Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is cosponsored by Synopsys and IEEE Security and Privacy Magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 137th in a monthly series of interviews with security gurus, and I’m pleased to have today with me Wafaa Mamilli. Hi, Wafaa.
Wafaa Mamilli: Hi, Gary.
McGraw: Wafaa Mamilli is vice president, chief information security officer at Eli Lilly and Company, where she leads a global enterprisewide information and products security organization. Wafaa started her career consulting in Paris prior to joining Lilly France in 1995. Before being named CISO, she held several international leadership responsibilities across Lilly, including a stint as information officer of the diabetes division. Mamilli embraces her international experience as she was born and raised in Morocco, lived in France, the U.K., and the Middle East before relocating to Indianapolis in 2008. Mamilli is multilingual and holds a master’s degree in computer sciences from INSEA Engineering College in Rabat, Morocco, and a master’s degree from ISTIC Rennes Université in France, as well as a general management certificate from the London Business School. In 2015, Mamilli graduated from the Harvard Business School Advanced Management Program. She is married and lives with two kids in Indianapolis. And that is the short version of your bio. Holy cow.
Mamilli: Thank you, Gary.
McGraw: So it’s great to have you on. Let’s start with your diverse and very deep experience in multiple cultures. In your business experience, what are the cultural differences in technology management between the U.K. and Paris and the Middle East and the U.S.?
Mamilli: Wow. I think at the end…first, Gary, thank you. I’m happy to be here. At the end, they end up being differences based on human differences. Our experiences make us who we are and influence the way we think. What I found is as you practice and you run businesses or you do business in any of those cultures, the culture of the place is going to prevail in the environment you’re in. So if you’re in, let’s say, a Moroccan environment—another disclaimer: I never really worked in Morocco—but I’d expect things like being nicer and lots of talking but never cutting to the chase, and the social side of life…
McGraw: Lots of tea.
Mamilli: Exactly. Yes, lots of mint tea especially. And then you go to another extreme, even in Europe, and you’re going to have almost stereotypes. If you’re in the business environment in Germany, then you’re going to have more of a disciplined way of doing business, running a business. I love France, and I spent a lot of years there, and I studied in French schools. I call them in a good way “the philosophers.” So you’re going to have a lot of debate in France, and I love that, and conceptual discussions. But at the end of it, it’s really the diversity of all those when you mix them up, and it becomes an outstanding richness when you have teams who bring who they are.
McGraw: OK, so let’s assume that that’s the first principal component in cultural difference. I’m not surprised to hear that at all. But I’m wondering in more specific terms whether people approach technology itself and the management of technology differently in maybe a European versus U.S. approach in your experience or not.
Mamilli: Yeah, they do. There are two dimensions, I would say. There is the risk aversion that plays in some places more than others. Entrepreneurial type of leapfrogging and leading the way, I found that more prevalent in the U.S. But more importantly, especially in the field I’m in now, where also the definition of privacy is very different from one place to the other, and it’s cultural. Privacy is a right when you are in Europe. People fought for it over centuries, not just decades. So it’s a right. And a company’s information might not be seen as a company’s information if it belongs to a person and you’re sitting in a European place. As we’re dealing with that, even in our environment, in information security, we have to take that into account and get to the right “yes” for the right reason for the business but, at the same time, understand where people are coming from, from wherever they live or they work.
McGraw: Yup, that makes perfect sense to me.
You’ve been a CISO and a vice president for 18 months, but you spent 22 years in a really distinguished career moving up from program management, where you started. So how did you set and recalibrate your career path from program management to where you are now?
Mamilli: It’s a never-ending process. I’ve always worked and lived with a sentence that my father used to tell us and I still tell my kids, which is “Learning is a never-ending process.” That helps with agility. So I didn’t know a lot early enough about what I wanted to do with my career, but I did know a few things. I knew I wanted to be challenged, I knew I wanted to keep learning, and I knew I wanted the breadth. I like the big picture. I like to understand the connections.
So that’s how I navigated my career. I didn’t do a good job of having a full career plan. I don’t think they work anyway. If you have something on paper, it never works out that way. I’ve been many times in first-time jobs at Lilly, the first CISO at this level at Lilly. First of the previous job, where I built our real-world dividends environment and hub for the company in Europe, the same. So I spent time more focusing on where can I learn, where can I foster my leadership capabilities, because in the end, those are the transferable skills you need.
