Women Reshaping The Cybersecurity Industry: Jasmine Henry Of JupiterOne On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry
An Interview With David Leichner
Breaking into cybersecurity is incredibly hard, and the work we do is frequently exhausting and difficult. I wish I had been kinder to myself in my early career, particularly in those times when I didn’t feel like I was making progress toward my goals. We are all building experience and making progress, even when we don’t recognize it.
The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Jasmine Henry, Senior Director of Data Security and Privacy, JupiterOne.
Jasmine Henry, Senior Director of Data Security and Privacy at JupiterOne, is an inadvertent career specialist in data security and privacy for cloud-native startups, as well as a passionate advocate and mentor who regularly works with security practitioners from underrepresented backgrounds. Jasmine is the lead author of “Reinventing Cybersecurity: Tales of Rebellion and Resistance,” a book written by 15 women and nonbinary individuals in the industry that highlights their unique experiences through original stories. In addition to her contributions to the cybersecurity industry, Jasmine is currently finishing her PhD in Computer & Information Science with a focus on Information Quality at University of Arkansas, Little Rock.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I am a first-generation knowledge worker, which is something I’m incredibly proud of. Due to my rural, blue-collar upbringing, I don’t think I really understood the full range of career possibilities when I left for college. I originally wanted to become a Professor of Russian, even though I supported myself through college by working as a database analyst and data researcher. Ultimately, I did not receive full funding for a PhD program in Slavic Languages and Literature and had to figure out a Plan B just weeks before graduating college. In the midst of a recession, I graduated college in 2010 and reluctantly took the first job I could find, a Help Desk job. I felt like my life was over.
Looking back, I wish I had been kinder to myself since things worked out exactly how they were supposed to. I gained invaluable skills and was able to find my passion for cybersecurity, perhaps especially cybersecurity analytics and research. I earned a Master of Science in Analytics with a goal of tackling complex cybersecurity big data problems, broke into the industry with an incredible amount of persistence and countless rejections. Today, I am the Senior Director of Data Security and Privacy at JupiterOne while finishing my PhD in Computer and Information Science at University of Arkansas — Little Rock.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
Many cybersecurity professionals got their first exposure to the profession from one of three iconic 1990s movies — Hackers, Sneakers, or War Games. I particularly remember the character of Kate Libby in Hackers, played by Angelina Jolie. It was the first exposure I had to a woman in cybersecurity, and it’s honestly a portrayal and character that’s still special to me since Kate is so incredibly smart and capable. She repeatedly saves the men around her with her technical skills, a concept that was radical in the mid-90s. Honestly, her portrayal of a capable, independent and technical woman is still radical today by some standards.
About a year ago, I was lucky to collaborate with 18 other women and non-binary individuals on a book called “Reinventing Cybersecurity,” a collection of essays. CISOs, CIOs, Principal Architects, and other security leaders tell their stories and share their work in a way that is entirely practical, but also intersectional. The book is now part of the syllabus curriculum for freshman seminar courses at least 3 universities, and part of the diversity collection at many other university libraries. The authors collectively decided to dedicate the book to the memory of Becky Bace — an entirely real individual who hasn’t been commemorated in a book or film yet to my knowledge, but inspires me endlessly. Becky faced an incredible amount of adversity in her career as a BIPOC woman in cybersecurity, but she prevailed through countless obstacles.
Whenever I worry about my future and start to question whether I should have pursued a different path with more opportunities, I remember the trials of Becky and other women, including women who I am grateful to count as mentors who were required to wear skirts to work within my lifetime. Even though our work can feel like an uphill battle, I genuinely believe that so many of the women in this industry have made incremental progress, and that collectively, we will create a much more equitable world for those who come after us.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
During my freshman year of college, a Physics Professor named Dr. Roberta Bigelow looked me in the eye and told me I had potential in math and science. She recommended a particular scholarship for women majoring in STEM. No one had ever told me before that I had potential in math and science even though I’d always excelled academically in these areas.
I also had never seen representation before I met Dr. Bigelow. I grew up in a rural area and cannot recall meeting a single woman in a STEM career. This moment of confidence in my abilities probably changed my entire career trajectory and taught me the importance of telling young women they have potential in STEM. This is something all women and girls need to hear early and often!
Are you working on any exciting new projects now? How do you think that will help people?
