Kimberly Sutherland, vice president of fraud and identity at LexisNexis® Risk Solutions, manages the North American commercial market for consumer fraud analytics, identity verification, authentication and fraud investigations. With the growth of digital transitions and digital threats, she oversees a portfolio of fraud and identity solutions that have received numerous cybersecurity awards over the last three years. Kimberly joined LexisNexis® Risk Solutions in 2006 and has more than 20 years of experience leading business strategy, product management and professional services.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was raised in Louisville, Kentucky by a loving family that taught me 1) academic achievement, hard work and perseverance would be my keys to success, 2) to always be a responsible steward and thankful for all that is placed in my care and 3) that life’s obstacles and limitations could be overcome by knowledge and the power of my imagination. I graduated from Vanderbilt University and Otterbein College receiving graduate degrees in public policy and business administration. I started my career as a data analyst, building statistical models and developing growth forecasts for call centers and then a telecom manager. I later joined Lucent Technologies and Avaya to become a call center implementation consultant, helping to improve business processes and the customer experience for many global brands. I later led professional services offer management at Avaya and after eight years, joined the LexisNexis® Risk Solutions family.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

My favorite book is The Color Purple by Alice Walker. I first read this book more than 30 years ago and it captivated me because of the way it illustrates how differences can be used to discriminate and dehumanize another, the pain that it causes from so many aspects and yet how we are capable of rising above our life circumstances to become what we are destined to become. A close second is the book Freakonomics by Stephen J. Dubner and Steven Levitt. It combined the art of storytelling with the power of data, economic modeling and statistical analysis to show how you can challenge assumptions and uncover unexpected connections and relationships. Both books encouraged me to challenge the status quo and make me want to dig deeper.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was inspired to build a career in fraud prevention and cybersecurity because I have always cared deeply about the ability to empower others. Empowerment requires access — access to information, access to your accounts, access to services. Computer systems and personal devices are what we use to gain access. Safeguarding or preventing inappropriate access while facilitating access to those for which it was intended was more of a career progression that has led to identity management, fraud prevention and now to defend against cyberattacks and support “cyber trust”.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I once traveled to St. John’s, Newfoundland when I was supposed to attend a meeting in Saint John, New Brunswick. I did get there eventually, but it wasn’t very quick or easy. It was a great lesson on focusing on the details, asking for help the first time you are doing something and not sweating the small stuff because there is usually an opportunity for course correction.

Are you working on any exciting new projects now? How do you think that will help people?

Of course! At LexisNexis® Risk Solutions we are always working on exciting projects and right now we’re working on ways to help organizations better integrate risk-appropriate authentication methods, both passive and active. We are rethinking ways to enhance customer trust, especially in digital transactions. Our data scientists are looking for ways to help detect man versus machine to continue the fight against malicious bots and other forms of scripted attacks.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I agree, this is a very exciting and quite busy time for the cybersecurity industry because we are in the middle of a digital transformation for so many industries, some of which were greatly driven by the shift in consumer behavior due to the pandemic. We are also at a time where many companies are rethinking their relationship with their customers, recalibrating their security protocols and modifying the experience that they create for their customers online and in their mobile apps. This is an opportunity for critical improvements — many companies seem more willing to try new approaches. I am also excited to see the amount of collaboration occurring between organizations and their interest in sharing risk signals and fraud events. Fraudsters are not wasting time connecting to one another, so we are firm believers that it takes a network to fight a network. Good actors must also take advantage of the network effect and be willing to share the actions of fraudulent activities and cybercrime. Our customers are better protected because of this shared knowledge.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The challenges faced by the cybersecurity industry are never-ending since threats continue to evolve and adversaries adopt new attack vectors to compromise security. First, advancement in artificial intelligence has transformed cyber defense with adaptive machine learning algorithms and pattern detection. However, artificial intelligence has also facilitated the improvement in new forms of synthetic identities like deep fake technology. The Congressional Research Service recently updated its report on Deep Fakes and National Security, citing these risks as spurring a more rapid maturation of technology that reproduces these realistic depictions. Second, the pervasiveness of malicious bots sometimes dwarfs legitimate customer traffic for some industries. These bad bots will get worse and become increasingly more difficult to distinguish humans from software or script. Third, the cybersecurity industry must be prepared to identify these constant threats and that will require the ability to quickly and continuously attract new talent with fresh ideas and problem-solving skills. Having a large enough talent pool will threaten our industry’s ability to grow as needed, so we must pay attention to attract and retain the best employees. Cybersecurity must be attractive and accessible to those who may have never considered this to be a career path.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

We live in a hyper-connected world and almost everything that we do throughout our day is connected to some type of computer-based network. Cybersecurity experts tend to place their attention on servers, desktop and laptop computers and mobile devices. However, I do not think that there has been enough focus on the risk of IoT devices on which we are all growing more and more reliant. Combining IoT devices with botnet threats and malware may produce a more personalized attack on the horizon and these attacks may be further complicated by varying IoT device combinations.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

