The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Brittany Greenfield of Wabbi.
A Duke undergrad and MIT Sloan MBA, Brittany has spent her career identifying new market opportunities, and building and executing the strategies to bring them to life at companies including OpenAir, NetSuite, Kronos, Cisco, and Cybereason. She founded Wabbi, a 2021 RSA Innovation Sandbox finalist, to help enterprises integrate and scale application security across their modern development environments.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I was lucky from a young age that my parents instilled in me a deep love of exploring new things, whether traveling abroad or just seeking out new experiences at home. It certainly has shaped my personality as I prefer to be a “path-less-taken” person, having designed my own major at Duke where I looked at how technology drives innovation in legacy industries (at the time I looked specifically at Biotech and Pharma). I took the same approach when I entered the workforce in “The Cloud” at a time when I had to explain to my friends I was not working for The Weather Service. This has carried through my career, as I started in technical implementation roles, before moving into the GTM side of the business with a focus (not surprisingly) on exploring new markets and coming up with plans to tackle them. As one investor recently pointed out to me, I shouldn’t be surprised that I became a founder as I’ve been identifying problems and coming up with solutions my entire career!
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
When I first started Wabbi, somebody told me to read The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers by Ben Horowitz. Having worked both in startups and large enterprises, and being later in my career, I had no preconceived notions that starting a company would be easy, despite how glamorized the startup life has become. As Ben notes often, “there is no formula,” which is why sharing the blood, sweat, and tears stories is the most important way founders can support other founders. It’s easy to give a checklist or framework for “how to build a startup” (yes, in the dark times I may have bought one or two of those books), but that’s not actually how any founder succeeds. It’s in the sleepless nights and making the best decision possible when no good ones exist. The book resonated with me so much not because it told me that being a founder was going to be hard, but because it told me that the hard things are hard for every founder, not just me — and that I would survive them.
Another founder later recommended that I read it, and when I told him I had already, he said to read it again, and I did. It was a whole different book and set of lessons because I’d now lived so many of the stories Ben had. In fact, it’s probably time for me to read it again.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
It wasn’t as much a specific story, as an experience. I’ve proudly admitted that I was a cybersecurity outsider for the majority of my career, and it wasn’t until I was working on IoT with Cisco that I realized cyber was about more than just the three-letter agencies and nation-state actors going head-to-head, but rather just a fundamental underpinning in today’s digital economy. This led me to get into the endpoint detection and response (EDR) space, and as I got to know the broader cybersecurity market, I was frustrated that so much cyber activity was focused on building walls and moats, instead of trying to fix the root cause — which, when 9 out of 10 breaches begin due to software defects, means starting with the code. It would be like installing a home security system, but not checking if your front door is locked, or even if it has the right kind of lock on it. This is what led me to the Application Security industry, and ultimately to found Wabbi.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
What excites me is that cybersecurity has finally become dinner table conversation, not just because it has had a number of front page incidents, but rather because people are starting to understand that it is a fundamental underpinning of our lives today, from our infrastructure to our dinner tables. This means that companies will start seeing good cyber programs not just through the lens of risk reduction and compliance, but as a strategic driver of business growth and innovation.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- Confusing being “In Compliance” with Good Cybersecurity. Compliance is the low bar of “things I have to do,” whereas a good cybersecurity program aligns with the overall business goals of the organization (not just the fear of getting breached). Compliance-centric cybersecurity programs leave companies with a false sense thinking that because they “checked-the-box” they are protected. By aligning cybersecurity strategy with organizational strategy, it moves cybersec policies out of the binary view of “in compliance” or “not in compliance” and ensures risks are accepted or rejected based on overall business risk, while still being in compliance.
- Talent shortage. There is a shortage of three million cybersecurity professionals globally. Consequently, this doesn’t just mean that companies don’t have enough cybersecurity personnel, but that there is also a high churn rate as these professionals are often overworked. This turnover comes at a high cost not just to the profits and losses, but as a lot of institutional knowledge and process becomes lost. Orchestration solutions can scale cybersecurity teams beyond their physical resources, not only automating routine processes to ensure predictability and consistency, but also by directing their attention to where it is needed most to keep them focused on their overall goal of deploying a successful cybersecurity strategy.
