Women Making Waves in Cybersecurity (ft. Kristina Balaam)

Kristina Balaam  00:09

Hi, everyone. Welcome to Endpoint Enigma. My name is Kristina Balaam. I am not Hank Schless, but I'm your host for this episode. For those who don't know me, I'm a senior security intelligence engineer here at Lookout. Today we're talking about something a little different, but equally important:  diversity in cybersecurity. It's International Women's Day coming up, but also we have Day of Shecurity happening March 23. We'll talk about deep security in a minute, but it's a free, women- focused one day conference that seeks to encourage participation of women in security. Joining me today, I have my colleague Victoria Mosby. Victoria is a lookout federal sales engineer. She's also involved in Day of Shecurity as well as the Lookout Foundation. Thanks for coming on the show, Victoria. So let's start with this question. Have you always been interested in technology and how did you get into it? Was it at a young age? 

‍

Victoria Mosby  01:04

Thanks for having me. Oh, Lord, yes, it was at a young age. My first kind of step in technology as it were, I was at home at the time, was about, like, six or eight and my parents just gave me a Nintendo system, the original Nintendo system. That was my first step into things technology. And from there, continued playing video games, and have another system, too –– the first PlayStation. But I got my first laptop around, I want to say, 10. And this was back in the day, when the laptop was about as thick as an encyclopedia. And your only ability to get online was like Net Zero or Juno or Flank, you know, one of those dial up services where if your parents picked up the phone, then the internet went down. But it just kept going from there. And I think the reason I kind of stuck with it and enjoyed it so much was just because it was just something different. It was something fun that had all these different avenues you could veto, do different things on –– you know, build websites for, like, GeoCity websites or Geopets or things like that. So it was a fun time. I ultimately decided in school that I wanted to continue in that vein and I got into… My original degree was in video game… was supposed to be in video game programming.

‍

Kristina Balaam  02:29

I love it. I love the discussion about Geopets, GeoCities and Neopets because that was my first foray into any kind of programming as well. The, like, the Neopet pages and customizing your pets individual page… That, yeah, that did it for me too. So that's awesome. And now, how did you pivot from the introduction to video games and programming and… and those kind of, like, early days, into cybersecurity?

‍

Victoria Mosby  02:59

Well, funny enough, I moved to Maryland. So, originally from Buffalo, New York, for their video game program. Degree was associate's degree out of Montgomery Community College at the time, and was one of the few. This was back when: “Do you know it's really starting to become popular?” And I got to, like, my last two classes in my associates. And I was like, nope, not doing this anymore. Because programming and I have kind of a very love-hate, mostly hate relationship. I can do it. But I just… I was having, like, night sweats and nightmares by a code that wouldn't compile this missing space or the semicolon I couldn't find. And I was just, like… I… This is not, this is not a conductive lifestyle that I can, you know, do. But I was doing an internship at the FDIC Federal Deposit Insurance Corporation. I started in their IT infrastructure branch. And while I was there, I moved up a floor like they moved my desk, my cubicle up to like the seventh floor, which is where,kind of, all the execs sat:  the CIO, the security engineering director, and a bunch of them set up there. And I sat right outside of one of their offices. And I needed something to do. I had kind of exhausted a lot of my assignments out of the infrastructure branch. So I popped my head into one of their offices one day. It's like, “Hey, intern; don't know if it's possible, but could I shadow maybe one of you or one of your folks for a little bit just to get a feel for what you know.” And they were all for it. And they said, “Definitely happy to have you shadow us.” And so I did that for a couple of months and, ultimately, kind of decided that I wanted to move into cybersecurity, and that was right around the time that I made that decision that programming and I just were not meant to be. So I put in a formal request to change offices, as it were, for my internship and moved into the cybersecurity branch. So it was a lot of fun. 

‍

Kristina Balaam  05:10

Nice, that's awesome. I feel like there are a lot of people who have sort of pivoted into cybersecurity from being in an adjacent role and kind of just being exposed to it in a really organic way. I feel like for a long time, a lot of school programs just did not really talk a whole lot about security in general. And so you didn't really have much exposure to it until you were kind of out in the workforce seeing that this is something that people need to care about. So that's really awesome.

