Jelena Zelenovic Matone: “The only way to do great work is to love what you do”

Jelena Zelenovic Matone is the CISO of the year 2019. She takes care of the European Investment Bank’s cybersecurity. We met her to learn about her story. An inspiring story that began with a key decision: moving from Canada to Europe.

“To succeed in this, or any field, one needs to take risks. One anecdote from my personal life that I want to share is my decision to move continents, North America to Europe, to be (with my now) husband. I was not even sure what I am getting into regarding my career and the next steps, and I also left a very good job that I had in Toronto at the time, but I had confidence that I would make it. I think the risks you take can pay off if you believe that you can succeed and you believe in yourself. Leaving the continent was perhaps one of the major milestones for me. While I have learned a lot in North America concerning our field of work, I was very glad to see that I can very much apply it all and share that knowledge back in Europe. It was an instrumental part of my career and learning, and I am grateful for all the experience growing up and later on acquiring knowledge during my education and vast experience (10 years) of working after that in the global private sector in Toronto,” Jelena says.

How did you become a CISO?

“I was sure you’d ask this question. Perhaps to start with something that might seem irrelevant, but for me, it built me to be who I am today. I am a survivor of the ex-Yugoslavian war, an immigrant to Canada at an early age, learning to speak another language quickly. The impact of the series of events was not an easy one; however, in retrospect, it taught me many things. I soon realised that my new country could provide me with the tools and education that would enable me to fulfil all of my lifelong heart’s desires, goals, and dreams. I have had the most amazing people support me on my journey: family, friends, and colleagues, who ‘had my back’ and vice versa. I have learned that people can take many things away from you along the way, but one thing they cannot take away is your education and your knowledge. The two important aspects mentioned can together provide you with respect and a network that is worth all your effort throughout the career,” tells Jelena.

And she adds: “I believe I was lucky from early in my career that I followed the path of cyber from the start. I started as a consultant in the early stages of SOX and was lucky enough that I had a much-needed experience at that time. I was then supported by excellent managers to pursue it further and get my CISA certification. From then on, I just continued in the field, advancing as time passed. From one global organisation to another, I kept acquiring more knowledge and skills, which was (and still is) very crucial to continue in this fast-paced environment where things change almost daily. The career support, I also received moving to Europe, was again very beneficial. I was able to offer that knowledge to organisations here and to advance the practices further internally, all while growing my professional knowledge along the way. I believe, at a certain point, the opportunity showed up, and I was blessed enough to move as a CISO for the European Investment Bank.”

“In general, in my case at least, I have spent my studies and my whole career in this field, and having the passion for what you do is the key to drive you forward to success.”

What are the most important skills for a CISO?

“People usually associate our skills only with specific technical requirements. I think outside of our field, there is a stigma that a CISO is only technical and understands limited technical requirements for their job. I see the skills of CISO being quite diverse. I’d say that 50% are technical and 50% are people and business skills. Our role is very transversal, and we need to collaborate with the whole organisation, regardless of projects/initiative that comes our way. We need to, hence, understand business and their needs, requirements in terms of business, and terms of security. We need to ensure good relationships with everyone, such as DPOs, IT Security, various business units, CFOs, CEOs, and senior management in general. Our recommendations are not always welcomed by all and might seem inflexible, so we need to have an understanding as to how to cascade such blocking points to business and have them understand the reasons behind our actions. At the same time, we need to be understanding of others and their pressing matters. This is where we face the challenge, and need to know how to effectively and efficiently identify areas of critical importance, how to establish a partnership with key stakeholders, how to identify crown jewels within the organisational value chain, how to map business risk to technology risk, and finally, how to define and implement sound information security strategy that would foster security as a business enabler and not an obstacle. I’d say that the role of a CISO is not to manage technology, although information and communication technology is in the heart of corporate digital transformation. The crown jewel is information, and the role of a CISO is to manage the risk that could prevent organisations and people from making value out of information.

