It is ok to show your vulnerability. We are all human. Remember, empathy is crucial to being an effective leader. Showing empathy to others is just as important to show the same empathy for yourself.
As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Frances Zelazny. She is a seasoned marketing strategist and business development professional with over 25 years of experience successfully building and scaling startup technology companies. Zelazny is currently the CEO and Co-founder of Anonybit. Previously she was the CMO of Signals Analytics, where she drove the company’s transformational positioning as a category leader in the advanced analytics market, contributing to its aggressive growth. Prior to Signals Analytics, Frances served as CMO of BioCatch and also ran an independent consulting firm focused on helping early-stage and midsize companies with their business and marketing strategies. Prior to this, Frances was Corporate Vice President of Marketing & Strategic Operations for L-1 Identity Solutions (now Idemia), a premier biometrics and identity solutions company. Frances has a bachelor’s degree in Political Science from Hofstra University and a master’s degree in International Affairs from New York University.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
Sure! Being a child of a Holocaust survivor, I always had a keen sense of who I was and where I came from. Identity has been a core part of who I am, and I think this played out in different ways throughout my personal life and in my professional life, from my early career aspirations to go into foreign service and deal with different cultures, to my current status in the biometrics arena.
Growing up, I thought I would be a lawyer; in college I pivoted to international relations. I thought I was attracted to the idea of working with world leaders to tackle global challenges like social and economic and sustainability. Of course, life had other plans. I graduated college early and landed my first job at a financial services startup working directly with the CEO on building up the business and that’s where I discovered my true passion. I decided to pursue my graduate degree at NYU, going to school at night. I focused on international political economy, which helped to blend my interests in business and international relations into a unique career that continues to allow me to grow and learn alongside smart people with great ideas all over the world.
Since then, I’ve traveled the globe working with governments of developing countries to further their social and economic goals, drafted legislation on privacy for state governments, testified in front of numerous committees, and been involved with more than a dozen startups as an operator and as a mentor, coach, co-founder, and board member. It keeps me on my toes and it’s certainly never boring!
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
Reading The Foundling had a profound impact on me. Again, thinking about where I came from, knowing my history has been so important to me throughout my life. I couldn’t imagine somebody going through what this man has — losing your identity. But the process he’s gone through to figure out the truth and search for his real identity is so inspiring that it’s become one of my favorite stories.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
More identity than cybersecurity. Going back to how I was a child of a Holocaust survivor, that made identity an integral part of my being — knowing who I was, who my family is and how they managed to survive the horrors of that time made a huge impact on me. Then, right after 9/11, I was the victim of a major bank card scam, where the ATM in my local deli was intercepted by hackers, so that the card information was actually pulled during the transmission, allowing criminals to make a new card with my information. I went to the police to report the case and they said there was nothing I could do; I went to the bank and within 20 minutes all the money was put back into my account! That’s when I realized that the stakes were really high both for unknowing consumers and the institutions. Would they just keep paying out every time there was a victim of fraud or would they actually try to solve the problem? By then I was already in biometrics so I knew that a solution was available, and it became a personal mission to get the word out.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
From spelling errors to mistranslations (which is always a risk when working internationally) to winging it at press interviews or going undercover at trade shows to do competitive intelligence — you know, going up to competitor booths and hiding our name tags as if they didn’t see me walk over from my booth — funny stories always abound. Add to that being a working mom pre-COVID-19 — changing diapers while on conference calls, pumping breast milk while on the road for business (things that have become a more normal occurrence with everyone working from home) — and it becomes truly embarrassing! At the end of the day, things happen, life happens, but you take it all in stride. The biggest takeaway from all these experiences is this: don’t be too hard on yourself, and don’t be afraid to make mistakes. Otherwise, how will you learn?
Are you working on any exciting new projects now? How do you think that will help people?
