Last time, I had fun talking with Victoria Walberg. She really understands cloud and IoT cybersecurity. This time, I got to speak to Beth Cornils. She has a pretty cool job that involves making IoT cars safe! Kim Crawley: Hi, Beth! Tell me about what you do. Beth Cornils: I am a product manager for an autonomous vehicle company. Prior to that, I was the security product manager at Puppet. KC: What does Puppet do? BC: Puppet handles infrastructure as code, thereby allowing using to automate processes and make sure they are staying in their intended state. We layered on tracking changes and integrating with security companies, such as CloudPassage, Cyberark, and Conjur. KC: Are the cars your current employer produces IoT? BC: At Polysync, we are more in the IoT category. We can build a car for users, but we tend to build the middleware, such as harnesses. In testing, we use joysticks, so I have literally been a back seat driver in an enclosed space while testing code. It's pretty amazing thinking about the math and safety issues we need to take into consideration when assessing autonomous driving. We noticed a lot of autonomous driving companies focus more on the flash. At Polysync, we're working on safety-critical software for producing autonomous vehicles, and providing tools and platforms to enable others to build safer autonomy systems. KC: What are the biggest cybersecurity risks of IoT cars? BC: In my opinion, there are a few things. In order to assess and get it right, you need to get your threat model right – or as right as possible. Cars without autonomy have so many ins already. You need to be aware of those areas like GPS, Bluetooth and personal cell phones. New cars are basically computers on wheels. Add on to that the self-driving aspect, which requires the Lidar, GPS sensors, and the other sensors or drivers to assess where the car is at any given time. All of which need to talk to each other. If you need to connect to WiFi while driving, make sure it's random, at a minimum, and disconnect quickly. Where we sit, we have removed ourselves from the AI piece. This is where I worry about a lot of issues to come in. But we're keeping it as simple as possible, and we're aware of where people can hack in and are continuously improving accordingly. We can get some great tech out there soon. We just need to think of safety first. After all, we are literally creating code where if you mess up, people can die. We are very aware of and take this seriously. Not only that, it's super cool and so much fun to be part of. KC: How did you get into your field? BC: If by field you mean product, it was a long and rambling road. I started out doing data entry, which I hated! I felt there was a better way, so I built a database and had the third-parties send their information electronically. Problem solved. From there, I was a data analyst using AS400s, and I worked at the help desk. After that, I went to a start up called Unicru, where we handled the second largest number of SSNs after the Social Security Administration, did data analysis, and ultimately became a product manager. Databases just make sense to me. I can't explain it. They are just so logical. I was able to keep in my head the application layer's data structure, our reporting data structure, and how they all connected. It drove the dev crazy that I wasn't considered technical as I didn't code, so I didn't have access to the database. From there, I worked for a company that competed with Nielsen. My favorite project was working on the data for Obama's second run, allowing them to save money doing targeted advertising. I'm pretty sure the Secret Service will come crashing into my house if I ever divulged any of that information. But Obama's team was amazingly smart and wonderful to work with. From there, I went to Puppet, where I fell in love with ops and security people and their challenges. I decided to focus on security and how to make the two groups' lives easier, and get developers, operations and security to be able to work together. Here is where I ended up finding an amazing group of women in infosec, some of whom put on TiaraCon during DEF CON last year. There is this realization that tech is 25 percent women, but infosec is 10 percent. That's madness. So it became a passion to help women and under-represented groups feel supported, have a network, and not feel alone in the industry. I was lucky to find some amazing male allies who helped get the word out and who supported the cause with their money and their time. That's a great group whom I wasn't able to help with this year due to personal reasons. They changed their focus to strictly women, as well as a name change to Diana Initiative. Lovely, lovely people. I was lucky to have amazing support from my dev team, CEO Luke Kanies, and several others in the company to learn, build, and get the word out about what Puppet was doing in the security realm. I was basically given free range by Luke to build the security offering. That's a lot of trust. I did not take that lightly and felt honored that he trusted me to do the right thing. For reasons, I moved on and found autonomous driving vehicles. It's such a great problem to solve. There is still the safety and security aspect, and the company I am at allows me to get my hands dirty and learn all aspects of the business. My boss is probably the best boss I've had in my career. The wonders of a 20-person start up. KC: Wow, that's excellent. Given your experience with the Diana Initiative, how can more women be encouraged to enter databases and development? BC: I'm working on another project to do just that. I think the Diana Initiative will continue to be an amazing resource. They do networking, resume work, etc., and I expect they'll continue next year at DEF CON. That's a great resource. I'm also working with a group that's trying to get off the ground called Technology Diversified. Our goal is to help women re-entering the workforce, potential drop-outs, and a broader range of under-represented groups to get the training, networking and potential grants for education in tech and infosec. With Technology Diversified, we are hoping to have some sites, links and easier ways for people to get in contact with each other regardless of location. For me, the best way was to try a few projects, fail, and find people who knew more than me. Participating in groups like Women in Tech or PyLadies. The groups are out there; talk to the people you trust in the industry, and they will help you find a way. But more resources are needed. Lastly, start following some of the amazingly technical women on Twitter. See who they follow and follow them. It doesn't hurt to message someone and ask for advice. But don't take it personally if they don't get back to you. Some of these amazing women get more DMs then they can possibly read. Keep asking. So many people want new people to get in the industry and succeed.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
