Tessian Blog

Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Swati Lay From Funding Circle
By Maddie Rosenthal
Thursday, February 6th, 2020
Swati Lay, who has more than 20 years’ experience in software development and information security, is the Chief Technology Officer (CTO) at Funding Circle, a peer-to-peer lending marketplace that allows the public to lend money directly to small and medium-sized businesses. Her interest in cybersecurity was piqued at 16-years-old with a course on Number Theory and Cryptography and, having earned her Bachelor’s Degree in Electrical Engineering and Operations Management from Princeton University, Swati started her career at Merrill Lynch in New York as a software developer.  Since then, she’s held leadership positions both at scale in larger enterprises and in higher growth environments, including retail banking at Barclays Bank and gaming, where she was the Director of Information Security at Betfair, what was then a FTSE 250 gaming operator.
Q. Describe your role as a CTO in 300 characters or less.

I’m responsible for all of Funding Circle’s technology capabilities globally.

Q. You’ve been a part of the larger cybersecurity industry for over 20 years. How did you get involved initially?

My first real introduction to cybersecurity was a Number Theory and Cryptography course I took when I was 16-years-old. While I was so fascinated by the subject, I remember thinking that I wasn’t the strongest from a math perspective and that, because of that, I just wouldn’t be able to get a job in this industry. Fast forward several years later, I’ve graduated from Princeton University, am working at AT&T as a Systems Engineer, and I started to realize that there are actual applications of cryptography in the business world. Importantly for me, its application in the business world is more focussed on implementation rather than the math behind it, so I was able to really get my head around it.

A colleague of mine at AT&T moved to Merrill Lynch to an Information Security team and asked me if I’d be interested in coming along. The rest is history! For me, it really was fulfilling a childhood dream.

Q. Why did you initially write off the industry as an option for you?

It just seemed so far out of reach. I didn’t understand what skills were required, in part because cybersecurity really wasn’t its own, standalone industry yet.

What’s even more sad, though, is that’s still the case for many people today.

Despite the industry being more defined than it ever has been, there’s still a lot that needs to be demystified to really get people interested and involved.

Q. If you were discouraged based on preconceived notions about the industry, what skills and interests can you point to that are actually necessary to thrive in a cybersecurity role?

I think people view cybersecurity as a black art. But, it’s really not that obscure! There’s an incredible range of opportunities available, and not all of them require technical skills.

Yes, when you consider more general engineering, technical skills are paramount. But when you think about management roles, you need communication, collaboration, vision, etc.

Then, you look at cybersecurity more broadly. What you really need is the ability to communicate risk in a way that enables decision-makers to do their job.

People don’t always understand the work you’re doing or why it’s important, and that can make you second-guess yourself. That’s why we need people who are willing to do some really deep problem solving, people who are willing to dive into deep issues and not be afraid to have a contrary point of view.

You have to be smart. You have to be disruptive. That’s why it’s so important that we diversify the population of people working in cybersecurity. We need to round out our teams and encourage more than just technical skills. If we don’t, the implications will be quite severe, especially because we’re not just protecting financial institutions and governments anymore. Companies across industries – small, medium, and large – have seen the value in building out cybersecurity functions.

Q. Does your senior role enable you to empower more people to explore the opportunities available in cybersecurity?

I think every person in senior leadership in cybersecurity wants to empower more people to explore these opportunities that are available. A big piece of that is role models. You have to see it to be it!

I remember when I was 12-years-old, someone mentioned an Ivy League school to me and I thought “I’ll never be able to do that!” It wasn’t until I saw people who had the same background and upbringing as me going to these schools that I finally thought I could do it, too.

That’s why now – especially because I’ve been so fortunate throughout my career and have had so many incredible opportunities – I want to show the next generation that they can have those same experiences.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, KPMG, Nielsen and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Amy Johnson From Herbert Smith Freehills
By Maddie Rosenthal
Tuesday, February 4th, 2020
Amy Johnson is the Information Security Manager at Herbert Smith Freehills, an international law firm with headquarters in both London and Australia. She’s worked in cybersecurity for over six years and started her career as a Lead Investigator at Freshfields Bruckhaus Deringer. Before entering the cybersecurity industry, she worked in Human Resources. While she doesn’t have a formal education that’s focused on cybersecurity, she’s earned five certifications to-date, including her Certification in Information Security Management Principles (CISMP), Certified Information Security Manager (CISM), Certified Data Protection Officer (CDPO), ISO 27001 Implementer, and Certified Information Systems Auditor (CISA).   Next, she’ll aim to earn her Certified Information Systems Security Professional (CISSP) qualification.
Q. Describe your role as a Security Manager in 300 characters or less.

I monitor system user behavior and I review client security requirements and questionnaires. I’m very much forward-facing and part of my job is to guide the firm and our people on how to work with information and technology in a safe and secure way.

Q. How did you get started in this industry?

I don’t have a background in cybersecurity. I actually studied HR and worked in that industry for years. About two years into working at Freshfields Bruckhaus Deringer, Mark Walmsley, who was the CISO at the time and still is, started creating a new group called the Information Security Group (ISG).

At that point, I was ready for a career change. I wanted to do something that wasn’t just exciting every day, but different every day. The idea of protecting people, investigating threats, and creating training materials about the evolving risks in information and cybersecurity really, really interested me.

I decided to go for it and got the job! I was the Lead Investigator there for about five years. Since then, I’ve earned different certifications and have really catapulted myself into a more senior position that I’m in now at Herbert Smith Freehills.

Q. Did your previous experience help prepare you for your first role in cybersecurity?

Monitoring/investigating systems can be a sensitive subject which means you have to be hyper-aware of data privacy laws, etc. That’s something I was able to bring to the table because of my previous experience.

But, to really be successful in a cybersecurity role, you have to be familiar with not just the current threats, but the new and evolving technologies. You have to stay on top of that. I didn’t get that exposure until I started. I also didn’t have any technical skills when I started. I learned on the job, which – to me – is far better than going to study.

Cybersecurity is really about putting what you know into practice.

Q. Do you have any thoughts on why women only make up a quarter of the cybersecurity workforce?

A lot of women in tech might not see cybersecurity as a suitable career path because it is considered quite a masculine profession. That’s probably ingrained at a very young age. It’s important to not be discouraged by that, though. Bear in mind, I came from a HR background; that’s a field where you’ll often work in a team that’s all women. Moving into this industry, I’ve often been the only woman within the teams I’m working in. But, that doesn’t mean I don’t feel like I belong. I don’t find men that intimidating!

Women can be just as successful in this industry and opportunity, recognition, and progression are absolutely available to those who work hard.

Q. In terms of progression, do you feel like a career path to a more senior position is clear?

To be very honest, I’m already very proud of how far I’ve come in the last 10 years. When I first moved to London, I was making significantly less than I’m making now. I’ve consistently worked my way up the ladder since then. I’d still really like to learn and grow more within this industry and I certainly have dreams of being a CISO or a head of a department eventually. But, the opportunity for growth can really depend on how big your department is. Cybersecurity is still growing, and not all organizations have large teams which means you may not necessarily see what your next step will look like or what skills you need to develop to take that next step. It can be hard. But, the skills you get at any one organization are really transferable.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Kim Smathers from Snapdocs
By Maddie Rosenthal
Saturday, February 1st, 2020
Kim Smathers, who has worked in this field since the mid-90’s, is the Head of Information Security and Compliance at Snapdocs. Her resume is extensive and includes big names like Symantec, Walmart, and Jobvite among many others, as well as several years experience teaching Microsoft and Citrix certification courses and Engineering at the Computer Learning Institute. She’s just as passionate about building agile teams as she is about risk assessment and resolution and considers communication the most important aspect of being a leader. 
Q. Describe your role as a CISO in 300 characters or less.

My job is all about giving people an understanding of risk and figuring out how to translate, address and resolve that risk.

Q. How did you end up in a cybersecurity leadership position?

The surprising thing about me – especially given where I am now in executive management – is that I don’t have a significant formal education. While I completed a bit of college, I didn’t earn my degree. But, a few years before Microsoft took off, before laptops were even a thing, I went to The Computer Processing Institute in Connecticut. This was back when computers took up an entire room!

That’s where I got my start and, for some reason, not only was I really interested in it, but it was really easy for me. I had a natural aptitude first towards coding, then networking, then technology, and I just kept going. Every time things changed, I changed. And, you have to remember, when I first started out, security wasn’t really a “thing”. It’s evolved and grown so much since then. Now, there’s so many different facets to it, so much depth.

Q. What changes have you seen in yourself since then?

For quite a long time, I was the only woman in the room and I would often be leading teams that were exclusively male. It was very, very hard to find any women working in information security or cybersecurity and it was even harder to find these women in leadership positions.

Initially, working in a male-dominated environment led me to think that I needed to adopt more masculine attitudes. I think a lot of women who have worked in the industry as long as I have would tell you a very similar tale. Doing this – trying to act like someone else or act how you think people want you to act – is problematic for so many reasons.

Once I started taking the time to talk to other women, I changed my approach. You’re going to get push-back from people no matter what; this taught me to rely on data instead of adopting attitudes that weren’t mine. That enables a lot more diplomacy and – more importantly – authenticity. That’s what’s really allowed me to thrive and do my best work.

Q. Are you starting to see more women in leadership positions like you?

There’s still only a tiny percent of women in senior leadership positions in this industry but I do see a shift, yes. Only in certain places, though. In certain companies – specifically really established companies – you still have boardrooms that are filled predominantly with white males. You can’t underestimate the impact that has on a larger organization. It all trickles down. If you’re a woman in that environment with aspirations to be in senior leadership and you’re only seeing one kind of person in those positions, the career path there can seem very unclear.

But, when you work in an organization like I do now, there’s an incredible amount to compare and contrast. There are women, there are people of color. It’s a totally different environment.

Q. What advice would you give women who want to achieve the same sort of success you have?

Be authentic to who you are and what you’re thinking and let go of the fear of saying “I don’t know” or “Explain it to me” or “Can I have more information, I’m not sure I understand”. Asking these questions doesn’t mean that you’re ill-informed or don’t know enough. Letting go of that fear will give you a lot more control over what goes on around you. When I build out my teams, I avoid people who are absolutely convinced that they already know everything there is to know about a topic. That almost eliminates the possibility of having a conversation and, in cybersecurity, collaboration and openness are absolutely vital. We’re influencers. My job is to bring diverse groups of people together, make them feel comfortable, and let them really exercise their creativity in order to actually influence other teams and solve problems.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Sara Zahid From Jefferies
By Tessian
Friday, January 31st, 2020
Sara Zahid is the Assistant Vice President at Jefferies, a global investment banking firm headquartered in New York City. After earning her Bachelor’s Degree in Business Administration with a focus on Finance from the University of Toronto, she started an internship at Scotiabank. Over the course of 5 years, she was promoted several times to eventually become a Lead Business Analyst. After that, she transitioned to a more IT-focused role and gained product management experience at Clarus Commerce. In her current role at Jefferies, she’s combined her business acumen with IT project management to safeguard the company’s Information Security.
Q. Describe your role as an Assistant Vice President in 300 characters or less.

I am responsible for requirements gathering, simplifying requirements, testing, organizing sprints, managing the sprint cycles, delivering requirements, communicating with stakeholders and management, and other business analysis and project management activities across Jefferies’ Global Information and Technology umbrella. As a manager, one of my key responsibilities is to make sure the team stays organized.

Q. Have you always been interested in cybersecurity?

When I was younger, I always got feedback that I was creative, so I initially pursued marketing. But, as soon as I started as an undergrad, I realized that I was missing an important piece, which was practical, hands-on work. I actually got an offer for a marketing job straight after college and didn’t take it because it just didn’t seem interesting enough. It didn’t seem like a challenge. That’s what drove me to consider finance, then IT, and now cybersecurity.

I love to critical-think, I love to strategize, I’m great at problem-solving. It’s been a great fit.

Q. What did your path into this industry look like, then?

A recruiter actually reached out to me based on my experience in product management and business analysis. At that point, I had zero exposure to cybersecurity. I didn’t know what it looked like. But, during the interview, I was told that if you have a background in IT, you’ll be able to pick up cybersecurity. It’s not rocket science.

That was hugely comforting to me and enabled me to look at the job description with a much more open mind.

They were looking for an experienced project manager who was willing to learn. I ticked both those boxes. The journey from that day until today has been exactly that: all about learning.

Q. Was it challenging to transition from business analysis to a highly technical role?

I’d say my knowledge base is currently 50% technical and 50% business analysis. But that’s part of the appeal for me. It’s something I have to work at, especially because IT and cybersecurity change so drastically, so quickly.

That means that I have to learn something new every single day and I’m not afraid to admit that. I don’t think that’s a weakness, I think that’s a strength. I know 50% more about cybersecurity than I did a year ago and that number is only going to continue to grow.

And I’m not afraid to ask questions! I’m not afraid to say that I don’t know.

Asking is the only way that you get an opportunity to get involved and expand on what you already know.

Q. Has your work in cybersecurity so far been what you expected it to be?

I didn’t fully grasp how many problems the industry solves until I got into cybersecurity myself. Even with a background in IT and business, I didn’t know. You think about logging into your computer every morning at work. We all do that. I never even considered how a functionality like that is safeguarded until I started in cyber. Most people don’t spend time thinking about how many characters their password has or whether or not two-factor authentication is enabled, the work behind the scenes is normally done for us. I’m now the one behind the scenes doing that work. And it’s incredibly important work! Not just for the individual, not just for the company, but for any and all external parties involved in that company as well.

Q. Did you face any challenges related to the disproportionately low percentage of women in the industry?

It’s very clear that there are fewer women in this field than there are men, but I don’t feel – or haven’t been made to feel – like I’m less than because of that. If anything, I’ve gotten more respect from male colleagues because of it. It’s actually in many ways empowered me and boosted my confidence. Not only have I taught myself about the industry and progressed by doing so, I’ve progressed in an industry where not many women currently exist. That’s something to be proud of, not burdened by. I also have to give credit to my colleagues and managers and people in leadership; the culture at Jefferies enables me to do my best work. The problem isn’t solved just by acknowledging that there’s a problem. It’ll take time. But, this is such an important industry and we’re solving real problems with a real impact. It’ll continue to evolve, expand, and attract more people.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Email DLP
Data Privacy Day: Why You Need to Protect Your People
Tuesday, January 28th, 2020
Everyone has an email blunder story. Whether you forgot to bcc someone or you sent a message to the wrong person, mistakes on email are common. After all, the average worker spends two fifths of their working week on email, so accidents are bound to happen. But it could be happening in your organization more often than you think. According to our data, employees at large organizations send over 130 emails a week to the wrong person. What’s more, workers are also sending company data to unauthorized or personal email accounts nearly 200,000 times a year. In SMBs, we found that employees send as many as 177 emails a year to the wrong person.
Our data highlights how much of a risk employees pose to an organization’s data security. Misdirected emails – emails accidentally sent to the wrong person – are particularly dangerous. Beyond just embarrassment over cc’ing the wrong person, for example, we are seeing serious repercussions as more people expose personal and corporate data. Simply misspelling a name can result in sensitive data or company secrets falling into the wrong hands and your company facing a regulator’s wrath.

More than a simple mistake

In fact, latest figures from the Information Commissioner’s Office (ICO) reveal that emails being sent to the wrong person were the leading cause of online data breaches during 2019. UK organizations reported 1,357 data breaches caused by people emailing the incorrect recipient last year, up from 447 in 2017. That’s a 300% increase in misdirected emails over two years.
Last year, the ICO made it clear that failure to implement appropriate organizational and technical measures to protect data under GDPR will result in significant penalties. With so much at stake, businesses need to consider whether their company data is properly protected from incidents of human error. And Data Protection Day (EU) / Data Privacy Day (US) on 28 January acts as a timely reminder to do this.

To keep data safe, businesses need to start at the human level and protect their people. Human error is the leading cause of data breaches, and this is because people make mistakes, break the rules and are easily hacked. In many cases, people may not even realize they’re doing anything wrong. Businesses, therefore, need to take a people-centric approach to cybersecurity that focuses on educating and protecting their employees. But in addition to policies and training, organizations also need to add an extra layer of security.

Securing the human layer

Human Layer Security (HLS) is technology that secures all human-digital interactions in the workplace. By focusing on the human layer (employees, suppliers, customers) as opposed to the machine and systems layer (networks, devices, apps), HLS keeps businesses’ sensitive data and systems safe. Tessian’s Human Layer Security technology understands human behavior and relationships, enabling it to detect and prevent dangerous activity. Importantly, Tessian’s technology learns and adapts to how people work without getting in the way or impeding productivity.

Tessian uses stateful machine learning models to analyze historical email data in order to understand human relationships and communication patterns. Once we know what normal and abnormal look like, Tessian can automatically predict and prevent security breaches caused by people, for example, accidentally sending emails to the wrong person or exfiltrating sensitive data to personal accounts.
Given the huge volumes of sensitive data exchanged every day, the consequences of just one of these emails ending up in the wrong hands are extremely damaging. Not to mention the serious financial penalties of personal data breaches. It’s time to protect your people with Human Layer Security.
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Tess Frieswick From Kivu
By Maddie Rosenthal
Tuesday, January 28th, 2020
Tess Frieswick recently started a new job as a Client Success Manager at Kivu Consulting after spending a year working at Uber as a security consultant. She started as a Security Analyst straight out of college and was promoted to a more senior position after just six months.  In addition to earning her Bachelor’s Degree in World Politics with a minor in Islamic World Studies at The Catholic University of America, she’s gained political experience through internships at the International Model United Nations Association (IMUNA), the National Consortium for the Study of Terrorism and Responses to Terrorism (START), and the American Enterprise Institute.
Q. How did you end up in cybersecurity after studying World Politics and Islamic World Studies?

I was fortunately hired to work for IMUNA during my first semester of college after getting involved in the organization in high school. I really lucked out and was assigned to work on the Counter-Terrorism Executive Directorate which, at the time, was focused on the terrorist group Boko Haram in Nigeria. I loved learning about African politics and counter-terrorism efforts in the region which sparked my interest in international security.

By the time I was ready to graduate, I was more certain that was the direction I wanted to take, I just wasn’t sure in what particular specialty. I had a few years of experience in counter-terrorism, but no real experience in cybersecurity.

Q. What was it like, then, starting as a Security Analyst at Uber so soon after graduating?

When I first started, I was a bit intimidated. I was the youngest on my team, didn’t have my Master’s, and was one of the only women on my team. I felt like I had a lot to prove, but that inspired me to work really hard. I had a manager and a boss who both recognized and valued my skills and trusted me with big projects that had a global impact.

My team actually worked on 565 different tasks from executive protection to assessing phishing emails. That experience really reinforced that cybersecurity was the path I wanted to pursue.

Q. What interested you the most about cybersecurity?

The 2016 presidential election piqued my interest. I remember learning about Russian interference, bots, and the manipulation of social media after Trump was elected and recognizing that cyber security is bigger than people realize. It provides a new landscape for modern warfare and these things are changing the dynamics of politics. Even something like the recent assassination of Qassim Soleimani; that presents a potential cyber warfare risk. After the assassination, I was doing assessments and considering what retaliatory actions Iran may take. Could it result in cyber warfare? Would they target critical United States infrastructure?

Developing technology is driving all of this; it’s changing everything. Politics is constantly evolving, especially with the development of cybersecurity and cyber warfare. It’s fascinating!

Q. Did you have any specific technical skills that made you especially marketable for jobs in the field?

I haven’t taken any cybersecurity-specific classes. Everything I know about cybersecurity I either taught myself by reading or learned on the job. After leaving Uber, I was really upfront during interviews that I didn’t have technical skills. But, that was balanced by the fact that I can learn really quickly. That’s what I focused on. I think my writing background was also something that made me stand out. I have experience writing intelligence products in a strong, thoughtful way. At Uber, I wrote over 70 documents for a project, including style guides for products, global standard operating procedures, and security policies. Talented writers might be surprised that they have a place in cybersecurity but they’re needed to create really polished products that impress clients.

Q. You had an internship at an all-female media company while you were in college. Was that a formative experience in your professional development?

In every single internship I’ve had, I’ve had a woman that I looked up to for advice and counsel. I’m also just a huge feminist. I’m obsessed with Ruth Bader Ginsburg – she’s my hero, and I love Madeleine Albright. From athletes to politicians, I’m constantly seeking out stories of successful women, and women fighting for equality and change, to motivate me. I still think of some of these mentors years after working with them and I hope I am making them proud. Now, as the only female leader in my new role, I have a responsibility to step up and empower other females, too. This is especially important for women who are shy or aren’t as quick to speak up. Those people – even if they’re smart and capable – can be overlooked. Backing up their ideas, supporting them, making sure they feel empowered…it all makes a big difference.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Funding Circle, IBM and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Carolann Shields From KPMG
By Maddie Rosenthal
Saturday, January 25th, 2020
Carolann Shields was recruited for a Chief Information Security Officer role at KPMG LLP almost 7 years ago after rising through the ranks at McKinsey & Company. She started in system reconciliation and deployment, went on to manage development for all of their enterprise systems, and then became the IT Security Program Manager (de facto deputy CISO). Throughout her career and to date, she’s driven more than fifteen company-wide cybersecurity initiatives and has done so by developing collaborative, positive security cultures and multi-faceted teams. While Carolann had an interest in math and aced computer classes from a young age, she actually studied and earned a degree in Business Studies in Ireland before starting down the path to cybersecurity. Having a background in business has shaped her style and approach to security, driving a focus on efforts that reduce an organization’s overall cyber risk.
Q. Describe your role as a CISO in 300 characters or less.

I lead a team with complementary talents and skills to work together effectively and bring transparency to an organization’s cyber risk in order to identify and design solutions and processes to mitigate those risks. I also educate and influence behavior to ensure compliance and protection while making security a commercial benefit, not just a cost.

Q. What would encourage more women to pursue roles in cybersecurity?

Need is the mother of invention. Highlighting the number of open positions and highlighting the fact that there are women with these skills in and outside of the industry is the first step. The fact is, you’re cutting out 50% of the population when you don’t create an environment for women where they feel they can excel and actually progress in their careers. Even if you hire a lot of women – which we’re seeing now – they don’t move through the ranks as easily because they don’t have enough role models or advocates. That’s why it’s so important that the women that do become successful reach back to support the women who are coming behind them. Encouragement is incredibly meaningful, and it doesn’t take much for leaders to give it.

Q. With that in mind, can organizations really ever guarantee diversity within teams?

When you decide you’re only going to hire the most qualified or the one with the most potential, you naturally have diversity. On the other hand, if you start saying I’m only going to hire women, or men, or this ethnic group or that religious group, the goal of recruitment breaks down. Decision-makers should only be interested in your brain and emotional intelligence. Who is the most qualified with the most potential? That’s who you should want for that role.

Q. Have you had role models or advocates throughout your life who enabled you to achieve the success you have?

The CISO at McKinsey at the time I started working there was a woman, Denise Hart, who has since retired, so it never even occurred to me that it wasn’t possible to achieve what she had or that it was in any way unusual that she had because she was a woman. On top of that, I had a father whose beliefs were sort of the reverse of what we typically think of. He believed that men should be out physically working and that women were much better as lawyers and accountants and doctors. For me, there were no limits as a child growing up about what I could be from a career perspective.

Q. What are some of the skills, interests, or personal attributes that lend themselves to a career in cybersecurity?

People who care about consequences and the bigger picture and who understand the larger impact of their role in an organization are the ones who will be successful and really excel in this industry. It shouldn’t be about just a paycheck; you need to care about what you do. Why? The vast majority of organizations get hacked because of mistakes; someone clicks on a link, firewalls are misconfigured, access is overly permissive etc. The way to really prevent that is to have people care about their work so that they pay attention to the details, identify mistakes early and correct them before there is any harm done.

Q. Are there any misconceptions about cybersecurity that you want to set straight?

Security teams believe in the mutual benefit of being safe, which makes it collaborative by nature. While – yes – some of the most talented security engineers are at their desk working alone, a lot of it is about relationship building and collaboration and working with teams to develop and manage secure solutions.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Nielsen, Funding Circle and more. #TheFutureIsCyber
Customer Stories, Email DLP, Integrated Cloud Email Security
Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm
Thursday, January 23rd, 2020
In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year, which explored the biggest threat to an organization’s security: its employees. To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm, for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security. Arm is a customer of Tessian’s, and has deployed Tessian Defender, Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes, he understands how best to combat those risks. While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.

Where does risk really exist?

Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”

“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”

To err is human, but people are (generally) well-intentioned

TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves people’s intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these types of scenarios?’”

“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”

The role of a CISO is people-centric

TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change people’s behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”

“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”

Security solutions should empower employees

TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.

“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populace correctly.”

Machine learning enables Human Layer Security

TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.

“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”

Tessian fits into a larger security framework

TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium- to high-impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”

“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though…you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”

The future of Human Layer Security

TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”

Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Gisela Rossi From Tessian
By Maddie Rosenthal
Monday, January 20th, 2020
Gisela Rossi is a Backend Software Engineer at Tessian who’s earned both her Bachelor’s Degree and Master’s Degree in Computer Science. Before starting at Tessian, she gained experience at Intel, Lyst, and Facebook and, for the last several years, has been very involved in the larger software community, specifically those communities that empower women and other minorities.  She’s a co-leader of PyLadies London, a member of the WISE Young Professionals Board, and a former mentor and volunteer at CoderDojo. 
Q. Describe your role as a Backend Software Engineer in 300 characters or less.

I work with Python to build and create products that are used by Tessian’s clients to protect their Human Layer from data breaches. I work closely with product and customer success teams to ensure we’re building solutions that make an impact.

Q. For those who might not be familiar, can you explain what Python is?

Python is my favorite programming language. Different languages have different styles and different communities around the language. There are conferences, online groups, and other events and Python has one of the more diverse and inclusive groups around the language. I’m actually one of the organizers of PyLadies London. It’s not just the community, though. The language itself is really thoughtful.

You can compare a programming language to what those of us in computer science call a “natural language”…English, French, Japanese. At the end of the day, they all serve the same purpose. You can have the same conversations but in different languages. Just like you’d have a preference in a natural language, you can have a preference in a programming language.

Q. And what about PyLadies London, what’s that?

The real goal is to encourage minorities to be more active participants in the Python community and, for some, maybe do a career change into the industry. There are talks, workshops, etc. It’s really about mentorship and empowerment.

Q. Do you think more mentors or role models would encourage more women to get involved in the industry?

I think mentorship is especially important for minorities – not just women – because we have to overcome different challenges. And those challenges aren’t necessarily big hurdles. For some people, it can be several small things. It could be a professor you have or a bad internship. One bad manager or experience isn’t representative of the whole industry, but it can be demotivating if you don’t know that there are more positive environments where these things don’t happen. That means those of us already in the industry have to fight the fight! More than anything though, you need more minorities to be decision-makers. You need those people in higher positions to demonstrate what’s possible and empower others to do the same.

It’s especially important because the problems you solve in this industry are interesting, the work is fun, you’re well compensated. There are a lot of benefits if you can overcome the lack of diversity. But, you do need a diverse group of people to have a better chance of solving those problems. Age, race, gender…the more diverse the group, the more diverse the ideas.

Q. What problems have you been most interested in or focused on so far in your career?

Data. All of our data is available online and when you consider all the people who could potentially access that data, you can start to see how big the industry’s scope is.

The average person doesn’t realize how valuable their data is. People hand over their personal information for a free voucher without thinking twice about it. They don’t have bad intentions, of course, but from a security perspective, that’s a big risk. If you input your email address, home address, and phone number into a site that isn’t secure and that site gets hacked…you’ve got a big problem. At the end of the day, you are your data. So, what happens when someone steals it?

But, it’s not even just scary from the perspective of hackers. Massive corporations and governments hold a lot of our data, too. What happens if they misuse it? That’s something that we’re trying to figure out in this field. We’re trying to mitigate that risk.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, IBM and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Niki Tailor From Tessian
By Maddie Rosenthal
Saturday, January 18th, 2020
Niki Tailor is a Platform Engineer at Tessian, where she’s worked for almost two years. Since starting, she’s been promoted to Team Lead and manages three people. Prior to joining Tessian, she worked first as an Analyst at Nomura, then as an Equities Technology Development and Operations Engineer at Bank of America.  Before entering the field, she earned her Bachelor’s Degree in Computer and Management Science.
Q. Describe your role as a Platform Engineer in 300 characters or less.

Security, stability, scalability, reliability, and automation of our Human Layer Security platform. As a Team Lead, I have people management responsibilities too, but day-to-day work involves solving problems, building new architecture, and empowering our engineering teams.

Q. Have you always been interested in cybersecurity?

Even though I studied Computer Science and Management, I didn’t always know I was interested in the field. My A-levels were a random mix of Math, French, Art and Economics. I didn’t know what I wanted to do so I chose a broad range of subjects that would allow me to pursue pretty much anything later on.

But there are a few tech professionals in my family, so I was exposed to it throughout my life. I was always taking a peek at what my dad was working on so, unlike a lot of other people, I knew the industry existed and what the path to it could look like.

Q. How did you isolate Engineering as your area of interest from the larger umbrella of Computer Science?

I’ve had a lot of opportunities both at University and through the work experience I got during and afterwards that have helped direct me towards what I enjoy the most.

My business-focused courses showed me that the technical, hands-on work was what I was most interested in and the work I did coding as a developer made me realize that sort of role probably wasn’t the best use of my skills. I think those experiences are really important. Even though I didn’t enjoy the work, it’s good to have an understanding of the theory behind each of these things. It’s helped me do better work in the roles I really like.

Q. What interests you the most about the work you do?

Working in a start-up that’s trying to solve really interesting real-world problems is the best part for me. The challenges around securing sensitive data are immense, but that’s where the most interesting challenges lie. As a comparison, I’m not working in a corporate environment where bureaucracy is a challenge. The work I do isn’t done with the goal of making rich people richer. I’m actually doing something good.

You read articles where businesses or charities get scammed and organizations lose millions and people lose their jobs. It’s rewarding to be a part of what’s preventing things like this from happening.

Q. Does that sort of work lend itself to unlimited growth potential?

The field is only going to get bigger. The problems we solve are only going to get bigger. I mean, right now, Tessian is solving the problem of security on email. Eventually, we’ll be solving the problem of security on all platforms.

That means there are so many opportunities to learn new things and exercise creativity. This is a field that really encourages trying, even if it means failing, which means you never get bored. No two days are ever the same.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Email DLP
How a Gmail Design Flaw Causes Misdirected Emails
By Ed Bishop
Wednesday, January 15th, 2020
A seemingly innocuous and incredibly common occurrence like sending an email to the wrong recipient can have severe consequences. The sender of a misdirected email is often blamed for being careless, for not paying attention to detail and, in some cases, for being technically illiterate. This can set a culture of embarrassment for employees, which means many misdirected emails and their corresponding data breaches are often not reported to line managers and compliance teams.

Gmail Design Flaw

A few years ago, Google added a feature to Gmail that suggests contacts to be added to an email’s recipient list. For example, if you add Jane and Sam to an email, it might suggest Ali, because Ali is often included on emails with Jane and Sam. Designed to be a productivity feature, this in itself could encourage a user to add a contact who maybe shouldn’t be included – resulting in a misdirected email.

However, the focus of this article will be on what I consider to be an unpredictable UI (user interface) design flaw in the Gmail email compose window. We reported this flaw to Google’s Security Bug Report page on 18th December 2018.

I consider this to be a relatively common email user flow. In a new email:

1. Click in the recipient text area
2. Start typing the 1st recipient’s name, and press enter to select
3. Start typing the 2nd recipient’s name, press enter to select
4. Click in the Subject field to type desired email subject

You can see this demonstrated in a video below:

If you look carefully, as the second recipient is added—and after a significant delay, caused by an asynchronous API request—Google suggests that you might like to add two internal addresses to the email as they are often seen on emails with recipient 1 and recipient 2. But notice where Google positioned the “add recipient” hyperlink. It shifted the position of the subject text area down and placed the hyperlinks where the original subject text area was. The clickable hyperlink area is fully encapsulated by the old subject text area.

In step 4 of the above user flow, if after adding the second recipient I quickly attempted to click in the subject text area, there is a chance that at that exact moment the delayed API request finishes, the subject bar shifts down, and I accidentally add an unintended recipient to the email.

Ironically, I believe this unpredictable delay makes it more likely for tech-savvy employees working quickly (those who can navigate around the compose window more quickly than it takes for the API request to finish) to fall foul of this design flaw and accidentally misdirect an email.

A Potential Fix

There are many potential fixes, but I think a simple rule that “no UI component should unpredictably move” would solve this. I would suggest increasing the spacing of the default compose window so that the “add recipient” hyperlinks could fit above the subject bar without moving anything.

Google’s Response

We raised this design flaw with Google Security on 18th December 2018. While Google does not feel it substantially affects the confidentiality or integrity of its users’ data, we disagree and believe this design flaw could lead to an increase in misdirected emails and data loss. Implications of sending misdirected emails can range from the embarrassing to the damaging, and can even lead to revenue loss due to reputational harm. Technology should be built and designed in a way to minimize human error, not increase the likelihood of it occurring.

Update: this design flaw seems to only affect Gmail on browsers, not the mobile application.
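The timing race described in this article, modelled as an added example (not Gmail's code and not from the original post): it compares the shifting layout with the proposed reserved-space fix and shows which click timings land on the suggestion links. Row names, the 30px row height, the latency and pointer-travel times are constructed assumptions, and the grace-period guard goes beyond the fix the article proposes.

```javascript
// Added illustration. The compose window is modelled as vertically stacked
// rows; all names, sizes and timings below are constructed for the example.
const ROW_HEIGHT = 30; // px, assumed equal for every row

// Turn an ordered list of row ids into [{id, top, bottom}] rectangles.
function layout(rowIds) {
  return rowIds.map((id, i) => ({ id, top: i * ROW_HEIGHT, bottom: (i + 1) * ROW_HEIGHT }));
}

// Which row is under a pointer at vertical position y?
function hitTest(rows, y) {
  const hit = rows.find((r) => y >= r.top && y < r.bottom);
  return hit ? hit.id : null;
}

// Rows on screen t ms after the 2nd recipient was selected.
// "shifting": the suggestion row is inserted when the API response arrives,
//             pushing the subject down (the behaviour the article describes).
// "reserved": the slot exists from the start and is only filled on arrival,
//             so nothing below it ever moves (the article's proposed fix).
function rowsAt(design, t, apiLatencyMs) {
  const arrived = t >= apiLatencyMs;
  if (design === "shifting") {
    return layout(arrived
      ? ["recipients", "suggestions", "subject", "body"]
      : ["recipients", "subject", "body"]);
  }
  return layout(["recipients", arrived ? "suggestions" : "empty-slot", "subject", "body"]);
}

// The user aims at the subject field as drawn at aimTime; the click lands
// travelMs later at that same screen position.
function simulateClick(design, aimTime, travelMs, apiLatencyMs) {
  const seen = rowsAt(design, aimTime, apiLatencyMs).find((r) => r.id === "subject");
  const y = (seen.top + seen.bottom) / 2;
  const clickTime = aimTime + travelMs;
  return { y, clickTime, target: hitTest(rowsAt(design, clickTime, apiLatencyMs), y) };
}

// Aim times (0..1000 ms, 50 ms steps) at which a click meant for the subject
// field activates a suggestion link instead.
function misclickWindow(design, travelMs, apiLatencyMs) {
  const bad = [];
  for (let aim = 0; aim <= 1000; aim += 50) {
    if (simulateClick(design, aim, travelMs, apiLatencyMs).target === "suggestions") bad.push(aim);
  }
  return bad;
}

// More general safeguard (an assumption, not the article's fix): ignore
// activation of a control that appeared under the pointer less than graceMs
// before the click. graceMs must be at least the pointer travel time.
function guardedClick(design, aimTime, travelMs, apiLatencyMs, graceMs) {
  const click = simulateClick(design, aimTime, travelMs, apiLatencyMs);
  const freshlyShown = click.target === "suggestions" &&
    click.clickTime - apiLatencyMs < graceMs;
  return freshlyShown ? "ignored" : click.target;
}

// Constructed scenario: 600 ms API latency, 200 ms pointer travel.
console.log("shifting:", misclickWindow("shifting", 200, 600));
console.log("reserved:", misclickWindow("reserved", 200, 600));
console.log("guarded :", guardedClick("shifting", 500, 200, 600, 500));
```

The risky window is exactly the pointer-travel time before the response arrives, which is why faster users with slower responses are the ones exposed; reserving the slot removes the window for any latency.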
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Amber Pham From TransUnion
By Maddie Rosenthal
Sunday, January 12th, 2020
Amber Pham is an Information Security Officer at iovation, a business unit of TransUnion. After earning her Bachelor’s Degree in Psychology, she transitioned into IT where she worked for over nine years, first as a Systems Administrator and then as a Systems Engineer for software and technology companies like Webtrends and Intel. She rounded out her IT experience with consulting and contracting and was able to gain a broad range of experience; this inspired her to go down a slightly different path and pursue a career in cybersecurity. She’s been working for iovation since then – except for a three-year stint in Amsterdam where she also worked as an Information Security Manager – and has watched both the organization and the industry grow exponentially. 
Q. Describe your role as an Information Security Officer in 300 characters or less.

I’m a people manager, which is probably my most important role. I ensure people feel supported and in cohesion with other teams to learn and grow. I’m also the central point of contact for the corporate business and, as a part of that, I work with Development and IT teams to get security work done.

Q. How did you make the transition into cybersecurity after earning a degree in Psychology?

When I came out of college with a Liberal Arts degree I had basically zero technical skills. But, tech companies were growing so fast that they were really willing to give people a chance and train them.

I got my “chance” thanks to a really good manager who recognized that I was a diligent worker and that I’d be able to figure the work out pretty quickly. That was working as tech support on a Help Desk, which is how I got into IT. I paid a lot of attention to the training and really just wanted to learn as fast as I could so that I could genuinely start contributing.

I didn’t actually even use my psychology degree until I got into my current role in security leadership. Understanding the psychology of motivation has been a key part of building a team and security program.

Q. When did you make your move from IT to cybersecurity?

I went out to do some contracting and consulting. That’s really where I grew the most. You learn a lot faster because you’re throwing yourself into different situations at different companies at a really high rate. I was able to sample a lot of the opportunities available in physical security and networking security that way, and that’s what’s really missing in recruitment for this field. People just don’t know the huge variety of roles that are available from social engineering to forensics to risk assessment.

Q. After you got a taste of all the different opportunities available, did you take any more steps to prepare yourself for the roles you were most interested in?

I went on to get my CISSP which was a huge launching point for me. I know it’s just a test, but the studying that I did on the way to that really rounded out my knowledge and was a really strong signal to future employers that I had real experience under my belt and knew what I was talking about. This also gave me some confidence.

For a young person – or anyone really – who wants to launch into a professional career in cybersecurity, certifications like that are a good place to start, especially because it’s hard to jump from 50% system implementation or another aspect of IT all the way to 100% cybersecurity without taking a little bit of a step down and back. That’s something people are reticent to do. But, by doing that – by taking on a role with slightly less responsibility than I was used to, but that was a 100% security job – I was more prepared for the industry and got recruited just nine months later into what has turned into my current job. I was their first “security person” and was able to build a security program from scratch.

Q. Having really run the gamut of IT and cybersecurity roles, has gender bias been an issue for you?

I’ve almost always been the only woman within the teams I work in. Currently, out of about ten Information Security Officers, I’m the only one. It continues to be the trend but, more often than not, people completely disregard my gender. As long as people don’t talk about it, I don’t really feel it. When I was in my 20’s, it was more daunting. The combination of being young and a woman made me feel it more acutely, especially because I didn’t have a mentor.

You know, most men I work with that are at a certain level credit their success to a mentor. I feel like I’d be years ahead if I’d had one. That’s why I say “yes” every time there’s a Women in Cybersecurity function, a mentorship program, a local event, anything. I always say yes. My dental hygienist asked if I would mentor her daughter because she’s interested in security and, of course, I said yes. It’s so important!

You don’t have to be an activist to get involved and help someone.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber