Know your own weaknesses and the weaknesses of the people around you. If you do, it’s harder for people or companies to use them against you. This applies to a lot of aspects of life. In business and leadership, it specifically points to appropriate delegation of work and trajectory. If you are aware of weaknesses, you know who needs help with what, and you know what steps they can take to reduce that weakness. You know who is more fit to face a situation and who should only receive the overview of a project.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing J. (Zino) Haro.

Haro is a polymath in the making who has found footing in the fields of fashion, cybersecurity, and entrepreneurship. A graduate of Columbia University, she began presenting independent security research internationally by the age of 20 — only a year after debuting in the fashion industry through New York Fashion Week. She has founded two startups and is currently CEO of Uni-ke.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Hello! I guess my childhood was fairly atypical. I went to maybe 12 different schools in and out of the United States and, in high school, my household income was only 12,000 dollars a year — low enough that filing taxes wasn’t even a requirement. That was difficult. Even though I’m part of Gen Z, I didn’t really grow up with a lot of technology because we just didn’t have the money for it. I guess technology-wise, I might as well have grown up two decades prior.

My parents didn’t speak English, and I was the first person to ever go to high school in my family, so I spent many hours working on and figuring out my homework alone and then doing creative projects in my room after that.

This was the start of my multiple interests, but it was pretty lonely — especially during high school in Texas, where there’s little public transportation. I’m in New York now, so that’s not an issue anymore. I love the subway system, even if it is dirty a lot of the time.

When it comes to my life, there’s some other stuff speckled in there, you know? Homelessness, fashion, the music industry… but that’s too much for one interview.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Little Brother by Cory Doctorow. When I read it as a teenager, I couldn’t tell which technology in the story was real at the time and which was fake. By now, I think pretty much everything he mentions is real and out or is about to be released to the public. One thing that really stood out to me was the use of gait recognition in the story. That’s definitely real by now. I don’t think any public schools use gait recognition to monitor their students yet, but I wouldn’t be surprised if they decided to start it for next school year. Imagine you walk in the opposite direction of your next class and school security gets an alert that you’re trying to escape the school or something…

I was inspired by the main character’s attitude towards information and freedom. I started to like the idea of being a hacker and tried to learn more about the subculture — you know, the movies and events that define “hackers.” I think this is the typical teenage attitude towards most things, very idealized, but it helps you learn fast. I learned about DEFCON and other conferences around this time, too, even though I had already been on the hacking path for a short while.

In reality, this book stuck with me because I wrote an email to the author. I emailed him, and he responded. Just the fact that he responded made me think that maybe this was a good path to follow. I mean, I had no guidelines for anything, and my high school didn’t really expect much from people. Getting any sort of positive response from someone regarding possible career paths was enough for me.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I used to run an underground video game trade in middle school. That sounds a lot worse than it really was, I promise. Someone gave me a USB with a game once, so I started making USBs with a bootable version of the game in them. Basically, as soon as you plugged in the USB, the game started to run on the school computer, and we started game servers in the school network.

I should clear something up. Our school computers were locked down. Most sites weren’t accessible, and this was very bad for me. It wasn’t that I wanted to play games or anything, but computers at school were the only computers I had available unless I asked my mom to take me to the public library. It was a moment of necessity combined with creativity or maybe even naivety. I really wanted to use a USB again to escape the rules my school had in place. Now, obviously, I had achieved that with that game to an extent already, but this was a question of accessing the internet and the sites I needed.

