From California to Moscow: 3 Women Leading the Way in IT SecurityMay 14, 2014 by Daniel Humphries
Women in IT security are a rare breed. While reports vary—it’s estimated that anywhere from 11 to 20 percent of the IT security workforce is female—the result is the same: men overwhelmingly dominate the field. This scarcity has inspired organizations such as the (ISC)² and Hewlett-Packard to support scholarships aimed at women to increase female representation in the field, but these will take years to bear fruit.
Nevertheless, there are many highly accomplished women working in IT security today. We interviewed three leading female figures at IBM, Cisco and Kaspersky Labs to find out how they rose up through the ranks to get where they are today, and what advice they have for others looking to do the same.
General Manager, IBM’s Security Services Division
As General Manager of IBM’s Security Services Division, Kristin Lovejoy is responsible for the development and delivery of managed and professional security services to IBM clients worldwide. While it’s a coveted position, it’s not the career she planned—not even close.
Lovejoy majored in English at LaFayette College, and her ambition in those days was to become editor of The New York Times Book Review. Computers, she says, held “zero interest” for her. In fact, she stumbled upon IT security pretty much by accident.
“After college I found myself living in Jacksonville, North Carolina with my then husband and young family,” she says. “After you’ve got a tattoo and gone to the ‘adult relaxation parlor,’ there’s not much to do! The only place to eat is Golden Corral, and there’s a WalMart.”
Searching for ways to fill her time, Lovejoy volunteered to run the local branch of the Key Spouse Program, assisting the wives of servicemen in the Gulf War during 1990-1991. It was often difficult for wives to stay in touch with their deployed husbands, and Lovejoy realized that computer networks could help.
So she raised money to buy computers for the program, and decided to set the system up herself. She read a book on Transmission Control Protocol/Internet Protocol (TCP/IP), the main networking protocols used for the Internet, and to her surprise, discovered it wasn’t difficult to understand. “From there, things started spinning,” she says.
Through a friend, Lovejoy found work at a consulting and training company in Washington D.C. that led her into network engineering. Soon after that she entered an enigmatic phase of her career, working for a U.S. intelligence agency (which she’s not allowed to name).
Lovejoy’s initial focus was on training and network engineering, but she wasn’t averse to getting her hands dirty—one job involved crimping wires and laying lines for networks. One day, however, she was asked to help configure a proxy server and router in order to “block entire nation states.”
Although she declines to say which country she was blocking, Lovejoy says that for her, it was just “a simple configuration—and lo and behold, I was a security expert!”
Since leaving the world of intelligence, Lovejoy has enjoyed a dizzying ascent to her current position. From 1999 to 2005 she was VP of assurance services for Trusecure, then a leading IT security firm, while from 2004 to 2006 she served as CTO, CIO and VP of support and services for Consul Risk Management, a provider of identity access monitoring software that was acquired by IBM in 2007.
Within IBM, Lovejoy’s rise has been swift. Prior to her current position, she was VP of security strategy and then VP of IT risk and chief information security officer (CISO), where she was responsible for managing, monitoring and testing IBM’s corporate security and resiliency functions on a global scale. She also acted as chair or co-chair of several committees, including IBM’s IT Risk Steering and Data Security Steering Committees.
Clearly, formidable computing chops have been crucial to Lovejoy’s rise. For instance, she holds both U.S. and European Union patents for Object Oriented Risk Management Models and Methods—not something many IT security experts can claim.
But Lovejoy says the technical side of her work hasn’t been the main driver of her success. Security is a business function, she says, which means an ability to articulate risk at the business level is essential.
“When people in the field ask me, ‘Do I need a certification? What should I do?’ I say, ‘Take a powerpoint class. If you don’t know how to do public speaking, then take a Dale Carnegie public speaking class,’” she says.
“If you want to be successful, you need to figure out how to communicate to an audience. It’s not about being the smartest security guy—it’s about being able to take complex ideas and communicate them to audiences with different skill levels. IT security professionals must be conversant at the technical level, but also able to communicate in simpler terms with executives at the business level.”
Lovejoy also suggests that women may have an edge when it comes to IT security. “The best security people know how to take risks and multitask—and women are good at both things,” she explains.
“If you’ve raised kids, then you’ve learned how to manage risk. For example, you learn that there are certain things you have to let them do: playing in the yard is okay, playing with knives isn’t. But you’re never going to be able to secure everything. That kind of risk analysis that women do on a daily basis works well in the security field.”
As for multitasking, Lovejoy says IT security requires you to address multiple threat actors that are trying to exploit vulnerabilities occurring in many different places.
“It’s a constant juggling act,” she explains. “You have to look at the business, the employee base, the customers and the services you’re delivering. You have to think about who’s trying to attack you and how to protect yourself or detect issues—and do it very quickly and effectively.”
Senior Security Researcher, Cisco Systems
Today, Mary Landesman enjoys a reputation as a highly accomplished malware researcher. And yet, like Kristin Lovejoy, she not only hails from a humanities background (Landesman majored in fine arts), but also discovered IT security by accident.