Some of my general principles:

1. Remain focused on your dream, your heart’s desire, your vision, your reason for being, your mission in your life; if you don’t know what that is, I strongly recommend that you work on this part of you. Get acquainted with yourself and know your intrinsic values, beliefs, morals, and what you will not settle for.
2. Know and understand your role and your responsibilities.
3. Be prepared to think strategically and conduct yourself in a manner that lends itself to the credibility and integrity of your work; in such facets as planning, developing, implementing, building, and all the while maintaining a standard of excellence.
4. Surround yourself with allies and experts, but first and foremost, always trust yourself. If you have even the slightest niggle in the pit of your stomach, check and check again. Those that will surround you will complement, promote, and enhance your knowledge, your talents, your brilliance; they are people who will have your best interest at heart, those you can count on.
5. Learn to rise after a defeat and keep moving forward; no time for self-pity; be fearless in knowing that you’ve got this, no matter what curve ball people or life will send your way.
6. Be clear – on your life and work mission, remain compassionate, kind, empathetic, and generous through it all; it does not mean that you are weak.
7. Remember to do all of the above and still maintain a healthy relationship with yourself, in life and work; this is the infamous word ‘BALANCE/SELF-CARE.’ It is an art, and well worth it. No pressure! This career, like life, is not for the faint at heart.
8. Document everything you do. As a CISO, it is crucial that every step of the way is documented and can easily be traced back and referred to.
9. Provide professional training sessions, be constantly aware that to have a robust HR infrastructure in Information Security, one must continuously build the capacity of the human capital in this high-risk area. Be mindful of the potential or existing risk factors. Be mindful of the warning signs! An analytical mind and spirit are critical. However, finely developed intuitive senses are also an asset in this industry.”

How did the COVID-19 impact your work as a CISO?

“The first thoughts that went through everyone’s minds were to ensure business continuity without significant downtime. Now, looking back and ensuring continuity since we didn’t have that time luxury to reflect during the initial moments of this crisis, monitoring the awareness of our users and what is happening around was the most crucial task to be aware of (these are things like user awareness, ensuring protection over our most important assets, monitoring of various applications, diverse and urgent needs to perform risk assessments, etc.).” Jelena says.

“It is critical to note the importance of a close relationship with IT security and data protection officers in our field as well. This is the crucial and most helpful part of our daily job, so huge thanks to my colleagues in these offices as well since they have greatly benefited to the success of all our work during this time, and in times prior to COVID-19. It can also be said that we see the increased reliance on the network with our peers on a global level and exchange information that will help us all.

The biggest challenges, in addition to the ones I have already mentioned, and which we may all be facing more or less, are, I would say, more on the side of operational risks, hence indirectly impacting cyber risks. Consider the psychological impact on people who are 24/7 at home, relying on the Internet for any social interaction, people who have to deal with various jobs: housework, children, hence increasing the risk of greater dependence on the Internet for shows, entertainment and thus cyber risks. Consider indirect cyber risks: resources and well-trained backups for critical functions. Now the question arises: Do we have enough people in critical positions, those we rely on 24/7? It can be said that we “settled down” a bit in a way that we are all globally getting used to the new status quo, with one caveat, continuous monitoring, and user awareness training along with ensuring compliance over-critical internal and external controls/regulations.”

How do you think this crisis will impact the cybersecurity landscape?

What is clear from learning that we will enter a new status quo and that the world will no longer be the same is the fact that hackers are targeting and relying on people’s increased dependence on digital measures. We must, I would say more than ever, think about maintaining basic cyber hygiene, from monitoring networks and users, ensuring timely patching, following best practices that are continually evolving – be it by the state or relying heavily on our colleagues in this field globally, as well as performing continuous information security awareness training.

