Women Reshaping The Cybersecurity Industry: Johanna Baum Of Strategic Security Solutions (S3) On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine

Be accountable: Taking ownership of your path and holding yourself accountable for results is critical. No one cares more about your career than you do. Pick a goal and pursue it. Being accountable to yourself and your team means owning success, obstacles and failures. Cyber is a team sport. Ensuring you’re a resource that the team can count on greatly increases your value.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Johanna Baum.

Johanna Baum is the founder and CEO of Strategic Security Solutions (S3), a cybersecurity consulting firm specializing in identity governance & lifecycle, passwordless authentication, GRC, third-party risk management and SAP security integration on the identity side. Formerly an accountant, Johanna holds 25+ years of Cyber experience and 13 years of experience as a working mom with a blended family. Her greatest career challenge is navigating the struggle between being both an impactful business leader and present as a parent.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was a latch-key kiddo that grew up in an active household. My parents set a foundation of the necessity of hard work and the need to give each activity or event your greatest effort. That mantra still resonates with me today. I was a relatively average student (but spent a good bit of effort to be above average), played a lot of sports, and gravitated more toward the arts and music. Growing up in a household with two working parents yielded a fiercely independent little girl who followed the rules, but also questioned them constantly.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I listen to an oddly diverse set of podcasts, master classes, and audibles ranging from business, relationships, leadership, mental health, athletics and parenting – you name it – because I crave learning. I recently finished Richard Branson’s Masterclass and really enjoyed it. While few can operate with his level of risk tolerance, I have always pushed the boundary and questioned the status quo. His compelling ability to ask “why not,” challenge current thinking, pursue better solutions, lead dynamically, and stand up to intimidation is impactful.

I love understanding founders’ stories and perspectives. After hearing a number of them, similar themes of adversity, insurmountable odds, grit, and perseverance that eclipse the business world resonate. Most founders have an uphill business battle but also came from difficult personal circumstances. Branson’s story of his upbringing, repeated risk-taking, success, large failures, rebounds, and familiar lessons was fascinating.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As a young accountant, I was already working on the technical side of assurance. With my constant inquisitive approach, aptitude for puzzles, and love for technology it was a natural progression from accounting into consulting. I’d also worked my way out of being a textbook “good accountant” by inquiring well past “reasonable assurance” and into business problem-solving and tech enablement.

The transition from accounting into consulting, especially into a practice that had yet to be defined as security, seemed impossible. Yet as soon as I heard the words, “no” and “it’s never been done,” I was well into a working plan for how to turn that into a “yes.” No one looked like me, no one did what I was hoping to do for the firm, and no one believed a CyberSecurity group was necessary…but I did. I’d say it was more a challenge than an inspiration. :)

Are you working on any exciting new projects now? How do you think that will help people?

A few projects that I’ve been working on relate to trauma support for women and children and a separate initiative on increasing opportunities for women and minorities in Cybersecurity. They’re two very different projects, but both are deeply important to me. While they don’t appear connected, they do have a common thread. The gap in simple therapy for trauma victims is enormous, and so is their ability to remain safe with the significant weakness in privacy and protection laws. Many of these women are also unable to support themselves and remain in extreme circumstances because of the mere inability to earn an income. Similarly, as a woman who entered the tech sphere at a time when no practitioners looked like me, utilizing the skills I have to keep today’s female security professionals safe and create an opportunity for employment seems like a no-brainer.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

1. Tech for good. With the standard fears and concerns of AI coming closer to home with deep fakes, ChatGPT, and rising personal cyber-attacks/identity threats, the need for a focus on the positive use of technology is significant. Efforts to focus on advances for humanity are open opportunities for huge leaps in medicine, education, and global efficiency.

2. Career depth in Cyber. Cyber careers used to only advocate for tech-heavy, hands-to-keyboard, coding practitioners. Today, we are finally discussing the inclusion of critical strategic or business-focused roles. A broad range of resources can enter a desperately understaffed industry (we just need to learn how to attract them, which is one of my biggest concerns!).

3. The rise of the boutique. Focused solutions are seeing a vast increase in market traction. The market used to seek generalists and large, enterprise-level technology to solve problems that were often cost-prohibitive to many smaller organizations. In recent years, laser-focused solutions have created answers to our biggest risks and concerns for any (and every) size operation. Fortune 500 companies to small operations can each find solutions to manage cyber risks and deploy them effectively.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

1. Negative tech. There are infinite ways to abuse technology. As an advocate for tech for good, this truly concerns me. We need to invest time and resources to promote positive advances and focus. With so much funding and a nefarious desire to negatively apply tech, I’m concerned about where that rabbit hole will take us.

2. A lack of focus on strategy. Many vendors are pushing the solution to a symptom, not the root cause of the problem. Without considering the long-term needs of an organization and the strategic solutions to support business objectives, you are merely applying a band-aid. We have an absence of critical strategic thinking.