I’m now a co-founder of Anonybit, which was created to solve a major problem the biometric industry has long been facing — a trade-off between privacy and security. The problem is that personal data stored in centralized databases may be highly trustworthy, but is vulnerable to attack as we know every 2 seconds that a person becomes a victim. Essentially these single databases act as a honeypot for bad actors. If a hacker manages to successfully break into a system, all that personal data is in one place, waiting for them like a sitting duck. Meanwhile, device-side biometrics like FaceID may enhance privacy, but they are so easily circumvented that from a security point of view, it is just a block of Swiss cheese filled with holes. Most people do not think about this too much, but I can take your credit card and link it to my Apple Pay on my device, use my FaceID to make a payment, and no one will know it wasn’t you. This is because the phone is only sending a yes/no answer to the merchant or to the bank. It is very convenient for us to use FaceID but it is not very secure from an identity management point of view.
Today’s consumers are demanding more. They are demanding more control over the use of their data and more accountability from the entities that they give their data to. In fact, an overwhelming majority of consumers are more loyal to a company that has more privacy controls, which shows that investing in privacy does pay off. As a result of this, the continued data breaches and increased data protection regulations, governments and businesses alike are rethinking how they store and manage personal information. They struggle with ensuring the integrity of the interactions they have while minimizing the data they collect and keep. Anonybit goes to the root of the problem and eliminates the trade-offs that are typically made.
Instead of storing personal data in central honeypots or relying on device-based authenticators that are not secure, Anonybit breaks up the information into anonymized bits and decentralizes it in the cloud via a network of nodes (it does not use blockchain which many of your readers have probably heard of). Using advanced multi-party computing techniques, Anonybit is able to provide strong authentication to validate that a person is indeed who they claim to be without storing all that information in one place. It is completely privacy-by-design, with no single point of failure. Nothing for a hacker to find and nothing for a hacker to steal.
Industry players — biometric solution providers, identity service providers and others — build decentralized solutions on top of Anonybit’s infrastructure — answering the call for greater consumer privacy and greater digital security. Together, we are able to have our cake and eat it too.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
- We’re living in an exciting time for security and privacy. These are scary times for sure, but recent events have propelled security into the spotlight in a way that it can no longer be avoided. The pandemic forced the entire world to go remote, which almost instantly led to a massive surge in cyberattacks, in part because it was so easy for hackers to infiltrate home VPNs. These events literally brought the issue of cybersecurity home. Then you have the SolarWinds breach, which impacted so many government agencies and has since received Congressional attention, and in the last several days the ransomware attack on the fuel pipeline. Cybersecurity is becoming a national priority but it will only be fixed when addressing the identity elements. The two cannot be separated.
- Now is where we’ll start to see the convergence of different disciplines — privacy and data protection, identity and cybersecurity will all converge. Businesses, government agencies — everyone is realizing that there is a fine line between maintaining as much control over the process and the responsibility to ensure that data does not get stolen. Most consumers are reading just the headlines, but underneath are very real decisions and considerations that have to be made. Building a tech stack that balances all the different requirements is critical.
- There are now so many different solutions out there with all kinds of capabilities, but as with sports, these solutions need to constantly be tested and fine-tuned. Technologies that support zero trust models in particular — meaning anything inside or outside a company’s perimeters should not be automatically trusted, but must be verified before granting access to connect to its systems — are gaining traction, and will be interesting to see how these players will enter the fold. But even with zero-trust, strong authentication is key. It is not enough to verify devices. It is important to know WHO is behind a device and it has to be based on biometrics, the only link to the person’s physical identity. Everything else (location, past behaviors, device information, etc.) are just substitutes for the real identity that can be spoofed.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- My number one concern and I have spoken about this many times is the notion that compliance doesn’t equal security. Compliance means an organization meets the minimum security requirements for specific regulations at a given moment. You can check all the right boxes, but that does not mean anyone is completely secure. Take the big Target breach of 2013 as an example. The retailer had earned its cybersecurity certification against the payment card industry standard earlier that year, but a bad actor was still able to infiltrate its point of sale system. The fact is, most regulations do not prescribe HOW something should be done. They tend to provide broad strokes and then leave it up to the practitioners to figure it out. Some will be more attuned to the risks than others; some will be more budget-conscious or resource-strapped, and others simply will not know what the best practice is, and think that if they are compliant then they are secure.
