CSO Spotlight: Nasrin Rexai, General Electric

Nasrin Rezai is GE’s Global Chief Information and Product Cyber Security Officer, responsible for all aspects of cybersecurity strategy and operations for GE products and enterprise, including incident response, threat intelligence, security services, architecture, commercial OT security and regulatory & compliance. Her previous roles include Global CISO for GE Capital and head of Corporate Governance, Technology Risk and M&A security, for the industrial GE businesses. Prior to GE, she served as SVP, Chief Tech Risk Officer in the Enterprise Risk Management Organization at State Street and as CTO of Security at Cisco. Throughout her career, Nasrin has promoted engineering and architecture in designing security solutions for large enterprises.

What was your first job? I was hired as an entry-level software developer at Hewlett Packard [HP] following my internship there.

How did you get involved in cybersecurity? I was working at Cisco in engineering and architecture roles, but I was always looking to find a specialized niche with a broader reach than just technology. I was introduced to cybersecurity as a key differentiator for customers and fell in love with the protection aspect – 14 years later, it’s still my fascination.

Tell us about your career path. I started as an entry-level developer, moved into project management, then IT management – not really a detour per se, but I did zig zag into a business leadership role for some time, which was hugely beneficial to me as it helped me broaden my horizons, and helped me understand how businesses need to run. I’ve been in various cybersecurity roles for about 14 years now.

Was there anyone who has inspired or mentored you in your career? At HP, one of our female leaders took me under her wing and pulled me out of my developer role into technical project management.  She said she saw potential in me and she helped foster it by putting me in charge of my first large-scale project, which really kicked off my career growth and gave me the confidence to take on bigger and bigger projects. It’s so important for leaders to observe junior talent and look for that untapped potential – sometimes all it takes is a little nudge and someone can achieve great things.

What do you feel is the most important aspect of your job? Most important is to continually mature and up-level GE’s cyber capabilities, embed them in GE business practices (the art of cyber risk management), and ultimately enable secure business growth. This is our customers’ and regulators’ expectation of GE as we continue our digital industrial transformation.

What metrics or KPIs do you use to measure security effectiveness? We measure both lagging and leading indicators across the spectrum — we have goals around risk management, threat detection and resiliency around readiness to make sure it’s from the top down. We track critical success measures and initiatives that will close gaps around critical risks.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Attracting and retaining the very best cyber talent is one of our top priorities. As we expand and redefine our strategy, we’re looking to fill roles that are outside the traditional response and risk/compliance areas — now we’re looking for people with software engineering and cybersecurity backgrounds. We’re looking for product cybersecurity people who understand the manufacturing and the cyberspace — it’s bridging IT and OT. One of the ways we address the gap is by taking some non-traditional approaches to our hiring — we have apprenticeship programs that we offer to people with technical skillsets who might not have a formal education, and programs for GE employees who have an interest in cyber. We’re always looking for creative ways to close the gap.

Cybersecurity is constantly changing – how do you keep learning? Every day it’s something new — I’m learning from real-life scenarios, learning from my GE colleagues, learning from peers in industry. In my role, I know that I need to be flexible and ready to adapt to change. I need to be extremely curious and open-minded — sometimes the most important lessons are going to come from the least-expected places.

What is the best current trend in cybersecurity? The worst? I’ll start with the worst: The increase in attacks has made life a lot harder, but it’s also forced us to get smarter. That leads me to the best: The global attention that cybersecurity has received in the past few years has been the silver lining of the increase in attacks — it’s made cyber a board-level topic, which is critical in helping us embed cyber in business models.  

What’s the best career advice you ever received? Be an authentic leader, one with moral courage, approach uncertainty with confidence, and constantly search for opportunities for change.

What advice would you give to aspiring security leaders? To be the best cybersecurity advisor, you must have a deep understanding of the business you’re defending. Know what motivates your colleagues in the business — it’ll be easier to help them look at security holistically, and for you to help design secure innovative solutions.

What has been your greatest career achievement? I’m proud of being the first female CISO at GE.

Looking back with 20:20 hindsight, what would you have done differently? I wouldn’t have sweat the small stuff. I would have taken everything that went wrong as another lesson rather than feeling beaten up over things that had relatively little consequence in the grand scheme of things.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact kate_hoy@idg.com.