2021-05-25

Find your way to be heard. I have a quiet voice; the use of Zoom has made it even more difficult to be heard over the more dominant male voices on the call. I now speak and repeat myself until I’m heard. I command that I am listened to until I have made my point too — otherwise you are interrupted mid-sentence and lose track. This takes a lot of confidence to be so assertive — it has taken me decades to find that assertiveness — be great if women’s voices were given space. It is one of the reasons I prefer to write than talk.

Susan’s first career was as an analytical chemist, then for the last 25 years she has worked in the cybersecurity and digital identity space. She is currently the R&D Director at Avoco Secure and creates content for Infosec and others on cybersecurity matters.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born into a large family with an Irish father and English mother. I grew up in Newcastle upon Tyne in the north of England. My family were about as poor as you can get in the UK, and as kids, we often had to ‘make do and mend’ with hand-me-down clothes and shoes. I had a mixed education, receiving a full scholarship to a private school at 11, but was unable to take up the offer as we couldn’t afford various accoutrements of that type of education. I left home at 16 and my older sister took me in. I had to work two jobs to pay my way, but I did manage to get into university at 18. I subsequently dropped out of university to spend time on activism (this was the early 1980s, a very difficult time in the UK). I became pregnant at 20 and ended up eventually back at university a few years later, by then a single parent. I started a degree in chemistry when my daughter was 4. I graduated and worked in the chemical industry for several years before teaching science. At around 31, I co-founded a software company with my partner that focused on encryption and access control. We did this while renting a local authority flat; the software was originally developed out of the bedroom of that flat. We both had to work full-time while building the business; not having any safety net in terms of savings or family that could help out meant it was really tough. We eventually took a chance and sent the software for review by SC Computing Magazine, and they gave it 5 stars! That was picked up by two Fortune 500 companies who bought corporate-wide licenses, and that gave us the revenue to leave our jobs and do the business full-time. A lot has happened since then, much water under the bridge, enough to write a book in fact. Since then, I have been involved in two more start-ups and work for Avoco Secure, an identity data orchestration platform, in product R&D. I also write a regular column on security matters for Infosec Institute.

I am an advisory board member of Surfshark and of Think Digital Partners, a government security conference company. I’m a pantheist and I try to be a decent human and work to minimise my negative impact. I try to help where I can and help out when I can with a great charity called Journey to Justice in the UK.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Contact with Jodie Foster. This is the film of the Carl Sagan novel of the same name. It is about a young female cosmologist who has a dream and the hurdles she faces as a female in a very male-dominated industry. As an ex-scientist and long-time technologist, I have experienced some quite shocking instances of sexism and even misogyny that have had a negative impact on my experience of working in those industries. In the film, the character played by Jodie Foster wins out and also learns a lesson about fortitude. The film resonates with me on a very personal level, and I hope with all my heart that men and women can find a place where all personalities and people from all walks of life can use their talents optimally.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My partner (a lecturer at the time) and I had a dream to create our own software company. At the time, my partner was looking at ways to prevent students from having access to exam papers. Encryption seemed to be the key. This was back in the days before ubiquitous internet access.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I’ve made a lot of mistakes! This wasn’t funny at the time, but we have laughed subsequently. A colleague and I were at a customer’s site. We were working on installing some encryption software. We thought we knew Unix — we didn’t… In the end, after much sweating and furtive glances, we found that we had accidentally deleted the operating system. Not sure exactly what happened. The client was actually very calm and fine about it — we must’ve looked mortified, and they probably felt sorry for us. Amazingly, we kept the client.

The lesson learned — don’t pretend to know something you don’t — ask questions, fess up and do your homework well in advance.

Are you working on any exciting new projects now? How do you think that will help people?

I work in the area of digital identity — specifically consumer ID, using data to verify a person is who they say they are. There are lots of exciting things happening in identity now as it is central to security and safe transactions. I am working with certain financial institutions to try to deliver a seamless user experience using already KYC-checked bank data to make the trust part of an online experience much better: if the data is already checked by a bank, then a retailer can use this to create more trusted interactions with customers. Open Banking has driven this and makes the whole system available to a wide user base as the open banking APIs are already built by thousands of banks. This should also reduce the number of accounts we all have as this replaces the need to always make a new account with every retail site you buy from. It should also cut down on synthetic identity opportunities, credential stuffing attacks, and account takeovers.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Keeping up with the cybercriminals: Whatever clever method or security tool that comes out of the woodwork, it always seems that the cybercriminals are one step ahead. It truly is a war of attrition. Even smart tech like machine learning, which is helping massively in the fight against payment fraud (for example), is an invitation to cybercriminals to up the ante at their side. Deep fakes are one such area where the technology has major potential for making areas such as identity verification a target — as the industry increasingly uses facial recognition for verification and authentication, it is likely that cybercriminals will circumvent security by using the same tech. Saying that, there are some real clever bods in the security industry; we just have to recognise the risk vs. benefit model of modern cybercrime prevention.