And where I spent a lot of time as well, was making sure I really understood the business. I understood how balance statements and P&L and spreadsheets work. I understand how business leaders think. I get to get to the depth of the business we’re in. And that’s how that helped me throughout my career, because every job is preparing me for a job I didn’t even know existed.
McGraw: Great. Well, you’ve made many hops through the Lilly system for sure. Is that a Lilly thing, or is that a Wafaa thing, or is it some combination of both Lilly and Wafaa?
Mamilli: I think it’s a combination. Lilly is an amazing company that takes care of a lot of people with development and coaching and mentoring and sponsorship. And I definitely was privileged to have access to all of that throughout my career. Lilly also allows people (and allowed me definitely) to stretch as much as they can, moving internationally and moving from one business area to the other one.
And then I would say it’s a Wafaa thing as well because I bring to it my attitude. There is nothing impossible, and I’m going to engage and work hard and keep asking questions and learn. And you can notice that every few years, I work hard and I go back to school. I love it.
McGraw: You do.
Mamilli: Yeah, I love doing that, and I will continue to do that until I die, maybe not just retire.
McGraw: Well, let’s talk about learning. How easy has it been to learn “security”?
Mamilli: Oh my God, it’s been…I really feel it’s been the steepest learning curve of my life. And I think it was because I had a much bigger sense of urgency, where you don’t have time to learn to be a CISO. The day you are appointed to be a CISO, you’re the CISO. They forget that you need to learn. And so you’re accountable. That’s one.
And the other one, it’s the first field in my life where I really feel the ground is shifting under our feet every day. So I’ve always worked on this discipline of focus and execution. Strategy, translate strategy to execution, and go on and execute and then iterate. And then speed and agility, fine, we need to do that, but this is a world where you have to be very agile, because you’re learning something today in a threat intelligence conversation or something is going on, and then you have to go.
And you know that roadmap you’re telling your org to be focused on executing? You might have to trade a few things because you learned something new today, and it’s just very, very fast-paced. At the end of it, with all of that, the risk is never zero. So it’s a different type of job than I’ve ever done before.
McGraw: Yeah, and I guess you’ve built a network of people who are your peers that help you figure all that stuff out. I know that lots of CISOs talk to each other all the time.
Mamilli: Absolutely. This is the best community I’ve ever been in. And whatever I’m going to do next, this is the community I’ll miss the most. It’s very, very connected. So yes, I have about a ring away, I don’t know, 30 to 100 CISOs I can just ring, text, and everyone picks up or calls back. And as an anecdote from learning, when I took my job, 2 weeks after I took my job, I was in Terry Rice—Terry Rice is the CISO at Merck—and I was in his office in New Jersey spending a day with him in a full immersion session on information security. And so it’s that kind of commitment and the Jim Rouths of the world and the Steve Katzes and all of them. Yes, I am amazingly thankful and grateful for the learning and the network we have and the accessibility and the information sharing that we all do with each other.
McGraw: That’s cool. When you set out to develop metrics and measure security, what did you learn? Because I know that your approach to business management is very driven by metrics and measurement, and the question is, what makes security different or the same?
Mamilli: Yeah, I think the challenge in security is all the stuff. I think of security as a data business, so that’s what we have, and I’m sure we’re going to get to that a little bit. But on the metrics side, what I wanted because of my previous jobs, I wanted to make sure that we’re making a distinction between operational metrics and stuff that we, as an information security organization, internally at different levels use either to track operations or to make decisions versus what we’re going to show to an executive team.
And I run the test of why, why, why, why, why—five times. And if we can’t answer those—so what, what is it we’re trying to convey?—guess what: we don’t give them those numbers. “Less is more” is what we’re going after here.
McGraw: I think that’s great, and I do think that there is kind of a propensity left over from the old days of measuring stuff that doesn’t really matter. It’s just a measurement.
McGraw: It doesn’t tell you the why or even…
Mamilli: The other thing that I think we have to be careful about that I learned is sometimes you show a number, and if you’re not clear on the why, you find yourself in a rabbit hole of conversation that you lose control of.
McGraw: You can always change the numbers, and then they multiply differently.
Mamilli: Exactly. And then they’re trying to understand how the technology works or the connections or the network, or they’re designing the solution with you. So you’ve got to make sure who sees the numbers and why are they seeing them and what are you trying to convey. Then consistency of the story kicks in. Whatever you’re telling them, keep that. Again, less is more, do that often, and give them the insights, not just the information.
