As you’re probably aware, the job titles and accompanying responsibilities that fall into the information security spectrum run the gamut—from threat analysts and network engineers to penetration testers and chief information security officers. While there may be "magic" quadrants that define each role and the unique functions that fall into them,Infosec Insider decided to reach out to these subject matter experts themselves to get a better sense of how their professionals journeys have evolved to earn them their professional role today.
Unlike many seasoned security practitioners, Georgia Weidman, Founder and CTO at Shevirah, Inc. and Bulb Security LLC, has spent her entire professional career working squarely in cybersecurity. From the very start, Weidman displayed an entrepreneurial spirit and commitment to pushing boundaries. With her impressive technical acumen, Weidman has gone from running a solo security consultancy to managing a security startup and navigating the chaotic waters of raising venture capital, creating a new product in a new category, and even learning the ins and outs of corporate salesmanship. Infosec Insider sat down with Georgia to hear more about her journey—so far.
I completed the CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition in graduate school. During the competition my team played the role of an organization’s recently hired security staff (blue team) that was under attack. The attackers (red team) were industry professionals tasked with wreaking havoc on our systems. By the end of the competition I knew I wanted to be on the red team.
After that I learned about penetration testing and got a job working in the field after graduating. I made the trip out to “security summer camp” (a.k.a. the trifecta of Black Hat, DEF CON, and BSides) in Las Vegas and saw the sort of reverence given to the speakers. I figured I could do that, so I did some security research and my first talk was accepted at ShmooCon. It was the same deal with security training.
The next big turning point was when I received a DARPA Cyber Fast Track grant to continue my research in mobile security. My employer at the time said I had to choose between the grant and my job, so it seemed like a good time to try my hand at building my own consulting practice.
While I’d built a respectable one-woman show of penetration testing, security research, training, speaking at conferences, and writing Penetration Testing: A Hands-On Introduction to Hacking, I wanted to take things to the next level. In particular, I wanted to move from research projects for other hackers to enterprise-ready security testing products, so I attended the MACH37™ Cybersecurity Accelerator to learn more about business.
When it comes to public speaking and media appearances, hackers either seem to love it or hate it. I’ve always loved it. It’s something I’ve continued to cultivate, and now I’ve been on national programs such as ABC World News Tonight, NBC Nightly News, and was recently featured in a PBS Documentary called Life Hackers.
I’ll always be a technical person at heart, most at home in front of disassembly, but now I’m involved in a lot of other parts of cybersecurity than just the technical bits. I still do security research to keep [Shevirah’s] product cutting edge, and I do consulting work like pentesting to keep the lights on. I imagine most pentesters and security researchers have never pitched for venture capital or had to think much about convincing non-technical people of their value beyond the executive summary on a pentest report.
Half the fun of entering an industry in high demand like cybersecurity is not having to worry about being out of a job and out on the street—and most security professionals probably aren’t worried about where their next meal is coming from—but that’s every day in the startup world.
The biggest challenge has been having to wear so many hats, and I don’t mean my early career penchant for wearing fedoras on stage! Everyone has strengths and weaknesses, but running a successful company has and will continue to push me in so many directions. I’ve had to take my skills from predominately reverse engineering and writing command line tools to graphical user interfaces, licensing systems, automatic updates, and writing the all-so-often-neglected documentation.
Having built a professional product, the next big challenge is closing sales. This is a whole different set of skills. It’s a very different thing to pitch your tool to a group of technical hackers than it is to convince a business-oriented CISO why he/she needs to buy your product to protect her/his enterprise from mobile attacks.
Then there is always the day-to-day challenge of making sure all user feedback is answered, the health insurance is paid on time, and still I need to make time to work on research to keep my skills sharp and our product cutting edge.
In startup life, no day is typical. Luckily, when I don’t have any in-person meetings I can work from home, which helps since I rarely stop working on something. I’m typically working on an update to our product, while at the same time speaking with advisors who have more sales and marketing experience than I do. This helps refine our messaging to resonate with non-technical people who will not be impressed by cool technical things like I might be.
It’s difficult to pin anything to gender specifically. Over time, one starts to see a pattern, particularly when discussing experiences with other women in technology. There’s the usual complaint about being at a speaker party for an event where I am the keynote speaker yet I get asked, “Whose date are you?”
In raising venture capital for my startup, I’ve run into investment organizations that were much more receptive to hearing about our company from our older, male CEO even though I’m the inventor of the technology and a more seasoned presenter.
But instances like these have just pushed me harder to succeed. If I had easily settled into a top security job at a top company with no issues from other team members not respecting my work, then I probably never would have made the jump to running my own company and having the potential to forever change the course of cybersecurity with my products.
On the other hand, when venture capitalists are seeing 200 five-minute presentations per day, if your goal is to be memorable then, like it or not, being the only female presenter makes you stand out. But I did, and continue to, work hard to earn the recognition in the first place.
Coming from the Mach37™ Cyber Accelerator I’ve gotten to know a good group of technical founders who have solid ideas for security products. The biggest challenge we seem to have is securing venture funding. Unlike consulting, where you finish a job and 30 or so days later you receive a check for your work, at product companies, a lot of time and money must go out before any comes in.
The startup community fondly reminisces about the mystical days when seed stage money was available for people with ideas so they could build their ideas into reality. Today, not only do you need an enterprise-ready product but also enterprise sales to finish a small seed round.
Additionally, it seems like much of the startup community is looking for business experience and skipping over the technical skills and experience necessary to make great leaps and bounds forward in our industry. In cybersecurity, with a vast community working on research projects and moving the state of the art forward, the business side needs to recognize that technical founders can learn about business, and that is just as valid a way to manage a successful startup as the other way around.
The perimeter has been shattered. People don’t work the way they used to, in an office, sitting at desks, working on a corporate-owned workstation, communicated on a controlled network with a well-defined perimeter. People work from home, from client sites, on airplanes, and in coffee shops. They use laptops, cell phones, tablets, smartwatches, even connected cars and Internet of Things devices to do their work.
Unfortunately, security hasn’t kept up. Most security testing, be it anti-phishing behavior modification, vulnerability assessment, or penetration testing still focuses on the traditional enterprise with the fixed perimeter and corporate controlled devices. Shevirah is part of a new generation of cybersecurity companies that bridges the gap between the old and the new paradigms. Practitioners need to move forward as well.