“Women tend to believe that if they work hard and keep quiet”, With Jason Remillard and Dana Simberkoff of AvePoint



If you are new to the security profession, practical and applied experience is a must. Latch on to the security and privacy people in your own organization. If your company does not have a privacy team, that represents a great opportunity to raise your hand and help to build one.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Dana Simberkoff, Global Chief Risk, Privacy and Information Security Officer at AvePoint, the largest data management solutions provider for Microsoft 365. In this role, she is responsible for AvePoint’s privacy, data protection and security programs. As such, Simberkoff leads a team of experts that provide executive-level consulting, research, and analytical support on current and upcoming industry trends for risk management and compliance.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in Scarsdale, NY and I have a BA from Dartmouth College and a JD from Suffolk University Law School. I am also a Certified Information Privacy Professional (CIPP) from the International Association of Privacy Professionals.

When I was attending law school, I fully expected to become a practicing attorney. However, I had the opportunity to begin working for a software company focusing on regulatory compliance after graduating and never looked back. In fact, I find my law degree has been useful throughout my career. I’ve also found it’s very important for women to have peers and mentors to help support, promote and inspire them.

I had many such mentors within my family, throughout my education and later within my professional life. My mother is a social worker and has a master’s degree in economics, but this really started with my grandmother, who was one of the youngest women attorneys to graduate from Albany Law School (in the 1920s). My grandmother went on to work until her death at the age of 89, in addition to traveling the world. As a result, I’m really passionate about advocating for women in male-dominated industries. I’ve even served as an inaugural member of the Women Leading Privacy Advisory Board for the International Association of Privacy Professionals (IAPP).

Currently at AvePoint, we are building a Women in Technology Program as one of our corporate diversity initiatives that we hope will inspire and provide mentorship for young professionals (women and men), and will help contribute to the development of a true peer-to-peer network of women technology executives. This program is important because over the course of my career I’ve found I am inspired by both women and men with whom I have an opportunity to work on a regular basis and across my professional networks.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Sandra Bullock’s 1995 movie “The Net” appeared on screen when I was still in law school. I remember watching that movie and feeling a chill go up and down my spine. The idea that not only a person’s identity, but also their entire life could be stored, manipulated and ultimately erased on a computer was both shocking and fascinating to me. This was certainly a precursor for some of my future work!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I became interested in cybersecurity when my organization was tapped to work on operations security projects for a number of our US Department of Defense customers. I was asked to research and become the subject matter expert in DoD OpSec requirements, which were early precursors to the cybersecurity landscape we see today.

As part of that work, I became very familiar with the Department of the Navy’s social media handbook, which at the time read “Loose tweets sink fleets,” reminding service men and women that when posting information online, they should keep in mind that the audience they reach is usually much larger than they intend. This idea sparked my passion, and I began to really become interested in information risk and data protection.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I’ve made many mistakes along my journey, but one in particular stands out. Early in my career I did a lot of work around the importance of metadata and metatagging. I, like many others of my age, grew up learning all about the Dewey Decimal System and learned to use card catalogues in our libraries. Using what I believed to be a universal experience, I would describe metadata using an analogy to card catalogues and books in a library.

I clearly remember the first time I stood in front of an audience when no one knew what I was talking about because they had grown up on computers! Now I bring a picture with me and I’ve since updated my references likening metadata to a love note to the future.

Are you working on any exciting new projects now? How do you think that will help people?

I am extremely fortunate to have a job that is both rewarding and interesting almost every day. One of my favorite projects is AvePoint’s initiative to help raise awareness of the importance of privacy and security inside our company. We try to fight common misconceptions, like viewing “privacy as the place IT goes to die” and “security as always leading with no.”

Instead, we want to create a culture where everyone in the company views privacy and security as part of their job. To really make an impact, we try to extend this thinking beyond our organization. For example, we ran a campaign (internally and externally) on Global Privacy Day to ask employees and customers what privacy and security meant to them — and the winner was awarded a yearlong supply of cookies!

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

We are living at a time when consumers and companies recognize that information has become a new kind of currency. Tech giants like Google and Facebook have become multi-billion dollar organizations by offering so-called “free” services in exchange for personal information.