McGraw: You already sort of tipped your hand on this, but do you expect to stay in security, or is this another rung in the ladder up?
Mamilli: I don’t know. I love security. I really, I love it way more than I thought I would. I think about it as almost playing chess. And I think about it as a business risk management job, and I’m loving that. So I don’t know. I’m focusing on learning, building an organization that’s inspired, making a difference, not just at Lilly but in the community as well. Give back. And then we’ll see.
McGraw: We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
So you’ve studied business management at Harvard and at the School of Business in London.
Mamilli: London Business School.
McGraw: London Business School. I can never remember the order of those words. What was the most valuable thing you learned in those programs that you’re applying today as CISO?
Mamilli: I think the biggest thing is how businesses are run by CEOs. And as a matter of fact, I think every leader everywhere in any company needs really to understand, how do CEOs run the business? How do they look at the P&L? How do they look at the top line, and the bottom line? How do they make the calculation of all those ratios that sometimes Wall Street cares about or not?
For me, that was the most valuable thing. I can connect the dots, and I can…when I’m speaking to any of those senior executive leaders who I’m selling something to or I’m explaining a risk, I can take their view. Because I know I’m not an expert in what they do, but I understand what they do, and I know how they run those things. I’ve studied it, and I’ve applied it in different jobs. For me that was the biggest…you have to master finance if you want to be a leader anywhere. And I think of myself, I am a business leader with information security accountability.
McGraw: Yep. So I know the answer to this one already, but do CISOs need more business school, you think?
Mamilli: Absolutely. And I don’t know if it’s going to business school—we all learn in different ways—but you need the skills. If you don’t understand accounting, if you’ve never read reports, an annual report of your company, you have to go do it. If you’ve never listened to an investor call, if your company is publicly traded, go listen to that, because then you’ll see what’s in the head of the shareholders, what’s the pressure that your CEO is facing.
And make sure you understand outside in, what are the threats to your industry? Not to InfoSec—to what’s going on in your market. Of course, we have to understand InfoSec because that’s our field, but we have to…unless you’re running a security company, which I am not, you have to understand the field of business you’re in. So I need to understand pharma, I need to understand healthcare, I need to understand the U.S. market, the Asian market, European market, pricing pressures. And then after that, I need to make sure that I understand the information security field itself.
McGraw: Sounds fun. How did your work as information officer of the diabetes unit differ from your work now as CISO?
Mamilli: It was both very different and similar in a few things. So in my information officer role for diabetes, I had the privilege of running our digital diabetes program. It was a lot of innovation and dream thinking and then, of course, delivery and operations. But there was a lot of ideation. Doing that work was very, very close to the patients. That’s the piece that’s dramatically different.
It was very easy. We were launching at that time six drugs in 18 months, and we needed to make sure that we can speak with solutions to the patients. I needed to understand the drugs we were giving to the patients. I studied the scientific side of how they operate. So we were very core to what the company is doing.
This one, my job now, is core in a different way, so I had…and that was the first things I had to do when I took this job—I wasn’t expecting to take this kind of responsibility—is I had to work on making the connection between the patients and this job. I had to feel it in my heart, in my belly. And I do now, because we’re protecting the IP, the intellectual property, so that we can manufacture. We’re protecting manufacturing operations. We’re protecting commercial, pricing, so that Lilly can serve that patient.
And I had to work…it was a little more effort to work on it than the other one. The other one, I could go and meet with the doctors and the patients and see what’s going on on the ground because I was working with teams who were very close to that. That was a big difference. And of course, the other one is the nature of information security is you’re not controlling anything in your environment. The risks come from the outside. Again, that’s the ground shifting under your feet. I never had that before, and I certainly did not have it in the information officer role.
McGraw: Yeah, that’s an interesting version of the role. I was thinking it would be slightly more like CIO, but I guess it wasn’t.
Mamilli: It was the CIO for diabetes, in fact, but I didn’t have…it was the CIO with the business facing diabetes, so I wasn’t running the infrastructure…
Mamilli: I wasn’t running…it’s the thing I love about the CIO job, which is running that business facing innovation and the operations of delivering to the business, but you don’t have the infrastructure side. Someone else…I had a colleague who was running the operations infrastructure for the company. I didn’t have that in my job.
