By Selena Templeton, Column Editor, IT Security Planet
During the Women In Security session at the 8th Annual ISSA-LA Summit, Chenxi Wang, Chief Strategy Officer of Twistlock, told a story about when she and her husband had to sign the paperwork to successfully take possession of a house they had bid on. Their realtor called while they were driving to the airport in their Internet-connected vehicle (a Tesla) and told them that, if they wanted their dream house, they had to send over the mortgage document right away. In that moment, Wang and her husband had to weigh the risk versus benefit trade-off of sending personal information online.
We’ve all been there—using payment gateways to make purchases, depositing checks on our smartphones, or signing e-documents that contain our Social Security Numbers. This risk/benefit issue that Wang mentioned on the panel led me to a one-on-one conversation with her afterwards to get the low-down on security versus convenience from a CSO’s point of view.
Wang agreed that the issue of security versus convenience is something that everyone struggles with, even cyber security experts such as her. It all comes down to the risk/benefit trade-off that each person is willing to face because, in the end, online security is never completely risk-proof. For her, sending paperwork that contained her personal info via the Internet (while it was sent over SSL, it was likely through a vulnerable SSL connection) was a risk she was willing to take when the alternative would have been to lose her dream home. For others, the risk might have outweighed the benefit in this particular case.
Part of the difficulty is that no security system is safe 100% of the time, because technology (software, for instance) is always written by humans and therefore susceptible to human error. The OWASP Top 10 is the perfect example of this.
Hackers are experts at finding these errors.
To highlight this point, Verizon puts together an annual Data Breach Investigations Report (DBIR), a comprehensive cybersecurity report compiled from 100,000+ incidents and 2,000+ analyzed data breaches, which is considered a yardstick in the industry. Wang cited this report when she stated that the number one culprit in security breaches is “easy mistakes.” These include such things as e-mailing unencrypted information, working remotely, using simple passwords, not implementing dual-layer encryption, neglecting to change the settings on a router, and e-mailing pass codes to other employees.
Wang pointed out that another simple breach comes from the fact that every manufacturer ships its products with default codes and admin passwords. Companies that don’t take the time to disable them wind up basically waving an “open for business” sign to hackers, who can easily find these details on the Internet.
One of the panelists in the Women in Security session mentioned in passing the Apple vs. FBI issue, and while this debate could go on indefinitely, as evidenced in the “Privacy vs Security: Apple and the FBI” session, Wang chimed in with her thoughts.
She said that the FBI wants to remove “warrant-proof” encryption—which means that Apple would be required to write special software to allow the FBI to bypass a mobile device’s password. Apple’s argument is that it’s not the government’s place to force them to write a new piece of code that would essentially become a master key for all its devices—which would leave the door open for cyber attackers. Wang agrees that this debate between privacy and security amounts to a case of the chicken and the egg—is Apple being stubborn or is the FBI being too “Big Brothery”?—that, as Apple says, should be resolved by Congress and not the courts.
Getting back to the topic of women in security, I asked Dr. Wang what advice she would give to young women interested in a career in InfoSec (or any tech field, for that matter). She said that she just sort of fell into this industry as a career, and if she could go back and do it again she would have found women to talk to, plying them with questions about their experiences in this male-centric field.
The perception that still comes to mind for most people when you think of working in technology is a couple of guys holed up in a darkened basement surrounded by empty junk food wrappers and heavily-caffeinated carbonated beverages. And while that may be a stereotype to a certain degree, it’s still an industry dominated by men, which can make a lot of women, especially younger women, uncomfortable. Wang is a strong, feisty, and independent woman, so this kind of environment doesn’t bother her—she and another girl were the only two females among 30 guys in a college computer science class—but it’s definitely not a lifestyle for everyone.
Find mentors, says Wang, join associations where you can network with other women and ask questions, and connect with groups of like-minded women for the support you will inevitably need when embarking upon an InfoSec career. She was compelled to create a Facebook group called Equal Respect, where women post personal and professional networking opportunities, after attending an RSA Conference two years ago at which “booth babes” continued to strut around and undermine women’s roles in the technology and security industries.
As we wrapped up, Dr. Wang made it clear that she was happy to see so many men in the audience at the Women in Security session because it’s extremely important for men to be included in women’s initiatives—after all, working together and supporting each other is what equality is all about.
Selena Templeton is the Column Editor for the Women in Security column on IT Security Planet. A freelance writer whose work has appeared in The Hollywood Reporter, JenningsWire and IT Security Planet, Selena also writes and edits for a variety of clients, both solopreneurs and companies, from the entertainment industry to the digital marketing industry.