‍

Victoria Mosby  05:37

Yeah, definitely, like it was. So the actual IT director at the time, I found that he had a biochemistry degree. Oh, wow, he didn't have… he didn't have, like, an IT degree, but he moved into that space. And like… like you said about schools… It's really special… When I was… when I was in high school, we had an electrical engineering classes, we had programming classes. I went to a vocational school. So we had a lot of different kind of trade classes and stuff like that. But ya know, security was not a thing that anyone talked about. Even in those types of technical classes, security did not exist. But this was also the early 2000s. So security, as I think, the industry really didn't hit its stride until the late 2000s, early 2010s, in terms of it being  a big, you know, industry marketing buzzword, right?

‍

Kristina Balaam  06:34

It's probably why there are so few people in cybersecurity –– to why, as an industry, we're so understaffed. And so now you're… you're working in mobile security, and, you know, what do you like about mobile security that's… that's maybe different from just cybersecurity in general? And what do you find the most exciting about your job?

‍

Victoria Mosby  06:54

So mobile security and cybersecurity as a whole are exciting just because there's always something new, there's always something –– some new threats, or some new tool, or some new way to kind of go about the problem. And when I was at FDIC, I wore a lot of different hats and did a whole lot of different things, from policy work to governance, work strategy, operations, program, buildings, audits, you name it, I probably did. But mobile security specifically, I've always found fascinating. It's just because, I mean, I was I remember having a Nokia brick phone that you had prepaid, you know, minutes for, and that's all you had. From there to the flip phone with your, you know, T9  texting and all that. And from there to, like, your razor, Motorola's, and then the Sidekicks with the push up. So I grew up, obviously… growing up, you know, just seeing the evolution of these phones, but then seeing the evolution of what you could literally do with this phone. It is now, at this point, my oldest cell phone, like all of my test devices, is still more powerful than the original laptop I had. So it's just mind blowing, and it's not going to stop. So for me, I really liked mobile security, because there's just so much to it. And it's still kind of that relatively young technology from a security perspective. So it's also exciting to see what we can do to make it better. Do you know, because networking and all that has, you know, been around forever, there's tools galore, and people have more or less figured out what they need to do for it. It's just you know, doing it. Phones, on the other hand, are still kind of in a new state that not a lot of people really know how to properly defend against them. So that ties into what makes it exciting for my job, specifically, as a sales engineer. It's just fun working with different customers, especially on the federal side, especially since I have a background in the federal side. And I know how outrageously slow they can be and doing things for security, trying to educate them on why they actually need to protect our phones, and why oh, we just do email on our phone. It doesn't matter. Like no, it still matters.

‍

Kristina Balaam  09:19

Yeah, that's such a good point. I feel like for the longest time, people haven't realized that they are susceptible to different attacks on their mobile devices. And you know, everyone, I feel like for the last 10 years or so, if not longer, have thought about using antivirus software on their personal computers. But when you bring up how vulnerable you might be to certain threats on your mobile device, it's like people haven't thought about it, because maybe the technology is still too new. And we're sort of just getting to that point where people are recognizing that it is actually possible to be poned on your phone, and the media is now covering that.

‍

Victoria Mosby  09:54

So that's good. But what about you… What makes your job so exciting? Just for clarification, I love your drop. I love to read intel, especially with the mobile site. So I think anything you guys put out is exciting.