McGraw: Do you think that the CISO in general should report to the CIO or not? This is a big debate.
Mamilli: I think it can work either way. It can work either way. I do not today, but regardless of the line reports, the biggest thing is partnership. That was one of the first things I worked on when I took my job. You have to have a very strong, tight partnership with the IT organization, and we build that up. The second one is the relationship with the CIO and the information officers, all of them, to make sure that you can have the tough conversations; then you have healthy debate.
But the other side of my job as a CISO, of any CISO, should be about an honest way of looking at risk management and elevating the risks that need to be elevated. So if there is trust between the CIO and the CISO, and the company has it, and you have the right governance—it’s about governance of the program information security—you could be reporting to the CIO. And if you have an IT issue, you’re going to use your governance to make sure that the company knows about it.
Let’s say you’re having an IT cyber hygiene discipline issue. You need to be able to tell the company, “Hey, we’re having this issue, and we’re working on it, but we’re having it.” You can’t not say it because you’re working in IT. And it’s not a question of reporting. It’s a question of trust, governance, and capabilities of the two leaders. If a CISO cannot work for a CIO and the CIO is a great person, then we have an issue with the CISO.
McGraw: Sure. That makes sense. I mean, it’s…I guess the main philosophical conversation about this is whether you can audit the thing that you’re in sufficiently or not. And your answer addressed that by saying, well, it depends on…
Mamilli: That’s the governance.
McGraw: …the politics and governance.
Mamilli: Exactly. You have to be an honest and responsible leader, and if you have an issue, you have to have the capability and the openness in your organization to say, “I’m here. My job is risk management. My job is visibility to what’s going on. And yes, we have this risk, and we’re struggling with patching.”
One thing I hear from my peers sometimes when they report to IT is trade-off of budgets. Is the CIO going to be trading off CISO budget without the company knowing what’s going on? Well, for me, that’s a governance issue. It’s not a reporting issue. It’s a governance issue because I report to legal. My boss can still do that with my budget if we don’t have the right governance and structure.
McGraw: So in my CISO project work, which is going to be published soon, we ran around the country interviewing 25 CISOs, including you. Thanks for being part of that. One of the things that came up over and over was what I call the “missing middle management” problem in security. And you and I talked about that when we were together. So, very briefly, we’ve got some great executives, and we’ve got some great worker bees but a very thin rank of management in the middle. Have you noted this problem yourself in the field?
Mamilli: Absolutely, yes. And I think it’s historical. It’s because the way security people go up in information security is they go through technology ranks—and by the way, infrastructure, not even the business facing technology in organizations. It’s mostly infrastructure. That’s number one. And number two, I don’t think as a community in different organizations, we had done a good job in people development, understanding that leadership is expected as well. It’s not just about delivering the technology; it’s about leadership, influence, communication, presentation, storytelling.
I can share with you an example of a few things we’re doing at Lilly. I’m taking my full middle management team or leadership team, and I’m taking them through education sessions and training on storytelling, presentations. How do you show up in meetings? Let’s decode executive presence. What is executive presence? Let’s decode it. This is what makes it yes or no.
We’ve been doing that for about a year now, and we’re not done. We still have a ways to go. We’re pulling as well people from other organizations so that we mix a diversity of ties and experiences. Bringing a marketer to my team, as an example, was an excellent impact in how we think about workforce customer experience. That’s what marketers do, where we bring that thinking inside InfoSec as well.
McGraw: So do you think that this kind of missing middle management thing is exclusively a security problem, or is it a broader tech management issue?
Mamilli: I think it was in IT for a while. It was in all what I’m going to call “support services.” So every function has a core and then has the others. I think I’ve seen IT evolve in developing these skills just because IT had to have, for decades now, what they call business relationship management, account management, strategic partners. And so they’ve developed those a little further. We still have that issue there. We have the same conversations in strategic business relationships in HR or finance. I get myself into a lot of these conversations.
I think InfoSec, I found, has it a little deeper because, again, it’s historical. It’s mostly…it’s closer to what infrastructure, generally speaking, has than IT. You have IT in IT. You have HR in HR. It’s the back office of the back office. And as a result, we didn’t think would…technology is very valuable, but it’s amazingly powerful when you integrate the skills of technology and leadership and influence. And that’s the piece that’s missing. And I found information security having a bigger gap.
