Date: 2021-06-05

Avoid trying to be an expert; instead, maintain a beginner’s mindset. When people start out learning something new, there is a fearlessness in failure, a try-and-try again attitude that is almost magical. As we advance, many so-called experts lose that fearlessness, maintaining confidence only in their own knowledge. Cybersecurity is ever changing, and we need that fearlessness in brainstorming and in leadership if we are to win the war we face against attackers. A beginner’s mindset is important as we face daily changes in our experience with adversaries — and will allow us to tackle challenges.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Kate Kuehn, Senior Vice President at vArmour.

Kate Kuehn is the senior vice president at vArmour, where she focuses on driving alliances between vArmour and giants in the tech industry. She was previously U.S. CEO for Senseon and sits on several advisory boards for Senseon, cyber startups and cyber education initiatives. In nearly 20 years in the cybersecurity industry, Kate has led some of the industry’s most innovative programs in DDOS, Ethernet as a network (CPA), SaaS, and IaaS.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up splitting time between two small towns in Wisconsin, Oconomowoc and Chenequa. Both for the most part embodied idyllic small-town life, where everyone knew everyone. We would walk around the lake, sail in the summers and ice skate in the winters. I attended a small school in the area, University Lake School, and loved the small, close-knit community it offered me. As a young person, my passions were community theatre, art, early coding classes (for those that remember LEGO) and sailing/playing sports with my friends.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I am a voracious reader, which is something I get from my mother, who spent more on books a year than food. At her house, my TV and movie watching was very limited, so books were my world. I can’t say I had a favorite as a child, but books were precious, and I read and reread every one I owned over and over again.

I gravitated from a young age towards both classics and biographies, especially about strong women in history. I remember my second-grade teacher being shocked when I read “Great Expectations” by Charles Dickens for my first book report. It was the heroes of those books, both biographical and fictional, that instilled a belief in me that you can do anything you put your mind to, and that “no” or “can’t” are NOT acceptable responses when faced with hard choices. To this day, I much prefer the feel and smell of a new book to turning on the TV.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

When I was starting out, the concept of a career in cybersecurity was in its absolute infancy. Many universities were just starting to offer IT as a major, and the idea of security as a career was still a very foreign concept. It was my last internship, working for Iowa Senator Tom Harkin, that actually started me on this path. One of my tasks during the internship was to create a website for him using an “HTML for Dummies” book. The idea that an intern would create a website for a U.S. senator in today’s world sounds crazy, but for me it was a great opportunity — and my first firsthand view of the power of the internet. I loved the idea of creating something people could use to access the information they needed to help them. I loved the idea that what I was creating could help people, and I loved using coding to make my thoughts and ideas take flight. I remember though, in those early days, also wondering what would happen if something went wrong. What if people misused the information I was helping provide? The idea that that could happen fascinated me.

Years later, as I took on my first roles in technology and I was exposed to cybersecurity, I naturally gravitated towards it, with that same desire to make the world a better place, which strengthened and grew over time. My ultimate decision to dedicate my life to cybersecurity came with the birth of my children. By the time they came, the cybersecurity industry was here to stay, and I had firsthand experience of the consequences for both enterprises and people when it wasn’t taken seriously. I found myself wanting to create an impact in the field that I had long loved to ensure I leave the world a better, safer, more inspiring place for my kids.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Security, and really technology, were never supposed to be my career path. Politics, theatre and possibly law seemed more likely. Basically what my father lovingly called my “underwater basket weaving pursuits” were my focus. When I secured my first interview with a technology company, I knew nothing about it. The VP responsible for hiring me asked me to present on why a company should invest in a network technology called Frame Relay. I bribed the IT major down the hall to teach me over a six-pack of beer. The next day I stood in front of a room full of men, in my first navy blue suit, and presented my thoughts on Frame Relay. I stated in detail what the company needed was more bandwidth (like sandwich) and mispronounced bandwidth about ten more times during the presentation. Tears were rolling down my first boss’s face, when he stated that he was sure I could sell, but if I called it bandwich again, he would fire me immediately. I made a vow at that moment to learn everything I could about the technology I was being employed to understand. It was a lesson to me to make the most of my mistakes, however small, and turn them into learning opportunities. As long as you learn from your mistakes, you keep on the path to improvement. Holding onto that beginner mentality and not being afraid of those “bandwich” moments, but instead learning from them, has served me well during a number of complex, seemingly impossible scenarios throughout my career.