Lack of diverse thinking and disciplines in design groups: The UX of security is an area I have had a lot of experience in and it’s an area that often gets overlooked. An example is the authentication aspect of a user account. If the user experience is too complicated, then people will often find ways around any barriers to use. The Google uptake of two-factor was very low because that extra step was just too far for most users. It comes down to understanding human behaviour and how humans address risk vs. benefit. Design teams need to be diverse to ensure that they encompass all possible behaviours and issues. For example, a disabled user may struggle with certain authentication measures. I wrote more about this in an Infosec post here: https://resources.infosecinstitute.com/topic/the-user-experience-of-security/

The human needs to be in the middle of the machine: I am a huge fan of the application of the tenets of evolutionary anthropology to security and product design. By understanding human behaviour better, we can perhaps understand cybercriminal behaviour too, and use knowledge against them, as they use our own behaviour against ourselves — phishing and other social engineering being a case in point.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

A mix of smart tech and social engineering. Cybercriminals have had enormous success when using social engineering tricks. The Covid-19 pandemic highlighted this with massive increases in scams and phishing that had a pandemic-related theme. Mix that with some emerging tech like deep fakes and you have a perfect storm. I believe this heady mix will be used increasingly with an identity flavour: using social engineering to trick systems and/or individuals into issuing a verified (and therefore trusted) digital identity using deep fakes and so on. Once an identity is verified it is trusted and will be a valuable commodity. I believe that verified ID, as it becomes more common in the consumer world, will be a critical target and one that will take synthetic IDs to a whole new level. I predict a move to a model of zero trust for identity, turning the principle of “never trust, always verify” into “always verify, never store”.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

A very large network of libraries in the UK was being continuously hacked. They had a lot of public terminals and it was extremely difficult for them to lock down the computers, whilst allowing access to their customers. This was an early case of the importance of ‘privileged access’ and control over the actions allowed on a desktop. Many critical actions were too easily bypassed. I helped install a system that was granular enough to allow access to those who needed it, allow customers to use the computer for allowed apps, but prevent any system changes, etc.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Two-factor authentication — I use a TOTP authenticator app wherever possible, but I do know that this is a hurdle for many folks. I shy away from password managers.

I use a VPN for browsing privacy and it has a built-in dashboard that alerts me of possible data breaches that include my email address/password/credit cards — I am very paranoid about this aspect of my security as I have been a victim of an attempted identity theft (I managed to stop it before it went too far).

Caution and awareness are also vital tools in protecting myself. I have also been a victim of spear phishing on several occasions, and someone tried to extort money by opening a fake Facebook page to blackmail me. I don’t use Facebook at all and try to limit my social media use now — apart from LinkedIn. You have to remain highly vigilant to use the internet safely.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

It depends on the type of breach. A person might not even know until it is too late. Warning signs take many forms depending on what has happened — vigilance should become a natural state, which is awful, but necessary:

You may notice that some small amounts of money have been taken from your bank account or credit card that you can’t remember making. A technique used by fraudsters is ‘silent fraud’ where small amounts are taken out across many accounts to help keep the fraud under the radar.

Malware infection on a laptop can easily happen, even if you are running anti-virus software. A tell-tale sign is the slowing down of your computer or apps not opening correctly. I regularly manually check my laptop for suspicious applications running, but the lay person probably wouldn’t want to go that far.

