Wisdom From The Women Leading The Cybersecurity Industry, With Antonette Vanasek of Vanasek Insurance

Published in Authority Magazine · Dec 5, 2021

Always give credit where credit is due — Whether it’s praise, a career opportunity, or a monetary award, make sure to recognize those who have helped you succeed publicly.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Antonette Vanasek.

Antonette Vanasek is the Founder and CEO of Vanasek Insurance and a nationally renowned cyber security insurance expert with more than 30 years’ experience in business protection for Fortune 500 companies and businesses on growth trajectories.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was always interested in computers from a young age. I remember when I was at school, whether elementary, junior high, or high school. It didn’t matter what grade level; there were always opportunities to get involved with the computer lab and spend time on the computer during class time.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I can share a mistake I made when my company was still relatively young. One of the websites we would be launching had a section dedicated to women in cybersecurity and another for a blog. The problem was that neither one of these websites worked. When you clicked to go to the sites, all you would get is an error page. So even if people are excited about your product or service, take pride in ensuring everything works 100% before releasing it to the world.

Are you working on any exciting new projects now? How do you think that will help people?

I have a policy workgroup called “National Small Business Advocacy,” where I bring together industry experts to talk about all things cybersecurity and federal government contracting. We formed to advocate for small businesses, given the pronounced pandemic crisis presented to small businesses.

I have to say information sharing and the ability to use tools to map threats to your security posture.

The other day, I was working with a customer and realized that they were having challenges because of their organization. The customer was divided into different business units, which created a common challenge.

I realized through that interaction that one of the biggest challenges we face as an industry is organizational change management. We can apply all of these fantastic technologies to provide security, but if you don’t have the proper organization in place, you have a situation where the technology will fail.

Women need to recognize their strengths and use them to pursue a career path they are interested in.

Finally, in my mind, diversity in the workplace is critical for success. I believe that diverse teams can better adapt to change and bring fresh insight into the decision-making process, resulting in successful outcomes.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

First, we need to continue to make sure people understand how important it is for everyone — not just organizations protecting critical national assets — to defend themselves actively.

Second, it’s also pretty scary the amount of data that nation-states and criminal groups have breached. This information can be used as part of building an entire profile of an individual, which goes beyond your credit card information.

The third and final thing that concerns me is our ability to do forensics and attribution when attacked. It’s great that the FBI just indicted 12 Russian military officers for their involvement with the DNC hacks last year but identifying who did it will continue to be a problem.

I think what inspires me most is that it is an industry with many challenges and opportunities. On the one hand, there are some significant threats that we face as individuals and organizations. Still, on the other hand, we can rise above those challenges and build some pretty impressive technologies that help us combat them.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain? What are the things that would hurt them most if they were compromised?

Companies need to focus on their most critical assets. So I would start by looking at those assets through the lens of “how do I know this is true?” or “can I prove that this is true?” If you can’t answer that question, then you’re susceptible to attacks.

I know this is a buzzword, but detecting and preventing breaches is critical for all organizations. We also need to be looking at ways we can identify attackers before they get into our networks, so we don’t have to spend $200,000 on remediation activities. In my opinion, ransomware is going to continue to be a challenge for businesses in 2022. Unfortunately, there are plenty of cases where this type of attack has been successful, and the damage it has caused hasn’t been easy to recover from.

I also think that we need to start thinking about our workforce differently when it comes to security. We’ll see a mass exodus of employees within the next five years as baby boomers retire and younger generations seek employment elsewhere.

This leaves organizations with the challenge of hiring talent quickly and teaching them everything they need to know about security in a short period. This will be challenging because there aren’t enough people in this space to go around, so companies need to find creative teaching, training, and building defensive capabilities.

I think there is a lot of work that needs to be done by everyone for everything to function successfully.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Multifactor Authentication (MFA)

Two-factor authentication (2FA) is a terrific way of protecting our accounts. Without it, someone could potentially take your username and password and access all of your sensitive data. However, organizations should consider moving to more secure MFA solutions because 2FA just isn’t cutting it.

Data backups

If an organization is breached, they need to restore critical data to stay afloat.

VPN

Virtual Private Networks (VPNs) are essential for protecting our data on a public network. Without it, that data is effectively unprotected and could be seen by attackers who can intercept the traffic we send over the web.

Our observation is that there are two types of organizations:

1) those who get breached and

2) those who detect the breach within 24 hours.

The reality is that it often takes time for organizations to discover breaches. Unfortunately, this lengthens the number of times attackers have to steal data or infiltrate an organization’s systems without anyone noticing. With this in mind, some of the signs read more like symptoms than indicators, so organizations must pay attention to their employees.

