GE Power’s Teresa Zielinski: CISOs Are Collaborators And Business Enablers
Advice for the world’s future security leaders
–Di Freeze, Managing Editor
Denver, Colo. – Nov. 19, 2019
In her role as SVP, global CISO (chief information security officer) & product security for GE Power, Teresa Zielinski is responsible for helping secure a company that provides power for a third of the world.
“That scope is massive in itself,” she says. “Then we have varying business structures within GE Power. There’s our gas business. We have the largest gas turbine in the world. And it’s efficient. We won the Guinness Book of Records for efficiency. We have the nuclear business. We have our power conversion and steam. We’re in over 150 countries. We have over 65,000 employees and over 20 billion in revenue.”
Because of the size of the infrastructure, GE Power utilizes an estimated 2,000 applications to support the business. “We have multiple servers, over a hundred different manufacturing sites, a lot of regulatory and different needs, and risk profiles, like the nuclear business, for example. That differs across the landscape.”
So how does someone become a CISO for a company like GE Power? Zielinski, who took the time at FutureCon Boston to answer our questions, studied math and physics in college and earned a B.S. before earning a master’s in statistics. She began her career as a statistical analyst for the New York State Department of Health. “I was in a year of doctorate and I wasn’t sure what I was going to do, so I kept Continuing Studies,” she said.
Although she liked what she was doing, she didn’t feel challenged enough and interviewed for an analytical consulting position. It ended up being a full-time position and she was offered a direct hire into GE. “It was a little odd how I got there, but the background and the fit was a great mix.”
That was 22 years ago. She said the path to becoming a CISO wasn’t a well thought out plan but was a great avenue. “From the analytics role, I studied and learned the IT world by having to develop metrics and share this with the leaders of the company. You have to understand networks, assets, servers and systems in-depth, if you’re really looking at studying them, putting metrics together, and improving them.”
That quickly led to a black belt role, which was one of her favorites. “It was a lot of continuous improvement and challenges across the different areas on how to work to fix them.”
Her other roles included engineering operations, working with PLM environments; a quality leader role, looking at infrastructure, user services and ERP; and build and infrastructure manager. “We deployed large scale projects to our energy and oil and gas customers,” she said. “It was a fun journey along the way, in various roles to learn the business.”
Her career turn towards cybersecurity occurred around 2008. “We had a target against some sensitive data. That was right around when APT — advanced persistent threat — was ramping up in the world. We formed a team to look at what happened, and I was asked to help the team solve it. It was challenging because it was a new world to us, and we couldn’t answer any of the questions. We knew at that point and time that we had to ramp up our cyber expertise and our processes and teams.”
After that, a larger team was formed within GE Aviation. Zielinski was asked to lead security architecture and solutions. “Diving into that role was a great challenge. Then, one of our businesses split out for Power. I was asked to join that and be the CISO. I got to create and build the team from scratch, to align to the business and the needs at the time.”
She describes the role of CISO back then as very technical. “Over the years it’s evolved from technical, to having to really be a business leader, to having to talk to the board. It’s a challenging role because you need to have a mix of everything to really succeed.”
Zielinski works closely with others at GE in similar roles, including Deneen DeFiore, who serves as SVP and global chief information & product security officer at GE Aviation. “We’re kind of our own mini world. We have a healthcare business, a renewables business, a capital business, research. It’s a must that we collaborate, and not just internally. We collaborate on how to do things, and then we also use different tools from one another, so it’s a great partnership.”
They also regularly collaborate with external CISOs, including competitors. “We’re just better together,” she says. “There are certain things, obviously, that are sensitive to how we do work, but at the end of the day, we are all fighting the same fight. We’re all fighting the bad guys.”
Collaboration with customers is also extremely important. “In the manufacturing world, supply chain risks are growing. We have regulatory requirements. We want to work closely with our customers on those solutions.”
The Cloud and IoT
Zielinski is often asked what she thinks about the security of transitioning infrastructure to the cloud, as large enterprises are starting to do. “I do think we have an ability to make it more secure, but it’s all about how you do it,” she says. “A lot of the bigger companies, like Amazon and Azure and other companies that have cloud platforms and provide cloud security, spend 35 percent of their budget on security, as compared to manufacturers, with maybe an average of 8 percent, depending on the different businesses. It’s in their best interest to make sure their platforms are secure. They have a lot of tools and very fast patching — faster than you can do in the enterprise — and a lot of detection and analytics to understand threats. Security is built in. It’s a matter, though, of how you approach your journey to move data and applications to the cloud.”
