Date: 2021-06-24

…Don’t take crap from anybody. There is acknowledging that people are smarter than you or have a different idea than you and that you can agree to disagree. But there’s absolutely no reason to think that you are less than who you are because of that.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Jen Ayers.

Jennifer Ayers is the Chief Operating Officer at DNSFilter (www.dnsfilter.com). The former Vice President of OverWatch and Security Response at CrowdStrike has over 20 years of cybersecurity experience. Prior to her role with CrowdStrike’s OverWatch team, Jennifer was the Director of Product Management at CrowdStrike and spent three years at FireEye on the Security Operations side. Jennifer also held multiple roles for GE as a cyber leader in incident response, computer forensics, and supplier security.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

It’s kind of a curvy story — just as many are. I grew up in Southern California, the oldest of five kids. As a kid, I actually wanted to be a doctor. However, I joined the U.S. Army right out of high school and spent a little over four years there. That is where I did a lot of my growing up. When I left, I began working for G.E. One of the reasons I went into the military was in hopes of starting my college education immediately after, only to have G.E. take care of my degree in business. I started out in their network operations team for about six months before moving over to their information security program. At the time I was one of three people working on their Information Security program.

After thirteen years working at GE and building out their security programs, I left to work for a company called Mandiant. It was quite an enlightening experience to go from a corporate enterprise background and moving into a vendor space. That is where I really was able to develop my passion for cybersecurity. It was really about learning that there was a much bigger world to protect outside of the domain in which we are operating in. As part of Mandiant, which was later acquired by FireEye, I helped build out their managed computer incident response team. At FireEye, I moved a bit into the intel space and worked in their threat intelligence organization.

I moved over to CrowdStrike in 2015 as a project manager for their threat intelligence. That lasted a pretty short time before I started to lead the development of their Security Response Team program, which focused on the Falcon platform. I joined DNSFilter as the Chief Operating Officer in early 2021. We are a very small startup that focuses on security via DNS. So I can honestly say I’ve done everything here, but cyber so far (which is definitely what I was looking for). This role has given me an opportunity to better stretch myself as a leader from a business leadership perspective.

And the key benefit of working here at DNSFilter is really the great people and the great culture, and absolutely the great product that we have. I understand this space and have a technical depth and knowledge that I can certainly bring to the table and in return, I get to learn how to be a better business leader.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

The funny thing is, I actually never have an answer to this question. I don’t watch a lot of TV. The only podcast that I actually listened to is the White Rabbit podcast — and that’s because it’s run by a friend. I’m very much the type of person, I think, that prefers to experience things more so than read things.

A book that did have an impact on my life is called The Nibble Theory. It’s actually a really good book that talks about the sphere of influence and self-awareness and how you influence others. I’m a visual person — I need to see it and I need to hear it. That truly helps me retain information better than just the written word. So I like to throw myself into full-fledged experience, and that’s where I see the most impact.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Oh, that’s a tough one. There are a lot of those. I’ll start with the one that I have carried with me from early on in my career coming out of the military. It was actually a piece of advice that someone that worked there gave me (and I’m actually still friends with her to this day).

She told me, “You know, just to let you know, nobody’s going to put on your gravestone — ‘Jen was a good GE employee.’” And the reason why she told me that was because I think all of us in a way have a tendency to forget that there’s life outside of work. It wasn’t until a few years later that I realized that I was actually missing out on paying attention to some activities that were going on in my son’s life. He was fairly young at the time. I kind of realized that we as adults are going to be working a really, really, really long time after we turn 18. So at a minimum, find something that you’re happy with doing. But if you’re miserable doing something, it’s just a job and no one’s gonna put on your gravestone “Someone said I was a good employee” — go find what makes you happy.

Are you working on any exciting new projects now? How do you think that will help people?

