We sat down with Clare Patterson of Shell and spoke about D&I in the cybersecurity industry. Clare has some great advice about managing teams and creating an inclusive culture, even if those teams are spread across the globe. A global traveller, Clare is on a mission to visit 100 countries by the time she turns 50 years old, and she enjoys hiking/walking in the hills and mountains of other countries, as well as skiing and scuba diving.
Tell us about your career progression into your current role.
I secured a graduate role in a consultancy firm, starting in audit, then moving into cybersecurity. During the dot com era in the late ‘90s, I was helping a lot of companies build websites. E-commerce became the new buzzword! But when that bubble inevitably burst, I focused more on telecoms and regulatory work.
I then made the big decision to move to Australia in 2002; still consulting but for a variety of organizations. I came back in 2005 and noticed a big focus on SOX, so spent a lot of time helping big corporations become SOX compliant. I took on some larger program management engagements with clients before cybersecurity became a hot topic, and this is what led me to work at Shell. Since being at Shell, I’ve moved from leading the cybersecurity program to looking after IT Infrastructure, to my current role which is looking after IT for Shell Energy Trading and Supply Back Office Business.
How do you think living abroad has helped in your career?
It forces you out of your comfort zone and opens your eyes to different ways of doing things. When you first go to a new country, you’re an unknown quantity to the team you are working with, so you need to build up your brand quickly. It also helps you to understand your own cultures and values better as you have the opportunity to reflect back on your own assumptions and ways of seeing the world. For me, going to Australia at that particular point in my career gave me a chance to step-up and play a more senior role in a smaller market. This meant that when I returned to London, I had the experience and skills that helped me secure a role at the next level in a larger market.
You went to school for cybersecurity before there was a ton of awareness and discussion around the topic. How has the world of cybersecurity evolved since then?
One of the key things that’s changed is the way businesses outsource their cybersecurity to the cloud or third parties. In some ways, third-party companies can be a lot more geared up to protect your data and services. Particularly if you’re a smaller company, you’ll likely get better service and reliability using a large cloud provider. That said, you do find more of a concentration of a few key providers, so that brings its own risk. Where I see problems is when companies think that using a third-party provider solves all of their problems. You still need to be aware of the risks of what you’re doing and where you are putting your data.
Cybersecurity was still very niche when I studied in the early/mid ‘90s. The threats were still quite hypothetical and it was much more focused toward military and security services. We would talk about things like having password complexity because people might be able to guess your passwords. That would take quite a long time in the ‘90s, whereas now, that’s fairly easy to cover with today’s computing power. Today, no one really thinks “if we were attacked”. Everybody now realizes that you’re going to be attacked so it’s about ensuring you have the right protection in place.
The other thing that’s evolved is on the impact side. In the ‘90s, hackers could steal information (and some did) or potentially cause some issues. But now, the scale and dependence on IT has grown significantly so that the impact a cyber-attack has on an organization can be so much more significant than when I started in the field.
Finally, in the ‘90s we used to talk about the perimeter of the organization. That’s not so relevant anymore because businesses are so much more interconnected and dependent on third parties that you no longer have this view that you can put a “castle wall” around your organization – the people who work for you and the way you work with third parties is much more dynamic. So is your data; customers perhaps generate some of your data or you get it from other third parties. Things are far more interconnected than they’ve ever been before, which brings new challenges to the world of cybersecurity.
What about the demographics of cybersecurity professionals? How has that evolved?
When I started, only a small group of professionals worked in cybersecurity, so everybody knew everyone. It was quite technical and very male-dominated. Now, the number of people who work in cybersecurity or identify themselves as a ‘security specialist’ has grown enormously. I’m really pleased to see that it’s attracting a more diverse group of people with a much wider range of skills. This means that cybersecurity teams are being more innovative. I strongly believe that the broader your mix of skills and people, the better your chance of protecting your company.
Do you believe the glass ceiling exists for minorities in the workplace?
