It’s Lynx’s mission to provide the diverse cybersecurity resources and tools companies need to demonstrate mature GRC practices that deliver measurable business value. As Lynx’s Senior Director Risk & Technology Services, Robyn Yaniero Marsi provides the leadership, expertise, resources, and guidance our clients need to succeed. Her recent recognition as a top woman in cybersecurity is a testament to the value she has delivered over her 30+ year career.
In this interview, Robyn shares how a degree in education evolved into a cybersecurity career and offers her advice on how companies can build best-in-class GRC programs through innovation, diversity, and inclusiveness.
What made you pursue a career in cybersecurity?
I didn’t set out to pursue a career in cybersecurity; the career pursued me. Until I joined Lynx in 2021, I spent my entire career in the financial services industry. The majority of those years were spent in risk and compliance and third-party risk management roles. Back in 2007, cybersecurity wasn’t a well-defined focus of third-party risk management. Over time, the shift from risk and compliance to cybersecurity was a natural progression.
At AIG, I was responsible for managing the technology team in charge of building and implementing an enterprise-wide governance, risk, and compliance platform across 13 lines of business. The experience taught me that a successful GRC program is built at the intersection of business and technology. With the best of both worlds at my fingertips, I was able to understand the requirements of many business groups and also hear their concerns firsthand. Those dialogues made it clear that GRC is so much more than technology.
Today this deep understanding of business and technology issues helps me be a more effective advisor. I can listen to the business needs and concerns of our clients, translate that information into GRC requirements, and help drive clients to the right technology solutions.
If you had it to do over again, would you still pursue a career in cybersecurity?
Absolutely, because cybersecurity is innovative. It’s evolving. There’s so much to do. Just like technology, the cybersecurity domain is always growing and expanding. I don’t think it’s an area or a field that is going to become irrelevant one day. That makes cybersecurity an exciting and fulfilling career.
What value does diversity in leadership bring to cybersecurity?
In any field, diversity in leadership brings a wealth of knowledge, experience, and varying perspectives to an organization. Also, diverse leadership can boost employee retention rates. People want to feel accepted as part of an inclusive culture, free to express their unique ideas, and grow.
Diversity is especially important to cybersecurity because security teams have to be agile, adaptive, and open to new ways of thinking. A diverse management team encourages a diverse workforce. In a continually evolving field, new perspectives help organizations stay one step ahead of threat actors. When leaders treat resources as assets to the organization, employees feel encouraged to use their full skillsets and employ “out-of-the-box” creativity. Not getting boxed into a single lane of thinking can be a company’s greatest asset.
What hurdles need to be overcome to encourage a more diverse cybersecurity talent pool?
I think there’s always been a stigma around technology, especially when it comes to women. In my own case, I was never really interested in technology. So how did I become one of the very few women in technology, let alone cybersecurity? Honestly, very few cybersecurity professionals begin their educational journey thinking, “I want to be a cybersecurity expert!” I didn’t. I earned my degree in early education, which prepared me to be a teacher.
Today many universities are launching formal information security degree and certification programs, but the field is still relatively new. With a narrow talent pipeline, we can’t expect to solve the diversity dilemma by posting job descriptions that demand a technical college degree, multiple certifications, and years of cybersecurity. Instead, companies should recruit people with the right soft skills and an interest and aptitude for learning the technology side of security.
The best cybersecurity professionals are good collaborators, communicators, and critical thinkers. We need to get more creative in how we identify and pursue candidates with these qualities. Outreach programs can help inform underrepresented communities about the incredible variety of career opportunities in cybersecurity. Better outreach paired with paid internship programs will create new paths minorities can use to join the cybersecurity workforce without formal education or experience.
In my opinion, all companies should be investing in cybersecurity upskilling and reskilling programs. This is the best way to close the cyber-skills gap. Internal training, education, and certification programs will help a wider demographic of recent graduates, veterans, people transitioning from other careers, and employees with an interest in cybersecurity learn and grow into more skilled cybersecurity roles.
What factors weighed into your decision to join Lynx?
When I was laid off by AIG in 2020, I decided to take early retirement. I needed a break from corporate life and cybersecurity. At the time, I was serving on the Lynx Advisory Board and had been since a friend introduced me to Aric Perminter in the early 2000s.
When the Lynx COO asked if I would join the company, the word “YES” automatically flowed from my mouth. I knew in an instant that I couldn’t pass on the opportunity to work for a smaller company that was living up to its potential to do big things unencumbered by corporate red tape.
I was truly energized by the offer, knowing that I could bring all that I learned in my 33-year career to an organization that would value me and my expertise—even though I had no consultancy experience or strings of letters after my name.
Today, I can honestly say that I was absolutely right about my decision to join Lynx. Being a part of the team that helps clients realize their GRC goals and invests in diverse cybersecurity workforce development has more than surpassed my expectations over the last two years.
What GRC issues are companies struggling most to overcome in 2023 and why?
In general, keeping pace with GRC requirements is a constant battle. GRC is always changing because technologies and security threats are always evolving. Cybersecurity teams can easily become overwhelmed by rapidly changing business requirements, like digital transformation and remote work, and emerging technologies, like the Internet of Things (IoT), artificial intelligence, the Metaverse, virtual reality, and cloud computing. As more people and data go online, cybercriminals gain more avenues to exploit.
A well-functioning cybersecurity program is critical to an effective GRC strategy. But that strategy should start from the top and be integrated into the entire business. Instead, governance is still very fragmented in most companies. People are not connecting the dots, so companies are not getting measurable results from their investments. Having the right technologies isn’t enough. Companies need to invest in people and diversity to bring forth the best solutions in a constantly evolving risk and compliance landscape.