.620] - Kirsten Davies We also look at information protection and information security as one would expect that we would. We look at the security and resilience of all of our technology touchpoints, all of our digital interactions from our factories to our technology, traditional IT as well. Then finally, probably something that we'll double-click into a little bit more in a bit is the culture. It's the capability, yes, of my team, of the cybersecurity team, the core team itself, but also the security mindset of the organization, because that is critical from an enterprise cybersecurity risk perspective that the culture embraces cybersecurity, cyber safety, as part of their responsibilities.

[00:05:25.590] - David Puner How big is your team? You've been with the company now for about a year or so. How have things changed since you've arrived?

[00:05:35.790] - Kirsten Davies Yeah, I sure have. I actually just celebrated my one-year anniversary, I think it was a week ago.

[00:05:40.440] - David Puner Congratulations.

[00:05:41.430] - Kirsten Davies Thank you. Yes. Made it. It's been such a unique challenge coming out of COVID, the lockdown globally of COVID, into this new emerging world of how do we do these things in hybrid mode. How do we approach cybersecurity and how do we do business, right? There's a lot of companies that are still figuring this out. While I don't publish the numbers of my team and have never done so, I'd say that it's really an interesting conversation to have to say what are the things that we're focused on and what has changed since I've been on board.

[00:06:25.800] - Kirsten Davies Due credit and respect to my predecessors in this role. Nobody has an easy job as a CISO these days. No one does. At no organization is this job easy. I'm standing on the shoulders of giants, as it were, that have been evolving and managing and elevating the security posture of this organization. I've picked up a bit where some of them have left off and some really great work that they were able to accomplish in their tenures here.

[00:07:03.000] - Kirsten Davies We're evolving right now. I'm reorganizing the team to reflect the broader remit that we have now that I'm on board, to reflect the rise of the CISO, as we call it, which is essentially I don't sit inside of IT. My team sits alongside of IT. We sit alongside supply chain, we sit alongside the data office, and we work and partner and influence and solution engineer alongside all of these teams. There's been a fundamental shift, I would say, during my tenure here, and that has matched, as it should, the shift in our organization, too.

[00:07:48.780] - Kirsten Davies It's public knowledge that we're undergoing a massive transition at Unilever, where we have the focus of five, the power of one, focus of five being the five different business groups that we have that are end-to-end global. Ice cream being one of them, right? Health and well-being and nutrition, things like that. We've necessarily needed to not only respond to that change but also partner in and enable that change for Unilever to ensure the success of our business colleagues and us as a whole as Unilever.

[00:08:21.890] - David Puner Organizational change, that's something that isn't necessarily new to you. You've worked in some other companies that people out there may have heard of, like Estee Lauder, Barclays, Hewlett-Packard, Booz Allen Hamilton, Deloitte. Big names, long list. How is organizational change something that's been a hallmark to your career, and what have you learned along the way that you're putting into place now?

[00:08:48.140] - Kirsten Davies I read an amazing series of books quite some time ago, Built to Last, and the subsequent book to that was Built to Change. What's happened, and I'm sure you've seen this and your audience has seen this over time, is that companies who have designed themselves for steadfastness and, quote-unquote, "security" or foundational stability in the market, aka Kodak, have been left behind in a lot of the changes that we have seen globally speaking, from the rapid pace of technology innovation to rapid digitization of everything. Everything is connected now, right? To changing consumer habits and buying patterns, to changes in the workforce where we have five generations in the workforce right now. First time in history that that's ever happened short of being in small ma and pa companies, right? And so the hallmark of my career has been change. I am a change manager. I'm a change instigator, as it were, and I'm a change influencer.

[00:09:59.990] - Kirsten Davies I think that we constantly, especially in the cybersecurity industry, but also in business, of course, but we're speaking today about cybersecurity, we need to be evolving. Why? The threats are evolving. The threat actors are evolving. The technology that they're using to attack is evolving. The velocity and the rapid pace with which the change has come on the attackers' side needs to be met with a dynamic workforce, a dynamic technical capability, and a dynamic culture in order for us to even just respond in kind, let alone get ahead of these things.

