Cynthia Overby was present at the very beginning of mainframe security, but she never planned on it being her career.
"I kind of fell into it like most people do," Overby told us. "Forty years ago, I started as a systems programmer at Sundstrand Corporation in Rockford [Illinois]. In 1978, when they purchased [a license for] ACF2 [Access Control Facility 2], which is one of the ESMs [external security managers] available on the mainframe, I was basically promoted to be the security officer. From there, it just kind of went along over the years."
When cybersecurity was an afterthought
Overby, honored as a Cyber Veteran by SC Media's Women in IT Security program, recalls when information security, especially on mainframe computers, wasn't exactly at the forefront of people's minds.
"Back in those days, security was just kind of an offhand, 'Well, maybe we want to do it, maybe we don't, and how can we do it?,' type of thing," Overby said. "It didn't really begin on the mainframe until the SHARE [user group for IBM mainframe administrators] security project actually developed a white paper."
"Barry Schrager and [Eberhard] Klemens and [Scott] Krueger, SKK, were the ones that developed the white paper and IBM wrote RACF [Resource Access Control Facility, 1976]," Overby added. "Barry and Scott and Eb basically didn't like what [IBM] did. That's when they started SKK and developed ACF2. So that's where security on the mainframe really started."
Click here for full coverage of 2023 Women in IT Security.
Overby went on to work for SKK until it was sold to Computer Associates, then directed network and security services in the management-consulting and healthcare industries. In 1988, she and her husband Ray Overby founded Key Resources, Inc. (KRI), which produces the Vulnerability Analysis Program, a scanner for mainframes running IBM z/OS and related operating systems.
"It's the only product of its kind, and it's a technically elegant product that basically most financial organizations today use," Overby told SC Media. "The fact that he was able to develop it and I was able to market it and sell it is one of those things that we'll always be very proud of."
She considers her biggest career success so far to be founding and running KRI, which she and her husband sold to Rocket Software (where Overby is currently director of security and customer solutions) earlier this year. "I'm very proud of the fact that that we were able to join Rocket," she said. "It's an amazing organization that really respects its employees, so the cultures really matched. They took all of our employees and everybody really, truly enjoys working at Rocket."
From color theory to managing mainframes
Yet this stellar career in mainframe security was preceded by, of all things, art school. Overby studied color theory as an undergraduate, and then got an MFA degree — and she thinks this artistic training prepared her well for IT security.
"The theory classes that I took, whether they were for color, or just basic theory classes which we had to take, really teach you how to take logic and psychology and put them together and map them out to possible scenarios," she explained.
Logic and psychology, Overby said, are perfectly applicable to information security.
"I consider it [cybersecurity] to be about 50% logic and math," she said. "Then the other 50% is basically staying ahead of the bad guys, so you're basically, 'Okay, what are they thinking?'"
Meanwhile, the scenario-building that she learned in art school fits well with risk management.
"I took my ability to map out and to go in front of a board of directors when they say, 'Well, this is impossible,'" Overby said. "I can say, 'No, it is possible. And here's, basically from a theory perspective, the reason why I believe it is a possibility that this could happen.'"
Gaming out the MGM hack
A very recent, very public, cybersecurity incident let Overby apply her risk-analysis skills.
"I was at the IBM Tech Exchange this past week [held Sept. 12-14 at the MGM Grand Hotel in Las Vegas]," she told us. "And the hotel we were at, the chain got hacked."
"You couldn't gamble, basically," Overby added. "You can imagine how much money they were losing. When you went to check in, they were writing down your driver's license number and your credit card on a piece of paper."
The buzz around the conference was that the attack was carried out by a hostile nation-state, which Overby found unlikely. (A known cybercriminal group has since claimed responsibility, although that has not been independently confirmed.)
"Some of us sat down, and we started brainstorming," Overby related. "Okay, why would we think it's a nation-state versus just somebody in Bulgaria or in China or whatever just having fun?"
"We looked at it more from a psychological perspective," she added. "What we came up with, our theory is it said it was a disgruntled employee of IBM."
"There was no goal here other than to upset the applecart," Overby said with a laugh.
Choosing your focus early
To women who would follow in her footsteps with a cybersecurity, Overby offers some perhaps unexpected advice.
"Take a look at the different infrastructures that are out there, whether it be network, Unix, mainframe, distributed, and become an expert in one of those specific arenas," she said. "Go deep. Don't go broad, but go deep. Pick something that you really like doing."
The reason for this, she explained, is that while there are a lot of people who know a little about many different aspects of cybersecurity, there may not be as many with truly profound understandings of narrow, specific areas.
"If you're already in networking, become a network expert on cybersecurity," Overby recommended. "Then as you move along, distributed systems, the cloud, that really fits with network, you can move across. But go deep first, so that you can basically say, 'I'm an expert in this particular area.'"
Passing on the wisdom
Overby applies this framework to the young women she mentors, including one "who's at IBM [and] wants to be the CIO someday."
"We've been meeting once a week and we've been going through different scenarios," Overby said. "She's building a table of the things that she likes and the things that she doesn't like. Once we're done, then we're basically going to sit there and say, 'Okay, this is probably the direction that you want to take.'"
Overby believes that in general, women in the cybersecurity industry "need to do a better job of mentoring."
"It's not so much the technical skill set [that's important] now as it is the soft skills," she told us. "Do you communicate well? Do you know how to listen? Do you learn? Are you willing to learn? And taking those women and putting them in the right area so that they can succeed."
Not an easy road
In the early days of her career, Overby recalls, there weren't many women around to mentor her and, as she told us, her biggest obstacles were "being relevant" and "being heard."
"The first SHARE [conference] that I ever attended was back in 1982. There were 10,000 men and 10 women," she said with a laugh.
"It's been tough" as a woman in cybersecurity, Overby admitted. "It's still tough at times."
"I find now that I'm probably my own biggest obstacle, because I still don't at times feel that people are actually listening to what I say, even though I do know they're listening to what I say. Because I've been carrying that baggage for so many years, it's really hard to get rid of."
Yet even in the most difficult circumstances, Overby said, there's always a way to make a connection. When she was working for Sundstrand in the late 1970s, she was sent to Japan to train a roomful of engineers how to be security administrators.
"So I went to Tokyo, and they were very gracious. They understood and they went through the training," she said. "But at three o'clock, they went to have their tea with their geisha, and they didn't know what to do with me. So I said, 'Well, just show me where I can go shopping.' They understood women and shopping."
After the class was over, the Tokyo trainees apologized, but Overby told them she wasn't offended by the culture clash.
"I was very happy to go out and buy presents and things for the people I wanted to take back, so it worked out quite well," she told us. "If you can develop a relationship with one or two people and have a friendship and then they begin to trust you and to trust who you are, then you start to become relevant and it kind of snowballs from there."
Don't be afraid to speak up
To women in cybersecurity who might encounter sexism, being underestimated or similar obstacles, Overby has very simple advice.
"If you really feel strongly about something, put it in writing and go over your boss's head if you have to," she said. "Maybe back in the '70s and '80s, that might have gotten you fired, but nowadays it doesn't."
"If you're really passionate about that particular topic, go for it," Overby added. "You can't win by just sitting here with your hands behind you. That's pretty much what I tell people."
