The Big Interview: BAE Systems CISO Mary Haigh

"You can't run around with your hair on fire"

“We had Iggle Piggle on our team” says BAE Systems’ CISO Dr Mary Haigh, talking about the distinctly diverse team of cybersecurity professionals she’s assembled at the aerospace and defence firm.

Who?!

Iggle Piggle, she says, deadpan. 

It takes a moment to click, but she’s referring to a character in a BBC children’s programme “The Night Garden” – as she answers a question from The Stack about examples of unusual backgrounds across her team. 

He is now in another role at BAE Systems (and no doubt out of costume), but it is fair to say that Dr Haigh’s team of security stars is unusually eclectic – and that’s very much by design, from a CISO who considers both diverse capabilities and a good culture utterly integral to what she does.

When recruiting for a Blue Team have you considered someone who's actually blue?

Others, drawn from outside traditional information security backgrounds, include “an amazing woman who ran PPE procurement for care homes for the NHS during Covid,” she says. “We just thought anyone who can organise, in that level of crisis, for that length of time, has got some really interesting transferable skills. We loved her attitude and I can't tell you how much of a difference she's made to our team,” Dr Haigh tells The Stack.

“I hire for attitude”, she adds. “Often the technical skills we can teach.”

“The one thing that is in common with every single one of my team, is that they have all got very high integrity. We don't have to shine a light on a risk [in cybersecurity], because people often don't know what questions to ask. So it's on us to raise the right things and this takes a lot of effort. 

“So integrity is massively important.”

An Astute-class submarine under construction. Credit: BAE Systems.

BAE Systems, the £42 billion by market cap company, has a well-known track record of training and supporting engineering staff, including taking school-leavers right through to MSc level. That ethos stands firm in cybersecurity, where CISO Dr Mary Haigh (one of just eight women CISOs in FTSE 100 firms, last time we counted*) launched its RISE mentoring scheme in 2020 and where she has built a high-performing, diverse team.

Dr Haigh herself has an unusual background for a CISO.

Her doctorate was in 1/f noise (fluctuations whose spectral density, S(f), falls off in inverse proportion to frequency) in semiconductors, and she started her career as a research scientist with British defence lab spin-off QinetiQ, later heading up a team there developing and supporting cybersecurity products.

Asked how that scientific background has informed how she works as a security leader, she takes a moment to consider the question.

“I think the importance of data. There's always an enormous, great big long list of stuff you could do in cybersecurity, and I noticed that the loudest voice often tended to win; that made me really uncomfortable.

“We spent quite a lot of time on different ways of looking at data [to understand] how really should we be prioritising; once you've got data that you can then enter in the normal human conversations of persuading and influencing, but in the absence of data to back that up, it's just emotional opinion. I think that's a good way to handle things. I'm sure my physics background helped with structuring how you look at problems.”

She muses a moment longer: “I also think, as a female… it helped with the (she laughs) ‘don't mess with me; don't underestimate me; I can't think things through; don't patronise me!’"

"When I came into cyber, not knowing anything, I thought ‘for goodness sake Mary! You learned quantum physics; you can learn cyber!' I use it to give myself a good talking to when I doubt myself.”

At BAE Systems, her central team as CISO is approximately 30 people. 

Lines of business then also have their own security leaders who report back to her. A shared services group focuses on “doing the doing” including overseeing the SOC. Her team has diverse responsibilities that include “what does good look like in cybersecurity, the strategy, the Level 2 assurance checking across enterprise systems; making sure that the board and the Executive Committee are aware of our areas of risk,” Dr Haigh explains, describing it as “a lot of shining the lights in the right areas, and getting the right levers in place across the organisation.”

Dr Haigh herself reports to the CTIO and regularly briefs the board – often an initial challenge for CISOs unsure how to pitch their presentations. 

Like many CISOs, she says she uses NIST’s cybersecurity framework to help communicate at the board level. She tells The Stack: “You don't get to be on the board of BAE without being unbelievably sharp and bright. So they ask good questions” – adding crisply that “it doesn't matter who your board is; [you need to] explain things in business value terms.” 


Back to that team-building element: as CISO, she says, she hires both for technical attributes (a senior technical architect was initially a particularly challenging role to recruit for, she says, as we discuss the extent to which the security skills shortage is “real”) and for non-technical ones, because she wants to build a strong culture and an inclusive sense of belonging.

“Thinking about the makeup of your team [and building] culture is one of the most important things the CISO can do,” she says; not just to minimise burnout and churn, or even to lift team performance, but also because the right culture shapes how much influence a security function gains, both in the lines of business and at the board or executive committee.

The door is not opened as wide as it should be

“I think we underestimate how transferable some skills are” she adds.

“The door to enter the cyber industry is not opened as wide as it should be. So we make our lives harder than they need to be. [For example] diversity takes many forms, but women are 50% of the population. So if you're not attracting them, you're missing a simple trick.”

What can help with both recruitment and retention here?

She says: “Mentoring can make an enormous difference. That's gone from strength to strength across multiple organisations [in BAE Systems.] 

“Also, making sure voices are heard and acknowledged. So watching out for meeting culture where people are interrupted… it's quite a fundamental emotion if you don't feel like you belong somewhere. We write case studies every quarter describing an unusual route to cyber.

“They're a really important part of what we're saying: You can still belong [in cyber] even though you've come from all sorts of crazy backgrounds.”

Those "crazy backgrounds" can help people stay calm under pressure, she adds.

"Cybersecurity is hugely ambiguous, you have to be able to make decisions in an ambiguous environment where you don't always have all the answers. Stuff changes, then you need to pivot and you need to change. People say it's a dynamic space, but it really is. And you have to get comfortable with that. You can't run around with your hair on fire."