We definitely have a few things in the works right now at DNSFilter, in terms of very innovative ways to do security via DNS. There are things that, as a professional, you just inherently take for granted that don’t exist in a small startup company like this. Everybody’s willing to learn. But I think the most shocking part of it to me was how many ideas that folks here have that needed to be bubbled to the top. We have some really good innovative ideas that I won’t go into too many details on. But, let’s just say we’re taking an industry that has had security in it for 30 plus years, that has not changed in the least bit, and looking at doing it better, and slightly different. You don’t have to change DNS in itself, because DNS is the fundamental core of how the internet works, for lack of a better term, or how the resolution is ultimately done. But you don’t exactly have to secure it the same way that it’s always been. You can actually take that and do security via DNS. So our mission I think, for this year, and maybe the next couple of years is to challenge the way the industry has approached security.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I think the fact that the general awareness has increased tenfold around what cybersecurity is is very exciting. But cybersecurity has been around for a really, really, really long time. So it’s not net new, in a sense that this stuff has just started happening, or just started happening with the 2016 election. It’s been happening for probably between 15–18 years in terms of most known instances, and who knows what happened before that. But the reality is, it’s exciting because it’s getting visibility. People are becoming more aware of threats that people, like myself and other security practitioners, have been protecting against for decades. The fact that the world is now becoming aware that the internet, while highly useful, is not always your friend.

We’ve moved the internet, especially over the last year, to different levels than what it had ever been in the past. And the downside is, despite the warnings, despite the advice, despite the tools and the regulations that have been put in place, we continue to press forward into this boundary-less space without protection. And I think it’s really good that the real threats are starting to come to light. We’re going to start to see policy generated around these types of threats, that we are going to move from that physical security game of old spy and cold war type techniques and things like that, and start moving that into cyberspace where it ultimately needs to be.

You don’t really know about a threat unless you ultimately become aware of a threat, right? You don’t know that that predator is sitting on the side unless you have gotten some sort of indication. Maybe it’s your instinct, maybe it’s a sound, maybe it’s a smell or something that triggers to you that you are ultimately in danger. I don’t mean to cause all sorts of fear, uncertainty, and doubt, because there are tons of ways to protect yourself. There are tons of ways to be able to protect your company. And there are tons of ways that we can protect our country. However, one of the most important things to me that needs to happen is cybersecurity needs to be considered part of a business process, not some offshoot in an IT department. Security needs to be considered just like sales, marketing, and business development.

I see it starting to come to the forefront that more investment needs to be placed in this. It’s not just a tool problem. It is people, process, and tools. You cannot just buy the latest hot security product out there and expect it to work. You need the people that can come in and run the product. You need the people that can educate your business and that can educate your users and your customers on how to leverage that type of protection.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The truth is, if you have something somebody wants, they’re going to stop at nothing to get it. If destruction is their mission, then they’re going to do everything they can to destroy whatever the objective is. If intellectual property theft is their mission, they’re going to do whatever they can to take that, if extortion is their mission to get you to pay money, or to get you to pay the ransom, they’re going to do that. The key thing is there are a lot of threats out there and handling them one by one is never going to win you that game. So take a step back and go back to the basics of your security program. Go back to the basic things, especially now that we’re moving out of the office space and the traditional boundaries and into this virtual space. Go back and look at how your environment is set up, make sure that you can secure your users anytime, anywhere from any device. Make sure that you are being fair, and implementing security, but not preventing the business from being able to do business, because that will ultimately end up in a battle that will never be won. There are tons of choices that will allow you to pick the best one for what your business requires right now. Security is expensive, but it’s not that expensive. There are a lot of things out there today that allow you to essentially customize and choose what is going to allow you to do your business in the most secure fashion.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes, of course, I have a personal story as I’ve been doing this for a long time. But I think the downside is that I can’t really necessarily talk about them in detail. One thing I can share is that in my previous role at CrowdStrike, our number one goal was to effectively stop threats. You are a needle in a needle factory, looking through billions of events and data to find that one anomalous thing that told you that something was bad. It is not something that you can determine by an AI as this is not something that you can automate. These are the types of behaviors that humans emit. Because effectively what we did was hunt other humans. So every day of my life for five years, we helped customers protect themselves against breaches and identified when there was suspicious behavior going on, and notified the customer and worked with the customer right away to disrupt that adversary activity. You may or may not even notice the chances are fairly high that you will not be able to prove that an adversary is getting in, especially once they’re already in, but the name of the game is to make sure they cannot achieve their objectives. And that’s what we did every single day.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

