Secret CSO: Wendy Nather, Head of Advisory CISOs


Name: Wendy Nather

Company: Duo Security, now part of Cisco

Job title: Head of Advisory CISOs

Date started current role: December, 2016

Location: Austin, Texas

Wendy Nather is Head of Advisory CISOs at Duo Security. She was previously the Research Director at the Retail ISAC, as well as Research Director of the Information Security Practice at independent analyst firm 451 Research. Nather led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She speaks regularly on topics ranging from threat intelligence to identity and access management, risk analysis, incident response, data security, and societal and privacy issues.

What was your first job? Like many teens, I had lots of part-time jobs. I would have to say my first "real" job, with a formal, regular paycheck, was scooping ice cream and waiting tables in an ice cream parlor.

How did you get involved in cybersecurity? It was a long road through technical writing and then system administration, but I was working for a Swiss bank. They put me on a task force to evaluate whether they could outsource their IT operations without violating Swiss banking law, and after that they put me in charge of security for the EMEA region of the investment banking division.

What was your education? Do you hold any certifications? What are they? I studied liberal arts, concentrating on foreign languages and history, but I didn't finish college. I held the CISSP certification for a few years, but let it lapse. I have never completed a computer class. I took half a Fortran class in summer school one year, but that was it.

Explain your career path. Did you take any detours? If so, discuss. My entire career has been detours -- or maybe swerves, like a distracted driver. While still in college, I had an account on a department PDP-11, and learned how to format papers using nroff and troff. Soon I had jobs doing the same thing for other people, and got a job as a typist (which is one rank below that of secretary). From there, I became a technical writer, worked in QA and support, and then became a Unix system administrator.

When the trading company I was working for was acquired by a Swiss bank, I volunteered to move to Zurich. I was put in charge of the system administration team there, and after three years they moved me to London to head up security for the region. I did that for two years, moved back to the US to be part of the global security team, and then moved back to my hometown in Texas to take care of my parents. There, I got a job as the information security officer for a Texas state agency.

After five years in state government, I was ready for another change, and a friend convinced me to become an industry analyst. I joined 451 Research, and was named head of the security practice a year after that. In 2015 I helped to stand up the Retail Cyber Intelligence Sharing Center (R-CISC), and at the end of 2016 I joined Duo Security as a principal security strategist. Now I lead a team of Advisory CISOs, and Duo was acquired by Cisco in October 2018, so the environment has kept on growing.

In all this time, I've changed industries and roles on a pretty regular basis, and I don't know what opportunities will come next. There's still plenty to learn and to try out there.

Was there anyone who has inspired or mentored you in your career? Everyone who has hired me took a chance on me, for which I'm very grateful. The best bosses I've had did two things: they made sure I learned about what was happening at their own level, and they let me know what areas I needed to grow in. In terms of inspiration, there are so many people that I couldn't possibly name them all. Gene Spafford has been inspiring me and making me laugh in equal measure since 1984. I've known Jack Daniel for less time than that, but he's been doubly inspiring and amusing to make up for lost time. Every year there are more infosec professionals who are younger than I am, but they inspire me so much: Keren and Amit Elazari, Allison Miller, Brian Honan, Fernando Montenegro, Allan Friedman, Keirsten Brager, Anjana Rajan, Rich Mogull, and many more.

What do you feel is the most important aspect of your job? Trying to figure out how to make security simpler and easier for everyone. Changing it from a fuzzy standard that nobody can ever meet to a clear and supportive presence.

What metrics or KPIs do you use to measure security effectiveness? KPIs should always have a clear relation to reducing identified risks to the business or organization. They should also be in a form that incentivises risk-reducing actions. For example, if you measure the number of employees that fall for a phishing message, that doesn't lead directly to useful action. On the other hand, if you measure the number of employees that report phishing messages (especially if they did accidentally click on them), you're incentivised to improve that number in the right way, by encouraging staff to report. Select your KPIs so that they lead to real risk reduction, not just penalties if you don't meet them.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At Duo, we really don't find security hiring to be a problem. If you are open to training people up and bringing in talent from all walks of life, you can find your staff in areas where nobody else thinks to look (such as a liberal arts program!). I've hired physicists as system administrators; I found one of my best infosec people on Craigslist. As my colleague Jamie Tomasello says, "We should focus on welcoming all underrepresented and underestimated people into information security roles instead of continuously going back to the same well and saying it's empty."

Cybersecurity is constantly changing - how do you keep learning? I have to say Twitter is my most up-to-the-minute source of learning. I get news, I get discussions, I get links to articles and blogs, and I hear about new conferences, workgroups and forums all the time. I learn from my work colleagues too, especially the new ones.

What conferences are on your must-attend list? My must-attend list probably isn't the same as others' because I go to many of them to promote and support my company. In general, I encourage everyone to find a variety of conferences that represent the many subcultures of infosec. Go to hacking conferences and academic ones, attend the local grassroots events and the vertical-specific forums. A cybersecurity forum in DC is going to be very different in style and focus from a financial services one in NYC, or an appsec conference in Austin. Try to go to conferences in other countries as well.

What is the best current trend in cybersecurity? The worst? To my mind, the best current trend is usable security. Better design, retiring awkward and onerous controls that just make everyone miserable (such as memorised complex password strings), and focusing on what we can do to make life better for our customers. The worst trend is probably the one that won't die: the idea that more security is always better, so just keep piling on those layers of spackle.

What's the best career advice you ever received? My dad always encouraged me just to go out and try things. He led by example: he had a BA in English, but became a nuclear physicist, an inventor, a programmer, and an astronomer. He taught me not to sacrifice the highs in life for fear of the lows.

What advice would you give to aspiring security leaders? Listen to non-security people. They will be your best teachers.

What has been your greatest career achievement? I don't think many other people have wandered as broadly through the security landscape as I have. Just being able to look at the problem from so many different angles -- from one of the richest banks to the poorest nonprofits, from the perspective of a practitioner, an analyst, and a vendor -- has taught me a lot. I can't say that I grasp it all yet, but maybe one day I will.

Looking back with 20:20 hindsight, what would you have done differently? I can't really say that I would have done anything differently. Every step I took was a learning experience, so nothing was wasted. Maybe I would have put more money in my 401(k) earlier.

What is your favourite quote? I take the work seriously, just not myself in it. -- Henry Rollins

What are you reading now? "Working in Cybersecurity: Life on the front lines, in the C suite, and everywhere in between," by Michael Tanji. It's a series of interviews with people from many different areas of the industry, and it shows the breadth of what this real world of ours is like.

In my spare time, I like to… wonder where all my spare time went.

Most people don't know that I… have lived in six states and six countries. No, I wasn't a military kid; I just got the travel bug from my parents.

Ask me to do anything but… take notes in a meeting. I'm really bad at it. I can't even make sense of what I wrote down for myself.


IDG Connect