Identity theft and synthetic IDs that are created using some of your data give off signals, but they can be subtle. Watch out for unusual activity on financial cards, unusual letters arriving for accounts you haven’t created — this is one of the ways I circumvented the identity theft attempt in my name. I received a letter from a credit file agency showing an account in my name had been partially opened with them — the letter contained the second factor code needed to initiate the account. I called the agency and had the account stopped.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Ideally, you should have an incident response plan to follow:

Make sure it is an actual breach — sometimes cybercriminals will use decoy tactics to take attention away from another area of attack — triage the breach.
The breach then needs to be contained; this might mean isolating the impacted areas of the network to minimise the impact of the breach.
You need to deal with the infection or breach; again, this depends on what the cause is.
Collect data on the incident. Artefacts are important as they can be used to understand how to prevent further breaches/incidents.
Make sure that employees understand what happened and why, and how to prevent it happening again if it originated from an employee.
You may also need to adhere to compliance regs, such as providing a public breach notification and contacting the authorities.
If this involved customer data, the company should contact affected customers promptly with advice on what to look out for and how to protect themselves.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Relying too much on endpoint anti-virus software — modern malware uses a myriad of techniques to avoid detection. There isn’t a one-size-fits-all for malware protection; it takes many layers to stop infection, from security awareness of the entire workforce and vendor ecosystem to the use of tools such as smart spam filters and content filtering.

Not using a second factor for application access — most applications now offer 2FA and, if it’s available, configure its use, especially for work access.

Printing is also a forgotten security gap — secure cloud printers can be very useful for preventing accidental and malicious data exposure.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I’d be naïve if I thought that the status quo was so much better than it was 30 years ago when I entered STEM. I have had some pretty shocking experiences in my career, from being told to ‘wear a skirt to work or be sacked’ to being sexually harassed at work to being ignored in a meeting even though I was the most senior person in the room. I have also been shouted at a lot, including recently, even though I am a director — I had one man shout at me and then apologise to my fellow director (not me) for doing that. I tend not to experience extreme sexism now, but that is likely because I am a middle-aged woman and because I now know how to handle any sexist shenanigans, I simply nip them in the bud by being super assertive (or aggressive as my male colleagues might say…). However, I am still, to this day, invariably the only woman in the room. This may seem like nothing to anyone who hasn’t experienced being the ‘other’; but I am acutely aware of it when I am that other. It makes me feel like I need to prove myself as I represent a minority, it makes me sad that this still happens.

Changing this seems to be taking a long, long time. I am hopeful that my granddaughter who is a pre-teen will not experience it, but I suspect she will. I have no simple answers — I have tried myself; it isn’t easy to attract women into the industry. It will take a concerted effort by all and that means that men must help — and on this latter point, I am noting a lot more men are now intolerant of sexism which I applaud them for and thank them.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

Cybersecurity is not an industry that has a single role. It is a community of people who work across all aspects of security, from developers who make software and configure systems to administrators to managers, analysts, marketing specialists, and content creators. Disciplines such as anthropology and psychology are finally being recognised as an essential ingredient in the fight against cybercrime. They all come together to educate and participate in thwarting cybercrime attempts. It is an amazing industry to work in and can be incredibly interesting, especially the human-side of cybercrime — behavioural ecology is an area that I expect will be an essential part of cybersecurity as we move into more sophisticated social engineering attack landscape.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Find ways to manage your anger. You often come across situations as a woman in a managerial position where your views are dismissed in front of people or even actively stolen and presented by a man as theirs (I have had this happen to me on numerous occasions and am always amazed at the lack of shame by the person doing that).

Find your way to be heard. I have a quiet voice; the use of Zoom has made it even more difficult to be heard over the more dominant male voices on the call. I now speak and repeat myself until I’m heard. I command that I am listened to until I have made my point too — otherwise you are interrupted mid-sentence and lose track. This takes a lot of confidence to be so assertive — it has taken me decades to find that assertiveness — be great if women’s voices were given space. It is one of the reasons I prefer to write than talk.

You don’t have to be ‘one of the boys’. Be yourself, don’t try and be one of the boys just because you feel you need to fit in — it is too stressful long term. Find ways of being who you are and capitalising on your personal strengths.

Be assertive: You will need to be assertive many times in your career; it’s a good idea to practise this one. It took me many years to pluck up my courage to speak out when I was unhappy about a situation, and I still sometimes find myself so shocked at another person’s behaviour that I miss the opportunity to confront it effectively.

Become the best you can be at your chosen domain. Nothing is as confidence boosting as just being incredibly good at what you do.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I’d love to have a cup of tea and maybe a gluten free cake with Susan Wojcicki of YouTube. She has made it to the top of a very male-dominated industry, and I’d love to ask her how she coped with some of the issues on the way.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!