CISO Magazine – Interview of Carolyn Crandall
You have helmed several leadership roles in several companies. Tell us a bit about your journey from the marketing space to starting Marticulate and then becoming a Chief Deception Officer at Attivo. What was the transition like? From core marketing to core technology?
I didn’t originally start out thinking I was going to become a sales or marketing professional. If you have ever played Monopoly, think of the stigma they put on that profession, and as such it really wasn’t top of mind. That said, while I was going to Santa Clara University, studying both electrical engineering and computer science, I took a job as an assistant to the VP of Marketing. This was my first introduction to the high-tech workplace. I ended up in sales based on a bet that I could outsell any of the sales reps in the office. I think my boss at the time thought it was never going to happen, but upon my achievement, he did honor the bet.
My next 2 positions were exclusively sales and only after that did I become responsible for marketing programs. My entrée into marketing was when I moved to Australia to set up an international office for my company, and then again when I took on a channel role, which exposed me to all facets of operations – sales, business development, product marketing, and marketing demand generation and communications. Channels is a less known role than traditional sales or marketing, but absolutely a fantastic way to learn multiple disciplines quickly.
Throughout my career, I have had the opportunity to wear many hats in marketing, product marketing, channel marketing and sales for top tech brands including Cisco, Juniper, Nimble Storage, Riverbed, Seagate and others. I started Marticulate as a means to do additional consulting and gain experience in other types of businesses; it also facilitated philanthropic work. One of the most entertaining projects that I worked on was (early Groupon days) helping a company start an e-commerce site that connected businesses with consumers. I helped them set up their marketing plans, business model, and launch. A technologist and innovator at heart, I love making markets for startups. I currently play a unique dual role at Attivo Networks serving as Chief Marketing Officer and Chief Deception Officer (think technology evangelist vs. marketing con) since 2014. I have been a leading technical and marketing speaker and educator of deception technology, not only for Attivo Networks, but for the industry at large.
Tell us a bit about your role as a chief deception officer. Tell us a bit about the deception technology space and its relevance in cybersecurity.
The Chief Deception Officer title has proven to be not only an excellent ice-breaker (who wouldn’t be curious what that means?), but also a way of not getting shut out from my evangelism role. Often event organizers will veto any marketing or sales titles, which is an unfortunate discrimination. I can thank Jason at Fox News for dubbing me with the title, which has worked out to be quite useful.
As Chief Deception Officer, I have been evangelizing the importance of – and inherent market need for – proven, inside-the-network real-time detection, analysis, and accelerated response for today’s realm of sophisticated cyber-attacks. I work closely with our Technology Office, engineering, and product management teams on defining and positioning the Attivo Networks ThreatDefend™ platform, as well as with customers and partners to determine and deliver the features and functionality they require in a deception technology solution. My personal mission is to educate the industry and debunk the common misconceptions associated with deception: it is not just a tool, but also a strategy for winning against cybercriminals. One that should be implemented in every enterprise as it fills critical security gaps and delivers adversary intelligence that no other tool can efficiently provide.
Deception uniquely brings pre-emptive defense into the realm of cybersecurity by laying traps and lures to deceive and misdirect an attacker into revealing themselves and by increasing their cost of attack. Deception alerts are based upon engagement, which means there are no false positives. A deception environment will also provide a safe synthetic network for studying the opponent and gathering critical adversary intelligence. Threat actors have historically had the benefit of having deception and time to learn about their victims and stealthily complete their attacks. The playing field is now leveled for defenders, where they can now use deception to gather valuable intel, confidently stop an attack, and build a proactive defense to mitigate any attempts to successfully return. Deception has proven to be an extremely effective solution for detecting both human and automated attackers, regardless of whether they are external, supplier, or employee bad actors.
Tell us about your take on the evolving landscape of cybersecurity. Do you think deception technology is the future of cybersecurity?
Technology advancements with IoT, cloud, and the Internet connecting of almost everything are opening doors to new attack surfaces and are offering new network entry points. Technology is also outpacing security, leaving holes for crafty criminals to exploit. Legislation is also falling behind in setting minimum required security standards. To protect a business’s critical data, assets, and viability they will need to find new ways to stay one step ahead of adversaries. This will require a change in strategy. One that moves the cyberbattle inside the network.
It is no longer possible to keep attackers out, making it critical to detect them early, before they can establish a foothold or complete their mission. Advanced deception platforms will play an invaluable role in this transition and in shifting the power back to the defender based on their ability to detect, study, and accelerate the response to an attacker. I do believe that deception technology, used for building an active defense strategy, is the future of cybersecurity. Active defense, defined by Ernst & Young as “a deliberately planned and continuously executed campaign to identify and eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets,” is the next great frontier of cybersecurity.
One of the things that I love about deception technology is that you’re using some of the attackers’ own beloved tactics against them. They will use all forms of social engineering and deception to take over the identification of an employee, using employees’ credentials to navigate access and escalation. It’s rather fun to turn their own methods against them by creating an environment where they can’t tell what’s real and what’s fake. This will cause confusion, slow them down, trick them into making mistakes, force them to start over, and have a direct impact on the cost of the attack, which will be a driver in them quitting and finding an easier target.
For millennia, deception has been used to beat one’s adversary. It is deeply rooted in the playbooks of sports, gambling, military, and law enforcement. Threat deception will deliver the same strategic benefits of better adversary intelligence that can be applied to detect a cybercriminal early and outmaneuver their moves. Given its accuracy and efficiency, it is clear to see the value in having deception as a de facto part of every Internet-connected organization’s security stack. Paraphrased, if you are connected to the Internet and have anything of value, you will want this technology.
