The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing Kathy Wang, CISO at Very Good Security (VGS).
Kathy Wang is CISO at Very Good Security, and is a recognized thought leader in information security with a strong background in research and security leadership. She has worked in government, commercial, and technology startup environments, and advises security services/products startup companies. Kathy is also an internationally recognized malware expert, who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT), as they target common platforms (e.g., browser, email, mobile phones). She has spoken internationally at many conferences and on many panels, including RSA, DEFCON, AusCERT, and REcon. Kathy has co-authored a book, Beautiful Security, and holds a BS and MS in Electrical Engineering from The University of Michigan, Ann Arbor.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
It’s great to talk to you today — thank you for the opportunity. Although I’ve lived in Northern Virginia for the past 20+ years, I consider myself a Midwesterner. I was raised in the state of Michigan, where I went through Michigan’s public schools from K-12 and then to the University of Michigan for college.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
When I was a kid, I went through a phase where I found a great series of biographies about famous women throughout both U.S. and world history, and then proceeded to read every single one of those books I could find in the local library. Many of these women were famous scientists who had to blaze their own trails, and I think that made a very positive impression on me.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My first formal security job was as a security analyst at Counterpane, which was Bruce Schneier’s startup company. At Counterpane, I focused on learning about TCP/IP protocols, and how insecure some of these protocols were, and more importantly, why and how. My interest in network security led me to develop some open source tools, which then led me to focus on security research. I’ve never looked back since.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
When I was starting out as a security researcher, I didn’t think a lot of people would attend my DEFCON 12 talk. It turns out my talk was in a huge tent set up at Alexis Park Hotel, and it was probably 100 degrees in that tent. At one point, an audience member asked me a question about another similar open source fingerprinting tool, and I might have been slightly ungracious about its capabilities compared to my tool. After the talk, the researcher who wrote that tool came up to me to introduce himself and I was just completely mortified — I never imagined that he’d be at my talk! The lesson learned is that the security research community is small, and you never know who is listening.
Are you working on any exciting new projects now? How do you think that will help people?
As CISO at Very Good Security, my team and I are directly responsible for the security and compliance of our data security product. We help many customers process and store their sensitive data in our infrastructure so that they can focus on their bottom line business objectives. This means our efforts center around reducing risks on our infrastructure, and we work on rolling out initiatives to further our Zero Data mission.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
I’ve always been excited by this industry — that’s why I’m still here. It’s also hard to pick just 3 things, but if I have to limit it to 3, currently, that would be the focus on automated remediation that helps to scale security teams, securing software supply chains (we have seen so many recent data breaches that involve compromise of software supply chains), and next-generation SIEMs, where we are seeing better tie-in of logging/monitoring with automated security response.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
There are still too few women and underrepresented groups in this industry, especially at the mid-career level and up. I’m also concerned about another trend that really has been around for a while — it’s so great that the bar to writing software has been lowered so that more people than ever before can author applications, but at the same time, that shift did not correspond with increased visibility for security practitioners to see how those applications access data (which could increase success among authors). My third concern is that even though the holy grail of security is to raise the bar so that the attackers ultimately decide to give up and move on, and we’ve been saying this for years, this is still not necessarily the current result. I haven’t met a single person who has answers to all of these concerns.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Definitely software supply chain compromises. This should lead to securing the CI/CD pipeline from end to end — and not just running tools inside the pipeline, but protecting the entire pipeline from end to end, including the processes.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
A lot of people think of the massively public breaches when they get this question, but a much more common scenario is the internal discovery of unauthorized access, due to infrastructure misconfigurations, for example. There are a surprising number of developers who store secrets in places that are not intended for secret storage. As a serial CISO, my team and I have definitely rolled out architectures that are designed to limit the blast radius of these types of breaches. In fact, everything we do is focused on limiting the blast radius of potential attacks that might result in a breach of sensitive data. If you’re looking for a single takeaway, it’s that if security processes are too difficult to follow, people will work around them, and that is detrimental to all.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Logging/monitoring, because you can’t assess impact without a proper implementation of logging; authentication services (there are so many ways that this can be done ineffectively); vulnerability management for visibility; and automated code scanning to scale the team, because security teams will never be as large as development teams.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
There’s a lot to look for. Examples might include unusual user activities, access of canary tokens, traffic pattern changes, software supply chain breaches that could impact your org… this list can go on for a while.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Impact analysis is important — customers deserve to know if they’ve been impacted within a reasonable amount of time. However, after impact analysis, it’s important to conduct a postmortem to determine remediation steps and strive to ensure that the same type of incident does not occur again.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
A big mistake I’ve seen companies make is not being transparent and trying to sweep exposures under the rug. Have an incident response plan and runbooks documented and communicated so that you’re not trying to figure this out during an incident — that’s literally the worst time to be figuring things out.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
I’m a big believer in diversity hiring (gender, race, neurodiversity) and it’s an area that our industry needs to continue improving on. From past experience, I have noticed that many women are wary of being the first woman on a security team. It isn’t until there are at least 3–4 women on the team that the tide starts to turn where there are significantly more women applicants to a role. That suggests that there need to be more resources for women in STEM to make it more accessible. In fields other than STEM, where the ratio is much higher for women, there’s less of this type of psychological safety issue that I just described.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
One of the many security industry myths has to be that everyone knows what security means, and what the expected outcomes are. Many of us spend a significant amount of time educating others on why good security practices matter. Another myth is believing that people will follow policy. Policy can be more effective for trust, but harder to verify and enforce. It’s also completely true that good security takes user experience into consideration — without good user experience, people work around security.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Transparency — I always try to be as transparent with my team as much as possible and do everything I can to empower my team to do their best work. This goes a long way in building trust.
- Escalate quickly — The most successful security engineers know when to escalate an issue and take action.
- Over-communicate — As security practitioners, we all spend a lot of time educating others on why security is important. That is why I always look for people who are happy to over-communicate and be that great ambassador for security to the other departments.
- Big picture thinking — What is being done to address the common issues that arise?
- Bias for action — Security is a very operational field, and it’s important to respond quickly to varying situations.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂
Given that we’ve been in a pandemic for over a year, I’d be happy just to have an in-person breakfast or lunch with my extended family and friends. It would also be awesome to get together with my team for a meal soon!
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!