Women in IT Security: Power Players


Ebba Blitz, CEO, Alertsec

When Ebba Blitz was hosting Dragon's Den, Sweden's version of Shark Tank, she was often inspired by the eager contestants who would come on the reality show with hopes of building themselves a business empire.

That life-changing experience would ultimately persuade her to chase her own entrepreneurial ambitions on a full-time basis. Flash forward eight years later, and now Blitz is CEO of Alertsec, a cloud-based encryption provider protecting the data of small and medium-sized businesses.

Transitioning from Alertsec's president of U.S. operations to its chief executive in January 2016, Blitz has become the official face of the Palo Alto, Calif.-based company, which was founded in 2007 by her husband Fredrik Loevstedt. Her ascension has come at a time when IT professionals are pursuing encryption with vigor, hoping to avoid the repercussions suffered by prominent data breach victims such as Yahoo. And no wonder: a “brand perception study” that Alertsec published last year showed that out of 1,200 Americans surveyed, 29 percent said it would take them several months before they could trust a company again after a breach, while 17 percent of men and 11 percent of women said their trust would be lost forever.

Blitz now finds herself in a perfect position to address such issues, leveraging her past experience as a tech journalist, event moderator and television personality in Sweden. In her LinkedIn profile, Blitz notes that she covered the Silicon Valley tech sector “during the peak of the first IT boom,” as she strived to “understand the spirit of entrepreneurship in the U.S. at a time when Swedish tech companies started to make a mark in the world.”

“I think – or at least I hope – my background from TV actually helps me to simplify very complicated issues such as IT security,” Blitz tells SC Media. “I think that's such a big part of what I do, to really try to communicate and have people understand what IT security is, where data resides, where it needs to be protected, and why.”

Such skills are critical when conveying the benefits of encryption to business managers who may not be tech-savvy enough to grasp the science behind it, but are certainly capable of understanding the advantage of minimizing risk. “We have gone from a situation where IT security has gone from a cost of doing business to actually the cost of staying in business,” Blitz explains.

Alertsec was created as a spin-off of sorts from Loevstedt's original product, Pointsec Mobile Technologies, which was acquired by Check Point Software Technologies in 2007. That same year, Blitz joined Alertsec as a founding board member, while continuing to cover the tech sector as a writer and public speaker.

But it wasn't until Blitz began hosting Dragon's Den in 2008 – watching inventors and developers first-hand as they realized their dreams – that she began viewing Alertsec in a different light. “I just felt so much connection with the entrepreneurs,” says Blitz. “I was all teary-eyed, because it was so close to me. I could feel their passion.”

These interactions with aspiring business magnates would plant a seed, eventually convincing Blitz to set aside her communications career, move to the U.S. in 2015 and go all-in on building Alertsec into an encryption leader.

In the past year under Blitz's watch, Alertsec added a new monitoring solution for SMB companies to ensure that their third-party partners are encrypting vital data, and also began supporting two-factor authentication for administrators. She also filed a new patent for what she cryptically promised would be a technology that completes a “missing piece” of the security puzzle for businesses (she did not further elaborate).

But, according to Blitz, the need for encryption has never been greater, especially as organizations feel pressure to comply with regulatory guidelines, such as those established by HIPAA. Among the most significant regulatory additions, she notes, are New York state's new cybersecurity requirements for financial institutions, which went into effect in March 2017. “I think that regulation will probably spread to the rest of the U.S. because that looks at not only the responsibility you have if you're an enterprise, but [also] your third parties,” says Blitz. “So you are, in fact, responsible for people outside of your immediate IT infrastructure.”

One might suspect that leaving Sweden, where Blitz was once tasked to host a young leadership forum at the king's palace, would result in a bit of culture shock. But Blitz has embraced the change she encountered in America, where business, she says, moves at a faster pace.

“It's just a very different culture, I must say,” says Blitz. “I appreciate both, but I just love it here.” – BB

Jing de Jong-Chen, partner and general manager, global security strategy corporate, external and legal affairs division, Microsoft

There's a photo of Jing de Jong-Chen and the rest of the Microsoft Windows 95 launch team that once prompted her daughter to marvel at her mom's prominent placement front and center.

While de Jong-Chen proudly touts her role in bringing to market Microsoft's seminal operating system that married MS-DOS and Windows, she points out that save for the front two rows and a couple of sparse spots on the side, the photo mostly features men.

Being surrounded by men, sometimes the only woman in the picture or the room, wasn't unusual more than two decades ago when de Jong-Chen led the team responsible for launching Microsoft's seminal OS.

Still, she has been able to distinguish herself among the ranks at not only Microsoft but in the cybersecurity industry as an expert in cybersecurity policy focusing on U.S.-China relations.

