Wisdom From The Women Leading The Cybersecurity Industry, With Victoria Mosby of Lookout

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
May 25, 2021


The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Victoria Mosby. She has an extensive background in strategic information assurance policy, risk management, and cyber operations spanning over 11 years of service across civilian federal and armed forces agencies, including the FDIC, the United States Coast Guard, and the United States Air Force. Victoria has a dual Bachelor’s in Cybersecurity and Computer Network Security and is currently pursuing her Master’s in Cyber Forensics from Stevenson University. Since joining Lookout in 2018, Victoria has presented topics spanning Mobile Threat Landscape & BYOAD within the armed forces at several DoD cyber conferences. As a federal Sales Engineer on the Lookout Public Sector team, she supports pre- and post-sales in the Department of Defense (DOD) and other federal theaters’ technical support and integration activities.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I’m originally from Buffalo, New York, but moved to Maryland in 2008 to pursue a degree in video game programming at Montgomery Community College. I ultimately chose not to follow a degree or career in this field, instead transferring to the University of Maryland University College to complete my degrees in cybersecurity and network security after discovering my passion for cybersecurity during an internship with Federal Deposit Insurance Corporation (FDIC) that changed my perspective.

Currently, I work as a sales engineer on the federal team at Lookout. In this role, I work primarily with branches and agencies within the Department of Defense, as well as a few civilian agencies and system integrators.

My job is to provide technical expertise pre- and post-sales of our mobile endpoint security solution by providing demos, overseeing technical evaluations, deployments and integration and ongoing technical support and training. I have also spoken at a few DoD conferences on topics like the mobile security threat landscape and FISMA metrics.

From a charitable standpoint, I serve as a board member of the Lookout Foundation. The foundation provides grants, volunteer time and products to various non-profit organizations that align with my and Lookout’s organizational values to support Women in Science Technology Engineering and Math (STEM), Internet Freedom and Data Privacy, and supporting Black Communities.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My stint in technology began at a young age. When I was about seven years old, I got a Nintendo gaming system. From there, my love of video games and computers took off, and by age 10, I had a laptop. Now, keep in mind, this was back when a computer was about as thick as an encyclopedia and had limited Internet capabilities. Still, I enjoyed learning and exploring the different avenues, from building websites to owning virtual pets. In school, I wanted to continue in a similar vein. My original degree was in video gaming but eventually changed after a love/hate relationship with programming. After waking up from one too many nightmares about missing a semicolon or code that wouldn’t compile, I realized that this route wasn’t for me.

At the same time, I was completing an internship in the infrastructure branch at FDIC. Somewhat serendipitously, my office moved to the executive floor, where I mustered up the courage to pop my head into one of the offices and asked to shadow an executive for a “day-in-the-life” of a security expert. To my surprise, I was welcomed with open arms, and after a few months, I began the transition to cybersecurity.

Are you working on any exciting new projects now? How do you think that will help people?

Yes! There’s always something new in mobile security — whether it’s a threat, solution, or tool.

My oldest cellphone was more robust than my first laptop. Phones are powerful and relatively “young” technology from a security perspective, so it’s exciting to see what you can do to improve and evolve continuously.

As a sales engineer, it’s fun working with different customers in the space and educating them about the numerous tools and cyber solutions. The government gets a bad rap for slow adoption compared to its private-sector counterpart, so user awareness, education, and implementation are necessary and important. And yes, even if you only use your phone for email, security still matters.

With 90% of Americans using their mobile devices for at least some of their daily internet use, individuals and organizations are increasingly susceptible to attacks via mobile. Most people don’t realize that the devices in our back pockets are the perfect espionage tool, equipped with the resources to record audio, track location and even determine when a user picks up/puts down his or her phone. Talk about scary!

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Ransomware is not a new threat, but it gained popularity in 2020 as various hospitals, government organizations, and school districts fell victim to malicious attacks. In 2021, and the foreseeable future, ransomware threats will continue, as evidenced by recent attacks on critical infrastructure like the Colonial Pipeline and Florida Water Treatment Facility.

As remote work persists, corporate and public sector network attacks will become more commonplace due to the ubiquity of phones, tablets, and Chromebooks. A dedicated mobile security solution is recommended to protect an agency, or any organization, from phishing and ransomware, as well as app, device and network threats. Administrators must also ensure endpoint validation of all users before allowing access to organizational infrastructure.

As you know, breaches or hacks can occur even for those best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Most breaches or hacking campaigns begin with phishing. Attackers use social engineering techniques to lure users into clicking a link or page requesting personal data, account information, etc.