I came across bootable USB drives then, and I started to understand what an operating system was. I don’t actually remember what operating system I installed in the USB that ended up working, but I know that I got access to forums where people talked about a lot of questionable things. By this, I mean things like claims to hacking and instructions to manipulate technology. I tried a few. Many things didn’t really work, and others were pranks that made you delete essential files in your operating system if you didn’t know what you were doing; but a few did work, and I got hooked from there. Looking back, I guess the school would have fared better with a network-based whitelist rather than with local controls, but I’m glad they didn’t set that up.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

One time — it wasn’t tied to any particular job — but one time, I had met a few people at a Forbes 30under30 summit, and they realized I was there for cybersecurity. They lived in New York and I lived in New York, so we traded contact information. A few months later, I got a message from one of them asking me for some help with their computers. I’m not going to give details about what they needed done, but I went to their apartment with an idea of how to approach the situation. When I was there, I realized that I knew how to approach things on a regular personal computer, but I hadn’t considered the differences when it came to corporate devices. To be fair, I don’t think they gave me every piece of information until I was there, but I probably should have asked. So, I started approaching their request the only way I had thought of and without much additional precaution.

That was a mistake. Some alarms started going off on the corporate end. Even things like common software downloads or opening files in emails do that in some companies. It wasn’t anything illegal, so everything turned out fine eventually; but if I could do it again, I would make sure to ask more questions about the situation and not assume that the same method would work in different environments. I mean, I knew it wouldn’t work back then, but I should have stopped myself from continuing. Luckily, they didn’t pay me any money, so nobody lost anything. I did get a free meal, though.

Are you working on any exciting new projects now? How do you think that will help people?

I constantly have a lot of different things going on, not necessarily with the world of cybersecurity. Until last week, I was part of a startup incubator recruitment process that lasted about two months. On that entrepreneurial side, I’m working on fashion and a separate esports company. That’s in stealth mode right now.

I’m also trying to publish a book for children of immigrants. It includes things like basic personal finance things you should know, how to deal with extracurriculars and university applications, and how to succeed in an academic setting even when you have nothing financially or don’t have the best grades. I wanted to publish it and sell for less than 5 dollars, but it looks like Amazon won’t let me put such a low price on it. Maybe they’ll let me with an e-book. I haven’t tried that approach yet. I really want to do paperbacks and get them delivered to low-income areas with a high immigrant population, though. That’s my priority.

Additionally, I am set to show my fashion designs during the September fashion week in New York later this year. I’m not sure how the show itself could help people, but the show is part of a startup called Uni-ke that gives a platform to many young designers who are commonly left out of artistic careers due to financial burdens.

Lastly, I’m working on a possible collaboration with “Jforte” Jesse. This is the music side of me, which I haven’t really mentioned before in this interview. It isn’t majorly important right now. I’ve only hit about… half a million streams on Spotify? I don’t know. Shoutout to Jesse. He’s the one helping here. Music helps people.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I think there’s a chance to get really creative right now. Why is there no startup working on cybersecurity in space? I know people who work in policy are talking about it. Kaspersky also wrote about it, but I haven’t really seen anyone working on the technology in a commercial or public sense. The same goes for fashion. If Moscow allowed a brand to showcase an entire collection of digital clothing to be sold as NFTs, I don’t understand why fashion designers haven’t publicized anti-surveillance fashion. I know some people are working on it, I’d just like to see it more publicly and in a more technologically advanced manner. Maybe there isn’t enough hype culture around this yet for it to happen.

Jobs are becoming more defined. I’m not sure I’m excited about this, but I think it’s generally a good thing. Now you get to start off as a malware analyst or a specialist in a particular kind of cloud structure.

Lastly, I’m partially excited about the normalization of cybersecurity. I think the general population has tended to see cybersecurity professionals as scary or suspicious in the past, but now we just exist.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

I can sum up my concerns in two main points, actually. There are a lot of details to both, but these are the general ideas.

First, I’m worried that corporate cybersecurity isn’t moving fast enough. Don’t get me wrong, the hackers meeting up in bars or chat rooms and coming up with ideas left and right definitely still exist. The people buying a Tesla just to hack it by writing live-memory patches also exist. The industry as a corporate idea is very slow, however. People can do a lot more than they’re allowed to do; but the criminals don’t have this same sort of barrier, so they’ll always be ahead. Open up bug bounties. Give your employees free reign in a controlled environment every once in a while. I think companies can benefit from things like that.

