
Where are they now?

SC Magazine caught up with some of our past honorees to see where they've landed on the information security landscape since they were featured in one of our Women in Security issues. 

Becky Bace, chief strategist, Center for Forensics and IT Security at the University of South Alabama.

When we selected Becky Bace two years ago as one of 10 outstanding women for our Women in IT Security issue, she was cited as a pioneer in cybersecurity research and an early information security program manager, having directed research in information security for the U.S. Department of Defense in the 1980s and 1990s. Since our profile, she has been at the University of South Alabama. 

Have you changed focus since SC Magazine first interviewed you for our Women in Security issue?     

I'm still at University of South Alabama, still serving as strategist for the Center for Forensics and IT Security. We've a new security degree program in place (BS, MS, PhD) in Cyber Assurance, and I'm leading a set of tech transfer to practice workshops and activities supporting NSF-funded academic researchers in cybersecurity who want to transfer their results to use. I'm also mentoring a number of startups in the area, and serving as an advisor to several national-level programs. 

What new security/privacy challenges have emerged since we last spoke to you? Any significant developments? 

A lot of things that are being discussed as new challenges have actually been in discussion for some time in the research community. I see the victim footprint for attacks growing to include a lot more individuals and small businesses than before. I also see more business discussion of issues that need significant investments in R&D (e.g., cryptography in the post-quantum world).

What security/privacy issues have improved? 

Ironically, the growth in losses associated with cybersecurity breaches has raised awareness to levels outstripping our most ambitious predictions of the past - we don't have to spend all our time convincing executive management that security protections are an essential part of doing anything online (i.e., conducting business in this day and age.) There is a lot more discussion of what security and privacy measures are useful and how to apportion the protections between locally and globally provided (the discussions associated with the move of enterprises to the cloud have been especially interesting.) 

How have things changed for women in security over the last year or two? Any progress? Setbacks? 

I see an explosion in the number of activities that encourage girls and women to enter the area. Good news is the sheer number of activities and the publicity they get. Bad news is that I see a lot of programs run by folks who don't understand the area (i.e., knowing how to hack a system is of limited value to someone who wishes to lead a corporate security program or pursue an advanced degree in secure system design.) I also see programs that presume that attracting women to the area is sufficient - the number of departures due to workplace issues worries me as much, if not more.

What advice would you give young women interested in entering this field? 

Go online and start exploring the security world. Invest the time in reading books on the area (we've loads of good stories) and exploring all the different roles you could play in the community. Look for areas that are interesting to you, that appear to be a good fit for your talents and skills, and pursue them as you would a new hobby or passion. Finally, take advantage of all the new gatherings and outreach programs targeting women to learn more - you'll meet folks there who can provide advice and connections to you as you identify and pursue your goals.

Ann Barron-DiCamillo, CTO, Strategic Cyber Ventures 

After a year that saw a major breach at the Office of Personnel Management (OPM), Ann Barron-DiCamillo left her position as director of the United States Computer Emergency Readiness Team (US-CERT) to become CTO at Strategic Cyber Ventures, a venture capital firm that invests in cyber startups. Last year as a Power Player, the Oklahoma native talked about US-CERT's “first-actions list that we have created based on operational events” that ensured when the group had “a real live event, we are always improving. We always look at how we can improve the severity and follow-up of an event. It can take some time to do a full analysis of things, so while we do that, we are sharing information.”

Have you changed jobs/position/focus since SC first interviewed you for our Women in Security issue?

Yes, I'm now a partner and chief technology officer (CTO) at a venture capital firm that invests in cyber companies that provide the capabilities to help cyber operators, that fill the gaps.

What new security/privacy challenges have emerged since we last spoke to you? 

What's old is new again. The continued success of phishing attacks puts the focus on endpoints. You have to protect data where it is and make sure if malware goes splat, it doesn't erode other things. We've seen an evolution of ransomware. It's frightening that watering hole attacks are so difficult to detect.

What security/privacy issues have improved?

There's been a lot of effort to improve information sharing in real time. It has to be bidirectional, you can't just suck down all the information. You have to give back.

How have things changed for women in security over the last year or two? 

One study talked about how the number of women in STEM is down. Hollywood has pushed cybersecurity as a guy in a hoodie who's antisocial. But we're expanding of what you can do in cybersecurity.

What advice would you give young women interested in entering this field?

Be open to the opportunity. One thing helpful to the paradigm shift is taking on additional responsibilities and not just say “no.” Be open to the possibilities of leveraging your experience to help cyber operators. Sometimes you learn how to say “Yes, but…,” knowing what the tradeoff will be.

Latha Maripuri, global CISO, News Corp.

Last year, when SC honored Latha Maripuri as a Power Player, she had just moved to News Corp. to become SVP and global CISO. As we noted, throughout her career she had distinguished herself as an expert on security issues who has honed skills in threat intelligence; data security; governance, risk management and compliance (GRC); identity and access management; mobile security; application security and incident response. 

