Q&A: Lucia Milica
Lucia Milica, global resident CISO at Proofpoint, talks about how the CISO role has evolved and the challenges that CISOs face when interacting with the leadership team. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: I would love to hear more about your own background.
Lucia Milică: So for me, I started into this space very early on; I began coding when I was 12. I was born and raised in Romania. So I began coding at 12, and I studied computer science in high school. I moved to the Bay Area very early on, and my first job was doing Y2K compliance for Wells Fargo Bank. So that was sort of the beginning, into the tech sector. But I think what’s unique about my skill set is that I’m passionate about law and technology. I love them both equally. Cybersecurity and privacy are both very near and dear to my heart. Now, taking a step back and looking back to when I first started, I wouldn’t necessarily have thought that I would end up in cybersecurity, primarily because cybersecurity was not a defined space nearly 30 years ago. So technology was a big area of influence. And for me, it was really the blend of technology, business, and law that I think ultimately has led me to where I am today.
I do feel that in many ways, I am a product of the CISO evolution, just kind of reflecting back on my career. So as I mentioned, I started early on doing coding, I got into IT infrastructure, so I started as a sysadmin first, and over time, sort of graduated to a systems engineer role, like everybody else early in the days in the 90s, spent a lot of time with the MCSE certifications, and all the various different technology that sort of brought me up to being a systems engineer. But if I kind of take a step back and look at the pivotal steps, it’s really moving from systems engineering to more specifically around Active Directory and Exchange. And if we think of the threat landscape today, email is still one of the top threat vectors across the board, and I had been focusing so much as an Active Directory engineer and expert; it was very much focused around access controls, authorization, needs-based permission, RBAC. I spent many years doing RBAC implementations. And this is way before we talked about needs-based permissions. So that was a big stepping stone. From there it was always a natural progression towards eDiscovery and records retention. And it was probably my love for law in the background that has played a little bit into that. I didn’t go to law school until years later. But at the same time, while I worked full time, I went to school at night. So all of my degrees were done as I continued to grow and progress in my career. And I feel like each one of my degrees really helped, from undergrad to my MBA to my JD later on, and Masters in cyber; they all helped along the way with putting the business in perspective and understanding both the tech and the business side of the equation and really honing in on the risk. But as I moved on from the natural extension from email, and running Exchange systems and architecting new technology, that sort of morphed over time to, as I mentioned, eDiscovery and that investigation side of the house.
I think that first stepping stone towards security, it was still very early on, and that sort of move towards more investigations, Governance Risk and Compliance became a big piece of it. But then from there, the next piece was getting more involved in M&A and integration as a result of M&A, that came into who’s accessing what, network connectivity, safety, etc., to IP protections or intellectual property protections, and over time, I got into running a lot more of the IT infrastructure space and, being the only person with a security background in the room, it was a natural progression in my career into, you know, taking over security, taking over intellectual property. It was around that time when I started law school that a lot was happening around data; supply chain vendor risk became a bigger concern. And I was one of those people that raised my hand to take it over. Like, let me figure it out first. So through that, they all helped form the CISO that I later became, but those are all, I think, stepping stones that made me a well-rounded technology and business leader, where I could bring all of those pieces into one.
Lindsey O’Donnell-Welch: Was there any pivotal moment that made you decide to go down the CISO track?
Lucia Milică: That’s probably now about 10 plus years ago. So at the time, I was running security without the CISO title. So I built security from the ground up, I was the security person and the privacy person, but I just had a VP of infrastructure type of role. And it was at that time that I got more and more down the data governance track, that I realized that, okay, this is a conflict of interest. It was probably very early on, and it was in law school, that I started thinking more in terms of risk. Probably it was my first year of law school that I raised my hand to my CIO, and I said, “Look, I can do it all, so there’s not a problem. Can I do it? I believe that it is not right for me to own everything. I think we’re getting into a point of conflict of interest.” And if I am to take those, like, which side do you want to be on? Do you want to have security only, do you want to have security and privacy, privacy only, or IT infrastructure? And that was a pivotal moment, when I said, “Well, I love IT infrastructure.” And at that point, I was in it for over 20 years. So that’s how long that’s been. I felt like I knew IT. But security and privacy were something that I was so passionate about; that’s when I basically raised my hand and said, “I would love to just own security and privacy. And we need the right checks and balances, we need to ensure that there is no conflict of interest in between. But I can put in all of those processes.” And at the time, I was building data governance and overall security and privacy governance and implementing ISO 27001. And as I was going through the various different layers of protection and checks and balances, it was very clear that I needed to decouple my ownership of IT infrastructure from the security side. And that was probably while I was trying to do everything prior to that; that was a defining moment where I said, “I’m only going to do this, this is where my passion lies. And this is where I think I can be more impactful for the organization.”
Lindsey O’Donnell-Welch: What are some of your responsibilities?
Lucia Milică: So I’ll tell you my day to day in my previous role compared to my day to day in this role, because I think it’s really important. So in my previous role, I owned all aspects of data privacy and security, from corporate security to product security. So DevSecOps, privacy and security by design, and data governance, across the board, and a day in the life was anything from meeting with execs trying to drive product consensus, trying to drive a culture of security, understanding what the business goals are and trying to figure out how I could enable those business goals securely, and really sort of building that consensus and risk profile for the organization. I do feel that an effective CISO should have a strong business acumen. And so a lot of my job was probably interacting with the executive team and their deputies, their direct reports in the organization, in terms of driving awareness, data ownership, controls, etc. And then there’s the other aspect of it, of course, which is you’re always on call 24/7, working with your security operations team, making sure they have the eyes on the glass to see what’s happening. So sort of a constant shift between business strategy and business enablement to threats, and trying to make those decisions in near real time. Now, fast forward to today, in my current role, I run a team of advisory CISOs across the globe, so I don’t have the internal operations responsibility as I did in the previous role. In this role, I’m primarily focused on the eight CISOs in my team around the globe, and we spend our time advising customer CISOs across the globe, which is a value-add for them as customers, around what is top of mind, what are the top threats, what are some of the best practices that we as operational CISOs – every one of those on my team had been operational CISOs prior, so they’ve had experience in those roles – and our CISO community broadly see, in terms of what’s top of mind, what are some of those best practices?
So a lot of what I do today is coaching and educating… and it doesn’t matter where you are on the spectrum, I can be talking to a Fortune 10 global CISO or I can talk to someone where the company has 3,000 to 5,000 employees, right? So it doesn’t really matter for us where on the scale, but if someone has a challenge or a program they’re trying to undertake, like, “Hey, I need better board metrics, you know, what are some of the other CISOs doing? What are your best practices? What have you learned about it? Can you help me on my board deck?” as an example, or “I’m undertaking a Data Governance Program end to end, what have you learned? Or what are others doing? How have you tackled this challenge? How are you working with execs?” So it’s really being that trusted partner and sounding board to our overall sense of community that sits at the core of my role today. And that has been definitely a shift in mentality when I took this role. I wasn’t quite 100 percent sure that this was the right next step, but I was very much driven by wanting to be impactful, and be able to help more than one company at a time. Being in the operational role was fantastic, right? Because you can get into the depth of that technology and can really shape how you mature the security program and drive the culture of security. But you do so one company at a time. So that’s time that you invest in transforming that program; in this role, it gives me the opportunity to impact more than one company at a time. And really, I wanted to use my knowledge and experience to be impactful and be able to give back to the CISO community.