In this Security Boulevard Chat we speak with well known security expert, Chenxi Wang. Chenxi has started her own security consulting organization called the Jane Bond Project. Chenxi has a ton of experience as both a security practitioner, vendor and analyst. She is also a champion for diversity in our industry!
Below is the streaming audio of our discussion, immediately followed by a transcript of our chat. Enjoy!
Alan Shimel: Hey, everyone, Alan Shimel, DevOps.com and Security Boulevard here for a Security Boulevard Chat. I’m happy to be joined by our guest, Ms. Chenxi Wang. Chenxi, welcome to Security Boulevard Chats.
Chenxi Wang: Thank you, Alan. Thank you for having me.
Shimel: Thank you. Chenxi, most of our friends in the security business – I don’t want to use the term cybersecurity – but most of our friends in the security business know who you are and what you’ve accomplished in your career. But for some of our listeners who may not be familiar with who you are, would you mind giving us a little background?
Wang: Sure. I’ve been in the security industry for a long time. I started out with a very classic academic career path. I got a Ph.D. in computer science with a specialization in security. Then I went to Carnegie Mellon University. My first job was a faculty member there, researching and teaching computer security.
I did about six years of that and then left to join the industry, and have done a variety of different – both technology positions, also business executive positions. I have been an industry analyst also for a number of years, looking at the macro trends of the industry, covering different security products. I have run products and strategy in solution providers’ companies. I also have advised and consulted with users of security technologies. Right now, I’m running my own cybersecurity consultancy.
Shimel: You say it like it’s just no big deal, but that’s actually quite an accomplishment and many people would be happy to call it a career and say, “Hey, look at all I’ve done.”
As we were talking off-microphone, Chenxi, you recently started your own consultancy, and the name of it is the Jane Bond Project.
Shimel: It sounds to me –
Wang: So –
Shimel: Go ahead. Go ahead, if you can explain it.
Wang: I was going to say that most people would say, “Hey, what is the Jane Bond Project?” The reason that I picked this brand and why this concept is appealing to me is exactly that. It invites people to ask questions. Of course, Jane Bond is the female counterpart of James Bond, where she comes in and she saves the world. So I want to be someone who comes in and saves your world, whatever that world is.
Also, as you know, part of the things I do on a consistent basis is I’m a big advocate for women in technology, so Jane Bond fits that vision as well.
Shimel: It certainly does and that’s perfect for you as well. It fits you.
Chenxi, going out on your own like this and sort of starting your own consultancy, it’s a different mission than being an analyst, which you’ve done quite well, or running strategy for a software vendor. Can you share with our audience some of the things you’re doing as part of Jane Bond?
Wang: Sure. You are quite right that running your own consultancy is very different from running strategy within a security technology company or being an industry analyst. But if you look at the things that I have done in my career, I’ve done a number of different things, which gave me different perspectives of the industry.
What I’ve found now, running my own consultancy, is that those different perspectives that I was fortunate enough to gain through those different positions I had in the past really helped me in getting a well-rounded view of the industry and where different technology fits. So I’m able to provide this fairly strategic market product fit analysis that many of my clients love to have, as well as the to go market recommendation analysis that I think only comes with years of experiences in the industry, both from technology and also from the business strategy side. So I actually think the type of work I’ve done in the past really prepared me for this new stage in my life.
Shimel: Absolutely. Chenxi, of course something like the Jane Bond Project, it has to be in the right place at the right time. We live in interesting times from a cybersecurity point of view, obviously. I’ve been in security a long time, as you have, and we thought it was important 15 years ago, but, if anything, it’s more important now. Do you agree with that or is it just that we’re more aware of why it’s important now?
Wang: I think it’s both. It is more important because we have more adversaries. We have more sophisticated attack methods. We’re also more aware of it. Both of these elements really put this industry in the spotlight.
You’re absolutely right. Fifteen years ago or maybe 20 years ago, maybe a company would buy either Symantec or McAfee on the endpoint and they would have, I don’t know, Cisco or Check Point on the network and they’d call it a day. They didn’t need a lot of other things.
Today, many CSOs have a blank check, so to speak, from their board to acquire whatever security technologies they deem necessary to protect their assets and network and data, because it has become an increasingly difficult proposition.
Shimel: Yes, it really has. You know what, Chenxi? You’re actually consulting to sort of both sides, both security vendors and providers as well as end user organizations. Let’s concentrate for a second on the end user organizations. What kinds of challenges are they facing?
Wang: End users have a multitude of challenges. For one thing, it’s very difficult for a CSO’s team to wade through all the marketing noise and find that one technology or a small set of technologies to really solve their problems. So that’s one.
Second is their problems are compounded, and many CSOs are living in fear that their infrastructure and data has already been compromised and they just don’t know yet. And how do they respond should an adverse incident occur? It’s a very stressful position to be in.
So looking at both of these challenges, understanding, “Where do I go for the most effective, maybe emerging technologies or things that really could help me managing that risk, even if cannot prevent it 100 percent.” That’s where most of the CSOs are looking at, and certainly I work with some of them, to lay out that strategic road map and to wade through the marketing noise.