That’s a tough one! I think it depends which workplaces. When any minority group struggles to get their voice heard, they have to play along with the rules from the dominant group. That has to be very tough, to have to fit into something that doesn’t naturally play to your strengths. In terms of gender, there’s a big change in how a group operates when a small percentage of that group are women (1% - 2%) versus when there’s more of a gender balance. There’s a lot of research to support the claim that having a sufficient balance of different people helps to create an open and inclusive environment.
I don’t want to say the glass ceiling exists because I think it can almost be a self-fulfilling prophecy – people will decide not to go for something because they think their career is capped off at a certain point. I’d like to think that anyone who is ambitious can make it. But it is certainly tougher for those groups who are underrepresented.
If you look at a white middle class male, you might think he has a career advantage, because he fits into the majority. But he may feel that he’s in the minority because he doesn’t play golf, or maybe all of his peers went to a particular school, etc. Everybody creates their own perception of whether they fit into a group or not.
What's your advice for building a network and building your personal "brand"?
Firstly, you need to do things that you enjoy. If you feel like building a network is a chore, you’re doing the wrong activities! You should do things that are actually of interest to you. For some people, that’s going out and drinking, trying restaurants, etc. For others that’s learning by attending more technical conferences. Some might enjoy online communities and networking that way. You have to find a way of doing it that is interesting to you and doesn’t feel like work. Build a network with people that you can help. You should have a mindset of “how can I help this person?” rather than the other way around. Spend time with people you enjoy and value. But keep in mind, that’s not going to be everybody you meet!
How do you differentiate between "diversity" and "inclusion"?
There is an attitude to go out and do the Noah’s ark approach; get a certain percentage of people from each race, each age, each gender, etc., and tick the boxes so that you have a variety of people at the table. But that doesn’t truly mean there is diversity of thought or that people actually feel included in their work environment. People tend to focus more on diversity from a numbers perspective, but we need to focus on diversity of thought in the workplace and making sure people feel included there. It’s difficult to do effectively. Every one of us feels more comfortable in an environment that suits us. By nature, if you create an environment that’s extremely diverse, it means that people will feel less comfortable. Not many people necessarily want to do that as a first step!
You need to recognize differences in style and how people want to interact at work. I manage a global team of people in Australia, Singapore, Dubai, Europe, and the US. There’s a very different mix of cultures and differences in how meetings are run. As a Brit, I notice that when I go to a meeting with Americans, it’s quite different than a meeting in India. The way they speak to one another and how they organize the session/topics are different. You have to think about how you can accommodate how you work and enable people’s voices to be heard. Think about how you can be flexible, because the approach you use for one group might not work for another. Also, call it out if you see areas where that’s not happening. Some people are more introverted, they are in an underrepresented group, or culturally it’s not acceptable for them to speak their mind freely. Think about how you can create a platform for these people to share their ideas. Perhaps taking suggestions ahead of the meeting, or structuring a meeting so that it enables each person on the team to talk. The more aware you can be of the dangers of not considering it, the better chance you’ve got of helping more voices into the room and helping people feel like they can contribute and are included.
As a business leader in a global organization, how do you promote both diversity and inclusion?
It’s about having respect for cultural differences. Different countries have different views as to how they see their boss, what information they share with colleagues, etc. I read many books on this and it helped me get some background. But, of course, each individual will have their own context. More and more, in a business like ours, individuals might be from one country but have grown up in another, or had a parent from a different country, so you really get quite a cultural blend. You need to have your eyes open to the individual needs of everyone on your team. Make an effort to appreciate the various cultures and backgrounds of your team members and be humble when you know you’re going to get it wrong sometimes as well.
It’s also good to discuss what people’s personal objectives are. I know my team’s interests and hobbies, which helps me relate to them across cultural barriers. This creates an environment where you see people as people, rather than someone you have to deal with from another country at work. This helps our work discussions and builds strong relationships, which reflects in our team performance.
Thank you, Clare, for a fantastic, refreshing interview!

Posted over 2 years ago