Another worry I have is the growing apparent power of large institutions, and I mean institutions in the sense of companies, schools, organizations… The perception of power is a double-edged sword, and it’s creating this illusion of invincibility. Notice I said “apparent power,” not just “growing power.” When you combine this illusion with increased digital exchange among users, you get an overconfident monolith that doesn’t know where its exit wounds are after a breach. I think this has always been the case, but the attack surface is growing tremendously for everyone, and attitudes aren’t really changing. There’s no clear solution for this one on the horizon.

On this same idea — and this mostly applies to bigger, global companies — you have companies that know where their weaknesses are. When they get evaluated, they block off some of those weaker sections just to look strong, but that isn’t helping anyone. It’s easier to pretend the problem is gone; but sooner or later, someone’s going to notice it again. I know of companies that had gigantic breaches half a decade ago. Three years after the fact, you could still find the same issues in other areas of their network that hadn’t been evaluated.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

One thing that’s been a pressing concern for me for a long time is industrial control systems — the things that control electrical grids, space stations, factory lines, things like that. They never really matured with the internet, and they weren’t built for having any contact with it. IoT devices became commonplace, so that opened up a lot of concerns. They aren’t as removed from the internet as most people think. Someone will realize this soon and capitalize on it, one way or another. I’m sure they already have.

When the rest of my generation enters the workforce, there’s going to be a lot of information publicly available about everyone. Social engineering will become a lot easier. It’s easier now to learn the names of pets and family members. A video of the view out your window can reveal your address or what car you drive. Speaking patterns and word use are also easily accessible because the sample size is so large. If you can think like a criminal, you basically have a blueprint for taking over anyone’s digital identity.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’ll speak in general — most problems happen because of human error. Everyone wants to think of intricate hacks like the ones shown in Mr. Robot; but even then, social engineering was very important. Most things I have helped with involve people doing things they shouldn’t be doing on their corporate devices, people opening files from random emails, or companies not recovering company devices after an employee leaves. Every once in a while, you do get a zero day on something the company uses, like a Cisco ASA or something like that, but that is far less common. My takeaway — my advice to companies — is to take care of their people and give them the information they need. If people are scared of their supervisors or don’t trust them, they’re less likely to give information when they do something wrong.

In most companies, I think everyone sort of sees the cybersecurity team as the annoying, strict parent that doesn’t understand them. I wonder what would happen if there was a multidisciplinary person on each major team. What if you had a cybersecurity person who was also part of marketing? Someone who could understand marketing needs but had a cybersecurity background and could guide the team on safe possibilities within the team itself from the start? I think that would be a good step for large companies. It opens up discourse and limits alienation.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As a human, I recommend password managers to generate and handle passwords safely.

As a researcher, I use a lot of fuzzing tools, usually created for one specific use. It’s not very efficient, but when a tool is tailored, you get to see a lot of software errors that would be missed by a more general tool, especially if what you’re working on isn’t a common thing. Using a fuzzing tool is like automatically hitting all the bricks in Super Mario to figure out which ones have stuff in them and which ones will break after a number of hits.

Lastly — and this isn’t really a cybersecurity tool — I’m interested in I2P. It’s sort of like a layer on top of the internet. I guess you could call it almost a separate internet from the one everyone accesses. It’s built in a way that you can send a message and nobody will know who sent it, where it’s going, or what’s in it. The problem is you can only really access things that are within this decentralized network, and there are no exit nodes to the “real” internet. If you need that, you should use a VPN. I2P is not that easy to set up, either. I think there’s a lot of potential in it, but it needs work to become a public tool.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Let’s approach this on a personal level — your home computer. If you are like most people, it’s unlikely that you’ll be directly targeted. A phishing email with your name on it doesn’t mean anything. Your name and email are basically public knowledge at this point. Usually, individuals are victims as part of a breach that affected thousands or even millions, and in most cases, the motive is money in one way or another. Signs that something is wrong could come in the form of suspicious small credit card transactions, logins from unknown locations, your accounts suddenly switching from one language to another, or your computer slowing down for no apparent reason.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Like many things, it depends, but you should have a general company-wide plan. The FTC has better recommendations than I do, but I’ll give a general overview.