‍

Kristina Balaam  10:10

Thank you. Yeah, I love it too. I love reading all of the research reports that my coworkers put out, I find them all fascinating. I think what I love really overlaps with what you were talking about with mobile security. It's such a new part of the industry. And there's so much growth here. And I also feel like we're progressing so much toward this kind of, like, mobile-first lifestyle; everyone's always kind of connected to their phones, your phone goes everywhere with you. I read some stat that was like 90% of Americans use their mobile devices for at least some of their internet usage during the day. And we're kind of progressing towards it being, like, a mobile-first internet use, at least in the United States. So from that perspective, there's a huge attack surface that so many people don't realize is actually quite dangerous. And you have this device in your pocket that is essentially the perfect espionage tool. I mean, it could record your audio, your camera, your location. It can detect if you're picking up your phone to look at it, and decide whether it's going to basically activate any malicious activity because it knows you're looking at your phone, and it might just kind of wait to put that off until your phone's sitting down. And it can do stuff behind your back without you noticing. And so it's terrifying, but important, that we're protecting our customers and protecting users from those kinds of threats. And then it's also quite fascinating from, like, a purely scientific standpoint, seeing what malware authors come up with next, because they can get very creative. So I love the problem solving. I love the constant puzzles that reversing a piece of mobile malware presents. And yeah, so that's, I mean, why I love mobile, specifically, and especially the work that we're doing here. Which brings us to Lookout. How did you end up at lookout?

‍

Victoria Mosby  12:01

A little serendipitously? I know I said that wrong. But there you go. When I was at FDIC, it's just back in 20… 2014, I went to the Gartner risk summit. And I maybe should backtrack a little bit. I've had Lookout on my personal device since 2007, since, basically, inception –– so 2007, 2008. Because being in security, I'm like, no, I don't… I didn't really have much on my phone to be honest with you. But still, it's like, no, I know what can happen here. So I've always been a fan of the company and what it was doing. It just seemed like the most logical step of putting something on the device itself. So… and then fast forward to 2014. And that's… This is around the time when mobile management, mobile device management, and BYOD really kicked off from a cybersecurity-buzzword-for-that-year sort of deal. So a lot of agencies were looking into how do we handle, you know, mobile devices? And do we let our employees do BYOD? I went to the 2014 Gartner conference. And while I was, you know, walking the floor, there was a booth, and it said Lookout, and I was, like, I know that name and I know that shield. So I went over. And Tim LeMaster, who's my current boss; Bob Stevens, current VP of America sales –– I hope I got the title right –– and one other individual were there. They ran a booth and I got to chatting with them and ultimately brought them to the FDIC to do a pilot. Fast forward a bit: didn't really go anywhere. The FDIC decided they weren't going to do anything from a device management perspective or BYOD perspective at the time. I kept in touch with Tim out of personal just, you know, curiosity, in terms of what's going on in the realm of mobility because even back then that's kind of where I was leaning. And he and I kept in touch over the next three to four years. You know, just occasionally grabbing lunch, catching up on each other as, you know, what we've been up to. And he would pass along different information about what's going on in mobile security, different research that's going on, things like that. So… and then fast forward to summer 2018. I was finishing up a contract that I was working on for the Air Force at the time. And this was right around the time Tim and I were supposed to have our biannual, as it were, lunch and catch up sort of deal. And he had to reschedule because he had to go to a conference but he was like, “Hey, if you're interested at all, we have some positions coming up in the DC office for a sales engineer” and admittedly, I –– in the time that I've been talking to Tim –– I had expressed the fact that I wanted to get in at Lookout. I wanted to get my foot in the door at Lookout because, by that point, I decided mobile security was ultimately kind of where I wanted to go. And I knew Lookout was that company, at least from a consumer perspective, and just, you know, keeping tabs on things. So I thought this place would be a good starting point. And I've thoroughly enjoyed the job. It's amazing. 

‍

Kristina Balaam  15:25

I feel like that's such a great endorsement being a customer, a consumer, and then you know, liking the product so much that you actually want to go in and sell it. That's… that's very, very cool.

‍

Victoria Mosby  15:38

It's definitely been a fun time. So how about yourself? So I want… I understand you actually joined us after a day-long security conference?