Are you working on any exciting new projects now? How do you think that will help people?

I am blessed to always be working on exciting new projects. It is one of the things that makes me love being in the cybersecurity industry. vArmour, being a fast-paced, later-stage startup, is amazing to work at, and I am very proud of the strategic partnerships and innovation we are bringing to market, especially around identity management. The unique position of looking at an enterprise from the inside to focus on app and user relationships is truly taking the market by storm. I actually asked to join the company because I was so passionate about both the technology they were bringing to market and the market culture the company embodies through the concept of “relationships matter.” I think over the next few years, the benefits we’ll create for the overall cybersecurity landscape will be nothing short of revolutionary.

Outside of my role with vArmour, I advise a few early stage companies, which is so much fun! I love the passion of new businesses and the drive and excitement of new founders. There is always a “we can change the world” mentality that is palpable, and I find it incredibly rewarding to help them all mature their ideas and business operations.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Oh, there are many things that excite me about our industry. The fact that it is so fluid and ever-changing is right at the top of my list, and the constant stream of innovation cybersecurity brings to the market has always been a source of inspiration for me. If I had to narrow it down, I would say my top three are:

The focus on using the ecosystem and collaboration between companies to provide comprehensive solutions. This trend is the reason I chose to take my current role running Alliances at vArmour. As a practitioner, one of my largest sources of frustration was the lack of interoperability between security solutions. Everything was in a silo, and there was no focus on the larger landscape and how tools could be interconnected. I love the visibility and more robust solutions I see coming to market via companies partnering and collaborating through API integrations, and focusing on collective security, rather than separate efforts.

The concept of focusing security from the inside out, and truly understanding relationships (i.e., Application Relationship Management). The traditional concepts of perimeter security and borders are gone. Flexible working, the pandemic and rapid digital transformation were catalysts that t to understand intimately the relationship between applications and applications to users. If we can take one lesson from the supply chain attacks of the past 12 months, it is the need for enterprises to adopt a robust Application Relationship Management strategy. It may be my favorite shift in security thinking in the past decade. When executed well, the automation of visibility and the enforcement it enables can significantly enhance dynamic security controls.

Zero Trust Architecture (ZTA), aka the concept of “trust no one, verify everything”. The theory around ZTA architecture has long been discussed and debated, and I am so happy to see ZTA now becoming a reality for many organizations. ZTA is not a product or a solution; it is a practice and an architecture, and should be treated as such. When coupled hand in hand with the visibility Application Relationship Management enables, it is a robust defense that works perfectly in the increasingly dynamic, hybrid business world.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

So what keeps me up at night? Well, lots of things… my four children to start with, but from a cybersecurity lens I would have to say it is lack of automation, the ramifications of rapid transformation and the rise in nation-state and criminal megabreaches. Unfortunately, the three are often linked.

In the past year, many companies struggled to suddenly shift their workforces, and sometimes their supply chains, from traditional enterprise architectures to work-from-anywhere configurations. This shift has security teams facing a monumental amount of cleanup and the task of closing holes in their adapted security posture. Now that the dust is settling, many organizations are realizing that the traditional event-driven security practices are not viable ways to maintain proper visibility and anomaly detection capabilities across their dynamic enterprises. Automation of these processes is now a must have. One company I was recently speaking with talked about how the only way to understand the environment was to send out manual surveys and spend weeks and months analysing legacy data. Not only is this ineffectual, it makes it nearly impossible to understand and catch subtle changes in an environment that may indicate a breach.

If we’re going to stop the types of breaches we see increasingly occurring, automation is a must have — and we’ll have to stop relying on manual processes. The known issue of a lack of visibility/automation is catalyzing a rise in complex attacks. Sophisticated hacking groups are taking advantage of these known vulnerabilities and wreaking havoc in both public and private enterprise.

