Date: 2021-06-05

Though I’ve never played any team sports, I’m a big believer that we win together and lose together. As a start-up co-founder, I’m ready to roll up my sleeves and jump in, but more recently I’ve focused on building a team of leaders, empowering them, and coaching them from the sidelines. Like most parents are with their children, all their successes are theirs, but any failure is a shared responsibility. It’s very important to use “we” when there is a problem.

As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Poornima DeBolle, co-founder and chief product officer of Menlo Security. Previously, as a product management executive at Juniper Networks, she was responsible for cloud security, security management and security analytics. Poornima joined Juniper via its acquisition of Altor Networks, where she was vice president of product management and business development. Before joining Altor, Poornima was head of business development at Check Point Software, where she also held product management and engineering roles. Poornima holds an MSCS from Arizona State University.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born and raised in India, one of four children — three girls and a boy. My parents both have master’s degrees. We were a middle-class family — middle class for India, not necessarily middle class here in the United States. We had a good home, food, school, and all those types of things. We didn’t have television until I was probably 16.

I grew up surrounded by lots of family — aunts, uncles, cousins, and friends. We played outside all the time, and I also read all the time. We’d have a competition to see which one of us could read the most books in a day. I still read now — a book a week. In fact, my daughter and I are always competing to see who can read the most books — she has me beat. I don’t think I missed out on anything while growing up, maybe because I didn’t know any better, but mostly because it was a very happy, fun childhood. There was definitely a strong focus on education. It’s not just me who loves to read — my whole family does. One of my strongest memories is coming home from school and seeing my mom sitting and reading.

We also traveled quite a bit. My father worked for the Department of Atomic Energy in India, and with that came traveling. He often brought us along with him. I think those experiences gave me the worldly perspective and open-mindedness that I have today. From a very young age, I saw many people from different cultures and came to understand that no matter where someone comes from, or what they do, or what our differences may be, ultimately people are people. This early exposure to different types of people from different cultures instilled in me an adventurous and open mind.

I was a very good student — I actually started school when I was three years old because I couldn’t wait to go. I poured myself into school — and not just my studies. I was very involved in extracurricular activities. I was on the debate team, in the theater group — you name it, I was involved. Except sports — I was not good at sports.

While in school in the 10th grade, I discovered my love for math and physics. Until then I had planned to be a doctor, but once I realized my passion for math and physics and other STEM-related subjects, I made a hard right turn to go to engineering school. I earned my undergraduate degree in computer engineering and then came to the United States to get my graduate degree in computer science.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share why it resonated with you so much?

As I mentioned, I’ve always been an avid reader, which makes it hard to pick just one book. A few that come to mind include Robert Heinlein’s The Moon Is a Harsh Mistress, which is such a breakthrough book in terms of societal changes. It showcases the philosophy of personal responsibility and political freedom. And like any engineer worth their salt, The Hitchhiker’s Guide to the Galaxy series by Douglas Adams is another favorite. The book A Suitable Boy, by Vikram Seth, is one I recommend to everybody. It’s probably one of the best books that captures a certain slice of time in India and what was happening. It’s a very well-written, detailed book.

On the work side of things, aside from technical books, I recently read The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers, by Ben Horowitz. Our vice president of human resources, Rosemary Fantozzi, gave it to me. As a product leader and co-founder myself, a lot of Horowitz’s own experiences and learnings really resonate. To me, the book feels like a guidebook. I think it’s really a great book for any founder or business leader.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It’s actually kind of funny. I wasn’t so much inspired to go into cybersecurity as I sort of fell into it. I happened to be attending a job fair. I received an offer from Sun Microsystems and two other companies. After the job fair, I went to meet my boyfriend, who’s now my husband, for dinner and to discuss the offers. He worked at Cisco at the time. He mentioned there was a job fair in Santa Clara, so I thought I’d check that out before making a decision.

I was at the job fair and stopped at an empty table to organize my things. The table happened to be part of the Check Point Software booth. As I was finishing up, a man came up to me and said “Hey, talk to me.” He wasn’t as well-known as he is today, but it was Nir Zuk, who later went on to found Palo Alto Networks. I thanked him and declined, letting him know I already had job offers and I was sorry for taking over the table in his booth. But he was insistent and asked for my résumé. I thought to myself, why not? So, I gave him my résumé. He asked a few other people in the booth to speak with me. Since I was killing time, I talked to them.

This happened on a Friday and on that next Monday, they wanted me to come to their office to interview. I was resistant because, if you can believe, I thought it was too far to drive. I lived in the South Bay (of the San Francisco Bay Area), and their office was in Redwood City. If you know the Bay Area, you know that is a terrible commute.