  1. First of all, what excites me about the cybersecurity industry is that it’s so topical right now. Privacy is personal and affects all of us.
  2. Secondly, in this environment, trust is something businesses will have to work to establish with customers each day. Once lost, it is very difficult to regain. I’m excited to play a part in maintaining this confidence in our company each day.
  3. Lastly, the security and privacy office will play a pivotal role in policing the ethical role of companies. As we increasingly move towards a data-driven society, with self-driving cars and IoT devices not only collecting data about us but making decisions for and about us — they are set to become the new “guardians” of our galaxy.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

  1. More and more, the lines are blurring between what have historically been the traditional roles within a company. In an industry that is all about risk assessment, “not my job” thinking presents a significant risk. I believe that it’s the responsibility of everyone in the business to be a part of the solution. This includes coming up with new ways to use the technology at our fingertips and how to maximize those opportunities, while staying cognizant of how it impacts others. In the modern threat landscape, it’s imperative that cybersecurity professionals understand their business users and even develop some of the skills found in their counterparts across privacy, legal and IT. I’m a big advocate for higher education, and I think going back to school and diversifying skillsets can address “not my job” thinking.
  2. Another issue is that many organizations make the mistake of focusing their data protection strategies on keeping the outsider “out.” The truth is, many breaches come from an attacker who is already inside. Attackers usually don’t get in by cracking some impenetrable control; they look for the path of least resistance, oftentimes trusting employees. Whether intentional or unintentional, insiders pose the greatest threat to your data protection program. Fortunately, this is the threat you can do the most to prevent, as you have more influence over employees than over random hackers. Using a combined or “layered” approach to data classification can ensure that the policies, training and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce. With the right training, you can depend on end users to appropriately identify and classify the sensitive data they are handling and/or creating — but of course, verify that they are doing so.
  3. Finally, the shift to the cloud has created many new and unique security factors to consider. One thing is clear: the perimeter has just about vanished and the cloud is here to stay! Many organizations have accelerated their journeys to the cloud, partially to enable their decentralized and hybrid or fully home-based workforce and customers. As the boundaries between home and work, personal and business, and even customers, employees, employers, and vendors dissolve, companies will need to accommodate them with similarly boundless security.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

One of the most pressing threats today is cyber adversaries and the rapid pace at which their techniques are advancing. While most organizations simply do not have the budget to defend against advanced adversaries, they can protect against those that will look for weaker targets. This means that if you make it harder for people to attack you and your organization, or less attractive for them to do so, they will likely go somewhere else.

Another threat is that security teams are often more reactive than proactive. In the absence of metrics, they tend to focus on risks that are familiar or recent. It becomes very important to understand how data, people and location weave together to create patterns across the organization. Only by understanding the data you hold can you effectively protect it.

Companies also need to prepare for an increased mix of vendor/supply chain interdependency. We are increasingly interconnected, and while it’s easy to focus on your own program, it’s extremely important to focus on vendor risk assessment and third-party security management.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

While I won’t talk specifics, I would say that education and training, along with tools, policies and procedures, should be our most important areas of focus. As technology is evolving faster than ever and data is exploding at previously unimaginable levels, it’s critically important for CISOs to understand and prepare to minimize future shock. This includes being a part of digital transformation planning, along with knowing what you’re digitally transforming, how it’s being transformed, and who is being affected by the change.

As a person responsible for privacy and security inside of my company, I have always believed that it’s important to know not only what our company is doing today but what it will be doing in the future. Understanding the future of technology gives me perspective, as a privacy and security professional, on the kinds of threats we may face and need to plan for in the future.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We use a wide catalog of products that allow us to understand how data is created, collected, used, shared, stored, and ultimately end-of-lifed by our company. We use many of our own AvePoint products to identify, tag and protect data, create and manage secure containers, and review and limit permissions. We also use products to protect, monitor and secure our networks and our data at rest and in motion. These include firewalls, anti-virus/anti-spam software, public key cryptography and multi-factor authentication. Finally, we use SIEM products to analyze and continually improve our cyber posture.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Monitoring for potential hacks and exploits is now as commonplace as virus scanning, but this may lead some organizations to improperly rely on their existing scanning technologies, forgetting that the most costly breaches come from simple failures, not from attacker ingenuity. It’s important to remember that “innocent actors” themselves may represent some of our weakest security links.

