Wendy Nather jokingly describes herself as a recovering CISO. She started out as a director of IT security in financial services and CISO in state government. She then turned her talents to the "business side of security" and became a research director at 451 Research and the Retail Cyber Intelligence Sharing Center.
In December, she joined Duo Security, an authentication software-as-a-service pioneer in Austin, Texas, as principal security strategist. Marcus Ranum caught up with Nather to discuss her journey from private and public sector CISO to information security strategist, and the industry trends she has noticed along the way.
How did you wind up in computer security?
Wendy Nather: I started when I was 12. I told my dad one day that I was bored -- by the way, don't ever tell your parents that you're bored -- so he tossed a BASIC manual at me and said, 'Go make the bell on the teletype ring.' [The code looks like this: 10 PRINT CHR$(7).] That's how I started in programming: a combination of boredom and my dad having access to that kind of thing. He wrote one of the first Fortran compilers and was already in computing at a very early stage. Later on, in college, he gave me my first account on a department PDP-11 [DEC minicomputer], and that was handy because I could print out my college papers, which felt like cheating to me.
I used an ASR-33 [teletype terminal], too!
Nather: Since user groups were pretty small back then, I wound up hanging out with the system administrators. Then, because I could already use nroff/troff [document processing and typesetting tools for the UNIX operating system], I got my first job doing formatting on the side for people's papers and for the computer science department. I found that I made more money than if I had stuck with the liberal arts degree that I was going to get. I became a technical writer. I documented Gosling EMACS [text editor developed by James Gosling] for Unipress Software, then moved into system administration when I went to work for a trading firm in Chicago -- it just snowballed from there.
I finally got into security when I was managing a UNIX system admin team in Zurich, and the Swiss bank I was working for decided to outsource their IT operations to Perot Systems. That was how I wound up on a task force that was trying to figure out how much we could outsource without violating Swiss banking law. From there, they put me in charge of security for the EMEA region. I kind of wandered into security; it was, 'Well, you want me to do that? OK. I guess I can do that…'
I found the field fascinating because it was so irregular. Nobody really seemed to know how to think about it, except for the formal systems/Orange Book [Trusted Computer System Evaluation Criteria] crowd, and they were off in impractical la-la land.
Nather: We were all making stuff up as fast as we could. This was in the mid-90s, and we did our bank's first internet presence in the form of a website. I had two or three teams of engineers all checking each other's work because we were all really nervous about what this was going to be like.
Since then, what have you been doing?
Nather: I've wandered from thing to thing because there is so much out there. I worked for the Swiss bank, and I had a really big budget; then I went home to Texas and worked for a state agency that had a really tiny budget. In fact, I had a zero budget. That was a whole new set of challenges: doing security on no money. Then I became an industry analyst and looked at the business side of security, the industry as a whole. It's incredibly broad: We were covering 1,200 security vendors at a time.
I don't know about other fields, but security seems to be so dynamic, fad-driven and important … What do you think of the internet of things?
Nather: (Laughs) I think we're on a trajectory for profound change. It used to be that everyone who worked in computing or who created anything was expected to be technical, and therefore we felt confident in making fun of them if they messed up -- we were all on the same playing field. But now, there are manufacturers that don't have any feel for the security side of things. It's not fair to look down our noses at them, and it's really becoming democratized in a way, but we do have to help them.
I had a phone call, a few weeks ago, with a major device manufacturer that has a significant chunk of a particular home market, and they were dumbfounded to realize that they had to worry about the release level of the Linux distribution inside their product. The executive I was on the phone with kept saying: We don't want to deal with this; we just want to make good [devices]. We want to make this go away.
Nather: It's very much like in medicine: We go to doctors because they presumably know more than we do. You can take two approaches -- you can either insist on knowing and understanding everything, checking your own lab results, doing your own research, getting second opinions and managing your health. Or you can just take the prescription and do what the doctor tells you to do. But no one would stand for a doctor saying, 'How could you not know what that protein level means? I mean, really!' I think we need to stop doing that.
There's a certain minimal amount of knowledge you need to have about something in order to govern the process effectively. My father sounds like he was pretty similar to yours in that he felt it was important for me to learn how to change the oil in a car. Not because I needed to always change the oil, but because I needed to know what it looked like when it was done right, what it took, what it cost. In IT, this comes down to governance.
Nather: That does sound familiar. We're still 'naming and shaming,' but at some point companies are going to start pushing back: 'Wait a minute, we've been getting really crappy unsecured stuff and it's our problem?'
Annoyance is an indicator of where the market is going to go next.