When I ask around about who most consistently exemplifies strength and resilience in our industry, the answer is quite often cybersecurity industry veteran Wendy Nather. While we’ve never worked directly together, I have been so fortunate to cross paths with her often with the many different hats we have both worn in this industry. I’m insanely honored that she agreed to be part of the Rising Tides series, and this interview really focuses on human actions–from being sponsored early in your career to how we need more diversity in leadership NOW.

As Wendy looks for her next perfect role and considers ways that we can design better security, details of which are all covered below, she has been on the podcast and speaking circuit, sharing her unique wisdom not only about security but also her unrivaled humor in how she interacts and teaches other people.

The interview below inspired me to want to learn more and do more as a cybersecurity professional, but also reminded me how important personal resilience is when you are faced with some of life’s darkest challenges.

Wendy Nather

Q. You’ve been a model of how to grow in this industry by building a deep skillset, a strong network, maintaining a kind heart, and holding a strong foundation of ethics, for me and so many others. Whether you knew this or not, what do you think are the most important tenets of mentorship–direct or indirect?

A. Well, I didn’t have much in the way of mentorship or training when I started in this field, so I had to make things up as I went along. What I did have were sponsors – men (they were all men) who advocated for me and pushed for my advancement. This was all without my knowledge, as many of my promotions came as a surprise. I’ve tried to carry this forward by taking deliberate steps to help people with skills and talent, no matter where they’re currently positioned.

Q. Your career has been incredible, with internal security leadership roles and vendor leadership roles (most notably with Duo through their huge market exit), working as an industry analyst, which is how I first met you, and you’re on more advisory committees and boards than one can count. What has been your favorite in your journey so far, and why?

A. I feel as though all my roles have been great in that they let me learn something new. As someone with ADHD, my span of attention in any given position is about two to five years, so if I stayed longer with a given company, it was because there was enough change that like a shark, I could keep moving. I do have to say that Duo was exhilarating and inspiring to me, due in large part to the deliberate corporate culture that the leadership built. Once you experience something like that, it’s hard to settle for less.

Q. I remember an old mentor once said to me, “Sometimes you do a job to learn what not to do.” What would you say has been your hardest yet most rewarding lesson in your career?

A. It’s about the people. It’s ALL about the people. I made a lot of mistakes as a young manager that still haunt me, and I try never to forget that your colleagues, customers and leadership can make or break the mission, no matter what the technology or business model happens to be. And it’s not people in aggregate; you approach it one individual at a time. The power and dignity of an individual are paramount.

Q. As of interview time, your LinkedIn has you “in transition” after the latest RIF round at Cisco—which sent a shockwave across the industry. With that in the past, what do you hope to do next?

A. I never know for sure until I see it. Every move I’ve made has been to a new challenge, and there is still so much to learn and figure out in this industry. Some days I think of myself as being at the stage in my life that is called “Vānaprastha” in Hinduism, where I want to use what I have to work through other people and amplify their efforts for the common good. There are lingering hard problems that I’d like to work on, but I’m not good at being specific enough to say “I’d like to be a cyber executive working at X place on Y technologies.”

Q. Last year you spoke on a panel at RSA Conference about “Faulty Assumptions and Magical Thinking in Cybersecurity,” essentially focusing on how so many misnomers about what security needs actually cause more issues. Can you expand on that topic and what you think still needs to be done about it?

A. I was fortunate to join that panel with the authors of the book “Cybersecurity Myths and Misconceptions,” and there are just so many myths in it that they explode, I don’t even know where to start! We can certainly focus on the magical thinking that we as security professionals are prone to; some of it is making our jobs harder. Other faulty assumptions result from our tendencies as humans to sink into fallacies. Today’s contagious illness of disinformation certainly doesn’t help. I’m glad that we have plenty of experts sharing their knowledge in permanent form, and what we can do is keep promoting those reliable sources.

Q: If you had your druthers and could architect a solution that created the most imminently possible risk reduction for humans, what would you prioritize?

A. Wow, that’s a tough one. I’ve played around with the idea of federating cybersecurity, both in the architecture itself and in governance, to push out influence over policies directly where it belongs. But one of the concepts I bring up in talks is one that we won’t necessarily like: it’s to reduce flexibility and choice in how we develop the most important software. Today we don’t have a manufacturing model of software development; we have a literary model, where everyone gets to make up their own version of what we often already have. Safety is critical for many industries, and you’ll see there that “innovation” is strictly discouraged in favor of what is tried and tested. We may have to go there, at least partially, to reduce risk across the board for humans.

