BlackLine CISO Jill Knesek on Building Security Teams and Tackling Ransomware

From her time as an FBI Special Agent to her current role as CISO, Jill Knesek has built a career tackling cyber threats, offering expertise on everything from ransomware mitigation to how to develop successful cybersecurity teams.

Knesek has spent 15 years in CISO positions at Cheetah Digital, Mattel and BT Global Services.

Now CISO at financial services firm BlackLine, Knesek has built a security team from the ground up over the past three years.

During her conversation with Infosecurity, Knesek shared insights into how to get the human factor of cybersecurity right, working with the executive team, embedding AI and addressing the ongoing threat from ransomware.

Infosecurity Magazine: What does the cybersecurity team set up at BlackLine look like?

Jill Knesek: I have a team of 30 professionals split up into three major pillars. I have my governance, risk and compliance (GRC) organization where we are very focused on cybersecurity certifications.

Our customers care a lot about how we manage our security since we have access to their financial data.

We do a lot of our own internal development and have implemented four or five different products. Those products are constantly going through code reviews. I have a full application security team for this work.

Finally, we have a security operations team that manages all the IT infrastructure, across our corporate infrastructure, our products and in the cloud and our SaaS solutions.

It gives each pillar a focus, but there are a lot of crossovers. This means there is a lot of collaboration, including between our software engineering and our cloud infrastructure teams.

IM: Given the skills gap often discussed in cybersecurity, how challenging was it to develop this team and do you have everything you need in place?

JK: I’ve been here three years, and I always look at it as: once you’ve spent three years somewhere, you feel like you've got a team that's got your fingerprint on it.

I’m very close to having it where we need to be. There are a couple of open roles where, as we move towards more sophisticated implementations, we’re looking for some high-level technical skillsets.

As in all organizations, you sometimes hire some people that aren’t a great fit or maybe don’t have the right skill set. But there are always opportunities to cross-train, retrain and find other opportunities for them.

It's hard to find the right skills in a one-hour interview. I try to make sure that our technical staff are doing a deep dive on the technical skills and I interview every hire we make here.

I'm also really involved in getting the right personality fits for our team. We need people who are passionate, who are curious. I really look for the soft skills and I think that helps make sure they’re going to be a good fit with the rest of the organization, regardless of their technical level.

IM: What advice do you have for CISOs looking to develop their own cybersecurity team?

JK: If somebody's got a technical background, they are always going to be able to learn something new and pick up new technologies. Most of the vendors that we work with offer training, and there are certainly a lot of certification opportunities.

I try not to get too hung up on whether they have specific technical skills. It’s really about their style, their work ethic and their ability and willingness to try new things.

It's kind of fun to bring in people who are at a junior level in engineering and be able to mould and hone their skills. We've taken the time to help grow their career and get them the right skills and tools to do the work they need to do. This approach means you often get more loyalty and so you don't have as much turnover.

The biggest thing for me is once you get good people on board, you find a way to keep them. That means always giving them exciting new projects, challenging them and giving them access to training.

I do a one-to-one with every one of the 30 security team members at least once per quarter, where it's not just talking about work and projects. I think having a personal relationship with your staff and making sure they feel welcome and very much a part of what you're trying to accomplish is super important.

IM: How do you maintain your relationship with the BlackLine senior executives and board members?

JK: First of all, being able to actually communicate in business terminology is really important. One of the things I learned at places like BT Global was that these relationships are a huge opportunity to really define security using risk management terminology.

Every executive understands there are business risks: there are financial risks and technology risks.

The other thing is I'm brutally honest and very transparent. I've been very clear when I talk to the board about the types of metrics that I look at.

I work really hard to make sure that we're consistent in our messaging, that we talk about our wins and areas where we have had challenges or we need to improve.

I listen very carefully to the feedback from the board. At BlackLine we have a very technically minded board and we have regular ongoing conversations.

Sometimes you only have 20 minutes per quarter with the board and you really need to hit the high notes.

I think being open to feedback, having a relationship with them and a strong dialogue that is transparent is important to gaining the trust of the board.

IM: In the financial services sector, what are some of the biggest security challenges you’re seeing and what is your top cybersecurity priority?

JK: Ransomware is always at the top of the threats we face. It's the one that can cause the most disruption and have the highest costs.

With phishing as the vehicle for most ransomware attacks, I have implemented a lot of technology and the tooling to catch the obvious messages.

We also spend a lot of time on training and security awareness, and have a phishing simulation program. I make sure that I communicate regularly with the entire employee base here at BlackLine so that they understand their role in the security program.

"It's not just about us using tools."

Also, we’re moving into the cloud security piece very quickly. This means making sure we’ve got the right tooling, the right partnerships and that the team are comfortable with using the tools and technologies. This will enable us to quickly react and respond to an incident.

IM: Are you using AI tooling within the security team? Do you have any concerns about AI being used in the wider business context as a risk factor?

JK: We're starting to get some of the AI capabilities, but we're not completely there yet. We're still looking at what's available and we want to make sure that we get tools that are going to last.

What we don't want to do is jump on the bleeding edge of this technology; we want to make sure that we're thoughtful about where we implement it.

But certainly, some of our new cloud security capabilities are inclusive of AI functionality.

As far as AI within the company, it's something that we're pushing forward in our products, but also in our corporate infrastructure. We have a CIO that I report into and he's certainly pushing for leveraging AI where feasible.

But he also has a very strong security-minded background, and he and I work closely together to make sure that anything we’re implementing and introducing into the environment goes through our vendor risk program and has access controls in place.

AI for me, like probably any CISO, is a double-edged sword. We know that there's a lot of great things that we can do with it. We can leverage it in a way that makes ourselves more capable and gives teams more bandwidth to do interesting work.

At the same time, AI makes cyber-attacks better, such as phishing attacks. Therefore, it’s important we train our employees and keep people aware of how AI can impact us both positively and in our risk posture.

IM: If you could give one piece of advice to fellow CISOs/cybersecurity practitioners, what would it be?

JK: Keep it simple; there are so many tools and technologies, new acronyms and certifications. I focus on the basic security hygiene things that need to be implemented and build on that.

If you try to overthink it, sometimes you miss the obvious things.

Having a good security awareness program is really important. Having good endpoint protection and antivirus programs, so you don't have low-hanging fruit out there, is also really important. You can probably address 80% of the attack vectors if you just do those simple things.

If you’re not getting the basics right, you’re asking for trouble.