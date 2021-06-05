Learn the Lingo: this is specific to cybersecurity. Being one of the only women in the room for most of my career, I’ve been able to remove that as a focus in many regards by learning the lingo and being able to hold my own in conversations, regardless of the gender of the individual on the other side.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Kimberly Johnson. She has over 10 years of cybersecurity and Identity and Access Management (IAM) market knowledge and experience, gained across multiple authentication and cybersecurity firms. Now, as the VP of Product at BIO-key International, Kimberly is focused on driving growth and deployments of BIO-key’s IAM and identity-bound biometric solutions. Kimberly continues to be a thought leader and advocate for evolving the way organizations and people approach cybersecurity in our everyday lives.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I am a “New Englander” through and through, having grown up in southern New Hampshire and now crossing over state lines to live in Boston, MA. I grew up watching my mother run her own business as a leading veterinarian in the area, and after working many years by her side helping her treat the latest furry patient, I realized very quickly that I did not want to be a vet.

At the same time, my high school, Milford High School in Milford, NH, had a tremendous culinary program and restaurant that was open to the public. After many years in culinary class, and discovering that I enjoyed baking, I thought my path was set. After high school, I went off to The Culinary Institute of America to start my baking and pastry arts education, where I also soon learned that I did not want to be a baker either.

Finally, I returned home and landed at the University of New Hampshire (UNH) in Manchester, NH, where I was commuting to classes and working multiple oddball jobs in my spare time. After taking multiple classes and ending up with a concentration in marketing, as part of the last class of my senior year I was sent to a mandatory job fair. There I wandered the aisles and came across a temp agency, which, after chatting with me, said they had the “perfect job” for me.

That’s where my cybersecurity career started, and as you can tell, I wandered into it. My first job was for a company based out of a very rural town in New Hampshire that did something called “SSO” for “Notes and Domino”, terms that were a far cry from the mixing, folding, and proofing terms I had learned in culinary class.

The rest is history. Once I learned more about cybersecurity and the approaches organizations took to solve the cyber challenges they face, and attended a few “killer” IBM conferences, I was hooked. I was fascinated by the business and the large brands we were able to engage with from around the world.

From there I’ve gone on to multiple cyber-focused organizations including a certificate authority, an organization focused on IAM for healthcare, and one that developed its own unique way of measuring cyber risk, to now being a leader at an organization that is changing the way we solve common IAM challenges with biometrics.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I would have to say Simon Sinek’s TED Talk “How Great Leaders Inspire Action”. This has been a talk that I have brought up, leaned on, and shared throughout my career, as it gets to the emotional, human connection we all have to technology. Often, when working in a B2B environment and in cybersecurity, we can all lose sight of the fact that at the end of the day we are still humans looking to be successful and understand the “why” behind what we do.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As mentioned in the intro, I somewhat fell into my cybersecurity career. However, since then I have become fascinated with the space. The one story that stands out is one that the retired head of the Ukrainian National CERT told, during a customer event, about the cyber-warfare Russia had waged on their country. Hearing him speak about the systematic attacks Russia conducted, such as taking down their treasury systems on Tax Day, was fascinating and reminded me of the global challenges cybersecurity looks to solve now and in the future.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Well, there are a lot. I’d say there isn’t a specific one, but an overall theme from when I first started in cybersecurity. The acronyms and completely different language cybersecurity professionals speak took a while to get used to, and in all honesty, to stop giggling at. Starting my career as a young college grad, standing at conferences talking to professionals about their “front-end” and “back-end” systems took some getting used to.

As funny as that was, it taught me that you have to learn the language. Being in cybersecurity isn’t something you understand overnight, and you need to gain credibility by taking the time to understand how it is talked about by the people who live in it every day.

Are you working on any exciting new projects now? How do you think that will help people?

At this point in my career, I’m now in this new world of biometrics. I’ve said lately, “I’m an IAM girl living in a biometric world”, as biometrics have started to grow in popularity, but that hasn’t always been the case. We’re now working on new biometric offerings that take the level of integrity, availability, and security of this authentication method to a whole new level. Where biometrics have classically been for specific use cases, and skeptical comments are often made about hackers stealing fingerprints, I now know both of these to be untrue. I’m excited to work on bringing this technology to the everyday customer, student, and employee at any organization and helping organizations realize it is a more convenient and secure authentication approach.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

First, the shift we’re seeing to end users or consumers being aware of cybersecurity. For years, cyber has felt like this “behind the scenes” group that implemented sophisticated technology to help secure the organization. Now, and especially with us all taking on the responsibility of securing ourselves at home, I feel like a whole new wave of cyber awareness has taken hold. I’m seeing cyber-related commercials on TV, friends and family asking about how they can secure their home networks, and an influx of privacy-related discussions we never saw in the past. People are starting to be aware that cyber isn’t just for the organization — it’s for the individual.

Related to that, I’m also excited by the ideas around self-sovereign identity and all of us having control over who we are digitally: being able to decide for ourselves who gets to use our identity, how that identity is created and trusted, and when we want to revoke privileges for companies to use it. With everything in our lives going digital, who we are digitally is getting closer and closer to being who people know us as. Being in control of that is something I’d like to have, and I feel others are starting to as well.

Finally, I’m excited about the new ways we are figuring out to finally be able to confirm “you are who you say you are” digitally, using technology such as biometrics. While biometrics are still being discussed and organizations work through how to more widely adopt them, after years of watching us trust devices, tokens, and passwords to give access to critical data and systems, biometrics stand out to me as the perfect way to finally identify the individual person. After my years of working at a certificate authority and watching the processes the vetting department would go through to “create” an identity and truly prove it represents an organization or individual, I’m looking forward to when organizations see biometrics as the best way to create a digital identity that can then be used to positively identify someone. Not to mention getting to the nirvana of eliminating passwords altogether.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

I don’t think I’d be a cybersecurity professional if I didn’t mention the influx of attacks we are seeing in the market, especially with the impacts of COVID and the security gaps it created as organizations rushed to provide online services to remote employees, customers, students, and third parties. The latest stat I read was reporting an almost 200% increase in the number of cyberattacks going after some of our most critical industries, including education, healthcare, and local governments. According to the article, more data records were compromised in 2020 alone than in the past 15 years combined.

Beyond the influx of attacks, I have two more concerns that stand out. One is related to attacks, but more so the type of attacks that are happening. I’m one of those believers that the new World War we may all face may not use bombs and ammunition, but instead involve sophisticated cyberattacks that target our critical infrastructure. Attacks that shut down our hospitals, take out our electricity, and poison our water systems have been successfully happening across our country. The attack on the Colonial Pipeline showed just how disruptive an attack can be when it goes after such a vital system that supports many areas of our day-to-day lives. Now the infamous cyber question, “what keeps you up at night”, I can easily answer.

Finally, my last concern somewhat contradicts the first two. For decades, as security measures have been increased and controls tightened, we have seen convenience sacrificed time and time again. As I’ve said throughout my career, there must be a balance. Now, I’m not advocating for loosening security controls and letting hackers in, but what I am advocating for are new approaches that are developed with convenience in mind. We know that without convenience, we humans will find a workaround. Cybersecurity needs to make sure we focus equally on solving both challenges — making it secure and convenient.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Beyond what I mentioned before with the main concerns I have, I think companies need to be on the lookout for regulatory impacts. More and more, I am seeing federal concerns around cybersecurity start hinting at federally regulated cybersecurity, especially around cyberattack disclosures and investigations. Also, the number of privacy-related regulations and policies continues to rise. While these are essential to protecting individuals, organizations are going to have to remain nimble to adjust their cybersecurity approaches to them.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I don’t have a specific one I would highlight, however when it comes to fixing them, there are many that I can point to. For example, when I worked in the security ratings space our entire focus was on measuring and quantifying cyber risk. I was focused on Third-party Risk Management (TPRM) and worked with many customers to look at their vendors and suppliers to understand who was posing a high level of cyber risk to their organizations. I had the pleasure of presenting with the head of TPRM at TD Ameritrade on the subject, helping educate other organizations on best practices to follow.

Currently, at BIO-key, I’m working with our teams to help migrate our customers using the on-premises version of our PortalGuard platform to our cloud-delivered PortalGuard IDaaS platform. This is after some of them experienced severe ransomware attacks and had all of their servers, including their PortalGuard authentication server, encrypted and held for ransom by hackers. By moving them to the cloud, we are able to handle the security for them and make sure disruptions don’t hinder the ability of their employees and customers to log in to the services they need. We are seeing time and time again that the benefits of moving to the cloud outweigh those of the organization’s IT team trying to maintain it on-premises.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The main one that I would say I use across almost all aspects of my professional and personal day-to-day tasks is multi-factor authentication (MFA). MFA requests multiple authentication methods when you are logging in: a combination of something you know (usually a password), something you have (e.g., a phone), and something you are (e.g., a palm scan). Only a combination that uses one of each type of method counts as true MFA, and it is now a technology every person uses daily to access their online accounts.

For the easiest MFA, I use biometrics in a passwordless approach that eliminates the need for a password altogether to access applications and data. MFA has been proven to be one of the leading cybersecurity solutions for preventing cyberattacks, being able to keep hackers out and let only legitimate users in.
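The “one of each category” rule above is easy to get wrong in practice: a password plus a security question is two knowledge factors, not MFA. The following is an added example, not code from the original interview or from BIO-key, that enforces distinct factor categories at login and actually verifies the “something you have” factor as an RFC 6238 time-based one-time code (the kind an authenticator app on a phone generates). The authenticator names, the category mapping, and the `login_decision` helper are assumptions made for this example; the secret is the RFC 6238 reference test vector, not a real key.

```python
import hashlib
import hmac
import struct

# Which of the three categories each authenticator belongs to.
# The authenticator names are assumptions made for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",        # one-time code from an app on a phone you hold
    "hardware_key": "possession",
    "fingerprint": "inherence",
    "palm_scan": "inherence",
}


def categories_of(presented):
    """Map the authenticators a login presents to the distinct categories they cover."""
    return {FACTOR_CATEGORY[name] for name in presented}


def is_true_mfa(presented):
    """True only when the authenticators span at least two different categories."""
    return len(categories_of(presented)) >= 2


def totp_code(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1 over the 30-second time-step counter)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the code for the current step or one step either side (clock skew).

    compare_digest keeps the comparison constant-time so a remote attacker
    cannot learn digits from response timing.
    """
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login_decision(presented, secret=None, submitted_code=None, unix_time=None):
    """Policy check first, then factor verification. Returns (allowed, reason).

    Only the possession factor (TOTP) is verified here; the other authenticators
    are assumed to have been checked by their own back ends already.
    """
    if not is_true_mfa(presented):
        cats = ", ".join(sorted(categories_of(presented)))
        return False, f"not MFA: {cats} only"
    if "totp" in presented and not verify_totp(secret, submitted_code, unix_time):
        return False, "TOTP code rejected"
    return True, "ok"


if __name__ == "__main__":
    # RFC 6238 reference secret (a published test vector, not a real key).
    secret = b"12345678901234567890"
    code = totp_code(secret, 59)
    print(login_decision(["password", "security_question"]))
    print(login_decision(["password", "totp"], secret, code, 59))
    print(login_decision(["password", "totp"], secret, code, 59 + 120))
```

The policy check runs before any factor is verified, so a client that tries to satisfy “two factors” with two knowledge factors is refused without touching the TOTP path, and a stale code is refused even when the factor categories are right.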

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Absolutely.

First, make sure the website you are logging into looks the way it always does. That means the branding, colors, fonts, location of the login form, etc. Often, hackers use fake websites to capture your information without you knowing.

Second, make sure you check the URL of the website you are going to. You always want to make sure it is HTTPS, which is standard for most websites. Without HTTPS, the data you enter is not encrypted and could be vulnerable to hackers who can intercept it.

Next, look for last-login information, including the date and time. This will often be displayed once you log in to a website or application and is something that is good to start checking. For example, if you are logging in for the first time in a month and the last login says it was yesterday, there’s a high likelihood your account was accessed by someone else.

Finally, going back to the main cybersecurity tool I use, make sure your critical accounts are using MFA, such as your bank account, healthcare provider, and others. When you log in you should not only be asked to provide a password but also an additional factor. If you aren’t, please check with the provider of the service to see if this is something you need to enable for your account. Always make sure you have MFA turned on, especially when you have sensitive data you want to protect.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First, it is important to understand the breach: why it happened, what impact it had, what is vulnerable, and all other aspects of the breach that can be investigated. This is critical to understand so that the security controls that failed can be identified and future breaches can be prevented. In addition, this is a critical time to assess the overall cybersecurity strategy of the organization to understand whether the right priorities are being addressed to reduce the company’s overall cyber risk. As with any department, IT and IT security departments have many projects to prioritize. When a breach occurs, this is the time to ask, “are we prioritizing the right projects and the ones that are the most critical to preventing cyberattacks?”. Also, make sure your systems, applications, and data are secured with best practices such as multi-factor authentication 100% of the time for 100% of your users, and that the right monitoring tools are in place to understand when something is vulnerable. Finally, let your customers and employees know if their information was impacted and consider implementing a cybersecurity awareness program. The “human element” in security can be the biggest vulnerability, with the only remedy being to educate your users on how they can help improve security and be on the lookout for suspicious activity.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

I would say one of the most critical mistakes is not having a formalized cybersecurity program and/or defined roles within the company that are responsible for it. All too often companies forgo cybersecurity because of costs and resources. With how critical cybersecurity is today, from not only a security but also a revenue and business reputation perspective, I don’t understand how any company can afford not to have a cybersecurity strategy and someone leading it.

Additionally, we really need to stop relying on passwords. It is still being reported that upwards of 80% of organizations are relying on passwords for employee and customer access. I understand we’ve used them for decades, but with 81% of breaches resulting from them according to the 2020 Verizon Data Breach Investigations Report, isn’t it time we figure out a different way to authenticate?

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

Well from where I am sitting, and being the only woman in the room for most of my career, I’d say we’ve come a long way from my early days in cybersecurity. Overall though, and with the expected impacts to women caused by the COVID-19 pandemic, I’d say there is still a long way to go before we achieve a more even distribution of women in STEM and more specifically cybersecurity. Also, while more women have entered the space there is still that “glass ceiling” above many of us, keeping us from reaching the higher-ranking positions in the industry. I’ve been fortunate enough to find an organization at this point in my career that is excited to have a female executive on board, however that has not always been the case.

For us to impact the status quo, there are multiple changes that need to be made, but I would highlight that we need to focus on the upcoming generations of women who are interested in STEM and cybersecurity. Programs that educate female students and get them interested in these areas early on will ensure more of them continue to be interested throughout their careers and get into these industries.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

This is a tough one, but I guess the myth that you have to be a “geek” to get into the industry. Now, I say the word geek in the absolutely fondest way possible, especially as I grew up with my brother and father being self-proclaimed geeks; however, cybersecurity has so many facets to it that being a coder, being a hacker, or knowing all about servers is not all there is to it. Cybersecurity is now a key business problem, and all too often I come across IT professionals who struggle to discuss cyber concerns within their business.

With every aspect of business going digital, cybersecurity now has reputational, competitive, and revenue implications and is a concern that goes all the way up to the CEO. This change is driving a need to not only understand the tech or code that is part of the cybersecurity systems we use, but also roles that can explain why those systems are needed from a business perspective. For example, there are numerous articles now covering the changing role of the CIO/CISO as it relates to this issue. They need to be able to work with the business, as a business enabler, while keeping it safe.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Know the “Why” that Motivates People: this is key to every aspect of business and life in general. It is important that you know not just how people make decisions but why. What’s the motivation behind their decision? This is something I constantly strive to understand about my customers, peers, and even friends and family. Knowing the “why” for someone is extremely powerful, as it helps you understand their perspective and then relate to it. For example, B2B decisions are often thought of as being made between two businesses. The day I was talking to a customer and they said the decision would “make them a hero” to their business made me realize just how personal of a decision it was to them.

Learn the Lingo: this is specific to cybersecurity. Being one of the only women in the room for most of my career, I’ve been able to remove that as a focus in many regards by learning the lingo and being able to hold my own in conversations, regardless of the gender of the individual on the other side. All too often I’ve been the only woman standing at my company’s tradeshow booth, and the attendees come up and ask me for the free handout and to speak to an executive. I enjoy watching the shock come over their faces as I ask them about the latest security control they are trying to implement and rattle off the list of acronyms that go along with it.

Find Mentors & Pay it Forward: I would not be where I am today without my mentors. Many times, I’ve had to look outside my current organization to find mentors that I can relate to and that can guide me. I’ve been absolutely amazed at how complete strangers, after I reached out to them on LinkedIn, have responded and continued to spend hours mentoring me through some of the hardest points in my career. Since then, I look for any opportunity to pay it forward. Just recently I had an aspiring product marketing professional reach out to me. We spent over an hour on a call, I worked on her resume with her, and she is now going in for her first interview. Being able to connect as strangers and provide support reminds me that we all need support from each other to succeed.

Prioritize, Prioritize, Prioritize: as you grow in your career, so does the amount of responsibility. It is critical to constantly prioritize, re-prioritize, and then…prioritize again. I’d say on a weekly basis I’m constantly reviewing my priorities and making sure I’m “moving the needle” in the right direction. Without this, it is very easy to get too focused on the trees, or even the bark on the trees, and not the forest. For example, every week I keep a running list of the priorities I have for the week and continue to cross them off as I go. At the end of the week this helps me look back and see if I was able to achieve what I needed to do. I do this not only for the weekly priorities, but the quarterly, and even yearly ones. Remaining focused and diligent about whether or not you are focused on the right things is a key to success.

Be Your Own Advocate: while I’ve had amazing experiences in my career, I’ve also had times when individuals have looked to take me down a notch. It is important to have conviction and confidence in what you do and advocate for yourself. This means knowing when it is time to make some of the more critical and often scary leaps in your career, such as moving to a new job, team, or even industry. When I went into a role that was not in cybersecurity at one point in my career, I had only been in it for less than a year and quickly realized my passion was in cyber. Although I had a short tenure in the role, I knew for myself and my career path I had to make the leap and get back into cybersecurity. It was a very hard decision, but one that I look back on now and know it was the right one.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 😊

This was a hard question for me as many of the individuals I would love to have breakfast or lunch with aren’t well-known or recognized, but instead are other professionals like me who have been on my career path and succeeded. Again, as I highlighted in my 5 tips, I look for mentors constantly to help guide me along the way.

That being said, and to see if they “might just see this”, I would actually say the founders of Uber, Travis Kalanick and Garrett Camp. The ability they had to see a problem that society didn’t really know it had yet, and offer a service to fix it, is fascinating and something that makes a good business great. Having been in the same industry for this long and watching different companies all look to solve the same problems, I’m curious how they saw the bigger picture. Being able to see that there could be a better alternative to taxi services, and overcoming the huge obstacles it took to put this new service in place, would be fascinating to hear about. It’s not so much an interest in them starting their own company, but more so their development of a totally new category that today we, as citizens, can’t live without.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!