Date: 2021-05-25

Ask “how can I help?”. I strive to not just benefit from other women’s advice, mentorship, or connections but also consider how I can give back to each relationship too. Especially, when you’re in the earlier stages of your career, it can be tempting to assume you have nothing to offer to those who have been in the industry longer. I’ve been surprised how there are ways to help even the most senior people. I encourage others to think of finding ways to make their relationships two-way streets. It can start by asking, “how can I help?”

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing Mollie Breen.

Mollie Breen is the Founder and CEO of Perygee which helps enterprises adopt and scale IoT best practices through a platform of “no-code” and IoT cybersecurity modules. Before starting Perygee, she was an Applied Research Mathematician at the National Security Agency (NSA), the first NSA mathematician at the U.S. Secret Service, and co-leader of the AI/ML Portfolio for the Chairman of the Joint Chiefs of Staff at the Pentagon. Passionate about business and encouraging women to pursue STEM, Mollie was featured on the reality television show Girl Starter as one of eight women starting businesses, which aired on TLC and the Discovery Channel in 2017. Mollie has an MBA from Harvard Business School, an MS in Engineering from Harvard University, and Mathematics and Computer Science degrees from Duke University.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in the D.C. area, and my parents both worked in the public sector. As my siblings and I have grown older, we have all gravitated toward jobs in the federal government, military, and non-profits. Looking back, I think my family contributed to an innate desire to want to work on big problems that have a meaningful impact on society.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I have always loved the movie Miss Congeniality (2000). In the opening scene, young Gracie Hart stands up for someone else at the playground only to get bullied. She goes on to become an FBI agent and goes undercover to save a beauty pageant and has to confront a world of hyper-competitive beauty standards. By the end of the movie, Gracie recognizes her own potential at the same time she realizes she is underestimating the beauty pageant contests and the impact they have on others. I think there can be a misconception that being a female leader means you can’t be too feminine. As a young girl, this movie fed my motivation for wanting to pursue a career in the intelligence community. I loved that it suggests that female leaders include women who are gritty like Gracie, and those who enjoy beauty pageants. You can do both!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I have always been drawn to cybersecurity for the mission and the technology. I was in elementary school when September 11th happened, and it sparked my dream to go into the intelligence community. As I got older, I gravitated towards films and stories about female leads solving crimes, and math problems and puzzles. I still remember where I was when I first learned about the National Security Agency (NSA). It was a place for mathematicians and computer scientists to work on life-saving problems like code-breaking. So, I was eager to work for NSA because it combined all of my interests, and out of that, I began my career in cybersecurity.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

At my first job out of college, I had a long commute via the train to work and, like many people, often wore sneakers instead of dress shoes for going to and from the office. On one particular day, I had a presentation to the entire office, and I forgot to pack dress shoes. I was worried I was going to have to wear sneakers with my formal dress until I asked another woman if I could wear her shoes during my presentation. I remember how the shoes were a size or two too big, so I stayed glued to the floor during my presentation to avoid them falling off. That being said, I am so glad the other woman saved me from the embarrassment of having to present in a formal dress and sneakers. It speaks to the value of camaraderie between women.

Are you working on any exciting new projects now? How do you think that will help people?

Today, I am building the cybersecurity company Perygee which is a platform to help companies scale operational technology (OT) security best practices. The platform learns each device’s unique behavior and then customizes and automates actions such as patching, changing passwords, and segmentation. Our goal is to help security and OT teams who may never have managed IoT or who are managing it today and want to save time tailor a security approach for every OT device on their network.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Internet of Things (IoT): Just as the iPhone wasn’t the end of innovation but only a midpoint to new technologies like the explosion of apps, advances in chip design, and even wireless headphones, it’s interesting to think about how the IoT will continue to evolve over the next 5–10 years. For example, I think the IoT will do more than just make a process automated but could lead to an overall improvement in network hygiene or offer opportunities for edge computing that don’t yet exist.

4G and 5G: 5G is bringing an influx in the IoT and digital assets. What will come first that is often not talked about is how we will manage the networks when half of the assets out there are 4G enabled and half are 5G enabled. Are there ways we can offer the advances of 5G to 4G assets so that there is consistency across the network?