Like many security pros, de Jong-Chen feels like she was “in the right place at the right time” and she found her career migrating from IT to cybersecurity over time. “My career can be put in two buckets – product development and then dedicated to cybersecurity,” she says. With a degree in computer science and an MBA, de Jong-Chen joined the ranks of Microsoft when it was a relatively young company with only 6,000 employees.

It was there that she saw computing go from desktop standalone to something more interconnected. And, it is where she learned, particularly in the lead-up to the Windows 95 launch and subsequent frequent upgrades, how to get things done quickly and efficiently. She learned how to collaborate, persuade and bring disparate groups together – all skills that would provide the underpinnings of a gradual move to cybersecurity.

The impetus to switch her focus to security came in the wake of the 9/11 terror attacks and a wave of high-profile malicious viruses that disrupted the internet and served, she says, as a wake-up call to countries around the globe that they needed to protect what was increasingly becoming a “highly connected IT infrastructure.”

The next year she joined the company's Trustworthy Computing group in the advanced strategy and policy division and begin to develop her expertise and influence. As vice president of the nonprofit Trusted Computing Group (TCG) her work on global standards would eventually become well-known.

She's found tremendous support within Microsoft, where she has been respected and promoted for her expertise. “I came out of Windows and Java and people had a certain regard for that,” says de Jong-Chen, noting she did “hard project work early on.”

“You have to have people who advocate and empower you,” she says. “In the culture at Microsoft at the time, people could get into what they wanted.”

She witnessed a shift at the company as security went from an afterthought to “a mandatory requirement for Microsoft to ship product with security,” she says. “The entirety of Microsoft started looking at security as a requirement.”

These days as de Jong-Chen mulls the future directions of cybersecurity, she also pitches in to advocate for women. She leads Microsoft's Women in Security group, which was created to promote the professional development of women employees. And she does work with, speaking publicly, at the Executive Women's Forum (EWF). In 2014, she received the EWF Women of Influence Award.

De Jong-Chen sees a lot of opportunity for women in cybersecurity and notes that women may be “drawn to work associated with major causes.”

“When I got involved, I believed that cybersecurity is a cause we have to protect,” she says., “Women need a certain sense of why are we doing this. It's not just salary but it's important that women can and should consider what helps motivate them.”

It is as important, she says, “as a human being to have meaning in life.” – TR

Emma Leith, head of cybersecurity & IT risk, corporate business and functions, BP

Originally entering the cyber field as a security consultant, Emma Leith made a mark analyzing the key security risks to the retail banking environment while providing a PCI DSS gap analysis, security risk assessment and remediation for a global airline solution provider. These efforts led to stints at Barclays and Deloitte where she continued to lead efforts in security, privacy and resilience practices for global retail banking institutions. Her next stint was as principal information security manager at the Royal Mail, where she managed the risk and vulnerability management program.

Accumulating a number of certifications throughout her career, prior to her current position at BP, Emma's previous role was CISO for IST (Integrated Supply and Trading), essentially BP's trading arm, and moved to her first position at BP in August 2011 when the company needed to consolidate roles in order to streamline its security leadership.

Leith says she feels very privileged to be working for BP. "Since joining BP five years ago, the Digital Security team and I have accomplished a great deal. The security function has been transformed and I am very proud to have played a pivotal role in its transformation. Cybersecurity is now a regular BP board room topic and recognized as a very high priority by senior management."

People actively want to have conversations around cybersecurity with her, she says. "We have partnered very closely across the business to ensure the value we bring in mitigating risk and protecting our operations is fully recognized, and we are seen as an enabler and not a blocker or irrelevance."

In her career, she sees her greatest accomplishment being her ability to tackle a variety of skills and areas of technical expertise. "From reverse engineering cryptographic modules for FIPS 140-2 validations to presenting to and inspiring the C-level suite in BP."

On a personal level, she says that this year she was delighted to have been promoted to director while working the least number of hours in a working week than she has in years. "It is about being effective while recognizing the importance of being kind to yourself by taking a break, having fun and sustaining the habit of an optimum work-life balance."

Cycling to work is one example of that, she says Building and leading a strong and capable team is always front of her mind, she says, and one which she sees as the most important part of her current role.

"Emma is both a strong security professional and leader," says Gillian Cinnamon, a British security consultant. "She is a strategic thinker of independent mind, she is talented at bringing out the best of her team by demonstrating inclusivity and confidence in each individual, and she brings integrity to her decisions. Throughout her career, she's proven herself to be an outstanding security professional with a sharp focus on the necessary detail within the wider context, and so is a real asset to the industry." 

