Date: 2021-06-05

Acknowledging hard work and efforts is essential. We ask team members to execute on our strategies and bring life to ideas. Saying thank you, and acknowledging the efforts will ensure that team members feel valued.

As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Heather Paunet. She is the Senior Vice President of Product & Marketing at Untangle, responsible for building the right products for customers, taking into account customer needs and market trends. She has over 15 years’ experience driving the development and go-to-market of software solutions. Prior to joining Untangle, she held product leadership roles at Cisco Systems, and was Vice President of Product at various high-tech security and networking companies in the Silicon Valley.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I’m originally from Manchester in the UK. I went to an all girls grammar school, just as they added “Computer Studies” to their curriculum. I found that fascinating and also found it easier than other subjects. I put myself in for a programming competition when I was 16 with two other girls. The project was sponsored by Barclays Bank and the University of Kent as they were trying to get more young people interested in computing.

My project was a record keeping system for keeping track of branding numbers applied to horses. The three of us won second place and all 3 of us got offered a place at the University of Kent at Canterbury in England to take Computer Studies. I was the only one to accept the placement and studied Computer Science and Engineering.

Once I got to the University of Kent, after being educated thus far in an all-girls school, I was suddenly in a completely male-dominated environment. Out of 400 students in Computer Science and Engineering I was one of 4 girls. At my girls’ grammar school, the boys’ and girls’ schools were on opposite sides of the road, and I once got into trouble for talking to my brother at lunch time as it was not encouraged that the pupils from each side should interact. So, it was quite an experience to go from an all-female environment to one with a 99% male percentage.

I think however, ultimately this set me up well. After 3 years of being in the minority in that environment, and ultimately finding that quite normal, every work placement since has given me a better balance than that. I’ve never felt gender balance was an issue. I learned how to interact in a male-dominated environment right from my University days, and thus everything afterwards has stood out as more diverse.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

The Shawshank Redemption is a favourite movie of mine. It shows that hard work and patience pay off, and that you have to go through the hard work and hard times before you can really truly appreciate the end goal.

Is there a particular story that inspired you to pursue a career in cybersecurity?

A career in cybersecurity for me was something that came about when I was looking for a way to do something with my high tech training that would have a positive impact and do something good, rather than simply building something for profit. Cyber security companies generally want to make a profit of course, but in doing so, they protect individuals and corporations from falling victim to mal-intentioned criminals.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

A mistake I made once, when I had a Product Management leadership role in a company of about 200 people, led to me being referred to as “That woman from America”. This may not have been funny at the time, but ultimately became so, as I built bridges across the Atlantic Ocean.

The engineering team was in the Czech Republic, and I was based in San Jose, California, USA. I met often with engineering managers and at the beginning did not know the rest of the engineering team too well, since they were 6000 miles away.

At one point, I found out that I was being referred to by some on the engineering team as ‘that woman from America’.

An example of this is when the engineering team asked (when I was not there) why they needed to work on a particular feature. The response was ‘because that woman from America asked for it’.

I realized that I had miscalculated my interaction, and had not spent any time at all looking at what might be different between my US office and the Czech office. People in the US work differently to people in other countries.

From that point, I made it a priority to be in the Czech office often, sometimes spending a weekend there at the end of my stay, learning about my team members, and learning about the Czech culture. I took part in volleyball matches on occasions, and I travelled for all important occasions such as holiday celebrations. I also took the time each visit to walk around the hallways of our engineering offices to say hello personally. I found that I had a much better working relationship after this, and I thoroughly enjoyed every visit I made to the Czech Republic because of those efforts and because of the friendships that I ultimately developed.

The term ‘that woman from America’ became somewhat of a joke after a while, and since then I have always made a big effort to make sure I communicate better and make sure people who count on me for leadership know who I am.

Are you working on any exciting new projects now? How do you think that will help people?

Of utmost importance at the moment is the work that we are doing at Untangle to address the fact that the Internet is becoming more and more encrypted.

Ten years ago, security vendors were able to look deep inside internet traffic as it passed through various security appliances and recognize dangers that could potentially cause issues.

