It’s not enough for men to try and treat women ‘equal’ — men must lean in, be proactive, and sponsor other up and coming women leaders if they want to see change.
As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Christine Gadsby, VP, Product Security at BlackBerry.
Gadsby played a critical role in creating BlackBerry’s 30-day Android patching strategy, Customer Advisory program, and leads BlackBerry’s open source software vulnerability management strategy. She has presented security response strategies to high assurance governments including the NSA, CESG, CSE and GCHQ, as well as several enterprise organizations. She has contributed to publications such as CSO magazine and Dark Reading and has spoken as an industry expert at several security industry conferences including RSA, Black Hat, IotSF and FIRST. She sits on several boards of industry response organizations and programs.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I grew up south of Seattle, Washington. When I was around three years old, my Dad gave up a career in TV and radio to lead a homeless shelter and serve in non-profit public relations. So, we didn’t have much growing up at all. I didn’t realize until I was older how much that shaped my work ethic and desire to be a servant leader.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
Right now, I am reading, for the third time, Hit Refresh by Satya Nadella. Six months or so ago I saw a recording of Satya Nadella speak on having a ‘Growth Mindset’ in everything you do, and that simple thing has been so powerful in my own ability to lead. It motivated me to read his book. My oldest daughter [out of 4] is disabled, so I identify with Satya and his real-life challenges, I share many of them.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
The truth is I didn’t start out having an interest in Cybersecurity. There was no money for college when I graduated high school, so I went to work instead. By the time I went back to school and enrolled in college, I was a single Mom of two daughters and had to work two jobs while taking care of them full-time. I asked my college counselor what degree I should get to ensure I could support my girls on my own. She said “There are three things that aren’t going away: technology, the internet, and crime, pick your favorite and you will always have a job”. So, I got a degree in Information Technology and Business Management. Like a lot of people, I was exposed to the security side by accident while working in a different role, I fell in love with it, and crossed over. I haven’t ever looked back. I love what I do, and I couldn’t imagine doing anything else.
Are you working on any exciting new projects now? How do you think that will help people?
I am proud of a program I started in my organization called The Leadership Bench program. It focuses on taking potential future leaders within my organization and challenging them with stretch goals that face other business units within our company in order to develop their leadership abilities. The stretch goals are company impacting so they are exposed to executives outside of our immediate group. Our current candidates are 90% female or minorities, so it’s really serving an important impact. Businesses don’t succeed without talented people making a difference.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
1. You are ALWAYS learning something. With every new attack or research paper, there is always something to learn.
2. Regardless if you are on the offense or defense side of Cybersecurity, you are truly making a difference. Being a part of Cybersecurity is like virtual crime fighting. It’s nice to know what you are doing is helping to keep others safe. BlackBerry believes in a prevent-first security approach, rather than leading with a detect and respond approach offered by others. As the security team skills and capacity gap widens, BlackBerry AI is the solution that evolves faster, responds faster, and never gets tired of fighting against cybersecurity threats. Our mission in 2021 is to be the world’s leading provider of end-to-end mobility solutions that are the most secure and trusted. That is a big mission, but it is one we believe in and work towards every day.
3. The opportunities are endless — The role you are doing right now could change into something else. The skills you are building now can take you down another career path in Cybersecurity.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- Criminals are outpacing our ability to mature as an ecosystem. Our ability as an industry to coordinate and share information with one another is challenged by the nature of vulnerabilities and liability. We need to be better, as Cybersecurity leaders, about sharing lessons learned with each other.
- Additionally, cybersecurity attacks have ramped up in volume and ferocity since the COVID-19 pandemic began a year ago. The recent Colonial Pipeline attack should serve as an important wake-up call for all those who have a role to play in securing critical embedded systems that these days threat actors will stop at nothing to cause harm, sometimes regardless of whether there is a financial gain to be had. The only way to keep the enemy out is to ensure you have good cyber hygiene practices in place, as well as cutting edge AI-based cybersecurity solutions that can detect, protect and deter these sort of attacks in the future.
- Lastly, the security industry is desperately lacking people resources and there is a noticeable shortage in skilled AI cybersecurity professionals. This is something that we see ourselves and continually hear from our own customers and partners. To address this shortage, we have launched numerous internal training programs and helped a handful of universities beef up their cybersecurity offerings. Last year, we announced a partnership with The University of Windsor to help develop and deliver a cybersecurity curriculum for the University’s Graduate Master’s Program in Applied Computing. The curriculum, called BlackBerry Bootcamp, will be taught as part of a required Network Security course, and completion of the curriculum will account for a portion of the student’s final grade. BlackBerry Bootcamp covers a range of cybersecurity topics including AI, digital identity protection and privacy, software engineering, the latest techniques of cybercriminals, advanced threat detection technologies, and more.
In terms of specific areas within the cybersecurity industry where the dearth of talent is particularly acute, we find that professionals with strong backgrounds in AI and ML are in high demand yet relatively difficult to find. We also notice the lack of women participating in the cybersecurity workforce. To address this, we partnered with the Girl Guides of Canada to create the Digital Defenders program aimed at getting girls interested in cybersecurity as a future career path from a young age.
We as an industry need to move quickly to attack this talent gap on all fronts. Importantly, by sparking interest in the field at a young age, we hope that by the time these same young people start looking at the next stage in their education, they gravitate to the higher education institutions out there that offer AI and cybersecurity as a dedicated discipline.
