Kathleen Kotwica, Executive Vice President and Chief Knowledge Strategist at the Security Executive Council, talks to Security magazine about her journey into security and the challenges faced when conducting research within the industry.
Security magazine: Could you tell me a bit more about your journey into security and what led you to your current position in the field?
Kotwica: I was at DePaul University, finishing up my dissertation, when I got a job at [Boston] Children's Hospital. It was in a lab and we didn't have web as we know it there yet, so I had to go to the hospital library often to do research. Eventually, they got a kiosk that anyone could use to go search the web with this thing called Netscape and I just became absolutely fascinated with this idea that you could get information at any time from anywhere. I was on my way to become a lifetime academic and researcher but when this came around I thought, “I really want to do research in this area.”
My husband, who's an IT guy, gets all kinds of tech magazines and there was one called Webmaster. I started reading it, and one day I saw an ad from the publishing company looking for an intern to work on the web team and also someone who could do research. I reached out, met with the VP of online and got hired. Part of my job was to read all magazines they produce because what I did on the web team was put the content together in such a way it was easier for people to find it. Eventually, they started up a magazine called CSO and I started to just learn by reading what corporate security even was; I had never heard of it.
I spent about seven years there, done pretty much everything I thought I could do, and ended up going and getting a job at a consulting company as an information architect. There was this need for someone that could take all that information and make it usable, findable [and] easier to digest. About six months in, I get a call from Bob Hayes, current Managing Director of the Security Executive Council, and a colleague recommended me for a job he had.
In my job [now], I've done a lot of things. I have to research what is corporate security, what the operations [are] like, what they do within a company, and I interact every day with CSOs. This has been 16 years I've been at the Security Executive Council.
Security magazine: It seems there is a lack of research available on security programs and security leaders. I'm wondering if this absence of information might be due to the industry itself trying to be secure and keep the information close to home?
Kotwica: Yeah, that's exactly one of the things that makes it a challenge for us. We sometimes [have] a hard time getting people to share. For example, we have a large benchmark that we run on operations, staffing, budgeting. Everyone wants that data, but we have a very hard time [with] people taking that particular survey. We try to do many different kinds of research to involve people.
We're very open about sharing our research and we're hoping that generates more activity, but it is a bit of a struggle. One of the things we find that really helps security the most is the high-level items like executive communication, measuring value and communicating that value, operational excellence, being risk-based versus historical, strategic planning. All of that really comes down to marketing the security program in the company and by marketing, I mean understanding your customer, communicating to your customer in the right way so that they understand, showing what you offer, showing the value and the value proposition of what you offer.
Security magazine: Along with those challenges, what areas of security research do you think are underfunded and should have more attention?
Kotwica: Well, I think the entire world of corporate security research is underfunded. If you do Google search or whatever search engine you use and look for corporate security information or research, and I'm not talking cyber because there's tons of that and input information security, there's very little. It’s kind of a challenge, as far as research goes. There's no universal solution. There's no one way to bring a security organization together operationally, due to many factors. Due to the size of the company, what industry they're in, what the risk appetite is of the company and the corporate culture.
Often, people want to know, “What is the best way to,” and then fill-in-the-blank, “structure our workplace violence program or [build a] travel security program?” Unfortunately we can't just give them something and say, “This is exactly what you need to do,” because it's very important that they understand where this company is, how it thinks about security, what its security needs are.