I recently finished the annual edition of an ongoing research project, The State of Cyber Assets report. This year, I performed analysis of 388 million cyber assets and vulnerabilities using a knowledge graph data model. Ultimately, I hope that this report becomes a tool to shine light on what normal really means in a part of the world that is changing at an incredible pace, much like other important cybersecurity research projects. I hope that my peers can take some of these statistics to their leadership to advocate for critical resources like new software or hires or use the research to spark conversations with product engineers about the new normal.
The work that we do is very hard, and sometimes it can feel thankless since cybersecurity professionals often work long and unpredictable hours. The worst vulnerabilities and incidents have a habit of making themselves known at 4:00pm on a Friday. Simultaneously, many cybersecurity leaders are remarkably under resourced, and contending with the challenge of protecting against a higher number of destructive threats with fewer resources.
My peers are some of the hardest-working, most dedicated people I know. Most of us who land here and stay here are here for a few common reasons, including the fact cybersecurity work is endlessly challenging, demands constant learning, and allows us to “do the right thing” on a daily basis — really, we are not like individuals in other service-driven professions such as medicine or public safety. Despite all of the headlines about salaries, I don’t necessarily know if I’ve met anyone who works in cybersecurity due to their salary. I often joke there are easier ways to make a similar wage, and it’s true. While the wages are helpful, they’re not enough to motivate you through late nights, cancelled dinner plans, or the necessity of endless skills development. Those types of things really come from true passion for learning, solving puzzles, or making the world a safer place. And that summarizes why I am so passionate about utilizing research — and the intersection of analytics and cybersecurity — to capture cyber risk in a world where we can’t even articulate it ourselves.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
1. Greater Awareness
Cybersecurity is no longer just an obscure technical problem; the CEO, the board of directors, and investors are all paying close attention to the security of the business. Historians may write that the 2017 WannaCry ransomware attack was when CEOs realized the importance of security and the 2021 Colonial Pipeline event was when the average person understood that security mattered. The past few years have taught everyone that cybersecurity can have a profound impact on public infrastructure, human safety, business revenue, and customers. I’m grateful that folks across different business functions are paying attention to cyber.
2. More Pathways
There is not just one type of career in cybersecurity. There are many different career pathways in cybersecurity to fit individuals’ varying interests, skills, and passions. One of my favorite resources is the InfoSec Color Wheel by Louis Cremen, which provides a simple overview of some common career pathways. There are many more opportunities outside of the ‘obvious’ choices such as defensive security (or, ‘blue teaming’) and offensive security (known as ‘red teaming’).
Individuals with a passion for project management, policy, and metrics may find a fit in governance, risk, and compliance (GRC) roles. Cybersecurity educators may have a natural affinity for writing or teaching. There is an abundance of opportunities for cybersecurity professionals who specialize in software development, architecture, and DevOps. And, there are countless new pathways emerging all the time, including a new need for individuals who can secure the supply chain and manage third-party risk.
I firmly believe that we need everyone’s help to solve the toughest cybersecurity problems of today and tomorrow. It is imperative to build an industry that is more inclusive, diverse, and prepared for the future. I am excited that rising talent has more opportunity than ever to find their ideal fit in cybersecurity. While it’s still notoriously challenging to break into this field, I also believe it’s becoming easier and that gives me hope for the future.
3. Today and Tomorrow’s Women Cyber Leaders
I would be remiss if I didn’t acknowledge the countless young women who are growing as cybersecurity leaders. My mentors, peers and mentees genuinely inspire me. I am fortunate to know many dedicated, self-aware women with unlimited potential, since I know these rising leaders will leave the industry a little bit better than how they found it.
When I start to feel burnt out, I think about the amount of progress we have made in the past 10 years. I am incredibly grateful to the women who blazed this trail and made the space more inclusive and diverse.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
1. Under-resourced Cybersecurity Teams
Cybersecurity teams are no longer a niche offshoot of the IT team that’s relegated to a tiny office in the basement. Cybersecurity officers have now found a seat in the boardroom and recognition that security is a critical business function. While this recognition has had an immeasurable impact, we’re still dealing with a difficult reputation that cybersecurity is a cost center, which contributes significantly to industry issues of exhaustion, burnout, and turnover. ISC(2) data indicates that cybersecurity teams grew by just 6% in size last year — or, a team of 100 cybersecurity would have hired 6 people. Our responsibilities are expanding much faster than our budgets!
