Women in IT Security: Influencers
Women in IT Security: Influencers

Donna Dodson, chief cybersecurity adviser, associate director for cybersecurity, IT Laboratory, National Institute of Standards and Technology (NIST)

When Donna Dodson first became interested in security, there weren't any cybersecurity courses to be found and the definitive book for security pros was Dorothy Denning's 1982 tome, Cryptography and Data Security.

Since then the topic has continued to grow as has the role of the National Institute of Standards and Technology (NIST) where Dodson is chief cybersecurity adviser and the IT Laboratory associate director for cybersecurity.

“It's a good day when you learn something new at work and every day I'm learning something new here,” she says of working at the NIST.

The organization of late has become the darling of cybersecurity – in large part because the NIST Cybersecurity Framework, while voluntary, is the de facto standard that organizations comply with to reduce cyber risk. The standards body has gained the reputation of working with different factions to come up with standards and best practices that are doable.

“I think we at NIST work very hard to have collaborative relationships with industry, other government agencies and academics,” Dodson says. “We listen, go back and process what we hear.”

The organization is also trusted by the cyber community. “Everything we do in cyber at NIST is open and transparent,” she says.

NIST has also moved toward developing standards and practices that “recognize technology is critical but has to be applicable to the business community.”

The pace of the industry keeps Dodson both busy and satisfied.

“Used to be: talk encryption and vulnerabilities on the bits and bytes level, she says. "But now we're bringing it into the business space. That's what we're doing differently today.”

 “I'm fortunate to work with the whole cybersecurity program at NIST," she says, adding that she is most proud of her good team for taking the work seriously, and not themelves. "We work on projects in a collaborative manner," Dodson says.

She has watched the National Cybersecurity Center of Excellence grow from no staff (workers were originally borrowed from other entities) to a center with 15 federal employees and a research and development center with 50 employees, run by Mitre with 30 industry partners.

Among the great influences she cites are her first boss at NIST, who she says helped establish a cybersecuritiy foothold for her and pushed her well out of her comfort zone many times.

Dodson emphasizes that it takes diverse backgrounds to solve problems. “I would like to see more women in this space,” she says, musing that she has never has to stand in line for the ladies' room.

"Cyber affects us all and it's not going to be solved by one individual or organization," she says. – TR

Kristin Judge, director of special projects and government affairs, National Cyber Security Alliance

In the world of cybersecurity it's more often the case than not that the CISOs, cybersecurity researchers, white-hat hackers and others are handed the headlines. But, by giving these folks center stage, other, equally deserving people, may not receive the recognition they deserve.

To some, Kristin Judge personifies this group of people. Judge does not work on the bleeding edge protecting companies and organizations from hackers, but the work she does as director of special projects and government affairs for the National Cyber Security Alliance, and other organizations, where she leads the way in awareness and education on cybersecurity is just as important.

“As we continue to understand the critical role of end-users in the security ecosystem, it is important to also highlight those working in the education and awareness space,” Ben De Bont, vice president & CISO, IBM Watson & IBM Cloud, says regarding Judge.

Her current position is centered on teaching consumers, government officials and those in the corporate world on how to protect sensitive data, people particularly at risk because they are not familiar with cybersecurity.

“The population who are not IT professionals can find cybersecurity and technology intimidating," Judge says. "When a person starts out intimidated by security and feels encouraged to change their behavior, I feel like I am making a difference."

This is a role she is well situated to handle having received her masters in education and masters in counseling from Arizona State University, in addition to a BS in education from Northern Arizona University. But the deciding factor that helped maneuvere her into the cybersecurity world was when several local high school students in her town became the prey of an online predator.

“Our community is highly educated, but the parents seemed defenseless against this new threat coming into their homes," Judge says. "I was fortunate to sit next to a cybersecurity leader from the U.S. Department of Homeland Security at a national conference, and he asked me to help support his outreach and education efforts for elected officials on this very new topic at the time. From that moment on, I realized the need for cybersecurity education and became an advocate,” she says.

Now, her position with the NCSA allows Judge to proselytize for cybersecurity in a variety of ways, including speaking engagements, workshops and writing columns.