But I got myself to their office and I interviewed with what now feels like a who’s who of the cybersecurity industry. I met with Shlomo Kramer, one of the co-founders of Check Point. Shlomo went on to found Imperva and Cato Networks. He is one of the smartest security investors I know. I also interviewed with Asheem Chandna, now with Greylock where he has been a founding investor in multiple successful companies, including Palo Alto Networks.

I interviewed with this all-star panel and they gave me a job offer on the spot. I really liked the way they came together to make an offer so quickly. I had to decide — not so much about going into cybersecurity, but more about this group of people who inspired me to join them. It was probably one of my best experiences in terms of learning about cybersecurity.

And to think I didn’t want to go to the interview because their office was too far away!

Can you share a story about the funniest mistake you made when you were first starting your career? And what lesson you learned from that?

In my first job out of school, I worked on a network monitoring appliance and I was responsible for the full stack — the real-time operating system and the applications. I spent a lot of time in the OS optimizing the performance using an in-circuit emulator. Stanford was one of our customers. The appliances would work perfectly for three or four months and then crash. I worked many weekends and when I found the problem, it was a quintessential math/engineering joke — I was dividing by zero! To this day, the Divide by Zero jokes hit a little too close to home.

I learned that perseverance and creativity are key to solving problems. I also remember the gratification of solving the problem. That same determination to solve a problem and experience the happiness from a job well done drives me to this day.

Are you working on any exciting new projects now? How do you think they will help people?

Every morning when I get up, I sincerely believe in my heart that what we’ve created here at Menlo Security is a really exciting revolution of all the security architectures that I have seen over the years. Our challenge is to get this into more people’s hands. And when it is really widely adopted, I think it will truly change the way people perceive cybersecurity. Somebody once told me the best security is when the person using it doesn’t have to think about it. And that is exactly what we’ve built with our browser isolation technology. I just can’t wait for it to be widely adopted. We’re already seeing a good uptake. I’m very excited for our future and how we’re going to help so many people.

As the adoption continues, isolation gets baked into our everyday use. I think it’s one of the technology things that can make a big difference in people’s lives, not just in enterprise operations. I believe it has an equal application, if not a better application, to small businesses, personal use, and all of those situations where you currently need to rely on people who understand security to provide it for you.

Our isolation technology, on the other hand, can really keep users secure while they just do what they do, and without having to worry about it. I can hardly wait for our technology to be more adopted and more prevalent everywhere.

The cybersecurity industry seems so important and compelling right now. What things in particular most excite you about the industry?

It is an exciting time for many reasons. The adoption of the cloud as a platform for security is definitely at the top of the list. Historically, security was funneled into one place, but also suffered from resource limitations. So, you would be forced to make a choice — do I implement IPS on everything, or do I do isolation on everything?

I think it’s very exciting to have a cloud platform that really delivers the right security — independent of the resources needed — anywhere you are. It’s so powerful in that methodology that you can be secure from anywhere to do anything — whether you’re working in another country or at home. I think this is really the first time in my life I’ve seen it. There have been some indications of that order, but the evolution of it has been very exciting to watch.

I think it will make security accessible to everybody while making everything secure.

I know the word “exciting” may seem overused, but I truly find, from a technology perspective, machine learning to be exciting. Think of all the data that can be provided. Because you’re using this cloud form factor in such a big way, you’re generating a tremendous amount of data. Any resulting machine learning that you generate is just superior.

An example of this is self-driving cars. I read that humans have been trying to build self-driving cars for a long time, so what changed in the current iteration of these efforts? How did we get to have actual, working self-driving cars? The answer is that we just have so much more data now that the training of the algorithms and other factors is so much more reliable and accurate. It’s what you put into the system that makes such a big difference.

I feel the same way about security. As we consolidate and use our cloud platform to deliver security, we gain learnings and have the data that can feed into our machine learning capabilities to create a very effective feedback loop.

I think what we learn and how we protect ourselves, as a result of these huge amounts of data, is very exciting. Many companies are trying to do many things, but enterprise cybersecurity still has a long way to go. When we compare our industry to what consumer companies have accomplished, such as Facebook or Airbnb, they use all of that data to make their product better.

The cybersecurity industry isn’t there yet, but we’re getting there.

What are three things that concern you about the cybersecurity industry? Can you explain what can be done to address those concerns?

For all the talk of innovation, I don’t see a lot of innovation from large cybersecurity companies. Whether it’s my alma mater, Check Point, or Palo Alto Networks, or others, they all seem to be more on a path of evolution — making things slightly better than they were yesterday, which is good, but I don’t see any big innovations.

I would say the last big innovation was when FireEye came up with the sandbox. The next big innovation, in my opinion, is when Menlo came up with browser isolation. There are a lot of new technologies that need care and feeding, but I don’t see a lot of breakthrough, hardcore innovation in cybersecurity. That’s a real concern.

Another concern is that there is little to no focus on women in cybersecurity. It’s definitely a very male-focused arena, even within tech. I believe bringing in more diverse perspectives would make a big difference.