Today, it is much harder to look inside internet traffic. Whilst there are concerns about security and potential attacks, which require looking into and blocking dangerous traffic, there are also concerns about privacy. For privacy reasons, people don’t want it to be possible to look into internet traffic. Newer techniques are now required to address this, which include the ability to spot dangerous traffic with very minimal visible data to go off.

Keeping one step ahead of attackers helps keep organizations safe, and I’m pleased to be part of that at Untangle where we are always looking to modernize our approaches.

What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

It’s exciting to see the sheer amount of cyber security vendors that are around at the moment. From the last couple of times I attended RSA (which had 36,000 attendees and 658 exhibitors in 2020) I could see that as an industry the number of vendors has grown exponentially.

What’s exciting is seeing how they approach cyber security. Having that amount of companies making cyber security their focus means that a lot of innovation can happen to build the fortresses that will protect businesses around the world.

Secondly, it’s exciting to see how those security vendors come together in partnerships, and see acquisitions happen from year to year changing the vendor landscape.

In cyber security it’s not enough to put in place a solution and then forget about it. It’s much more effective to have a layered approach to security where if one barrier is taken down, a second, third, fourth etc, is there to provide further defense, so vendors tackling it differently and then coming together make a huge difference to their strength.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

At the top of the list is the concept that we’re learning now about cyber criminals who are doing attacks with a sense of moral entitlement.

The cyber criminal group, DarkSide for example, view themselves as a business and may not feel that what they are doing is wrong. This means that any business that is profitable is vulnerable, except where DarkSide feels they would be breaking their own moral code. For example, they won’t attack hospitals, non-profits, medical companies, education, etc.

In addition, once they make money out of their attacks, they are known for giving some of their gains to charities, although some decline the gift. This is a new type of attacker, one with some morals, which makes companies not on their ‘don’t attack’ list vulnerable to attacks with potentially business crippling effects.

My second concern would be the rapid rate of adoption as new technologies are designed to block attacks. While cybersecurity vendors continually come up with new solutions to guard against data breaches, there are cybersecurity adversaries that are working just as hard to break down those solutions and find new ways to get ahead of those vendors.

Thirdly, I have concerns about organizations that, even when there are best practices to ensure protection from today’s potential attacks, do not follow best practices. For example, in the recent April 2021 Pulse Secure attack, not only did attackers find and exploit the newly discovered vulnerability, but they were also able to exploit three further vulnerabilities by looking for organizations that had not followed best practices to keep Pulse Secure software up to date. These further vulnerabilities had already been addressed by Pulse Secure, and would not have been exploitable if the organizations had upgraded their systems.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

I see that we need to keep a huge eye on the impact of the Internet of Things growing. As the IoT becomes more widely adopted, more ‘things’ are being put onto the internet. This gives incredible benefits on being able to monitor and control them easily (think smart homes), but it also exposes these ‘things’ to potential attacks if they are discovered. In the recent Colonial Pipeline attack for example, sensors, thermostats, valves and pumps are constantly being monitored to ensure that the pipeline runs efficiently. The smart tech that makes them run so efficiently is also what can expose them to potential hacks if not well enough secured.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

At Untangle, I can see a snapshot of attacks that are blocked on a daily basis and I am happy to be a part of blocking those. For example, across 40,000+ Untangle NG Firewall appliances, I can see that between 2000 and 4000 potential attacks were detected per day in May this year. We can see trojans, malware and viruses incoming constantly that were blocked by Untangle appliances.

Sometimes, I watch the numbers as they scroll through and my takeaway is that we can’t stop. The attacks keep coming 24×7 and keep evolving as well, so we need to keep building layers into our software stack to keep our customers and their data protected.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

For work purposes, I use (WireGuard) VPN software to connect to my corporate network. Any time that I am online working in my home office, I will ensure my VPN is on.

