With extensive experience in information technology and cybersecurity, Guðrún Valdís Jónsdóttir is a highly skilled and experienced security professional who brings a unique blend of technical expertise and business acumen to her current role as CISO (Chief Information Security Officer). She is highly regarded for her ability to understand complex security issues and articulate them in a manner that is easily understandable to both technical and non-technical audiences.
Today, in her role as a CISO, she is responsible not only for overseeing the company’s overall security posture but also for developing and implementing effective security strategies to protect the organization’s assets and data.
Known for her strategic thinking, technical expertise, and her ability to translate complex security concepts into actionable steps for her team and stakeholders, Guðrún was selected as the Finalist of the Women in Tech awards for the Nordic region, where she was chosen as ‘The Rising Star of the Year’. Under her leadership, Guðrún’s team has established a robust and proactive approach to cybersecurity, effectively mitigating risks and ensuring the security of its operations.
Guðrún is dedicated to supporting young women in the tech sector and currently serves as a Board Member and Vice Chairman of Vertonet and Board Member and CFO of Young Professional Women in Iceland. She graduated from Princeton University with a bachelor’s degree in Computer Science.
Join us in learning more about her journey, and the choices that led to where she is today.
My first question is about your childhood dreams and the problems you wanted to solve back then. What made you curious as a child?
The first thing that comes to mind is the things I liked at school. I always enjoyed studying and learning new things. But I remember being particularly excited about STEM subjects, especially math. I loved math throughout elementary, middle, and high school. Although I wasn’t a fan of the lab aspect of chemistry, I also enjoyed theoretical physics and chemistry. In essence, I liked solving problems that required logical thinking and had a clear right answer. These were typically my favorite subjects when I was younger.
How did you narrow down to your current job as a CISO (Chief Information Security Officer) at SYNDIS? Can you describe your journey to get there?
My journey for the current role as CISO at Syndis, as well as for Security Management consultant work started with my love for math and logical thinking in my earlier years. While studying at Princeton University, I was originally planning to go into biology or molecular biology, but after taking an intro to computer science class, I switched my major to computer science.
I was drawn to the problem-solving aspect of coding and the satisfaction of making things work.
In college, I took a selective course in information security and became very interested in the field. I also ended up writing my senior thesis on an information security-related topic and even considered continuing my studies for a Ph.D. However, I saw a job opportunity for a cyber associate program at Aon in New York and decided to apply. It was a 40-week program, which allowed me to try different aspects of information security such as penetration testing, proactive security consulting, digital forensics, and incident response. After the program, I chose to work in the penetration testing department because I enjoyed the challenge of “ethical hacking” and getting paid to break into things.
I really loved it at Aon, and penetration testing is the coolest job ever. I think it was really good to have a computer science background because I did a lot of penetration testing on websites, and we also reviewed the code behind it. This helped us find bugs in the code while dynamically testing the website at the same time. I learned a lot about security and the most common vulnerabilities that companies are exposed to, as well as the most common mistakes that programmers make. During COVID, I moved back to Iceland and started as a penetration tester, but eventually pivoted into security management. This was a pivotal step in my career, as I took on a role that was less technical and more about managing people and operations.
Could you tell us more about the 40-week program and what were the qualifications for the candidates?
In terms of the 40-week program at Aon, it was meant for recent college graduates who didn’t have a lot of experience in information security. Aon had acquired a cyber security firm called Stroz Friedberg and the program was a part of their cyber solutions department. They hired mostly recent college graduates, with some having academic experience in security-related fields and others, like myself, having a computer science or software engineering background. If someone is interested in joining such a program, I would recommend gaining some knowledge and experience in the field through classes or internships and highlighting that in the application.
That’s great. Not only do such programs give you the opportunity to try different things, but also, they make you workforce ready. It can be a good route for those who are planning a career switch to try and see if it is something they enjoy.
How do you see the shift from being a technical, hands-on ethical hacker to now being in a management position? Do you miss programming and all the cool stuff? And do you enjoy the work that you’re doing now?
