Interviews 11.12.2025
Getting to Know: Helen Rabe, CISO, BBC
Never has a profile interviewee surprised me as much as Helen. It’s an absolute pleasure to present this excruciatingly candid tell-all with Helen Rabe, CISO, BBC.
I’ve never even attempted to open a profile interview with a one-word description of my subject, but today it somehow feels appropriate. Helen is unapologetic. She’s unapologetic in her beliefs, in her character, in her role. And it’s an honour to introduce you to her.
During our time together, I share this observation with her: I’m not sure I’ve ever met anyone as unapologetic, authentically raw, and radically candid as you, I tell her. “Are you going to judge me for it?” she asks, and when I shake my head and tell her that, if anything, it makes me respect her more, she fires back: “Even if you did, I wouldn’t care. My most powerfully defining moment as a human being was the day I realised I love myself, I’m my own best friend, and I know that makes people very uncomfortable.”
I’m fascinated by this powerhouse who embodies so many contradicting traits. But I’ll allow those to unravel through the words of this interview. If you’re purely here for an insight into what it’s like to be the CISO at the BBC, you can skip ahead to the section titled ‘Joining the Beeb’. I have to say though, you’ll be missing out. Because Helen’s story is worth knowing.
Swept up in Helen’s Porsche as I jumped off a train at her local station, I was within minutes presented with some very colourful personal views on society and politics, and given a crash course in her personal life, too. I’m delighted. There’s nothing better than an interviewee with an apparent lack of filter: intelligence, an impressive vocabulary and a candid openness ooze out of Helen. As we get to the pub and she (very meticulously) parks her impressive wheels, I am practically beaming knowing I’ve got her undivided attention for the next few hours.
Helen is one of the most extroverted introverts I’ve interviewed. When I tell her this, she says that after our interview, she’ll be heading home to decompress. “I’ll read some of my Asterisk books or some comics or something, and just allow myself to decompress. It’s the paradox, right? People will meet me and say, ‘She is such an extrovert.’ My natural disposition is not at all extroverted.”
I’m interested in how her team would describe her. She pauses when I ask her this, before laughing out the answer: “anti-social.” But then she continues: “They’d tell you I’m tolerant. For me, tolerance is the ability to stand back, accept a situation that’s beyond your control, and understand that it’s not yours to own. Oh, and they’ll tell you I have Machiavellian tendencies. I observe, I watch, and I play political chess. I understand that organisational politics are a necessary thing for us to navigate, and I know I’m their shield.
“I’m not built to be a leader, but I have a responsibility to my team and organisation.” She struggles with big groups of people, favours peace over bustle, and admits that she therefore has to mask a lot at work to “handle the volume of noise” she finds overwhelming. Unsurprisingly, she describes that as both “challenging and exhausting,” yet when I ask whether she ever wishes she had a job where she doesn’t have to do that, which seems a reasonable question given what she has divulged, she looks at me like I’m mad. “I chose this career, I chose this job, and I love what I do,” she says.
“You know that ‘bring your authentic self to work’ thing? I can’t do that, and you shouldn’t encourage that. I’m candid and open with my team, but I am blunt with my candour, and that would crush the spirit of some people and inadvertently make people recoil into themselves.” Is the candour a cultural thing? I ask. Helen nods, “and it’s a Helen thing. Someone once said my epitaph is going to be ‘diplomatically assertive to the end!’”
If ‘diplomatically assertive’ is the end, then ‘feral’ was the beginning. Helen describes her childhood as a “feral adventure, a beautiful way to grow up.” The daughter of a mining engineer, she travelled a lot and, though born in Zimbabwe, grew up in a little town called Swakopmund in Namibia, right on the ocean. She recalls watching movie reels on a sheet on the wall, and fondly reminisces about weekend camping trips in the desert, fishing on the coast, and adventures in the Bush.
She flits from oxymoron to oxymoron when describing her childhood, using language like “light and fun” but also “unsettled and nomadic” and talking about how she was taught basic survival skills from a very young age, needed strong situational awareness, and owned a Swiss Army Knife by the age of seven.
Moving to South Africa sparked Helen’s interest in tech. “We got our first television, my parents got an Atari console, and my family became gamers.”