[00:10:42.290] - Kirsten Davies That's been part of it, too. We want to have these wonderful, challenging environments for our teams because people get bored, right? Nobody wants to stare at a screen anymore and look for alerts. People just get bored and there's fatigue in all of this, and so we need to be shifting and really just inserting dynamism into our organization, into the processes that are there, in order to just inject this ability to be agile and to innovate all of the time.

[00:11:18.080] - David Puner Do you think that it's possible to be a successful CISO if you're not a change instigator? Really like that term, by the way.

[00:11:26.720] - Kirsten Davies Well, I'm not going to make a commentary on my colleagues for that. I think for me to be a successful CISO, I need to be able to embrace change very closely. Often, as has been the hallmark of my career, I've been brought in to change things for whatever reason.

[00:11:47.690] - Kirsten Davies We were transforming the Global Information Security Program at Siemens, 335,000 employees, double that in business partner connections at the time, right? Enormous ask. There were 26 people that had the title of CISO across Siemens when I came on board and was supporting and helping and leading and serving that organization.

[00:12:06.620] - Kirsten Davies Likewise, when I went to Hewlett-Packard Enterprise, they were right in the middle of the split. The largest business split in the history of business at the time was the HPE-HPI split, right? Having stayed on the HPE side, which is what I was hired to come in and do, we were needing to restrategize. What did cybersecurity look like for the enterprise side, being a service delivery partner to Inc as it was standing up for the printers and personal devices?

[00:12:39.350] - Kirsten Davies A very dear friend of mine is the CISO there now who we exchanged… Almost I feel like we changed seats from Siemens to HP and all of that kind of a thing, and she's the CISO now at HP Inc.

[00:12:51.550] - Kirsten Davies It's been a hallmark of my career, which is we need to do things differently and we don't always have the answers from the very beginning. But it's an evolution as the change happens. I think that everybody has a little piece of the solution, and so it's also about bringing in all of those threads of logic, the threads of analysis, the threads of insight, and bringing those things together to make something that's much more holistic and dynamic than it was before we started.

[00:13:21.010] - David Puner In order to do that, you need people who come from various backgrounds that can look at things through different filters. Obviously, one of the things we hear about a lot, we talk about a lot within the industry, is the talent shortage, the skills gap. How are you navigating that? How are you getting creative when it comes to hiring and finding cyber talent?

[00:13:43.180] - Kirsten Davies Yeah, also one of the things I'm very passionate about, not having grown up in IT, not having been dyed-in-the-wool architecture.

[00:13:57.310] - David Puner Did I read somewhere that you wanted to be a spy at some point?

[00:14:00.430] - Kirsten Davies Yes, I did. Now I just work against the bad guys. But maybe it's the same thing at the end of the day. I'm not sure. I actually was a professional musician, singer-songwriter, for a while, and there's other interviews that I've done that talk about that career progression. But the bottom line premise for me has been anybody can get into this field if they have the right training, number one, and number two, the right opportunity, and number three, yes, coaching, mentoring. There's such a broader risk landscape now in cybersecurity than just the deep technical aspects that will always be a core of what we do.

[00:14:42.430] - Kirsten Davies But when it comes to a talent perspective, that's also been one of the hypotheses turned proven facts that I've pursued, which is anybody can get into this career and be successful at it. There's a number of companies that are doing this now.

[00:14:59.140] - Kirsten Davies We're working with an amazing organization out of Nigeria that is working with women between the ages of, I think it's 16 to 27, and developing some just amazing talent right in Nigeria. We're working with them. There's another company in the United States that's taken an approach to developing rural talent based upon some tax input, some mayoral things, government things in the state, and then retraining veterans and nurses and educators to be doing cybersecurity. Likewise, I built a pilot program in South Africa when I was with Barclays, with the support of the bank, with the support of the South African governments and Rhodes University, to create an incubation function, as it were, to develop some entry-level cybersecurity talent from people who are going to be losing their jobs due to automation.