When it comes to tools, there are so many options out there. It really depends on what level of business you are at to determine the best fit for you. There are three different types of levels that you need to take a look at and I’ll start with probably the most fundamental level that exists, and that’s called the user. Users are the genetic makeup of every company because they’re the people that effectively work there. They’re the customers that buy your stuff. They’re the suppliers that you ultimately do business with and the partners that you ultimately resell for. So making sure you understand who your users are, and what your users do, and what they need to do is probably one of the most critical aspects. Your users are ultimately your weakest link, right? My job is to help educate you on the things you should do and the things you shouldn’t do. The second piece of that is system security. Endpoints like your server environment, cloud environments, the things that people access to perform the function of their job, or the transactional systems that do the financial processing for credit card transactions.

The third thing is network security. And this is one of the ones that I think has probably had the most dramatic change, I would say, between the last eight years or so where we’ve seen the most dramatic shift. And you can equate that to remote working, office closures, VPN type of solution, new things that allow people the flexibility of working mobile devices, iPads, Android devices, connectivity from anything that can refer to the Wi-Fi connection. Network security has essentially morphed from something very tight perimeter of when you walked in that office door, and you only had your company and your company networks. When you went home, which was your home network, that boundary is gone and doesn’t exist anymore.

2020 blew that boundary out of the water like no tomorrow. We saw companies that had never had remote work plans in their life immediately having to make remote accessibility for their employees to be able to keep them on the payroll. We saw probably the most influx of insecure methodologies to doing that in 2020. And of course, the biggest level of targeted attacks or ransomware attacks that anybody’s ever seen.

I think those are the three areas that I would say are the most critical. And I didn’t pinpoint a specific tool because there are hundreds of tools in each of those different spaces. It is about doing the appropriate research, it is about understanding the affordability, and it is about finding a solution that is going to give you basic security and allow you to mature your security program.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

We encounter that on a day-to-day basis with bizarre random LinkedIn connections or emails. When we get emails from our boss, but it doesn’t exactly sound like something that our boss would directly say. Your instinct, believe it or not, may or may not be more right than you think. When that little thing is off? That’s the moment when you should question something. When you get that email, it doesn’t hurt to reach out to that person directly and ask them if they sent that. That one-step validation hurts nothing. If you get LinkedIn contacts that you don’t know, it’s okay to ignore it. Because if they really want to contact you, they’re going to find another way. If it’s really somebody you know or somebody that you met, you would recognize the name. The most important thing for me is to be able to have a little bit more touchpoint and validation, and that is that they actually send me a message as part of that connection request. Your instinct is usually going to be relatively good in most cases when something on the social side is not okay. And I think we have to get over our fear of being perceived as paranoid by just taking that extra step and asking that question.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

The easiest thing to reference at this point is, you know, every year a number of companies (CrowdStrike, IBM, Dell, and others) produce these annual reports talking about the key threat vectors that they have observed — the key entry points of breaches. I think that sometimes that type of information isn’t paid attention to enough. For example, I would say last year in 2020, especially pre-pandemic so many companies had to adjust to that remote workforce that they went on, like Google, and searched for the fastest way for remote access, and just bought and implemented the first thing they found with no thought about the security of that specific tool or product. I think we just have to be more careful in crisis to have security as part of our fundamental checkboxes, more so than the afterthought. But every time we react like that, and we miss that security checkpoint, we are leaving gaping opportunities for organizations like e-crime to come in and ransom your environment.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

So as a woman in STEM, the answer is — no. There aren’t enough of me. I was actually just having this conversation with a friend the other day about panel interviews with cybersecurity professionals. And they commented that it seems like every panel is missing a woman, there are not enough women on these panels, they’re being excluded. And it is probably because there are not that many of us. Unconscious bias is too easy to get into, and I’ve even been guilty of that myself.

