
Tech Talent Spotlight: Esther Hitch
29 Apr, 2025 | 5 mins

Esther Hitch | Cyber Director @ BDO Digital | Strategic Leadership, Information Security
This month, we had the privilege of interviewing Esther Hitch, a highly accomplished Cyber Director at BDO Digital. With a rich background in strategic leadership and information security, Esther brings a unique blend of expertise and experience to her role. Her career path is marked by significant achievements, including her time in the British Army, where she developed strong governance and risk management skills. Esther’s transition into cybersecurity was inspired by her work in information security and governance within the military, where she led international transformation projects.
As a seasoned professional, Esther specialises in developing resilient, business-aligned cybersecurity solutions. Her focus on fostering collaboration and diversity within organisations is crucial for enhancing cybersecurity and operational resilience.
Can you share the journey that led you to your current career path and brought you to where you are today?
When I was younger, I never imagined a career in Cyber or Consultancy. Cyber, as we know it today, didn't even exist in the ‘90s. I had always planned to become a Barrister. I was the first in my family to attend university, where I completed my Law degree and passed the Bar. However, halfway through my Bar studies, I started daydreaming about taking a few years out to do something else before returning to Law. When my first round of pupillage applications (on-the-job training to become a fully-qualified Barrister) was rejected, it solidified my decision to take a detour.
I recalled a TV advert about the British Army from when I was 16. It excited me at the time, but I dismissed the idea instantly because I was set on becoming a Barrister. Now, I allowed myself to explore it. I did all the research, visits, and test centres on my own without telling anyone, well aware that I didn't fit the typical mould of a soldier. I wanted the Army to decide if I was right for them, and not be talked out of it by my well-meaning family or friends. They were shocked, concerned and bemused when I eventually told them I had been offered a place at the Royal Military Academy Sandhurst to become a commissioned officer in the British Army!
After completing my year-long commissioning course at Sandhurst, I joined the Royal Corps of Signals in 2006 as a Second Lieutenant, learning to plan, deploy, manage and protect radio, trunk, and satellite networks, along with learning computing fundamentals. It was a fascinating new world to me. As a commissioned officer, there was a constant emphasis on leadership and management skills alongside technical skills. The responsibility in the military is immense, not just on operations overseas, but in the everyday duty of care we have for each other. Being responsible for my soldiers and officers during their best and worst moments in all aspects of their lives was both beautiful and sometimes devastating. This aspect of the job has stayed with me the most.
People often ask if the Army changed me and I always say, "Yes, but not in the way you would think." Instead of hardening me, it softened me. It made me more aware of how much we all have in common, far more than what makes us different.
I only ever intended to do the minimum commission of 3 years and then return to Law; however, those 3 years effortlessly turned into 14. Every year I stayed was a conscious decision, and they were easy decisions as I was given so many incredible opportunities with every new posting. I was able to do such a broad range of jobs, from providing a headquarters with full CIS (Communication and Information Systems) for hundreds of military staff in a field with secret-level video conferencing for Generals, to auditing communications outposts all over the world. I also directly supported a digital transformation in the huge HQ that plans and directs all the UK’s military operations, trained new soldiers through their basic training to ‘graduation’, paraded at Buckingham Palace and led parades at Windsor Castle and the Tower of London.
There were many reasons for me finally deciding to leave the Army, and one of them was that I was a year away from 40 years old and knew that I wanted a ‘corporate’ career next, so I realised I shouldn’t delay getting started on that. The Army does provide support in training and resettlement when you are ready to leave, and I was sure I wanted to be a Head of InfoSec or a deputy CISO somewhere. But despite me feeling like I was very much connected to the civilian world throughout my time in the Army, I struggled to get traction in the jobs market as all I knew to do was apply for jobs online and through LinkedIn. I had no connections, no network and no clue. I got my first corporate job, at Deloitte in their cyber risk team, through a series of lucky coincidences so I will be forever grateful to Deloitte for that. My new corporate lifestyle was like a breath of fresh air; comfy offices, glam bathrooms, sleek branding, being able to wear my own clothes and not have my hair in a bun 24/7!