Q. How did you get started in cyber in the first place? And why do you stick with it?

A. It was completely accidental. I was running a Unix sysadmin team for Swiss Bank Corporation, and after being on a security-related task force, I was sent to London to run cybersecurity for the EMEA region. I had to figure it out as I went along. I’ve stuck with it this long because it’s a young, open-ended field, and I just can’t resist the pull. 

Q. You’re more than aware of the inequities and gatekeeping that happens in our industry, especially for women and other under-represented groups. What do you wish to see happen in the next one, three, five years to make this a more balanced and welcoming industry?

A. We should not just be talking about diversity, equity, and inclusion (DEI); we should also be pushing leadership. You can “include” as many underserved populations as you want, and you’ll find them all at the bottom of the corporate ladder. We need to create opportunities for them to LEAD. And it doesn’t need to start with promotions, but those should be part of the path. Individual contributors should be explicitly given the chance to own the direction of a project, to put forth their ideas and have them adopted, and to develop their confidence. I didn’t have any management training; I was just thrown into the pool. We can do better now.

Q. I know you speak up so much and do a lot to help others, directly and indirectly, to grow and learn and make cybersecurity a safe career landing. Will you please provide some examples for our readers?

A. I don’t focus on it, but I like to be supportive of the people around me. If someone approaches me and wants to ask for advice, and they think I have something useful to say, I’m happy to do it. I have also tried to hire and sponsor people who didn’t start out in a security role, but who clearly had the innate understanding, ability, and drive to contribute. One person who started out as my personal assistant worked her way up from heading my access control team to leading regional CISOs for Standard Chartered Bank. Another one who started as a temp contractor joined my team full time when I created a role for her, and now runs a major security project for a state agency. I’m delighted to see other people taking over.

Q.  Speaking of speaking, you recently did a keynote at BSidesNYC about how hard the industry works. What was the most important takeaway of that talk for attendees?

A. I think the main takeaway is that we are often making things harder by sticking with conventional approaches to problems that are clearly not working, and that means we should question our underlying assumptions and try something else. Why do we still believe that the main solution for phishing attacks is to deploy ever-changing blocklists in the heads of our users, all in the name of “awareness training”? We already know blocklists aren’t the best way to defend a dynamic attack surface, and we already know what happens when we rely on the fallible organic matter between our ears. If this hasn’t been working for decades, it’s time to re-examine everything.

Q.  You’ve been public about some significant personal strife–your battle with long COVID and the tragic sudden loss of your husband last year. A lot of people would buckle under one of those things, yet you kept going strong. You also said in one social media post that there were people in the community who jumped to action to help you when you needed it most. How did you keep pushing forward and was this community at all a part of what helped you along your healing path?

A. Like everyone else, when tragedy strikes, you just keep going, because what else are you going to do? When your family needs you, it’s not an option to curl up in a ball (although by the time you’re in a hospital, that option feels pretty good for a short time). I have not been able to do everything I felt I should, and there are plenty of days where giving 100% is relative; it means 100% of what I’m able to do that particular day. I don’t know if I’ll ever recover to where I was before I was hit by cancer, the deaths of my parents and husband, COVID, and the loss of my last team. Resilience doesn’t always work that way. But every time someone has volunteered to do something I couldn’t handle, or simply reached out to see how I was doing, it’s made a bigger impact than they could possibly know. Strangers and friends and passing business acquaintances – kindness is everything.

Q. Pretend you’re 22 years old, fresh out of college or even perhaps, like many of us, couldn’t finish college and are starting a career in cybersecurity. What one human skill or consideration MUST you know when you start to be successful?

A. Social engineering – and by that I don’t mean tricking someone; I mean influencing them in ways that help collaboration. Security doesn’t happen in a single team, and convincing others to help move it forward is a skill that security professionals have to use every day. If you want to play at an advanced level, you start to learn the art and science of creating processes and incentives beyond the organization, to regional, national, and global transformation. The rest of it – the ever-changing technology, the threat landscape, and the business cases – you can learn as you go along.

Rising Tides: Alyssa Miller on ‘Do Better, be Better’ and ‘See Past the Technology’ to Advance Cybersecurity

Rising Tides: Christien “DilDog” Rioux on Building Privacy and What Makes Hackers Unique