Secret CSO: Anne Marie Zettlemoyer, CyCognito

Is the security skills shortage affecting your organisation? “As an industry, we talk about this a lot. I don’t believe there’s a shortage per se, but rather a disconnect in expectations and understanding of what is needed and valuable.”


Name: Anne Marie Zettlemoyer

Organisation: CyCognito

Job title: CSO

Date started current role: June 2022

Location: Washington D.C.

Anne Marie Zettlemoyer (“AMZ”), Chief Security Officer, oversees the security of CyCognito and its products. A Fellow at the National Security Institute, AMZ is also a trusted advisor for Fortune 500 companies, government agencies, law enforcement, and think tanks. Previously, she was Business Security Officer and Vice President of Security Engineering at Mastercard, responsible for protecting trillions of dollars in transactions globally. AMZ has held strategic and technical security leadership roles including the Head of Security Architecture, Engineering, and Solutions at Freddie Mac, Director of the Cyber Think Tank at Capital One, Director of Business Analytics at Mandiant, and Special Advisor for the Director of the US Secret Service. She has served on the board of directors and advisors for security companies and nonprofits, is a founding board member of Security Tinkerers, and advocated on Capitol Hill for security policies and improvements.

What was your first job? I started working when I was 15. My first gig was as a hostess at a local restaurant and, surprising to most people who know me…I was really bad at it. The problem was I was hyper-focused on execution, rather than the customer experience. I thought execution was success.

That experience helped me be a better security leader. There is an overwhelming need to execute and get to the finish line, as if there were one. Security is continuous. The experience and empowerment we provide to the business and to our partners matters, and often changes the game on how to get things done.

How did you get involved in cybersecurity? Serendipity. I was hired by a company to build a revenue protection model, and they asked me to also handle an upgrade of their payment systems. The upgrade involved quite a bit of security work, and that was the aspect of the job I fell in love with. That’s where it all started.

What was your education? Do you hold any certifications? What are they? I have an MBA from The University of Michigan—Ann Arbor—and my undergrad majors were in Finance and Accounting. I’m a Wolverine twice over. I have two certifications as well: CISSP and CEH (Certified Ethical Hacker).

Explain your career path. Did you take any detours? If so, discuss. My first security job was in DC. I was recruited from graduate school by the Secret Service as a Special Advisor to the Director.

They were looking for MBAs, and specifically for people who were strong in strategy and execution. They wanted people who could solve tough business and operational challenges, in even tougher settings. My accounting background was a surprisingly good fit for security. If you think about it, accounting and security have a lot of overlap. You have to be able to build robust, dynamic systems that are trustworthy and resilient to fraud and abuse. Principles of continuity, resilience, separation of duties, and even the good old “security” triad of Confidentiality, Integrity and Availability—are all tenets of accounting curriculums. Finance is heavy on building predictive models, managing risk and reward—and security is a risk equation.

I continued my work with various government and commercial clients while at Deloitte, then made the pivot into Mandiant, Capital One, Freddie Mac and then later became the Divisional Security Officer for Digital at Mastercard.

I am now proudly CSO at CyCognito. I was impressed by their risk-based approach to security, and their commitment to help the security team make wise, data-driven decisions on where to point scarce resources in the most effective and efficient way. I believe in their outside-in approach to security and External Attack Surface Management as a category.

Was there anyone who has inspired or mentored you in your career? I couldn’t limit it to a single person. I’m fortunate to have been inspired and supported by all different types of people, both within and beyond the security field.

But within the industry, I have a tribe of peers—CSOs, CISOs and security practitioners. We are in contact most every day, sharing knowledge and best practices. We elevate each other on tough days. You could say we are a group of mutual mentors.

That sort of camaraderie happens in cybersecurity because we are in battle every day against a common adversary.

What do you feel is the most important aspect of your job? Speaking personally, I am very mission-oriented. Wherever I go, I am protecting something worthy of protection. At Mastercard, my mission was to protect customers by keeping transactions safe. At CyCognito, my responsibility is to protect customer data and their attack surfaces. It’s all about earning and maintaining customer trust.

On the technical side, I am responsible for thinking ahead of the hackers. We know the ways in, and we have to find the attacker’s path to key assets, and warn customers before the bad guys realise they even have a path. I don’t take that responsibility lightly.