Early in her career, Landesman worked for a company that had computers, but no staff qualified to use them—so she took on the task of becoming the resident expert, and in doing so found she had a passion for it.
Landesman studied every aspect of IT that she could, and in the early 1990s formed her own company with the intention of being a provider of general IT services. But her career trajectory changed when one of her clients asked her to investigate suspicious events at his firm.
“A girl working there was being harassed by an ex-boyfriend who was allegedly breaking into the company at night and periodically causing problems with her computer,” she explains. “The police hadn’t been able to find anything, so they called me and asked me to come and take a look and find out if there was anything I could do.”
Landesman discovered floppy discs were infected with a virus that made the employee’s computer unbootable, which sparked an interest in malware and its effects. In 1993, Landesman took a job at Command Software, an early antivirus company.
Her career in malware had begun, but working at Command Software was formative in other ways, says Landesman. The company was “full of women,” ranging from the firm’s CEO to the employees in sales and tech support. “I can now see how tremendously lucky I was,” she says. “I had no idea that a career in [IT security] might not be something that women do.”
Since leaving Command in 2000, Landesman has held numerous posts at multiple companies, including senior product manager at InDefense, malware response manager for FrontBridge, manager of the anti-malware team at Microsoft and senior security researcher at ScanSafe, Cisco and Cloudsafe.
She’s also done consulting work at major IT security firms and was the recipient of a Microsoft Most Valued Professional award for her work advancing consumer security in 2009, 2010 and 2011.
This pattern of change is part of a deliberate strategy Landesman says she conceived at the start of her career. “I set out with this mental image of a pie and wanting to learn as much about each wedge of that pie as I could, so in keeping with my pie mentality I worked in a variety of companies,” she explains. “This has given me a very broad stroke sense of what’s happening in security and what the different drivers are.”
The strategy paid off: among her discoveries, Landesman was the first researcher to identify the Gumblar exploit in 2009, a serious virus that targeted users of Google and Internet Explorer and delivered malware to victims’ computers through hundreds of thousands of compromised sites.
As for the perspective women bring to IT security, Landesman refers to a recent conference she attended where she sat on a panel dominated by women.
“I noticed we were all keenly interested in solving problems,” she says. “That struck me, because at other security conferences [with men], the focus seems to be on finding problems. I’ve come to the conclusion that one of the strengths women bring is that we are more problem solvers by nature.”
Head of Content Analysis and Research, Kaspersky Labs
Founded in 1997, Russia’s Kaspersky Labs is a global leader among antivirus companies. Darya Gudkova joined in 2006 as a spam analyst, rising to the position of leader of the company’s Spam Analysts Group. Today, she’s head of content analysis and research, where she analyzes the current spam landscape and predicts future trends.
Gudkova’s interest in computers stretches back to her childhood—at age 10 she studied the Pascal programming language at a children’s computer club. But like Lovejoy and Landesman, her early academic interests did not indicate a career in security lay ahead. Though she did take courses in math and computer science, she studied applied linguistics at Moscow State Linguistics University.
Gudkova also describes her entry into IT security as an accident. “I just happened to apply for an open position as an analyst at Kaspersky Labs, where they were looking for a person with a linguistic background,” she recalls. From there, “I passed all the steps to my current position.”
Having a background in linguistics has been essential to Gudkova’s career fighting spam. “Mostly I work with content, with texts, so linguistic knowledge is important,” she explains.
While Lovejoy stressed the importance of developing communication skills, Gudkova argues that developing superb technical chops is key for success in any security career. “IT security is a special field where a manager must also be an expert at the same time—not just a good administrator,” she says.
“For example, I’m an anti-spam specialist, so I know everything about spam, its methods of spreading, botnets, tricks to bypass filters and so on. Spammers (like other Internet criminals) are constantly inventing something new, so I have to know the topic well in order to be able to foresee their next step and stop them.”
Gudkova adds that anyone considering a career in IT security must be ready to adapt quickly to a constantly shifting environment. “Since I joined Kaspersky eight years ago, everything has changed—for example, Internet connections, the number of devices that we need to protect and the complexity of threats,” she says.
“Some of my colleagues used to work with machines that had punch cards, while others have never even used floppy discs. The IT industry is developing so fast that we always face the so-called Red Queen effect [from Lewis Carroll’s Through the Looking-Glass]: ‘It takes all the running you can do, to keep in the same place.’”
Meanwhile, Gudkova has a starkly different opinion from her American peers when it when it comes to the role gender plays in IT security. “It’s not important at all,” she says. “The only thing that is really important is your brain. Mostly I work with my computer, and there’s absolutely no difference, whether I’m a man or a woman.”
However, Gudkova notes that she sees more women in IT security in eastern countries than in western. “This seems strange to me, since western countries are considered more feminist, and eastern cultures are supposed to be more traditional,” she says.
It’s an interesting observation. In the former USSR, engineering was a very prestigious career that attracted women as well as men. Could this be a legacy effect of that educational emphasis? Possibly, Gudova says, but she can’t be sure: “I would also like to know that!”