Encryption: When I got started as a mathematician at the NSA, encryption and cryptography felt like a black box to a lot of consumers. Since then, trends like blockchain and bitcoin have put cryptography into a regular person’s vocabulary and have even made their way onto Saturday Night Live sketches! I think encryption will continue to become a talking point within enterprises. It may not necessarily be a transition to the blockchain, but perhaps will result in a closer look at how data (at rest and in transit) is being managed.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Cyber products don’t have to be insurance products. One concern I have is that cybersecurity solutions are often thought of as insurance products where investment in them is less about an improvement today or tomorrow but a preventative solution for unknown months or years down the road. The problem with that mindset is that it puts the onus on the buyer in the organization, usually the Chief Information Security Officer (CISO), to communicate to the Chief Financial Officer (CFO) why the product is important today. Part of the solution can be educating senior management, but I think even greater gains can be made if security vendors consider how to communicate that their product improves day-to-day operations, versus just preventing rare events.

One thing that I didn’t pay as much attention to before COVID was cybersecurity in the supply chain. For example, in healthcare, cybersecurity touches everything from COVID tests to producing vaccines, to storing vaccines, to the information on who is getting vaccines. While this is just healthcare, interconnectedness exists across just about every industry. When responsibility falls on so many stakeholders it can be hard to pinpoint a solution or set of solutions. One way to address these concerns that the industry is moving towards is establishing best practices and standards that stakeholders from different arenas can understand and adhere to.

There isn’t enough cybersecurity awareness at the board level. It’s becoming more common for private companies like hospitals, banks, schools, energy providers to be the targets of costly cyber-attacks. These institutions don’t always have the security posture ready to prevent them. One of the first steps to address this is at the board level. The board should be educated on security risks whether that’s from an independent advisor or hiring an executive at the company who can speak to the security strategy for the institution.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Private companies as targets for state-sponsored attacks. While it may have been true before that just the federal government or military was the target for a state-sponsored attack, it is now the case that corporations are the first line of defense. This is problematic because it increases the volume of attacks these companies see as well as jeopardizes companies who may not have sufficient protection in place to defend against state-sponsored attacks.

Unclear strategy for IoT adoption. Over time, as new threats come to light, new teams inside of organizations are created. For example, application security became an entry point into networks, and, over time, enterprises added teams focused solely on application security. As the IoT increases in the amount on networks, often there isn’t a team dedicated to the problems created by the IoT. Just like with protecting other new threats, the first step to creating a strategy for the IoT can come down to having a team of dedicated people responsible for it.

Lack of enough talent in cybersecurity. In the future, one of the most critical threats may not be because of a new type of technology, but more the inability to have enough people to get out in front of the problem.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

While I can’t speak directly about my time at NSA, I have experience helping others respond to breaches as the cyber expert among my peer group. What I found most surprising is how long hackers were on the system before they were noticed. For example, there was a phishing attack in a work environment that eventually got noticed by a colleague. Upon investigation, it was clear a hacker had been logging into the compromised account at off times for several weeks to learn the behavior of the user. As the first step, we advised the user to change their password and add two-factor authentication. The main takeaway is even if you think you aren’t the target — perhaps you aren’t high profile or in a senior position — you can still be the target for a breach.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Leading a company that works with security teams of larger enterprises, it is important to have our own security policies in place since we know we are just as likely to be a target as our customers. There is a subset of tools we use that any small company should apply. The first is two-factor authentication (2FA). 2FA is when you use your email or your phone number as a verification method when logging on to a web application or appliance to prove you are logging into the account. A second tool that is applicable to small companies is a password manager for every member of the team. A password manager is a place that securely manages usernames and passwords, almost like you would using a notebook on your desk. The difference being it stores them in a secure way so that only you have access to the passwords, not even the vendor of the password manager. A password manager avoids password reuse and promotes strong password usage because you only have to remember one password.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

If you work in IT, some important traces to look for to see if you have been hacked are:

Escalation of privileges. Hackers usually escalate privileges or create new admin accounts in order to access sensitive data. So, it’s important to keep an eye on how admin credentials are being used.

Infrastructure in the network talking to unknown IP addresses outside of the network. Hackers usually remote in from obscure locations. If they are stealing information, they will send that data to a server that they can access. This means it’s important to keep track of what infrastructure should be talking to outside of the company’s network.

Infrastructure talking to unusual assets. Hackers can spoof IP addresses, meaning they appear to be coming from somewhere even when they are not. So, it’s important to also consider network behavior so in the event that the hacker does appear to come from a location that is safe, you can catch the breach through another method.