Helen credits moving around as a child with her personal resilience, but also the reason that she doesn’t make friends easily. “They didn’t stick around because of how nomadic my life was, so I grew up self-sufficient, accustomed to not having a dependency on friends.” Even today, Helen has only a small but tight-knit group of friends. “They accept me for who I am, they don’t expect me to respond to text messages instantly, and they get that my time is very precious, so they’re not a drain on me.” I have to contain a giggle; I don’t think it has ever even entered my consciousness that friends could be a drain.

In a classically nomadic move, Helen travelled to the UK on her own on a two-year holiday visa in the 90s. She had dipped her toes into the tech world before leaving South Africa, building VIP databases for a hotel. “Before that, I was a qualified junior firefighter,” she says as if it’s barely worthy of note. “We’d just come out of apartheid, the sanctions were being lifted, and as I had a British grandmother, I thought I’d try the UK.”
She started temping as a PA, but, showing aptitude for database work, she moved into business analysis and then quickly progressed through project management and service delivery management. “I did the full IT systems life cycle in the Nineties and Noughties. I was working on network projects with a security component, and even though it was on the periphery, I was fascinated. But there were so many barriers to entry, and I didn’t have the tech experience, so I couldn’t get close to it.”
And then serendipity threw her a bone. A cybersecurity compromise at the company where she was working allowed her to manage the response. This lived experience then opened the door for Helen to contract as a ‘fixer’, someone who would go into financial services companies after they’d been compromised to keep the breach confidential and perform remediation. “I built up a reputation, and out of the blue, I got a call to support Costa Coffee on a cyber issue.”
After her remediation work, she wrote a report of recommendations advising on a governance structure and the creation of an ISMS aligned with corporate strategy. “The MD at the time asked me if I could do it, so I said yes – I’m an opportunist by nature.” Helen grabbed the Head of Information Security role at Costa with both hands, “and loved it”.
This turned out to be the first in a succession of increasingly coveted roles. Helen next landed as the CISO of EMEA for CBRE and departed only when she stopped being able to see the outcomes of what she’d designed due to a global centralisation restructure.
That brings us to 2019, when Helen accepts the role of Global CSO at Abcam, a life sciences company in Cambridge that develops and manufactures antibodies. “Let’s roll forward to March 2020, Covid hits, and antibodies just became one of Google’s most-searched words. We were supporting COVID-19 research, and the Nation-State threat became very real. We had to grow up very quickly,” she recalls. “My time was spent building out controls and maturity. It was consistently busy, and doing everything virtually was even more challenging.”
Reflecting on her first three CISO roles, Helen finds a common thread among them: “I was building greenfield, low-maturity environments into mature, controlled environments.” And then came the BBC, which can only be described as an “established powerhouse.”
“I didn’t go to the interview at the BBC to get the job. I went because I thought it would be good muscle memory.” Despite being headhunted for what is undeniably a dream job for any CISO, Helen didn’t even contemplate getting it. She recalls telling her mum (who she lives with) that she’d been offered the role. “She said, ‘Are you alright? You don’t look thrilled,’ and all I could think was I’ve got to do the job now. I’ve made my bed, now I have to lie in it.”
Shock aside, she was, of course, elated. I’m desperate to understand how it felt that first day walking into that iconic building. “I was starstruck. The meeting rooms were named after BBC personalities, and I remember answering a phone call one day and describing my location as ‘in between Mary Berry and David Attenborough’,” she laughs. “Sometimes you see well-known personalities just casually walking around. It’s just a privilege to be part of,” she says.
But there’s also a notable discomfort when she’s talking about her role at the BBC that I can’t initially put my finger on. Ten minutes later, it becomes clear. “I sometimes cringe at my job title. I’ll go to an event, and people go quiet, maybe because they’re sitting at a table with the CISO of the BBC who, according to their perception, is elevated above them.”
She explains that her role comes with automatic kudos, which she finds uncomfortable. “I don’t like the ivory tower pedestal thing,” she says, “because that’s a long way to fall.” And besides, she adds, “I’m successful because of my team (which, by the way, consists of 80 ‘exceptional’ people), so at least put them on the pedestal with me.”
At the BBC, CISOs don’t have a 100-day plan as they do in so many other companies. When she joined, the CTO (who she reports to) was clear: “This is complex, it’s noisy, and for the next few months, just meet people, and learn. I knew right away that you can’t walk into the BBC and be a revolutionary. It wouldn’t be a successful strategy.”
