Gamechangers in Resilience: Across the Board

In today’s fast-moving business world, adaptability is crucial for a company’s success. Our ‘Gamechangers in Resilience’ interview series honors influential leaders who excel in being flexible and resilient at work and in their communities.

These exceptional individuals not only help their teams and communities thrive during tough times but also inspire others by their own example. iluminr recognizes their accomplishments, shares their experiences, and salutes their unwavering commitment to success, even when faced with significant challenges.

October is Cybersecurity Awareness Month, a time when we focus on the critical importance of safeguarding our digital world. At iluminr, we are proud to support this initiative by highlighting the exceptional stories of cybersecurity leaders. These individuals have not only protected their organizations and communities but have also fostered an environment where innovation and growth thrive in the midst of cybersecurity challenges. Their inspiring journeys serve as a testament to the power of resilience in the realm of cybersecurity.

An experienced business owner and leader, Karla Reffold is passionate about values-led leadership and people development. Karla founded the international recruitment business BeecherMadden in 2010, before it was acquired in 2017. In 2020 she joined Orpheus Cyber as COO. Orpheus is a threat intelligence company with a SaaS platform that helps organisations manage their own risk, and that of their third parties, with an easy-to-understand cyber risk score.

Karla is an industry awards judge and the host of industry interviews on the Cyber Talks media platform, the Capital Tea podcast and the Zero Hour Podcast. She is also an experienced speaker on the topics of cybersecurity and women in technology.

In 2019, Karla was recognized in SC Magazine’s Top 50 Women in Security.

This May, Karla joined our panel discussion The Big Resilience Reset: Cybersecurity SOS to provide insights on how leading firms prioritize the things that matter for cyber resilience. This article is an expansion of that dialogue.

 

Q: With your diverse background in operations, marketing, and sales, how did you transition into the cybersecurity field, and what motivated you to take on your current role?

Karla: I started working in cybersecurity in 2012 when a client suggested I pivot from Governance, Risk, and Compliance (GRC) to “this new cyber thing.” It turned out to be a great choice and one I made very quickly. I had a recruitment business that serviced the cybersecurity industry so I always felt like I was on the periphery of the industry, albeit with a great overview of the market. Having run a business already, moving into a COO role was a pretty easy step.

But in my current role, I’m truly in the industry working in cyber threat intelligence. Working in a cybersecurity business was a big motivator for taking the role. Being able to use my business skills and the great network I’d built to provide a solution that helps companies defend themselves.

 

Q: Orpheus Cyber focuses on cyber threat intelligence and risk rating. Can you share some insights into how the cyber threat landscape has evolved over the years and the unique challenges it presents for organizations today?

Karla: The issue used to be how to get enough intelligence as organizations weren’t always willing to share what they knew. But that has changed over the years. I think cybersecurity professionals are great problem solvers, so they fixed that issue!

What we have now is a landscape that changes often and changes fast, and access to a large amount of cyber threat information. The challenge really is how to know what to listen to and how to prioritize. Orpheus can help with that, but even we sometimes have to balance a client’s desire for as much information as possible alongside their need for truly actionable intelligence.

 

Q: In your experience, how can organizations strike a balance between innovation and security when implementing cutting-edge technologies to enhance their cyber resilience?

Karla: Almost everything in technology has a risk so that balance comes from deciding your risk appetite and managing your risks according to that. In risk ratings, one company’s score might be way beyond what they find acceptable but that same score might be acceptable to another company. I think that’s exactly how it should work.

AI comes to mind when talking about innovation at the moment and the same thing applies. What risks can you identify from using a new AI tool in your business? How can you mitigate those risks? If they can’t be mitigated will you accept them? Is the innovation worth taking the risk for? Those are the key questions companies need to answer.

Q: How do you see the intersection of HR and cybersecurity evolving, and what should organizations consider when nurturing a cybersecurity-aware culture among their employees?

Karla: I’m not sure that these teams have gotten close enough yet. We blame HR for poor hiring practices in cybersecurity and we pass the responsibility for cybersecurity culture back to cyber teams.

I think there is a lot these teams could learn from each other.

 

Q: You are also a LinkedIn Learning Instructor. What cybersecurity topics do you find most crucial for professionals to learn about, and what advice would you give to individuals looking to build a career in cybersecurity?

Karla: Cyber threat intelligence 😉

Although I do believe everything starts from the threat and you can’t have an effective security career without understanding that. And anything about risk management and resilience. If we understand how companies think about risk, we can understand how to speak to the business more effectively and mitigate more risks.

If we recognize resilience as being the end goal of cybersecurity, we can implement better security programs.

 

Q: You also serve as a non-executive director and board advisor for multiple companies in the cybersecurity, recruitment, and consulting sectors. How do you think about the board’s role in driving change?

Karla: If the board doesn’t care, the company won’t care. That goes for everything in the business, not just cybersecurity.

Boards are being forced to care with the new SEC rules and because of how serious a risk a cyber attack is. We have a little way to go to make sure the board understands what to do about security and for security to understand how to educate the board but I think we are closer to closing that gap than we ever have been.

 

Q: How have conversations in the boardroom around cyber evolved in recent years?

Karla: People used to complain that the board ask absolute questions – are we secure or not? And had little education on the complexities of cybersecurity.

Asking things like “why can’t we just patch everything?” I don’t hear those types of complaints anymore. Now the conversation is more about who is educating the board. Is it the CISO or internal team or are they taking outside advice?

That can have a big impact on how successful the CISO can be.

 

Q: Why is talking about diversity important for the cybersecurity industry, and why is it essential for the field’s success?

Karla: There are more studies than I can list that explain why diverse teams make better decisions and have better business outcomes.

If I think about cyber threat intelligence, we need a diverse team so that we can analyse more effectively.

People who speak different languages or have different backgrounds can understand threat actors and their motivations in different ways. We can’t risk groupthink here as we might miss something that allows the threat actors to get ahead.

 

Q: What is the leadership playbook you are writing for yourself in real-time?

Karla: The question I am always asking myself is:

How am I helping this person develop in their career?

I try and understand their goals and balance the work I need with projects or feedback that move them closer to whatever their goal is.

That plays out differently for almost everyone I have ever worked with but it really comes back to that question every time.