“The work I do at the NCSA is truly public service work, not much different than serving in elected office. Every day, our team takes on the responsibility of educating parents, kids, businesses, government and others about how to stay safer and more secure in this new and sometimes scary world we now live in,” she says.

The effort put forth by Judge and the NCSA is not lost on those who are in the trenches fighting cyberattackers on a daily basis.

“What sets Kristin apart from most security executives in my experience is that Kristin's ultimate goal is to help normal people understand the reality of cybersecurity, the implications and how best to protect themselves,” De Bont says. "This is her motivation and I admire it, especially as it is so often missing in our industry as one (often myself) becomes focused on protecting critical infrastructure or building a new security product or service."

In addition to Judge's work with the NCSA, Judge is co-chair of the National Institute of Standards and Technology: NICE Workgroup Workforce Management Subgroup, which works to facilitate, develop and promote cybersecurity workforce management guidance and measurement approaches to create a culture where the workforce can effectively address the cybersecurity risks of their organization. Judge is also a member of the board of advisers for the Center for Cyber Security & Intelligence Studies at University of Detroit Mercy.

“Our team is making a difference every day, and being a part of such a dynamic group of people​ is rewarding,” she says. "On a larger scale, being a part of the national 'family' of cybersecurity education and awareness professionals inspires me everyday. There is a true public-private partnership in cyber that I enjoy being a part of." – DO

Emily Mossburg, principal, Deloitte & Touche

As student at Northwestern, Emily Mossberg decided to get a degree in environmental science rather than computer science so she didn't have to take two coding classes. There's more than a little irony in that.

In her first job right out of school she went to a consulting company that put her through six weeks of intensive coding training. Later, at Deloitte & Touche, she again found herself in an intensive six-week coding program, which she put to good use as a consultant.

When former co-workers eventually formed another company, called Exalt 2000, they lured Mossburg from straight-up tech to security. “I had a tech background, not security, but they said come over,” she says. Her former colleagues promised to get her up to speed so she jumped ship and went to security.

She quickly understood that transactions and data needed to be secured. “I thought this is not going to go away,” she says, and immersed herself in infosecurity.

“This space has changed tremendously,” says Mossburg, who has risen in the ranks at Deloitte to principal of Deloitte Risk and Financial Advisory Cyber Risk Services. “Our first conversations about security were quite narrow and siloed and it was a component of IT.”

Now, cyber issues, cyber risk and cybersecurity “are at the forefront,” she says, explaining that clients across the board, no matter the industry or size, find themselves in the crosshairs of attackers. Deloitte's clients are dealing with pervasive attackers, Mossburg says. “In some cases, it's not even your enterprise they're interested in; they might be using your network to get it.”

And the threats have become more visible throughout organizations, stretching to the C-suite and boards, the latter of which often demand quarterly updates. “They want to be educated, to know the risk,” Mossburg says.

She says she's proud of the challenging and collaborative work with her clients, as well as the risk practice that Deloitte has built.

While she says that she's always been the kind of person who doesn't believe gender matters, she readily admits she's in an “area where there are significantly more men than women,” noting, as do many women in cybersecurity, that it's “not significantly abnormal to be the only woman in a meeting.”

But she's quick to point out, “I don't think it's a hard space for women, there are no barriers, it's not intimidating.” She sees more women interested in cybersecurity and risk, something she credits to the media and others who raise awareness of the opportunities in the space.

Mossburg also credits mentors at Deloitte and Exalt for encouraging and shepherding her along the way, including Ed Powers, a Deloitte national leader. “He gave me the opportunity to lead and grow our Resilient practice,” she says. “His having trust in me and my ability gave me the opportunity to lead and grow the business.”

As the dialog continues to change in cybersecurity, cyber risk becomes more important and women can take advantage of that, she says. “A new risk angle comes into play when developing a new product or service and there's a shift in the stakeholders and in the conversation on impact,” she says.

“Women like to focus on areas where communications is a key element of the space,” Mossburg contends. How to tell the story with the right level of detail, and to the right people, so decisions can be made about risk will be tremendously important, she says.

Facilitation and collaboration roles will likely attract more women who can “bridge the gap between the intersection of the technology elements and what it means to business,” says Mossburg. – TR

Roberta (Bobbie) Stempfley, managing director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University

While she acknowledges she's worked at great places throughout her 20-plus years in the security industry, it hasn't been an easy road for Bobbie Stempfley. She has had to fight to have her voice heard – over and over, she once told an interviewer.

