The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Hedda Peters.

Hedda Peters is the Head of Enforcement Products at Arkose Labs, where she helps drive the vision and execution of the product roadmap for the Arkose Labs enforcement challenge. Her career started in online marketing in Europe, where she experienced the effects of bot traffic on an entire industry first hand. Changing continents as well as industries set the tracks to a further career in software development, where she finally joined the product team in the then-young startup Arkose Labs in 2017 in Australia. Her diverse background and experience make Hedda particularly passionate about ensuring a good user experience for users across all demographics, regions and abilities.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in regional Germany, then moved to the city to study and for a bit more excitement in my life. I caught the travel bug and explored North America and Europe extensively, and eventually put down roots in Australia. As I swapped and changed continents, my career adapted in unexpected ways; from campaign manager, to business development, to technical translator, to data analysis, to product management — just to name a few. In hindsight, all these experiences are now turning out to be invaluable; it helps to drive your product forward when you understand the perspective of your stakeholders and users — because you’ve been in their shoes yourself.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I recently read the work of Robert Lanza on the topic of Biocentrism. Not only is it a fascinating philosophical dive into an alternative understanding of the world around us, but in his books he also shares stories of serendipitous encounters that shaped the further unfolding of his career. This resonates with me, because I believe everything happens for a reason. At many points in my personal or professional life similar encounters have led me to pivot in a different direction — and in hindsight, always in the right direction.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

One story comes to mind: During a job interview, I was asked a question to tease out whether I would be susceptible to bribes offered by fraudsters. It was at that moment that I realized just how high the stakes in the cyber security industry really are. Many attackers are so determined that they will try to exploit all avenues to defraud their target — and at times will go as far as tempting or threatening the people that work on the good side. I knew then that this opportunity in front of me was not an ordinary job — it turned out to be my calling, and my chance to make a real difference in the cyber security industry.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

About a month into my technical translator job at a big software development company, I had a casual conversation at the watercooler with somebody I didn’t know yet. He asked me what job I was doing and, hearing that I was still new, how I was settling in. I don’t know what possessed me to blurt out that I was about to miss an important release deadline for my first assignment. Little did I know that I was talking to the CTO no less… What a way to make a first impression on the big boss! Luckily, he was a good sport about it, and I remember him chuckling and saying “We’ve got bigger fish to fry”. Even still, I was mortified! But I ended up staying with that company for 8 years in varying roles, and never missed a release deadline again.

Are you working on any exciting new projects now? How do you think that will help people?

Right now, accessibility is a hot topic for Arkose Labs. We have recently refactored our enforcement challenges to support an even wider range of assistive technologies. It was immensely valuable to collaborate with our customers and accessibility experts on this project, because accessibility is as tricky as it is important.

I find it hugely satisfying to know that our efforts in this area will make a real difference in somebody’s life, and that we’re doing our share to ensure that users with a wide range of abilities can navigate the web.

The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

On the most basic level, it is rewarding to know that the entire cyber security industry is fighting the good fight. We are working to prevent ordinary web users from getting fleeced, or businesses from losing money to fraud. Of course cyber security is a business unto itself, but that doesn’t change the fact that we are doing something good.

Taking that thought a step further, we should also not forget the downstream effects of these crimes. Prevention is inherently difficult to quantify, but a simple string of what-if questions shows the potential. If a business is cheated out of revenue, perhaps they won’t create or maintain jobs and people will find themselves unemployed. Perhaps those people are tempted to partake in other criminal activities to make ends meet. On the flipside, what is this fraud money being used for instead? Not just to fund a comfortable lifestyle for an individual criminal, but possibly to fund a whole gamut of other criminal activity. This message of the far-reaching benefit of crime prevention, far beyond the original crime, hit home for me when listening to a talk by Neil Walsh, the Chief of Cybercrime and Anti-Money Laundering at the United Nations.

I am also amazed by the talent and innovation that I see in this space. I am honored to work with some incredible people, and the speed and creativity in this big cat-and-mouse game are mind-blowing.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

A good cyber security strategy is important, but users need to uphold their end of the bargain as well. Too many people fall prey to social engineering, don’t follow basic password hygiene, or consider 2FA a bother. While some security solutions can minimise the fallout, certain attack vectors such as credential stuffing could never be successful at a large scale in the first place if users just followed best practice. We need to continue to educate people, and lower the hurdle with simple tools to use.

Zooming out a lot, I’m concerned about the cyber crime landscape on the whole. As more aspects of our lives move online, the attack surface continues to grow and become more complex. At the same time, the motivation for cyber crime is high, but also multi-faceted. While some criminals are simply driven by greed, we know that others are forced to play a role in those activities to simply make a living. I expect that some part of the solution to cyber crime lies outside of the industry itself, by continuing to improve the socio-economic situation of everyone globally.