In my role, it is much less about my individual contributions and more about an amazing team of data scientists, product developers and fraud/cyber consultants that I have the pleasure to work with. We work with customers around the world as they face cybersecurity breaches and other forms of compromise. The work that my team and I do when we are made aware of a customer’s cybersecurity breach or potential compromise is to think of ways to help protect the integrity of the customer identification and authentication processes at new account opening, during login or even when making a payment transaction. Our goal is to help organizations allow everyday business processes to continue even during a constant barrage of cyber attacks. We often identify and lessen the impact of massive bot attacks that companies must fight past and cybercrime rings that cross industries and geographic borders. The main takeaway is that these types of incidents are inevitable and should be expected, but the attack can be without success. There are few things as satisfying as preventing a successful attack.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I work for a company that uses its own technology as a part of its cybersecurity arsenal. LexisNexis® ThreatMetrix® is an enterprise solution for digital identity intelligence and digital authentication used by some of the largest global brands in financial services, retail, communications and travel. Throughout our company, we leverage ThreatMetrix® on our sites to identify potential threats and to help prevent unauthorized access to products and services.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

There has been a lot of recent discussion and debate around the role of the customer in cybersecurity and fraud prevention. While it is probably safe at this point to assume that most U.S. adults have been a part of a cyber compromise that has made a portion of their identity data available at some point, I don’t think that laypeople should be responsible for serving as cyber breach watchdogs. Consumers should be tasked with selecting the strongest form of authentication for their personal accounts, reducing the level of personal information sharing within social media and eliminating clicking on unfamiliar website hyperlinks or visiting unfamiliar sites. The rest should be the responsibility of the site owners and cybersecurity professionals.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

There are differing responses for the varying degrees and types of cyber incidents and attacks, but all require fixing the vulnerability at some point. Each attack is unique. Without knowing more about the incident, I do not believe that it would be appropriate to advise companies regarding what the most important things they should do to protect themselves further.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

One of the most common mistakes that I see is companies either do not minimize the amount and type of data that they request for customer input or do not verify the data they collect. Both actions increase the risks of fraudulent users gaining access to their network, accounts and services. In the most recent LexisNexis® Risk Solutions Cybercrime Report, identity spoofing, defined as using stolen or compromised identity or account details, was documented as the most prevalent fraud attack vector. The best counter to this threat vector is multilayered identity proofing including anomalous identity usage, device and account velocity detection, verification of customer data and authentication of identity ownership.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I do see improvements since the start of my career and even in recent years, but, no, I am not satisfied as much more must be done. Now that we have more women in STEM, we need to nurture them, serve as mentors and help them progress so they remain fulfilled, are positioned to lead others and eventually pave the way for more women.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

I often encounter people who believe that cybersecurity and similar technology careers attract primarily introverts or individuals that should not be customer-facing. That is a myth. Cybersecurity positions do not need to be in the background. I have worked with some of the most outgoing, polished cybersecurity and fraud professionals that are not just comfortable engaging with customers and public speaking engagements but enjoy doing it and can operate with excellence. This is just one more stereotype that we should retire.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

First, leadership does not need to wait for a title. This is important because leadership occurs when people want or are willing to defer, follow or align with your ideas and positions. Like most leaders, I did not wait until I was promoted to a management role or assigned direct reports to practice my leadership skills. Look for areas that are void of leadership and help give the direction that is needed; you may be surprised who will appreciate that change and how many will walk with you. Titles will soon follow, even if you must create your own temporarily.

Find your angle. Find your unique perspective to add to the tech world. Also, don’t minimize your professional and personal life experiences because they often serve to validate your observations and intuition. Diverse perspectives and keen awareness are the primary ways to overcome our implicit biases that become embedded in all aspects of technology and processes.

Don’t keep it to yourself. Find ways to share your ideas internally and externally. Stay compliant with your company policies, but look to contribute to blogs, podcasts, webinars and other speaking engagements. Let others hear your ideas and challenge them to make you even better.

Invest in yourself. Technology and threats to its misuse evolve so quickly that it is critical to continually invest in yourself by learning about emerging technology, adaptations and threats. There are always new use cases to address, standards and guidelines to propose and methodologies to produce and/or investigate.

Invest in others. For success to be sustainable, it can’t be done alone. Invest in others around you, especially those earlier in their careers or still exploring where they belong. Paying it forward always seems to allow you to receive the best reward.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

There are so many amazing leaders that inspire me, but I still look forward to the day when we are no longer counting fractional percentages for black female CEOs of a Fortune 500 company — there have only been four EVER (Ursula Burns at Xerox, Mary Winston at Bed Bath & Beyond and currently both Thasunda Brown Duckett at TIAA and Rosalind Brewer at Walgreens Boots Alliance). It would be a great honor to have lunch with any of these brilliant business pioneers, as I would have so many questions to ask them and then I would thank them for the opportunity to celebrate their leadership and perhaps gain a new mentor.

