Date: 2021-06-24

Recognize the stereotypes and misconceptions that people might have of you, and remember the ones that don’t get you are not your audience. I watched the first female Blue Angels talk about how a man told her once that she was a disgrace to the profession because she was a woman. She told him he was not her audience.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Karen Hsu, Chief Marketing Officer of Appdome, a SaaS company providing no code mobile application security. With over 20 years of experience in technology companies, Karen is co-inventor of 5 patents and has worked in a variety of engineering, marketing and sales roles to bring new products to market. Previously, Karen also founded BlockchainIntel, a company that worked to increase trust in Blockchain by preventing fraud, and the nonprofit organization Blockchain by Women, to increase diversity and education in the blockchain and digital currency space.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born and raised in the suburbs of Chicago. My mother was a software engineer and my father was a chemical engineer. Because my mother was a software engineer, every month she was “on call” to fix bugs that brought the production system down. Because there was no internet at the time, she would have to drive into the office to fix production issues, even if they occurred in the middle of the night. A couple of times I went with her. She’d put a couple of chairs in a row for me, and I’d go to sleep on them until she was done. For a time as a child, I thought a lot of women were software developers because that is what I saw.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

As a kid, I read a lot of books about revolutionaries. I was so inspired by their dedication and selflessness that I wanted to be a revolutionary. While I started with biographies of political revolutionaries, I moved on to scientific revolutionaries like Marie Curie and those fighting for social justice.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Early in my career, we had a customer who had been slapped with a lawsuit for money laundering tied to child pornography. We dropped the customer, but it made me ill to realize that we’d been working with someone who potentially tried to use our solution for horrible, fraudulent means. I altered my career direction towards security and fraud prevention shortly afterwards by founding BlockchainIntel, which focused on preventing fraud.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

The first thing that comes to mind is not so much a mistake as it is funny to me. When I first started working in enterprise software, I realized how much more I was judged based on how I dressed and looked as opposed to what I was doing. When I was traveling to a sales meeting with Dell, people asked me if I would help them with their bags, thinking I worked for the airline. When I went to conferences where I was having business meetings, people would ask me where the refreshments or bathrooms were. I learned to stay focused and come prepared to every meeting regardless of misconceptions or preconceived notions.

Are you working on any exciting new projects now? How do you think that will help people?

I started a non-profit called Blockchain by Women to increase diversity and education in the blockchain space. I got tired of seeing white-male-only panels at blockchain conferences. I knew women and minorities who were equally, if not more experienced. Their perspectives, vital to future development of the blockchain industry, were being left out because they were not being shared. With Blockchain by Women, we hold regular panels where a diverse set of perspectives are shared on the latest blockchain developments, including security and risk related to cryptocurrency, blockchain and central bank digital currency projects. As the space has grown in investment, fraudsters and hackers are increasingly focusing on users and companies in this space.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I am excited there are new ways to detect signals coming from fraudsters instead of waiting for the fraud to happen. For example, we can catch when bad actors are abusing elevated privileges of an app to then remotely control the app. We can see when fraudsters are trying to hide their malicious actions. We can also see when fraudsters are creating fake versions of legitimate apps.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

I am concerned about education of users and companies, the speed at which fraudsters and hackers are evolving, and how these hackers and fraudsters are using the same tools that legitimate developers are using. To address education, we need writers like you to continue to write articles for the public. We need educational events where people talk to each other about current risks and how to address them. To address fraudsters and hackers and the new ways they’re attacking and committing fraud, we need to use new technologies that can stop them before they commit fraud or launch attacks.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Accelerated by the pandemic, we are increasingly using our mobile devices to communicate, work, shop and get things done. As a result, fraudsters are increasingly targeting mobile apps. Existing mobile fraud prevention solutions are designed to protect networks and network resources first. While the fraud is occurring and fraud prevention systems are learning, mobile end users (i.e. people) are being impacted by the fraud. Also, when a bad act is identified and the system enforces protections against fraud, these enforcement points normally include blocking network traffic. Even though the network is protected, the target mobile end user and app remain at risk. As a result, fraudsters are using click bots, mobile malware, cheat engines, and large scale virtualized environments to carry out and launch credential stuffing, mobile app overlays, mobile app clones, fakes or trojans.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I started a company called BlockchainIntel to help identify fraud. We worked with law enforcement to track security breaches and fraud involving cryptocurrency. In one case, we tracked about 6M dollars in fraud through hundreds and hundreds of account transfers and multiple currency conversions. We were successfully able to track the stolen funds to an exchange account, which then led to a bank account. The main takeaway for me was that once fraud had been done, a lot of damage had been done. Many resources were spent on addressing the damage, finding and prosecuting the bad actors. It would have been a lot better and inexpensive to have avoided the fraud in the first place.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I have a system as well as tools to manage my credentials, keeping in mind not to use the same credentials more than once. I also have tools to alert me of potential fraud or security threats in my communication (e.g. emails). For secure communication of sensitive issues, I will use Signal and Keybase. Mostly, I am careful about who I am interacting with, especially those who I am sending funds to or receiving funds from.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Any phone service, email or SMS asking you to make payment, enter credentials via a link or share confidential information — Check all email addresses asking for payment or asking you to enter any sort of credentials.