However, I also have an NG Firewall installed on my home network. I have family members including children who use our home network. It’s easy to click around when reading email, which may contain phishing links, and when browsing the internet and coming across malware on a website. Having an NG Firewall which includes virus blocker, web malware protection etc. makes me feel a lot more comfortable that my home network is secure.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

One of the most common forms of attack is a phishing attack that comes through an email message. Signs that may trick the recipient are fairly easy to spot for those that pay attention to this. Checking that an email address is properly formed, and that an email is really who you think it is from is important. For example if you have a colleague whose email address is [email protected] and the message actually comes from [email protected], this is a subtle way that an attacker might try and gain your trust by pretending to be your colleague.

Checking for multiple spelling mistakes or bad grammar within an email that you think is from a trusted friend or colleague can indicate it isn’t really from them.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

All companies should have an Incident Response process ready in case of any type of cyber attack. This includes essential steps to:

Contain the breach, so that it doesn’t spread to other devices

Activate backup systems to take systems back to a time before the breach happened

Review and change credentials, and change passwords for accounts that can access the affected systems

Review vulnerabilities that may have caused the breach, and can be closed off for the future

Keep training employees to make sure they are not the weak link (for example by clicking on links in emails that contain malware)

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

An example of a mistake that companies continue to make is one that affected the restaurant chain Landry’s a couple of years ago. Landry’s had a breach in 2015 that affected their point-of-sale terminals. After the breach, Landry’s put in place systems so that this type of breach would not happen again. However, a couple of years later, they were breached again, but this time from a different point of entry that was still not protected.

Companies can ensure protection by auditing their whole networking infrastructure and assessing everything that might be vulnerable and then making a plan, preferably a plan with a multi-layered approach to ensure that there are no exposed attack surfaces. It’s much more effective to have a layered approach to security where if one barrier is taken down, a second, third, fourth etc, is there to provide further defense.

Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I am satisfied with women in STEM. My perspective may be different from some, in that I have always found myself in a diverse work culture. For example, when working at Cisco Systems as a software engineer, we had multiple software engineers who were female and I don’t recall even thinking about it. When I later moved into Product Management, my boss was female and I recall being on a team of 5 with 3 women Product Managers and 2 male Product Managers.

Now, a few years later at Untangle, I find myself on the executive team, where we have two male executives and 3 female executives.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

Myths within the cybersecurity industry are no different in my eyes with regards to gender. For example, I would encourage every woman, and every man who is interested in a high tech career where they want to do something that matters and makes a difference to look at cybersecurity. For any technical minded individual, it’s a great opportunity to do something in tech that makes a difference to people’s lives and to the success of many businesses.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why?

My leadership lessons learned are:

People are different. To me, this is not about them being male or female, but it’s about people being individual no matter what their genders are. When in a leadership role, it’s important to understand how different people think and behave, what resonates with them. For example, someone who is more analytical in nature will be different to someone who is less so.

Being present is one of the most important factors. In my current role, and in previous roles, I have appreciated when my boss, or the leader of my department has made themselves accessible. I’ve also felt less content in my role when I have had bosses that constantly cancel scheduled 1:1’s and do not find time to respond to even emails or chat messages. Many executives get very busy, and I certainly do too, but for me, when it’s time for 1:1 with a team member, all the business gets laid on the table next to me, whilst I clear my head and give my full attention to my team members.

Listening is important. When an important decision is needed, even if there is a set direction, listening to the team and hearing their points of view will lead to better execution on the direction once decided.

Acknowledging hard work and efforts is essential. We ask team members to execute on our strategies and bring life to ideas. Saying thank you, and acknowledging the efforts will ensure that team members feel valued.

Communicating more often than you think you need to is likely not too much. Often, as a leader, you may talk to other executives and know in your mind exactly what you are striving for together over the next few months. Sharing that and making sure team members understand the big picture and what their day to day efforts are ultimately a part of will incentivize them to contribute to that shared goal.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?

I would choose Elon Musk. He’s unconventional in many ways, but his bold pursuit of doing what others would not dare to take on within technology is very inspiring to me. He doesn’t come across as a traditional leader, yet he has a huge public following and the world watches with anticipation what he does. I’d love to ask him what he considers are important leadership skills. I’d love to ask him how his ideas come to him, and I’d love to get an idea of what types of things that are not yet mainstream news that he might be thinking about.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!