Eva Chen, CEO, Trend Micro
What have you done to help influence the direction of IT security?
Pursuing and encouraging innovation has always been important to me. I am passionate about finding new ways for technology to positively influence society. Having been involved in IT security since the beginning, I have seen how technology has evolved to dramatically influence daily life for businesses and consumers alike. Unfortunately, these great strides attract unsavory elements aimed at exploiting it. I am hopeful Trend Micro's commitment to innovation and desire to make technology safe helps foster an attitude throughout the industry to stay focused on a common adversary, rather than business competition.
How do you view gender gap issues in the IT security field?
The technology field in general has a lack of females, so IT security is not unique. Although, two of the three founders of Trend Micro are women, which certainly stands out and we are very proud of that! While there is room for improvement to attract more women, those in the IT security industry are seeing greater chances to succeed. This field has awarded me tremendous opportunity to expand my horizons in terms of how technology and innovation can help improve lives. I feel a responsibility, along with other female leaders, to use my personal story to help young women understand the tremendous opportunity this industry offers.
How have you reached this point in your career/expertise?
My lifelong interest in technology led me to R&D for a major PC manufacturer, which helped to define the direction of my career. This experience exposed me to the pressing need to protect computers against those who seek to do harm. It was at that point I helped found Trend Micro with my sister and brother-in-law. Over the years, I have seen technology grow exponentially, and along with it an onslaught of cyber threats. Both of these developments inspire me to push for more innovation so we can stay ahead of the bad guys.
What drew you to this career (or how did you end up in the industry, etc...)?
Unyielding curiosity and the pursuit of challenges drove me to this career. Curiosity about technology, the way it can help to improve lives and making it safe to use is fascinating to me. This curious nature has also revealed challenges that need to be resolved. And, rest assured, IT security offers many things to be curious about and many challenges to face. Being exposed to these challenges on a daily basis is truly invigorating and consistently creates new excitement. I can't imagine a more intriguing field to be a part of that touches so many lives, and allows me to fulfill my insatiable curiosity. Because of this, I can't wait to see what new challenges lie ahead.
What advice do you have for female professionals entering the industry?
Be confident and embrace your ability to succeed in this predominantly male-driven field. Throughout my career, I have experienced numerous situations where my thoughts and value could have been overlooked. Fortunately, I had a strong support system of family and female colleagues. The confidence they helped me develop remains with me today. Most importantly, you can have both a career and family. Raising two children while establishing a leading company in the IT industry presented challenges, but it has been very rewarding. Finally, look to other female colleagues for mentorship and support to guide you.
Jennifer Henley, director of security operations, Facebook
What can men do to help champion diversity in their companies and organizations?
Diversity is not just about men and women; diversity of teams and thought helps all of us be more creative and innovative. Men should listen, be vocal, and set an example. Reach out to women and listen to their opinions. When you see biases at play, be vocal about addressing those and calling attention to them. But perhaps what is most important is to lead by example. For example, take full advantage of your company's family leave policy, and leave early for your kids' school activities. Above all, demonstrate your support through action and not just words.
What attribute would people be surprised to learn is important to have as a security professional?
Empathy. People often overlook the human element of the security industry. The problems we solve are tough, and we must be able to understand and share in the feelings of others in order to determine how to apply solutions. Empathy allows us to address complex problems in context and focus on helping people instead of simply implementing something because we can. We must be able to think beyond ourselves and our own personal gain in order to achieve the impact we are capable of delivering.
If you could change one thing about security in order to achieve more diversity, what would it be?
I don't think security itself needs to change, but we have serious image problems to address. When people talk about security, the emphasis is usually on the attack side and the people breaking in. The typical conversation excludes the parts that motivate the majority of us in this field: protection and defense. We face a complex set of challenges as more and more people put their lives and trust online. With that in mind, we need to change the conversation to focus on the collaboration, creativity and diversity of thought that's necessary for people to truly feel safe.
Cecily Joseph, vice president of corporate responsibility and chief diversity officer, Symantec
You've been in the IT industry for quite some time. What drew you to entering the IT field? What has kept you here?
I was originally drawn to the IT industry because it was new and I saw so many job opportunities, as well as opportunities for career growth. Over the years, the excitement and passion people have around what they're doing in this industry has kept me here. We're really at the forefront and I feel like we're making history, especially being in Silicon Valley. The work that we do is really important and I couldn't imagine myself in any other industry.