Shimel: Sure. Chenxi, I was recently speaking to a CSO of a large organization over in Europe. It was specifically around the ransomware stuff that was going on a month or two ago. But the bigger issue that the ransomware was part of was how does he explain to his board, “Look, it’s going to happen.”
No matter what he does, short of being superhuman, they’re still going to have these incidents. It’s not about preventing them. It’s about responding to them. He struggled with getting that across. What do you recommend?
Wang: It is difficult for the board to say, “Hey, I’ve given you a lot of money. How come you can’t prevent incidents like ransomware from happening?”
The threat comes in from many different channels and as an organization your attack surface is large. You’ve got employees who are anxious about phishing e-mails and phishing websites, and you’ve got maybe a compromised third-party, or your contractor who is sending you compromised content and what-not. Every day there are threats coming at you from 360 degrees. It’s very hard to be the defender.
But ransomware specifically, ransomware is a failure of, obviously, protection and detection, but this is also a failure of business processes, because if you have had your data sufficiently backed up, if you have your disaster recovery business continuity processes all laid out very sufficiently, they don’t necessarily need to worry about ransomware. They can come encrypt the data. You’ve got a copy somewhere and you just reinstate that copy, and you don’t need to worry about this particular one that’s been encrypted, and you could just go on with your operations and life.
What we’re finding out with these new ransomware attacks is many organizations, their business continuity and disaster recovery processes were not sufficient, and that really brings a highlight to that. I think if there’s a silver lining in this, it’s that more people are aware of the approach of being more resilient than before. So they now have multiple copies of data stored across different infrastructure, with the hope that maybe if one set of infrastructure is attacked, the others can just be brought up online and data continues. Overall, that’s the right approach anyway.
Shimel: You can’t put all your eggs in one basket, because if that basket goes all the eggs go with it.
You know what, Chenxi? That actually brings up another thing, that as much as things change they remain the same. Defense in depth, redundant systems, backing up, these are things that we within the industry have been talking about for a very long time, and they remain as true today as they did then. Do you find that as well?
Wang: Yes. Security, even in the very beginning you asked me, “Is the problem getting worse?” Yes, the problem is getting worse because the attackers are becoming more sophisticated.
But on the defense side, we haven’t done a sufficiently good job to alleviate some of the run of the mill attacks. So security hygiene is still a big problem across different organizations. If you look at some of the WannaCry, the Petya attacks, they’re using a vulnerability that is well known, even though it hasn’t been in the public knowledge for years, but it has been in the public knowledge for a few months, which means that if you have a good patching process you would have defended against that particular threat for your organization.
So I think as an industry we have a lot of growth and learning to do, and we better do them fast because the threats are coming fast and furious and we have to step up.
Shimel: Yep. Chenxi, we’re almost out of time. I just quickly wanted to mention your efforts with the Equal Respect Group and the role of women in technology and specifically cybersecurity. I’d love to do a whole other podcast on that. But just quickly, for any women, especially young women who are going to college right now, we have so many more cybersecurity offerings than we used to and opportunities for education. What’s your best advice to give them to break into the industry, to get ahead, to move forward?
Wang: I think if you are a woman, a student or somebody with a different background that wanted to come in the cybersecurity industry, there are a lot of different channels you can come in. The best advice I would say is do not be afraid to take a risk. Maybe you will be doing something that you’re not trained to do or maybe you will have to learn a whole new set of skills, but the reward is there. The industry desperately needs new talents and new, diverse talent as well.
So if there’s anything I can do personally and the group can do personally to help, the place to go is – on Facebook you can search for the Equal Respect Group. We have many, many senior women in the industry, engineer woman as members of this group. So you can join and you can ask questions. It’s a very active Facebook group.
Shimel: Yes it is. Chenxi, one last thing. For people who want to find out more about the Jane Bond Project and perhaps want to engage with you on various activities, where can they get information on that?
Wang: I am not as good at taking the advice I give to my clients . I haven’t taken the time to build up a website yet, but for listeners who are interested in at least talking to me, you can send me an e-mail at Chenxi@Janebond.io.
Shimel: Very cool. Chenxi, for those who may not know, it’s C-H-E-N-X-I @Janebond.io. Correct?
Wang: Correct. Thank you for spelling that out. I forget that it’s a foreign name and not everybody knows it.
Shimel: Well, even if it’s foreign or not, my name is not very foreign, but no one spells that right, either. Anyway, Chenxi, of course the people who attend security conferences, there’s a good chance they may see you speaking there as well. You have an active calendar of appearances, and it’s always a great chance to learn, watching you present.
Anyway, we’re about out of time. Chenxi Wang –
Wang: Thank you.
Shimel: Thank you. Thank you and good luck with the Jane Bond Project. We’ll check in with you again. Also, thank you so much for all you do with the women in technology and equal access group on Facebook. We will speak to you again. Thanks for being our guest today.
Wang: Thank you.