One of the things that I’m working on changing both with myself and you know, subsequently here as a company, is the only way to make those changes is to change the standard. And as a woman in cybersecurity as a woman in tech, we have a fundamentally different way of how we do things. For example, with writing our own resumes — we don’t brag about ourselves enough. It’s just not in our nature to use words like I’m the best, right? So, how do we make sure that diverse candidates are being bubbled to the top? So for me, if I look at a resume, if you’re a woman you can interview first. If your resume meets the criteria, you’re in the candidate pool and you go straight to interview. And that’s the only way that I can think to do this. It is a drastic measure, I’m sure there are probably more appropriate ways. And I’m sure there’s somebody in this world, that’s going to be completely offended by what I just said. But I have an opportunity to change that dynamic within, you know, within a realm that I now control, and it is the only way that I can ensure that we as a company are giving women in this space a fair chance at being seen and heard and given an opportunity. We just need to be a little bit bolder, and I’m going to be the variable by just saying “okay, you get to go to the front of the line.” It doesn’t mean you’ll get the job, but you’ll get out of the front of the line.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

There are no innocents in this game. That is probably the biggest one. One of the most interesting things to me, especially back in the Snowden days, you go to another country and the first thing they bring up is about how the NSA is spying on everybody.

There are no innocents in this game.

Every single government does it. If they have the capability, they do it. The second myth I would probably dispel is security. There’s always been a little bit of a push and pull between security and privacy. And I think people think that the whole purpose of security is to spy on people. And the reality is: we don’t have time for that. We’re worried about protecting our systems and protecting our environments. Unless you’re violating some sort of policy and somebody specifically asked me, like HR or someone asked me to do some level of an investigation, you’re not on my priority list. I don’t care if you’re talking to your mom on chat or checking your messages. What I care about is making sure that you’re not clicking on links that ultimately lead to the download of malware that ultimately will cause my business to be disrupted. That’s what I care about, not what you’re doing specifically. It’s easy to get swallowed into the idea that Big Brother is watching you, but when it comes to security we have a priority list.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

It took me a long time to get to where I am today. How do you balance self-awareness and confidence against arrogance? How do you balance that? And I think one of the things that I’ve maintained and has been the most important thing to me as a woman in tech.

Two, I guess I should say is don’t take crap from anybody. There is acknowledging that people are smarter than you or have a different idea than you and that you can agree to disagree. But there’s absolutely no reason to think that you are less than who you are because of that.

Another is realizing that it’s okay to be who you are. I thought, for years, not to become an executive. I did not want to become an executive. I felt like it wasn’t that I didn’t have an upward trajectory in my career or wasn’t offered it, it was just, I turned it down, repeatedly. The reason for that was because my perception of people at the executive level was, to kind of put it bluntly based on my experience at GE based off of my experience at FireEye, was even to sell your soul a little bit. The idea that you had to do things or agree to things or promote things or buy into ideas that you didn’t necessarily believe in because you were an executive.

I was working with this gentleman at CrowdStrike, his name is Dimitri Alperovitch. Dimitri told me I had to become a VP. “You have to become a VP, you will become a VP.” Oh, he pushed me — even though I did not want it. He gave me the promotion anyways. I realized I could be VP and still be who I am. What I needed was a company that respected me for who I was. The key thing to my success there was the fact that people respected me. They respected me before I became a VP, and then they respected me after I became a VP, because I didn’t fundamentally change who I was and I wasn’t going to change who I was. So I would say those two things are probably the most important, don’t lose sight of who you are and don’t take crap from anybody, because it’s not necessary.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

My wish has always been to sit with Ruth Bader Ginsburg. Unfortunately, she’s no longer with us. Had I had a window, a sliver of a moment to have had breakfast with Ruth Bader Ginsburg, I would have done so in a heartbeat. Just to listen.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!