Is there a particular individual, tool or piece of advice that has helped you succeed in your role?
The tool that has helped me succeed is the ability to adapt to change - it's especially important at tech companies. I've gone from a tech company of 40 to a Fortune 500 company at Symantec. The ability to adapt to change is critical - our role is constantly changing, it's part of this industry and it's been a key component that has helped me succeed.
During your time in the industry, have you noticed a trend in the number of women in IT security roles? What drives this trend?
I've worked with women chief information security officers and met incredible women in this field. I know that there are women out there in IT and they are collaborating more, but when it comes to the numbers I don't see that we've actually made a lot of progress in IT. People are talking, but the numbers aren't changing - according to the 2014 (ISC)² report, women represent just 11% of this profession. People coming together is a sign of the need in this area and there is a lot of energy around women in STEM, but according to the numbers we still have a lot of work to do before we start seeing more women enter this field.
As a woman of color, what advice do you have for others of diverse backgrounds about entering the IT field?
Do it! Please enter the IT field. The IT field, unlike any other, is so dependent on diverse perspectives and innovative ideas. The value that diversity brings to the table is so needed in IT and our success depends on it. There are so many opportunities for women of color to enter this space and people are seeking these differences that people of color can bring to the table.
How can men become advocates and champions for bringing more women into the workforce and leadership positions?
Men can become champions by looking for a diverse pool of women in IT security when it comes to hiring and by being thoughtful about the leadership and development roles that they are providing for their people. In addition to hiring and promoting, men can be mentors and sponsors of women throughout the organization. Even if there's limited time for engagement, mentorship and sponsorship are so valuable for career advancement.
Susan Landau, professor of cybersecurity policy, department of social science and policy studies, Worcester Polytechnic Institute
Is there a specific moment that solidified your decision to pursue cybersecurity as a career? Or a moment that really sparked your interest?
I have always been interested in matters of technology and policy. My Ph.D. research was in algebraic algorithms, an area with close relations to cryptography (indeed, one of my subsequent pieces of research showed that a proposed cryptosystem was insecure). When cryptography policy became an important issue in the 1990s, it was a natural shift over for me for research, though in fact I had been writing about cryptography policy since graduate school in the early 1980s.
How does teaching offer a different challenge than your prior work? What do you hope students take away from your class?
I taught right after graduate school, so teaching at WPI is, for me, a return to old patterns. Research is typically cutting edge, while teaching involves interpretation.
I hope students learn about the complexity of implementing technical solutions in security and privacy: how the users' needs must be taken into account, what the social, political and economic pressures are in security and privacy solutions, etc. This is sometimes a big jump for engineers, so it can be challenging.
As a woman in the field, did you ever have a time when you felt especially challenged?
Many times. It was harder when I was younger, but it doesn't ever completely go away – and no, I am not about to mention specific instances here.
What advice would you give to young women curious or hoping to enter cybersecurity?
Never let sexism get to you. Remember that such attitudes are about them, not you. Have a tough outer skin, but don't lose your humanity underneath. Make sure to have friends – male and female – who help you make sense of it. And don't let such negative attitudes about women in the field take away your pleasure in working in the field.
Is there a particular accomplishment that you feel especially proud of?
Publication, with Whitfield Diffie, of our book, Privacy on the Line: The Politics of Wiretapping and Encryption, and the long line for the book signing at the RSA Conference in 1998. And publication in 2011 of Surveillance or Security? The Risks Posed by New Wiretapping Technologies.
With the U.S. debating default encryption and cybersecurity really breaking into mainstream news, what do you think cybersecurity professionals should keep in mind when doing their job?
Think hard about the use case: Whose data is being protected and what the threat model is. Be very analytic in your approach and think carefully about all aspects – including social, political and economic – before you begin your system design.
Jean Pawluk, founding member, Cloud Security Alliance
What was a key moment or experience that influenced your decision to have a career in security?
My favorite question has always been "What if?"
As a child I spent many hours reading mystery stories and science fiction which resulted in a deep interest in science and emerging technology as well as an interest in what motivates people to do what they do.
As a computer programmer and a hacker in the old sense of the word, I poked around into systems and mechanisms because I wanted to learn more about how it was all put together.