The first thing you should do is figure out what happened and where. Was it through your website? Was it through an employee workstation? Is the breach something that could only happen with physical access? Stop the thing. If this means going offline for a little bit, consider the costs and then either literally or figuratively unplug it. This doesn’t always apply, but if there are other things in your network that use the same technology, you need to find them and treat them carefully. For example, if there was a problem in a code section that is used in three separate platforms, address all three, not just the one that has already been breached. Tell everyone who was affected internally and give them instructions. Depending on what the problem is, you might need a forensics team or you might need someone to quickly build a workaround for vulnerable technology. Things will vary, but you need to build a patch while maintaining the “crime scene.” Get legal advice and notify people. If the breach included people’s passwords, disable them and do not allow customers to log in without changing their passwords first. A lot of the time, there isn’t much customers themselves can do beyond this. Fix the vulnerabilities. This might be out of your control if the problem is with a third party technology, but make sure you have a workaround in place and patch things up as soon as the fix is released.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

I work a lot with startups and founders, and the biggest mistake they make is not thinking about security at all. The company then grows without having security at its core, and it’s much harder to fix things once they get more complicated. One thing I can think of is having a single master password for all client accounts that everyone in the startup knows. A surprising number of startups do this. I think companies, when they are starting out, should research the infrastructure they want their company to have as it grows. People know to register their companies as a C-corporation in order to get VC funding. This is the same level of basic due diligence. Don’t plan everything out around your market and industry only to find that next month’s scale-up will break your infrastructure or expose you to a number of threats.

Part of this comes from lack of awareness but also from confidence that another company will act as their umbrella. This is especially prevalent in small startups that are entirely cloud-based.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

No. Not at all. I can’t speak for other sections of STEM, but in cybersecurity, I’ve had some pretty bad experiences in the corporate world. Mostly good ones, but definitely bad ones. One company in particular actually put me off of the corporate lifestyle for a while. In that case, I was on a team of about 30 men who were, on average, probably 20 years older than me. My questions would be answered with jokes or completely ignored. My suggestions were ignored until someone else said the same thing. Things like that. Someone called me a “feisty latina” once, too. There were constant annoyances, and I’m not very tolerant of disrespect.

I won’t name them now… But I will when I buy them!

The corporate world in some industries is horrible, but there are some great companies out there.

Outside of the corporate setting, I haven’t really had any bad experiences, personally. The international hacker community has been very welcoming, and I have a lot of peer mentors throughout. I remember being a teenager and walking up to one person because I saw him running Linux in a sea of Windows machines — remember, this is when I was dipping my toes into the world, so I always got overly excited about everything — and we struck up a conversation about hacking. He was excited to work on any project idea I put out there after that. I remember a fairly well-known member of the industry who helped me with my homework one time — completely unprompted. Another person I met as a speaker in China — she gave me a place to stay for my first DEFCON ever.

Another time, I was in Sweden at a hotel, and it just so happened that someone else was also looking around on the hotel’s network — nothing significant. It turned out we were both in the lobby, and that person taught me a lot afterwards. People gave me books and self-made hacking tools expecting nothing in return. I have countless stories.

It’s not a tame environment, but you do learn.

In academia and research, I have also had mostly positive experiences, especially with my undergraduate thesis advisor, who I mentally thank every day. There’s definitely a gender disparity in the people studying the topic, but I wouldn’t necessarily blame the school, just the industry and maybe some of the classmates. When I was a student, there were only two or three undergrad “hackers” in the school. One person took the time to write out many paragraphs to tell me that one of the guys was a much better hacker than I was and that I should give up. Pretty odd. I can’t tell if that was gender-based or just generic bullying, but I didn’t care enough to think about it at the time.

