Women Reshaping The Cybersecurity Industry: Dr Kelley Misata Of Corelight On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
11 min read · Oct 19, 2023


The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Dr. Kelley Misata, Founder/Chief Trailblazer of Sightline Security, Senior Director Open Source at Corelight, outgoing OISF (Suricata) President, and former Tor Project Director of Communication.

Dr. Kelley Misata, founder of Sightline Security, has carved a distinctive niche in the cybersecurity landscape. As the Senior Director of Open Source at Corelight and President of OISF (Suricata), she seamlessly bridges the technical with the strategic in vital cybersecurity dialogues. Articulate and insightful, Dr. Misata brings to the forefront pressing issues like the cybersecurity imperatives of nonprofits, the significance of open-source development, and the nuanced challenges of cyberstalking and privacy. Her expertise is enriched by her pioneering research on nonprofit cybersecurity and her personal experiences as a cyberstalking survivor. Armed with a Ph.D. in Information Security from Purdue University, Dr. Misata pairs holistic security acumen with strategic business understanding.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I never thought I’d be here, in cybersecurity. I started my professional career in marketing and business development, and was always the person that was willing to take on the next big project or run with a new big idea, and always embraced the excitement and challenge around discovering new things- I was never really afraid to fall on my face, so to speak.

However, life has a way of turning things around. While I was working out on the West Coast, one of my colleagues became infatuated with me. It was an extremely scary and difficult time, and unfortunately, it became a stalking situation that went on for many years.

Through this experience, I was introduced to the security space, and to some incredible luminaries in the field who encouraged me to do something with my story and bring my perspective to the industry.

I went on to pursue my PhD at Purdue where I learned about cryptography, network security, biometrics- really the whole gamut of security. I then started my work with nonprofits to help them understand cybersecurity from a business standpoint. I became Director of Communication at Tor, became President of OISF, started Sightline Security, and now I am the Senior Director of Open Source at Corelight.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

While it is hard to pick one among the many great things that have crossed my path, there is one book and one film that stand out to me the most.

The book is called All I Really Need to Know I Learned in Kindergarten by Robert Fulghum. It is a series of different stories designed around the idea that many of the things we need to be successful in business or our professional and personal lives, are all things we were taught back in kindergarten: be kind, share, be curious, learn, try new things, etc.

The stories in this book resonate with me so much because the lessons are so applicable to our daily lives, and they serve as a good reminder that sometimes you need to take a step back and ask yourself if you are handling or approaching a situation with these core values that we were taught as children.

The movie that came to mind is called The Imitation Game. As a woman in security, this movie is so exciting to watch. You see a world problem trying to be solved through technology, but the film also demonstrates the dynamics between men and women. It is such a beautiful illustration of problem solving, mitigating risk, and thinking about how to make the world a better, safer place, all while having to make really tough choices along the way.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

The story I shared above pretty much covers it, but I’d like to add that Dr. Eugene Spafford, a professor of computer science at Purdue University and a computer security expert, who invited me to apply to Purdue, said something to me that I will always remember: “You can remain a victim for the rest of your life, or you can do something more with this experience. Why don’t you come do a PhD?” His words along with the support of Becky Bace, who was also a computer security expert and pioneer in the intrusion detection space, instilled the confidence in me that I could pursue this career.

Are you working on any exciting new projects now? How do you think that will help people?

While I am not working on any one specific project at the moment, something that I am excited and passionate about is continuing to evangelize that nonprofit organizations should be recognized just as any other business would in the security space. I am a zealous believer that we must shift our thinking about security in the nonprofit sector as not just a handout, but a component of our national critical infrastructure. Think about it- when disaster hits, who is the first on the scene?

Additionally, I constantly have my ear to the ground listening for conversations happening around securing open source software. For example, The White House recently came out with a request for information around securing open source software- so working on a response for that has been very exciting.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

One of the most exciting things coming down the pipeline in the cyber industry right now is AI and advancing technologies.

