2021-06-05

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Vanessa Pegueros, Chief Trust & Security Officer at OneLogin.

Vanessa is a CyberSecurity leader with over 18 years of security experience. She is currently the Chief Trust & Security Officer at OneLogin, an IDaaS (Identity as a Service) provider, where her responsibilities include Security, Compliance, Privacy and IT. Vanessa also serves on the Board of the Boeing Employee Credit Union (BECU) and formerly served on the Board of Carbon Black (CBLK) where she was a part of the sale of Carbon Black to VMware. She also is a venture partner with Flying Fish Partners in Seattle. Vanessa formerly worked as the CISO at DocuSign and successfully managed through hyper growth and an IPO in 2018. She also was the SVP of Enterprise Security at US Bank, CISO at Expedia and has held senior level security roles with Washington Mutual, Cingular and AT&T Wireless. She has held numerous other roles specifically within the wireless arena including Network Planning, Architecture & Engineering, Technical Sales, and Product Development. Vanessa currently teaches a course once a year entitled “Leading and Managing Enterprise Information Security” at the University of Washington. She has an MBA from Stanford University, a MS in Telecommunication from the University of Colorado, and a BS in Engineering from UC Berkeley. She holds GSEC, CRISC, CISM, and CISSP security certifications as well as the Certified Information Privacy Professional Europe (CIPP/E) privacy certification.

Thank you so much for doing this with us! What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why?

I don’t like the term “woman in tech” — I’ve been a leader in tech, and the fact that I happen to be a woman is no different than if I happen to be five foot three. I don’t think there’s anything different necessarily related to leadership, but I will say I’ve had to work harder to prove myself more often. I’ve had to deal with people’s comments or behaviors that were not dismissive of my expertise but possibly dismissive of my title, so I think there’s an element that any group that is treated differently has to have more resilience from a leadership standpoint.

The way I lead is more of a servant leadership model. I feel that every person on the team has equal value. Our roles are just different, and my role as a leader is really to inspire and motivate people toward their goals and their objectives. I’ve found that the more I can trust and be transparent with my team, the more motivated they are to actually be innovative, to go and accomplish the goals, treating them as equals and not letting hierarchy or titles get in the way.

I do, especially in technology, feel like technical people only really respect other people that have technical skills. It’s kind of a sad commentary because it’s a very narrow approach. So having to garner that respect, and this goes for a man or a woman, if you don’t have good technical skills your technical people probably won’t respect you. It doesn’t mean you have to know everything, they just want to know that you have some expertise, so that’s really important.

Communication, transparency and people. People don’t always have to hear good news; they know that things aren’t always going to go exactly right but they appreciate that you trust them to tell them what’s really going on. And then they feel a part of that process, and they feel like they can essentially help with the solution or help get out of the tough situation.

I also intentionally drive diversity in my teams. I don’t want everyone to think the same way, I don’t want everyone to come from the same background. I want different perspectives coming in to help really drive better decision making.

Those are some of my top leadership lessons.

The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

The challenges are greater. That means we’ve got new technologies like AI and machine learning, which the hackers are taking advantage of, as well as the people who are trying to protect the company and the customer data. So, the whole battle is kind of up-levelling with new technology. I think that’s both exciting and scary at the same time, because it’s an arms race. That is challenging because at the center of the arms race, really, are our people and their ability to leverage and utilize technology, and who can do it more efficiently, who can do it better? That always interests me about the cybersecurity space, that it’s such an interdisciplinary space — you have aspects of technology, aspects of human behavior, aspects of compliance and law and regulation, and you have business process issues. You have to understand pretty much all elements of the business to understand security risk, whether or not it’s an HR team or finance team introducing new risks when they bring in a new vendor or they’re implementing a new process; they might not know that they are actually creating risk in the environment. To me, the most attractive thing about cybersecurity has been how complex it is, and how you have to really get involved in almost every aspect of the business.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The one thing that concerns me is the arms race aspect of it. The threats are just getting more and more sophisticated, hackers are getting more and more sophisticated, and the tools available to hackers are becoming easier and easier to get. When I first started in security only the smartest hackers would be able to get access to tools that would allow them to take advantage of systems or people. Now there’s a whole underground economy and anyone can go buy a botnet or get some ransomware and leverage it. It’s so accessible, and that’s a really big issue.

Some of the challenges are that there are too many vendors in this space. Customers are confused — when they simply want to protect their laptops and there are 10 vendors that are all saying they’re the right solution. How do they know which one to choose? There’s just a high volume and congestion of vendors, and if you’ve ever gone to RSA or any tech conferences you see how many vendors are in this space. I think some vendors are really good, some of them are really helpful with security problems. But you just don’t know with some of them whether they’re going to survive another year. Even some of the larger companies that have been around longer don’t have the innovation that’s needed to survive.

I try to bring in perspective from a customer standpoint, because I’ve been buying security tools my whole career. Trying to get the insight into what works and what doesn’t work is important, and I think companies need to have that kind of view. Security companies have to take that view of being on the other side, being a customer and really understanding that experience.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Attackers are going to continue to take advantage of people through things like phishing and that’s going to get more sophisticated and more effective.

There will be some new threats related to AI and machine learning, but I don’t know exactly what that looks like yet. Someone will create something completely different and our current defenses won’t be able to handle it.

There are big threats to the supply chain. The suppliers and the vendors that a company works with are going to continue to be a challenge. Hackers are figuring out how to attack a supplier for example, because they want to get to the company and they’re not even going to try and come to the company itself.

I also worry about code and how code is developed because a lot of code is open source. Developers and engineers are contributing to this code and building it and then other developers pull that open source and integrate it into a product. Well, how do we know all those open-source developers are actually good people, or they could be a hacker who has now injected malicious code into that open source and any company who pulls that code could potentially have that integrated into their software. The concept of open source has created great innovation and productivity, but it also assumes people are good and that people are going to do the right thing. Unfortunately, most security professionals know that’s not true.

I do think we will see some type of cyber-911, whether it’s an entire city’s electrical grid that gets taken out or manipulation of the water system. It’s not a matter of if, but when.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I was involved in a very public breach at DocuSign in 2017 in which a system was compromised by phishing an employee, which resulted in malicious software on the laptop. Attackers figured out how to remotely go from that individual’s computer into a customer database and they downloaded data.

It happened in seconds and we launched an all-out effort to determine what had happened; the team was on duty almost 24/7 for a straight two weeks. It was exhausting, and we fortunately had a team in Dublin, Ireland, so when people in the US actually had to sleep, we would hand it over to Dublin and they would take over.

It was stressful. There were a lot of decisions that had to be made very quickly. I was working with the CEO and it was tough. But we did figure it out, we remediated the gaps and then the customer calls began.

In addition to meeting with customers myself, we had a whole team of people who were meeting with customers who demanded to know what was going on and the effort it took. We worked hand in hand with marketing and communications and PR and that communication effort lasted for months in terms of dealing with customers.

One big takeaway was that you have to manage the resources, your teams, they’re human, they need to sleep. Some people were so dedicated to fighting this battle that they wouldn’t sleep, and I remember just telling people to stop working and get their rest. The hard part of that is, they really just cared so much they were trying to do the job, and sometimes you have to force people to go do what they’re not doing for themselves.

Communication was the hardest part, along with managing some executives who were just not suited to handling a crisis.

But once you’ve been through something like that, you gain incredible knowledge. A lot of security leaders get fired after a big breach, which I don’t think is always the right move because if they can successfully get a company out of a breach, they’re very valuable. They have learned valuable lessons and they’ve now been battle tested.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

There are so many, but I think one of the most important tools nowadays because everybody is remote, is having good security software on the endpoint, on the laptop. You want to know that employees, wherever they’re working, have a protected laptop. This includes malware detection and monitoring/blocking tools.

On the back end, I would say the really important things are log analysis and correlation tools. So, you’re pulling logs from different systems, you’re correlating, you’re analyzing — you’re basically putting together a bunch of data to understand if you’ve got a problem. Security orchestration, automation and response (SOAR) is allowing teams to build detections. A human being used to do this, but now this automation has been brought into the process, which is so critical and these platforms leverage machine learning technology to do this kind of work.

The future too, is continuing to build automation because you can’t battle computers or machines with people, you have to battle computers with computers and machines with machines.

Our brains don’t process quickly enough, we need to get machines and build this automation so that we can defend ourselves. We can mitigate the problem and shut down and isolate the computer if we have to, but it has to happen quickly, we can’t spend two hours figuring this out, by that time it’s too late.
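The log correlation and automated response described in the last three answers, as an added example that is not part of the interview and not OneLogin’s or any vendor’s code: two constructed log sources in a made-up `timestamp key=value` format (an endpoint agent’s detections and a database audit log, with invented hosts, users and timestamps) are parsed, joined by host within a time window, and each correlated host is mapped to the isolation action an orchestration playbook would run. The event names, the 30-minute window and the 10,000-row “bulk read” threshold are all assumptions chosen for the example.

```python
"""Correlate two constructed log sources by host and time, then decide on a response.

Added example: the log format, event names, hosts, users, timestamps and
thresholds below are all made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint-agent log (made-up hosts and users).
ENDPOINT_LOG = """\
2021-06-01T09:14:02Z host=lt-0412 user=jdoe event=malware_detected file=invoice.xls.exe
2021-06-01T09:30:45Z host=lt-0199 user=asmith event=scan_clean
"""

# Constructed database audit log for the same hosts.
DB_AUDIT_LOG = """\
2021-06-01T09:15:10Z host=lt-0412 user=jdoe event=db_query table=customers rows=250000
2021-06-01T09:16:00Z host=lt-0199 user=asmith event=db_query table=customers rows=12
2021-06-01T11:40:00Z host=lt-0412 user=jdoe event=db_query table=customers rows=3
"""

WINDOW = timedelta(minutes=30)  # assumed: how close two signals must be to correlate
BULK_ROWS = 10000               # assumed threshold for an unusually large read


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse a whole log, skipping blank lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def correlate(endpoint_text, db_text, window=WINDOW, bulk_rows=BULK_ROWS):
    """Return (host, detail) pairs where a malware detection on a host is followed,
    within `window`, by a bulk database read from that same host."""
    detections = defaultdict(list)
    for rec in parse_log(endpoint_text):
        if rec.get("event") == "malware_detected":
            detections[rec["host"]].append(rec)

    findings = []
    for query in parse_log(db_text):
        if query.get("event") != "db_query" or int(query.get("rows", 0)) < bulk_rows:
            continue
        for det in detections.get(query["host"], []):
            gap = query["ts"] - det["ts"]
            if timedelta(0) <= gap <= window:  # read happened after the detection
                findings.append((
                    query["host"],
                    f"malware {det['file']} at {det['ts'].isoformat()} then "
                    f"{query['rows']} rows from {query['table']} at {query['ts'].isoformat()}",
                ))
    return findings


def isolation_actions(findings):
    """Map each correlated host to the playbook step an orchestration tool would run."""
    return {host: "isolate_host" for host, _ in findings}


if __name__ == "__main__":
    hits = correlate(ENDPOINT_LOG, DB_AUDIT_LOG)
    for host, detail in hits:
        print(host, detail)
    print(isolation_actions(hits))
```

Only the host with both signals inside the window (lt-0412) is flagged; the clean host and the later three-row query on the flagged host are not. In a real pipeline the two sources would be normalised into one schema before this join, and the action would be a ticket or an endpoint-isolation call rather than a printed dict.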

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Sometimes you’ll see your computer slow down for no particular reason but maybe you’re not being breached, it’s just an application update. It’s hard to really know for sure, but obviously getting phishing emails is a sign. And if you clicked on one you might actually be compromised and that’s when you reach out to your security team to let them know you clicked on this and you don’t know what it did. Don’t be embarrassed, you have to tell your security team, otherwise we might not find out until it gets too late.

Putting good diligence into your suppliers and knowing what kind of security programs they have is a good step, but for example if they have a breach, they’re not going to come and tell us right away, they’ll have to investigate and it might be a month before you actually are informed.

Unfortunately, it’s not too easy and there’s just not one indicator, you have to look for all kinds of different signals to realize there is a problem.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

It depends on the kind of breach. There’s no one way to do things but do a deep dive into lessons learned on why the breach happened in your company and then really put a good program in place to address those weaknesses or gaps in your program and get the commitment from management to prioritize it.

You can learn from other people’s breaches, so you don’t actually have to experience a breach. You should be looking at SolarWinds and what happened there and asking, do I have those challenges, do I have those vulnerabilities? You should be learning from other breaches, not just waiting until it happens to you.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

It’s the basics. Don’t click on a phishing email. Clicking on a phishing email is not a technically complex thing, but it has a high effectiveness rate when used for ransomware.

Make sure to install patches and software updates. Many developers and engineers don’t want the updates because they create all kinds of problems, and that ends up being the reason a lot of companies are not doing this.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

When I went through UC Berkeley, I was one of five women in my mechanical engineering program.

I’m not satisfied with how women are treated once they get into a company in a technical role, so this isn’t a pipeline problem, this is an inclusion problem. In my experience, men are very harsh on women in the technical space, and a lot of women are forced into thinking “I don’t want to deal with this, I don’t feel supported, I feel like I have to prove myself and be doubly as good as they are.”

We see this in society in a much broader way, when you think about any profession that women dominate, they are usually lower paying professions — primary education teachers, nurses, administrative assistants, social workers, flight attendants, etc.

And that’s a problem with our society in general.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

It’s funny, there’s a group of people who think you’re working with the CIA like James Bond or Jason Bourne, it’s all about the mystique and being on the inside of top-secret information. But it isn’t. It’s a lot of hard work. It’s a lot of partnering and so a lot of relationship building. It’s a lot of doing things like patching and telling people “hey, we need to educate you so you don’t click on phishing emails.” It’s not that mysterious.

I think that people also assume that the only way that you’ll have a career in cybersecurity is if you’re very technical and that’s not true either. There is an analytical component but I’ve worked with people from math majors to those who were self-taught and never went to college.

There is no one profile of what makes a good cybersecurity professional, and I think that is definitely a big myth that you have to have this certain profile.

Can you tell us a bit about your backstory and how you grew up?

I was the oldest in a family of four — two boys and two girls. I’m third generation Mexican and my mom and dad, and both my grandmothers, were born here. Neither of my parents graduated from high school and I was the first in my family to go to college.

I love math and science and that’s what I followed my whole career. I made my decision to major in engineering because I needed a job and I knew engineers were well-paid. I had to work through college and pay my own tuition, room and board and everything, so I was very driven by “I need a job!”

I just stayed in technology and I was driven by catching trends. I knew I wanted to get into the wireless space in the early 90s, because I knew it was going to be a very explosive industry, I saw how critical it was going to be.

The trend I caught next was security. I got into security during the time Sarbanes-Oxley was introduced in 2003 and was able to catch the security wave — that has been a great wave to catch.

Now I’m getting involved as a board member for various organizations, and I’m helping start-ups and I want to do some angel investing to fund diverse founders including women and people of color.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

“The Innovator’s Dilemma,” by Clayton M. Christensen is about the hard drive industry of all things but it’s a wonderful book and applies to any company today and the challenges that companies face. The basic concept is that by supporting your current customers, you are actually falling behind because you’re no longer innovating. You’re no longer putting money into the new ideas and so you end up essentially becoming obsolete, because you didn’t put enough money into your future revenue stream. That’s the innovator’s dilemma: do I innovate and spend money, or do I support my current revenue base? I think it’s timeless in terms of technology, and also from a business standpoint, so that was a really impactful book for me and it’s been helpful in every company I’ve gone to.

“Caste,” by Isabel Wilkerson, is also a really good book that tied together a lot of other books that I’ve read in my life about race relations in this country, and why things are like they are. I’d recommend it to everybody and it’s going to be one of those books that 10 to 20 years down the road I’ll still consider it one of the better books I’ve read.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

The story is that I didn’t really pick cybersecurity, I tell people it picked me. In one of my early jobs the VP of my group had to figure out how to dedicate somebody to security and I got called into the office and they basically told me, you’re going to fix security. I didn’t know what that meant but I said ok I’ll do it! And here I am.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

One of the funniest ones didn’t happen to me but I was there. I was on a conference call announcing our company was being sold, and senior management said they would leave the conference line completely open, so all the employees could come in and speak.

I’ll never forget an employee came on and he started complimenting the CEO and then asked point blank, “what are you going to do with all the money you make?”

I think why I remember that so much is not just because it was shocking, but also because in a way, it represents the power of an individual who may be low in the organization yet made such an impact because he expressed exactly how many employees felt, “you’re going to walk away with millions and millions of dollars, and we (as employees) don’t get anything close to that.”

I think he got fired.

Are you working on any exciting new projects now? How do you think that will help people?

Yes, our cybersecurity professionals mental health campaign, IAMOkay, is really needed and important. I’ve written several articles on this subject, including one for Infosecurity Magazine and the SANS Institute.

I like connecting the dots, anything that involves connecting very different things together.

I’m also working with a group called the Women of Color Capital Collective and we are focused on getting more women of color as venture partners within the VC community. That’s something personally interesting to me, but it also intersects with start-ups, and the community around start-ups and technology, and I like bringing all of those together.

Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I think I would want to talk to Greta Thunberg. Her being so young, and the incredible movement that she started, I just think she would be super amazing to talk to.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!