- We as a society are only as secure as our weakest link. Backdoors abound, and hackers are growing more sophisticated in both their attack methods and their ability to piece together information to get in and impersonate someone. The use of automated bots by hackers has been proliferating in recent years, which can be used for a plethora of things, such as scouring the internet to find vulnerabilities in seconds, or to test stolen passwords on different accounts at the same time. It’s so important to stay informed of the latest threats and how they are evolving so businesses can defend against them. It’s also important to invest in basic, ongoing cybersecurity training for employees so they don’t accidentally break down defenses and implement technology stacks that address many of the human weaknesses. No matter how much training, for example, more than 25% of employees still fall for phishing emails.
- There is no silver bullet or one stop shop when it comes to cybersecurity — everyone needs to consider different vectors and understand the tradeoffs we are making with the decisions we face. Oftentimes people will choose solutions that are convenient for them, but convenience doesn’t necessarily mean security. With regulations forcing enterprises to think differently about how they store and manage personal data along with the confluence of data breaches and digital transformation driving new ways of interacting, it’s more important than ever to erase moral ambiguity and invest in solutions that truly balance security, privacy and usability.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
The issue of privacy and identity is becoming an emergency. Data breaches containing personally identifiable and medical information occur at such alarming frequency that people are getting numb. Just a few weeks ago 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed in what’s now considered one of the largest data dumps of breached usernames and passwords. Telehealth services immediately became vulnerable to attack once providers began relying on it more heavily to treat patients. There’s been a 2,000% increase in malicious files containing “Zoom” in their names, and there’s a 40% increase in unsecured remote desktop protocol (RDP) machines for remote working, despite the rise in at-home data breaches, which only increases the attack surface for hackers. And it only continues to worsen. Even after COVID, it’s expected that we will be relying on digital technologies more heavily, and will operate in hybrid settings from here on out. Therefore it’s imperative that businesses allocate budgets toward investing in proper security and privacy technologies.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
During my time at BioCatch, I helped apply behavioral biometrics to identify social engineering scams — aka those annoying scam calls you get asking for money, phishing emails redirecting you to make a transaction or to a fake website that will steal your information once you enter and use them to break into your accounts. Using behavioral biometrics, one can spot the difference in what’s considered the normal behaviors of a genuine user and immediately flag the issue in real-time.
On the physical biometrics side, my company was one of the first to deploy facial recognition to identify terrorists and to enable one of the first facial-recognition enabled ATM machines. I also had a front row seat to the development of the Aadhaar program in India, considered the gold standard in many respects to how developing countries should manage identity, and was involved with an initiative in Africa where microloans, genetically modified seeds and other interventions were able to be given to farmers who were biometrically enrolled.
These experiences taught me that there is so much promise with biometrics, to protect the “good guy” to enable seamless and fast-track processes, to provide that instant gratification when we want to pay for something but don’t want to carry cash or credit cards. There is so much potential for these technologies but in order for them to be played out, we must address the final mile — the protection and security of the data. These are not hypothetical issues — five years ago the Office of Personnel Management was breached and more than 5 million user fingerprints were stolen. We should take that as a clear and present signal to do better.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Sure! While this seems obvious, do not respond to emails or texts from strange people, or click on links that come with them. You’d be surprised how many people fall for these attacks. Vaccine-related phishing scams have jumped 26% in the last three months alone, so if you see a suspicious email or text, ignore it or report to IT if at work. One time I got an email from a cousin that only sent me SMS messages before. I recognized that something was wrong and called before clicking on the “supposed” folder containing photos of his new child. Another obvious tip is to avoid any messages that come with an urgency to claim or transfer money and if there are ever any questions, ask to call the person back. Most likely they will hang up or not give you a phone number.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Manage customer communications — be upfront and honest so customers can take immediate action to protect themselves.