As I look back and reflect on the history of all of the pivotal moments we have faced previously, there was fear as well as excitement. I think we are living that again with these advancements. It is so exciting to be on that edge again, and people are starting to recognize the responsibility that comes with these new technologies. It is very important to remember to always look at it from both sides: What is the good, and how can we harness it- and what is the bad, and how can we get ahead of it? I think figuring this out together as an industry is a very exciting opportunity.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

  1. One of the biggest concerns that I have about the cybersecurity industry is the level of awareness. There is a perception that there is a magic solution that will keep us all safe. Many end users believe that there is one certain fix that will make the hackers go away, or make their phone or bank secure. This is a very risky way of thinking. We need to recognize that there are many more pieces to the puzzle when it comes to a proper security solution.
  2. Another concern with the security space is that we have broad sweeping assumptions, particularly about sectors within the landscape. The security space makes broad assumptions about what each sector “is” or “is not,” and tries to build solutions to address these assumptions, rather than stepping back and understanding what each sector really needs to be successful. This prevents us from realizing that some of the nuances within different sectors are what is making security challenging for them.
  3. Lastly, there is a lack of humility in the security space. We need to build humility into our work so that we can see the problems differently and more clearly. The more we let our egos get involved, the harder it will be for us to do better work.

Can you share how you are helping to reshape the cybersecurity industry?

I am helping to reshape the cybersecurity industry through my work at Sightline Security. Sightline is designed to measure where a nonprofit organization stands in terms of cybersecurity and helps to determine what areas they need help with the most. This is advancing the narrative around nonprofits, and we are acting as a voice to encourage measurement of needs so that these organizations can understand what areas need to be prioritized.

Additionally, I am aiming to help reshape the cybersecurity industry through open source, by consistently asking questions and offering insights into important discussions, like The White House’s recent request for information around securing open source software.

As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?

The most challenging part of security is the human part- we need to recognize that each of us thinks of security differently and that products, devices and vehicles all have unique nuances that require different approaches. Understanding this is a good starting point.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I was working with a sizable nonprofit organization, whose mission was to provide early education services. Unfortunately, one of the directors of this organization had created a shell company and was using this shell company to accept payments from parents, rather than running the payments through the nonprofit organization.

The board of directors for this organization began noticing that something was amiss- there were unusual transactions being run through the internet, and they came to the conclusion that there had been a data breach.

When sitting down with these folks, we were able to determine that this was not a data breach, but rather a case of fraud. This discovery was vital to this organization’s well-being. If they had continued down the rabbit hole of believing this was a cybersecurity breach, they would have wasted massive amounts of time and resources, shutting down systems, etc., and then they would have had to disclose it to their community.

The main takeaway here is that for a nonprofit, having to disclose an incident like this can be crippling, and has a massive ripple effect. It creates distrust with donors and impacts the ability to fundraise, so the fact that we were able to prevent this before it was reported as a security breach was a win.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

The biggest thing that I advise people on is always listen to your gut. Think about when you’ve gotten an unusual text message or email, you immediately go to your gut to ask yourself “what do I do.”

The more that average technology users can take a step back, take a breath, and listen to their gut, the better we will all be because our intuition will always tell us when danger is coming.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

  1. Secure your assets- Look at what’s most vital to your business. Identify the most vital assets and make sure you secure them.
  2. Take a hard look- Look at what you know and don’t know about your systems, networks and people. Establishing visibility so that you know when something is going astray is challenging for organizations of all sizes, but how else will you know if you can’t see it?
  3. Document it- Document everything, even if it seems insignificant.
  4. Rally your leadership- Don’t take it all on alone, get advice and counsel from the right people. This is why having a plan in place on how to address an incident is so important.
  5. Breathe- Take a deep breath. In high-stress situations, we forget to breathe which affects our decision making.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

The number one mistake is that organizations assume that someone else is going to keep an eye on them, whether it be vendors or companies, etc. We buy into the promise that “if you pay us” you’ll be protected. Ultimately, you cannot rely on others to point out when something is amiss, you must make sure that all external parts of your organization are accounted for when it comes to security.

Lack of visibility is something to be cautious of. The hardest thing is to recover from something that you can’t see coming. If you can see it coming, then you allow yourself more time to react and make better decisions.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

1. Be curious- Be curious all the time, even if you are crowned as an expert, because even experts suffer from imposter syndrome.

2. Embrace the ride- Embrace that you get to discover and see things from an angle that most people don’t get to see. Yes- there are bad guys out there, but we are the ones that get to uncover them.

3. Be humble- Humility will go a long way, and will help others see you in a different light.

4. Try things out- Try things out and ask questions. Open source is a great place to connect with people to try things out and ask questions- this is what makes it fun!

5. Take a pause- Whenever it gets stressful and overwhelming, breathe and take a pause, and know how to do so effectively.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I would love to have breakfast with Barack Obama. His leadership and grace under pressure are so relevant to the things we deal with in cybersecurity- and we learn so much more by stepping out of our lane and seeing how others work in their space. I would love to be able to just sit down and ask him “how did you do it?” and “how did you pull yourself together when things got hard?”

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