I ask Helen what the biggest challenge is as the BBC’s CISO, and strap in for her response. “Everything,” she says, unsurprisingly. “There’s Nation State threat, because the editorials from Gaza and Israel, for example, cause so much contention. We then have insider threat, thinking especially about our freelance network, and we have very high-value targets like Tim Davie,” the Director General of The BBC, to name a few of the things that keep her awake at night.

“Let me tell you a story,” she starts. “When the MOVEit breach happened, Joe Tidy [the BBC’s cybersecurity reporter] contacted the attack group, and let me tell you, I was not thrilled by that.” Helen asks for the rest of that story to stay off the record, which, of course, I oblige.
She describes a “strong demarcation line between the editorial team and the rest of the BBC.” Helen treats me to the inside story of Joe Tidy’s approach from cyber attackers looking to buy his BBC credentials, which made for a fantastic article. “I told him he was being MFA bombed, I instructed my SOC to get in touch with him and reduce his access rights to the least privileged known to man.
“I told Joe, ‘Here’s the challenge I have. When you write and publish this, I’m going to receive calls from these people: Tim Davie, one of the Board, my CTO, our CEO… So do me a favour and hold off until we can handle that onslaught,’” she recalls. “When we’ve done crisis scenarios in the past, Tim has always had a strong ‘we do not pay’ line on ransoms. It was important that it came across in Joe’s feature.
“This isn’t something that other CISOs deal with,” she sighs, which triggers her next story. “One day, I was sitting having lunch with a vendor, and my phone started blowing up. The Guardian has contacted our comms team with a story they’re going to run about the BBC being compromised through an AI agent.” She raises her eyebrows, and I pause, willing her to continue. “I was pretty damn sure that hadn’t happened. My team would have been all over it, so I immediately reached out to my team to unravel it.” It turned out that the firmware on Freeview boxes had been compromised, affecting all channels across Europe, including Sky, BBC, and others. “The channels hadn’t been compromised, so to single out the BBC was horrible journalism. That’s the kind of stuff I have to get involved in.”
Having spent almost two decades interviewing CISOs, I’m rarely presented with an opinion, thought process, or challenge that is entirely new to me. Helen’s take on security accountability is the exception.
“Security risk can be a misnomer because there’s a belief that once you’ve put a risk on my security risk register, that somehow becomes mine, as the CISO. But no, that isn’t the case. My responsibility is to hold you accountable for fixing a risk in the time you say you will.” I need more on this, I say, curious to understand the depths of this theory.
“Let’s say you’re doing a project, and you’re running up against a timeline as the project manager. You’ve discovered that to deliver on time, you may need to go live without some of the necessary security controls in place.” I nod along, understanding that this must be an all-too-common scenario. “You’d ask me for clearance, and the security team will evaluate it and present the exposure to you. We’re not saying no, we’re just making you aware of the exposure and asking whether you’re prepared to accept that risk in the time it takes to remediate.” I can see where this is going.
“We’re saying if you go ahead, you are accepting the risk that you are introducing to the business for the period of exposure, and we agree on a deadline. If that deadline comes and you’ve done nothing, we categorise that exposure and put you on a naughty list.” Helen’s team would be responsible for communicating that to the core risk owner for that function.
“We’ll tell them they have a high risk exposure and remind them that the risk is theirs. If anything happens through that vulnerability during that exposure, my team has done its job. We assessed the risk, we made it clear what you were carrying, we monitored it.”
Sometimes the risk owner asks for an extension, and in the case of a high-risk exposure, Helen would bring it to the executive committee for visibility. “If the business is being exposed and the risk is high, it needs to be known at the executive level.” So what happens if something goes wrong during that exposure period? “Do you mean if the business comes down on me and asks how I’m going to fix it?” Exactly that, I nod. “I’d say, ‘I’m sorry, what must I fix? You introduced a risk through business processes. I qualified that risk for you, so what exactly are you asking me to fix?’” In role-playing this scenario, I’m getting a taste of just how steadfast and candid Helen can be. I wouldn’t want to argue with her. “But as security, we’re always the first port of call for the backlash,” she bemoans.