[00:16:01.120] - Kirsten Davies I believe wholeheartedly this can be done. We need to be doing this at scale. That's one of the things as an industry, I really feel that we as executives in the industry really need to embrace this and tackle this. I'm doing my part. I've proven the model could work. I didn't start in tech, and yet here I am, and so I really feel like anybody can do this with the right opportunities, training, mentoring, all of that.

[00:16:28.270] - David Puner Entry level would be the key.

[00:16:30.160] - Kirsten Davies Yeah, no, it's true. It's true. I think one of the challenges is there's a multifocal challenge that we have. Budgets are infamously constrained in cybersecurity, and I hate to lean on budgets, but the budget unlock is such an important thing. For every dollar that we get, we need to have a multiplier effect on the dollar, the pound, the euro that we have to spend on cybersecurity. We have often then been really funneled into a pathway that says we have to hire the most experienced person that we possibly can afford because we need them to hit the ground running. That's always been the case. Well, guess what? We've created this monster of an environment where people hop from job to job based upon pay, right? They hop job to job based on other things as well. But it's the organizations that can afford to pay higher rates for cybersecurity will poach, and I don't blame them, and at the same time I'm like, "Stop, just stop." Right?

[00:17:43.210] - Kirsten Davies I get it. We have a high competition factor for pay. We have, therefore, a high competition factor for people with experience. Because if you're expecting the people to be able to hit the ground running, guess what we're not doing? We're not investing in entry-level talent. We're not investing in business-side talent that only requires a little bit of contextual cyber education.

[00:18:10.640] - Kirsten Davies For example, having people from in manufacturing, hiring people in from the supply chain side. They're engineers. They understand it. They just need to understand MITRE ATT&CK, threat pathways. They need to understand the cyber side of it, and that can be a multiplier effect for their understanding of how a manufacturing belt works, how the robotics arms work, how driverless cars work in the sense of moving inventory around.

[00:18:46.770] - Kirsten Davies I think we need to be much more creative around that. The problems of it have been around budget, filled with headcount approvals, filled with shortage of talent in the market. I believe that we as the biggies, the bigger organizations, we really need to be addressing this and start investing in and recruiting in the startup, right, the entry-level talent. I know that there's a lot of organizations that are doing it, which is good. We needed to be doing this 10 years ago, but we're getting there.

[00:19:27.990] - David Puner Great. Thank you for that. Moving on to a different subject, sort of. All of them are related, of course, though. You speak quite a bit about personal resilience. How is that particularly pertinent to the CISO role right now?

[00:19:43.590] - Kirsten Davies It's a topic that's very near and dear to my heart. With the advent of the global pandemic and the lockdowns and everybody having to necessarily have an all-hands-on-deck approach to provisioning IT, provisioning access. How do we get people working in different ways? Some companies are digitally native, and I think that they came out of that much more rapidly and they were able to get to a BAU much more rapidly than other companies were able to do so. What I've seen has been the hallmark, though, is a couple of things. In 2016, there was a study that came out that named the number out of four CISOs that are abusing alcohol and prescription medication in order to deal with the level of stress of the day. That was in 2016. That was pre-COVID. I think it was one out of four. Somebody asked me about that and they said, "What do you think of this?" And I said, "That's all? I think it's actually more than that," tongue-in-cheek but literally.

[00:20:50.190] - Kirsten Davies Pre-COVID, we knew that we already had an issue with this, that the stress levels and the responsibility and the accountability in this role are enormous. You feel a bit like Atlas with the weight of the world on your shoulders at times. Then you add COVID into this, and a lot of us as the CISOs were the tip of the point of the spear when it came to really driving availability and resilience. We were partnering with our CIO organizations. We were working with our business partners globally. We were caretaking people, caretaking any number of outages and stress factors that were there.

[00:21:29.700] - Kirsten Davies When the businesses that we serve were able to get to a little bit of a level of exhale and find a rhythm, what I witnessed was nobody was taking care of the cybersecurity teams, and the CISOs who had been the tip of the point of the spear for so long were now at crisis levels of adrenaline, crisis levels of stress, really overwhelming levels of feeling responsible and accountable. It's that fight-or-flight mentality, right, that we go through.