When looking for signs of a breach, I always recommend starting with internal users. In my experience, the most common mistake ALL businesses make when it comes to cybersecurity is focusing their data protection strategies on only keeping the outsider “out”, when in fact many breaches come from an attacker who is already inside. Whether intentional or unintentional, insiders may pose the greatest threat to your data protection program. Fortunately, they are the threat you can do the most to alleviate.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Once a breach is detected, the immediate next steps should include containment, communication, eradication and recovery. It’s critically important to do a post-event analysis and take corrective action.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Historically, many organizations have paper-based policies that are largely unenforced for several different reasons. First and foremost, these policies are often written by legal and compliance folks who know very little about a day in the life of the normal “business user” within their companies. Many privacy professionals are used to writing policies that help their companies match the regulatory requirements. But those policies don’t necessarily reflect what their company is doing in practice, or even what is possible in practice. Second, these policies are often written without consultation and advice from IT and Security, and thus they do not always reflect either what is technically possible to enforce, or even the reality of what everyday workers in these organizations are in fact doing. Thus, the likelihood of compliance is slim, if not remotely possible at all.

This is true in a world in which business users believe that their information is critically important. They tend to keep it for longer than necessary with the thought that they “might need it again someday.” And finally, oftentimes they keep it where it’s easiest for them to access it, rather than in the places across their networks that have been properly secured by security and IT. This can lead to a proliferation of data across corporate and personal networks and devices, loss of good knowledge management and critical corporate intellectual property, as well as an increase in potential security and privacy risk.

The real challenge comes from the intersection of policy and practice. It is important to understand that regardless of the source of the mandate, one challenge faces all these organizations: once they have created their policies, they must decide how to enforce them and measure their effectiveness. On the surface this may seem like a simple task, but in practice the dilemma is that creating a policy without any mechanism (automated, manual, or third-party) to measure and monitor compliance with the policy is somewhat like setting a curfew for a teenager and then going away for the weekend. How do we know if people will live up to our expectations? How do we know if those expectations are even reasonable? To build effective policies, we must not only understand the legal and statutory requirements that will shape the policy within our organizations, but we also must understand how these policies relate to the business practices, people and technologies within our organizations.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

There is work still to be done in the technology industry, and particularly in the security industry, to encourage young women to seek careers in this sector. This will succeed or fail based on what we teach children in school and what we expect them to learn. Just as my grandmother was a trailblazer in her time by going to law school, many women around me are now considering career paths in technology companies and in security.

We can look to the privacy industry as a success story in this landscape, where per research done by IAPP, at least half of Chief Privacy Officers globally are now women. That brings me great hope for the future of women in security and privacy. My mother and father used to tell me that “life is not fair.” And indeed, it is not. We all play the hand of cards that we are dealt. I believe that all of us have an opportunity to rise through who we are and what we do.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

A few years ago, at a Data Protection Congress in Amsterdam, I heard from a wonderful Dutch artist who spoke about his two “least favorite” words in the English language: “Yes, but…” He said that most of his projects were met by a skeptical audience that countered his ideas with those words.

“Yes, but what about the cost?”

“Yes, but what about the requirements?”

The list went on.

Many of us in the IT industry and in compliance roles are familiar with those words. We have either heard them, said them, or — in many cases — done both. I have struck those words from my vocabulary! Our Privacy, Security and Risk team attends forecast calls, supports our sales leadership and regularly works with our customers.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

  1. Building and maintaining a strong network of peers within the security community is not only essential for your personal career growth, but also allows you to learn from the experiences of others. I have found that some of the professional and personal friendships I have made with other colleagues working in my profession have been essential to my continuing success. This includes both women and men.
  2. Women tend to believe that if they work hard and keep quiet, someone will eventually notice. It’s even more important for women to become their own promoters and advocates both inside and outside of their organizations. Everyone that works for me knows that I have a saying: “Being a legend in your own mind, or even in my mind is not going to be that meaningful for you.” You need to make sure that leadership is aware of your work and accomplishments and do so in a way that is not boasting, but rather informative and helpful.
  3. I submit myself and colleagues for speaking sessions at industry conferences, I am a regular contributor to many publications, and that helps me promote the work that we do, internally and externally. I make an effort to do as much public speaking as possible. Eye contact, standing tall, using your hands, and working a stage have all been non-verbal traits I’ve learned over time — many of which have taken a lot of practice. I’ve also learned that smiling and humor are helpful, even when talking about serious topics. Early on I realized that if your audience can relate to you in some way, they are much more likely to be receptive to what you have to say. So I try to find a way to draw people in and to be inclusive while at the same time maintaining my command of a topic.
  4. This is a field that lends itself to women who want to learn, work hard, and become active in a vibrant community.
  5. If you are new to the security profession, practical and applied experience is a must. Latch on to the security and privacy people in your own organization. If your company does not have a privacy team, that represents a great opportunity to raise your hand and help to build one.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them.

Bruce Schneier — I have been inspired by his work, his insights, humor and practical and relentless determination to make people think!

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