McGraw: I think that’s interesting. A little slight change of gears but a related topic: Women make up about 11% of the workforce in information security, according to some people. So what are you doing both inside and outside of Lilly to develop and retain more women in the workforce in information security?
Mamilli: Excellent question, and we have a lot of reasons why that’s happening. So what I’m doing, well, first, I do my duty myself by going and talking to places: high schools, colleges. I’m on the board of the Indiana University cyber security program. We’re engaged with the Purdue CERIAS program as well, helping them to bring diversity to the firms. We joined the Executive Women’s Forum, and I’m a member of that board, and I help mentor some of those women.
I brought up as well the women in my organization to be very engaged. I personally reviewed each of their development plans and career plans to make sure that we’re having the right conversations in, do we understand what they want, and can we trust them a little more and take more risks on them? And then I think it’s going to come to, how fast are we going to be able to change the curve? We’re going to have to market information security in a different way than I understood it when I was offered the job.
McGraw: Probably with a little bit of trepidation or, like, “ew.”
Mamilli: It was “No, thank you.”
McGraw: Yeah, ew.
Mamilli: And it’s just because I was ignorant. I did not know that information security was business risk management. We have to talk about it that way. We have to explain to women and even girls still early enough in their middle school. I don’t think it’s high school; I think from middle school, and then high school, of course, that first they are different fields. You don’t have to have a hoodie. If you want to have a hoodie, fine, but you don’t have to have that to come and work.
And yes, you go talk to people. I was at this high school, and there was this good girl in technology, and she was studying in computer science class and said, “Well, I don’t want to do anything like this, because I want to talk to people.” Because she’s thinking that’s all we’re doing in InfoSec is sitting in a back office and looking at our computers and cables.
We have to have more women who are as well-standing, and that’s what we’re trying to do with the EWF, and definitely several of my peers were men. I can tell you I connected with a lot of CISO women, and we go together and do this. We go to events; we go, we mentor. I mentor people from different companies, not just ours, to get them. And even if they go and they become CISOs elsewhere, I’ll be happy.
McGraw: Of course. So kind of a funny question—I’m not sure how to put this properly—but do women have an easier or a harder time interfacing with senior leadership? Whatever that means.
Mamilli: The women…I think generally speaking, again, it’s stereotyping. It’s interesting; something happens in the life of women, because women tend to be better when they’re kids. When they’re girls and teenagers, they tend to be better at communication and socializing and things like that. And something happens to them when we bring them to work where we make them more shy, less confident.
I think it’s about confidence. What I can tell you—again, I’m stereotyping, I know—but if you have a woman who’s going to present something, she’s going to be sick to her stomach, and she’s going to be preparing and rehearsing, because it’s that confidence level that’s going to play. And sometimes she’s not going to know how to hold herself in the conversation physically.
Even just so that the voice—there’s something in our voice. I will never have a voice that holds or that projects in the same way as a man. I would not pretend to, and I will not. So I’m aware of that, and when I’m talking, I try to use my tone and stance and things like that. I think it’s more of a question of confidence and opportunity. We have to hire and allow women and show them that yeah, you can do a good job of integrating your personal life and professional life and have the career you want to be dreaming about.
McGraw: Right. Well, I think you’re setting quite a great example, so well done on that.
Mamilli: Thank you.
McGraw: The last question, which is a total flyer and has nothing to do with information security or business really: So you’ve lived in some places with amazing cuisine in your life. What do you miss more: French cooking from Paris or North African food from Morocco?
Mamilli: Oh, this is a tough question, Gary. Come on. It’s very, very simple. I really miss the French baguettes. You go and you get from any place—and by the way, you eat half of it before making it home because you’re going to be walking. So I would walk in there. And then from Morocco it’s the freshness of cuisines…
McGraw: The incredible spice as well.
Mamilli: Exactly. And it’s fine and fresh and all those carrots and tomatoes. And now I’m hungry and I’m very far from Morocco and from France.
McGraw: Sorry about that. I knew you were going to say both.
Well, thanks for your time. It’s been a really fun conversation today.
Mamilli: My pleasure. Thank you, Gary.
McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is cosponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The July/August issue of IEEE S&P Magazine is a special issue devoted to post-quantum cryptography. It also features our interview with Kelly Lum, aka Aloria. Show notes, links, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.