Product Security and Psychology with Helen Negre, CISO Siemens USA

Helen Negre is the Chief Cybersecurity Officer for Siemens USA, overseeing IT, OT security, and product security strategy and operations in the critical infrastructure and transportation sectors. She sits on the Siemens Product Security Board in the Data Privacy Working Group, and is passionate about ensuring the utmost security in Siemens products.

Helen sat with the Left to our Own Devices podcast to discuss product security, learning, and her journey.

Like many seasoned security professionals, Helen Negre has been protecting devices and the data they hold since long before the term ‘cybersecurity’ was coined. In fact, she was working with securing devices in the tech field before she had a degree. However, shortly after studies in Computer Science and engineering, she turned to psychology– allowing her to understand not only how people penetrate secured systems but why.

“I was working in tech before I even got my degree,” said Helen. “For me, and I think for a lot of people, early on before cybersecurity was a thing or information security had been developed, you were working with computers and your job was to make sure things didn’t go down.” As challenging as that was during that time, it was a whole other concern to ensure that private data stayed private- meaning it was the job of technology professionals to make sure that nobody could tamper with the environment. 

Helen reflected “Honestly, that’s security, but we didn’t have a word for it then. It was just a part of being a systems administrator, being in IT.” However, the human factor would keep her away at night. She aimed to educate people around her on what they’re using and how to think about cybersecurity. Teaching people how to help people use their tech, how to be safe on the internet, and looking at new ways of approaching things. 

This led her down a journey of curiosity that eventually led to Digital Forensics and countless other projects that have seen her secure thousands of products. 

Product security in itself is not anything new. We’ve been deploying connected devices for some time. What’s different now is that the conversation is being forced through legislation- requiring companies to take more accountability in a standardized format. 

“It’s been there, but it hasn’t been given the global attention,” said Helen. “I think that the global attention is coming from the realization that these products make up the backbone of our economy, of our way of living. Our world is so interconnected that these products are vital to our continued existence.” Decades ago, technology was limited to some specific advanced machinery. 

It’s not difficult to make a personal connection to this technology and want to protect it on a personal level. To understand the importance of product security is to understand how embedded it already is in our day-to-day lives, whether people are aware of it or not. If something were to happen, it wouldn’t just be a day of no work, critical systems that we rely on to survive will fail.

Security posture is not about the latest tools or even the level of security on a system. According to Helen, based on various studies, 40-50% of cybersecurity incidents are traced back to human error. It can be as simple as someone clicking on a wrong link, accidentally issuing new credentials to an imposter, or an insider selling private data for personal gain. Helen stressed, “While technology poses its challenges it still needs a human to interact with that technology, both on the offensive and the defensive perspective.”

It’s on all of us to make sure that beyond implemented tools, people know what to look out for. Similar to ‘if you see something, say something’ campaigns, “You really need to make sure that you have a robust security posture on your technological defenses, but also in those training programs,” Helen continued. “You really want to make every person in your organization feel like they are a champion of cybersecurity, like it’s their responsibility to keep the organization safe.” 

Much of the conversations around product security and securing critical infrastructure has come from the executive level of the US government- much of it directly from President Biden. 

However, impactful security is only possible with collaboration, bringing its own logistical challenges. As the federal government looks to gain better insights from the private sector, they came to Siemens to help bring together the ecosystem.

At Cybershield 2023, they focused on technology for a major product that keeps economies moving but is often overlooked- rail. 

Trains, which carry food, cargo, and people are data centers on rails, connecting with numerous other connected devices along its route. For trains that carry passengers, there’s a lot of technology on board, including location data, entertainment, and safety-critical systems. 

When it comes to ensuring the safety and proper operation of trains, Helen stated, “We are given the responsibility with our customers, the railway operators. And the responsibility of making sure that that is always a safe environment.” Public-private partnerships allow enterprises like Siemens to partner with the federal government to keep the ecosystem defended, ensuring that operators take proactive measures rather than reactive ones. On the governmental side, it allows for agencies to have a plan to continue growing robust and secure infrastructure.

Assisting government in creating impactful legislation is vital but there is also a recognition that bolstered cybersecurity comes with a cost that small to medium businesses can shoulder. While Siemens and other enterprises can make the security investment, how can other companies keep up? 

“Cyber threats don’t discriminate based on size,” said Helen. “This becomes more of a topic when we’re talking about supply chain security- these smaller companies might be our vendors. There’s more and more legislation where we have government entities trying to get ahead of the cybersecurity threat, yet it is harder and harder for smaller companies to meet that need. I’ve spoken to smaller companies and I’ve heard things like a fine is going to be less than the implementation.”

When companies have to decide whether to implement security or take a fine for not complying, it goes beyond their own organization to threaten the entire ecosystem. Siemens works with companies to create a secure supplier management plan and know what milestones will give the most ROI by breaking it down into smaller pieces.

Beginning any new professional journey is a challenge but when it comes to cybersecurity, there’s an opportunity for everyone, since it’s a discipline that thrives on new perspectives. While experience in cybersecurity or IT systems is helpful, what’s needed most in an age of a skill shortage is people who are curious. 

As a member of the Siemens Mobility Women’s Empowerment Network, Helen shared some tips for beginning and growing a cybersecurity career. They include:

• Resilience– Remain true to your unique perspective and leverage it to expand the minds of others.
• Mentorships– Listen to those who have walked the path that you are now on and want to see you succeed.
• Curiosity– Tomorrow’s solutions will require strategies we have yet to build.
• Merge technological know-how and vision – Understand what’s practiced today within technology and envision what can be achieved through new approaches. 
• See challenges as stepping stones– Everyone makes mistakes and falls back, learn from them. 

While Helen Negre’s accomplishments are nothing short of impressive, her message of education, collaboration, and curiosity is what’s needed to continue improving our defense capabilities and shaping the leaders of tomorrow.