As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Lauren Winchester. She leads the Risk and Response team at Corvus. After practicing law as a litigation and privacy attorney, Lauren has spent the last six years of her career in insurance helping thousands of policyholders with risk management and breach response.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I grew up in North Jersey (yes, there are two) and knew early on that I wanted to be a lawyer. In fact, at the ripe old age of 7, I wrote a letter to my dad’s boss regarding his upcoming team-building high ropes course. I (falsely) represented that I was a very important lawyer, that my dad had a fear of heights, and that they could not force him to do anything he did not feel comfortable doing. I did eventually go on to law school, where I learned that high ropes courses have resulted in plenty of personal injury cases, before becoming an associate at a law firm, where I learned about litigation, data privacy, and cybersecurity. Saying “yes” to a cold email inviting me to coffee would bring me fully into the world of data breaches and all the security controls and risk management used to prevent them and would connect me with my mentor who guides me to this day.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
In keeping with the theme here, my favorite cybersecurity-related podcast is Darknet Diaries. There is one episode on Stuxnet, a malware that was planted deep into an Iranian nuclear facility that destroyed its centrifuges. The malware is believed to have been developed by the US and Israel. It’s a fascinating story of a nation-state cyber attack that got me, this political science major, hooked on the podcast. Recent supply chain attacks, like SolarWinds, have reminded me of Stuxnet. I remember thinking initially that it was a fascinating story, but not one that was terribly relevant to the day-to-day data breaches I was dealing with. But SolarWinds demonstrates the impact a nation-state supply chain attack can have on thousands of companies, even if they are not likely to be the initial targets.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Though I had already developed an interest in data privacy and cybersecurity and was learning about it at a law firm, I was really thrown into that world when I said “yes” to a cold email from my now-mentor. She offered to meet up for coffee to discuss “an exciting opportunity in data breach response.” She attached her resume so that I’d know she was legitimate. I thought, while data breach response sounds exciting, insurance… not so much. But when someone with a proven track record asks you to coffee, you just have to say yes. Turns out I was right — and so was she. Breach response was an exciting and engaging world. Since then, I’ve learned insurance can be exciting, too.
While that’s what got me into cybersecurity full time, what’s kept me in it are the people and the subject matter. Cybersecurity has blended what I loved about practicing law (helping clients, constant learning and problem solving) with the urgency and complexity of cyber threats. The companies I get to interact with on a daily basis are trying to do the best they can with the resources they have to combat threat actors that are increasingly more sophisticated.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
While I made my fair share of mistakes starting out in cybersecurity, rarely did I find they provided me a good laugh. I did, however, always try to make sure I was taking something valuable away from them, no matter how uncomfortable they may have been. Mistakes are inherent to the learning process, so I considered each misstep a necessary road bump. So, while I never enjoyed them, I never wanted to give my mistakes too much power. They’re more important to you than to anyone else.
Are you working on any exciting new projects now? How do you think that will help people?
At Corvus, I lead our Risk & Response Services team, working with policyholders and their brokers on the front end to mitigate risk as well as on the incident response side should they have a potential data breach. One recent project is our vCISO, or “virtual CISO,” a dynamic view of cybersecurity recommendations. Through our Corvus scan and vCISO experience, we are able to send vulnerability alerts, specific to our policyholders’ infrastructure, to help them identify and remediate.
One good example of this was with the recent Microsoft Exchange zero-day vulnerabilities announced in March and April. We were able to quickly turn around an alert to our policyholders running Exchange servers, and conduct follow-up outreach to those still vulnerable after some time had passed. Because of this proactive approach, we reached policyholders that did not plan to notify us of a potential claim, who ultimately needed help from a forensics firm to remediate.
The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
- Cyber insurance is no longer just about risk transfer; it’s also about driving innovation. Instead of just sitting around and waiting for claims to hit our books, we can actively work toward defense strategies when new threats emerge.
- We can now use alternative sources of data and create technology that helps identify which of our policyholders might be at risk for certain cyber threats, so that we can alert them and offer resources before a potential attack.
- People, and governments, are starting to take it more seriously. This creates a better environment for disseminating education about cyber threats and expanding the adoption of better cybersecurity practices, making the world a safer place.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
For small companies especially, there is still a lack of investment in cybersecurity, which often leads to cyberattacks. Many believe they’re less likely to be targeted because they’re small, when in reality they are the most vulnerable. The cause for this misconception is the lack of education around cybersecurity, another top concern. There needs to be better education for companies to vet vendors, compare products and understand to what extent their security controls are being utilized. My third concern is how committed companies are to their cybersecurity controls once invested. Companies may have purchased the best cybersecurity solutions, but they’re only as good as the effort put into maintaining and updating the systems in place. Better education around cybersecurity can help companies understand the level of commitment they need to have.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Ransomware and third party risk are much larger and more common now because they’ve become so lucrative. These threats have been driving the severity of claims. Companies only have so much control, as they are subject to the security systems they use. You can be doing everything right, and the third party vendors could still be a potential risk. That’s why companies need cyber insurance.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
In the earlier days of ransomware, cyber policies covered ransomware payment reimbursements and the resulting business interruptions, but those aspects weren’t being serviced by insurers as much as they are now. Policyholders who experienced a ransomware attack would have access to legal and forensic teams to help, but navigating the ransom payment was up to them. When one policyholder in Texas was hit with ransomware, their back-ups were not viable, so three gentlemen embarked on an armed mission with a lot of cash on hand to the nearest bitcoin ATMs. This, needless to say, was a turning point in my mind that insurers needed to solve for the service component of ransomware attacks, to ensure policyholders have a better way to complete those unfortunate transactions.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Although I don’t use cybersecurity tools myself, my role requires me to make recommendations for policyholders. A few I recommend include:
1. Multi-factor authentication for remote access
- Especially when it comes to usernames and passwords, it’s imperative that companies enable multi-factor authentication, as not everyone follows the “strong password” recommendation.