In the corporate setting, I don’t think anything can change until HR starts protecting the workers rather than the company. I think retaliatory firings are fairly common, and a lot of people are unofficially threatened with being fired for not following a social norm for women. For example, being an assertive and intelligent person translates to “not getting along with the team” because they think you “aren’t friendly enough” for their expectations of a woman. Not asking for permission to speak when you have a very relevant idea comes off as “rude.” If you don’t smile, they take it personally.

HR isn’t the root of the problem, though. My hope is that as people age out of work, new hires will be less subconsciously sexist, but that’s not really going to happen if they keep hiring men to be trained by these same older men. Especially in industries like finance, you get a very “bro club” sentiment. The worst thing is, I don’t think any of them realize it.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

Not everyone’s a hacker. I feel like for the entirety of this interview, I’ve approached cybersecurity strictly as hacking, but that’s not the case. I think that’s how a lot of people start, but only a small portion of people actually hack on a daily basis. There are writers, software engineers, active threat hunters, network infrastructure specialists, people who do math all day, people who break things all day… It’s a long list. Every company has different needs.

Is everyone a nerd? This one’s a little tricky. I would say that not everyone looks like the stereotype, but mentally, you almost have to be. It’s a diverse industry as far as interests go. There are people who are into fashion, music, bodybuilding, basically anything you can think of. I’ve actually met male and female hackers who are models, and there is a whole community of musicians that perform at cybersecurity conferences.

Black clothing is a valid stereotype. Most people look like standard workers during working hours, but in non-work social settings, it seems like the majority of the younger people wear black. I think we almost do it to be ironic, but it ends up consuming our sense of style. I know I personally started it as a joke, but now I wear all black without thinking about it most of the time. It’s self-fulfilling. Gift your cybersecurity friends colorful clothes. Sneak it into their wardrobe. Put googly eyes on their back.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Find a group of people you can talk to openly about things. This goes for any industry or company, but especially one where you are the “other.” This could be based on race, gender, education, or any number of things, really. There were times where I noticed things that bothered me, but I was completely surrounded by the people who were doing those things, and everyone was trying to convince me that nothing was happening. When I talked to people outside of that group and casually mentioned the things that were going on, I realized that I wasn’t “being aggressive” in my response or “imagining it” like my teammates had tried to convince me.

2. Don’t change yourself to try to fit in. If you do, you’ll willingly relive that awkward stage of middle school. I’ve seen a lot of people try to change their personality and style to fit in with the majority. It ends up prolonging a culture that will not welcome the real you nor those like you who will come after you. The most benign example I can think of is people adopting the corporate t-shirt and jeans uniform to become “one of the bros.”

3. Trust people to do what they were hired to do. This goes for everyone. Although I would like to know all the details of the software for a project I run, hovering over the engineers is a waste of time and shows that I don’t trust the very people I chose to help me. Code review is important, but don’t hover.

4. Know your own weaknesses and the weaknesses of the people around you. If you do, it’s harder for people or companies to use them against you. This applies to a lot of aspects of life. In business and leadership, it specifically points to appropriate delegation of work and trajectory. If you are aware of weaknesses, you know who needs help with what, and you know what steps they can take to reduce that weakness. You know who is more fit to face a situation and who should only receive the overview of a project.

5. Don’t give up. A lot of people will ignore you or try to actively put you down. I always assume this stems from insecurity, but I can’t say for sure. I didn’t study psychology, and I’m not a mind reader. Unless you have genuinely done something wrong, this is a sign you, or someone else, should take their job. They clearly can’t handle the responsibility and don’t have the ability to mentor in a positive manner. The problem with this lesson bullet point is that it requires you to be accurately aware of your own mistakes, and that is a whole other lesson on its own.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I would like to meet someone I can’t think of. If I do this, I am more likely to learn more because I am unaware of what they can teach me. I don’t think that would work as far as tagging goes, though. Maybe Ashley Lannquist, who works on digital currency at the World Economic Forum. I feel like that might be an interesting conversation. I kind of want to talk to everyone: models who work internationally, like Sora Choi, a New York City MTA conductor, too. I’m just curious.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!