The proliferation of IoT devices, many of which don’t have enough security baked in at the onset, is another concern. “I think it will evolve,” she says. “I look back at a lot of the stuff we’re evolving into from the manufacturing shop floor. A lot of those devices, big turbines, were never meant to be connected. When I look at the product’s security side of the job — that’s looking at the basics. How do we patch? You can’t just patch a server like you do in 30 days. It’s downtime, and that takes months, and outages. It’s availability and uptime. So, it will evolve. The shop floor, and connected devices, to get analytics off a turbine, they’re starting to connect. For manufacturing, it’s really IIoT — Industrial Internet of Things. Industrial control systems, or SCADA systems that connect the machines and devices together. They’re the ones that really manipulate and run the turbines. We have to look at how we protect them and evolve that connectivity and that supply chain piece as well.”
Recruitment and Women in Cyber
Zielinski has given a lot of thought to how to get people involved in cybersecurity at an earlier age and would encourage anybody in school to take a class and learn some computer science. “I was always very technical and had an analytical background. It was easy for me, a natural fit. But a lot of people are afraid of it. The introduction to STEM that we’re doing more and more is great.”
GE does a lot of recruitment at different colleges around the area. “I’m on the board of SUNY Albany. We’re helping them look at curriculum. They already have a bachelor’s and they’re going to be developing a master’s in cybersecurity. We also do round tables with girls, and we’ve gone to Penn State. I think a lot of women are interested but a little nervous to take the step. Actually going there and talking to them one-on-one has made a difference.”
The last step is retaining them. “Once they come in, how do they grow? What’s their career path? How do they know it’s a fit for them? I chair the Executive Women’s Forum across GE. It’s one of the largest forums out there. There are over 500 people that attend a global conference every year. All women. It’s amazing and it’s growing. That speaks to the interest, and the fact that everybody’s coming together to attend these conferences shows that it’s a real need.”
Zielinski says women need to know about the many facets of cybersecurity. “It’s not just the absolute coding, operations, threat detection. There’s compliance, risk, regulatory, identity, application security. More folks are getting excited about IT. They’re looking at the opportunity, saying, ‘I could do that too.’ Women have a natural ability for social etiquette, communications, emotional intelligence. They connect dots a lot and see the big picture, which helps the broader team.”
She has two leaders on her staff who are women and says that four of 12 members of their board of directors are women. “I think that says a lot. There’s the cyber piece, and there’s just the entire profile of the company and diverse talent.”
When it comes to hiring, women or men, she says it helps that her team is global. “I have some people that are in upstate New York, but we have folks in Atlanta, and international, so we have metropolitan and we have the outskirts. It really mimics the profile of our power business. We get to really look at people globally and then make the best fit for what hub they should sit at based on the business and their work scope. So, the global nature and our remote capabilities today make it easy.”
Advice for Future CISOs
For those thinking about a career as a CISO, Zielinski says it’s vital to understand the business. “When I jumped into cyber, it took me a little longer to learn that. You want to come in and quickly close the vulnerability, quickly understand how to do software development more securely. You want to come in and really focus on cyber, because that’s the exciting piece, and that’s what your job is about. But understanding the business is key because then you can see the big picture.”
Prioritization is also crucial. “A lot of people set their plans for the year and say, ‘This is what I’m going to do: one, two, three.’ For cyber, you have to do that, but we’re not easily forgiven when a bad thing happens. You need to be connected to your leadership on what you’re focused on, where you’re spending your time and money, because in the end, we’re not unicorns, we can’t prevent everything. We can react and respond in an appropriate way. You have to know where your strategy is for your business. Are you aligned? And then how do you prioritize your work? Obviously, there are a lot of day-to-day challenges in cyber.”
She also says it’s important for CISOs to enable the business. “That sounds weird, because we are securing the business, but there are a lot of things we do. Everyone takes risks every single day. We work in risky countries. We have to understand what the business wants to do, and then, how to enable it. Is the risk more than the deal? Is that when we say no? Once you partner with your leaders and you’re aligned, a lot of the times it’s not no, but it’s how. How can we help them get there? Maybe you have to add in more money and people, because it’s riskier. You might have to factor in other controls that you normally wouldn’t do on general type of data. Understanding that risk profile is key. Then when you do have to say no, they’re going to trust you, because most of the time you’re helping them get work done. Are you talking to your executives? Are you talking to your peers? Do they know you? How do you help enable them day to day? That’s what we’re all here to do — help the business.”