- Too much data, not enough information. Cybersecurity offerings have grown exponentially over the last decade, which gives companies the ability to deliver highly tailored cybersecurity programs, however this unintentionally creates data silos that work against their goals. Organizations need to resist the temptation to chase after the latest and greatest technology, and go back to the basics — people, process, THEN tools. This will enable them to ensure that they’re not just getting more data, but rather actionable information that has a specific workflow so they can maximize the value of the tools they do select.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
The major breaches of the last year have highlighted the need to focus not just on perimeter security, but the overall software supply chain. There’s a misconceived notion with 90% of today’s software leveraging open-source or shared components, that just making those more secure will improve a company’s overall security posture. The reality is actually the exact opposite. Every company — even those in the same industry — has a different cyber risk profile that aligns with their corporate strategy. Therefore as vulnerabilities become known, they must evaluate them in the context of their own organization, even down to the application-level.
The false sense of confidence that thinking more shared components equals more security, is one of the biggest threats on the horizon because it will leave organizations continually defensive, rather than being proactive. It’s time for companies to re-evaluate their application security programs as being about more than just vulnerability management, but rather everything that touches the application, from the code to configurations to the humans that use the applications. When everything we do today — from the gas in our cars to the meat on our tables — is powered by applications, we need to start treating our AppSec programs that way.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
Security is no longer a siloed responsibility, but a critical element of application delivery. The problem now is the DevSecOps “hairball” that results from too many tools and too many people involved in every step of the pipeline. The average organization today has between 25–49 security tools from up to 10 different vendors. As the DevOps tool chain has proliferated, so too have the tools to secure them. Unfortunately, there are a lot of point solutions rather than one tool that handles the process end-to-end. This leaves organizations inundated with data, but with little to no actionable information to inform their decisions. To truly cut through the DevSecOps noise, organizations need to focus on three elements: people, processes and tools.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
It would be hard for anybody to say they’re satisfied with the status quo regarding women in STEM — and as an extrapolation of that, the tech industry. After a decade of positive progress, before the pandemic, we began to see declines again in women pursuing careers in tech. Despite studies showing time and time again there is no gap in performance, interest in careers in tech has been waning as young women progress through school. Ensuring we close the gap on all underrepresented demographics in tech, not just women, is critical to not just improving corporate performance through diversity, but also driving social change. In Massachusetts, entry- and mid-level tech positions pay nearly two times the state’s average salary. Corporations have to change the way they hire, train, and retain underrepresented groups to ensure we’re not just fixing the “broken rung,” but making sure they get on the ladder to begin with.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
I think the number one misconception is that you have to have been a hacker to be able to work in security. But cybersecurity is about so much more than just the attackers and defenders — it can also be about how it aligns with a company’s overall risk strategy, and how to execute it. When you take this lens on working in the cybersecurity industry, it opens the opportunities up to a group with a diverse set of experiences and interests in helping businesses (their own and their customers) to achieve their overall goals.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- You are going to face adversity — keep moving forward. Like other female founders, we faced a disproportionate impact on our business due to COVID. Instead of getting bogged down about what wasn’t going right, I kept my eye on the long-term and ensured we made the right short-term decisions to continue to protect the business to ensure we could meet our long-term goals. And it worked — we were able to grow our team throughout the pandemic and will achieve record-breaking growth again this year across multiple metrics.
- There is room for all of us. As we climb the ladder, it can be easy to confuse lack of representation with “no room.” Consequently, I think that there’s a myth that women compete with each other for “THE” spot, but the strong female leaders I know never compete to put others down, but rather to bring out the best in each other. They are each other’s biggest advocates. When one of us succeeds, we all succeed.
- Actually use your mentors! Mentorship is important for everybody, and I think one of the biggest challenges women face in finding mentors is not finding them, but actually using them as they don’t want to impose upon them and their busy lives. However, anybody that mentors does it not for their own benefit, but yours. Somebody has done it for us, and we are paying it forward. Don’t be afraid to ask for time — they are working with you because they believe in you.
- Carve out your own path. Don’t change to fit the mold. The right people will respect and support you for being you, and the wrong people aren’t worth your time. It’s not always going to be easy to follow this — and there will certainly be times you don’t — but if you let that be your compass, that’s when you will succeed. I wish there was just one story I could share about this, but it’s just something we face every day, and remembering your true north gets you through the challenging times.
- Stop thinking “I don’t fit.” A classic HBR study notes that women feel they need to be 100% qualified to apply for a job, while men only think they need to be 60% qualified. Unfortunately, this trait translates across careers — not just in the application process, whether it’s in the manifestation of imposter syndrome or just not speaking up. So stop thinking about the reasons you “don’t fit,” and start thinking about the reasons you do. Remember you were hired (or invited to a meeting, or asked your opinion, etc.) for a reason. You don’t even need to know what it is, just remember that it exists and for that reason you do fit.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂
Phil Knight. I think we could swap a story or two on why founding a company on our own terms makes alligator wrestling look like a sure thing.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!