[00:22:07.320] - Kirsten Davies Post-COVID now, which I, fingers crossed, say that we're in a post-COVID world. To a certain extent we are. I see teams working just as hard as they were during that crisis. The hours that we put in as CISOs are unsustainable. The hours our teams are putting in, completely unsustainable. Yet the attacks still come because the threat actors are still out there, right? Everything is still there. I talk about this a bit, and I've been public about it because I feel like sometimes it's a bit of a taboo topic to talk about mental health and mental resilience and personal resilience. But I'll tell you what, there are some folks out there who are really struggling and we need the support of one another. We need to be able to talk about this much more openly.

[00:23:05.870] - David Puner What do you think is key to a solution?

[00:23:08.510] - Kirsten Davies There's a couple of things, and I think that's a great question. I think we all need to discover what that looks like for us individually and for our teams as leaders. Transparency is key. I personally had to have a conversation with my team when I was going through some health challenges. And then my mom has been going through some health challenges and I had to be transparent with my team and go, "You know what? I'm having some challenges here in my personal life and it's going to bleed over into my professional life." Not because I'm weak, not because I can't manage or I can't handle it. Just because we can't, post-COVID, separate our personal lives from our professional lives anymore. Everything's merged. I'm on the podcast with you from my home office.

[00:24:01.490] - David Puner Which is in Nashville, I should point out.

[00:24:02.840] - Kirsten Davies Which is in Nashville, Tennessee, and my job is in London, right? So it's impossible anymore to separate those two things. I think there's an amount of self-awareness and transparency that's needed with our teams. I think that that also creates a pathway for our teams to be honest with us and to let us know when they're struggling. Even just with the visibility, it creates an opportunity for discussion, for solution, for even just empathy. Empathy because we're all going through something. We're human. We're all going through something right now.

[00:24:41.660] - Kirsten Davies I think that's key right there. I think we need to model the behavior… This goes with the transparency. We need to model the behavior that we expect of our teams, which is difficult in a global environment. I'm emailing at very odd hours for a team that's… some of my team sitting in India. But we need to model the behavior that gives them permission to be human, which is family first, right? Take your vacations. If I'm emailing you on an off hour, I don't expect your response until you're actually back in office or back on, quote-unquote, "normal" office hours. I think just those simple keys are super helpful to it. I think honestly, we need to lean into and get support from our HR business partners as well, because we're seeing that this is really a challenge for big corporates and big organizations and people. We're human. We're human first. We're workers later, right? We're human first, and we need support for the human experience that we've all gone through.

[00:25:50.990] - David Puner A bio of yours, I've read, says you design and lead holistic digital trust programs. You, of course, had us at trust. But what does this mean and how does trust factor into what you do?

[00:26:05.360] - Kirsten Davies That's a great question. Trust is at the core of everything that we need, both in human interactions, in digital interactions, right, and in corporate legislative, every interaction. The depth that we build that trust is going to equal the lengths to which we will excel in relationships, in corporate initiatives, and things like that. Let me give you a specific example. Statistically, it has been shown that consumers will leave their favorite company, favorite brand, favorite product if they lose trust in that. Some of that is the safety of the product, right? So the ingredients and things like that. Some of it is in, well, how I interacted as a consumer with that company. If there's a data breach on an e-commerce platform, right, statistically, it's shown that the measure with which consumers lose the trust in the organization or in the product is the level with which they will vote with their feet, as we say. Stay or leave, right?

[00:27:24.410] - Kirsten Davies One of the things I love about Unilever is our commitment to product safety, product quality, and the safety of our colleagues in factories. Right? We have leveraged that to be also the way in which we talk about cyber safety and the trust that we build in all of our interactions. Digital interactions, data flows, handshakes of applications themselves or OT environment, things like that. Some of the things, they won't be aware of, the things that are happening behind the scenes, but that's what we want to build in every interaction we have with regulators, with shareholders, with consumers, with our customer bases, with each other as colleagues as well. We want to be able to and we should be able to trust that our interactions are secure, that they are risk managed, right, that privacy data is kept private, things like that.