One of the most apparent signs of a phishing attempt is broken syntax and lousy grammar. You don’t have to be an English teacher to realize something might be awry. Secondly, links that redirect you to a website are also a red flag. Usually, these sites or attachments request your password, login credentials, or other sensitive information. Again, any organization worth its salt will not request information via attachments. Another sign, and one that is tricky on mobile, is unidentical URLs or domain emails. For example, on a desktop, you can hover over a domain email to verify that it matches the sender’s name in your mailbox (i.e., Paypal could be disguised as Paypai). On a cell phone, this is harder to detect due to the inherently small screen size.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further and protect their customers?

While there is no silver bullet to fool-proof your organization and employees against potential malware campaigns, there are several approaches that can mitigate the risk.

The first step is continuously assessing risk and ensuring devices and users are not compromised. This Zero-Trust method requires monitoring employee behavior to identify malicious activities and minimize the likelihood of an attack. Just be sure to strike a balance and set expectations to secure data while respecting user privacy.

Next, an organization should move away from the all-or-nothing approach to VPN. Instead of providing unlimited access, offer it only to the specific apps and data each employee needs. As a result, if an attacker compromises their device or account, their movement is “sandboxed” or restricted.

Lastly, modernize on-premises applications with dynamic access controls. Many organizations still have software hosted in data centers and accessible from the internet. To ensure a strong defense, update them with cloud access policies that hide the app from the public internet but still permit authorized users to access them from virtually anywhere.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

It only takes one successful phishing attempt to cripple an entire organization. To prevent unnecessary damage and incurred expenses, companies must first educate and train users to recognize new, sophisticated threats.

Additionally, implementing a Zero-Trust policy requires continual device validation to ensure devices are up-to-date and threat-free before they access data and networks. New guidance from the National Institute of Standards and Technology (NIST) is accelerating the adoption of this framework, but it’s essential to include mobile in this strategy.

Lastly, outdated operating systems, adware and risky applications are other pertinent threats facing government agencies and their constituents. Organizations should urge employees to upgrade devices regularly to prevent backdoor vulnerabilities within their applications.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

The movie Hackers came out in 1995 and I loved it, as campy and unrealistic as it is, it really made me want to get into computers and do what they did. It was really helpful that there was a strong female “hacker” character in Angelina Jolie, but it showed that even women could be part of the cool computer crowd. It also showed her as being fully capable of being effective without being reliant on her male counterparts, but also being a team player to help the group take out “The Plague.” It’s a horrible movie in terms of realism, but it’s so much fun to watch.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Unfortunately, I can’t think of any that were specifically to share.

The Cybersecurity industry seems so exciting right now. What are the three things in particular that most excite you about the industry? Can you explain or give an example?

The most exciting things going on in the cybersecurity industry from my perspective are all sort of inter-related to each other. The new COVID-19 Remote Workforce reality, increased ransomware attacks and the recent Presidential Executive Order to help combat them.

In 2020, COVID-19 forced businesses and federal agencies to make the bulk of their workforce remote and even as we begin to ease these restrictions that kept us at home, most businesses and agencies are giving serious consideration to keeping their workers remote. Telework initiatives have been a part of the federal space for a number of years, but there was always push back in the form of agencies not fully adopting it or that boss that didn’t believe their workers could be as productive outside of the office. 2020 proved that remote by and large doesn’t hamper work productivity. But it does present a new security risk for IT and cybersecurity teams who now have to protect company resources traversing the wider public internet to reach remote workers.

Ransomware & Presidential Executive Orders. The May 7th ransomware attack on the Colonial Pipeline has been at the forefront of the news for the last two weeks and highlights the very real threat to our country’s infrastructure. Other examples include the ransomware attacks against various hospitals in 2020 during the height of the COVID-19 pandemic. These threats are very real and not only damaging to businesses but have a heavy implication on human life as well. As a result, on May 12th, the Biden administration released a new Executive Order on Improving the Nation’s Cybersecurity which is causing quite the stir in the industry because it’s forcing agencies and businesses to take a very hard look at their own cybersecurity posture.

What are the three things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The new Executive Order is a great step in forcing a broader look at the cybersecurity health and hygiene, this is only the first step in a long process. The fact of the matter is that until all critical businesses and agencies have the same level of cybersecurity protections in place, there will always be a weak link to be exploited. There are a ton of legacy systems and programs out there that are still running on old technologies and software that, if exploited, could cause great damage or the loss of intellectual property. They could also be used as jump-off points to allow infiltration of more important systems within a business or agency.

