As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Samantha Madrid, VP Product Management, Security Business & Strategy (PLM) at Juniper Networks. Samantha is an expert in the enterprise security market with nearly two decades of experience in roles spanning sales engineering, product management and marketing. She most recently served as the Vice President of Product Management and Marketing for E8 Security (recently acquired by VMware). Prior to that, she held leadership roles at Palo Alto Networks, Forcepoint, Inc. (formerly Websense) and Cisco IronPort Systems. She also spent many years in the field as a hands-on Systems Engineer, specializing in various security technologies. Over the span of her career, Samantha has built strong product organizations, introduced many successful products, created brands, and launched effective go-to-marketing programs that have led to rapid product adoption in the highly competitive security industry. She studied Political Science at San Jose State University, where she also was a member of the university’s swimming and diving team. She enjoys spending time with her husband and their two dogs.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in California and went to school in the San Francisco Bay Area, where I majored in Political Science. I was a state-qualified debater in high school and a competitive swimmer in college. That competitive spirit has carried over into my professional life. I actually started off my cybersecurity career in networking right out of college and switched to security shortly thereafter.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Onward by founder and former CEO of Starbucks, Howard Schultz. One of the lessons from the book was that he didn’t take “no” for an answer and had his own vision that he turned into a reality. That’s a belief system that I’ve applied to my own life, and it has served me well, so that story has a special meaning for me.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As a little girl I loved spy films like “James Bond.” Cybersecurity had an extra attraction to me since it evoked some of the same cloak-and-dagger aspects of those early spy films — especially Q’s gadgets!

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I don’t recall a specific anecdote, but I never dwell on my mistakes. I see them as learning opportunities because I don’t believe in regret.

Are you working on any exciting new projects now? How do you think that will help people?

It’s an exciting time right now in cybersecurity due to both the technology and architectural shifts taking place, specifically around cloud and distributed edge. Cybersecurity has also never been more important than it is today. There are nation states attacking our critical infrastructure, organizational supply chains and there are individuals being targeted by ransomware.

One of the exciting areas we’re investing in are techniques for identifying malicious activity that is obfuscating itself within encrypted tunnels. These tunnels can’t be decrypted inside organizations because of privacy regulations, but we’re using behavioral-based machine learning techniques to identify threats without having to decrypt the traffic. We’re helping to identify threats hiding behind encryption, which means privacy and security are no longer at odds with each other.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

What’s most exciting to me is that the Cybersecurity industry has reached a turning point.

For the past several decades, the security industry has been trying to convey that cybersecurity isn’t a niche problem or function — it affects everyone. Security is now at the forefront of many business decisions and becoming an integral part of organizational strategy.

The security industry is much more diverse than it was even 5 years ago. More women and minorities are in highly technical roles and leadership positions, which means different perspectives and opinions are going into figuring out how to solve for cybersecurity’s toughest challenges. If we’ve learned anything over the past four decades of successful breaches, it’s that we need to “think different” in order to find lasting solutions.

I’ve always believed that the network must participate in its own defense. We can’t rely on security tools to protect the network when they’re relegated to very specific points in the network. Security has to be pervasive and go beyond firewalls, proxies, and endpoints to better protect the network. What’s exciting is that organizations are realizing this, as well. And not just that, but they’re actively taking steps to extend security to every point of connection.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

If you look at nearly every breach, they all involve humans as the weakest link. Human error and social engineering has remained the top vector since the late 90s — earlier than that, in fact — and we still haven’t solved for our “layer 8” vulnerabilities, even with all the advancements in endpoint security and identity and access management. So, we have to figure out how to remove people from the equation.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Even though different attack techniques are emerging, IoT devices number in the billions, and network architectures are becoming more complex, breaches boil down to humans as the common weakness. The most significant cybersecurity challenge is removing humans from the equation.

In addition, attacks on critical infrastructure as a result of IT and OT convergence will have a greater impact on society. While organizations are rightfully securing their OT/ICS environments, securing the IT network cannot be deprioritized.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I can’t talk about particular breaches. However, one incident that has stuck with me over the years involved a company on the East Coast. An employee of the company was partitioning their hard drive and storing child pornography. The company was doing a proof-of-concept of my product at the time and the company was able to detect it. Long story short, the FBI seized the employee’s computer, and a predator was removed from society.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I don’t get to be hands-on as much as I used to be on a daily basis, but I recommend customers integrate threat intelligence into their networking infrastructure. At Juniper, we have SecIntel, which is a dynamic threat intelligence feed that integrates into all our routing, switching and wireless infrastructure to give broader visibility to an organization’s risk posture and actively stop known threats.