The work was interesting and varied, and the teams were all high-performing and highly dedicated; nobody ever said ‘no’ to work. I had to learn fast about all things business, industries, sectors, regulations, civilian cyber qualifications and accreditations but I threw myself into it all. Over my 4 years at Deloitte I worked full-time (plus!) and gained my CISM, CISSP, COBIT, and CompTIA Security+ certifications as well as achieving full membership of CIISec and completing my MA and my MBA.
When I was approached for my current role at BDO I instantly knew it was the job for me and the only one I interviewed for. Though part of me did feel sad to leave Deloitte, I was so excited for the opportunity of growing a cyber team at BDO Digital and all the hard work, excitement and responsibility that comes with it. I’ve been here for nearly a year now and it has lived up to my expectations!
Given your unique background in the British Army and now as a Cyber Director, how have you leveraged military strategic thinking to enhance cybersecurity practices in the corporate world?
I do feel that my military background really helps me to focus on fundamentals. I’ve found there can be a lot of ‘noise’ in corporate environments. Sometimes it can be others trying to influence an outcome in their favour, or a client who isn’t sure of what they need, and I just take it back to basics: does this serve the strategy/vision/goal? I passionately believe that with the ever-evolving cyber landscape, staying true to the basics is the strongest place to operate from. And that is having a clearly defined strategy that supports the business strategy, comprehensive risk management and effective governance. Following on from that is a lesson that I quickly learned as an Army officer providing comms for Generals: cyber professionals take orders from the business, not the other way round. All we can do is advocate and advise, and then it is for the business to make a risk-informed decision.
As we look towards 2026 and beyond, what emerging cybersecurity threats do you believe will pose the greatest risk to organisations? How are you preparing your clients to face these challenges?
Insider Risk is becoming much more complex and nuanced, and goes beyond DLP (Data Loss Prevention) and phishing campaigns. It now requires a far more sophisticated and comprehensive approach. Too many businesses wrongly believe that they are not in scope for APTs (Advanced Persistent Threats) or that the only use case relevant to them is of an employee that has been terminated.
Additionally, I have concerns that the over-hyped capabilities of AI are putting businesses at risk from hasty or unnecessary adoption. I have been approaching our clients on the above two issues from a risk-centric perspective, and together we validate where their business is in relation to these risks and go from there. As I mentioned before, I find it more meaningful to break such discussions down from the point of view of what the business wants to achieve.
Communicating complex cybersecurity concepts to non-technical stakeholders is a vital skill. Can you share your methodology for breaking down intricate technical information for board members or C-suite executives?
As I was in a specialised branch of the Army, I regularly had to translate specialist concepts to senior stakeholders outside of my branch, so I have had lots of practice! Fundamentally, you need to gauge your audience and try to put yourself in their shoes in terms of what their levels of knowledge may be, but also combined with ‘what do they feel they need to know’ as well as ‘what do I think they need to know’. I also talk in principles or capability instead of using product names and that usually helps me to automatically remove the jargon from my content, especially as I see so many tech people use technology/brand names as shorthand for the capability/technology. The Army also taught me how to deliver basic instructing courses, which included guidance around the various learning styles we all respond best to, so I do try to bear that in mind in my mode, tempo, format and style of delivery so that I can make sure my message lands.
What advice would you give to women aspiring to leadership positions in cybersecurity to help them break through the "glass ceiling" that often occurs 6-10 years into their careers?
It’s not easy as you will have to work twice as hard and be twice as good to avoid being overlooked (and even more so if you are also from another underrepresented group) so, build your network! This network will have many layers, each with different purposes. You need a group of people with whom you can share challenges and successes and to keep your motivation and engagement high when things get tricky. Another group will be influential and can coach and sponsor your progression, and so on. It’s too easy for women to slip through the cracks when it comes to career progression, so having a network gives you informal mentoring and growth opportunities. Note that I am not saying your network has to be all women. The gender of your network, and that of your most trusted layer, can be of any gender that works for you. Personally, I do seek out mostly women for my networks as it is such a refreshing change for me to be around women, but I do have some great male role models, allies and friends who I trust and value completely.