Have you changed jobs/position/focus since SC first interviewed you for our Women in Security issue?

Still in the same role as global CISO of News Corp.

What new security/privacy challenges have emerged since we last spoke to you? 

We continue to aggressively shift our infrastructure and applications to the cloud at News Corp., which is both helping improve our security program and introducing new security technology for this space.

What security/privacy issues have improved?

Awareness of the importance of security is definitely improving across all levels.  Culture is very key to driving progress across a security program.

How have things changed for women in security over the last year or two?

There continues to be improvement – with a growing number of women presenting at conferences and moving into leadership roles. While we have a ways to go to attract more women into this profession and tech roles in general, there is movement.

What advice would you give young women interested in entering this field?

Careers in security can be very diverse – from strategy, training, analytics, product management, sales, technology, policy, legal. It's a great area for anyone that loves a fast-moving environment that is so relevant in our world today. 

Katie Moussouris, founder and CEO, Luta Security

When SC Magazine profiled Katie Moussouris two years ago, she was the chief policy officer of HackerOne overseeing the company's philosophy and approach to vulnerability disclosure, advising customers and researchers and, as she put it, “working toward the public good to legitimize and promote security research to help make the internet safer for everyone.” This year has brought significant change to the always busy and engaged security pro.

Have you changed jobs/position/focus since SC first interviewed you for our Women in Security issue?

Yes! I'm now the founder and CEO of a new company called Luta Security (lutasecurity.com), named for the tropical island where my mother was born in the U.S. Commonwealth of the Northern Mariana Islands, a beautiful place that is still home to many members of my family. Not only is Luta Security the only company offering gap analysis and guidance on ISO 29147 vulnerability disclosure, and how to implement a vulnerability coordination program (which may or may not include bug bounties), we are also a 100 percent female-owned and Native Pacific Islander-owned tech company.

What new security/privacy challenges have emerged since we last spoke to you? 

The legislative landscape for security and privacy-related laws is becoming a major issue in identifying the right technical talent for review to protect society from unintended consequences like inadvertent weakening of security and privacy. There are still a lot of well-meaning legislators and regulators who don't fully understand the nuances of the technology they are trying to control. One recent example is overly broad language written in a Michigan state anti-car-hacking bill proposal that would, if passed, impose a life sentence for hacking a car, but lacks a mechanism for safe harbor for vital security research. Enabling security research on cars may save more lives than the deterrent effect put in place by that life sentence would. Luckily, the lawmakers behind that proposal have been open to feedback from technical experts. 

But the increase in these types of proposals and the spreading thin of technical experts like me and others to work on them is proving to be a challenge as more of these proposals gain traction not just in the U.S., but around the world. I personally just had to cancel a speaking engagement because I was asked to join the U.S. delegation at a meeting of technical experts to facilitate renegotiating computer security-significant segments of the Wassenaar Arrangement, which I've written about needing to reform in order to protect the internet's ability to defend itself. Balancing the needs of my new company and its growth, versus helping to defend the underlying technical principles of security that are threatened by poorly worded legislation or regulation, is a worthy but complex trade-off.

What security/privacy issues have improved?

Hackers gonna hack, legislators gonna legislate, and regulators gonna regulate. The alignment of well-meaning hackers who want to report vulnerabilities to get them fixed, and well-meaning legislators and regulators who want to protect people from abuse and crime committed using technology, is getting stronger. It's the beginnings of the realization that hackers who hack for defense purposes and legislators who seek to deter crime are likely on the same side, and that our efforts across these traditionally opposed populations should be more aligned.

The rise of new legislative and regulatory proposals has brought more technical security experts out of the trenches to help revise technically detrimental language that undermines the often noble missions of the lawmakers proposing them. This is encouraging in that the sleeping technology giants are awakening and lending their time in part to these efforts. What I hope to see are more experts like me who choose to take on more policy-driving roles from the deep tech side. 

How have things changed for women in security over the last year or two? 

I'm not sure I'd say things have changed much for women in the workplace – security/technology sector or not. For each major company that offers better paid maternity leave, I'd say where are the identical paid leaves for fathers? Why is there still the expectation that working moms are the only ones who are needed at home with a new baby or newly adopted child for an extended period of time? And where is the law in the U.S. to require that parental leave is paid leave? For a civilized nation with our GDP, we have a long way to go to catch up with other similar nations. The thing about supporting women in security, technology or any other profession is that it is not just a women's issue. It's an issue of supporting families, which in turn helps support careers, and that can bring value to any company with research-backed better bottom lines.  

What advice would you give young women interested in entering this field?

