I’ve been described as a unicorn, which I’ve taken as a high compliment: young woman in information security that specializes in human security and behavior modification.
Tell me about your early years and where you come from.
I grew up in Minnesota. My dad is actually an IT security guy, so sometimes I joke that I never had a choice with my actual career path. It was pre-destined. I had, to my peers, the most wonderful childhood. My dad taught me how to build my first network because we wanted to play Quake against each other. Some kids would come home from school and do math exercises with their parents. He was like, let’s learn how to build your own website. I had the most awesome website that was devoted to Space Jam and had the Quad City DJ’s song actually playing on it. I think it probably still exists somewhere, and I hope no one that I work with finds it.
I actually learned about security from my dad through trying to thwart his efforts to keep me safe. I was really interested in Harry Potter and Harry Potter discussion boards. And he, being a concerned parent, was like, “You’re talking to strangers, I’m not so sure about this.” So I would actually go down to our basement at night and set up a computer on a segmented network so that he couldn’t find out about what I was doing, and ride my bike up to the local library to use the computers there, because I understood how he was getting around all of my efforts. So it was a really great exercise in learning about security, which I think helps me in my job now, because I’m always trying to think from the user’s perspective and about how they’ll intentionally or accidentally circumvent all the controls that we put in place.
But at that time I didn’t really understand what I wanted to do in life and thought I wanted to be a lawyer. So I went to do my undergrad at Saint Olaf College, a small liberal arts school in Minnesota. I majored in sociology and anthropology when I was at St. Olaf, because humans, and human behavior, and how we all fit together is really what interests me. I got to take fun classes, from the anthropology of mood-altering substances to learning about studies of crack dealers in Harlem, and how they ended up in that slot in life, and how many of them had actually tried to have jobs in the city, but encountered racism and classism that eventually drove them back home, where they ended up taking on these jobs. Then I went on to law school, thinking that was still a good path for me at the time. I discovered very quickly that I hated it, and a wonderful professor told me that law school is like a pie eating contest where the winner wins more pie. So if you don’t enjoy the pie you’re eating, you should probably consider getting out now.
That’s a good analogy.
I’ve made friends there and they’ve all graduated and they’re like, that is exactly true. I decided at the end of the first half that I was going to leave and started looking at other programs to transfer to. Also, fun fact about law school: if you quit at any point in the year, if you go back you have to start over at the beginning of that year. So you’re always better off finishing the entire year if you think there’s any small, tiny chance that you might ever want to go back. I started investigating other programs. There were cyber security programs that had popped up at the time in New York, but I was also engaged at the time and my significant other got into his PhD program in medieval history back in Minnesota. I checked out the University of Minnesota’s programs and they had a brand new program in cyber security. So I applied to that one. We both got into Minnesota, so we went back to Minnesota. Three months into my program at the University of Minnesota—and this was a really quick transition. I ended law school like the third week of May and started my master’s program the first week of June. Three months into the program, I started working at The Toro Company, the lawn mower and irrigation systems people, as part of a security team of three—Chris and Cary, both men and both still friends to this date. But it provided a really great experience for me to take everything that I was learning as I was going through school and apply it at work, and then take everything I was applying at work—or going on at work—and apply it back to school. School was an interesting experience in that I was younger than everyone by a good ten years, and there were only three women in the entire class.
In school too? Wow.
It turned out to be really great for me. Everyone was so far ahead in their careers that I learned a lot of skills that are just becoming valuable for me now, even though I couldn’t really recognize it at the time. So school was going really well, I got to work, and I was given several different projects. One was working on implementing single sign-on within our environment. Another was a pen test remediation, where I had to go to the different groups and get them to sign off on changing whatever had been found within the report, or accepting the risk. Then I also had security awareness thrown onto my plate. Security awareness, if you’re doing your job right, means that all of the employees within an organization have a base set of knowledge on how to protect the company’s information and then also themselves, physically. Although, traditionally, it is more focused on the data and information protection side of the house. So, I had never done this before. I really loved it, and I think the program, I guess it would be considered now, is really the perfect marriage between my behavioral science background and my security background, because you’re trying to change behavior about security. I took the project and really ran with it, and actually at school at the same time, I had to identify what I wanted to write my thesis on. I was like, “Well, I should probably write it on something that I really like.” So, I chose to go with security awareness. Connecticut has the largest cluster of Fortune 500 companies in the country. I reached out to my fellow practitioners at the surrounding companies to see if I could come in and do one-on-one interviews with them to find out how they did their programs and how they judged their success, and what were the components. Then, if they would allow me, to administer two surveys—one to their security staff and a second one to their whole employee base—to ask them: had they learned anything from the program? Did they like the program? What components of the program did they interact with?—to kind of form a best-in-practice report, which was the end result. Much to my surprise, a lot of people actually said yes, even though people are generally pretty secretive about their security programs. I took all the findings, wrote the report, graduated from school. At that time, I shifted over to the Target company running their security awareness program. I made it there three months because it ended up not being a very good culture fit.