For example, if someone notices new logins at odd hours or on new devices, they might want to look into that further. But, ultimately, the security team’s responsibility is to do their due diligence and make sure that they’re taking a proactive approach.

Is there anything we as an audience can do to help mitigate the likelihood our data will be used against us?

Recently, there has been a big push in the media about how Facebook and Google use our data for advertising purposes.

So, what should I be doing with the services I use to ensure they’re not using my data in unethical ways?

Ultimately, it comes down to who you work for and what kind of data you handle. For example, if you work at a bank or financial institution, then there are specific protocols that you need to follow to keep your customers safe.

I don’t think that you, the average Jane or Joe, need to do much to protect yourself because it falls on companies who have a greater incentive and responsibility for protecting your information.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

There are three key things that organizations need to do when they learn about a data breach.

They need to make sure that they have the right technology and security teams in place so that any vulnerability can be patched quickly and potentially stop further damage from occurring. Second, we encourage companies to ensure transparency, so customers don’t panic and feel like they need to move their data somewhere safer. Third, we want companies to be aware of the legal and regulatory requirements that may come up, so they don’t neglect specific rules or protocols.

A lot of it comes down to a lack of security practices and awareness. So organizations need to make sure that they’re taking the necessary steps to protect their data because it helps prevent these data breaches from happening in the first place.

One fundamental mistake we see is companies sharing sensitive information over unsecured networks like public WiFi or email. So these are some steps that they should take:

Secure the internal networks with VPNs and firewalls like FireEye, Fortinet, Palo Alto Networks.

Educate employees on cybersecurity best practices through different pieces of training that help them avoid opening suspicious emails; admins should also warn employees about social engineering attacks, including phishing, vishing, and smishing.

Ask your vendors how they secure information — their attitude towards protecting data is an important indicator of whether or not it’s safe. For example, if a company does not invest in cybersecurity or awareness training for their employees, that should raise red flags for potential customers and business partners. Also, if a company does not have a cybersecurity-focused vendor management program, then that too should raise a red flag because it means they’re more likely to be breached.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I think there are a lot of issues with the lack of women in STEM, but two that come to mind are the pay gap and the difficulty finding woman mentors. Women who work in tech disproportionately hold positions that are either junior-level or non-technical roles. The truth is that these positions don’t command the same pay as a more senior or technical job. So you have this disparity between men and women because women are less likely to be in the higher paying positions; therefore, they make 20% less than their male counterparts.

Another major problem is mentorship. Unfortunately, there aren’t enough woman mentors to help guide and support women through their careers. So we need to do a better job of encouraging women who have found success themselves to become mentors for other women and girls. This encouragement needs to come from the top, whether companies or educational institutions. They all need to take an active role in asking successful women if they would be mentors.

The other thing that I think is important for companies to do when recruiting women is to look at the number of women currently in various positions and then decide how to bring more into those roles. For example, if there’s only one woman in a software engineering role out of 20 people, what can the company do to bring more women into those roles? They might need to provide incentives like coaching or support with childcare, but they need to be ready and willing to invest whatever the solution is. You can’t just hope that women will come knocking at your door; you have to make it happen.

There’s a lot of myths and misconceptions about what we do and who we are. For example, many people think that hackers are men hiding in basements, but it’s a dynamic field with more women working in it than ever before. So I would say one myth is that there aren’t many women in the industry. However, we’re here, and we want to be visible, so that means having woman-focused events at conferences, for example.

There are also myths about what our jobs are like — some people think cybersecurity is just about finding the latest malware or doing forensics on a hard drive. What I tell them is that it’s so much more than that. It’s about training employees to be better at protecting themselves online. The industry focuses on the human side of security. Hence, companies need to make sure they train their employees properly and educate them on protecting themselves both in and out of the workplace.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned from My Experience as a Woman in Tech” and why?

  1. There is no one-size-fits-all leadership style. Find what works for you and build on it while asking others how they would do things differently.
  2. Encouragement goes a long way (especially with younger generations) — Seek out and encourage those around you to do their best work.
  3. It’s okay to ask for help — You can’t know everything, so don’t be afraid to reach out when you need support or advice from someone who has walked the path before.
  4. Always give credit where credit is due — Whether it’s praise, a career opportunity, or a monetary award, make sure to recognize those who have helped you succeed publicly.
  5. Lead by example — If you only ask a team member to do what you wouldn’t do yourself, they’ll never know if it’s something you value.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I would have to say the first person that came to mind is Jen Psaki, White House Press Secretary. She’s been a massive inspiration for me. She is the epitome of cool under pressure, and I always strive to project that demeanor during times of crisis. Likewise, a client looks to me for leadership in times of extreme turmoil, which exemplifies the best leadership type.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