- Follow up with real solutions to regain consumer trust.
- Fortify systems — invest in strong authentication and decentralize as much as possible to avoid it happening again.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
I’ve seen businesses fortify their front door only to leave the back door open. As mentioned before, many entities incorrectly equate compliance to security, or rely on device-based authentication only to have it be circumvented. Or they have very strong VPN solutions but no identity verification of who is behind a device or a session. These days, it’s important to take an identity-first, zero-trust mentality and assume people on the other side are anything but human.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
Personally, I am not at all satisfied. Stereotypes continue to be prevalent in our industry, and equality of opportunity is still lacking. Just 20% of the cybersecurity industry is made up of women. Improving the number of opportunities for women in the space has never been more key. The industry as a whole needs to find ways to engage girls in these topics in a way that speaks to them and their interests, highlighting role models for the next generation so they can see themselves in those positions in their future. There are several pathways to this — including honing interest over time through education, training, mentors and more, and offering opportunities for technology development in areas that interest women. In the workplace, businesses should create a more welcoming environment with career opportunities for professional development. As someone recently said to me, adding women to his team increased the emotional IQ of the entire company, which translated into greater empathy and deeper connections with customers, which ultimately leads to greater sales, profits and employee retention. On a societal level, we need to make the connection with boys when they are young and teach them to treat women with respect as equal peers and to embrace and promote their capabilities in the world of STEM and in the broader business world. I am a firm believer that these things really begin in the home.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
- Despite the statistics, there are, in fact, women in this industry and there is a group specifically called Women in Identity!
- The most sophisticated solutions may not be the best/right solutions
- Hackers only go after the big guys. As we know, this couldn’t be more wrong. Despite the sophisticated lengths hackers go through to steal information or funds, they are, in fact, lazy and are looking for the easiest targets that will give them their quickest “fix.”
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- There is no such thing as a perfect work-life balance. Some days you win and some days you lose. As a working mother, there are days where you feel like you aren’t giving enough to your children, and others where it is hard to balance work. But at the end of the day, I feel rewarded on both fronts and am a firm believer that my girls are getting a front-row seat as to what is possible, and in the process, they too are gaining their own fortitude and confidence in how to navigate this world. The best is when they overhear a work conversation and after weigh in with their own advice on how to handle a situation!
- It is ok to show your vulnerability. We are all human. Remember, empathy is crucial to being an effective leader. Showing empathy to others is just as important to show the same empathy for yourself.
- You do not need to know everything to be respected, so just ask the question. The more questions you ask, the more you will learn, and while it seems counterintuitive, most people like to teach! More than likely, you are not the only one who is thinking the same thing.
- A bad plan is better than no plan. You can always adjust and edit the plan in order to meet the goal, but if you wait for perfection or to figure out every possible scenario, nothing will ever happen. In the world of startups, this is a death sentence.
- People’s true characters come out under pressure. Life throws us many curveballs as we are seeing now with the pandemic. There is a question about quotes later, but I’ll put one of my favorite ones here — “life is 10% how we make it, 90% how we take it.” Everyone was obviously having a hard time adjusting to pandemic WFH life when I was recently working on a project with a group from another company. Every time we would get on our Zoom calls, we found a way to laugh. Their attitudes were infectious and I found myself looking forward to the weekly calls with them. When the project was over, we planned a Zoom cocktail party to celebrate!
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂
If I could, I would love to meet New Zealand’s prime minister, Jacinda Ardern. Business is ultimately about people, and so is governing. I love that she brings her humanity to her work and shows it on the global stage. I am sure that she has her own stories about how she got to where she is — something I would love to hear about — and can talk about the supportive home life she receives from her family and community, which should be an inspiration to everyone.
On the other hand, politics and international relations was my early passion, and I am sure she has a lot to say from that perspective as well with regard to how she juggled COVID-19, the terrorist attack in Christchurch, etc.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!