Infosec Hall of Fame Inductee Lili-Ann Mitchell: Marrying corporate and cybersecurity
Lili-Ann Mitchell is a security veteran with 25 years working in incident response. She is a strong advocate of making security more effective through collaborative working and learning together. Lili-Ann is a passionate learner and has recently completed her CISM exam with help from the Infosec CISM Boot Camp.
An illustrious career spanning 25 years in security
"I have worked for 25 years in corporate security. My latest objective is to fill the gaps between cyber and corporate security to evolve a unified security risk approach and leverage both sectors." - Lili-Ann Mitchell
Lili-Ann Mitchell is the global head of security of Bombardier Recreational Products (BRP) and president of consultation agency Lili-Ann Mitchell Inc.
Lili-Ann has a master's degree in criminology and is a fan of continuous development and building upon her already vast knowledge. As head of global security for BRP since 2015, she has led the corporate's global effort in security and incident and crisis management. The remit of this role is wide and includes development, maintenance, training, testing and incident management and recovery. Cybersecurity is another string to Lili-Ann's security bow, adding cyber to her wealth of risk management knowledge. To help develop and demonstrate these cyber skills, Lili-Ann successfully achieved CISM certification in April 2021. To help her meet the exacting requirements of the CISM exam, Lili-Ann used the Infosec CISM boot camp, which she described as "instrumental to my success!"
From corporate security to cyber security
The knowledge gained through the CISM exam process has given Lili-Ann the confidence and knowledge to lead cyber incidents and provide guidance to the IS&T team, including at the executive level. Using her newfound skills in July 2021, Lili-Ann performed a tabletop exercise on a cyberattack.
One of the main objectives of sitting the CISM exam was to allow Lili-Ann to support mandates to combine cyber and security expertise and deliverables. As Lili-Ann told Infosec, "my current and future peers believe I am opening the way to new ways for security professionals."
The merger of two worlds: Corporate security and the CISM
Lili-Ann's education in cybersecurity goes back to her completing the Certified Protection Professional (CPP) exam in 1999. Her security career has always involved incident management, giving her a wealth of practical experience solving security issues. This hands-on experience led Lili-Ann to look at the CISM exam to connect her managerial role in cybersecurity to the more technical aspects of incident management. Lili-Ann told Infosec that, "after researching CISM, I realized that there was a high degree of connection between corporate security roles and the CISM and so I thought, OK, I think I can do that."
During the Covid-19 pandemic, Lili-Ann's professional coach encouraged her to go for CISM status, which Lili-Ann had been thinking about for five years. Lili-Ann chose to use the Infosec CISM Boot Camp to help her prepare for the exam.
"The teacher was awesome," Lili-Ann said. "The Boot Camp was highly efficient, only needing one week of my time. It's awesome because you close everything for that week. If it was a day here and there, I don't think it would be as efficient. So, for one week, the schedule is eight to four, eight to five, and questions to do at night. I loved it. It was tough, but the speed and the content made it digestible."
Lili-Ann noted that before the Boot Camp, she was averaging a 60% success rate on test exams, but she was able to hit 85% after the Boot Camp. "...the Boot Camp was really powerful for me to focus my efforts and to be able to pass the exam. So, honestly, I would not have succeeded without the Boot Camp."
Continuous learning to create better security practitioners
"I don't want new cybersecurity or security professionals walking in a silo mode. I want them to be exposed to the integration so that we can be recognized as better professionals in our security field." - Lili-Ann Mitchell
The integration of corporate security and cybersecurity is an important goal for Lili-Ann. She told Infosec that during her 25 years of experience in the field, she found that security roles don't have the same profile as those in areas such as regulation. Lili-Ann wants to change this and to improve the authority of cybersecurity professionals. However, she recognizes that this is only achievable through collaboration across the security industry: "There's no point fighting between each other. We are in the same bucket, in peoples' heads, as security professionals, so let's work together to bring this up instead of fighting for half of it."
An illustrious career and a continuous learner: Mentoring, Women in Security and collaboration
One of the pivotal moments in Lili-Ann's career was when the company she worked for, Alcan, merged with Rio Tinto in the mid-2000s. This allowed Lili-Ann and her team to "define the approach of security for Rio and become the corporate security at Rio Tinto." It was this transition that set in motion the importance of team collaboration in Lili-Ann's mind. A poignant note on this event was made by Lili-Ann describing this time:
"Sometimes a milestone is where you have a big success. I think for me, this milestone was an eye-opener of how we have difficulties working together. The challenge of integrating two teams of corporate security and cybersecurity was an eye-opener on the level of challenges, and an eye-opener on the future road that we need to take."
Lili-Ann told Infosec about a recruitment issue that will chime with many women attempting to enter the security sector. She told us of her first mentor, who was her CSO and manager. "This man was instrumental in hiring me and interviewed me along with another man; in the interview for the job, the other interviewer was against hiring me because he believed that as a young woman, I would end up having kids and leaving. My mentor-to-be said to the other interviewer, 'So what? She can develop our program and make a difference for the next 25 to 30 years.'"
Lili-Ann got the job and managed to have two children and develop the company program, including running 150 facilities in the Asia-Pac region, significantly improving the organization's incident response capability.
This simple act of being non-prejudiced by the CSO has inspired Lili-Ann to work with Women in Security to encourage young women to enter the profession.
Lili-Ann is a passionate learner, and she has channeled this into a mentoring role. She is currently designing a college degree program on cyber and integrated security at Sherbrooke in Quebec, Canada, titled "Cybersecurity and Integrated Security."
The further of security is collaborative
Lili-Ann does not see herself as a "typical IS&T or cybersecurity professional." However, she wants to continue to build on her cybersecurity knowledge. Her ideal role would be at the CSO level to combine her cyber and management skills. Her ideal position is as a number two in an organization where she can learn and bring convergence to a CISO role.
Lili-Ann's mantra is to involve people from across different sectors through convergence and working together. She is determined to continue to push this vital aspect of cybersecurity success.
"Now I see the future potential to evolve, to make security practitioners better," Lili-Ann said. "This is, for me, critical; other categories of work are easily recognized, but security is not necessarily as credible. By working together and being better security practitioners, we can gain more credibility as professionals."