I also recommend taking the time to actually implement your user and application-based micro-segmentation policies to secure the traffic between the applications deployed in your data center. Many organizations still don’t actually segment their traffic. Once an attacker gains access inside the data center, a non-segmented network is a free-for-all. This is actually the hardest part of architecting for a “Zero Trust” data center, and often left undone. It’s surprising to see in 2021, but many companies are still using IP-based polices, which is ineffective in terms of secure access when you have a dynamic application workload environment, which a lot of organizations do now.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

A ransomware email (I’m only half kidding). An unexplained increase in either network traffic or system access. Access from unusual sources or geographic locations. Duplicate access from an otherwise authorized user (also known as credential chaining)

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First thing, which is somewhat obvious, is to isolate the compromised system and disable all access to the system(s), aside from your Incident Response (IR) team. If you don’t have an IR team, hire one immediately. Don’t delete logs, your IR team will need them. If appropriate, contact law enforcement.

It may seem obvious, but force a company-wide password reset, and consider increasing the password strength requirements.

The third thing, but certainly not the last thing, companies should do is revisit their segmentation policies to ensure that application access is carved out by user, device, application and risk level. Micro-segmentation should be pervasive, including from application to application.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Not implement or use the features and technology they’ve purchased. This is very common with Data Loss Prevention-based solutions. It can take an organization multiple years to fully implement after purchasing.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

No, I’m not satisfied with the way things are now, but I agree that they are getting better. There are more women in cybersecurity now than there have been in the past, and because of the increase in mentorship and support initiatives by security vendors, enterprise organizations and universities, that trend will continue on an upward trajectory.

Visible representation is important — you can’t aspire to what you don’t see! As a woman, seeing someone who looks like me in a cybersecurity leadership role is empowering. We all need to continue making visible that there many women in cybersecurity who function across myriad job functions. I’m proud that around half of my organization is made up of women.

In addition, women need to see men actively being allies both publicly and privately. Allyship is an area more organizations need to invest in, as it will fundamentally change the trajectory for women in STEM and put them in roles that they’re more than capable of performing.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

We’re all hackers in black hoodies. I, personally, have never hacked anyone’s network, and our hoodies actually come in a variety of colors 😉

Another myth is that you need a cybersecurity or computer science degree. More and more people are entering into cybersecurity from diverse backgrounds. There are so many courses online that are accessible for free or a very low cost. In fact, many of the best cybersecurity researchers and analysts don’t have a degree — some didn’t even finish high school! — but they were driven by their own interest and passion to learn on their own. Don’t be afraid of cybersecurity job descriptions that list a college degree in a cyber-related field as a requirement. You don’t need to meet all the qualifications to apply. Many capable people, especially women, often self-select themselves out of contention for these roles because they don’t have every single “required” qualification. There are also many women cybersecurity professionals who are interested in mentoring other women in the field, so the community is open, inclusive and tight knit. Introduce yourself, listen and learn, ask for help when you need it and don’t be afraid to be genuine.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Referencing one of my earlier comments is never to accept “no” as an answer. That’s just the start of your journey, so that’s number one. Other things to keep in mind:

Be introspective. Be honest with yourself: Have you put in the effort, or is there a way to get around that obstacle? Didn’t get a promotion? Did you really deserve it? It’s easy to blame people for things that don’t go your way? Ask what you really want, be it in career or in life. Once you figure it out, you do everything you can to make that happen. In fact, when I interview candidates for jobs I always ask what their blinds spots are.

Everything is a choice. Everything in your life is the result of the choices you made. You may not have chosen the situation, but how you react is within your control. And owning that choice can allow you to overcome the obstacle in front of you. Often, when we hear no, we think there is no path forward.

It’s not always about you. Whether it’s a disagreement with your colleagues, or someone was disrespectful to you — whatever it may be — there may be more at play. Try to understand the other person’s point of view. Early in my career, I was on a successful team. I wanted to make sure I was the best on the team. I inadvertently made it about “me.” And I was replaced for not being a team player. I realized that was 100 percent my own doing. And I never made that mistake again.

Be adaptable. You will never be able to predict what happens tomorrow but if you have the ability to adapt you are invaluable. If someone says “no” you have to be able to pivot around that. It does not mean your goal or strategy is wrong and you’re not going to reach your end destination, but you may have to take a find a novel approach and execute on new tactics. Have your goal, but be flexible on your method.

Trust your gut. That’s the number one thing that derails people from achieving their goals. When people hear “no” they tend to step back. Trusting my gut is why I didn’t step back when my high school counsellor suggested I should abandon my dreams of being of executive. Or when people suggested that going to a company whose reputation in security had fallen wasn’t a good career move.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Apple has long been one of my favorite brands. They focus on customer outcomes, and lead with experience first. And they’re ruthless about execution. They also aren’t afraid to say no, think different, and challenge the status quo. They are the pinnacle of a customer-centric, experience-led business. I’d love an opportunity to meet and sit down with Tim Cook.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!