From the early days of her university degree in mathematics and computer science to starting out a career in IT, Leith says she has been in male-dominated environments. "Since an early age, I have had the drive to push my preconceived boundaries and work to the best of my ability."

Being a minority as a woman in these environments never crossed her mind, she says, or was something she only considered on occasion. "I have faced challenges from people around me – from woman as well as men. Typically, it was people doubting my credibility before they knew me or my work. Or assuming I had been promoted by the sheer fact I am a woman. I have never let this affect me."

If anything, she adds, it only made her stronger and more determined to prove her worth. "I now see it as the other person's insecurities and not mine."

She points out that she has been very fortunate to have worked with amazingly talented people throughout her career. "I will always be indebted to my first manager when I worked in IT support. One weekend over a slice of pizza during a server upgrade he asked, 'What do you really want to do, as you can do so much more than this.' I scratched my head and for the first time thought I'd like a career that truly challenged me and combined mathematics with IT. 'How about information security,' he said. And I've never looked back."

It is such a rewarding and exciting field, she says, where one can work in deeply technical environments, customer facing or both. "The possibilities for women are endless. BP has helped me to take my career to the next level. Internally in BP and externally in the security field I have fantastic mentors and sponsors who have inspired me to push myself forward and have trusted my ability to take on new challenges and deliver."

All of this, she explains, would never have been possible without the continued support from her parents and family. "They are always there to give me honest and direct advice whether I like it or not!" – GM

Chandra McMahon, senior vice president and CISO at Verizon Communications

Verizon's Chandra McMahon has built a career in cybersecurity by staying curious and never being afraid of the next challenge.

“I love the security field, love the challenges it presents in terms of working with new and emerging technologies and would like to see more women in information security,” she says. “My hope is that we can attract more women so the population of women in cybersecurity is on par with the number of women in the technology field in general.”

McMahon was referring to statistics released by the Women's Society of Cyberjutsu, which reported that while 25 percent of computing occupations are held by women, only 11 percent of the information security workforce are female.

Science and technology is McMahon birthright. She grew up in the Dayton, Ohio, area. Her father was a veterinarian and worked for Wright-Patterson Air Force Base as a researcher. And later on in life, her mother earned a degree in computer science and became a computer programmer.

As a student, McMahon was fond of science and math and had teachers who encouraged her in high school. During the summer of 1983, McMahon attended a special week-long women in science and engineering program at Carnegie Mellon that led to her attending undergraduate school at Virginia Tech. McMahon holds a bachelor of science degree in Industrial Engineering and Operations Research and later earned a master's degree in engineering science from Penn State University.

Her first job was working in mission operations at GE Aerospace. On that job, she worked on classified government systems, using tools to analyze mission data. She also did some coding and ran software development teams. Over the years, McMahon also worked in database management, requirements and verification and testing.

“While I didn't start out in security, all the work at an aerospace company such as GE is security-focused, so I've been conscious of security for several years,” she says.

Later on, she moved on to Lockheed Martin, where she ultimately became the CISO and did a stint as vice president of commercial markets. She also worked in the life sciences field for five or six years before returning to Lockheed Martin.

McMahon, who was recently named to Hot Topic's list of Top 100 Global CISOs, started as Verizon's CISO in May 2015 and recently celebrated her two-year anniversary.

She has some definite advice for women looking to work in the cybersecurity field.

Form a personal board of directors. Early on in her career, she identified the people who knew her best and would be willing to help her expand her career. Today, McMahon's personal board is made up of a startup CEO/entrepreneur, a technology strategist, a seasoned finance business leader and a close personal friend who understands her family and personal values. She also takes counsel from a former boss and mentor, another veteran professional CISO and an early career technology professional who works in Silicon Valley. The personal board of directors helps McMahon review her professional and personal goals, extend her network and receive input on diverse perspectives on business, professional and personal matters.

Take risks. McMahon makes it a point to change assignments every two to three years. She tries never to take a job where she has mastered 100 percent of the job tasks, adding that a good ratio is roughly bringing 65 to 70 percent of existing skills to a new job and have about 30 percent be new skills. Women also need to develop business-side skills because with all the high-profile breaches today, CISOs are not just technology people in the back office anymore. They have to present their arguments to top management and have increasingly become an important part of a company's management team.

Get started. Many women who have come into cybersecurity have started from other technology and related fields. She points out that there's practically zero percent unemployment in the security field today and that global demand will outpace supply at every level for at least the next five or 10 years. McMahon believes that there are tremendous opportunities. Every large company needs people to work in the security operations center and there's a need for security architects and people who work in threat intelligence and on the business process side. There's also a great opportunity for women to work on the legal and regulatory side of the business, as well as in the policy area.