"I've learned to persevere and be stubborn, and not judge people too harshly when they make a mistake," she says graciously.

And, her efforts have bolstered support of public interests concerning cybersecurity. In more than two decades of experience at the Department of Defense, the Department of Homeland Security and as director of cyber strategy implementation at The MITRE Corporation, she has led strategy efforts and helped organizations – whether government or private sector – evolve their comprehension of the junction between strategy, policy and technology.

Her mission at MITRE was improving the technology used every day and applying it to government services. Her positive attitude and good cheer came through in her public statements about how she faced the challenge of improving the government's efforts in delivering services to improve efficiencies and streamline efforts. It also comes through in how she speaks about bringing different individuals together from various disciplines to iron out problems. Indeed, her willingness to consider varying viewpoints – what's she's called a "diversity of thought" – propels efficiencies and advancements.

As far back as 2011, during her five-year stint at DHS, her efforts to educate small and midsized businesses so they could evolve their cybersecurity plans to better protect themselves, their employees and their customers, were proving effective and ensuring changes. She made certain to promote resources available for cybersecurity protections connecting the private sector with resources being offered by federal partners to the DHS, including the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC).

But, with a move this year to become managing director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University, she says her greatest accomplishment this year has been focusing on bringing technical and policy aspects together. "We've long been trying to solve the cyber issue as though there is a right answer, but really there are many answers because there are many questions."

She has been acutely focused on two things, she says. "The first is engaging on the false choice between security and innovation. The technology is and must evolve quickly, and security technology and concepts should not be pacing factors in this evolution. Both are necessary, and it is possible to have both."

The second aspect is continued focus on the workforce. "Not just focusing on growing more skilled individuals, but recognizing that what we also need is more diversity in this field. We need deeply technical individuals, we need individuals who think like the adversary, we need anthropologists who understand how humans function, etc.  We need to increase the participation of women and underrepresented minorities.”

And, she carries her advocacy to draw more women and underrepresented minorities into the STEM workforce, cyber in particular, with her work on the board of the Cyber Diversity Foundation. She serves too on the board of the Armed Forces Enterprise Infrastructure, as well as on the Global Cyber Alliance Technical Advisory Committee.

When she first started in the field, she was regularly mistaken for the administrative support in the office, she says. "I remember vividly a piece of advice given to me by a senior engineer at one of my first jobs. He warned me about admitting I knew how to type for fear I'd be responsible for typing up everyone's work. I was grateful for the advice and took it to heart."

Unfortunately, she adds, some version of this happens at many levels. She points to a recent example where a colleague questioned whether she was the right person because an interview was on a technical topic. "In this field, the challenges facing women include recognition of technical skills, and of leadership skills, but it is further exacerbated by male-dominated rhetoric (battle metaphors, teenager in a hoodie) and associated stereotypes. It takes a great deal of perseverance, a willingness to be firm, some thick skin, self-confidence and humility, and a sense of humor to be successful. And a willingness to expect a great deal from yourself and the men and women around you."

She credits a number of mentors who, she says, have been very important to her path and who she continue to leverage. She singles out Dawn Meyerriecks, Jane Holl Lute, Bruce McConnell, Harry Raduege, and Betsy Hight. "I also rely on reverse mentoring to ensure that I'm not only pushing myself, but I get a clear view of what is happening from all different perspectives in an organization. Anyone who will be truthful with you and will help you see yourself and the situation clearly is very useful."

She adds that she takes the most pride in watching those she has mentored, led or encouraged succeed in the face of the challenges inherent in this domain – whether it be helping someone find the right role for their skills and watching them bloom, working through a technical challenge that seemed insurmountable, scoping and executing research as of people as they work on the graduate degrees, or seeing someone take on a stretch assignment when the opportunity presents itself and growing. "Taking that time to help support others, women and men, has just grown the talent available," Stempfley says.

From 2010 to 2015, she was deputy assistant secretary in the office of cybersecurity and communications at the U.S. Department of Homeland Security, and before that she was CIO at The Defense Information Systems Agency.