2. Endpoint Detection and Response (EDR) Tool
- This tool continually monitors and responds to mitigate cyber threats. It’s great for smaller companies, who may have fewer security professionals, to find a managed EDR tool. It’s important for the company to understand how involved the vendor is in mitigating risk.
3. Tools to help companies track third-party vendors
- It’s become increasingly difficult to fully understand third-party risk, so a company should assess and compare the risk of third-party vendors through tools that can automate this.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
The challenge with cyber breaches is that by the time a layperson sees the signs, it may be too late. The biggest signs a layperson can look out for are not what’s there, but what is not. These are steps the average organization can take to prepare:
- Find a trusted cybersecurity advisor, whether it’s setting up a day-to-day IT system, or actually running that system.
- Smaller organizations can leverage a virtual CISO (chief information security officer), which they can utilize for help on an hourly basis, as needed.
- Foster a culture that’s open to raising a hand when a mistake has been made and engage users in security training.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Companies that respond well to cyber incidents do three things consistently: planning, thoughtful communication, and trusting experts. Ideally, a company has done a lot of preparation for an incident before ever experiencing one. Training employees, understanding where key data is stored and how to recover that data from backups, creating an incident response plan and disaster recovery plan — all key planning that can occur on the front end. Then, in the heat of the moment, the company’s incident response team should not be meeting for the first time. The team will have worked out in advance how they’ll communicate, who will be involved at what times during incident response, how to keep the investigation among a core group while it’s still ongoing, etc. Finally, putting trust in the experts they retain to help them — counsel, forensics, crisis management, insurers, brokers. When planning, good communication, and trust in the first responders all come together, incident response runs as smoothly as is possible.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
- Purchasing expensive new security tools and not implementing or monitoring them properly
- Overconfidence in the security of a cloud backup solution without fully understanding (or turning on) the security controls
- Failure to account for how some employees may store mission critical data and therefore not having a backup solution in place for that data
- Too many companies are still not conducting regular security awareness training with employees — and the best security controls will still not prevent all email phishing and social engineering
Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
I am not satisfied with the status quo regarding women in STEM, as it affects how many women pursue careers in these fields. As a child, I can remember hearing disparaging statements about math and science from teachers and other adults. There was a bit of fear instilled in me about STEM, which I attribute to being female. However, I have hope that the status quo will change — is already beginning to change — with the next generation. It’s on the next generation of up and coming leaders to cultivate successful women in STEM. One way companies can help change the status quo is by sponsoring certificate programs to encourage women who may not have a STEM background. It would be great to see more companies with quality professional development policies.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
The intimidation factor. Coming into the cybersecurity field, you might assume you need to have tons of skills, but the reality is that there are so many different types of roles in cybersecurity. While some positions do require a computer science or computer engineering background, there are plenty of ways to put a variety of skill sets to work in the cybersecurity field — so long as you’re passionate.
What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Given the lack of women in tech, we need to mentor and encourage those joining the field. Developing today’s talent will be the engine of change for the future and will develop new mentors for those considering getting into STEM careers.
- Be comfortable in the knowledge you have — and the knowledge you don’t. It can be intimidating starting out at a managerial or leadership level, especially for women who are less represented in those positions. Trusting the experience that got you to that position helps put you in a position to learn more about what you don’t know. Everyone in your position has more to learn, but don’t let that lead to second-guessing your expertise. Studies have found that more women will decide against applying for a job if they don’t meet all of the qualifications, whereas the trend was the opposite among men. Women should not be selling themselves short.
- When you have a seat at the table, speak your mind. It’s hard enough for anyone to get into leadership positions, so it’s especially important for women to use those opportunities to speak their minds. Influencing an organization’s thought leadership is a critical way to help guide the mission, which will have a future impact on the women hoping to take the same career path.
- Shake off preconceived notions. Most women have been told at some point that women “aren’t good at math” or “aren’t interested in science.” These arbitrary conceptions about who can and should excel in tech can become ingrained in your mind, affecting the way you make decisions. Empower the women around you to overcome those ideas and emphasize career path, promotions, and self-advocating for women in the workplace.
- Stay intellectually curious. As you progress in your professional career, you’ll find that you have the capacity to learn almost anything. As I’ve mentioned, it’s easy to second-guess yourself, so it helps to look to women mentors around you who have proven success. When I started in my current role, I was leading a team for the first time. I worked to instill the values I’d learned along the way, while actively engaging in the subjects or areas in which I still had more to learn.
Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?
I’d like to have a meal with Michelle Obama to discuss her accomplishments and simply be in her presence. My go-to answer used to be RBG (even though that would have been a super stressful prep session!).
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!