Decide which track works best. There's plenty of room for all types, McMahon says. Women more interested in the corporate path can pursue that track, but there's also room for women who want to work from home and focus more on their personal lives. They can do more technical jobs that lend themselves to working from home.

McMahon says the profile of women in cybersecurity has very much increased in the last five to seven years. She points to the Executive Women's Forum, which recently released its Women in Cybersecurity study. And she has praise too for male CISOs, particularly Jim Routh of Aetna; Brad Maiorino, formerly of Target and now with Booz Allen Hamilton; ADP's Roland Cloutier; and Rohan Amin of JPMC, who, she says, have all been very supportive.

“My mentors have been a combination of men and women, but the ones who really cared saw to it that I had business-side experience so I could develop as an executive,” she adds. “What I tell people is to get trained in some aspects of security. Whatever they do in technology it all has to be done securely. If they become developers, they have to code securely, and test and do threat modeling properly.” – Steve Zurier

Michelle Valdez, senior director of cybersecurity resilience and strategy, Capitol One

Securing a corporation from a cyberattack is not a simple or easy process. It is complicated further when part of the necessary infrastructure needs to be built from the ground up.

But that is what Michelle Valdez undertook and accomplished in her current role as Capitol One's senior director of cybersecurity resilience and strategy. Valdez built the division from scratch, including its budget and resource management, communications and awareness, metrics and reporting, cybersecurity resilience initiatives, and cybersecurity capability maturity. 

“She has the ability to help her team members reach their full potential and be strong contributors, even when her team members are challenging to work with and can develop large-scale projects and then break the projects into manageable tasks so that the team can accomplish goals and continually make progress,” said friend and former colleague Roselle Safran.

Dealing with corporate resilience is Valdez's primary passion, at least on the job, and one she is able to pour into her position at Capitol One.

“The reason resilience spoke to me was because I had spent most of my career focused on threat with never feeling like I was truly making a lasting impact. Resilience focuses on impact, which needs to be balanced with threat – so I help my company put those critical capabilities in place that bring that balance, so regardless of the threat, we can minimize the impact of any disruption,” she says.

Her accomplishments at Capitol One is symbolic of her previous efforts. She has multiple degrees, including masters degrees in justice and public safety and information systems technology from the University of Washington and Auburn University at Montgomery, respectively. She then moved on to serve in the U.S. Air Force for seven years, including a stint as operations officer for the Office of Special Investigations, as an analyst for General Dynamics, Department of Defense Cyber Crime Center, and chief of staff of the Director of National Intelligence. She then moved on to CERT Software Engineering Institute where she was a team lead and senior engineer on the Cyber Risk and Resilience Team.

“Valdez honed her ability to create new cybersecurity programs while at CERT, in a role where she was helping support the Department of Homeland Security,” Safran says. "There she played a critical role in designing, developing and implementing DHS's initiative to enable information sharing with critical infrastructure, the Cyber Information Sharing and Collaboration Program (CISCP)."

Valdez says that after leaving the Air Force she took a position at the Defense Cyber Crime Center where she helped build out the brand and the organization, which is where she first gained experience dealing with cybercrime.

“Prior to that, I had no experience in computer crime but knew this was a field that I could build a career upon,” she says, adding that her interest in resilience came when she moved to Carnegie Mellon Software Engineering Institute where she helped support the Department of Homeland Security.

“After spending over two years building a cyber information sharing program for DHS, I took SEI's course on the Resilience Management Model. I knew immediately this was my next adventure. I moved to the Resilience team at SEI and have been working in resilience ever since,” she says.

Safran also notes Valdez's ability to figure out what is coming down the road as another reason for her success. “She has an amazing ability to think strategically about cybersecurity issues, develop plans and then follow through with excellent execution. She can also identify where the industry is heading – or needs to go – far ahead of the curve." As an example of this, Safran says Valdez was talking about the NIST CSF years before most people know what it was.

And Valdez put her prognostication on NIST to good use at Capital One developing a comprehensive plan to mature all of Capital One's cybersecurity capabilities using the NIST Cybersecurity Framework, which was approved by the company's board and regulators. 

Valdez's ability to quickly adapt to new situations also garnered high praise from her co-workers. “I have had the pleasure of working with Michelle in support of our internal resilience program and find her passion and experience in process definition and rigor in support of security controls and requirements to be second to none," says Brandon Young, managing director of cybersecurity framework and risk assessment at Capitol One. "Her background and ability to quickly assimilate the culture to understand how we operate has led to high quality interactions and recommendations that are based in reality and not strictly academic." – DO

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.