2. The Gender Equity Gap
Fewer than one-quarter of cybersecurity roles are filled by women. Women leave cybersecurity and other STEM careers at a higher rate than their male counterparts for a variety of reasons, including a lack of pay equity, a lack of opportunities for advancement, and a lack of workplace flexibility.
We need to do better and we need to stop making excuses that women just aren’t interested in STEM. A recent study found that at least 40 percent of individuals in the cybercriminal underground are female. Private industry should be at least as inclusive as the criminal underworld of the internet, and the fact that we’re not should be subject to serious discussion.
3. The Cybersecurity Big Data Problem
Cybersecurity data has a lot of the same characteristics as big data. Security teams are dealing with an incredible variety, velocity, and volume of insights from their tools and services, which means a huge amount of time is spent on correlating, storing, and analyzing this data for many reasons. Investigating a security incident, measuring security program performance, or prioritizing software vulnerabilities can all require security professionals to manually deal with data from different sources.
The rise of security data was the thesis that first inspired me to study analytics and information sciences and I am passionate about the significant, growing role that data has in the cybersecurity industry. That said, there’s a few reasons the state of security data concerns me. First, I believe we need to be very intentional about hiring, training, and growing individuals with skills in both cybersecurity and analytics to avoid a painful competencies gap. Second, I think we need to be intentional about developing multi-year cybersecurity data strategies to consider how we can build automation into the ways we compile, categorize, and query data from many different sources.
The third reason why I worry about the state of cybersecurity data is the rise of AI and the very real, near-term potential for adversarial AI to poison data in our environments. I think there’s a huge need for innovation in data solutions that can identify AI-generated false data, so we don’t act on fake threat intelligence or security alerts. As AI get more sophisticated, adversarial AI will be able to generate very convincing data that may not be detectable by a skilled analyst, so we will absolutely need people and technologies that can work in tandem to filter AI-generated data before anyone takes action.
Can you share how you are helping to reshape the cybersecurity industry?
My cybersecurity research at both work and my academic pursuits is probably the single area that I am most passionate about. The intersection of cybersecurity, big data analytics, and statistics is my perfect niche in the world, and I hope to continue publishing research throughout my career. Ultimately, if my research makes the world a slightly safer place or improves workplace quality of life for some of my peers, I will consider myself successful in my career.
I also do not look like many people in my profession. I am a woman, and I am also covered in tattoos. I have often been told that my appearance inspires individuals from underrepresented backgrounds who are trying to break into the cybersecurity field, since it shows that there is room here for everyone.
As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?
Our world is increasingly filled with smart, connected devices — including our vehicles, thermostats, stationary bikes, and even medical device implants. Not only are cybersecurity attacks more destructive than ever before, there’s a far bigger attack surface than ever. And, anytime a device has the potential for a cyber exploit, we need the capability to protect, detect, response, and recover from an incident.
More than ever, we need collaboration between technologists, legislators, and academia to protect public health and safety. Cybersecurity in a connected world is too big of a problem for any one group to solve on their own, and we cannot reasonably expect consumers to navigate these challenges on their own. I am passionate about collaboration to create standards for connected device safety and consumer education.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I am truly fortunate that I have never been part of a team that has had to deal with a major data breach with a significant impact on consumers. And, while I have plenty of stories about near-misses and false positives, one particular incident a few years ago stands out in my memory.
Essentially, several years ago, I pulled an all-nighter investigating a very serious cloud security alert with my remote colleagues in the Asia Pacific (APAC) region. I was exhausted before this incident hit since my work-life balance was terrible back then! After hours of investigation, around 6 a.m., we were finally able to completely determine the alert was a false positive — or, false alarm and there was no meaningful security risk.
This was a particularly painful response effort, since we had no mechanism to adjust, or ‘tune’ our cloud security service to avoid the same experience in the future. I was exhausted and felt frustrated toward the technology because it was a black box, meaning we had no idea what caused the false alarm and couldn’t guarantee the same thing wouldn’t happen the very next night. I also felt proud of my team, since watching a group of global colleagues pull together to handle a challenging effort is always a beautiful display of teamwork.