Lastly, I believe that collaboration and sharing information are key. Trying to solve a problem based on only half of the information is at best inefficient, at worst will lead to inaccurate conclusions. This includes transparency, for example, quickly sharing information about a breach.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

As certain user demographics become more careful with their data, others seem to become more careless. Many expose ever-increasing portions of their lives on social media, and certain parts of the world aren’t even online to start sharing data yet. Overall, the rapidly growing volume and interconnectedness make user data difficult to manage, and any single breach can have far-reaching consequences. Companies need a plan on how to manage and protect personally identifiable information of their users. They should also be aware that they may be subject to the EU data privacy laws (GDPR), which are far stricter than elsewhere, even if they are not based in the European Union.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

One of the first cyber attacks that I worked on was bouts of inventory blocking on an airline. The attacker would repeatedly start to book seats on selected routes, but never complete the payment, leaving the seats in a reserved status. Entire flight routes appeared to be booked to regular customers, when really the airline hadn’t sold a single ticket yet — a huge problem for the airline. The attack itself wasn’t too difficult to mitigate. But I distinctly remember the adrenaline rush these situations caused me, and the exhilaration when I stopped it. Frankly, I realized that this kind of excitement would give me grey hair sooner than I would like, so I moved off the front lines of fraud mitigation and focused on product management — working with a cool head on making our product most effective against the attacks I’ve witnessed first hand.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

There are many, but the biggest bang for your buck is surely a simple password manager. I don’t think I have to explain it in too much depth — it securely stores and manages all your credentials, allowing you to create highly complex and unique passwords, thereby reducing the impact should a single password ever be compromised. I am surprised by how many people are still not using them. A co-worker often includes the question “how do you organize your passwords” in job interviews, and I was baffled to find that many candidates (interviewing for a role at a security company!) fessed up to not using a password manager.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Many banks or big tech corporations have pretty good monitoring and alerting in place for unusual activity. Don’t dismiss those alerts if and when you get them.

Be aware of phishing emails or text messages. They range from hilariously amateurish to frighteningly sophisticated, but almost always have certain giveaways that you can learn to look out for — such as spelling mistakes, creating a sense of urgency, being unexpected, and linking to unusual domains. If in doubt, contact the alleged sender directly.

It may also be worthwhile to subscribe to services such as haveibeenpwned.com, which monitor your email addresses and phone numbers for appearing in data breaches. Some password managers offer similar functionality. This gives you a chance to at least do damage control as soon as a breach becomes known.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First and foremost: Act quickly to stop the bleeding if possible and be fully transparent to your customers, right away. Remember that customers will forgive a crisis if it is handled well. Then, analyze the full extent and root cause of the incident to prevent a recurrence. Ideally, all this is part of the company’s playbook for dealing with such a crisis — if not, now is the time to create or update it.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Complacency is surely among the most common mistakes. Often the risk was known and there was an intention of mitigating it — but it never received the attention it deserved, in favour of pursuing higher value activities. In a nutshell, risks are often not properly managed.

Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

We are going in the right direction, but there is more room for improvement. I would like to see more spotlight on unconscious bias, to help reset how we evaluate other people during university, job interviews, etc. I’m fully aware that people from within minority groups are not immune from unconscious bias either, so I think this could actively promote a level playing field for everyone. I also believe that there is only so much we can do in one generation. Other changes need to start a lot earlier, in the way we raise our children. “Teach girls bravery, not perfection” is the title of a talk by Reshma Saujani that sums this up nicely. We need to instil confidence from a young age, and keep their minds open to all the possibilities. I certainly do what I can with my two girls — ask me again in about 20 years and I can tell you how it went!

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

I have yet to see an actual hacker in a hoodie! But seriously, the cyber security industry is welcoming and fun. Don’t be put off by fancy buzz words, or by preconceived ideas of what is required to be successful — there are many different ways and skill sets that can lead into this dynamic industry.

What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Your job is not to make everyone happy. Take all facts and opinions into account, but accept that your decisions might have to disappoint somebody occasionally.

Stand up for what you know is right. I ruffled some feathers when I restarted my career after maternity leave and negotiated for a work-from-home program. Strictly speaking, I didn’t even need it — but I was in the right position to instigate some changes that I knew would benefit others who would come after me.

Don’t fret over little mistakes. Yes, often women are judged more harshly. But it doesn’t help if you do the same thing yourself. Learn from your mistakes and move on.

Rid yourself of the “guilty mum” complex. I might miss the mother’s day breakfast at school, but I’m teaching my girls valuable role model lessons about sharing family responsibilities and independence.

Embrace your differences as assets. It is no secret that diversity is key, and that includes career experiences. I may not have the most streamlined cyber security career, but my diverse experiences allow me to see things from more diverse perspectives.

Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?

I would have to say Angela Merkel. I’m amazed at her unwavering calm and practical approach in the face of what sometimes seemed like absolute madness on the world’s political stage.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!