Security is just as important as sales. You should invest just as much in both. Without security, you don’t have a product, you don’t have consumers, you don’t have a company.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Chloé Messdaghi, vice president of strategy at Point3 Security. She is an InfoSec advocate & activist who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights as a co-founder of Hacking is NOT a Crime. She is also the founder of WeAreHackerz (formerly known as WomenHackerz) & the president and co-founder of Women of Security (WoSEC), podcaster for ITSP Magazine’s The Uncommon Journey, and runs the Hacker Book Club.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Oakland, Calif. My father was a teacher, and my mom was in technology. My dad was in education and always volunteered in the community. He taught me about empathy. Everyone has a backstory that you likely don’t know about — and because of that, I find it very hard to really dislike anybody and try my best to understand their perspective. People always have a reason why they do what they do. It may not be right, but there’s a reason. My mom was and is in technology. She would share stories of discrimination and harassment because of her gender. For example, being told she needed to wear skirts and dresses at conferences, and how male colleagues would steal her ideas and be pushed out. She taught me many ways to stand up, be strong and remember that half the world is going through the same thing you are. You know… all the other women! Her overall lessons focused around having compassion and pushing forward. In other words, the world is difficult, so you have to be a fighter and be true to who you are.
Throughout my childhood, I was severely bullied in school because of being thin and also my background. I had to transfer schools because someone threatened me, so I transferred from Oakland to Berkeley public school districts, and that was quite an eye-opener. Growing up in Oakland, you’re born into seeing a lot of the human rights situations, it’s hard to avoid the issues — pistol control, lack of education funding, lack of resources, poverty, safety, etc. And then when I transferred to Berkeley, I really saw what money looked like. It was most definitely the haves and have-nots. Experiencing and seeing such differences was heartbreaking, but it would lead me to wanting to ask WHY? Why is this happening? And how can I fix it? This is how I view the world today. What are the issues, and what can I do to make it better? You don’t just talk about it, you do something about it. Support people. Every human is human, and every child deserves equity to achieve their dreams.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
After a year of being in the cybersecurity field was when I decided to be (stay) in the cybersecurity field. From the moment I entered the field, that entire first year I was told that I don’t belong here. My response was, “There’s other people like me who DO belong here, and I’m going to prove them wrong, while also proving to myself that I’m right.”
I really didn’t get inspired to stay in this field until after all the doors were closed to me and I was rejected time after time. I knew I wasn’t the only one, and I knew I had to help change things.
Can you share the most interesting story that happened to you since you began this fascinating career?
The “giving up” part of my experience, right at the very beginning. For the entire first year in the industry, I experienced discrimination all the time. Sexist remarks, completely inappropriate comments and looks, pigeon-holing me into secretary duties because I was the only woman at the meeting. I was really upset, and ready to leave it all.
But then, right when I gave up on infosec, a bunch of things started coming my way. There was a conference that I came across where a number of wonderful women were talking about how terrible it was for them in the field, but also how it was still possible to thrive in this community. I remember not being able to sleep all night that night, and all I could think about was how I could bring empathy in this industry. If there was empathy, people would hear each other out, and realize that anyone who isn’t a cis white male deserves a place in the industry.
So I submitted a talk on the topic, and I was able to present for the first time, and I was able to connect with people who then referred me to having a paid-for trip to Las Vegas summer camp week. This was the changing point of my career. I met my co-founder of WoSEC and landed a job at Bugcrowd. It was surreal. Everything started falling into place.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There hasn’t been a single person. However, throughout my time in this community, the thing I realized is that whenever I’ve asked for help or wanted to talk to someone, it would always happen; there would always be someone helpful who would step up. And it got even better when I figured out that Twitter infosec existed: I found out that there were lots of good people in the community who believed in me and helped me bring ideas to life. That’s the greatest thing about the hacker community; we really help each other out at the end of the day.
Are you working on any exciting new projects now? How do you think that will help people?
Yes — definitely! Here are a few I’m working on and/or involved with:
- WoSEC — In other countries outside the U.S., the portion of women in infosec is even smaller than it is here, so this gives them an opportunity and place to meet up, network and support and empower each other.
- WeAreHackerz (formerly known as WomenHackerz) — This is a place for hackers around the world to connect in a safe environment, and also provides workshops, guidance, jobs — all free. It opens a door for marginalized genders to feel welcomed and not alone — the community is here for you.
- The Hacker Book Club — This is a group where we read a new book from someone within the hacker community, and the author of the book and/or those mentioned in the text attends our events. This is a good way to let other people in the hacker community know about the author and give back by helping connect hackers in the community.
- Hacking Is Not A Crime — In this organization, we work with other organizations and hackers within the community and the press to try and change the public perception of hackers with the goal being to bring about a change.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Keep a list of your to-do’s, know how to prioritize, and have self-awareness to know when you’re starting to show any changes in your mood or daily life. For me, the sign is: if it’s an email that I can usually send in a few minutes, and it’s now taking me hours or days, that’s when I know I’m on the road to burn-out.
If you are burned out, you MUST take days off. Mental health is just as important as physical health.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Three things that most excite me about the industry:
- The cybersecurity industry is all about trying to reduce mis-information. The majority of our job is teaching people how to better secure themselves. So that’s an exciting part of it — more and more people are starting to understand that cybersecurity is important.