Young women (or men or other genders) have a great opportunity to learn and build the security and privacy technology that our connected society needs. I give the same advice to everyone who asks me: Take on new challenges, don't be afraid to try something you've never done before, and believe in yourself. People may tell you that you're wrong, or lack the experience, or that something you want to do has never been done before, and therefore it will fail, or is already being done by someone else, so don't bother trying. But then again, the great tech successes of the last 30 years – think Apple, Facebook, Uber as examples – have shown us how wrong the status quo naysayers can really be. After all, Microsoft said it would never pay hackers a bug bounty in exchange for vulnerability reports, and yet I never gave up, and now I even got the Pentagon to do a bug bounty program. So believe in yourself, acquire the knowledge and experiences you need to build your dreams, and hack yourself a career of your choosing – in security or otherwise.

Lisa Sotto, managing partner, head of the privacy and cybersecurity practice, Hunton & Williams

If women have done much better in the privacy field than they have in information security [research shows them on par with men in both salary and career advancement], it may be, in part, 2015 Woman of Influence Lisa Sotto mused, because privacy is “more squishy.”

Have you changed jobs/position/focus since SC first interviewed you for our Women in Security issue?

I continue to practice privacy and cybersecurity law at Hunton & Williams.  The field has exploded. While I thought I was exceedingly busy last year, I never could have imagined the frantic pace of the work today.

What new security/privacy challenges have emerged since we last spoke to you?

Our clients' systems are being hit with more and newer exploits of increasing sophistication. This is the new normal and we all need to reconcile ourselves to the fact that the cyber environment is only getting more perilous, not less.

What security/privacy issues have improved?

There are more tools available in the marketplace to detect malware, as well as new behavioral analytics tools. The challenge is finding the right technology for your systems and company.

How have things changed for women in security over the last year or two? 

The field has become much more competitive. That means women are being edged out by men who have recently woken up to the fact that this is a booming field. But many women in this area have years of experience which will make them extremely valuable for years to come. 

What advice would you give young women interested in entering this field?

Do it. Cybersecurity is not going away. To the contrary, more cyber professionals will be needed than ever could have been imagined just five years ago.

Jewel Timpe, senior manager, HPE Security Research Communications at Hewlett Packard Enterprise

Flagged in 2015 as one of SC's Women to Watch for overseeing the teams orchestrating threat research strategies, particularly in malware and information security research, Timpe was also hailed for directing HP's Zero-Day Initiative (ZDI) program, which provides zero-day research to mitigate weaknesses in the world's most popular software.

Have you changed jobs/position/focus since SC first interviewed you for our Women in Security issue?

With the split of HP this past year, I'm still the senior manager for HPE Security Research Communications, but now at Hewlett Packard Enterprise. I continue to lead the research communications team focused on providing world-class security research that builds awareness of the current security landscape, as well as a proponent of sharing threat intelligence. 

What new security/privacy challenges have emerged since we last spoke to you?

No security front has been more active in late 2015/early 2016 than privacy. Our “Cyber Risk Report,” released in February, accurately predicted that the reaction to world events would continue to dominate our conversations. As focused efforts to decouple privacy and security continue, the industry has ongoing conversations on why this is a bad idea and how to best protect citizens' privacy without crippling security measures such as encryption. In the last year we've seen Safe Harbor go away and Privacy Shield come onboard. There are differences of thought on how private information should be handled and these differences span the globe. 

Of course, one of the hottest topics this year has been ransomware, which was also a prominent topic in our report. While not new, ransomware is certainly more prevalent than it has been. Basic security measures – rather than significant developments – are the answer to protecting and recovering from a ransomware attack. First, continual user education on phishing scams so that malicious attachments and links are recognized and not activated. If a successful attack has your data hostage then engage the appropriate authorities and restore your environment from recent back-ups. Do not pay the ransom as there is no guarantee the decryption keys will come, will work, or won't re-encrypt your system at a future time.

What security/privacy issues have improved?

We've seen improvements where the industry stands together against backdoors, we've seen improvements from vendors implementing broad mitigations to address entire classes of vulnerabilities, and we've seen the strong need to get back to the basics of securing the digital environment. Patching, back-ups and user education continue to be the core of security and combat such prevalent issues as ransomware and spearphishing. There's more work to be done, but it has been encouraging.

How have things changed for women in security over the last year or two? 

It's more top of mind and leaders are more aware of the issues, but we have less women in cybersecurity now, according to an (ISC)2 report, than we did a year ago. More and more women are studying information security and considering it for a career, but we aren't doing enough to retain and promote the ones already here. Leaders need to pay them what their skill-level and accomplishments demand in the market – regardless of gender. Given a level playing field, the women aren't any more likely to leave the industry than the men. 

To sum it up, I would say challenge, communicate and compensate. We have raised awareness, now let's move toward improving the environment and actually solving the gap.

What advice would you give young women interested in entering this field?

You don't have to be an engineer to have a great career in security. The hard problems we need to solve take all kinds of backgrounds, experience, training and schools of thought. Come open-minded and eager to make a difference securing our digital world. Find your passion and go do that thing, but do it in the cybersecurity field. 









