Last time, I spoke with Kim Wong, a woman who recently acquired a cybersecurity role in Britain’s financial services industry.
Kimberly Crawley: Please tell me a bit about what you do.
KE: I’m an independent analyst, academic researcher, and author. I am also a strategic advisor to certain organizations. Basically, I have three lines of work. I write for WIRED, Scientific American, Financial Times, and for other, more scholarly publications like DEMOS and academic papers. I do strategic advisory work for big multinational companies. I also advise start-ups in the field of cybersecurity, usually coming in early when the company doesn’t yet have a product officer or product management. I help with that, product positioning, by finding their unique fit in the global security puzzle and understanding how the product addresses what the market needs.
I have spoken at TED, TEDx, TEDMED, DLD, CyCon, DEFCON, RSA Conference and for organizations like Google, eBay, GE, Intel, PayPal, Microsoft, Rafael Advanced Defense Systems, The Young Presidents Organization, KPMG, CitiBank, Carmel Ventures, NATO, WIRED, and Singularity University.
I’m also a contributing co-author to the Women in Tech book Tarah Wheeler curated.
KC: Excellent! I’m interviewing her, too. How did you get into cybersecurity in the first place?
KE: Well, that’s a story I shared in my TED talk from 2014. As a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables, and see what happens if I put them somewhere else.
We first got the internet in 1993 in Israel. I was maybe twelve or thirteen and didn’t really know what it was, but I still wanted to get online. So I spent so many hours exploring this world that would never end. Sometimes, I would find password protected websites and get really curious about how to get over those restrictions. I spent a lot of time on IRC, where I met some of the first hackers in my life and also learned English there. I at least learned how to have a written conversation in English through the computer. Later, I met some of these hackers in the real world when I went as a volunteer to a hacker convention in Tel Aviv, Israel. In 1999, I was finding my home in the world.
Another important milestone in my life was the movie Hackers, which came out in 1995. I always talk about this movie because it really gave me an image to match the idea, the calling. It showed me that a hacker could be a hero and she could be a girl! Angelina Jolie was pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment, exactly what I needed to see and hear to understand that it was my calling to be a “friendly hacker.”
KC: What do you think the greatest misconceptions are that people have about what you do?
KE: It really depends. Some people, more conservative organizations, for instance, are afraid I will hack them in person. Hack their phone or their email. Or their website. Some people also ask me to hack people, which of course I don’t do. I’ve always been about using the hacker mindset to find flaws and help fix them, not exploit them.
On the other hand, some engineers or more tech-oriented people I meet ask me where all my CVEs are. Where are the vulnerabilities that I have openly reported. Or where is my Github, and where is my code.
That’s not the type of work that I do as a researcher. I have an academic affiliation with Tel Aviv University, which is why I am called a researcher. For example, I’ve looked at bug bounty programs and the data from leading programs with an economic or business line of research to showcase the value created by these programs for companies that engage in them.
KC: How did you get into contributing to WIRED? Frankly, that’s a dream job of mine.
KE: With WIRED, as with all of the other publications I write for, it’s usually the case that an editor sees my work on TED or they hear me speak at an event. They like my point-of-view and storytelling. So they get in touch with me and ask me to pitch some ideas for an essay or op-ed. If they like my ideas, they publish them. Simple as that.
The way I see it, writing is one more form of expressing my ideas. I don’t blog, so it’s a great medium to share some of my insights about our industry with the world. In my research, writing, and speaking work, my focus has always been about reaching people and connecting people with different perspectives.
KC: What kind of cyber attacks do you feel are underreported in tech media?
KE: That’s a great question. We don’t really hear a lot about the way day-to-day cyber crime affects people’s jobs, reputation, and money.
The media is really focused a lot on the nation-state adversaries such as Russia, China, and North Korea. That’s really interesting. Global politics catches people’s attention, but does it really matter who it is? We should focus more on how the attack happened.
We also don’t hear a lot about crises that are averted, about good stuff. When people find a flaw, get it fixed, save lives.
KC: We should report on successful cyber attack aversions?
KE: Yeah, why not? If there’s public information, what’s there to learn from it?
KC: I think organizations would have to report those sorts of events to us, wouldn’t we? We don’t have sources in every datacenter.
KE: Of course not. But there are cases when outsiders, friendly hackers, and/or independent researchers report a problem and help a company fix it. Some of that now happens in the public eye.
I’d also really love it if companies actively shared more details about how they fixed problems or even how they dealt with them. This is also not something a lot of people submit talks about to security conferences. I just think it would help everyone get safer.
KC: That might work. Have you faced sexism in your career?
KE: Yes probably, like perhaps every other woman in tech. I do think my experience is a bit different since I grew up and had my first professional experiences in Israel, some of it in the Israeli military. My military service, which all women in Israel are mandated to serve at age 18, was very empowering and equalizing.
KC: Do you think there’s less sexism in tech in Israel, then?
KE: Not in the sense that it turned me into “one of the guys.” I think so, and I hope so. I think Israeli women have a stronger starting point, let’s put it that way. There’s a more level playing field for women if they served. I also did reserve service for many years from the same point of view. Equal rights and equal service means equal respect.
It’s also a great way to start a career in information security in Israel. Keep in mind I began my service more than sixteen years ago when there weren’t that many people passionate about the field and not that many companies where one could learn the trade.
KC: What advice would you give a young girl who’s interested in a cybersecurity career?
KE: First of all, I would say go for it! It’s a great field. It’s always changing, always learning, never boring. It has so many aspects and things you can do. Crypto, appsec, social engineering, malware analysis, network, DFIR… so much to choose from! If you’re not finding your passion right away, don’t give up. Change it up; try something else.
My other piece of advice is to go out and meet people. There are now more regional and local security events like BSides than ever before. I co-founded and run BSidesTLV in Israel. It’s easier to attend a conference than ever before.
There’s no doubt in my mind that the community, the industry, is changing. This is incredibly exciting to witness. There are more and more women, more people from all walks of life, ethnicities, genders, backgrounds, ages, finding their place and their voice in this community. One metric of this change is in the featuring and curation of talks at conferences and featuring more diverse speakers which attract a more diverse audience.
KC: Awesome! Is there anything else you’d like to add before we go?
KE: Yeah. It’s important for me to talk about the things I do to give back to my local community in Israel where I started.
In 2016, the idea to do BSidesTLV came to me. I got co-founders, volunteers, and Tel Aviv University on board to support. The first one was 2016, and there were more than 500 people in 2017. I’m looking forward to 2018. Events that are accessible, free or cheap to attend, and include first time speakers are really important for our community and for the “next gen” of talent. All of our sponsors came to BSidesTLV in order to hire talent, which is another indication of how important local events are. I also run quarterly meetups for women in security, which provide them with an opportunity to present technical content and network.
I often go out and speak to groups of younger audiences, girls and boys, about choosing a career in this field. That’s our future work force, and we need it!
KC: That’s excellent. Thank you for speaking with me today, Keren.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.