Our team recently met with Jelena Zelenovic, Senior Unit Head Op. Risk & CISO at the European Investment Bank. She tells us more about her current mission within EIB and discusses initiatives to promote the role of women in the financial services industry.

Can you tell us more about your professional career and your current missions within your company?

I have majored in IT engineering as an undergrad. Later I worked towards an executive MBA at the University of Toronto and received my CISA and CRISC certifications. I believe I was lucky from early in my career that I followed the path of cyber from the start, and was encouraged by my parents to follow the STEM studies, which I loved. I started as a consultant in the early stages of SOX and was lucky enough that I had a much-needed experience at that time. I was then supported by excellent managers to pursue it further and get my CISA certification. From then on, I just continued in the field, advancing as time passed. From one global organisation to another, I kept acquiring more knowledge and skills, which was (and still is) very crucial to continue in this fast-paced environment where things change almost daily. The career support, I also received moving to Europe, was again very beneficial. I was able to offer that knowledge to organisations here and to advance the practices further internally, all while growing my professional knowledge along the way. I believe, at a certain point, the opportunity showed up, and I was blessed enough to move as a CISO for the European Investment Bank. In general, in my case at least, I have spent my studies and my whole career in this field, and having the passion for what you do is the key to drive you forward to success.

As for missions, people usually associate our skills only with specific technical requirements. However, I think outside of our field, there is a stigma that a CISO is only technical and understands limited technical requirements for their job. I see the skills of CISO being quite diverse. I’d say that 50% are technical and 50% are people and business skills. Our role is very transversal, and we need to collaborate with the whole organisation, regardless of projects/initiative that comes our way. We need to, hence, understand business and their needs, requirements in terms of business, and terms of security. We need to ensure good relationships with everyone, such as DPOs, IT Security, various business units, CFOs, CEOs, and senior management in general. Our recommendations are not always welcomed by all and might seem inflexible, so we need to have an understanding as to how to cascade such blocking points to business and have them understand the reasons behind our actions. At the same time, we need to be understanding of others and their pressing matters. This is where we face the challenge, and need to know how to effectively and efficiently identify areas of critical importance, how to establish a partnership with key stakeholders, how to identify crown jewels within the organisational value chain, how to map business risk to technology risk, and finally, how to define and implement sound information security strategy that would foster security as a business enabler and not an obstacle. I’d say that the role of a CISO is not to manage technology, although information and communication technology is in the heart of corporate digital transformation. The crown jewel is information, and the role of a CISO is to manage the risk that could prevent organisations and people from making value out of information.


What are your biggest professional achievements? Why?

I love the job I do, and it has been something I have done all my life, from the very first day of my career. Hence, one can say that all the good, the bad, and the ugly that comes with it is good if you have the passion for what you do. I love challenges and constant learning that this field provides and requires from you. Working with technologies and people to solve the problems, all while educating the business about risks, is quite rewarding. The field of information security is a constant growth and constant challenge in managing the evolving threats; however, at the same time, immensely satisfying and rewarding. I think with this, as with any work, if a professional lacks challenge and a sense of purpose at their position, it will impact the satisfaction at the workplace. I believe the biggest achievements are taking risks that I have taken throughout my career and embarking the field and studies that are still to this day very much male dominated studies and profession. One anecdote from my personal life that I usually like to share is my decision to move continents, North America to Europe, to be (with my now) husband. I was not even sure what I am getting into regarding my career and the next steps, and I also left a very good job that I had in Toronto at the time, but I had confidence that I would make it. And with confidence and knowledge, one can do incredible things! I think the risks you take can pay off if you believe that you can succeed and you believe in yourself. Leaving the continent was perhaps one of the major milestones for me. While I have learned a lot in North America concerning our field of work, I was very glad to see that I can very much apply it all and share that knowledge back in Europe. It was an instrumental part of my career and learning, and I am grateful for all the experience growing up and later on acquiring knowledge during my education and vast experience of working after that in the global private sector in Toronto, and now in EU institutions (16 yrs and counting!).


How, almost on a daily basis, do you promote the role of women in the financial services industry? What else should be done?