- We’re starting to have a better bilateral trust amongst the organizations and the hacker community, which means we can help each other more than ever before in securing everything — super exciting.
- Another thing I’m excited about is that we are definitely pushing for things to change when it comes to representation. Representation matters in every single industry. We’re doing everything we can to fix that situation. We’re open-minded to everyone’s backgrounds, and we help people to have a voice when we can.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Yes — I see two huge threats:
- Burnout. Burnout will lead you to a breach, guaranteed. Companies need to put mental health on the forefront. I hope that one of the good things that comes from COVID-19 is that it makes companies more aware of how important the mental health of their staff is, and how much it can directly affect the company.
- Apathy to security. People who aren’t paying attention to the little security things, people who aren’t taking security seriously. These people are weak links in any organization. All it takes is one person to open the doors and (unknowingly) invite an attacker in. It’s not IF you’ll experience an attack, it’s WHEN.
- Lack of diversity. Companies need to start preparing for the fact that the lack of diversity is going to hurt them in the end — without diverse teams, you won’t have diverse products, and you won’t have diverse eyes on your security. Without that diversity, you are literally opening the door to be more vulnerable than anything.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I don’t have personal experience, but I have plenty of stories about hackers contacting a company about vulnerabilities, which the company then ignored and then had a major breach within the next month or two. Many companies don’t want hacker help, and it’s because of the stereotype about hackers. Companies think because they have a security team that they don’t need any outside input from hackers. It’s like someone saying, “I already have a general practitioner, I don’t need a specialist!”
Also, too many companies don’t have a vulnerability disclosure policy (VDP). Having a VDP allows you to create an open door for hackers to inform you about vulnerabilities that they find in your company, systems, programs, etc.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
If you’re into bug bounty, Burp Suite is a must. The other tool that I use on a frequent basis, honestly, is Google. Google Search can pretty much answer any question you have, or at least help guide you.
Another tool that I recommend is actually a book series — Tribe of Hackers. It has various security team members share insights of their job and lessons learned. It’s valuable. It’s a great book series to learn how to be better, the differences between red, blue, and purple teamer, and to learn more about the cybersecurity field.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Before I worked in infosec, I was a management consultant, and one thing I can tell you is that many startups don’t invest in security at all — and this is scary. They don’t think they need to invest in security which, obviously, is not true at all.
Last year, we saw a huge rise in competitive companies trying to go and get information from other companies. We also saw a big rise in larger companies asking start-ups to come on board and to show what they’re working on and then the larger company ends up taking the idea and running with it. The thing is, when you’re a startup, there’s always competition that wants to know what you’re doing.
So it’s important for startups — any company really — to have a vulnerability disclosure policy in place. Even if you don’t have the funds for additional security, have the VDP in place.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- If your team is being overworked, chances are they’re going to miss something. Burnouts create breaches.
- When you see companies fully relying on just scanners on what to prioritize, that’s a sign that something will be missed. Those scanners are, lots of times, not real-time. It’s important for teams to realize that using scanners alone is a dangerous thing. Something will be missed.
- Communication across departments. If there’s no communication from the security team to other departments, or no involvement or participation of security within the other departments, that’s a huge sign that companies don’t care much about security. Ex: a company is implementing a new tool and security is not involved in that conversation, it’s a huge sign that something is “amiss.”
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Have a vulnerability disclosure policy. It protects both the organization and their customers. It’s common to have the hackers that report the vulnerabilities actually be existing customers, so they care.
- Take notes of lessons learned and come up with ways on how to handle a security breach differently if it ever occurs again. Get your playbook together. Revise the old playbook. Most of the time when there’s a breach, it’s ad-hoc. Playbooks get out of date quickly. Keep them current. Revisit them often.
We’re not in California, but I’m always for more privacy measures, because I believe that companies should have limits and they should always notify their customers as to what data they’re collecting and offer their customers options. Customers love options. The companies that will thrive more in the future are the ones that grant consumers options. So when we do privacy measures, it’s important to let the consumer know that they have control of their own data and what it will be used for.
What are the most common data security and cybersecurity mistakes you have seen companies make?
- No vulnerability disclosure policy
- Mis-information, which comes from mis-communication
- Not knowing the difference between hackers and attackers
- Not making sure your personnel are trained around cybersecurity. Hands-on learning is the best training. People remember better this way.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. We’ve seen an increase of at least 400% in cyberattacks just this year because of COVID-19. The reason for this uptick is that people are burned out, we have a lot of emotion, we’re all in new workspaces, etc., so companies need to check in and invest in their team’s wellbeing. The cyberattacks are mostly around phishing emails and communication issues. Having multiple channels of communication is a bad thing.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Burnout will lead you to a breach. We have seen that the most successful phishing attacks happen to people who are burned out, usually, and that leaves your entire company at risk.
- Don’t have multiple communication platforms.
- Lack of training/education — invest in your people, invest in their wellbeing. You have employees that love you. When they feel appreciated, they’re willing to do more and put more energy into things.
- Have diverse teams. When we don’t have representation at the top, you’ve got a problem. Non-diverse teams create insecure products and products that are not cutting-edge.
- Security is just as important as sales. You should invest just as much in both. Without security, you don’t have a product, you don’t have consumers, you don’t have a company.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I’ve been working as hard as possible to change how people perceive hackers in the community. There’s a difference between a hacker and an attacker.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!