How do you navigate the challenges of being underrepresented in leadership roles, given that women hold only 17% of CISO positions at Fortune 500 companies?
Frankly, it’s isolating and uninspiring. I have also had some unacceptable experiences being a woman trying to build my network and work in a male-dominated industry. This then means I have to balance being vigilant but not overly second-guessing people’s intentions. I also have to always be mindful and proactive about helping other women to stay motivated, trying to protect them from unacceptable experiences and sponsoring them. I dream and hope that one day there will be a generation of women who can go to work and just...focus on doing their job and the usual career challenges. But, looking at the poor rate of progress so far, I doubt that will be in my lifetime.
Looking at the future of cybersecurity governance, how do you anticipate the landscape changing in response to increasing regulatory pressures and evolving global cyber threats? What steps are you taking now to prepare your clients for these impending changes?
Regulations and guidelines such as DORA, NIS2 and the Corporate Governance Code have shown the appetite of governments and institutions for ensuring more accountability at Board level, both more broadly and for cyber security breaches and gaps in resilience. And, as cyber threats become more sophisticated and global, there will be a greater need for international cooperation and information sharing between countries, sectors and organisations to combat these threats effectively. At BDO Digital, my cyber team can draw on the skills and experience of the entire Digital team, covering many specialisms, in order to give our clients a well-rounded and end-to-end service. We can provide guidance on compliance requirements and assist with the implementation of necessary controls and processes, conduct comprehensive risk assessments to identify potential vulnerabilities and develop tailored risk management strategies to mitigate these risks. We also work with our clients to develop and test incident response plans, ensuring they are prepared to respond effectively to cyber incidents and minimise the impact on their operations. We are regularly asked to provide Board training and awareness sessions to support the Board in leading the strategic direction and priorities of security within the organisation. We also offer many advanced cybersecurity technologies to enhance their security posture and continuous monitoring services to detect and respond to threats in real time, as well as regular reviews and updates to our clients’ cybersecurity strategies to ensure they remain effective against evolving threats.
If you could have a 1-2-1 mentoring session with any tech leader, past or present, who would it be, and what would you ask them?
It’s really hard to narrow it down from my top 3, but it would be Dr Joy Buolamwini, a leading figure in the field of AI ethics, particularly known for her research on algorithmic bias. Her work has highlighted how facial recognition technology can be biased against people of colour and women. Dr Buolamwini also founded the Algorithmic Justice League, an organisation that aims to raise awareness about the social implications of AI and promote equitable and accountable technology. Dr Buolamwini’s work is so critical to ensuring technology serves all people fairly and equitably, which undoubtedly is not easy work, so I would ask her how she stays resilient in the face of resistance to her work, particularly in this populist era where opinions and anecdotal evidence sometimes carry more weight than actual scientific research.
Do you have a final piece of advice for a young woman looking to start a career in tech?
Whether you aspire to a leadership position or are about to start your career, a network of trusted people is so important, so build that, but you must also use them. You may end up in situations where your gut is telling you something is wrong but you don’t want to believe it, and so share and sense check with somebody you trust. Also, look out for others.
At some point, sooner than you realise, you won’t be the newest or most junior person, so don’t underestimate how quickly you can be a role model or a trusted support for another young woman. Apart from it being the right thing to do, the decades will fly by and you will find yourself with a solid group of other very senior women (senior like you, because, yes, you made it to be a woman in a senior leadership position! Look at you! I knew you would do it!) who you share history with. I know my advice is very people-centred, but the tech stuff, the courses, the different specialisms you can take, etc, all that will fall into place and is secondary to having a strong group of people around you on your journey.
We want to thank Esther once again for taking the time to share her incredible journey and insights.
If you would like to hear more from Esther, follow her on LinkedIn.