Secret CSO: Laura Whitt-Winyard, Malwarebytes

What is the best current trend in cybersecurity? “That the cybersecurity community, public and private sectors are coming to the realisation that we all must work together on cybersecurity. It is a puzzle that will never be solved…”


Name: Laura Whitt-Winyard

Organisation: Malwarebytes

Job title: Chief Information Security Officer

Date started current role: February 2022

Location: Santa Clara, CA

Laura Whitt-Winyard is the Chief Information Security Officer (CISO) at Malwarebytes. In addition to her role at Malwarebytes, Whitt-Winyard is a Fellow at the Institute for Critical Infrastructure Technology (ICIT). As a Fellow, she has contributed to the Cyberspace Solarium Commission's report on cybersecurity and to The Cybershield Act S.965 of the 117th Congress. She is also an International Advisory Board Member and Women in Technology board member at HMG Strategy, LP. Whitt-Winyard has been a member of the cybersecurity community for over 20 years and was featured in the book Women Know Cyber: 100 Fascinating Females Fighting Cyber Crime. She and her teams have been nominated for, and have received, many awards spanning multiple years, including HMG Strategy's Global Technology Executives Who Matter Award, ISE® North America & Northeast Project Nominee & Finalist, ISE® North America & Northeast Executive of the Year nominee, the CSO 50/40 Awards, and the RSA Archer Innovation Awards & Excellence Awards.

What was your first job? Movie theatre cleaner – midnight movies were always the worst.

How did you get involved in cybersecurity? By accident. I had only been in IT for a couple of years when I was asked to join a company whose security architects had sabotaged the network and quit. I had to learn on the fly and be quick on my feet.

What was your education? Do you hold any certifications? What are they? Molecular and Cellular Biology; I wanted to be a Pediatric Oncologist. I hold CISM, CISA and CRISC, and my CISSP recently expired by accident.

Explain your career path. Did you take any detours? If so, discuss. Early on I took many detours before I knew what I wanted to be when I grew up. Once I started working in technology, it became like an obsession. I could not get enough. I still can’t. I love that it is always changing and that I always have to learn. I never get bored. My passion truly lies in security. I like puzzles and cybersecurity is the biggest puzzle I have ever seen.

Was there anyone who has inspired or mentored you in your career? There have been many. I would not say one person over the other. I have learned from every person with whom I have worked and taken those learnings and added them to my repertoire. More than anything, I have learned by watching what NOT to do. There is no one right way to lead or to be a cybersecurity professional, but there are definitely wrong ways to do it.

What do you feel is the most important aspect of your job? Trust. Cybersecurity is difficult enough and time is of the essence. Too much time is wasted if the Security Team, me, the executives and the board do not trust that we are all doing the right things to secure the company and advance our cybersecurity posture.

What metrics or KPIs do you use to measure security effectiveness? Three-month trend reports. We must know whether we are getting better or worse.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It affects every organisation. The key to managing the skills shortage is to be creative in where you source and to be able to act quickly once you find your candidate. I am not a big fan of long-drawn-out interview processes. I prefer all interviews conducted on the same day so that a decision can be made the very next day. I often partner with recruiting teams by searching social media platforms and security forums myself, as well as reaching out to my peer network to help locate qualified candidates. My own teams have been the greatest source of candidates. If they think someone is skilled and a good cultural fit for the team, I trust them. Finally, take a chance on someone who has less professional experience. I once hired someone who had zero professional experience, no certifications and no degree in technology, but had competed in and won several capture the flag competitions, and it turned out quite well.

Cybersecurity is constantly changing – how do you keep learning? I google everything. The word “google” was in my marriage vows 14 years ago. I also use a news aggregator service and filter by security. The security community is always sharing information, and I happen to work for an awesome company of cybersecurity professionals. Our Malwarebytes Lab, Security Researchers, Security Team, Threat Intel, etc., are top notch and I learn from them every day. I attend conferences (Defcon is the best because it gives you an in-depth look at what threat actors are up to currently), take webinars, listen to podcasts, and read Twitter, Reddit & Discord.

What conferences are on your must-attend list? Defcon and B-sides.

What is the best current trend in cybersecurity? The worst? The Best: That the cybersecurity community, public and private sectors are coming to the realisation that we all must work together on cybersecurity. It is a puzzle that will never be solved and no one will ever “get ahead” of the threat actors, but collectively we can significantly reduce the gap.

The Worst: The fact that cybersecurity vendors are using Artificial Intelligence, Machine Learning & Deep Learning interchangeably and the cybersecurity professionals buying these tools do not know the difference.

What's the best career advice you ever received? Do unto others as they would have done unto themselves. The way I want to be treated is probably not the same way you want to be treated. Everyone is different, get to know people and determine what they need.

What advice would you give to aspiring security leaders? Do not listen to those that will tell you if you want to be a security leader, you must “flip the bit” and stop being technical. You can do both. Personally, I have found being a technical security leader allows my teams to focus on securing the company using time that would otherwise be spent explaining certain technical aspects to a non-technical security leader.

What has been your greatest career achievement? Becoming a CISO was the pinnacle of my career. I am excited to strive for my next goal which will most likely be along the lines of cybersecurity charitable works.

Looking back with 20:20 hindsight, what would you have done differently? I would not have let fear hold me back. In the earlier days, I was always so worried about not knowing something and feeling judged. It was freeing to finally realise that there is not a single person in cybersecurity that knows everything. We are all learning every day.

What is your favourite quote? “Efficiency is intelligent laziness.”

What are you reading now? I am reading two books right now: The Coaching Habit by Michael Bungay Stanier, and DevOps and AWS by Yughi Chan.

In my spare time, I like to… Garden. It keeps me sane. Cybersecurity is a very stressful career. Gardening lets me get outside, listen to the wildlife, get my hands in the dirt, focus on my flowers and destress.

Most people don't know that I… Am the 7th of 9 children.

Ask me to do anything but… Eat mayonnaise.