Early in my career I became fascinated by security and cryptography when I investigated the cryptographic devices and hardware I was working with while developing ATM software and electronic funds transfer networks for the financial industry. How did they work? What was it really protecting? How could it be broken? What other technology could we use to protect funds transactions? At the time, most of the information was proprietary, so it took a lot of digging in vendor manuals and academic journals to get the answers we could use. My interests led to work at several telecommunications companies programming telephone switching systems. (There were some really interesting discussions while carpooling with the folks who designed "blue boxes" about how to exploit phone systems.)
What moment or experience characterizes your career in security?
Fortunately, I was working in Silicon Valley for Tandem Computers and my interest in security was re-awakened when it became painfully obvious that the internet was totally insecure. We then immediately focused on starting new security initiatives at Tandem. I led several teams to deliver various security and strong authentication solutions to overcome those threats, including, for Singapore in 1997, the first commercial public key infrastructure (PKI) system in the world.
A broad mix of security and technical skills and business leadership and the ability to translate between the worlds of technical, business and legal concerns eventually brought me back to the financial world as chief architect, where I spent several years working on data and global security at Equifax and Visa.
What have the security industry and your peers done to support your successes in security?
The incredible network of friends and colleagues from all over the world which developed over the years on the job, and collaborating on several standards groups, including FSTC, OASIS, IETF and NIST, and with other professional groups, such as ISSA and the Cloud Security Alliance. The opportunity to invent and innovate on the job and make changes that can better the world has been fantastic. It is one of the reasons that I am so passionate about welcoming new faces into our security community – to encourage people from all sorts of backgrounds to join us.
The world is constantly changing and we all need to be able to adapt quickly. When Jim Reavis and Nils Puhlmann approached a small group of us to form the Cloud Security Alliance in November 2008 we all responded with "Yes! Let's do this." We could see where the cloud was going and no one wanted to repeat the security mistakes we made when the internet was introduced commercially.
What would you say is most challenging for a woman about having a security career?
In many ways it's the same challenges for both genders. To develop a well-rounded set of skills and to find what work you are passionate about. Women need to grow their self-confidence and learn to stand up for convictions. Don't allow anyone to tell you that you can't learn to do something or allow them to so narrowly define your job that you cannot advance. Security can encompass so many different areas in order to protect the whole, that a big picture viewpoint is as necessary as the ability to do a deep dive into a subject.
We need to do a much better job of showing girls and women about the joys of working in tech and that it is a rewarding field both as a career and to their financial bottom line.
Of those challenges faced, how do you respond and did your response influence success?
I'm always learning and trying new things. For a long time I was shy about getting in front of an audience to speak, but as time passed I learned to forget to be nervous, to have the courage to be myself and say whatever I thought appropriate to the occasion. Now I enjoy public speaking.
Deborah Peel, expert on health information privacy, founder of Patient Privacy Rights (PPR) and the Coalition for Patient Privacy
What motivated your activism in the health privacy and security space?
My interest/activism started very narrowly but explosively, when I realized that the right of each patient to decide who can see or use her medical records, the right of consent, was precisely and surgically removed from HIPAA in 2002. The foundation for trust between patients and physicians was destroyed. I looked at it like this: there are a few thousand Freudian psychoanalysts but there were no health privacy advocates. Oddly, it was simple, there was no one else.
Why do you think there was such a vacuum at the time?
It takes an “insider” to know about it – like a practicing physician (me). It turns out that health data security protections are also grossly inadequate, but plenty of privacy advocates and civil society organizations understand what data security protections are needed.
IT in general, and health IT in particular, can be a very male-dominated field. Have you found that the industry has become more receptive over time to including women in high corporate positions and government advisory boards?
No. The problems in health IT parallel the problems in life itself in the 21st century: women are underrepresented everywhere in the U.S. and the world: in leadership, arts, governance, research, science, politics, business, etc., etc. Strangely enough, the U.S. lags other Western nations, many of which have quotas to ensure women have equal representation at least in governance. It's so painful to see repeated studies that show working groups with women perform better than those that are all men.
What could be done to assure that more women's voices are included? Some European nations require a quota of women on the boards of public companies. Could something similar be done for health governance?