At BlackBerry, we strive to attract top talent in as many forums as possible — LinkedIn, Twitter, Indeed, Recruitment Fairs, University & College Campuses, Employee Referrals, etc. — in an effort to recruit the best and brightest to help us further our work in AI, cybersecurity and of the transformative automotive technologies that will quite literally drive our future.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Attackers abilities to modify, inject, or augment components along the software supply chain — attacks that qualify as acts of war. The supply chain is incredibly complex, made up of numerous vendors, processes, standards, technologies, all coming together to make modern systems. Being able to catalog and enumerate your software bills of materials is a critical activity and very challenging with a complex supply chain; but this is essential — how can you defend something if you don’t understand its composition? Companies need to be ready to hold their software supply chain accountable for the security posture they as consumers inherit.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Users can monitor for things like unusually slow or laggy computers, is something hogging my system resources? Maybe a piece of malware is running in the background abusing their system, mining cryptocurrency as an example. Be vigilant for things like unknown application icons appearing on their desktop or smartphones — where did those apps come from? Pay attention to security warnings from your browser, they are built to protect you.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Most important is to share information. I think companies panic and aren’t sure what to do or who to tell when this happens. We need to do a better job sharing threat intelligence between the public and private sectors.
Communication is the number one stumbling block during an incident. I think in many cases companies don’t know who to tell, what to tell them, how to react, how to execute effectively internally, to bring together the large set of stakeholders required to tackle these highly impactful security incidents. Companies need to be prepared with an incident response process and immediately trigger it when it looks like something is questionable. Companies need to be prepared with policy, process, templates to be able to quickly communicate impact to their customers especially when sensitive data is in play. Understanding the requirements of your customers, legal requirements based on the jurisdictions you operate in, this all needs to be well understood in advance so you can effectively execute during times of crisis to protect your customers, your business and your overall corporate reputation.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
There are so many challenges facing modern companies developing complex systems. One of the biggest I see is a lack of a security maturity model — that’s a roadmap you can create to develop a security mindset in your organization. The industry continues to evolve and too many teams get trapped in the daily grind, repeating process without improving and maturing it.
Second, a general ‘security ego’ — thinking a security crisis will never happen to us, it will never happen to me, we have ‘built a fortress’ around our company’s crown jewels. I’ve met so many incredibly smart people in this industry due to the expertise required — and many of those come with big egos and they miss things because they aren’t looking over their shoulder. As a leader you have to remember a criminal only has to be right once, you have to be right every time which means you have to constantly be humble and have a ‘learn it all’ mindset. Always question your security maturity, build a true Security Maturity model, never stop learning from others smarter than you.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
Absolutely not — I think we struggle as an industry to get rid of the stigma that STEM is only ‘cool’ for guys. We need to celebrate the female champions with careers in the STEM field and talk about their roles and what they do more. Almost every great article you read is about an accomplished man in STEM. There are women doing great things too, but we need to find them and focus on sharing their stories. We need to provide young ladies more inspiring leaders to model their own interests after.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
You don’t need to be a complete geek or computer nerd to work in this industry. This is a business and needs great people to focus on Cybersecurity that have complementing skills — like Project Managers and Business Analysts, even finance people that can learn how a Cybersecurity business model functions. There is so much opportunity in this industry and I think we scare people away who don’t want to be ‘technical’.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
Here are my top 5 leadership lessons I have learned being a woman leader in technology
- Always remember that many of the most powerful women in this industry have had to fight their way to the top, and you should ask them how they did it. You will learn something. I’ve had to work twice as hard to be taken half as seriously since I have become a leader, and I am not alone. I find the more I ask other women leaders to share some of those stories, the more I learn. The more I share my stories, I build up other leaders. I once walked into a conference room of all male Lawyers to present a security strategy. I was running late and had just got off a flight and headed there straight from the airport. I walked into the room and one of the men immediately asked me for coffee, assuming I was there as part of the breakfast service. I let it roll off and made a joke so I didn’t make him feel uncomfortable. The stories of how Women leaders in Technology have had to deal with adversity are powerful.
- It’s not enough for men to try and treat women ‘equal’ — men must lean in, be proactive, and sponsor other up and coming women leaders if they want to see change. Every woman I have ever mentored has horror stories of times they were treated unfairly simply because they were a woman. Here is the leadership lesson –in most of those situations the unfair treatment was unintentional, it was simply subconscious bias. One of the hardest things I have ever had to do in my career was pull a male peer aside after a meeting where he jokingly made comments that didn’t sit right with me. I was so scared but what resulted was an amazing conversation, and many conversations that followed because he simply didn’t understand how his comments were taken from a women’s point of view. He never intended to create a culture of bias but understood that he in fact, did. From there forward he became a champion of change and has had several conversations with other male leaders about their own behavior. In a conference room full of male leaders, the one woman at the table immediately knows she’s the only female there, and her guard is up, she is trying to fit in. Help her feel equal.
- Powerful women leaders need to be intentional and mentor their male counterparts in how to sponsor and raise up other women. What do women need from their male counterparts to become leaders in technology? You would be amazed at how many men I have asked this question to that have confessed they have no idea how to help. They agree there is a huge gap for women, and that we face challenges, but they don’t know how to solve the problem. We as women need to share more of what we need to feel equal and men need to be willing to ask.
- More women leaders start with women leaders. Every woman leader in this industry has something to share with other women leaders passionate about a more equal future. I have found in speaking with other women leaders it has sparked many great ideas on things we can accomplish together.
- As a woman in this industry, I have to search out opportunities to grow other empowered leaders of change, regardless of race or gender.
The Bench Leadership program I started in my own organization was started to ensure others had a path to learning leadership skills. So much of learning and growing as a leader is situational, we need to create those opportunities proactively.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them ☺
Satya Nadella — he has inspired so many of the leadership and parenting qualities that have changed my life. Raising four daughters with my oldest being disabled has been a challenge, but I know he knows!
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!