Speaking of the executive level, I ask Helen about her relationship with the Board. “They support me,” she says, “but there will always be challenges with that measure of transparency.” Again, I push her for more. “When you’re bringing risk to that level, it makes people nervous and uncomfortable. It’s my job to explain that remediating risk doesn’t sit with security; it sits with the business. Of course, I have to socialise that messaging with the chief risk owners before.”
What’s her advice for getting Board buy-in? “Don’t communicate with surprises, and don’t miss your risk owners on the way to having a conversation with the executive team. Also, it’s important to be in lock step with your boss,” she says.
I ask every profile interviewee about their future goals and plans, and almost unanimously, they tell me they can’t imagine being anywhere but where they are now. It’s a diplomatic response. But diplomacy isn’t something that Helen submits to. “Every so often, my ego catches me, and I worry that there’s no role that can top being the CISO for the BBC,” she pauses, “but I’m ready for something different, and I’d like to go out to the Middle East. I love deserts, they’re the most peaceful environment in the world for me, and I’d like to do something different working in that culture.” Another CISO role, I probe? “Maybe, or maybe a consulting firm that would palm me out as an interim CISO,” she considers. “Long term, I’d like to do non-executive work too. Whatever the future looks like, cyber will be it.”
The only career that she considers may have tempted her away from cyber is the military. “I think I’m built for that.” I couldn’t agree more. “I never panic; I’m not a drama person.”
Helen teaches me about the concept of a personal legend, which she has taken from the book The Alchemist. “It took me a long time to figure out that my personal legend is that I’m the person who takes care of my family.” Even today, Helen lives with her Mum and “wouldn’t have it any other way.” They enjoy Star Wars marathons together and indulge in comic books and all things Marvel. “From a young age, I looked after my baby brothers. I push myself in my career so that I have the financial recourse to be able to support them and make sure they’re always safe.” Helen speaks about her family consistently throughout our time together, like threads that weave through the fabric of her story. She asks that much of it stay off the record, but I’m glad she shared it because I feel I understand her on a much deeper level.
“I’ve no desire to retire,” she tells me, even though I’d never have dreamed of asking this. “But when I do, it will likely be in Switzerland,” she adds. Her nomadic upbringing has led Helen to live a life that will never be static. Namibia earns the titles of “home” and “favourite place in the world”, but Helen counters that nowhere will ever really be home.
At the beginning of this interview, I observed that Helen is a woman of many contradictions. She describes her childhood as both “wonderful” but also “full of tension.” She describes how she loves herself, but at times talks about herself critically: “I have a skill for knowing what your Achilles’ heel is and I can use it to cut you off at the knees. I have a temper and can be cruel,” she admits. “In my twenties, I confused confidence for arrogance, and I was brash – driven by a fight-or-flight survival instinct I had from growing up.”
But with maturity came self-awareness, and Helen is proud of the work she has done to build her emotional intelligence. “I’ve realised there’s strength in vulnerability and if anyone tries to weaponise that or judge me, that says more about them.”
She describes herself as a bit of a loner, “resilient because I’m often alone,” but it’s abundantly clear that her family are her world, and she notes that she’s “loyal to my own detriment sometimes.” But that statement too is swiftly followed by: “I wish I’d learnt earlier in life to be my own best friend.” A carousel of contradictory statements.
Her proudest achievement might surprise you. “I’ve chosen not to have kids. But I turned out to be a better parent than I ever thought I would be.” Helen has children “through acquisition” (her words, not mine), and despite the relationship not lasting with their father, the bond she built with them has transcended the chapters that have come since. “I have four children in my life, none of whom are mine biologically, but who lean into me and feel safe to do so. It’s a privilege.”
Of course, when I push her on whether she feels proud to wear the badge of CISO for the BBC, she says yes, but that it’s more about the journey and how she got here. “This little girl was growing up in the Bush, picking up semi-precious stones, fishing with her dad, checking out animals and listening to BBC World Service on the radio.” She pauses. “And now here I am. There’s pride in that journey.” And so there bloody well should be.
As we jump back in the Porsche, I sneak in one final, but very big, question: Are you happy? “Yeah,” Helen says, “but for me, happiness isn’t a constant. I’ve got a lot to be grateful for and happy about. But that doesn’t mean I don’t have peaks and troughs. I never want a flatline life.” And getting to know Helen this one afternoon in her hometown, I can say, without doubt, that is one thing she’ll never have. Her personal legend would never allow it.