I totally agree, especially with solid scientific evidence that diversity works. We need only think about the way Congress has been operating, where one side never even meets with the other side---where building relationships is prevented, not facilitated as in days past. The need for women is very, very great in health care and health IT governance: i.e., the need for mature, altruistic, generative adult leaders who feel broad, deep emotional, social and intellectual obligations to protect and nurture the nation's children and grandchildren, in the same way they care for their own children and grandchildren, for the betterment of all!
If you knew of a young woman entering college now who wanted to act in the incredibly important advocacy role you now serve in, what would be your advice to her?
This is really hard. Serving the public's interests is a critical, vital function that every democracy really should find ways to ensure. The U.S. is failing at this today because we are in an historical phase much like the robber baron phase of the late 19th-early 20th century. Unbridled capitalism must be balanced by very strong protections for everyone.
Lisa Sotto, managing partner, head of the privacy and cybersecurity practice, Hunton & Williams
If women have done much better in the privacy field – research shows them on par with men in both salary and career advancement – than they have in information security, it may be, in part, Lisa Sotto muses, because privacy is “more squishy.” That's not a word that anyone is likely to use to describe the direct, confident Sotto. Chosen as one of The National Law Journal's “100 Most Influential Lawyers,” she is the editor and lead author of the Privacy and Data Security Law Deskbook on the areas of privacy and security law that most affect U.S. businesses operating globally.
By "squishy," she means more policy-driven and societally focused, while security remains tech-driven, drawing professionals with a background in STEM, which girls often stop pursuing, for a variety of reasons, in junior high and early high school.
After a successful run as an environmental lawyer (another area initially dominated by men), Sotto developed an interest in the internet and transitioned to security and privacy, the latter of which was, in 1999, a fledgling discipline at best. A go-to source for news outlets, Sotto often provides expert commentary and analysis on privacy and security incidents. She counts among her top achievements an ongoing case that involved as many as 90 million users in 4,000 corporate entities stretched across 60 countries. The team she led in this case, 50 lawyers strong, handled the forensic investigation, as well as notification, and managed to mostly resolve the case (three years out, a few details remain for her team to sort out).
“The most remarkable part, there were zero lawsuits, and only a few regulatory actions, nothing to speak of – only investigations, not enforcement,” Sotto says. SC Magazine caught up with the intrepid privacy lawyer during a hectic week of travel – and in the moments after the Office of Personnel Management revealed that the data of millions of federal workers might have been compromised in a massive breach of its systems.
You've been practicing quite a while in security and privacy, the latter almost as long as it has existed. What led you to make the transition from environmental law?
I expressed an interest in the internet and technology group at my firm. The head of the group didn't want to retrain me as a corporate lawyer and encouraged me to think about doing privacy work. There was nothing at that time except a draft of HIPAA. Gramm-Leach-Bliley wasn't even in effect yet. There was very little around privacy – maybe an inch of documents. It was a very quick read to become an expert. And I learned a lot working with our institutional clients. I was one of the first people to practice in this area. My entry was much more about serendipity than prescience.
How did your earlier experience as an environmental attorney inform your development as a privacy and cybersecurity practitioner?
They follow the same path. In environmental law, hazardous material is subject to leaks. In privacy, data leaks. Regulations are around the collection, use, sharing, transport and disposal of data. Environmental regulations [cover those same aspects] for hazmat. The information lifecycle of data follows the same path as environmental [concerns].
Your practice includes both privacy and cybersecurity. How do those disciplines differ for women?
There are a lot of august, senior women in privacy, not as true in security. I think women have made enormous strides in privacy, but have a ways to go in the security arena – where their numbers are more sparse and I often walk into a room full of men. I chair two conferences – one is a two-day privacy summit. We have to fill quotas and have an over-abundance of women and minorities. We just started kicking off a one-day cybersecurity summit. And we're not doing well on making those quotas. There aren't that many women.
The International Association of Privacy Professionals (IAPP) just released research that found women in privacy on par with men in almost every aspect. That clearly doesn't mimic the experience of women in information security. Why do you think women are on such different trajectories in these two disciplines?
Early entry. We had first mover advantage in privacy back then – for me, truly the right place at the right time, true serendipity, entering a field where there was a blank slate. We had no male mentors to bring along, no baggage, no old boys' club, because we were creating the industry. If you were willing to take the risk and go in, the world was your oyster. If you had gumption, you were in the club. All you had to do was step through the door.