I think about Tina Fey’s interview a while ago when she talked about starting to work at Saturday Night Live. All the writers would write jokes, but if a joke was written by a woman in the group, the men in the group wouldn’t understand it, so the joke would get scratched. But as more women writers came on board, they had more voting power, resulting in their jokes making it into the show. I think we would see similar kinds of contributions from women in cybersecurity, especially in engineering where their roles are even more limited.

To help solve this issue we need to build and nurture the pipeline. I think girls self-select out of math and STEM classes for whatever reason. We need to create a nurturing environment early on, in a way that girls can explore and grow, and then add in a broader group. We need the creative solutions that girls can bring.

I’m a strong believer in all-girls schools. They can be a great way to foster the girls’ talents while insulating them a little bit from some of the challenges they may face that might make them less confident.

There are societal and other tools we should be applying to make sure the pipeline is nurtured along the way, all the way. This doesn’t stop once girls have left school. It should extend to when they’re in their jobs, when they’re looking to start or grow their family, and while they’re raising their children. I think society generally needs to have a supportive infrastructure that helps them all along their journey. It shouldn’t be a “one and done” approach. I wish it were that easy to solve.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The critical threat I worry about the most is cybersecurity attacks on critical infrastructure. In fact, just last week we learned about the DarkSide ransomware attack on a major fuel pipeline here in the United States. The impact of a compromise on our critical infrastructure — such as utilities, transportation, or manufacturing — can be huge, but our efforts to secure these enterprises lack the focus it deserves.

People will be the weakest link in securing critical infrastructure. A phishing attack or a supply chain attack is all too easy to imagine. Companies need to have a comprehensive security strategy and be diligent about ensuring that vendors and suppliers are following security best practices.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Menlo’s Isolation Platform stops many breaches every day, including ones originating from browser zero days. A recent one that our security research team blogged about is the DURI campaign. Five years ago, one of our prospects tested how the Isolation Platform would deal with delivering malicious code in a URI Blob. It was only a lab test, but we found that proxies and NG-FWs just let it flow through to the endpoint, while Isolation stopped it completely — with no impact to the user or enterprise.

Five years later, we found that exact method being used in a campaign. We first discovered it in the environment of one of our media customers. Once we identified the IOCs, we found that the campaign was also targeting major financial institutions.

Menlo Security customers were fully protected from this class of attacks.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers, can you briefly explain what they do?

On the cybersecurity side of things, the tools that we use every day involve isolation, a technology that doesn’t let cyberattacks get through to the users’ endpoint devices. We use isolation very actively at Menlo and with our customers. What’s most interesting about isolation is that it’s starting to provide us with visibility and information about various different patterns. Because we execute everything in our isolation platform, it gives us information that no other technology can get. It’s almost like having lots of people test various websites through the isolation platform and help us take out the ones that have been either compromised, or that haven’t been compromised yet, but we can see something isn’t right.

We have a combination of tools that we use to extract anonymized information from our Isolation Platform and that provide us with a petri dish of what is actually happening across the broader Internet, literally all over the world. I think this is one of the best cybersecurity tools available. Every other company in the world uses crawlers and things that both nefarious websites and malware actually detect, and then they protect or hide themselves from those tools — something they can’t do with Menlo’s Isolation Platform.

At Menlo, we’re able to have a user on one end doing what they’re doing, but in the middle, we both protect them and capture all the badness that might be happening. This gives us insight into our ability to extract and build on that. This goes back to what I talked about in regard to applying machine learning to the Menlo Isolation Platform, where we’re isolating billions of websites every day. What we’re able to see is really key to the research and insights that we bring to our customers and the market.

As you know, breaches or hacks can occur even for those who are the best prepared, and no one will be aware of it for a while. Are there three or four signs that a layperson can see or look for that indicate something might be amiss?

This question can have very different responses based on whether we’re talking about an enterprise or a personal account.

For enterprises, audit and anomaly detection have proven to be the best fallback in detecting something amiss. We need to continue to fine-tune the anomaly detection with better data, but these tools have proven to be a great backstop.

It’s somewhat similar for a personal account. Don’t ignore alerts from Google or your iPhone about password reset requests or unauthorized access. Use multi-factor authentication as much as possible. It’s a great first line of defense.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Similar to the previous question, data and security breaches can take many forms, and this is a difficult question to provide a one-size-fits-all answer.

The two things to do immediately are to get control of the environment as soon as possible, even if it means being offline. Immediately start implementation of the communication plan to customers and impacted parties, even if the full impact of the breach is not obvious.

Most companies that have been breached should rely on a third-party assessor and auditor to help them with the analysis and a plan. Employees who have been in the middle of handling the breach can have an outsized response and may not be ready for a balanced perspective.

Once a mitigation plan with the right risk framework is in place, the company should plan for regular audit, awareness, communication, and tabletop exercises.