If you don’t work in IT, and you are hoping to contribute more broadly to the cybersecurity strategy, it’s important to change passwords if you have noticed something weird on your account. Always alert IT to suspicious activity.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Every security breach is slightly different and with different causes: was it an insider threat? Ransomware? It’s important to first figure out the root issue. Depending on when you discover the breach, there can be multiple systems compromised. It’s important to stop the bleeding so that more systems are not compromised. At the same time, it is important to communicate internally across business units to coordinate a response. If you are in a position that customer information has been compromised, it’s important to be transparent. While it can hurt the reputation in the near term, the cost of not telling your customers and having them find out later is greater than being honest upfront. When you are bringing the breach to the attention of your customers, it is important to communicate the action plan and the steps you are taking to improve going forward.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Often the new advances in technology come with new, “next-gen” security measures. Acquiring new solutions can be helpful to solving these new security challenges. However, these solutions are largely evolutions of security fundamentals like regularly updating IT and OT systems, segmenting the network, protecting egress, and tracking network change over time. So, while it is great to buy the next best-in-class solution, it’s also important to keep in mind if and how that is mapping to cybersecurity fundamentals. If you can map new solutions to better security hygiene, then I consider the lifespan of that tool in the organization to be much longer.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

There is certainly room for improvement in elevating women in STEM. One area where I encourage change is in the notion that we need to train more women to get into the workforce. While training is certainly a good thing, the more we focus on training as a means to get women the job, the more we raise the bar for what it takes to get into the industry in the first place. Instead, I want to encourage more employers to hire women (or anyone else for that matter) even if they don’t have four other cybersecurity references on their resumes. I think the onus should be on employers to pick talented people with diverse perspectives and help give them the technical skills to succeed. This way, training can be a lifelong accompaniment to a professional career rather than another way to filter out otherwise talented and passionate professionals.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

When I started in cybersecurity, I thought of it as hackers vs. security teams and learned it was much more nuanced than that on various levels. I found many examples of “hackers” working alongside security teams, and security teams working to think more like hackers. I also learned that among security teams there is so much more to the job than just hackers, including policies and controls, management of people and teams, or translating security objectives to business operations. Boiling it down to hackers vs. security is an oversimplification of the complexity of the day-to-day.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

You never run out of options. There will be many times where you might think, “If this doesn’t work, I don’t know what I’ll do next.” You might be trying to win your first client or find a new job and feel as if you’ve run through your last idea. Sometimes your solution or next step won’t be obvious, and you will have to tap into your creativity to find it, but it’s there if you keep pushing for it.

Just because you don’t know how to do something doesn’t mean you can’t do it. Early on, I equated the fears I had about not knowing how to speak confidently from my cyber expertise or ask for money to fund the cyber business, with the notion that I wasn’t capable of doing it. Now, every time I face a situation that might be intimidating, I remind myself I am capable of it, I just haven’t done it before.

There will be a lot of rejection. There might be a misconception that rejection means you’re doing something wrong, whereas I like to remind myself it means I am doing something right. Leadership is all about putting yourself in uncomfortable situations and taking risks. Nonetheless, I highly recommend finding peers with whom you can share the rejection and who will encourage you to take the learnings you can from the situation.

You don’t need to have all the answers to succeed. Don’t be discouraged if you ever felt you weren’t the smartest technically or the most strategic in the room. Even if you are an expert on some topic, there will always be blind spots. Leadership is all about working with people of different perspectives and asking questions.

Ask “how can I help?”. I strive to not just benefit from other women’s advice, mentorship, or connections but also consider how I can give back to each relationship too. Especially, when you’re in the earlier stages of your career, it can be tempting to assume you have nothing to offer to those who have been in the industry longer. I’ve been surprised how there are ways to help even the most senior people. I encourage others to think of finding ways to make their relationships two-way streets. It can start by asking, “how can I help?”

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Sara Blakely, the founder of Spanx. She has an incredible story of dedication to her idea. To me, what I look up to most, is her authentic leadership presence. She never seems to shy away from being who she is and leading in a way that is unique to her. She is an authentically quirky, honest, and inspiring role model. It is a reminder to me that there is no one right way to lead, and that perhaps the best way to lead is by leaning into strengths you already have.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!