Some of my general principles, that apply to both genders, but I really encourage women to follow this even more so:

- Remain focused on your dream, your heart’s desire, your vision, your reason for being, your mission in your life; if you don’t know what that is, I strongly recommend that you work on this part of you. Get acquainted with yourself and know your intrinsic values, beliefs, morals, and what you will not settle for.

- Know and understand your role and your responsibilities.

- Be prepared to think strategically and conduct yourself in a manner that lends itself to the credibility and integrity of your work; in such facets as planning, developing, implementing, building, and all the while maintaining a standard of excellence.

- Surround yourself with allies and experts, but first and foremost, always trust yourself. If you have even the slightest niggle in the pit of your stomach, check and check again. Those that will surround you will complement, promote, and enhance your knowledge, your talents, your brilliance; they are people who will have your best interest at heart, those you can count on.

- Learn to rise after a defeat and keep moving forward; no time for self-pity; be fearless in knowing that you’ve got this, no matter what curve ball people or life will send your way.

- Be clear – on your life and work mission, remain compassionate, kind, empathetic, and generous through it all; it does not mean that you are weak.

- Remember to do all of the above and still maintain a healthy relationship with yourself, in life and work; this is the infamous word ‘BALANCE/SELF-CARE.’ It is an art, and well worth it. No pressure! This career, like life, is not for the faint at heart.

- Document everything you do. As a CISO, it is crucial that every step of the way is documented and can easily be traced back and referred to.

- Provide professional training sessions, be constantly aware that to have a robust HR infrastructure in Information Security, one must continuously build the capacity of the human capital in this high-risk area. Be mindful of the potential or existing risk factors. Be mindful of the warning signs! An analytical mind and spirit are critical. However, finely developed intuitive senses are also an asset in this industry.

I would like to add that I believe that we are gifted with the natural ability to plan, prepare and deliver in times of crisis intrinsically or when significant events occur. No matter how devastating, we have the innate ability to ‘roll with the punches’, while sustaining our credibility and integrity and remaining whole, no matter what work or life will throw our way. I am a firm believer that an ounce of prevention is worth a pound of cure and that it is critical to us, as women, to realise what all we have, over and above our intelligence. Of course, given opportunities and sometimes permitted to follow through on matters that are forward thinking.

There is a lot more to be done and I will share this exact next steps in the question following this one below!


Can you share with us some initiatives or projects you participated in, in order to promote the role of women?

Definitely as I am very much involved in this!  I was recently also elected as a President of Women4Cyber Chapter Luxembourg and Women Cyber Force Association, along with other 10 incredible female founding members. Women4Cyber is established as part of the European Cybersecurity Organisation’s Women4Cyber Foundation, Women4Cyber’s aim is to boost women’s participation in the field of cybersecurity. The idea of setting-up an Association (Women Cyber Force) dealing with this social and economic problem comes from the wish to bridge this gap, to find a concrete solution.

Women Cyber Force puts together cybersecurity professionals, with different nationalities, education, backgrounds, who want to raise up their voice and inspire and help future generations to better understand the importance of women in this sector. In Luxembourg, the female workforce's distribution is still very concentrated towards specific sectors (e.g., health sectors and education), and overall, women represent only 38% of employees, and less than a quarter of employees in ICT are women. In addition to the shortage of females in the field, the gender imbalance and pay grade variance in cybersecurity is evident across the globe, and it should not come as a surprise that Luxembourg would be dealing with the same matter at hand. Through the WCF--with 11 female founding members working in a range of fields from  ICT to legal--we want to create long-lasting career choices for women, either via mentoring and empowering or via keeping a network for future work opportunities within the field and helping each other.  More specifically, our objectives are to:

– Increase the role of women in the field of cybersecurity, by promoting professionals and facilitating access to professions in this field;

– Contribute to raising public awareness on this subject, in particular, by organizing conferences, communicating documentation and actions or partnerships in training;

– Create links in Luxembourg and abroad with any entity concerned and interested in this same subject of cybersecurity;

– Support EU’s gender strategies.

The group aims to make more urgent the goal of getting girls and women interested in cybersecurity. Mixed partnerships will help allow the initiative to run training courses, and the team is hoping as well to launch its first hackathon, more information about which should be forthcoming. For more information I strongly encourage all to visit us on our website: womencyberforce.lu and also to keep checking our news section as we have already some interesting materials for all to see!

Publié le 29 mars 2021