Yeah, those are good questions. I do sometimes miss penetration testing and hacking. It usually makes for pretty cool stories and it’s really exciting when you manage to get sensitive information or even gain control of almost the entire company, which I don’t get in my current job. However, I had a hard time picturing myself in that role in the future. I knew that I am a people person and I like interacting with people. I knew that the security management role would give me more of that, as I have to interact with almost everyone to handle different aspects of the company. So, I knew that for myself personally, that’s something I wanted to do. It was interesting to move out of the very technical stuff into a role that requires dealing with things at a higher level. However, I’m very happy that I had gained technical knowledge prior to going into security management, as that helps me understand the underlying reasons for various risks and the technical precautions we must enforce to strengthen our security posture. So, my belief is that technical background can only help if people are considering a career in security management.
Through my current role as a security consultant, I’m also a CISO of two other companies in Iceland, as part of Syndis’s service offering. I end up interacting with many people, and now I’m responsible for making sure that the web app or network gets penetration tested, instead of being the one testing it myself. I’m also responsible for performing risk assessments, implementing policies, and various other things. I enjoy what I’m doing now especially because it has added a lot of variety to my work.
What is the biggest challenge you face at work and how do you overcome it?
The biggest challenge that I’ve felt so far is bouncing a lot of things at the same time, especially if companies don’t have a very mature security program. Then you need to be working on improving multiple things simultaneously. Also, sometimes it’s hard to get buy-in from upper management and to make them realize the importance of cyber security. For example, they may have misconceptions that it is unlikely that they get hacked in the future since they have been operating for 10 years and have never been hacked. But that is not the case. Similarly, another challenge is getting buy-in from the technical side, including programmers or system admins, and making them understand why compliance and policies matter.
Now that you have moved to a leadership position, what according to you are the key factors for a good leader?
One of the big factors for a good leader is cultivating a positive security culture. This means that the leader should work to make people see that security is a supporting unit and not a hindrance to their work. The leader should aim to make processes and procedures as easy for people to follow as possible and to avoid making people’s jobs harder or more miserable.
A good leader should also work to build trust and mutual respect and to create an atmosphere where people feel comfortable coming forward and admitting mistakes. As a leader in security, I’m here to help you make your jobs safer and decrease the likelihood of you making mistakes that could lead to something bad for the company. So, if mistakes are made in the team, I want to know about it as soon as possible so I can start working on damage control, instead of suggesting they get fired or punished or anything like that.
Additionally, a good security leader should work to help people see that security is a team effort and that they need the support of others to be successful.
Whom do you look up to as your mentor? And what inspires you in life?
For the mentorship aspect, I’ve been fortunate in my career to work with some truly phenomenal people, both when I worked at Aon in the US and in my current role. One of my closest co-workers here, Ebenezer, has over a decade of experience as a CISO, and I feel so lucky to be able to seek help and guidance whenever I need it. His mentorship has been incredibly helpful for me in growing in my career and learning a lot quickly.
Another thing that inspires me is my involvement in two organizations: UAK and Vertonet. I’m a board member of both. Vertonet is a supporting group for Women in Technology in Iceland. We have regular events where women come together, have speakers, and visit companies to learn about their operations and technical jobs. This is a great place for women to network and get help, and I’ve seen firsthand how it has helped many women realize their career goals or learn about new opportunities.
I also try to do outreach and mentorship whenever I can, as there are fewer women and minorities in the infosec field. For example, I was the first woman to be hired at my current company, and now there are six of us, which is better, but still a slow increase.
Sometimes I also host science trips where students from universities in Iceland visit companies and learn about what they do, and I try to use these opportunities to inspire and mentor young women interested in the field.
How do you reward yourself for your accomplishments? Do you do it organically or is that something that doesn’t come to your mind?
No, I’m bad at it. I think it’s so easy to get stuck in your hamster wheel and get busy with a lot of things going on, both at our jobs and in our personal lives. Since I’m working for a few organizations, I’m sometimes juggling a million things. So, it’s easy to get lost and forget to reward yourself or celebrate your accomplishments. Actually, it was just last year when I realized that I need to start celebrating the little victories more often and more intentionally.
So how do you handle doing so many things simultaneously? What is your technique behind time management and stress management?