The way to turn the tide lies squarely in the details. First, know your environment and user behavior inside and out in real time. Second, execute and constantly evaluate robust policy management to have a firm handle on acceptable and suspicious behavior. Lastly, do away as much as possible with manual processes in favor of automation.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The future is here. We have never seen a time in cybersecurity history where there has been such a proliferation of critical vulnerabilities and coordinated breaches as we see now. I really hate to say it, but no one is safe. Governments, private enterprise and critical national infrastructure have all been recent targets, with no end in sight. The key for companies looking to prepare is to understand their risk appetite and what type of vulnerabilities they may have exposure to. Again, dynamic controls and complete visibility are key for preparedness. Tabletop exercises and planning that utilize lessons from recent attacks can identify key areas of improvement where we can cause attacks to fail.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

One of the first breaches I was part of fixing was for a large financial institution whose data centers in London had been attacked, in order to insert early days packet capture tech into their network gear. I remember thinking it was very James Bond-like. The entire breach had been set up to look like a highly sophisticated robbery, not a cybersecurity breach. Network equipment was stolen, guards were tied up and destruction was everywhere. I remember walking through the scene with my first CSO mentor, and him telling me, “Kate, always look beyond the obvious. There is always more than meets the eye. In this case, I don’t think we care as much about what the bad guys took, as much as what they may have left behind.” He was dead right. It took a few days, but we found the malware left behind that would have been used in a much larger cyber attack on the global financial systems. Thanks to my mentor’s insight that day, that attack never happened. His advice was an amazing early lesson, one that has served me my entire career. Breaches are never straightforward, and teams should always care most about what the bad guys may have left behind.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

For my current role, the tool I use most frequently is education. To stay current for my role in vArmour, and to stay on pulse with cybersecurity, since I am not currently a practitioner, I read quite a lot daily: threat reports to look at current issues, vendor releases and news to stay on top of our ecosystem and what may be impactful for my current role, and books tied to cybersecurity so that I can stay ahead of emerging trends and changes.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Anomalous or odd behavior. That is the number-one tell in my book that something may be amiss. We can start with user behavior. Users by nature are quite repeatable in their habits. They use the same applications, access the same set of data and even usually work generally at the same time daily. Except in rare cases, their patterns are known and repeatable. When we see their behavior deviate — such as logging on at odd times or accessing files they never have before — that’s an early red flag. The same approach carries through to applications and the rest of the enterprise. When you see things acting differently, you should pay attention to it. Beyond anomalies, sudden changes in traffic patterns are important to look at. Bandwidth spikes, odd amounts of data being transferred or dormant system activity should be taken seriously. From a preparedness and sign perspective, most early detection stems from a robust understanding of what normal should look like in the environment. This again taps into the need for robust visibility and controls across an entire estate.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Communicate, communicate, communicate. When a breach occurs, everyone in the company has a role to play, and making sure that they understand what role they have, what steps they should take is the first and arguably most important first step. One of the toughest breaches I have lived through was WannaCry, and there are many war stories from the early days of that attack. One that stuck with me was of a company that had little to no communication plan for a real-time breach scenario. As WannaCry started, they were all hands on deck to ensure their internal systems were not compromised. No one thought to alert their sales and engineering teams to their protocol for an attack. A well-meaning sales engineer actually proactively sent copies of the WannaCry executable to customers, to try and help show them what to look for. His actions almost caused hundreds of customers to potentially be infected. While thankfully there were no repercussions to his actions, it was a lesson for that company: ensure that everyone knows their role when an issue inevitably happens.

The other most important thing is to review what happened and share key learnings. The would-haves, could-haves and should-haves post breach are the best way to educate both team members and your customers on the best protections to implement moving forward.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

I see a lack of proportionate investing in the right security practices. Some organizations invest too much and risk becoming complacent about their security architecture. Others ignore the problem, believing breaches can’t happen to them, and invest too little.