Any app that you are suggested to download — Many people download malware without knowing it. They think they’re downloading utility or productivity apps but they’re downloading malware. This malware is remotely controlled by bad actors who turn the mobile app into a weapon against the user and the app publisher.

Change in privileges on your device — Hackers will trick users into elevating administrative privileges that allow the hacker or fraudster to gain control remotely. For example, if you have not enabled Android Accessibility Services, a bad actor might be using your app to click, read/write SMS messages and email, intercept/read two-factor authentication codes, or steal keys.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Address weak application security and encryption — Use advanced white box cryptography and threat aware encryption keys to encrypt app sandbox, encrypt files, strings, resources, preferences, strings, xml, Java, DEX, DLL, native libraries (.so), and more with AES-256 encryption or FIPS 140-2 cryptography, no SDK and no coding required.

Protect mobile app data from breaches and hacking attempts including tools and methods.

Protect mobile apps from running in compromised environments. Hackers root Android and iOS devices to gain full administrative control over the device and compromise the mobile app security model.

Ensure a secure communication channel between mobile apps and the application servers. Provide a multi-level defense against man-in-the-middle and other network-based attacks.

Protect Android and iOS apps from malware that may be installed locally on the mobile device. Prevent harvesting of user generated data by keyloggers. Block overlay apps from displaying over your app and harvesting/stealing data.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Companies are not addressing data security and fraud together. Companies are often taking a reactive approach to fraud or looking at security at a network level only.

Essential steps:

Have a proactive approach. Rather than let fraud happen, stop mobile fraud at its source by blocking abuses of applications and operating systems, and denying fraudsters the ability to weaponize Android and iOS apps against the publisher. This means mobile apps can independently recognize and defend themselves against the top methods used to attempt, commit, and carry out fraud. With a preemptive approach, companies can prevent reputation loss, lost funds and resources to addressing fraud.

Put the mobile end user and the user experience first. Preserve the trusted user experience, fair play, and legitimate app use, block mobile app cheaters, and ensure that mobile end users avoid identity theft, account takeovers, lost funds and other forms of mobile fraud.

Look for solutions that ensure rapid deployment of your cybersecurity solution. Look for security and fraud prevention solutions that ensure that security and fraud prevention objectives can be achieved without any dependence on engineering teams or development resources. Make sure the solutions have guaranteed compatibility with any Android and iOS app ensures that no matter what the fraud, from weaponized mobile apps, to click bots, sneaker bots, overlay attacks, and cheat engines.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I am not satisfied with the status quo regarding women in STEM. I am still surprised to see that:

Few women are in the C-Suite at security companies. I am the only woman on the leadership team at my security company.

Only 2.3% of VC-backed startups are founded by women. I was turned down by a number of VCs so can vouch for that number.

Women are not recognized as thought leaders or entrepreneurs. They are not asked to speak on panels at conferences or be part of founding teams.

We need to change all the above. When grooming the next group of leaders, companies need to look at everyone as being eligible for promotion. We need to change attitudes. Existing leaders and co-workers need to stop stupid questions like:

What makes you think you can do this if you don’t have the experience?

You just had a baby. Why are you at this management training?

Who’s watching your child(ren) when you travel? Or at work?

I felt all the time I was expected to drop out of the workforce instead of encouraged and mentored like my male counterparts. Here are specific changes:

To combat the sexual harassment and bias, we need to actively seek diversity in the workforce and hire people that might be different from us. Once we have a diverse workforce, we need to work on creating opportunities for women and calling out people who shut down opportunities for women. Increase the role of women as influencers, mentors, thought leaders. This means inviting women to speak at conferences and make internal presentations, not just men.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

One of the myths I’ve heard is that women are not interested in security. In my experience, women oftentimes are the most concerned about security.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Don’t be afraid to fail. I have seen women who, because they had fewer opportunities, beat themselves up when they made mistakes.

Give to get. Share with your network or community. Help them when you can. Don’t be afraid to ask for help.

Recognize the stereotypes and misconceptions that people might have of you, and remember the ones that don’t get you are not your audience. I watched the first female Blue Angels talk about how a man told her once that she was a disgrace to the profession because she was a woman. She told him he was not her audience.

Maintain a network you can reach out to for advice, to give advice, for recommendations on who to hire, etc. I have worked at over a dozen different companies. With the exception of a couple of companies, I was introduced to these companies through my network. Through these connections, you can get hired, funded, and acquired.

Coach leaders to coach leaders. Motivate your team to not only get a job done, but do things that will get them and others to the next level. We all are inundated by demands from our managers, customers, partners. And our focus is often to get the job done and move on. I ask my team to ask themselves and share: what did you learn from the experience that will help make us and the next project more successful?

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!