Working in the cyber field is a job like no other. Where does your motivation come from?
When I was young, I wanted to become an FBI agent. I thought that all they did was drive around and interrogate people, until I was 14 and began hacking. I started reading blogs and forums, and I went on different chat channels. I’m not going to lie to you; I didn't know what I was doing, and I wasn't professional or anything. But when I figured it out, I was like wow this is great. Maybe I can become a hacker for the FBI. The first thing I hacked was a family member’s email…
…You hacked your family member?
Obviously, with their permission – they didn’t believe I could do it. Back then email wasn’t very secure, well even a couple of years ago the same provider – which I won’t name – had a breach. Still today, I'm not a badass hacker where I can build my own code; a lot of the code I use is other people's.
You have quite an impressive resume. Please tell us a little bit about your background.
My first time working in cyber was while I was still at college as a security analyst for a start-up. When I graduated, I started working at an OEM, and I was teaching technical security courses in the evening. Since then, I have done work at Ford, Deloitte, and Booz Allen. At Booz Allen, where I was focused on connected IoT vulnerability management, I was put on SAP. After about five or six months, they had a position open in the group that I was working in, and I decided to take it because I loved the culture, the leaders, and the people.
Could you explain your job at SAP in 100 words?
I manage a group of talented North American Security Engineers who work hard to keep SAP employees and customers secure. We help protect the company by identifying areas where attackers could get into our systems and work with IT and business partners to fix those holes. Using my security expertise and industry best practices, I protect our interests every day. Together with my team and colleagues, I am working to mature and build a world-class security program that will enable SAP to position itself as a trusted cloud software company and leader.
How much of a cliché is around your work – I’m thinking, for example, figures such as Lisbeth Salander in Stieg Larsson’s trilogy?
A lot of stuff is fueled by shows and Hollywood. First is the idea that a lot of hackers are introverted, hoodie-wearing geeks, and that they spend a lot of time behind the computer. While this is somewhat true – I know a lot of hackers that would rather communicate their stuff through code – you also have a lot of hackers that are at the director levels, that are wearing suits, giving talks on what they have just done in their group.
Secondly, not all hackers are bad people. Hackers wear different types of hats: white hat hackers are ethical security hackers who identify vulns in hardware, black hat are criminal hackers, grey hat are your just-for-fun hackers, script kiddies are amateur hackers, red hat are government-based, along with many more colors. You have the good security researchers that want to work with companies and help them, and then you have the bad ones that go and exploit people and put them out there. Most researchers that I know, they'll reach out to a company when they find something. However, what happens is that company will ignore them, and that leads them to get frustrated and go online and start posting about it.
You have had a lot of exciting opportunities. What has been a once in a lifetime experience for you?
I was working at Ford on the mobile application that transformed Ford to become a mobility company. It allows you to send command and control to your car (unlock it, lock it, find a parking spot, reserve a parking spot, pay for parking, share, and borrow your car, sign for concierge perks). For the first release, I was doing all the security by myself (POC for all security). Once we launched, the marketing field said, hey this is what transformed Ford to become a mobility company, and they honored me with a plaque. It was really fulfilling; it wasn't money, and I wasn't looking for money, it was experience. Once we launched, I remember the director let me know that they couldn't have done it without me. That was the most rewarding thing because it made me feel like wow, I did a lot for them – it took six or seven people to replace me for the work I was doing!
What’s your favorite thing about your job? What keeps you going?
Honestly, I look at cybersecurity like a maze. You're always trying to figure out what to do. You think you figured something out, but then you hit a wall. It's never really a straight path; if you take a cybersecurity career, it’s not like climbing a ladder but more like a jungle gym. Normally, we make a lot of mistakes, but we fix them and there's a start and an end to everything. But in cyber it's always like, oh, I started this, we fixed it, but something else just came up. You're always moving and looking for the next vulnerability that people are exploiting.
Why is cybersecurity one of the top 3 issues for any company?
In prior years it was somebody stole information, but today companies have bigger challenges. Now, it’s not when is someone going to steal personal information, it’s people's safety and lives at risk. For example, OEMs are developing autonomous vehicles that drive themselves. From a hacker’s perspective, if I'm a bad guy, I can take over the fleet of vehicles that controls them and make them all turn left or right. Just imagine the destruction that would ensue. So now you have the consumer, you have operational outages that companies are afraid of, consumer safety, physical destruction, and reputational damage, as well as your everyday things like: how do we secure our network, how do you secure the PI data?
With all the dangers out there, what is the most important 101 you can give that everybody can do in 10 minutes?
I would always say: secure your devices. A lot of people still don't change default passwords. It sounds old what I'm saying, but still the same thing: use complex passwords with two- or multi-factor authentication, disable and enable any features that you don't need on your network. If you have LinkedIn, you don't have to list your software programs you're using at that company. Hackers look for those types of key information while performing reconnaissance. Also, if you want to use a certain functionality on a device don't just opt in and give away all your data to use a certain feature. Really understand what you're signing up for.
Do you have any advice for young girls interested in STEM?
I am a big proponent of getting more girls involved in cybersecurity. I started doing speaking engagements in 2013, and I have also been involved with Hack4KIDZ and Girls Rock IT. My two pieces of advice: “Don't be afraid to get uncomfortable, because those uncomfortable situations always help you grow.” One of my mentors told me this many years ago, and it was the best advice anyone ever gave me. The most challenging opportunities are always the ones that allow you to develop and make you realize that you can do anything.
Another mentor advised me that if I want a seat at the table, to always bring my own chair to meetings. She said, “Say something valuable, and I promise next time they are going to offer you a seat.” I took her advice and it worked. I would give other females this same guidance. You might be the only female in that room, but you're capable of being a badass. Anybody can do anything.