‍

Kristina Balaam  15:49

Yeah, that…Yeah, that's right. I had known about Lookout because I went to a local Toronto cybersecurity kind of meetup. I was working in application security managing, basically, Android security for Shopify out of our Toronto office. But I had a really keen interest in malware. And I was doing my own little side projects. And so I knew about Lookout from going to these local security events. And I saw a talk that the threat intel team did on Dark Caracal. And I just thought it was the coolest thing I'd ever heard. I mean, the idea of looking at state sponsored malware, and combining that, like, love of malware research with, I have a history in political science and foreign policy stuff. I'm really passionate about that. So it was really cool to see those two things combined into, like, this technical research. And so then shortly after that, yeah, I heard about the Day of Shecurity events. And I went to that and spent the day with the team and totally fell in love with all of the workshop things that we did, and ended up getting recruited that way. So it was kind of serendipitous as well, actually. Yeah. And speaking of Day of Shecurity, do you want to tell us what that is what it's all about?

‍

Victoria Mosby  17:04

Sure. So Day of Shecurity is, as you mentioned before, it is a woman-focused, women-only conference to essentially celebrate women in IT and cybersecurity and, honestly, in STEM in general. Lookout actually originally started it back… the first conference was back in 2017. Lockout was the founder of it; we've since partnered… been partnering with another firm, Secure Diversity. And it's very much an effort to get more women involved in cybersecurity or IT in general, to show those women who are interested and just may not know where to start, or those who've been in it for, you know, years –– like yourself and me –– that there are others out there and, you know, to come together and kind of share what we all know. And to help those newbies, you know, get on the right track to, you know, figure out where they maybe want to go. So this year's… will be a virtual event… will be on March 23. Registrations are currently open. You can definitely find more information at dayofshecurity.com. The website would have a lot of information. Registrations are open, honestly, I believe up until the day of the conference. And it's completely free. So go for it. There's no reason not to. But I will caveat in saying that it is women only. So unfortunately, fellas, this one's not for you. But we are also always looking for sponsors to…

‍

Kristina Balaam  18:42

Yeah, and it's such a great experience. I mean, I really love this event, because I feel like when you're at a security conference, as women, it's, sort of, you get lost in the sea of mostly men. And it can be really hard to find other women in the industry to connect with. And especially for, like, mentorship and stuff too. Sometimes, it is really helpful, you know, seeing people who look like you doing the jobs that you might want to do and that kind of can help you figure out what area of security you're interested in as well. So I mean, right now, it's a great way to connect with other women in the industry or those who are interested without necessarily being able to all be together in person. So it's gonna be great.

‍

Victoria Mosby  19:21

Oh, and the other thing I should probably mention is that just like what happened with you, Christina, like, we will have… there will be recruiters from the various sponsors on-site. Secure Diversity itself is a recruiting firm, so they will be there as well. And so there'll be a lot of resources available at the conference for women who are looking to get into intel... Yeah, definitely. But as you know, cybersecurity… it, in general –– there to help with that. Actually, we have one track that is actually solely dedicated to, you know, getting your career started and figuring out what your pathing would be. 

‍

Kristina Balaam  19:56

That's amazing. I think that's the question I get asked At least four times a week on various social media channels, so that… that's going to be super helpful. So now, kind of going back to engineering in general and being a woman in engineering, how would you describe your experience so far as women in engineering, 

‍

Victoria Mosby  20:17

It's been fun, honestly, like, I've had a great time. My personal background, like my degrees and all that, are, by and large, more on the, say, the policy governance side than the top level side of, you know, pushing down the letter of the law –– less doing or executing it. But since, you know, being at Lookout, and being in this kind of engineering role, though more of a sales side, it's been a lot of fun, frankly, I've gotten to kind of really build up my technical expertise, my ability to speak more technically and just the people that I've worked with, in general. Frankly, I've had a great time. I am –– well, not anymore, actually –– one of the few female engineers that we have on staff, specifically, from the sell side. We do have more on the actual back end engineering side as well. And obviously, also on intel. But, like, I've had a great time; everyone's been very helpful, very keen to, you know, work with me to get problems solved. Because I think, at the end of the day, in most shops, especially here, it's just all about getting the work done. And, you know, making sure we're all successful. So I've had a good time.

