The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Judy Sunblade, VP Revenue Growth & Enablement, WhiteHat Security.

Judy Sunblade brings over 20 years of leadership experience in technology and security companies. She specializes in sales and marketing strategy and revenue growth models that ignite sales, drive customer value and grow revenue. She is responsible for marketing, pipeline generation and revenue enablement for WhiteHat.

Prior to joining WhiteHat, Judy led the enablement teams at Veracode, Monotype and Forrester. She holds an MBA from Simmons University and a BS from Susquehanna University.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in a New England seaside town where playing outside was encouraged, curiosity was developed and giving back to the community and having an impact was required. Leadership skills were developed on the field or court as was discipline and improving performance. I’m always interested in process improvement and increasing performance. I received my BS in Business Marketing and an MBA from Simmons University. My career to date has been focused in on project management of enterprise applications/systems, management consulting, sales into enablement and enablement into revenue growth and growth marketing.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I just finished Think Again, by Adam Grant. Game changer! “If knowledge is power, knowing what we don’t know is wisdom.” And “Listen to ideas that make you think hard — not just opinions that make you feel good.” Most people fall into thinking and talking as a preacher, prosecutor, or politician. We should have a shift in mindset, a more collaborative culture, and creative thinking. We need to think more like a scientist and a seeker of truth. Treat emerging ideas as a hunch or hypothesis and test it with data. Focus on outcomes instead of opinions.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I got into cybersecurity through creating an enablement program for a cybersecurity company, and it was there that I fell in love with the criticality of cybersecurity and the ever-changing landscape of cybersecurity, along with the outside influences on breaches and security.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I spent hours creating a massive spreadsheet that was time sensitive. Somehow, I closed out of it without saving it and had to pull an all-nighter to meet the deadline. Save your work!

Are you working on any exciting new projects now? How do you think that will help people?

We are working on unkinking the lead to revenue process to drive organic leads during a pandemic, ultimately leading to accelerating revenue. There are so many interdependencies on interconnected systems and data. We need to be able to trust the data and to be data driven.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

One of the most exciting, and critically needed, changes we are seeing in the industry is the increasing diversity of those entering security companies. The future of innovation does not solely rely on just the latest technology, but it lies in our approach towards the teams we are building and expertise we are tapping into. Without diverse approaches, experiences and people, the security industry, which should be the first to lead innovative change, will fall behind. I got involved in cybersecurity by following my passion of helping high growth organizations to accelerate their sales by implementing sales best practices and a robust revenue enablement process. It was important to me to find a company whose culture and sales philosophy matched mine, and that includes empowering women to be workforce leaders. This is what makes the work I do in cybersecurity so exciting!

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

One thing that concerns me is that the state of web application security is generally very poor. The majority of applications are continuously exposed and easily exploitable by attack vectors that organizations are failing to control. In environments such as these, risks that come from either internal or third-party compromise are put at the bottom of the priority list. Sometimes, they are intentionally ignored because businesses deem them as unlikely to be exploited. My biggest concern is that organizations are compromising the safety of their applications based on their own shallow assessments or “gut feel,” rather than relying on the data that is showing the dangerous risks and consequences. Our research team at WhiteHat found earlier this year that healthcare applications have seen a dramatic rise in the window of exposure in 2020. The Window of Exposure (WoE) can be seen as how long an application has an exploitable vulnerability. The amount of healthcare applications with a WoE of at least a year grew from roughly 45% in previous years to 60%. If we don’t address it proactively, this problem will grow. Organizations also deem the security of their applications as too expensive to defend.

Another thing that concerns me is that organizations that weren’t digitally savvy before the pandemic are having a difficult time adjusting and keeping their businesses safe from attacks. Digital transformation is a process that can take years to spearhead and roll out. When the pandemic hit, suddenly, companies had to move their entire business operations online. This isn’t a surprise, but we’ve found through our research that organizations in industries that had less experience being online (such as public administration and manufacturing), saw an increasing WoE, with 71% of applications in the Public Administration space now having a WoE of 1 full year.

To address this, organizations need to look at their WoE and use it as a key metric that allows them to benchmark against their peers in the industry. Your WoE data is a key sign of breach exposure.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

One of the challenges that comes with an increasingly digital and global economy is that there is now an increase in attacks against third-party applications that can provide easier entryways for attackers to squeeze in and access an organization’s data. Supply chain type attacks are most definitely a critical threat on the horizon that companies need to prepare for by investing in the security of all their connected applications. The Manufacturing vertical continues to be severely affected, seeing 70% of applications in the industry having a WoE of 1 entire year. More simply said, 70% of applications in Manufacturing have at least 1 open, serious exploitable vulnerability throughout the year. When we dig in deeper to the root causes, we see that the increased proliferation of OT and IoT devices inadvertently open up the connected OT and IoT systems to attacks.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Our marketing team is always increasing the awareness of breaches in cybersecurity and providing ways to prevent breaches. Breaches only happen in production, so we are making sure our customers are securing their production applications: all of them, not just the business-critical ones, as most hackers get in through non-business-critical apps.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

