by Jeremy Daniel

Old Mutual CISO Kerissa Varma on the burning need for women in security

Apr 28, 2021 | 8 mins
Diversity and Inclusion, Security

Cybersecurity needs women, says Varma, the first president of the Southern Africa branch of Women in CyberSecurity (WiCyS). Here's why women should push for security jobs, and some advice for everyone in the field.

Kerissa Varma, the first president of the recently established Southern Africa branch of Women in CyberSecurity (WiCyS), has spent more than 16 years in security technology, in 2019 becoming the CISO of international banking and insurance giant Old Mutual. She’s a highly visible technology executive, with one of the top jobs in the sector, but things could have gone another way.

As a youth Varma was a good student, she says, “and like so many Indian families in South Africa, when you get good grades you become a doctor or lawyer.” But instead she spent four years in Malaysia on a bursary to study software engineering with high specialization. This led to an offer from Telkom in South Africa, which she accepted. 

“Having joined the Telkom IT team fresh out of university and wanting to practice software engineering, I was taken aback when the Head of Cybersecurity said, ‘No, you’re coming to security.’ So that’s what happened and I’ve spent my whole career in cybersecurity and I love it,” Varma says.

Varma has worked in government, telecommunications, banking and insurance. On joining Old Mutual five years ago, she headed risk management for the organisation, then moved into an executive role and eventually took on the CISO role.

While serendipity played a big role in Varma’s path to cybersecurity, she is now working to attract women to the field in a more programmatic way.

She’s now a driving force behind WiCyS Southern Africa, founded in February this year. WiCyS is a US-based, non-profit organization dedicated to the recruitment, retention and advancement of women in the cybersecurity field.

The following is an edited version of our conversation.

Why did you launch WiCyS in Southern Africa in 2021?

This has been a really big passion of mine. Women in CyberSecurity (WiCyS) is a global institution with affiliates all over the world. So we’ve just brought it to Southern Africa for the first time, and I was elected as the first president of this affiliate and couldn’t be more excited about bringing this capability to Southern Africa.

There’s a burning need to have more women in cybersecurity in the region. We have done a lot to improve gender equality in cybersecurity but if you look deeply at the statistics, you see we have very few women in senior leadership roles and deeply technical roles in cybersecurity. 

So while we are getting better in certain areas in terms of getting women into the field, there’s still a long way to go. My passion is to start changing that and that was where the launch of WiCyS SA came from. The aim is to stand on the shoulders of a global organisation and truly make a change in Africa.

What are the hurdles to getting more women involved in cybersecurity in Southern Africa?

Many women don’t put up their hands for these roles and without doing that, you’re never going to get selected. There are just not enough women getting in line to do these deeply technical and senior roles in cybersecurity. There may be societal norms that still play a role or we may have women that just lack the confidence to stand up for what they want. This is not just an issue in South Africa, but the continent as a whole. 

What initiatives and resources do you plan for the group to encourage and promote the careers of women in the field?

The international group of WiCyS is backed by some of the largest technology giants in the world. Big security vendors are definitely supporting this initiative, which gives it the scale to truly make a difference. There are conferences and webinars all the time. Obviously, a lot of what is happening is in the USA. We want to make it more African. Start getting local women in there. We want to build partnerships with universities and get people to start contributing from an African context.

Since we launched, big technology vendors who have a presence in Africa have been reaching out and saying “Yes I want to sponsor bursaries and get more women trained”. The support for the initiative and the response from women in the sector has been truly humbling. There is a real passion from people who want to make a change in Africa. It’s a burning need that hasn’t been addressed yet.

What is it about cybersecurity that makes it a good fit for women to join?

Cybersecurity is such a diverse field. In my team I’ve got someone with a marketing background and another who has a military one. Multiple backgrounds and skills lend themselves to careers in cybersecurity. Women are often great problem solvers with lateral thinking, which, coupled with a broad base of knowledge, makes them perfect candidates. We need diversity because our attackers are diverse. Our diversity is critical to be able to respond to changing threats. Women generally are pretty adaptable. We lead very well from that perspective.

What are the biggest cyber security challenges in the region at the moment and how are they different from what security professionals faced a year or so ago?

Globally cyberthreats have grown. It’s the same threats…not something fantastic that has come up, but it’s the scale of it that has really shocked the world.

What came to the fore last year was ransomware-as-a-service. Bad actors who don’t have the time or tech capability to launch these attacks are outsourcing them. It’s so bad that some of these companies are now guaranteeing revenue from these attacks. They are saying, “I will improve your current revenue by 30%.” It’s highly organized and professional; they even have a call centre and how-to guide to help you pay the ransom easily.

How has the pandemic in particular affected cybersecurity?

A lot of hospitals have been targeted by ransomware because attackers know these are critical services right now with the current COVID-19 epidemic and with the hospitals being so important to countries … targeting a hospital has become a lucrative option. 

For anyone out there wondering how to protect yourself from this level of attack, I tell them it’s still the basics. Strong passwords, don’t share your passwords, two-factor authentication where you can… It’s those good hygiene items that really do go a long way.

I always say that the role of the CISO today is to promote trust. That’s my day job — to ensure that when our customers need us, we are there and we are able to service them safely and securely. That trust is critical. Large organisations’ security teams can’t do this alone. The task is too big. At Old Mutual, I believe, we have an entire workforce that is security enabled, that knows how to be safe and protect information and that is critical. So if you ask me who is my security team, the entire staff complement. That’s the only way you can win and succeed at this. Otherwise it’s too complex a task.

What has been the biggest challenge for you, personally, in your career?

I think in taking on a challenging role like one of a CISO — I had to take a breath and ask if I really wanted to do this. Whether I wanted the pressure and stress that typically comes standard with this type of role. I decided we needed more female CISOs and that I needed to put myself forward and set boundaries so that I could manage the impact. I am very blessed to have some great support structures both at home and at work which I rely on heavily to achieve what I need to on a daily basis.

And yes there are stressful periods but it ebbs and flows. Your weekend has to be yours when you can take it – the downtime is critical. You prioritise yourself making sure you are strong enough to tackle future challenges.

What advice would you give to women interested in developing a career in cybersecurity?

Go for it, you won’t regret it! Get into the industry using people who are already in it to understand the field and what it entails. Find a good mentor who is in cyber and start having a conversation with them.

There’s a story of one of the best ethical hackers of medical devices out there (pacemakers etc.). She started her career by watching YouTube videos. She was in the medical industry and she thought something has to change as things were fragile and insecure. She started on YouTube and reading online and she’s one of the leading ethical hackers on medical devices today. You don’t need much, just an interest and a passion. There is so much info that you can use. Start learning.