Yeah, wow. Dodged a bullet, huh.
Yes. Absolutely. One of my professors in my graduate program set me up with someone who became my mentor at this time, and in working with him, he had contract work for me to do for some companies when the Target time was coming to a close, and it became obvious that we had enough business to actually make it a full-fledged business. So we formed a company called Secure Mentem, where I got to build programs for companies big and small. Netflix was the first client that I signed, and I had a lot of fun [chuckles].
Just Netflix, no big deal.
Their program, it’s a funny story. I went to speak at a conference in LA and I was in line getting a salad. I’m super clumsy and spilled my salad all over—who turned out to be the CISO of Netflix—the chief information security officer. And he’s like, “What are you doing here?” And I’m like, “I’m talking about security awareness tomorrow.” And he’s like, “I’m real interested in that. I want to come to your talk.” And then afterwards—well, he had actually been on his phone the whole time. I’m like, “Oh, he’s not interested. He hated it.” He’s like, “Here’s my card. You should come out and we should talk about how you can help us.” So sometimes it’s just the small actions, spilling your—
Spilling that salad [chuckles]. It’s the secret.
Highly recommended tip if you want to meet someone. So he was my first client. We got really, really lucky. We got an introduction to our eventual investors a couple months into my tenure with the company, and they had just started investing in cyber security companies. I’m like, “This is awesome. We love what you guys are doing. We could see this really working out well for our portfolio companies,” and it was super easy from there. And from everything I learned from other people, like trying to find money for their startups, we had it a little too easy. Ran with the company, continuing to get clients and enroll in programs, for the next two years.
I eventually ended up having a parting of ways with my business partner, and decided to move out to California, and got to work with a really cool startup called Apozy for nine months, building a gamified security platform, and helping them with sales, building out the modules, and helping them find their product-market fit.
And then the opportunity at Uber came up, and I couldn’t turn it down. It was a really exciting job opportunity over there. Now I build the security awareness and education programs for what would more traditionally be known as the information and security team, physical security, threat operations, trust and safety, and privacy. And I take the BJ Fogg model of behavior change into account. If you want people to change, you need to give them actions that are small and easy to do, that they’re highly motivated to do. So if we want to take a look at phishing, for example, the employee needs to know what it is. And you build infographics. You build videos. You do a workshop, having them come in and teaching them how I would structure sending out a phishing email to the company. Asking for volunteers from the group, looking at their public social media profile and telling them, “If I were a hacker looking to spear-phish you, these are the elements that I would use to craft my email for you.” And then turning it around to the group, and having them partner up, and write phishing emails for their partner as just like a way of thinking about it from the adversarial perspective. For physical security, it’s building trainings on de-escalation, what to do if you’re in a heated situation, if a fraudulent rider has been—or a driver has been taken off the account, and they come to our centers to complain. Like, how do you have a more meaningful, peaceful conversation with that person? And then working with trust and safety on evangelizing the work that their team does to build safety features in the app, so that we know internally everything that we’re doing to protect our employees, our riders, and our drivers, and how we communicate that all publicly as well.
What about internationalization? All of that to take into account—different cultures, everything?
Yeah. I’m super excited for all the internationalization I get to do this year. Aside from BP, Uber is now in more countries than any other company in the world. 67 countries and 360-plus cities.
That is wild.
We’re opening an office in Pakistan. It’s crazy, but also exciting.
What are the biggest motivators behind your work?
Protecting the trust in our company and protecting our people. If we have a breach—separate it into the different groups. If we have a data breach, our riders and our drivers aren’t going to want to use our platform anymore and the company as a whole could fold. Look at Ashley Madison. The nature of that company is very different than Uber’s, but after their breach they pretty much don’t exist anymore. From a physical security perspective, I want all of our people around the world to know what to do if they’re in a situation where they could get hurt, whether it be from a bad actor or a situation of a natural disaster. Everything that I’m doing is to protect the company and protect our people. Moving beyond that, it’s to protect our riders and our driver partners.
You’re in a subset of infosec where young females are very rare.
Yes. Even more so than tech as a whole.
How has the process been building your own name and your brand in the industry and how are conferences and speaking and events for you as a young woman who stands out?
It’s been mixed. I’ve been fortunate to have some really great mentors along the way who have kind of given me a road map for self-promotion—telling me right away, like write articles, get them printed, become a thought leader. Speak at conferences. These are the conferences to speak at first. If you get into these ones you will have no problems speaking at other ones going forward. And all of that has turned out to be true. Surprisingly, none of these mentors have been women. Speaking at conferences or just being at events, I’m often mistaken for being a marketer or someone’s daughter or their significant other, which is insulting in its own right. And then, oftentimes when they find out that I’m neither of these things, they take it as an opportunity to flirt with you or tell you about the time they got the best blow job, after they’ve compared you to their daughter or someone their daughter’s age. I could probably spend all hour talking to you about those encounters, but that’s not why I’m here [chuckles].
I’m sure that’s just the tip of the iceberg.