We must not forget the fact that the Internet now becomes the only way to communicate effectively with other people, be it for family reasons, business, or any other. Information security user awareness will be of the utmost importance! We may focus more on educating our users about what we mean when we say ‘secure way of working’, as well as what they are allowed to do in that period. The basics of VPN importance on our laptops, endpoint security, phishing traps, and simple googling are critical components to watch out for. Another angle for long-term focus should be on crisis recovery and business continuity. All this will start a new wave of innovations and accelerate the dismissal of outdated/obsolete technologies.

Cybersecurity will likely lag again. We will need to react even faster. Remote and business interactions will identify new opportunities, new ways of working that we would not otherwise notice. Companies will take their business continuity plans seriously and take the time to review them, as many have certainly now realised how much more work is needed on these plans.

As businesses may face initial challenges, now they finally understand the importance of security strategies and their need to change as the workforce becomes more remote. I would like to add that I think that Cyber Insurance will continue to grow as a good alternative for mitigating losses.

Let me just say that I am a great optimist and I think that such events will affect the growth of professional being and that everything that brings ‘noise’ is very interesting for all of us, not only in our domain but also in other professions.

How do you see the future of cybersecurity in Luxembourg?

I am very optimistic about the future of cybersecurity in Luxembourg or anywhere, for that matter, as in our field, we have no borders. It is embedded in almost every step of our daily lives nowadays. With digitisation only advancing as we speak, IoT, AI, quantum computing, it is with no surprise that in Luxembourg as in any other country, we will need cybersecurity professionals more than ever! With an increase in data breaches, identity thefts, financial hacks, our field, and the need for it is growing at a swift pace. Hackers will continue to improve their already sophisticated methods, mostly in the health sector for the time being [unfortunately] but also in other industries such as the financial sector.

The market is facing a lack of talents… What would you say to convince a teenager or student to start an IT curriculum?

We can practically say that the use of the Internet is one of the most critical global economic developments and international security factors. The political tensions between countries, along with leadership changes in other key states, make it that much harder for cybersecurity cooperation among nations. And this will not end any time soon. It can only continue to advance as technologies advance. Just think of the global economy, be it banking, transportation, health sector, energy, all depends on rapid, real-time communications, and massive data storage and processing capabilities. Militaries in most developed countries now rely on long-range Internet connectivity to manage both peacetime and wartime operations. Think of humanitarians, medical researchers, environmentalists that make heavy use of ICT. According to Global Snapshot: The CISO in 2020, 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years. All of these reasons alone should give confidence to new generations to realise how much demand there is for them in this field.

Each one of us is a masterpiece in our unique ways. We are capable of unlimited potential. I was also blessed to have many great managers and colleagues that have shaped me and made me grow in the right direction, so I am glad that we ask this question as some teenagers might be inspired by reading it and might think of their next steps in terms of education and field they will choose.

Now to encourage even more so women, I would like to add that I believe that we are gifted with the natural ability to plan, prepare and deliver in times of crisis intrinsically or when significant events occur. No matter how devastating, we have the innate ability to ‘roll with the punches’, while sustaining our credibility and integrity and remaining whole, no matter what work or life will throw our way. I am a firm believer that an ounce of prevention is worth a pound of cure and that it is critical to us, as women, to realise what all we have, over and above our intelligence. Of course, given opportunities and sometimes permitted to follow through on matters that are forward thinking.

I believe in the next generations to come, in their diversity, newly acquired skills that we did not have back then, their capacities, abilities, and competencies. I believe that if you believe in yourselves, the sky is the limit.

What do you really like in your job?

I love the job I do, and it has been something I have done all my life, from the very first day of my career. Hence, one can say that all the good, the bad, and the ugly that comes with it is good if you have the passion for what you do. I love challenges and constant learning that this field provides and requires from you. Working with technologies and people to solve the problems, all while educating the business about risks, is quite rewarding. The field of information security is a constant growth and constant challenge in managing the evolving threats; however, at the same time, immensely satisfying and rewarding. I think with this, as with any work, if a professional lacks challenge and a sense of purpose at their position, it will impact the satisfaction at the workplace.

“Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do.” – Steve Jobs