‍

Kristina Balaam  21:34

That's awesome. On that point, just so you know, about being a woman in engineering and just diversity in general, why… why do you think it's so important to promote this in our field?

‍

Victoria Mosby  21:45

Because security is everyone's issue. And I say that kind of making a joke, but also being completely and utterly serious. Traditionally, you know, it's been mostly men that have gone into, you know, a security IT field. And it goes very much along the lines of, you know, when you see the news, or you see movies or things like… you see a certain type of individual in that role. So whether you consciously think of it or not, that's what you associate with that role, which is the nice mundane securities that you… As you mentioned before, seeing other people like ourselves, other women in these roles, it’s “Oh, no, this is open to everyone.” And there's so many different forms and avenues within security that lends itself to, you know, anyone's kind of personal interests or personality types. You know, I'm more, honestly, more of an introvert as a person. But when I'm in my sales role, I'm more extroverted because I have to be. But there are some people who are just, like, that's-not-me paranoid. So that way, there's security research, or there’s, “she's back in engineering,” where you're not dealing with customers face to face, but it is –– it's necessary. Because one, we are being perfectly honest: We're so far behind and so understaffed as a nation from a security perspective. And there's no reason that this should be a man… you know, men's only club for any reason. And you know, women in this field have just as much to contribute and to, you know, offer new insights and ideas as anyone else. That's my two cents anyway. What about you? What do you think?

‍

Kristina Balaam  23:23

No, I totally agree. Completely, completely agree. Yeah, I think it's super important to have different backgrounds and opinions look at a problem from all different angles. The way I kind of think about it, it's a totally different industry. But in the automotive industry, I think about the story where they were creating the first airbags. And quite tragically, the airbags that were… were developed by a team of men that basically created the airbag for the typical dimensions of a man at that time. And so when you had airbags that were deployed around women or children, you know, the specifications were off because no one really thought about who else might be sitting in the car. They came at it… they came at the problem looking at it from their perspective, as –– you know –– men of a certain height and stature and build and everything like that. And so that was a huge problem. That, thankfully, has been corrected. But I feel like there's a lot of that in tech in general. There are so many different problems that require different approaches and different eyes and different experiences to properly tackle. So yeah, I totally agree. We need everybody we can get, so it's important that it's not just one group of people. And now you're also involved in the Lookout Foundation. Can you tell me a bit about your work and your involvement with that group and the types of work that the foundation does?

‍

Victoria Mosby  24:45

Yeah, so the Lookout Foundation is a 501 c3 charitable extension of Lookout as a whole. And through that we do different grants for what we'd like to call random acts of kindness, disaster relief funding in various different projects. So the Day of Shecurity actually came out, or at this point is being done through the Lookout foundation. It originally started in our internal diversity steering committee. But as it grew, we moved it to the foundation to better support it. And this foundation has three kinds  of main thematic areas that we focus on. And below that we do various things. But the three areas are: Women in STEM, data, privacy and internet freedom, and supporting Black communities. That last one is newer. It was a request specific from our CEO Jim Dolce last year, and we are definitely making strides towards that though it has proven to be a bit more challenging than we would have otherwise liked. But that's not to say that there aren't great organizations out there. It's just been a bit harder for us to kind of sink our teeth into it. But specifically, the women in STEM, for instance; that's kind of where the Day of Shecurity really sits. And we are, you know, beyond just sponsoring the Day of Shecurity event. We are also doing, you know, other things. Some of the other programs that we're looking into have been around, you know, sponsoring groups that focus on, well, women in STEM,  care packages, things like that. My personal involvement with the foundation –– I am in charge of the internal communications, which… I say “internal comms” because that's kind of where we focus thus far, but we will be slowly rolling out to external as things progress. I'm also on the board for the Day of Shecurity program. I'm the voting member for Lookout with our other partner and other things they're in. So the foundation is definitely… it's a great avenue for Lookout to give back. And to put more back into just the community as a whole. Versus just say, you know, selling our product. Lookout as a company, through the foundation, subscribes to what's called pledge 1%. That started out of Silicon Valley. But it is essentially tech companies pledging to give 1% of the revenue, 1% of employee time, and 1% of product to external causes, charitable causes, nonprofits, local, say, food banks or disaster recovery relief, different avenues. So we are looking forward to 2021 and doing you know, a lot more than we have in the past and trying to really ramp up and do more fun things.