What are the most common data security and cybersecurity mistakes you’ve seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

There are a few best practices I advocate for.

The first is clear ownership and understanding of security controls. There’s always so much to do that it is all too easy to lose sight of important items.

Make sure everyone on the team understands why a security control is in place, so they’re able to use good judgment every day to ensure it is meeting its purpose.

Get the must-have protections done before you expand to corner cases. Similar to our battle against Covid-19, where wearing a mask, social distancing, and hand washing were the most important aspects to get control of it before the vaccines, there are similar must-have protections from a security perspective — prevention (firewall, isolation), authentication, audit, and visibility.

It might be different for your organization, but ensuring that you have those four or five must-have controls understood and deployed builds the foundation for addressing complex use cases.

Last but definitely not least, invest in training. The threat landscape is changing all the time, and a knowledgeable team is the best defense against threats.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I believe there’s a lot more we can do to improve the participation of women and girls in STEM. There are a few changes that can help sooner rather than later:

Find men who are good advocates for women in STEM. I have colleagues who have a whole new perspective about women in high-tech and security after they’ve seen the world through their daughters’ eyes. Men have to be advocates for women in STEM.

We also need to help women be able to communicate their ideas and thoughts in a way that is well received and understood by a largely male audience. Being aware of your audience is an important skill anyway, but communicating in a way that can bring everyone along is important. Providing training and mentorship opportunities is an easy way to turbo-boost this skill.

The last one I practice myself in all my meetings, and that is to speak up. Women are often hesitant about speaking up. Men are more willing to speak up and don’t worry about how it looks. Women need to shed their inhibitions about looking bad and participate in the conversation. Here also, leaders making space for women to participate can change the tide quickly.

I have a longer list of suggestions on how we can make changes, but I’ll save that for another time.

What are some of the “myths” that you would like to dispel about working in the cybersecurity industry?

The Hollywood and TV depictions of people breaking through cybersecurity controls have to be the biggest myth.

It takes a lot of effort and knowledge to break cybersecurity controls, especially if those controls are implemented correctly. While movies and TV programs show bad guys succeeding, in real life, the good guys succeed every day.

While this is not a technical response, it is my pet peeve.

What are your “Five Leadership Lessons I Learned from My Experience as a Woman in Tech” and why?

1. Know what you know well, be willing to admit to what you don’t know, and take that as an opportunity to learn.

Cybersecurity encompasses many topics and, more than in any other industry, cybersecurity buyers have a higher propensity to challenge every statement — whether it’s about a product or a concept. It’s important to establish credibility, but it’s equally important to be respectful of your audience and not mislead them, especially if you have an elevated platform.

2. Be bold and reach farther than your comfort zone.

Every few years I find myself with a great team that is executing with minimal oversight. I make it a point to take that opportunity to think about what I want to learn and how I can contribute to adjacent functions. To date I have had great mentors who have always given me opportunities to experiment and grow, but it’s incumbent on you to reach for it. A few years ago, at Menlo, I asked for the opportunity to own the customer success function because I was already spending a lot of time with customers. After a few years of doing it, I recognized that I’m not good at it, but I learned from the experience and today, I truly appreciate our customer success leader for his contributions.

3. Empower your team, celebrate their success, and have their back when they fail.

Though I’ve never played any team sports, I’m a big believer that we win together and lose together. As a start-up co-founder, I’m ready to roll up my sleeves and jump in, but more recently I’ve focused on building a team of leaders, empowering them, and coaching them from the sidelines. Like most parents are with their children, all their successes are theirs, but any failure is a shared responsibility. It’s very important to use “we” when there is a problem.

4. Care about your people and be vulnerable — it invites authentic conversations.

While we all understand that work is work, we spend a lot of time with our colleagues. Caring about them as people and knowing about their lives and what motivates them will make you a better leader every day.

I’m a very private person. It’s hard for me to be open and vulnerable, but based on my experiences, I highly recommend that leaders be vulnerable with their team. Share your experiences, tell them about your life. It creates the right backdrop to have authentic conversations and challenge each other safely.

5. Do the right thing every time — it will pay back in spades.

This is a leadership lesson I learn and live every day. Whether I’m working with a customer, a colleague, or an employee, this tenet sets the tone for how your team works when you aren’t in the room. I practice and preach this all the time. My favorite good-bye email from an ex-Menlovian described when he recognized this about me. While I appreciate all the feedback about my contribution to Menlo’s success, I treasure that email the most.

We’re very blessed that very prominent leaders read this column. Is there a person in the world, or in the U.S., with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I would love to have breakfast or lunch with all or any of the women justices of the U.S. Supreme Court. Of all the areas where women are making strides, I’ve always seen the Supreme Court as the hardest place to balance doing right with making it right, especially when it comes to women’s rights.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!