So, I’d say the three things I’m more concerned about are: (1) the obsolescence of programs or systems currently being used in critical infrastructure, (2) budgeting/resources to correct and maintain them, and the (3) time it will take to update, upgrade, create relevant cybersecurity programs to protect IT infrastructure.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I haven’t been a part of any breaches or breach clean-ups.

What are the primary cybersecurity tools that you use frequently? For the benefit of our readers, can you briefly explain what they do?

My current position as a sales engineer doesn’t have specific tools that I use on a day-to-day basis, outside of the mobile device security solution we sell. I would fully recommend everyone get security for their personal device. As a part of my job though, our solution connects to and integrates with multiple other tools in the mobile security space including mobile device managers, SIEM tools for collecting and aggregating system logs, virtual machines.

In previous jobs, I’ve used Governance, Risk and Compliance (GRC) tools rather heavily. These are usually suites of tools that are used by security teams to perform security assessments on internal applications and systems, identify security flaws, manage their plan of action and milestones (POA&Ms), and more. These are fun tools to play around with because they allow for automating and tracking internal security concerns and posture.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

It’s getting better, there’s better representation in the news and media of women in the field. School and after-school programs are becoming more and more available. Greater acceptance of women into undergraduate and graduate-level cybersecurity programs, and greater pushes by companies to actively try to recruit and sponsor women-specific job fairs and conferences are on the rise. These are all the right actions to get us to where we need to be, but it’s not something that can be solved overnight. We need to get to a point where women make up more than just 24% of the cyber workforce and that will rely on continuing these efforts. Additional promotion of the cyber field at the junior high and high school level is needed to get the upcoming workforce interested in pursuing a career in cyber.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

  1. Constant long hours/late nights — Not to say that this doesn’t happen, and there are certainly some roles that are more intense than others. But you can have a healthy work-life balance while working in the cybersecurity industry.
  2. You don’t need calculus — Growing up I always heard you needed advanced math classes for a degree in cyber. I think you still might for computer science, but in my experience most cybersecurity fields don’t need math, except for calculating IP addresses. You’re more likely to need technical writing and presentation skills, over math.

What are your “5 Leadership Lessons I Learned from My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

  1. Don’t be afraid to ask questions — Many women in IT and cybersecurity tend to be very quiet in meetings, especially those just starting out. Speak up! Ask questions because that’s how you learn, and it shows your personal interest in engaging your team and absorbing the material around you. If you’re new to a team, try getting one of your new colleagues to have one-on-one lunch with you to pick their brain.
  2. Don’t be afraid to be wrong — This goes hand in hand with #1, but don’t be afraid to be wrong about something either. You might understand a problem one way but learn later that you might have had your facts wrong, that’s ok. Be ok with being wrong about something and owning up to it. Don’t blame others to make yourself look good, you don’t make friends or in-roads that way, and ultimately could isolate yourself. More importantly though, don’t be afraid that being wrong makes you look bad in front of others. Owning up to your own mistakes makes you a stronger person.
  3. Don’t be afraid to stand up for yourself — There will be times when you are passed over or it feels that way. In cases where you believe you could do the job or run a group effort but are passed over, ask yourself “does the person who was picked have the skills needed to complete the task? What do I have or know that would make me a better candidate?” Write a list of what you feel are the differences, and if you still think you would’ve been the better choice, go and speak with your boss or whoever set out the task. Have a one-on-one with them to explain your perspective on it, why you think you would’ve been great for the role and ask that they keep those things in mind for future tasks. Be polite, it could simply be that your boss wants to test your colleague to see how they perform in this task or they weren’t fully aware of your capabilities.
  4. Don’t feel entitled — There is a thin line however with feeling you were passed over vs. feeling you’re entitled to a given role because you’re a woman, a person of color, etc. No one is entitled to a job or role because of these factors alone, you need to prove you have the ability to do the job or are willing to learn and work up to it.
  5. Work life balance is key, remember that — Don’t burn yourself from both sides of the candle. This work is hard and there will be many late nights and long hours, occasionally they might interfere with your home life, but don’t make a habit of allowing that to happen. You need downtime. Time to rest, to be with family and to recharge. If you run too hard for too long, not only will your personal life suffer but your work will suffer as well.

We are fortunate that prominent leaders read this column. Is there a person in the world (or in the U.S.) with whom you would like to have a private breakfast or lunch, and why?

Not particularly. Unfortunately, I have a bad habit of not keeping up with “who’s who” when it comes to people. I like to meet people at conferences and strike up conversation, especially after a great lecture or session. I’ve been stuck at home like everyone else this past year, so I can’t think of anyone at the moment.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
