Secret CSO: Dana Simberkoff, AvePoint, Inc.

Name: Dana Simberkoff

Organisation: AvePoint, Inc.

Job title: Chief Risk, Privacy and Information Security Officer

Date started current role: March 2012

Location: New Hampshire

Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Simberkoff  was featured in Forbes, writes a column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”.

What was your first job? If we’re being literal, my very first job was as a sales associate in my cousin’s luggage shop when I was a teenager. But I landed my first corporate position shortly after graduating law school at a software company. The company focused primarily on regulatory compliance, which gave me the opportunity to immerse myself in the privacy and operations programs of many of our corporate and public sector clients.

How did you get involved in cybersecurity? In law school, I worked for a criminal defence attorney and always thought I’d practice law. When the opportunity to work at this software company emerged, I had no idea it would lead to the cybersecurity career I’ve built. At the time, I did see the potential to take the skills I’d learned in law school and apply them in a different discipline – and that excited me.

I really got started in cybersecurity when the software company was tapped to work on privacy programs for our corporate and public sector customers, in addition to operations security projects for our U.S. Department of Defense customers. I was asked to research and become the subject matter expert in DoD OpSec requirements which were early precursors to the cybersecurity landscape we see today.

What was your education? Do you hold any certifications? What are they? I have a B.A. in Psychology from Dartmouth College and a J.D. from Suffolk University Law School. I am also a Certified Information Privacy Professional (CIPP) from the International Association of Privacy Professionals (IAPP), and I hold a Certificate in cybersecurity from Harvard University.

Explain your career path. Did you take any detours? If so, discuss. As a law student, I fully intended to become a practicing attorney, but once I got a taste of the privacy and cybersecurity industry I never looked back. I find my law degree has been incredibly helpful throughout my entire career and has changed the way I approach challenges in my work still to this day.

Was there anyone who has inspired or mentored you in your career? I think it is very important for women to have peers and mentors that help support, promote and inspire them. I’ve been extremely fortunate to have a host of women in my corner every step of the way, and it all began within my own family. My mother is a social worker who holds a master’s degree in economics. Her entire life has been committed to helping others, including me. My grandmother was one of the youngest women attorneys to graduate from Albany Law School in the 1920s and worked well and traveled the world into her 80s.

Today, I am surrounded by incredible women and men in both my professional and personal life who have always held me to a high standard. Their confidence in me and their unwavering support continue to propel me forward. I recognise this is not always the case for women in the workforce, and as I hear stories from women and girls treated differently simply because of their gender, I know we must continue to make progress as a society.

What do you feel is the most important aspect of your job? Without a doubt, helping build an environment of trust for AvePoint employees, customers and investors is the most important aspect of my job. We hold ourselves to the highest standard when it comes to data protection, privacy and security – and I work hard to ensure all key stakeholders know and can feel our commitment.

Another important part of my job is mentorship, for everyone on my team and those within my broader network. I’ve served on the Women Leading Privacy Advisory Board for the International association of Privacy Professionals (IAPP) where I supported programs tailored towards continued education, networking and career growth. I take pride in helping others realise career goals and believe it is important in this industry that we support one another.

What metrics or KPIs do you use to measure security effectiveness? We consider many KPIs for our program including customer, employee and management satisfaction, training effectiveness and risk management metrics. I generally believe that organisations should adhere to as many global standards and frameworks as possible, using the best practices to meet security regulations. AvePoint specifically prides itself on various certifications like our ISO and SOC2 certifications, for example.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I actually believe that in the past few years talent acquisition is becoming a little bit easier. As security and privacy have become front page news and coffee table conversation, I’ve noticed an increased interest and maturation in the profession. Which in turn leads to a broader pool of qualified candidates.

A few years ago, the cybersecurity industry lacked mid-level talent. But today, many of those entry-level folks have now progressed in their careers, and there has been a steady stream of new talent as well. This is a good sign especially as privacy laws around the globe accelerate and therefore demand more from the profession.

Cybersecurity is constantly changing – how do you keep learning? I am a firm believer in the constant pursuit of education – not only in work, but all aspects of life. We should always be learning. At AvePoint we maintain a very rigorous program of ongoing training and certifications within my team and our company.

I also attend industry conferences (which are of course virtual now!), participate in trainings and higher education like the certification I just received from Harvard. I encourage my team to take similar action and at AvePoint we provide funding for employees to participate in continuing education programs.

What conferences are on your must-attend list? I regularly attend the RSA Conference and the IAPP Global Privacy Summit. Today, there are so many incredible conferences to choose from, and because they are virtual it has become much easier for folks to attend. When possible, I encourage all cybersecurity professionals to attend conferences that will further their education and provide networking opportunities.

What is the best current trend in cybersecurity? The worst? Widespread acceleration to the cloud has been both the best and worst cybersecurity trend to-date. On the one hand, the pandemic induced rapid digital transformation, which has helped many organisations collaborate remotely and adopt new technologies that will serve them well in the future.

On the other hand, many companies moved to the cloud so quickly that they did not have time to properly migrate their data and instead took a simple lift and shift approach. Unfortunately, the opportunities for exploitation are much greater and companies could be dealing with the aftermath for quite some time. I advise all cloud-based companies to know three things: their data, their vendors and their regulators.

What's the best career advice you ever received? Naval Admiral William McRaven distilled a piece of advice I’d heard throughout my career in a powerful commencement speech at the University of Texas in 2014. He said, “if you want to change the world, start off by making your bed.”

And he is absolutely right. I truly believe the key to professional success is discipline. You have to master and take pride in the small, incremental steps along your professional journey, because they are the building blocks to real success.

What advice would you give to aspiring security leaders? Building and maintaining a strong network of peers within the security industry is vital. It can not only accelerate your career with new opportunities but constant communication with industry peers and mentors also lets you learn from their experiences – both the good and the bad.

I would also remind aspiring leaders that we all have an opportunity to rise, though it may not be fair or equal. With that in mind, it’s important to prove your value and worth every single day. Make sure you are not only an asset in your own mind but in the minds of your managers, your organisation and your peers.

What has been your greatest career achievement? Instead of focusing on a specific moment in time, like graduating law school, or advising the US federal government on its security policies, or even becoming a CPO and CISO, I tend to look at my achievements as both cumulative and continuous. I value the ongoing privacy and security contributions my team and I make every day and believe the best is yet to come.

Looking back with 20:20 hindsight, what would you have done differently? I would have taken more time to ensure that during the very first part of the year, we appreciated what I believe we all took for granted. That being that we could freely move about and enjoy the closeness and company of our family, friends and colleagues around the world. Our shift to a more virtual environment truly has made us all appreciate the privilege we enjoyed, and also certainly showed us the true value of a cloud-based collaboration environment.