When a layperson imagines someone who works in cybersecurity, or any area of tech, they probably picture a man. But I'm a female information security professional, and I've had a great time speaking to other women in my industry. Last time, I spoke to Sarah Aoun, who educates journalists and political activists on how to keep their data secure. This time, I have the honor of speaking to Jennifer Sunshine Steffens. In speaking with her, I realize that not only are there women in my industry in directly technological roles but also some of us in corporate leadership, as well. Jennifer is the CEO of IOActive. IOActive is a major cybersecurity services company with many corporate clients across a number of different data-sensitive industries, including finance, healthcare and manufacturing. Kim Crawley: So, you've been IOActive's CEO for nearly nine years. I assume that most cybersecurity company CEOs are male? Jennifer Sunshine Steffens: Yes, August will be nine years. It's been an amazing ride so far. Most CEOs are male, but I've met more women in the role recently, which is a great trend. KC: I've had the opportunity to speak to many women in our industry now, and I think the gender balance might improve. Fingers crossed! JSS: Yes, I'm definitely seeing progress and have met some truly amazing women who are really advancing the industry as a whole. KC: You were also a Director of Sourcefire for four years. Did you learn anything there that has benefited you in your role leading IOActive? JSS: Definitely. I started before we had funding and before we’d hired our CEO, so it was a chance to help build a company from the ground up. It gave me great visibility and exposure to all aspects of the business, and I certainly learned a lot that I’m able to apply to our business every day. We also built the Vulnerability Research Team there, which gave me a tremendous opportunity to get inside the mind of researchers. My psychology degree has been extremely useful in that regard, as well. KC: Do you meet people outside of your company who have misconceptions about what you do? Or misconceptions about what cybersecurity services companies do? JSS: Less now than when I started, but sometimes still – yes. Some people struggle to understand the difference between a researcher and an attacker. As researchers and consultants, our mission is to make the world safer and more secure. When we tackle a new technology, our goal is to work with the vendor to fix the issues and then collaborate to ensure the public is aware of potential threats and how to address them. I think overall people are appreciating researchers more today than in the past and understand the importance and purpose of the work better. In many ways, mainstream media has helped as security is such a common topic now. Far less taboo than it once was. KC: Laypeople assume all "hackers" are criminals, and they don't understand pentesting and cybersecurity research. Is that what you're referring to? JSS: Yes. We don’t think “hacker” is a dirty word. We employ some of the best hackers in the world, and they do amazing and important work that makes organizations, products and people more secure every day. KC: Yeah, I wrote an article for 2600 Magazine about that exact topic two years ago. So, how did you get started in IT? JSS: I got my start in sports marketing actually, and I loved it. But then I was wooed into the shiny world of technology. I really lucked out early in my career at NFR, where the research team took me under their wing and helped me really understand the technology and industry. I’ve been hooked on security ever since. KC: You benefited from a lot of mentoring, I presume. I've spoken to lots of women in information security who have backgrounds as diverse as high finance and sociology. You were in marketing. That fascinates me. Now have you ever tried any sort of ethical hacking? JSS: Yes, I definitely did. And I should note, the technical teams that mentored me early on were all male. They were extremely welcoming. KC: That's great. I wonder how many more people could enter the field if education was more accessible to them. It's a significant problem, and the need for cybersecurity professionals is growing rapidly. JSS: Yes, I’ve done some fun projects over the years, but now I leave the technical hacking to our team. But I agree, access to education and more options for building interest and subject matter expertise, especially at early ages, is definitely a key to curbing the skills, personnel and diversity gaps we have in cybersecurity. KC: IOActive's clients are from a diverse span of industries. Do you have people who specialize in working with clients in one industry or another? For example, medical pentesters and financial pentesters? JSS: We do have people with deep expertise in certain industries and technologies, but we also work very cross-functionally. We do a lot of training to support how our people each want to grow. Additionally, lessons and learnings from one industry are often very applicable to others, so collectively the team and our customers benefit from the cross-pollination of knowledge and experience. KC: One of the issues that a lot of us feel will be a big problem soon is IoT. More IoT devices are inevitable, but if a cyberattack happens to a car or a medical device, it could cause death. Could you tell me how IOActive has prepared for the growth of IoT computing and cyberattack? JSS: Yes, the line between security and safety is blurring quite a bit now, as we demonstrated with our pacemaker and Jeep research, for example. KC: Ooh! Tell me about that. JSS: IoT represents a lot of innovation that enables us to potentially live longer, healthier, happier lives, so we want to support that, but while ensuring that, security is a top priority. We have two labs that focus on embedded device and chip-level research and consulting, and we will continue to grow that team and those expertise to support the industry’s growth and safety. We were able to remotely exploit a Jeep and take control of various functions from miles away while the driver was on the highway. I can have the team send you the video. It was fun but scary. The point was really to wake up the industry and get folks taking security seriously. I’ve been impressed to see how much the auto industry has changed and is actively engaging in security discussions. KC: Do you think governments are lagging behind in regulating IoT? That's a problem that I've heard discussed. JSS: Regulations can be a double-edged sword. All too often they provide guidance and standards that are outdated, creating a false sense of security based on compliance. I think having constant discussions within the industry, sharing information through groups like FS-ISAC and Auto-ISAC, and understanding industry best practices is generally more effective. KC: I noticed that IOActive doesn't use automated security scanning tools like OpenVAS or Nessus. Does that make your company a lot different from your competition? JSS: Yes, our focus is on much deeper testing. Automated tools have a place in the ecosystem, but we focus on approaching things from an attacker’s point of view. For example, chaining together a series of small issues that independently might be minor can often create a critical vulnerability. Automated tools aren’t good at doing that today. Our research is focused on ensuring we stay ahead of the threats and are able to truly help our clients be more secure. KC: I've been writing a lot lately about how fileless malware attacks are becoming more common. I'm also aware of network penetration techniques that evade IDS algorithms are also becoming more frequent. With these trends in mind, do you think machine learning is useful in the antimalware space? JSS: Machine learning is a fascinating topic and certainly a trending topic these days. I think it certainly has a place in the antimalware space, but I would caution that it’s still relatively new and doesn’t have to be an all or nothing solution. KC: Have you heard of an IDS that Lewis Rhodes Labs developed that uses neuromorphic computing? Computers that imitate the human brain may be a more efficient way to detect attacks with fewer false positives. JSS: Yes, I have heard of it and the LRL Cyber Microscope. Having worked in the IDS world for nearly a decade, I think it’s great to see the industry advancing and tackling new challenges. I have not had a chance to look at or speak to any users yet though. KC: It's really exciting! Yeah. I'm glad that you're aware of it. Before you go, what do you think the cybersecurity field can do to attract more women? JSS: I love the programs and projects aimed at young kids, including girls. Supporting the curiosity and “evil bit” early on is a great way to ensure we have a larger pool of women moving forward. I also think it’s important to have strong female role models in the space, provide ways for women to share their experiences and mentor others, and focus on creating environments where various personalities can thrive regardless of gender or background. I don’t think diversity is just about women, but I think diversity is critical for the industry as a whole. KC: How do you think the industry can benefit from greater diversity? JSS: Attackers are diverse. They come from every background, and to think we can be better than them by limiting ourselves to only certain types of people is naive. We need every smart person willing to help in order to solve the really hard problems moving forward.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