What are the top challenges in the space of deception technology?
Debunking the misconceptions is one of the biggest challenges in the deception technology space. For example, a common misconception is that it is no different than a honeypot, which is similar in trapping, but lacks the authenticity, scalability, and ease of operations that are now designed into deception platforms. There is also a belief that deception is only used outside of the network and only for limited research. But, deception-based detection technology is different in that it accurately identifies threats that have bypassed perimeter defenses and are inside the network.
Deception also now comes in a variety of options including decoys that now mirror-match production assets, endpoint, application, and data deceptions and can operate not only on-premise but also in the cloud. Another misconception of deception is that it is a luxury item only for large enterprises with budget, highly skilled staff to operate, and mature security programs. This myth is also debunked in that machine-learning makes deception preparation and deployment easy and automated. Additionally, all alerts are engagement based and provide detailed forensics and attack information so that incident response can be automated. This can save analysts hours of response and remediation time. Proving ROI is also a constant challenge for any security control. With deception, the value comes in early detection, being informed when existing security controls fail, and in the operational management of an alert. Efficiency savings are fairly easy to calculate but assigning a savings amount to early detection or breach avoidance can be a harder dollar figure to define.
Finally, 50 states of the U.S. have established breach notification acts. What is your take on it? How essential, according to you, is breach notification?
U.S. organizations that have suffered a breach currently face a regulatory web that is near impossible to navigate and if a company’s products or services reach into the EU, they must also comply with GDPR for the relevant segment of their user base. This complexity also means that organizations must choose between complete compliance with the most stringent standards or a more piecemeal reporting structure based on widely variable laws. This choice is often dictated by practicality. For example, if the majority of a company’s customers are in California, a state with strict breach reporting laws, it may make the decision to adopt those rigorous practices much easier. In the interim, until we have a federal standard, there are a handful of states that are setting the pace in establishing aggressive breach disclosure standards and protecting consumer data privacy, including California, Colorado, Massachusetts, Delaware, and Utah. Given the diversity and complexity of compliance, businesses would benefit from having one Federal standard to align to.
You have received several other accolades from the cybersecurity space. Coming to a space that lacks gender diversity, how hard was it for you, as a woman, to reach the recognition that you have gained now?
Working in the tech industry as a woman is inherently difficult, even with a deep technical background or degree. Sadly, I’ve found that perceptions about women in the cybersecurity world are even harder to break. This can range from how people interact with me, to acceptance as a conference speaker, to being turned down as a volunteer contributed writer, despite being more qualified than many of their current male writers. I am not a person who typically points out unfairness, but sometimes it can be blatant. I have worked hard in my career to become a CMO that truly understands technology. Our CTO has shared on multiple occasions that I am the most technical CMO that he has ever met. I speak regularly at conferences, write technical bylines, regularly blog on technology, and create and deliver a significant amount of content on product and solution offerings. However, it is irritating when certain organizations automatically rule me out for opportunities simply because I am a female CMO.
Overall, I would not say that it has not been an easy journey. I believe that I am in the position that I am in because it was hard earned and because I did not fear being different or overthink whether I belonged in a room where no one looked like me. I encourage all women to walk with swagger and believe that they do belong there. I find that by doing this, it makes it easier to gain acceptance. I will also share that I was a bit surprised when a male coworker once confided that sometimes he wasn’t quite sure how to act in a diverse audience and that by my appearing with confidence that it took some of the pressure and confusion away. That all said, I do believe things are improving. I also love working at Attivo Networks as I have not once felt that people think twice about gender, race, or religious beliefs. Everything is all based on the impact you can make. It’s quite refreshing and appreciated.
Several research reports point out that the lack of gender diversity in cybersecurity has also been due to the lack of female role models in the space. Do you think you could become a catalyst in changing the trend? If so, have you taken any initiatives so far?
I strive to be a catalyst of change and a role model for changing that trend. New and diverse perspectives are the key to innovation and it is critical for the advancement in the cybersecurity and technology spaces. I am a strong advocate both in my work environment as well as in volunteer activities to help educate and drive the advancement of women in technology.
Attivo Networks has been aggressive in its college graduate hiring program and I have taken this opportunity to bring several millennial women on to the team. I often speak with undergrad and MBA students at Santa Clara University and I have spoken at When She Speaks, WITI, and most recently at the Silicon Valley TIE CMO Inflect event. This helps me build relationships, introduce cybersecurity as a career path, and actively recruit. For our newly hired recruits, we conduct weekly training on cybersecurity, our technology, and how to apply our technology to solve cybersecurity issues. We also encourage the team to participate in external training forums like ISC2, SANS, ISSA, and Cybrary. Notably, my team is ¾ women. I believe I have the ability to retain and continue to attract women because they feel welcome, the company culture promotes learning, and we offer on-the-job training to help them gain additional technical expertise.
We also appreciate that people are learning, and openly provide opportunities for employees to apply their learnings while providing direct feedback on what went well and where they need to focus to advance. I also encourage the women on the team to stretch beyond their comfort zone. I have found that many women want to master an area before they make a commitment to advance. They sometimes tend to shy away from jobs or projects where they don’t have all the skills, whereas their male counterparts tend to be willing to go out on a limb and apply for jobs they are not fully qualified for. Throughout my career, I have always sought out jobs that had scared me in some way. The skill or experience that I was missing presented me with the opportunity to grow and be challenged. I encourage others to take big steps, but to also do this smartly by learning from others who have the skills, taking classes, or reading everything you can so that you become an expert in these new disciplines as well.