Andy Ozment, the DHS assistant secretary for cybersecurity and communications (CS&C), at the time Stempfley was there, commented at her leaving: “From my vantage point at the White House during those four years, I watched CS&C grow dramatically in size and capability. Bobbie deserves much of the credit for that evolution." He credited her with shepherding the department through numerous reorganizations, her expanding CS&C's role in the federal cyber mission, her strengthening of the CS&C's emergency communications mission capability, and her success in advocating for an increased budget for CS&C each year, despite the austere budget environment.

In March 2017, Stempfley was named to CyberScoop's inaugural list of 2017 Top Women in Cybersecurity for her work to improve collaboration and information sharing within government and the private sector. 

Stempfley has a B.S. in engineering mathematics from the University of Arizona and an M.S. in computer science from James Madison. – GM

Caroline Wong, vice president of security strategy, Cobalt.io

When it comes to the topic of women in security, Caroline Wong is not just a woman who happens to work in security, but someone at the forefront of attempting to boost the number of women in the field.

Wong's day job is vice president of security strategy for the crowdsourced pen test firm Cobalt.io, but her spare time is spent as a LIFT Mentor at the Executive Women's Forum (EWF), where she mentors graduate students and industry practitioners on information security and career topics. The EWF has not let Wong's efforts go unrecognized, awarding her the 2010 Women of Influence Award in the One to Watch category.

She has also recently begun serving on the security/privacy program committee with The Grace Hopper Celebration of Women in Computing.

“In a world where there are not many women leaders in cybersecurity, I have seen Caroline take on a chief of staff for information security role at eBay, a security strategist role at Zynga, a security product leader role at Symantec, security initiatives leader role at Cigital, and now a VP, security strategy role at Cobalt.io,” says Rinki Sethi, senior director of information security at Palo Alto Networks and a colleague of Wong's.

In addition to using her spare time to mentor others, Wong is also an author who just published her second book. “This year I published my second book, Crowdsourced Pen Testing for Dummies. The book contains a detailed analysis of how the application security industry has advanced over the past few decades, and explores options for how to approach a variety of different testing scenarios,” she says.

Wong has a B.S. in Electrical Engineering and Computer Science from the University of California at Berkeley and a certificate in finance and accounting from Stanford University's Graduate School of Business.

Her EE degree, in a roundabout way, led to her involvement in the cybersecurity industry, a business category she was totally unfamiliar with at first. Her path to cyber began by spending a summer interning at eBay working on IT project management. After the internship was completed she asked for a full-time job, but was told there was a hiring freeze in place in that department. However, the supervisor recommended she take a look at a position on the Information Security Team.

“At the time, I didn't know anything about cybersecurity. I literally didn't know what the term “information security” meant, and the night before my interview I memorized the Wikipedia page on the subject,” Wong says.

Evidently, Wong did a fine job memorizing the information and she kicked off her cybersecurity career at eBay where she was chief of staff and manager for the e-commerce site's global information security division and then moved on to spend a few years at the online gaming company Zynga. Here she was the senior manager of its security program.

Wong seems to have found a good home in her current position – one that appeals to her interest in metrics and the application to cybersecurity. “The coolest thing about working for a crowdsourced pen testing company is the data. I'm extremely interested in security metrics and the role they play in justifying appropriate levels of investment in cybersecurity. I've worked with a lot of organizations on metrics to show the value of their application security programs, and the challenge that comes up all the time is that organizations often don't have a single source of record for pen test findings, so they can't get the data to calculate their metrics,” she says.

However, with the metrics that can be supplied with pen testing this problem goes away, she says.

Wong's friends, colleagues and co-workers also point out that Wong is a fun and caring person always willing to take some time to offer advice or make an otherwise dull task fun.

“No matter how busy she is, she always finds time for me,” says Tyelisa Shields, a risk manager at Apple. "My day-to-day work life is changed because of her influence. She encourages me to grow, learn and look out for myself in very pragmatic ways."

Cyber industry veteran John Johnson says Wong has “done it all” during her career, having worked at big companies and small in a variety of roles, and, he adds, "she's also a fun and pleasant person to work with. When we were working on putting panels together for RSA, she was responsive and thoughtful in her approach, always willing to highlight the achievements of others and engage in interesting and occasionally controversial discussion,” Johnson says. – DO