This particular false alarm was a huge inspiration for me deciding to finish my PhD in Computer and Information Sciences, with a focus on Information Quality. We are in the proverbial stone ages of cybersecurity and we have not yet achieved the capability to produce accurate, complete, consistent, and timely data for decision-making. There is such exciting potential for improvement in how we detect and respond to security issues in the cloud, and I wanted to contribute to research that paves the way to a more secure future.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Laypersons can play a critical role in alerting cybersecurity colleagues to an incident before it is detected through monitoring. I would recommend keeping an eye out for the following:
1. Computers that suddenly seem extremely slow, sluggish, or low on storage.
2. Computers rebooting or restarting at odd times.
3. The sudden appearance of downloaded software or new browser extensions you don’t recall installing yourself.
4. Programs opening or closing automatically without your intervention.
These can all signal a compromised work device or a malware infection.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
This is a challenging situation to address, since the specifics of a post-breach scenario can be so incredibly variable. The right response depends on whether the breach has been contained and stopped, and the severity of the incident. Ultimately, my first and most important recommendation is for organizations to engage with professionals as soon as necessary, including consultants, law enforcement, and legal counsel who can provide recommendations on requirements. Collaborating with qualified lawyers is particularly important due to the recent precedent of CISOs being held legally responsible for their actions following a data breach.
A decade ago, organizations frequently suffered a long-term loss of customer trust and revenue after a major data breach. That is not necessarily the case in 2023. Organizations can recover from a breach incident, particularly if they are very conscious about how they improve their security and rebuild customer trust.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
One of the most common mistakes, and probably the easiest mistake, has to do with organizational structure. Too often, CISOs report to Chief Financial Officers (CFOs) or Chief Product Officers. This can damage cybersecurity’s role as an independent, objective function that reports directly to the board of directors. Even worse, Cybersecurity teams can report directly into Information Technology (IT) departments which is an increasingly irrelevant place to seat Cyber since our work is so much more expansive — for example, we must work very closely with Compliance, Product, Engineering, Facilities, and countless other teams.
Organizations are nearly guaranteed to spin their wheels at achieving meaningful cybersecurity improvement if they don’t know what they’re trying to secure. A capability for automated asset inventory is the foundation for effective cybersecurity, particularly in the modern era since many cloud assets are created and destroyed automatically. While keeping an asset inventory in a spreadsheet is better than no asset inventory, it’s also not sustainable and organizations should create asset inventory first.
Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry? .
1. Self-Kindness
Breaking into cybersecurity is incredibly hard, and the work we do is frequently exhausting and difficult. I wish I had been kinder to myself in my early career, particularly in those times when I didn’t feel like I was making progress toward my goals. We are all building experience and making progress, even when we don’t recognize it.
2. Love of Learning
I think that individuals from all backgrounds are needed in cybersecurity, including individuals who pursued a traditional education pathway, military veterans, and career-switchers. But, since the field is changing so often, everyone in cyber needs to love learning since continuous education is necessary.
3. Communication and Negotiation
Verbal, written, and presentation skills are underrated as a necessity for cybersecurity professionals. You will be called upon to communicate with others, including and especially individuals from different business functions on a daily basis. You’ll need to be able to frequently switch contexts and communication styles to be effective.
4. A Mentor
I’ve had many mentors in my career and I cannot even express how grateful I am for their mentorship. Do not be nervous about asking someone to be a mentor to you. There is a lot of power in the ask, particularly if you demonstrate the fact you have prepared by doing your research and considering your goals for the mentoring relationship.
5. Focus
There is no shortage of things to do in cybersecurity — on any given day, you are guaranteed to encounter countless problems that you must prioritize and pursue. You must choose between focusing on dozens of certifications and pathways for continuing education. Individuals at all levels of career need the ability to make decisions with confidence, communicate these decisions to their teams and managers, and focus on the task at hand.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)
I can think of two women in prominent leadership roles that I admire a great deal and would be thrilled to share a meal with. As the first woman Vice President, Kamala Harris is an incredible trailblazer and inspiration for rising women leaders. I also really admire Jen Easterly, the current Director of the Cybersecurity and Infrastructure Security Agency (CISA). If you ever have an opportunity to watch her speak at a cybersecurity event, don’t let it pass you by. Easterly is an incredible, engaging public speaker.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.