Information Security

Defending the digital infrastructure

Sergey Nivens - Fotolia

Polycom CISO focused on ISO 27001 certification, data privacy

Tasked with security and compliance, Lucia Milica Turpin watches over internal systems and remote communications customers entrust to the video conferencing company.

With a background in systems engineering, Lucia Milica Turpin gained familiarity with information technology and customer program management at Hewlett Packard Enterprise Services. She joined Polycom Inc., the video conferencing company based in San Jose, Calif., in 2013. Combining years of technical and educational training -- including a Master of Business Administration and a law degree -- Turpin took to the challenges of IT security with ease, initially as IT director of global systems operations and end-user services, and then senior director of IT governance and strategy. "Everybody who knows me tells me I'm a professional student," she said. "I have gone to undergraduate, graduate and law school while working full time. Now, when I run into friends or colleagues, they ask if I'm heading to astronaut school next."

The work ethic paid off. Turpin became vice president and CISO of Polycom in 2017. Today, she oversees a mix of on-premises and cloud assets at the company's Denver location and is responsible for data privacy, security incident management, IT and data governance, strategy and compliance such as SOX 404, ISO 27001 certification and HIPAA.

What are the unique security challenges at Polycom, and how are you addressing them?

Lucia Milica Turpin: Polycom works with a wide array of customers with varying security requirements; this includes federal agencies, finance, healthcare and small businesses. We must develop stable and secure communication and collaboration solutions that use voice, video and content over a variety of protocols that have significant security and privacy implications across many different markets.

To enable our customers to deploy these systems, we have addressed many of these concerns by implementing security and encryption controls that allow our customers to deploy these solutions in a secure manner -- enabling them to keep this information private -- and be compliant with their security policies. We also have a robust software development lifecycle that includes security in all phases.

What attracted you to the security field?

Turpin: I wasn't planning on pursuing a career in security, although it was a natural progression. I started as a systems engineer many years ago, and access control was part of my expertise. I have also pursued a legal education and have been fascinated by data privacy. Although I focus on technology, I have also personally [concentrated] on data privacy and regulation -- through my legal education. So these two passions converged at some point in my tenure at Polycom.

Lucia Turpin, CISO at PolycomLucia Turpin

Throughout my career, I always seemed to be the liaison between IT and the legal department and was paving the path toward the legal side of cybersecurity and data privacy. I got more and more involved with security, and my combination of legal and IT background put me in a unique position to build our capability and move us toward ISO 27001 certification. Polycom [has finished] the process of achieving ISO 27001 certification, which is a global security standard that sets out requirements for an information security management system. Certifications such as this provide assurance to existing and potential customers that Polycom has established and implemented best practice information security processes to safeguard a company's intellectual property and customer data. Additionally, it provides assurance that our products are designed, developed and implemented using the ISO 27001 product development process.

In parallel with your career, you created and ran an organization for women MBAs. Could you discuss the goals of the Women MBA Connect organization and what you learned there?

Turpin: The organization's purpose was to create a platform for women to continue their education and follow their goals -- it was about learning from one another. We had many speakers who were executive women, and we typically tried to understand what topics or areas of focus were of interest to our members.

Board members and the executive teams need to become more fluent in security, which will partly be driven by legislation.
Lucia Milica Turpinvice president and CISO, Polycom

Did that include professional barriers?

Turpin: I do think there are some barriers for women. However, in my own life, I look at them as opportunities. When I encounter something like that, it tells me that perhaps the workplace is not a fit for me.

Separately, I do feel women are better at multitasking and juggling a lot more things. So I think in my own life, because of that, I was able to pursue a legal career while working full time and having a family.

What issues do you see for CISOs in the coming years?

Turpin: The security landscape is rapidly changing from many angles -- types of threats, attack surfaces as well as regulatory requirements. Internet of things security will become a greater concern. Board members and the executive teams need to become more fluent in security, which will partly be driven by legislation

Article 2 of 5

Next Steps

Why the CISO role is still hard to define

How to facilitate cooperation between privacy and infosec

The CISO reporting structure evolves

This was last published in May 2017

Dig Deeper on Careers and certifications

Get More Information Security

Access to all of our back issues View All