What metrics or KPIs do you use to measure security effectiveness? I will always emphasise metrics that bear on hygiene and risk informed decisions so we can find fast, fix fast, and fix completely. Good KPIs keep us from spending money to protect the wrong assets. Guessing is expensive.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As an industry, we talk about this a lot. I think the real problem is not that there is a shortage, but rather a lack of clarity about what it takes to be successful in certain roles and bias of what that looks like. I can’t tell you how many entry-level job postings I see that require five years of experience in some obscure practice area.

It’s true that there are tens of thousands of jobs that aren’t filled—but there are just as many job seekers out there who need a chance to perform at their best. So I don’t believe there’s a shortage per se, but rather a disconnect in expectations and understanding of what is needed and valuable.

Cybersecurity is constantly changing – how do you keep learning? I read. A lot. In addition to learning from my peers every day, I’m very involved in the security community, I attend conferences, I listen to podcasts and webinars, I study. Every day I work to sharpen my skills.

What conferences are on your must-attend list? I enjoy and attend a mix of national and regional conferences, including ShmooCon, RSA, DefCon, and Blackhat, nearly every year. And not just for content but for the reunion that ensues. I’m also a big fan of regional conferences like GrrCON, InfoSec Connect and ones put on by local Bsides chapters.

What is the best current trend in cybersecurity? The worst? I’m very encouraged by the move to solve the toughest, most fundamental challenges first. This includes achieving good security hygiene and visibility with guidance, as well as adopting tools that enable the practitioner to make smart, data driven decisions to effectively address risk.

What do I mean by all of this? There are so many “solutions” that focus on “finding all the things” but don’t necessarily make the life of the security team better or easier. You can flood the SIEM with alerts, but if there is little guidance on which alerts matter, then you’re not improving security—you’re actually hindering it by blinding and ultimately frustrating the analyst. Instead, analysts need clarity on what to take action on and when. So I like the solutions that provide action-oriented intelligence on what matters. Tools that enable security hygiene—which is one of the toughest challenges—are near and dear to my heart.

Trends I don’t like? Edge case, point solutions that focus on “sexy” vs. “practical”.

Also, the natural tendency to be influenced by effective marketing that pushes IT and CISOs to invest in dozens and dozens of point solutions.

What's the best career advice you ever received? Do your research and challenge your own beliefs. Know that you’re going to be wrong sometimes and you’re not going to have all the information—ever. Even if you present the most compelling case that seems like a no-brainer, it doesn’t mean that someone will agree with you or choose your recommendation—and that’s okay. Even data-driven decisions are just driven, not guaranteed. Most decisions are a blend of emotion, data (hopefully), and experience.

Another one: talent and aptitude are present everywhere, but opportunity isn’t. Work hard to find the talent, even when it doesn’t “fit the mould”.

What advice would you give to aspiring security leaders? First, understand the business you are protecting. You can’t build something that works for the business if you don’t know how the business works. Make strong relationships with legal, finance, operations, and HR—alongside engineering and product teams.

Second, look at security comprehensively, from basics like hygiene to sophisticated matters, but know that incremental improvements are better than no improvements. You don’t have to fix everything at once and you don’t need to “wait for the best / most complete” solution. There’s always an opportunity to move the needle even when you don’t have enough people or budget to build what you ideally want. Those incremental improvements pay off over time. Work toward the twin goals of reducing risk while empowering the business.

What has been your greatest career achievement? I’ve been fortunate to have some strong wins in protecting organisations—building solutions that matter, and helping companies defend and recover. But my greatest accomplishments are always centred around people—helping them get their first security job, their first promotion, their first speaking gig. It’s about helping others grow and achieve their goals.

Looking back with 20:20 hindsight, what would you have done differently? I would have taken more time to write things down versus relying on memory and caffeine.

What is your favourite quote? “Talent is equally distributed, opportunity is not.” That’s from Leslie Cornfeld.

What are you reading now? I’m reading Granted with my sons, and The Phoenix Project for me.

In my spare time, I like to… Read. So much reading. And Snacks. All the snacks.

Most people don't know that I… Am 6’2”... on Twitter.

Ask me to do anything but… Get things off the high shelf.