[00:28:21.770] - Kirsten Davies Is there such a thing as 100%? No. No, I'm not saying that. What I'm saying is that our job is to build trust everywhere we go. That positively directly impacts the reputation of the organizations that we serve. Everyone has a responsibility to ensure that the organization remains cyber safe, and that covers email phishing, to vishing, smishing, to factories, to infrastructure, to everything, data everywhere, right? That is super, super important for organizations to embrace. It's not the CISO's job or the CISO's program job to do everything security. It's everyone's job. Everyone's job.

[00:29:15.080] - David Puner For sure. From a cultural standpoint, which is something you had mentioned earlier on in the discussion, how far have things come along since you've joined the organization?

[00:29:27.200] - Kirsten Davies Yeah, the team has done a great job. Again, standing on the shoulders of giants that came before me. One of the things I walked into in the role was quite a strong awareness and training area that we've simply just made stronger now, right? We've done more. We have an amazing campaign we're about ready to launch. I cannot tell you what it is, but I am so super excited. We're leveraging some of our brand names. It's an internal cyber awareness campaign. We've got the-

[00:29:58.100] - David Puner Does it involve ice cream?

[00:30:00.140] - Kirsten Davies It does, actually, it does. We got permission from the brands to use their brands. We've got permission from some different folks, corporate comms and from our PR teams, to do some pretty unconventional things because things aren't always what they seem.

[00:30:19.620] - David Puner Sounds fantastic. Looking forward to having you back on again so we can hear how that went and get all the details about it. We'll have to talk to you a little bit about your passion projects. You've got many of them. Are there any in particular right now that you're feeling particularly passionate about?

[00:30:33.800] - Kirsten Davies I'm particularly passionate about fighting cancer. My mom has been stricken by it and I am particularly passionate about this. I've been involved with the Breast Cancer Research Foundation since being at Estee Lauder companies. As a matter of fact, shortly there's the Tech Day of Pink that the CIO there started as his passion project, which I love. People and companies around the world are committing their technology teams to wearing pink on a specific day. I'm also involved locally in Nashville with the Nashville Wine Auction that is wine and cancer research. I love it. It's a great company of worlds for me that's there. But we do a lot of some great foundations here in Nashville that we support, not the least of which is the St. Jude Children's Hospital, the Vanderbilt research community that's there.

[00:31:32.450] - Kirsten Davies Secondly, as things would have it, I've been blessed to be placed in a leadership position as a woman in a field where there are not a lot of women in my role, right? I never saw myself as a female CISO or a female practitioner. I'm just a practitioner. However, I think that when you sit in this chair, when one sits in this chair, and when one has the rare opportunity to kind of lift your head up and look around a little bit, I have become increasingly passionate about women in not just in this field, but women in technology and opportunities for women around the world.

[00:32:23.280] - Kirsten Davies I've partnered in with Nomi Network, which is in India, and we adopt a whole village of women and provide for them education and opportunities for raising their own income, right, and providing them an opportunity that's outside of some of the crime and stuff that happens in underdeveloped areas of the world. Which leads secondly, to I'm super, super passionate about fighting human trafficking. I'm a direct sponsor and partner with A21. There's many organizations out there, but I think you can kind of see the theme of opportunities that I've had, even with my background, which would not have led me to a technology field or a CISO career.

[00:33:14.490] - Kirsten Davies Opportunities that I had as a woman, even though I didn't see myself as being the female X, right, the female fill-in-the-blank, I've taken upon that as just there's a responsibility and there's a weight that comes with that. That it's an honor to be able to carry that weight and to do the best that I can to make a difference in women's lives around the world. Women and girls and people in general, yes, but women and girls especially.

[00:33:44.010] - David Puner You had mentioned coffee before we started recording, and I can imagine that plays a very significant role in your day-to-day. We appreciate you being caffeinated today and talking with us.

[00:33:56.760] - Kirsten Davies Thank you for having me. What a pleasure to be on this. Thank you so much.

[00:34:12.270] - David Puner Thanks for listening to today's episode of Trust Issues. We'd love to hear from you. If you have a question, comment, constructive comment preferably, but it's up to you, or an episode suggestion, please drop us an email at trustissues@cyberark.com. And make sure you're following us wherever you listen to podcasts.