Even within my job, when I’ve had issues, like trying to set up technical systems at work and I’ve been interfacing with our dedicated support person from Company X, I was asked at one point to speak to my male manager because “I clearly just wasn’t going to get it.” I went in and got my male manager and he was like, “The problem is not with Samantha. The problem was with your system. I told her to call you to fix it. You will find a way to work with her, and your manager will be hearing about this encounter.” So, I’ve been lucky in that regard to always have strong support. But I often have to go to conferences or events with some sort of buddy designated that I can either, like, have some sort of signal for or text to come rescue me when I inevitably get cornered by some creeper.
Is a lot of your work based on best practices that you have been fortunate enough to know early in your career? Or is a lot of it just total problem solving from scratch?
It’s kind of an amalgam. I’m able to draw on best practices from the learning field as a whole, but the security awareness space is pretty new. There’s not a lot of people who do it. I would say less than 200 around the world. So some of it I’m able to draw on learning models in different studies, and then applying it to security. I like to draw on the concept of making the familiar strange. Taking this concept that is familiar to you (security) and being able to see it from your employee’s perspective: this strange and new concept.
Aside from working in your sub-set of tech, how has it been being in Silicon Valley for you?
Kind of—I don’t know. My answer would probably change depending on the day. In some ways it’s a little refreshing. There are more women out here than women in tech in the Midwest or women in tech out east. It feels like women are treated a little better and differently out here, but in other ways it’s always been challenging, because I’m a Silicon Valley outsider coming in, even working at Uber. A large portion of our people worked at another tech company before they came here. I was like, I’m the odd one out that came from this small startup that no one has heard of, so trying to impress upon people that I do have a legitimate background is sometimes a challenge.
Interesting. That’s surprising to me for some reason maybe because you’re already speaking and you’re obviously doing the work and it’s interesting that you’re having to deal with that outsiderness even though you’re obviously deep in tech.
They don’t know that I—well, that creates another interesting divide. I don’t know how to go into a room and be like, “Hey, I had my own company doing this for many years, and I was funded, and I speak.” I don’t know how to naturally bring that up in conversations, so unless they go do research on me on their own—I know I’m not alone. I think with us women in general that self-promotion piece is really challenging.
Is it just assumed that you’re non-technical?
Well that’s the other part of what I do. Within the security community, security awareness is a hotly contested subject. Either people believe in it or people really don’t believe in it. The studies have shown 90% of all data breaches start with the human failing, usually in the form of a phishing attack. So you can put all this great technology in place, but if I as a hacker can send a phishing email or socially engineer your people, it doesn’t matter what you put on your computer. I win. Not everyone believes in that though. They want to believe that technology will be the answer, but throughout history that has shown to not be the case. Look at the Trojan Horse and all these other historical examples where, if you’re able to bypass these controls, you win. So even within—my team at Uber is great—the industry as a whole, not everyone considers security awareness practitioners to be real security people.
How do you think your background and life experiences impact the way you approach your work?
I think my anthropological and sociological background has really taught me to try to think about things from other people’s perspectives and practice more empathy. I think it’s really easy in security and technology to assume that everyone thinks like you do and to put out materials that are in line with how you want to be taught or spoken to, not realizing that that way might not resonate with your audience, or you’re using jargon that just goes over someone’s head. So I always try to take that 400-foot view and look outside of our narrow scope, not only in our communications but in the way we roll out technology, in the way we’re trying to train people.
As I’m now building a team, my experiences are definitely going to impact the way I try to mentor my people. And then, it impacts the work that I’m planning on doing as well. I think there are a lot of ways that the women in the security community could welcome new people, where right now, a lot of the most vocal women focus so much on the negativity that men bring, that they themselves make it seem like everything is just all bad in security for women, when that’s really not the case. I think taking a more positive approach in talking about our experiences and our cause would probably incentivize more women to want to join.
Where do you see yourself in five or ten years? Do you think you’ll still be here?
I hope to still live in the Bay area. I have dreams of being a chief security officer or a chief information security officer. I think Uber is putting me in a really good place to learn and grow and find out if this is even what I really want to do, or it would definitely allow me to pivot to wherever seems to be the next role for me. I know I definitely want to stay in security.
What advice would you give to folks from similar backgrounds to you or girls who are interested in infosec?
It depends on where they’re starting out from. Security people love to talk about what they do. Reach out and have lunch with someone and pick their brain on the kinds of work they do, and, like, the vast amount of opportunities that there are within the security space. Even within my team we have data scientists who do security. We have people who do incident response. We have people who do security research. We have people who do security operations. We have people who go and hack our app. We have people who deal with setting up the basis for security, like on our networks. And then there’s people like me who do security behavior. There’s a ton of opportunities within this space and it’s constantly growing and changing. So, even challenge your assumptions of what the actual security space has to offer. And then find a person who has a role that sounds interesting to you, and ask to shadow them for a period of time. And then don’t be afraid of the lack of women in the space. Like in every field, there are some really quality people. There will always be detractors, but there are people who want to foster you and bring you into the community.
© 2016 Techies Project, All rights reserved