Wisdom From The Women Leading The Cybersecurity Industry, With Melissa Miller of NetSPI

Authority Magazine
17 min read · Dec 1, 2022


The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Melissa Miller.

As a Managing Security Consultant at NetSPI, Melissa oversees the performance of web application penetration tests by NetSPI’s security practitioners, and serves as an instructor for NetSPI University — a training program for entry-level cybersecurity professionals new to penetration testing. Melissa is also a leader on NetSPI’s DE&I committee, which includes representing the company in various public-facing speaking events, panels, and partnerships. She has her BSc in Computer Science from the University of Minnesota as well as OSCP and CEH certifications.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in Excelsior, MN. My dad was an IT professional and a tech enthusiast, so I would sometimes spend summers with him, albeit grudgingly, running Windows updates on some of his clients’ machines, writing Python programs, and even building a Python game together. That planted the seed of technology in my brain from a young age, but it wasn’t something that I ever wanted to do as a career because there was this stigma of IT professionals being “nerds” and “un-cool,” which I found out later to be a shallow statement.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

It is hard to think of a particular one because I mostly tend to listen to fiction (fantasy/sci-fi) audiobooks. I purposefully consume non-tech-related media as a way to maintain a balance between work and life.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In college, I started off trying two different majors, Pre-Med and Chemistry, and found that I was not passionate about those subjects. I finally landed in Computer Science, which I have a family background in and early exposure to, and ended up loving it.

During my junior year in college, I was doing a general security internship. My amazing mentor at the time introduced me to different fields across the company including pentesting. The concept of pentesting, which I understood as “doing bad guy activities with a good guy purpose”, fascinated me — so I went back and joined the pentesting team as an intern. The focus of the team was very much within the web application sphere, which is what I still focus on today.

What I really like about the field is that you have no choice but to keep learning always. You have to try and stay at the bleeding edge of what malicious actors are doing because they are always trying new techniques. You also see the impact of your work, which is protecting people’s and companies’ valuable data and information.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

On my first day at NetSPI, I mismatched the names and faces of two directors — one of whom was meant to be my manager. I was interested, as a new employee, in scheduling one-on-one meetings, and proceeded to talk to my “manager” about booking one-on-ones, when in reality this person works nowhere near my team. Fast forward to lunch, the two directors were saying goodbye to one another in front of me, and I thought, “they must be playing a ‘game’ where they call each other by the other’s name.” In fact, I was mistaken the whole day. At the end of the day, I figured it out by realizing that my real manager was the one who had been hanging out with me all the time. Since I became friends with both directors, I have told both this story.

Are you working on any exciting new projects now? How do you think that will help people?

Other than my technical work, what excites me the most is improving diversity and inclusion in the cybersecurity industry. With NetSPI University (NetSPI U), we provide classroom-based training, hands-on lab work, and shadowing opportunities with experts for recent graduates and aspiring professionals, with the goal of closing the widening talent gap across the industry and providing equal learning opportunities. I work with the associates of NetSPI U to ensure they are well-equipped to deal with the ever-evolving cybersecurity threat landscape and can thrive in a fast-paced corporate environment. The program is a win-win situation for both industry newcomers and the company because it makes pentesting training more accessible to people, and as a company, we benefit from it by training people for the skills we need and recruiting them afterward.

Furthermore, empowering and connecting with other women in the cybersecurity field, specifically, has been a core mission of mine, including leading NetSPI’s partnership efforts with organizations such as WiCyS (Women in Cybersecurity) and BlackGirlsHack, which aim to spotlight the contributions, perspectives, and issues facing women and girls in the industry. In August, I spoke on a panel about imposter syndrome for BlackGirlsHack’s Girls Hack Village at DEFCON 30, where I shared expert tips for navigating the industry based on my experiences.

This work has a special place in my heart because I believe the core driver of diversity and inclusion in the cybersecurity industry is accessibility, knowledge, and skills.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

  1. Accessibility. I really appreciate the open and collaborative nature of a lot of people in this industry. That “open-source” mentality leads to a lot of easily accessible resources out on the internet where, hypothetically, anyone could learn the skills required to do many jobs within cybersecurity. I like how that opens the doors to people who are passionate about the subject but might not come from a long line of cybersecurity professionals (that’s slightly tongue-in-cheek, FYI). Accessibility of a field can be one of the key contributors to greater diversity, and that’s something I’m always going to be excited about.
  2. Adaptability. I like that, for pentesting in particular, there’s an ever-changing nature to the types of exploits and attacks that we’re doing. There’s always something that you can learn more about. I’m excited about the concept of always learning and trying to improve (in my mind, if you’re not shooting for the next achievement, or next goal, what’s the point?).
  3. Technicality. While this field is accessible for someone who wants to study hard and be a part of it, many aspects of it are highly technical — especially in the pentesting realm. In addition to that definition of technical, we also incorporate a fair amount of automation in what we do. If I can, I’ll make the computer do the annoying task so I can focus on the fun ones! Simultaneously, I’m comforted by the fact that there’s a significant amount of job security in knowing that there will always need to be the human ingenuity element. The systems that we’re testing are simply too complex to leave fully up to automation, regardless of whatever the latest automated-scanner salespeople will tell you.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

  1. Experience-focused hiring. I worry that those following the traditional hiring dogma of requiring experience for everything can prevent people from entering into the Cybersec industry. It’s hard to not get caught in the “you need experience to get experience” catch-22. When I’m interviewing someone, I’d rather have someone who’s a bit more green but obviously passionate than someone who has years of experience but is just looking to coast. Fixing this one is relatively straightforward in that it requires alignment of hiring procedures and priorities with those doing the interviews to a more skills-focused viewpoint.
  2. Toothless DE&I Committees. DE&I committees run the risk of being or becoming toothless when they lack the support of those high enough in the company to enact real and potent change. To aid that, the relatively simple solution is to garner that support and have one or many people from the C level either attend meetings or appoint a go-between person that communicates initiatives to C-level folks.
  3. “Boys club” mentality. While this isn’t present in every cybersec area, it’s still very much a problem. Not only can it make it less exciting for anyone outside of the cis-male designation to want to get into cybersec, but it can chase existing diversity away from the field. The solution isn’t as easy here, but it does align with other diversity-seeking initiatives. In addition to that, ensuring that upper management is actively speaking against this mentality (i.e. laying down the law that this sort of behavior isn’t tolerated) alongside actually taking action if any is spotted in the company will go a long way in changing the tone across the field.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

I won’t pretend to be able to predict the most critical technical threats, so I’ll interpret this question as a critical threat to company engagement. Recently, we’ve seen a huge shift towards work-from-home or flexible work environments. Many people have moved to fully or partially remote work. As a result of this, we’ve seen more of what I’d call the “islanding” effect where remote workers can begin to feel like a remote island rather than a part of a larger collective. It’s difficult to beat the convenience of avoiding a long and fuel-intensive commute, but unless companies are actively engaging their remote employees, they will feel more alone and are consequently less loyal to a group that they perceive to not care about them. A danger here is to consider mandating in-office work. I believe that to be dangerous because there are many people who view that as a dealbreaker. Rather, I urge companies to lean into programs that bring people into the fold immediately after being hired (we use a buddy system at NetSPI). Additionally, embrace those pieces of technology that can bring remote and local people together (e.g. we have Slack channels for every hobby under the sun!). Creating those spaces for people to be people can do wonders for company engagement across the board.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I was involved in a social engineering engagement for a healthcare facility in which we posed as the company’s incident response team to call medical professionals and inform them that their accounts had been compromised and their passwords needed to be reset. I started the phone conversation by providing their username, which granted me some credibility, so they trusted me when I said that I was going to reset their password. I then asked them for their current password, and after gathering the credentials, proceeded to bypass the multi-factor authentication by posing as the healthcare professional with the IT team. Eventually, I was able to get on the company’s portal and had access to the internal network, the application, and a bunch of patients’ personal data.

What this experiment revealed is that organizations need to have an ongoing and extensive cybersecurity training program in place for their employees so they are familiar with insider threats, red flags, and how to respond appropriately.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The biggest one for me is Burp Suite Proxy by PortSwigger. For web application pentesters, there’s no other viable option, really. A proxy’s function is to be an intermediary between the client (e.g. a web browser) and the server. From there, we can replay specific requests and scan them (which provides a good baseline of coverage so we can spend the majority of our time on manual exploitation). Burp has a ton of extensions, many of which were contributed by NetSPI employees (I think we have around 5 or so, perhaps more). Those extensions can make Burp’s existing functionality even more useful. While it’s great for the practical aspect of testing, it’s also an organizational tool. Its history and sitemap are helpful, and the (relatively new) ability to name and group Repeater tabs is indispensable for longer tests.
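The intercepting-proxy mechanism described in the answer above, as an added example that is not part of the original interview and is not NetSPI’s or PortSwigger’s code: a minimal HTTP proxy in Python that sits between client and server, records every request/response pair in a history, and can resend any captured request with modified headers or body, which is the core of what Burp’s Proxy history and Repeater tabs provide. It assumes the client is configured to use the proxy (so requests arrive as absolute URIs), handles plaintext HTTP only (TLS interception via CONNECT and a local CA is deliberately left out), and the `DemoTarget` server, the `/account` URL and the `session=alice`/`session=bob` cookie values are constructed for the demonstration.

```python
"""Added example: minimal intercepting HTTP proxy with history and replay (plaintext HTTP only)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers are not forwarded (RFC 7230 section 6.1); Content-Length is recomputed,
# otherwise a replayed request with an edited body would carry a stale length.
DROP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "te",
        "trailer", "upgrade", "proxy-authorization", "proxy-authenticate", "content-length"}


class Entry:
    """One captured exchange: the equivalent of a row in the proxy history."""
    def __init__(self, method, url, headers, body):
        self.method, self.url, self.headers, self.body = method, url, headers, body
        self.status, self.response_body = None, b""


def forward(method, url, headers, body):
    """Send one request to its origin server; returns (status, response headers, body)."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    fwd = {k: v for k, v in headers.items() if k.lower() not in DROP}
    fwd["Host"] = parts.netloc  # the origin must see its own name, not the proxy's
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    conn.request(method, path, body=body, headers=fwd)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheaders(), data


class Proxy(ThreadingHTTPServer):
    """Listener that records every exchange and can resend any of them, modified."""
    def __init__(self, addr):
        super().__init__(addr, Handler)
        self.history = []

    def record(self, entry):
        self.history.append(entry)
        return entry

    def replay(self, index, headers=None, body=None):
        """Resend history[index] with header overrides or a new body: a one-function Repeater."""
        orig = self.history[index]
        hdrs = dict(orig.headers, **(headers or {}))
        entry = Entry(orig.method, orig.url, hdrs, orig.body if body is None else body)
        entry.status, _, entry.response_body = forward(entry.method, entry.url, hdrs, entry.body)
        return self.record(entry)


class Handler(BaseHTTPRequestHandler):
    """Accepts absolute-URI requests from a client that is configured to use the proxy."""
    protocol_version = "HTTP/1.1"

    def _handle(self):
        if not self.path.startswith("http://"):
            self.send_error(400, "expected an absolute http:// URI (point the client at this proxy)")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        entry = Entry(self.command, self.path, dict(self.headers.items()), body)
        try:
            entry.status, resp_headers, entry.response_body = forward(
                entry.method, entry.url, entry.headers, body)
        except OSError as exc:  # origin unreachable: report it rather than hang the browser
            self.send_error(502, str(exc))
            return
        self.server.record(entry)
        self.send_response(entry.status)
        for name, value in resp_headers:
            if name.lower() not in DROP | {"server", "date"}:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(entry.response_body)))
        self.end_headers()
        self.wfile.write(entry.response_body)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


class DemoTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test: echoes the Cookie it received."""
    def do_GET(self):
        body = ("cookie=%s" % self.headers.get("Cookie", "")).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def demo():
    """Browse once through the proxy, then replay the capture with a different session cookie.
    Returns (first response body, replayed response body, history length)."""
    target = ThreadingHTTPServer(("127.0.0.1", 0), DemoTarget)
    proxy = Proxy(("127.0.0.1", 0))
    for srv in (target, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/account" % target.server_port
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
        client.request("GET", url, headers={"Cookie": "session=alice"})
        first = client.getresponse().read()
        client.close()
        replayed = proxy.replay(0, headers={"Cookie": "session=bob"})
        return first, replayed.response_body, len(proxy.history)
    finally:
        for srv in (target, proxy):
            srv.shutdown()
            srv.server_close()
```

Calling `demo()` starts the target and the proxy on loopback, sends one GET through the proxy, and replays the captured request with a different session cookie; the two response bodies differ, which is exactly the kind of session-handling test a pentester runs from a Repeater tab. The Host rewrite and the hop-by-hop header stripping in `forward()` are the two details that most often break a hand-rolled proxy.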

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

For this question, I want to focus on what everyone can look for and that’s phishing/vishing. At the end of the day, people are the weakest link when it comes to security. Multi-Factor authentication doesn’t matter if you can get a person to bypass it for you.

For email phishing:

1. Hover over any links and make sure they’re going to the place where you expect them to be going based off of the context of the email.

2. Don’t open emailed files from untrusted sources. And double-check that source to make sure that it’s not one letter/character off from the legitimate source.

For voice phishing (vishing):

1. Don’t give them any information until you’ve verified they are who they say they are using trusted, in-company resources. You’re not being impolite, you’re being safe. Note that you shouldn’t just say “ok what’s your email?” and call it good if they’ve confirmed the email. Email conventions can be leaked online. Instead, send them a message via your internal Teams/Slack/etc. platform and ask “am I talking to you on the phone right now?”

2. Don’t ever ever ever give out your password. Even if they say they’re from IT and your account has been compromised and they say they’ve already changed your password to make it seem like they’re asking for your “old” password. I’ve used this scenario to great effect in my vishing campaigns and it works way too often. It doesn’t matter how much internal-only info they seem to have, this just isn’t how password reset mechanisms are performed.
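Two of the email checks above, automated as an added example that is not part of the original interview: the first compares where a link says it goes with where its href actually points (what hovering reveals), and the second flags a sender domain that is one character off a trusted one, including common lookalike substitutions. The trusted-domain list, the homoglyph table, the `registrable()` approximation (last two labels, no public-suffix list) and the sample phishing message are all constructed for the demonstration.

```python
"""Added example: automating two of the email checks above (link destination, lookalike sender domain)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader actually trusts (assumption for the demo).
TRUSTED_DOMAINS = {"netspi.com", "example-bank.com"}
# A few substitutions attackers use to forge lookalikes; illustrative, not exhaustive.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Fold common lookalike substitutions so 'rn' versus 'm' counts as zero distance."""
    d = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: the 'one letter/character off' test from the answer above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels as an approximation of the registrable domain (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like_trusted(domain):
    """True if an untrusted domain is within one edit of a trusted one after homoglyph folding."""
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(normalize(domain), normalize(t)) <= 1 for t in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Flag a From: domain that is a near miss of a trusted domain."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    domain = m.group(1).lower() if m else ""
    if looks_like_trusted(domain):
        return ["sender domain %r is one character off a trusted domain" % domain]
    return []


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag anchors whose visible text names one domain while the href goes somewhere else,
    and hrefs that point at a lookalike of a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = urlsplit(href).hostname or ""
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(dest):
            findings.append("text shows %r but the link goes to %r" % (shown, dest))
        elif dest and looks_like_trusted(registrable(dest)):
            findings.append("link goes to lookalike domain %r" % dest)
    return findings


def triage(message):
    """Run both checks over a dict with 'from' and 'html' keys; returns a list of findings."""
    return check_sender(message["from"]) + check_links(message["html"])


# Constructed sample phish in the style of the reset-your-password pretext discussed above.
SAMPLE_EMAIL = {
    "from": "IT Helpdesk <helpdesk@netspl.com>",
    "html": '<p>Your account has been compromised. Reset your password now:</p>'
            '<a href="http://netspi.com.account-verify.example/reset">https://netspi.com/reset</a>'
            '<a href="https://netspi.com/help">Help</a>',
}
```

`triage(SAMPLE_EMAIL)` returns two findings: the sender domain `netspl.com` is one edit from `netspi.com`, and the reset link displays `netspi.com` while pointing at `account-verify.example`; the genuine help link produces nothing. This is a triage aid, not a verdict: a phish that uses a freshly registered unrelated domain and honest link text passes both checks, which is why the answer above still tells you to verify out of band.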

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Easy! Pursue potent, preventative penetration testing from a reputable company that has a great reputation for robust testing methodology. Stay away from companies that rely solely on scanning and not on manual exploitation. Anyone can scan; it takes a pentester to find the deeper stuff.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

So many of the findings that I’ve discovered have been the direct result of a functionality-focused development mindset and not enough of a security-focused mindset. It’s easier said than done, but very often, developers are under such tight deadlines that they’re doing their best to focus on the functionality of the application with security, unfortunately, falling by the wayside. Without realizing it, many devs and QAers (Quality Assurance personnel) are considering how to make the app work within the context of a user who’s trying to use it like a regular user. However, malicious actors think about applications completely differently. Security needs to be built into every fiber of the development process from the start. Essential steps range from more security-focused training for devs, QAers, and everyone in between to making sure that everything’s being tested by pentesters at the end. I urge every developer and development manager to reframe the view of a security-related finding from “this is creating more work for me and my team and it’s going to impact the launch timeline” to “this is a finding that we’re catching before it becomes a massive problem, and that’s a good thing for everyone.”

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

The STEM industry is evolving to become more diverse, but there is still a “boys club” stigma associated with it. I would love to see more women and more female leaders in STEM. The main way that we can reduce the gender imbalance is to recruit more women into the field and part of that process starts with company culture. At NetSPI, the DE&I committee meets regularly to discuss the retention rate of female employees, how to create a more welcoming and inclusive workspace, and promote skills-based instead of experience-based hiring. The hiring process should be designed to include people with diverse backgrounds and identities, and companies should think of ways to expand their talent pool and the types of people they are looking for.

Companies should also collaborate with and support technology education nonprofits with grassroots approaches that empower underserved communities, especially girls and women. NetSPI partners with organizations such as WiCyS (Women in Cybersecurity) and BlackGirlsHack, which aim to spotlight perspectives on the contributions, perspectives, and issues facing women/girls in the IT industry. Promoting accessibility and equal opportunity is the first step in changing the status quo.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

In popular media, ethical hackers are oftentimes portrayed as “basement dwellers”, “hackers in the hoodie”, or someone who is socially maladjusted — but these stereotypes are far from the truth. There is no one mold of what someone in the industry looks like, and in fact, we have a variety of interests. There are so many types of people that are working even just within NetSPI. We have a Slack channel for basically every hobby under the sun — from cooking to video gaming and even rock climbing.

What a lot of people also don’t realize is that cybersecurity professionals, especially pentesters, have to be able to communicate with each other in our day-to-day collaboration to present vulnerabilities to clients in a way that they can understand and are willing to fix, so a lot of people skills and soft skills do exist in the industry beyond technical and IT skills.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

  1. Recognize the possibility and prevalence of imposter syndrome.

As mentioned, I recently spoke on a panel about imposter syndrome for BlackGirlsHack’s Girls Hack Village at DEFCON 30 where I shared some tips for navigating it based on my own experiences. When I first started my career in cybersecurity, I experienced a feeling that many of my other female peers have also experienced — that I needed to change to be “one of the guys.” Over time, I learned that my opinions and insights are just as valuable as those of my male peers. Overcoming imposter syndrome requires reshaping your view of yourself and what makes you unique in a more positive light. As such, I always make it a point to create safe spaces for employees to be themselves and feel empowered to advocate for themselves. I think recognizing the possibility of imposter syndrome and talking about it is one of the best ways to prevent the negative effects of it.

  2. Promote balance as much as you can.

Burnout is a growing problem, especially in the cybersecurity industry. It is easy to overwork because there is always going to be more work. If you set expectations too high, or outline a workload that is too heavy, it can feel like you are not accomplishing as much day-to-day. Keeping a running to-do list helps me keep track of what I have done and have yet to do, which helps me maintain balance in my own life.

On my team and with NetSPI University associates, I encourage them to take a couple of days off a quarter just to relax, and outline a couple of long weekends on the company calendar sooner rather than later.

I think it is a toxic company culture to make working hours a measuring contest and evaluate employees’ dedication based on that, and a flexible schedule that promotes balance helps to prevent that.

  3. Recognize humanity and lead with empathy. “People are the most important assets of the company” is not only a slogan but a concept that needs to be reflected in leaders’ interactions with their team members. It is important to acknowledge that work is only part of people’s lives and that employees are just individuals who need to deal with the ups and downs in life. Genuine conversations with leaders’ active and empathetic listening encourage employees to share more — allowing leaders to get to know their team members as individuals and better help them grow and stay fulfilled at work. When employees feel truly respected, valued, cared for, and accepted, they are more willing to stay and more motivated to be an integral part of the company’s purpose.
  4. Give candid performance reviews. When giving feedback — I aim to avoid the “compliment sandwich” — the idea that you praise something the employee has done well, then give some critical feedback, then wrap up with some more praise. That does not mean I want people to be unkind, but instead, I like all my compliments to be genuine rather than saying them for the sake of being nice. Also, when people are not performing well, I like to tell them as honestly and as soon as possible, so they have a clear sense of what to improve and they have time to do so.
  5. Make feedback a two-way street. Being a perfect and flawless manager is not only unrealistic but also puts a wall of fakeness between the real people I work with. I’m open with my team about my struggles so when they have struggles they are more willing to be open with me, which makes it easier for me to better help them. I also ask my team members the question about me quarterly: What should I keep, start, or stop doing? I like the format of “keep, start, stop,” and that helps me improve my management style and lets my team members know that I value their opinions.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I’ll have to answer non-technically though and say Brandon Sanderson. Or ol’ Brandy Sandy, as I like to call him. He’s my favorite author of all time and I’ve probably read 90% of his published works.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
