Interview extracts from the first volume of an oral history of cybersecurity practitioners.
Kelly Shortridge came to security by way of finance, a student of the industry and its people long before she decided to join them. Knowing the state of the art, and what those working with the state of the art thought about the future, was an excellent way to identify a successful investment or acquisition opportunity. That same knowledge and those connections are equally useful now as she manages product development at Security Scorecard.
Kelly Shortridge: There is no real “average” day in the life of a product manager. To be fair, everyone says that regardless of what they do, but product management has so many moving parts. Very rarely are you working on just one thing. For example, today I’ve been heads down working on a product requirements document for a new feature. That involves thinking about what we want to expose to the customer, what goes on in the back end, and does it fit in with the long-term vision of the product? At the same time, I’m thinking about existing features, taking in customer feedback, working with the customer success team. On any given day I’ll be talking to a wide range of people in the organization and thinking critically about all these pieces and where we want to take things going forward.
For a security person, my background is somewhat atypical. I was working in investment banking, primarily in mergers and acquisitions. There was a senior advisor at the firm where I was working at the time who was very keenly focused on cybersecurity as an emerging sub-sector to cover from mergers and acquisitions. There is this assumption with people who are older, that young whippersnappers can understand new technology better than they can, so I was tasked with learning about the space, meeting people in the space, understanding who the cool, emerging companies were, etc. So, I dove into it, and I stumbled across the offensive side of security, which really captured my interest. I’d say that was the area where I started to expand my network and my knowledge more, which is a little counterintuitive given what I was doing, but I really think it helped me understand threat models and what was going to matter in the future, which was helpful from an acquisitions perspective. After a while I decided that I was done with the finance side because I’d fallen in love with security, so I launched my own start-up and did that for two years. I was chief operating officer at my start-up, and I moved more narrowly into product management, really focusing on building new security tools and making sure we were providing value to customers; thinking about what the market needs—what some of the gaps are—and trying to fill them with tools that solved problems; trying to make the product space a little better, because it can be a little hairy out there.
Who are some of the people who influence your thinking about security? Any special references or go-to books or sources you tap for insights?
Dan Geer’s text files, including the ones from back in the ’90s. It’s rather shocking how they’re still quite applicable today. I refer to him in my conference presentations as the Gandalf of information security, since he can see the threats ahead, and not everyone listens. I’ve learned from people in the offensive side of security. I also like to learn from other domains. I gave a talk recently about the concept of resilience and the idea that you can’t really predict when or where some bad event will happen, but you can assume it will happen, and there are things you can do to prepare for it. We can learn a lot from other domains that have been studying hard problems (like resilience). To my mind, in security we’re stuck in this weird—I don’t know if it’s a feedback loop but …
Yeah, we’re not making a lot of progress. And I think outside thinking and hearing from other domains is useful in that regard. For the past year I’ve really been trying to look to other domains to inform what we do in security.
What are some of the less desirable aspects of working in security?
There is often a desire to “gate keep” in security—uphold barriers to entry into the field—particularly for someone of my “social demographic,” if you will. That, and because I come from a finance background. It becomes easy for people to try to take advantage of my expertise in one area to help them, or not treat me fairly, or in the best manner, because I am an outsider. The ego that plays into that is not great, and I’ve encountered it a few times.
Not everyone in security has the most highly developed social skills. In particular, people are not very empathetic and aren’t necessarily prepared to recognize that: one, they might be wrong; and two, that different sets of skills can be useful in solving problems. This manifests itself at a macro level across the industry in the sort of hive mind we have to problem solving. We’re using the same approaches we have for years and wondering why we’re not making progress. If we looked at examples and techniques from other domains, we might find something that is different, but might also work. We need a greater diversity of thought. It manifests itself on a micro level where people may think that if someone disagrees with them, if they have another way of viewing a problem, that person is wrong because it doesn’t fit their view. You deal with this problem all the time, all day long, so obviously you know what you’re talking about. What value can some example from outside your sub-discipline have? How could skills unlike mine be useful? It can be very counterproductive. Of all the fields I’ve worked in, security seems to have a greater number of people with those kinds of characteristics.
When you look at the industry, what are we doing wrong?
A bunch of stuff. Rock star culture is toxic. It inflates egos, and that helps drive the whole exclude-other-views mindset. It protects people from being called out on bad behavior. If you’re a rock star, there are no repercussions for your bad actions. We need to fix our culture.
As far as most other people conduct themselves, I’d say there is a missing level of professionalism. Victim blaming. “Users are stupid.” “Executives are stupid.” Look at the Equifax hack. People called them stupid for having a CISO with a music degree, but when you look at all the issues going on there, that was the least of their worries. I think we can be pretty childish.
We also focus far too much on sexy things, whether it’s offensive or defense. We give too much weight to small problems and too little weight to big ones. I still follow a lot of VC and M&A activity, and when I talk to people about the latest deals they’re surprised that it’s the boring companies that tend to succeed, rather than the super niche ones. People worship the new and novel and sexy rather than the basics, but it’s the basics that have the biggest impact. Unfortunately, few people are starting companies like that, and fewer people are investing in them.
Investors want their 10x, right?
They want their 10x, but they’re mistaken in thinking that the most likely path to that return is some bleeding edge that addresses a niche issue. It’s far more likely that you’ll see superior returns with something that isn’t sexy. That is, in fact, fairly boring.
There is this prevailing sentiment that we as an industry are a meritocracy. Do you think that’s true?
I think we’re mostly deluding ourselves, to be honest. Look at Call for Papers—it’s very rare that there isn’t some kind of bias in CFP selection. Anonymous submissions processes are becoming more common, which is a good first step, but in conferences and other aspects of the industry, it’s really who you know, and people who don’t have that access are left out in the cold. You see it in venture capital too. There is the notion of the “good old boys’” network, which isn’t necessarily so old anymore, but it’s still very true. There is this established network that can be hard to break into, and by the same token people in the network are artificially held up or promoted just because they’re friends with the right people. You see that in a lot of areas of life, but when I hear people talk about “we’re a meritocracy,” and as long as you’re hacking away and producing good work that it’ll work out … when you look at how people treat each other, that’s clearly not true. We strive for this ideal, but our behavior indicates we have a ways to go.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.