For my time management, I have a personal calendar and a work calendar, everything that I need to do or attend goes in there. As the years go on, I’ve gotten better at time management and I think I have pretty good scheduling skills in general. But of course, I end up feeling overwhelmed sometimes when a lot is going on at work. However, I have a good support system with my family and friends. My friend group is really good at reminding each other to slow down when they notice that someone is in too deep and stressing out so much that they don’t even feel good anymore.
So having a good support network that reminds you to slow down is very important to me.
Do you have a morning routine? How do you spend quality time with yourself?
My biggest morning routine is just to eat breakfast because I’m a horrible person when I have not eaten, and no one would want to be around me. So that’s one consistent thing that I do every morning.
I played soccer for 15 years of my life, from the age of 10 through high school and college up to when I was 25 years old. It was very challenging to manage both the academic environment and yet not skip any soccer practice. It was non-negotiable. Having done that throughout my life has really helped me with time management.
So physical activity is really good for me and if I go too long without it I feel myself getting annoyed and being far from the best version of myself. Now I always try to go out on a run or a walk or just move my body. So that’s something that really helps me with stress and feels better mentally.
Absolutely! And playing sports can also help us deal with failures.
Yes, absolutely. It gives you the grit that you need to not give up during tough times. It teaches you how to lose, which sucks, but it makes you experience that feeling and how you don’t want to feel it again. It also shows you the importance of preparation and how it affects the outcome.
Playing soccer has also helped me with team-building skills and interactions. When you play on a team, you also learn to handle different people and personalities and what works for each of them. So yeah, sports played a very big part in my life in terms of all of this.
How do you cope with failures, and can you share some tips or advice around it for people who face failures?
In most cases, when I make mistakes, I will be the person thinking a lot about the mistake I made and being like, “Oh my God, that was so bad or embarrassing.” But turns out no one else is thinking about it like that, everyone is just thinking about themselves. Obviously, as long as the mistake is not the worst thing in the world to have ever happened, no one is still thinking about it shortly after it happened.
So, it’s not the end of the world if you fail. Just get back up, prove yourself again, learn from your mistake, and move on. I know it’s hard, but I try to remind myself of this, and it has helped me the most during tough times.
Lately, AI is bringing a lot of changes – we have more advanced algorithms coming into play. In your opinion, how will AI improve or worsen security in the future?
That’s a good question. It probably depends on the aspect you’re looking at it from. The first thing that comes to mind when you said this is the new ChatGPT. We were just talking about it at work earlier today. So, you have one end of the spectrum where it’s like leveraging AI in infosec, and then you also have the aspect of incorporating AI into infosec.
But the newest advancements in AI and ChatGPT are just crazy. I think it’s going to revolutionize a lot of fields, not just knowledge or infrastructure, but all the incredible abilities it has.
You can’t just use that and get rid of the humans, not yet at least. After all, it’s still not perfect, because it’s not working off of a perfect set of data. But I think it’s going to minimize our work and make it a lot more efficient. Perhaps you can’t get perfect answers, but you can get a lot of inspiration from there that relates to infosec, for example, writing policies, procedures, reports, or writing scripts to help you manage other essentials at work. Of course, it’s a cool starting point, but we need to make a conscious decision on to what extent we want to use it.
According to you, what will be the biggest boom this year in terms of technology?
I think it’s going to be exciting to follow the development of AI this year as it has been growing so fast. And now, the use of ChatGPT is in the hands of the public, so I’m really excited to follow that development and see how people will use it in their daily lives and in their careers. So that’s something that I will be definitely following this year.
What is your definition of fun and how do you have fun on a day-to-day basis?
My definition of fun, I guess is just forgetting about everything and letting myself be in that specific moment. To me, it often looks like hanging out with the people that I love – my friends and family, and spending time with them.
What’s the definition of success to you and what is your life advice to our readers?
One aspect of success to me is just accomplishing goals that you set for yourself. For example, a goal could just be that I’m not going to do anything this weekend, or it could be that I want to get a specific job or a promotion. And then accomplishing these goals is a success. But I think success looks different to everyone and people’s goals are different, so I also think it’s important not to compare your own success to someone else’s.