‍

Kristina Balaam  28:00

Yeah, you guys do so much important work. It's really great. Now, wrap things up. A last but very important question: Do you have any advice for people of color or for women who are interested in getting into the field?

‍

Victoria Mosby  28:15

So I can give a few pieces on it. Honestly, if you're interested in it, continue with that interest. There are a lot of good books on Amazon. But honestly, we have a local library, a lot of those books can be found through them. I know a lot of them are more virtual now, which is also great, because then you don't have to actually go there and wait in line and hope the book’s there. Anyway, I have had memories of this anyway, but actually some more actionable advice: If you're in high school, find your… Say if you have, like, a robotics team or your programming teams, or things like that, a lot of high schools nowadays are starting to pick up on that and do those more often, and at earlier stages. I would definitely reach out even if you aren't in that program, or on those teams. Reach out to, you know, whoever's spearheading them and, you know, express interest. If you are out of high school or you're getting towards your senior year, and you are just at all curious, look into different, you know, colleges. Whether they be community colleges or, you know, larger universities that have cybersecurity programs, forensic programs –– you know, policy programs, things like that –– reach out to the program directors. Or if you can get a name for an actual teacher there, reach out to one of the teachers because the fun thing about this is as an adjunct teacher for any given class, you actually have to work in that field and or have that certificate that that teacher is teaching. So they have to have those credentials to actually teach the class. So reach out, tell them that you're interested but you're just not sure where you want to start or, you know, you maybe want, if they are open to it, you know, maybe they can mentor you, or they can point you in the right direction. There are a lot of resources out there. And as much as I personally am not always the best at talking to people, networking is key. It really… It, honestly, really is, at least especially in those early stages. So I always encourage people to reach out if they can.

‍

Kristina Balaam  30:30

Yeah, I totally agree with that. And one thing I'll say, too, that I know was really helpful for me was reaching out to people that you might be interested in having as a mentor. Most of the time, people are more than happy to help, especially because they likely remember what it was like having an interest in this industry and not necessarily knowing who to talk to. I would say that 99% of people you reach out to would be more than happy to give you some advice, or their experience, or even just tell you what their day to day work is like. And that can really help you kind of figure out what area of tech in general or in cybersecurity that you might be interested in.

‍

Victoria Mosby  31:05

No, you're completely right. I think that's part of the reason. Well, I mean, look at me, I got here because I kept in touch with Tim and he has been a great mentor and just, you know, a good sounding board for different things that I was looking into at the time. So I completely agree with you on that. 

‍

Kristina Balaam  31:21

Yeah, absolutely. Me too. The connections that I made through random conferences… to lead me to Lookout and even before that, getting into application security, by way of another mentor that I knew previously. So it’s… people are more than happy to help. So don't be afraid to reach out. Awesome. That was fun. Thanks for hopping on and hanging out with me Victoria. It was good to talk to you and hear a bit more about your life story. Is there a place for people to get in touch with the Lookout Foundation?

‍

Victoria Mosby  31:51

Oh, definitely. You can reach the Lookout Foundation at committee@lookoutfoundation.com. There's also an external web page on our lookout.com page. I think it's just look out.com/foundation –– “Foundation” or “the foundation.” But yeah, we're always happy to chat, especially if anyone has thoughts or interest in perhaps partnering with us for different partnerships or grants and things of that nature.

‍

Kristina Balaam  32:23

And as you said earlier to learn more about the Day of Shecurity, which is coming up March 23, anybody listening can visit dayofshecurity.com and you can also follow Day of Shecurity on Twitter at @DayofShecurity. And you can also follow lookout for the latest on both LinkedIn and Twitter –– @lookout. Thank you Endpoint Enigma listeners for having me as a guest host. Until next time, it's been a pleasure.