The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called "Wisdom From The Women Leading The Cybersecurity Industry", we had the pleasure of interviewing Terumi Laskowsky.

Terumi teaches IT security technologies with DevelopIntelligence, a Pluralsight Company. She is a founder of CredoSec, an IT security consulting firm in Hawaii, which serves global companies and defense-related organizations in the U.S. and Japan. Her expertise includes cloud security, application security, ethical hacking and certifications (CISSP, CCSP, CEH, etc.).

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Thank you for this opportunity! I was born in Japan, where my father was stationed at a U.S. Air Force Base. My mother is Japanese, so I’m a “hapa”. That’s Hawaiian for a person of mixed blood.

I lived in Japan until age 12, when we relocated to the U.S. mainland. We lived in several western states, finally settling in Arizona where I attended Arizona State University under an Army ROTC scholarship. I was a bit of a tomboy and played with GI Joe, so joining the military was a natural progression. I studied Computer Science Engineering, because an engineering major was a requirement for the scholarship. But I never imagined I’d work in the field. I figured I’d be in the Army forever.

For the next four years, I was an active duty MP — Military Police — stationed in Korea and New Jersey. In Fort Dix, New Jersey, I worked in CID — Criminal Investigation Division. I did not work in the cyber area and had no idea that that was a thing back then. As an MP, I worked in physical and personnel security and criminal investigations (non-cyber).

Eventually, I decided to go back to school and got out of the Army. The two years I spent earning my MBA from University of Pennsylvania helped me to overcome the culture shock of transitioning into the private sector. I still called people “sir” and “ma’am” back then.

After graduation, I worked for a major U.S. financial firm in their Japan office as an IT person. The rest is history. I’ve spent over 30 years in Japan and IT — almost 20 of that in IT security. I was also restless and moved around between companies and industries, working in both technical and executive management positions. These experiences have allowed me to view the security field from a variety of perspectives.

Did I plan any of this? Nope. It was a proverbial “random walk” with the “invisible hand” guiding me. And I really like where I am now. By the way, I’ve been working from Hawaii since March of 2020. 🙂

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I am super curious about human thought processes and communication. Books like Psychology of the Unconscious by Carl Jung and My Voice Will Go With You (and other books about the practice of Milton Erickson) resonate with me. In one of Erickson’s therapy sessions, he talks to a wife who is hesitant about traveling with her husband. He says, “…as you travel and go to new places, one day, you may see a flash of bright light…and it will reveal something very important to you.” These words stick with me to this day. Currently, I am looking for that “bright light” in books and studies about computational linguistics and how we perceive reality.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I tell people that I have been doing security since I was born. I have close family acquaintances who were in the civilian and military police investigation fields. I chose to be in the Military Police, and it felt right for me to be there.

After spending a few years in the financial industry, I had the opportunity to go back into the Department of Defense, working as a Navy civilian at the U.S. Embassy in Japan, coordinating U.S.-Japan cooperative defense technology development. I loved doing that, but I did get restless just coordinating things, so I decided to jump back into the private sector to be a doer again.

I knew the four-year hiatus from IT would make it hard to get back into that field. So to prepare for the plunge, I studied and got a ton of IT and security certifications, including CISSP. During my final six months at the Embassy, I was preparing for and taking certification exams nearly every week. So, it’s no surprise that I landed at a computer training company. I didn’t plan for that either, but it all worked out. And that got me back into IT and eventually security.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Sure. It’s amusing now that I look back on it — but not too funny when it happened. Early in my practice as a web application pen-tester, a Japanese customer was very leery about having its web application tested for security, but they had to do it for compliance reasons.

So, they only allowed me to assess one web page form with only one input field and one submit button. This was a customer support page where users could request assistance. After asking if it was ok to use an automated “fuzzing” tool, I completed the job in about two hours, including writing the report.

The tool found no significant problems, but I did note to the customer that the input field took all the inputs, even those that were malicious, without showing any error messages. Everyone was happy, and I went home early that day.

The next morning, I got a call saying that the customer’s system was down, followed by the question, “What did YOU do??” As it turned out, that support page collected all the inputs and queued them for midnight batch processing. When it did, all the malicious inputs it received choked the email system that was supposed to process them. The hundreds of malicious inputs all had our company name written inside them, so there was no denying I did that.

Back then, I didn’t know enough to ask about other systems that may be affected. I felt bad for the customer that I wasn’t more careful. My takeaway from that? Avoid testing on production systems even if the customer tells you it’s ok.

Are you working on any exciting new projects now? How do you think that will help people?

I am immersing myself in Artificial Intelligence, Machine Learning, Deep Learning and Data Science. I also am creating training content for Cloud-Native Development, DevSecOps, CI/CD and Blockchain. The thread that goes through all of this is automation (except for Blockchain). For businesses, especially in the U.S., time-to-market is driving organizations towards automated testing, including some of the security testing. I like the Test-Driven Development (TDD) coming out of this movement. Right now, however, not all security testing can be automated. I believe the technologies I mentioned will be a part of making this automation possible.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

First, I am very excited about the increased focus on security. For many years, I’ve had to convince people that security is important. Japan is a high-trust culture, whereas planning for information security requires considering all the ways that people might break trust.

Second, we have increasing amounts of data about security breaches and malicious behaviors. This data helps us evaluate how security breaches happen and what to look out for. There will always be new and novel ways that attacks will happen, but we will be less susceptible to common, low-hanging fruit-types of attacks. The growing amount of historical data allows us to assess IT security risk in a more meaningful way. What do we mean when we say a risk is “Critical” or “High”? How much money or effort should an organization spend to reduce that risk? If we can quantify IT risk like actuaries in the insurance industry, this will go a long way to justify the money invested in security.

Third, I’m intrigued by Blockchain — specifically, the public and open Blockchain systems where users can be anonymous, and the platform is not owned and controlled by any one entity. Bitcoin and Ethereum are good examples. The Blockchain allows one to interact with someone that you don’t necessarily trust. Why? Because you can trust the platform. Bitcoin has a pretty good track record when it comes to that. Ethereum is still a youngster compared to Bitcoin, so we’ll have to see. I also like that when people mention Bitcoin, they are mostly talking about cryptocurrency, not the bundle of security features that Blockchain offers. I love that Bitcoin is an example of something you can do — THANKS TO security.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address these concerns?

First, I’m concerned about the increase in data breach incidents, and these are not minor breaches either. We are talking about millions of data lost. I’m worried that we, as consumers, are becoming numb to these incidents, and this has repercussions for data privacy.

When I talk about data privacy, I say that privacy is not equal to security. Privacy is about “data self-determination”. That is, you decide what you want to do with your unique personal data. But if people steal your data due to security reasons, then privacy is out the window. I think all these data breaches are making us apathetic about privacy, too.

What can be done? In many types of transactions, we’re trading privacy for services. Companies promise to protect our data, but we can see that many companies are doing a horrible job with that. So, I believe that the simple answer is not to collect private data. This is tough to do since many businesses make money by collecting our personal information. I am hoping Blockchain technology can shed some light on solving this issue.

My second concern? Organizations have an appetite for speed. Consider DevOps and CI/CD, for example. By streamlining and automating the software development process, companies can get new software services to market more quickly. However, the speed too often competes with security considerations. As I mentioned earlier, some important security testing is done manually. There isn’t yet a way to automate it totally. So, slow down because speed kills.

Third, organizations need to “own” their security — it’s not someone else’s problem or responsibility. For example, it’s not up to your cloud provider to secure your organization’s data. Sure, they play a role, but they are not responsible for your organization’s security strategy.

Have you heard about bug bounty programs? In general, these programs allow outside people to analyze your software for security flaws. If they find anything, they get rewarded with money, swag or other benefits. The bigger the flaw, the bigger the payout. These programs help ensure companies do not release flawed applications to their customers. These also motivate kids to become bounty hunters, attracting more people into the security profession. But what did companies do before the bug bounty programs?

The best practice was and still is to implement security in every step of the software development lifecycle (SDLC). We call that built-in security. In contrast, if companies check and “fix” security just before releasing a new product, we call that bolt-on security. We prefer built-in rather than bolt-on. If you bolt security on to a product that has inherent vulnerabilities, it will still have those vulnerabilities.

Here’s a story from my time in the military. A vendor was selling a portable SCIF (Sensitive Compartmented Information Facility), which looked like a freight container. A group of Marines was tasked with breaking into it. After 30 minutes, they blew out the door with C4. Was it strong enough? If not, does the vendor go back to the drawing board to build something completely new? Or does the vendor simply strengthen the door?

Remember my funniest mistake? The same lesson applies here: Components of a system are connected to everything else. Chances are, if you change the door, other things also need to be modified.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

I see two things in the near future that are concerning: one is the proliferation of IoT devices, and the other is the insider threat.

The proliferation of the Internet of Things (IoT) is not a threat — but rather, a target. Naturally, however, if targets increase, threats and incidents also increase. IoT devices are typically housed in a piece of hardware with limited real estate. For example, I wear a ring that collects, uploads and analyzes my activity 24/7. I didn’t want it to weigh a ton or look awkward on my finger, so I picked a featherweight option with a sleek design. This ring contains many types of sensors, so I wonder how much security “stuff” is in here? Probably not much.

I’ve also noticed the ring manufacturer updates its software a lot. This usually means a company is using Agile development methodology characterized by small incremental updates with a short development lifecycle. And, Agile goes really well with DevOps and CI/CD. To be fair, I have not seen any data breach incidents with this particular company, so they could be doing a great job protecting customers’ data, both in the device and in the cloud where the data is uploaded. But I am concerned that other companies are not as diligent. Think about recent breaches involving webcams.

The second threat I mentioned is not new. For years, companies were concerned about insider threats. But I don’t see enough focus on that right now. Organizations are concentrating on things like DDoS, black-hat hackers and malware threats, but I believe the insider threat is bigger than ever. Open-source news suggests that insiders are perpetrating some of the major data breaches that have been attributed to outside hackers. I can’t substantiate these claims, but I think that where there is smoke, there is fire. It’s highly probable that insiders sometimes help cyber criminals. Don’t let down your guard. Trust but verify. A lot of us are outsourcing to the cloud these days, so this applies to your favorite cloud service providers, too.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I specialize in web application pen-testing. This involves looking for flaws in customers’ web applications by using ethical hacking techniques. In one project, a customer asked me to find flaws in an administrator portal. This particular organization was a SaaS vendor hosting applications for end-user companies, and the portal was for these companies.

Their SaaS service kept a lot of sensitive information such as SSNs, so my first try was to go for the database that stored that. I couldn’t find a way into the database, so I next tried to break the authentication scheme. Since this was an actual production site, I couldn’t do anything that would reveal information from existing customers, so I couldn’t be too aggressive and wasn’t able to find any flaws.

The customer created a fake company account for me, so I was poking around inside that account, searching and creating reports. That’s when I noticed that the PDF report it produced had a nicely organized name to it, like CompanyX-ReportY-mmddyy.pdf. The report contained sensitive data too (all fake for testing). So, I created several types of reports, noted the URL for each report and logged out from the portal. I then tried accessing these reports again using the URLs I had written down.

Voila! I was able to access them even though I was not logged in. So, the next thing I did was search the Internet for major end users of this SaaS service (because it is a common marketing practice to highlight client names). I notified my customer that it was possible for these major end users to have their reports publicly available, including sensitive information about their employees.

They worked feverishly for the next two days to remedy this flaw and then asked me to recheck their site. The flaw was indeed fixed, but the data could have been breached already. My takeaways? Test stuff thoroughly before production. Fixing things on the fly is not a good option — what if you break the system? And finally, simple things like this can lead to major breaches.
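The flaw in the story above, as an added example that is not from the interview or from the SaaS vendor it describes: a report-download handler that treats the URL alone as proof of authorization, beside one that requires a live session and checks that the requested report belongs to the caller's company, with an audit trail a defender could alert on. The in-memory store, tenant names, file names and session mechanism are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Report:
    company: str    # tenant that owns the report
    content: bytes  # report body (constructed placeholder bytes)

# Constructed sample data: predictable names like CompanyX-ReportY-mmddyy.pdf,
# which is exactly what makes an unauthenticated download URL guessable.
REPORTS = {
    "CompanyX-Report1-010521.pdf": Report("CompanyX", b"%PDF-1.4 ssn=000-00-0000"),
    "CompanyX-Report2-010521.pdf": Report("CompanyX", b"%PDF-1.4 payroll"),
    "CompanyZ-Report1-010521.pdf": Report("CompanyZ", b"%PDF-1.4 other tenant"),
}

SESSIONS: dict = {}   # session token -> company name (hypothetical session store)
AUDIT: list = []      # access decisions kept for detection and forensics

def login(company: str) -> str:
    """Issue an unguessable session token bound to one tenant."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = company
    return token

def logout(token: str) -> None:
    """Invalidate the session server-side; the token must stop working."""
    SESSIONS.pop(token, None)

def download_insecure(filename: str) -> Tuple[int, Optional[bytes]]:
    """The 'before': whoever knows (or guesses) the URL gets the file."""
    report = REPORTS.get(filename)
    return (200, report.content) if report else (404, None)

def download_secure(filename: str, token: Optional[str]) -> Tuple[int, Optional[bytes]]:
    """The 'after': authenticate the session, then do an object-level ownership check."""
    company = SESSIONS.get(token) if token else None
    if company is None:
        AUDIT.append(f"DENY reason=unauthenticated file={filename}")
        return (401, None)
    report = REPORTS.get(filename)
    if report is None or report.company != company:
        # Same answer for "missing" and "not yours", so other tenants'
        # file names cannot be confirmed by probing.
        AUDIT.append(f"DENY reason=not-owner company={company} file={filename}")
        return (404, None)
    AUDIT.append(f"ALLOW company={company} file={filename}")
    return (200, report.content)

def unauthenticated_denials() -> int:
    """Detection hook: a burst of these is a sign someone is probing report URLs."""
    return sum(1 for line in AUDIT if "reason=unauthenticated" in line)

if __name__ == "__main__":
    url = "CompanyX-Report1-010521.pdf"
    print("insecure, logged out:", download_insecure(url)[0])        # 200
    print("secure, logged out:  ", download_secure(url, None)[0])     # 401
    t = login("CompanyZ")
    print("secure, other tenant:", download_secure(url, t)[0])        # 404
    print("secure, own report:  ", download_secure("CompanyZ-Report1-010521.pdf", t)[0])  # 200
    logout(t)
    print("secure, after logout:", download_secure("CompanyZ-Report1-010521.pdf", t)[0])  # 401
```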

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As an application pen-tester, the tools of the trade fall into two categories: static testing tools and dynamic testing tools. Static testing tools check the program when it is NOT running. One type of static testing is called source code review. A lot of companies use tools like Fortify by HP. Fortify will identify poor and insecure coding practices. It supports multiple programming languages, too. I normally pair these commercial tools with another open source tool to make sure that if one missed something, the other one catches it.

Dynamic testing tools check the program when it IS running. One type of dynamic testing is called fuzzing. Basically, this type of tool will try many attacks to see if it can break your application. The tools I have used are WebInspect by HP and AppScan by IBM. These are high-end scanners that mimic external attackers. They have tons of attack techniques built-in and are updated all the time with new attacks. I have not found an open source version that does the testing as well and as completely as the proprietary ones.

Unfortunately, these tools are pricey. On top of that, most of the findings are indications of flaws — not identification of flaws. You still have to go back with human eyes to verify that they are indeed flaws. And, of course, these tools miss things, too. To me, these are like RPA (Robotic Process Automation) tools. If the testing is repetitive, automate it. Sometimes, however, it pays to hire a security person with development experience to find flaws that these tools are not good at finding.

Also, before you run out and buy security tools, make sure they have API interfaces. If they don’t, you won’t be able to integrate them into your CI/CD process.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

It’s highly likely you aren’t going to see the damage right away.

I have a friend in the Army who used to investigate data breaches. He told me that the criminals would breach data and sit on it for a while. Then all at once, they’d use it (think: credit cards) and run away to another country. Victims often feel blindsided, while perpetrators get away with the crime.

My message for laypeople? Every time you transact online — whether it’s signing up for a mailing list or purchasing something with a credit card or checking your cellular data usage — you’re sharing information. Have you vetted the organizations you do business with? Do they have a history of data breaches? If you see former and current employees venting about a company on Glassdoor, remember the insider threat. Be careful where you share your information.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

To control the spread of damage, segregate and isolate the IT assets in question, including people who have access to them. This also will limit the system(s) you’ll need to investigate forensically later.

The attacker’s goal may be to steal your data, bring down your system or both. Make sure that you can bring up a clean and trusted system to continue the business. Having Infrastructure as Code (IaC) helps in spinning up a new system quickly.

Companies are normally staffed with incident response handlers to work the issue properly, so make sure they are available and trained. The PR person for the company should work hand-in-hand with the incident response team to disclose information to keep the authorities and customers informed. What to disclose differs depending on the state and the country where the incident happens.

Planning and preparation are critical! The threat landscape evolves continuously, meaning you need to revisit your security strategy frequently. You want people throughout your organization to know exactly what to do if they suspect or find a security problem. And you want an incident response team that moves in a coordinated, swift, practiced manner to investigate potential and confirmed breaches.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Pointing fingers at software developers is a common mistake. Yes, many security flaws exist because of poor programming practices, so developers need training on how to write secure code.

But a programmer’s job is to code software based on the system requirements and design that come from upstream phases. If a security requirement is missing for some reason, it is not the programmer’s job to put it in. The responsibility for identifying those requirements is upstream.

Also, there are downstream processes, such as QA testing, deployment and operations teams, whose work directly affects security. Whenever I can, I try to show that security is everyone’s responsibility.

There’s a lot of talk right now about “Shifting Left.” If we were to lay out the SDLC processes from left to right horizontally, “Shift Left” means to involve people from downstream functions (the right side of the illustration) in the upstream security planning (the left side of the illustration). It’s interesting how old things get a new label. Security professionals have always stressed security at every step. The troubling trend, though, is that some companies are piling security responsibilities on the programmers. And, I don’t think that is the aim of Shift Left.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I majored in Computer Science Engineering and served in the military, where women were still very much a minority. The security field is not inundated with women either. I did not, however, experience any barriers to entering these fields. Some people did try to discourage me from going into the military, because they were concerned for my safety, so I appreciated that. But STEM is not like that. I don’t think people even used the term STEM back in my day. I do understand that there may be expectations in some circles for women not to go into STEM. I hope that is isolated and not widespread.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

For people thinking about getting into the field, security may seem scary and unapproachable. It doesn’t help that some security podcasts sound like a bunch of black or grey-hat hackers talking in slang that only they understand.

Cybersecurity is not rocket science. If we were to apply the 80–20 rule, 80 percent of the bad things happen because of 20 percent of the flaws. And that 20 percent is often related to flawed Access Control — weak authentication, over permissions, and lack of logging, monitoring and response.

So the myth I want to dispel is that cybersecurity is a highly specialized field. It can be, but it is like any other IT field. Pursue it if you’re drawn to it, maintain your curiosity and keep your skills sharp.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

First, be the type of person that others want to follow. People naturally follow if they trust your skills and judgment.

Second, be a good team member yourself. Technical people sometimes lack this quality because they rely on their knowledge. But to do big things, you need a bigger playing field, which usually means working in teams. This requires making things about us and not about me.

Third, stay curious. This has always served me well. In a field like security, not one person can be an expert in all areas. But in a leadership role, I strive to stay abreast of technology in my specialty to see the big picture. This also means knowing when something is over your head and letting others teach you.

Fourth, have diverse interests. I like security, and I also enjoy other completely unrelated fields, such as communication skills and dog training. I think it was Einstein who said humans learn through analogies. Well, the more expansive your interests, the more analogies you have access to. I’m always amazed how all these seemingly unrelated fields of study help me solve security problems.

Fifth, be conscious of others. I have no problem being in a field that is not traditionally a women’s field, but others on the team might feel differently. Everyone comes from different upbringings and beliefs. That is not going to stop me from doing things. But I will be mindful of it. It is about being aware and accepting differences.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I listen to a podcast by SANS called StormCast, hosted by Johannes Ullrich. His podcast is straight to the point, no-frills and short. Because his expertise is also in application security, I think he’d be fun to chat with!

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!