A solid practice starts with knowledge, and from there stems proper investment. You’ll want to understand your full enterprise environment: How do the apps and users relate? Where does data reside, and who can access it? And how do third parties factor in? This understanding must be dynamic and in real time, to avoid a rear-view look at your enterprise network’s health. Once you establish this constant visibility, you can identify routine vulnerabilities and attacks, develop prevention tools for the surprise attacks or future trends and prepare in advance for a potential catastrophic event, such as what we saw with SolarWinds this year. In each case, ask the hard questions about what impact a malware attack will have on your business, and where you can invest in visibility and preventive tools to help your organization be more prepared.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I am never satisfied with the status quo regarding women in STEM. It is a critical issue we need to continue to focus on with rigorous perseverance and commitment. When I was starting out, there were very few women to be found in cybersecurity or tech in general. We were the 1 in 10, or sometimes 1 in 20, in a room. My personality, qualifications and sometimes even choice in clothes were under constant scrutiny. The women who did break in often competed with each other for promotion rather than collaborating, and the culture of support I see people trying to create today was nonexistent. We have come a long way though, and I am excited by what we can do in the future. We need to celebrate the differences women bring to STEM and promote a culture of inclusion in our industry that draws all people together, leaves room for differences of opinion and breaks down legacy barriers.

One key thing we need to do is be an industry that promotes flexibility in the workplace. Work-life balance, and particularly flex hours, must be addressed if we want to retain and grow a gender-diverse cyber culture. I see too many women leave our amazing ecosystem because of the pressure to advance. During my own career, I’ve had both men and women tell me that taking more time for my family would be my greatest career mistake, and that I would never rise to leadership levels again if I made that choice. I was called an idiot, stupid and worse for wanting to prioritize both my work and my family. My goal is that no woman pursuing a career in cyber will ever face that same negativity and those difficult choices.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

The myth that drives me crazy is you have to be a security person to work in cybersecurity. Cybersecurity is a massive field. We need people from all walks of life, all career paths. Business, marketing, creative, technical, executive, sales… we have room for them all, and will take you, full time, part time, flex time. My only ask is that you enjoy learning about cybersecurity and have some desire to make the world a better place. Some of the best practitioners and thought leaders I know in our field came from other fields or did not intentionally pursue a career in cybersecurity to start, and yet they have found a beautiful home in our field.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

You are only as strong as your weakest link. Inclusion of all people within an organization is one of the most critical things to remember when building a strong security culture. It is awesome if you have a great relationship with the board, but does the cleaning staff know their role? During one of the first severe breaches I ever worked on, a mentor of mine who was reviewing things with me warned me that we needed to educate all after-hours staff on the breach or it would happen again. We noted it, but got busy with more “pressing” issues and didn’t get around to it. Three weeks later the hackers repeated their attack, exploiting the after-hours staff.

Surround yourself with people who inspire others. Look for the people who see opportunities in the challenges they face, and who are resilient and creative, and make them your people. Leadership is about collaboration; trust in your teams is critical. There is no room for ego in the work we do.

Give your team room to fail, then pick them up and help them learn when they do. No one intentionally sets out to make mistakes, and any real leader will acknowledge that they have failed at something. The key to facing failure is to create a safe zone for your teams to learn and grow, with the confidence that when they unintentionally make mistakes, you will be there to help. Let your team strive for success, and help them shoulder failure when it happens.

Avoid trying to be an expert; instead, maintain a beginner’s mindset. When people start out learning something new, there is a fearlessness in failure, a try-and-try again attitude that is almost magical. As we advance, many so-called experts lose that fearlessness, maintaining confidence only in their own knowledge. Cybersecurity is ever changing, and we need that fearlessness in brainstorming and in leadership if we are to win the war we face against attackers. A beginner’s mindset is important as we face daily changes in our experience with adversaries — and will allow us to tackle challenges.

Love what you do, and do what you love. Cybersecurity can be a very lucrative career, but it can also be marked by long hours, stress, frustration and sometimes even fear. There is a place for everyone in the world of security; we need all types of people and have a vast amount of roles to fill. But make sure that as you move around in your career you focus on the roles and responsibilities that motivate and inspire you. Life is too short for the mundane, and job satisfaction is so important.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Oh, that is tough for me. I love meeting new people and I’ve never been good at narrowing down my list to only one! If I had to choose, it would be Madeleine Albright. Her work and her life have inspired me for years.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!