One of the tools that WhiteHat Security uses to address application security challenges within organizations is the Sentinel Dynamic, our cloud-based SaaS platform that scans for vulnerabilities in websites and web applications. To break down how the tool works, Sentinel Dynamic combines WhiteHat’s automated Sentinel Scanner with a team of expert security threat researchers who will provide only verified results with actionable reports. It begins with Onboarding, in which an organization’s security team provides URLs, logins and their schedules. Then the Initial Scanning phase can begin, and this is where discovery, fine tuning and configuration take place. In the third step lies the website assessment, with unlimited assessments and vulnerability detection, and lastly, security teams can see the results in the Sentinel portal with customized results. So, on a broad level, this security tool provides the features of continuous assessment, vulnerability verification (which is a huge time-saver for security personnel), on-demand retests and access to WhiteHat Security Engineers.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

As we’ve seen in recent events and cyber security crises in the past year, cybercriminals are highly motivated by money. We’ve seen, unfortunately, a rise of ransomware attacks against healthcare organizations and hospitals as COVID-19 raged on throughout our world. Due to the detrimental effects health information and a shutdown of systems can cause, ransomware payments have been exceedingly high. Outside the obvious impacts attacks can have in the healthcare sector, data theft, property theft, reputational damage and disruption of business operations are common effects of an application being compromised.

One thing to keep in mind as a security leader within an organization and as a consumer, is that applications are not always completely compromised when attacked. Threat actors are strategic and may sometimes target applications in support of operations bigger than just a breach of data. For example, individual users can be targeted in blackmail campaigns or phishing attacks. In this case, an organization may not even be aware that anything was compromised, as the attackers went directly to the users and not the application’s operators.

One thing I would recommend is to pay attention to any security updates sent from an organization to its customers. Especially when it comes to applications that are holding highly personal and financial information, consumers should be on top of making sure their passwords are complex and features such as two-factor authentication are set up.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Besides testing mobile and web apps for security vulnerabilities, organizations should move their attention to any backend or linked web servers, using a thorough DAST assessment.

Another proactive measure to immediately implement is proper employee training. Humans are often the weakest link in any security chain. Employee training and employing services should be implemented that test human susceptibility to social engineering attacks. These include email spear phishing, phone calls or internal access control issues.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Many organizations skip over the critical business value and ROI that cybersecurity brings, not realizing that cybersecurity should be a proactive measure, rather than a reactive one once the damage is done. This damage translates not only up to millions of dollars, but trust and reputation among your customer base which can take years to rebuild.

It is extremely important to have cybersecurity throughout the whole process. At WhiteHat we focus on application security and securing the applications that you have in production. That is the area where you are the most vulnerable — in production. You want to make sure that you have the doors and windows of your house locked, making sure that your production systems are secure.

You also want to move into the development side, making sure you are writing secure code. Hackers are trying to break in all the time. They are relentless, especially as we are well into the second year of this pandemic. So, implementing security into all stages of the product lifecycle is critical to properly safeguarding your organization’s most valuable assets.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

Biggest piece of advice when I talk to women who want to get into cybersecurity is not to be afraid of the word cybersecurity or the way the technology is presented. When you look at a cybersecurity company, there still are the primary business functions, from sales to marketing, that you can enter into. And, if you’re technical there’s engineering, there’s product development. People, especially women, get scared away when they hear cybersecurity. Many people think it is all technical, and it doesn’t have to be. My advice would be to follow where they’re passionate and enter through that avenue.

Looking at the industry as a whole, women make up 40% in the workforce, yet are only 25% in tech roles. And the higher you go up, the worse you get. I think we need to do better as women to make sure that we’re nurturing and cultivating other women to follow behind us and also to make sure that we’re helping them to get ahead. I would encourage women to be confident in engaging in a conversation and having your points heard, even when people may disagree. It’s okay to disagree. As you go up into the executive ranks, you want to have healthy conversations, and I think a lot of times, women are afraid to have those because their feelings might be hurt. We have to find that compromise. I’m proud to say that at WhiteHat Security, more than 60 percent of the executive leadership team are women. We need to fight for equality for girls, young women and women in all aspects so that going forward it is easier for them to capitalize on careers in tech.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

One of the biggest myths I want to dispel is that women need to remain competitive towards each other in order to climb to the top. One thing I’ve noticed throughout my career is that when men get promoted, they will usually bring their colleagues up with them. On the other hand, with women, I’ve noticed that there’s a competition and reluctance to bring other women up as they climb the ladder as well. I think the myth that there’s a shortage of roles and promotions available for women is a lie. The lack of women in leadership positions and technology positions is not because the roles aren’t there. There’s an abundance of opportunity, and we as women need to do a better job at making sure we’re bringing other women along with us as we succeed.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Be your authentic self
2. Honest and open communications
3. Empower and mentor other women
4. Focus on outcomes with true metrics
5. Promote your teams’ impact and results on an ongoing basis

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-).

Gloria Steinem. It’s 2021 and women are still not on equal footing (pay gap, # of Fortune 500 CEOs that are women, etc.). Would be interested in how she’s committed to the cause and her suggestions on how to close the gap.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!