3. Narrowly or poorly defined educational programs. We can’t continue to market to the same demographic, using the same resources and in the same venues without rethinking the way we attract and educate practitioners. Many programs are in the early stages of release and development, but several areas of our practices are only available to learn on the job. We need to redefine how we educate all our practice areas and attract new avenues of resources. We also under-educate users on “why we protect what,” yet expect them to have a higher understanding of why we do what we do. Education is a significant weakness in our industry that requires an overhaul.

Can you share how you are helping to reshape the cybersecurity industry?

I have two initiatives that I’d love to help move the industry needle on. The first is to advocate for women entering the Cyber community and increasing opportunities in our space. Being not only a vocal supporter of initiatives to correct these gaps but implementing S3’s own internal programs to combat this is a first step. I can’t change an entire industry, but I can shed light on inequities and be transparent about the struggles of an employer, employee, or working mom, and potential solutions.

The second relates to simplifying the complexity of Cyber. We are hyper-focused on teaching stakeholders why strategy is so critical to Cyber initiatives. While technology is important, it can’t correct a fundamental lack of strategy. Playing whack-a-mole to correct a symptom, rather than the root cause of a problem, is not an effective Cyber strategy.

As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?

The concept of technical interconnectedness has been around for years. As our need to be more connected and efficient and have functions at our fingertips has increased, so has the attack vector and threat landscape. We may compromise safety and security for that functionality and ease of transaction. We are willing participants as we continue to push functionality and demand new features yet continue our security-blind buying patterns.

Until we demand a new level of security from manufacturers and are willing to pay for the cost of that compliance, we will have to accept the risks that accompany ownership. Ensuring a combination of security and functionality or agreeing upon a uniform level of protection and regulation to limit threats is challenging to oversee. As buyers, understand the features you use and the risks they pose. Make informed buying decisions and assess your exposure accordingly.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’ve devoted my business to helping companies develop a sound Cyber strategy, effectively manage risk, identify and address their weaknesses, and promptly respond to breaches or threats. There is always a learning experience from every breach or attempted breach, with the goal of continuous response improvement. I recall several instances where warnings were ignored and the aftermath of predicted events turned into unfortunate reality.

For each story like this, we continue to stress:

  • Acting proactively: Create swift detection and response protocols, including establishing clear communication channels and collaboration expectations across the organization.
  • Continuous maintenance: IT health and hygiene is not an annual appointment. Stay on top of updates and regular health checks including routine risk and compliance assessments.
  • Education: Employee buy-in and consistent education on risks, threats and what information is most critical to protect creates consensus, understanding, and support.
  • Keeping your eyes open: Remain vigilant and consistent with your risk profile and commitment to zero trust.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

I somewhat equate this to a warning sign with my children. When it’s too quiet, it’s time to check in. Abnormal activity is an immediate signal, but so is complete inactivity and silence. On the other side of the coin, when we are hyper-focused on preventing minor anomalies from slipping through, we have witnessed major events go unnoticed. A lack of attention to standard practices, upgrades and maintenance results in a treasure trove of opportunities for major outages, breach activity, or theft that aren’t identified due to application or network neglect.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

As humans, we are immediately wired to assign blame for a situation. This gains no ground on incident containment or protection. Immediately moving to containment, assessing the breadth of impact, and identifying factual data points to create the appropriate communication are critical steps.

Communication planning is crucial – but incredibly difficult. By identifying facts versus assumptions, you can clarify when to communicate what, why, and to whom with a fact-based message true to your organizational values. This prevents us from releasing too much or too little information to the wrong population. Remediation efforts are always important but ensuring the threat is eliminated and understanding the root cause to implement a more permanent solution is much better than temporary, repeated band-aids that devalue your reputation.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Making security a secondary priority means you are a primary target. By lacking organizational commitment to security functions and failing to protect your source of revenue generation, you are establishing a commitment to security mediocrity. This results in consistent theft, outages, breaches, inefficient operations, and limited privacy/protection of information.

The remedy is making security policies and procedures simple. Embed this philosophy of basic protection into your internal operations. Make it part of the fabric of your organization. Ensure that employees know what to care about protecting and why. Help constituents understand the financial impact of a lack of accountability or commitment to security values. This easy tie-in to operations and clarity of focus has a very positive impact on the value of security.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

  1. Be confident and trust your gut: Knowing your strengths and weaknesses can enable you to focus on where to showcase your expertise. Having confidence in your skill set will help you trust yourself and take action. If you make a mistake, own it, but also understand where you can shine.
  2. Cultivate relationships: Like every career, it helps to know someone. No matter what career path in Cyber you choose, people can unlock a wave of opportunities for you. Making a positive impact on others and investing in relationships results in building a network of support.
  3. Be accountable: Taking ownership of your path and holding yourself accountable for results is critical. No one cares more about your career than you do. Pick a goal and pursue it. Being accountable to yourself and your team means owning success, obstacles and failures. Cyber is a team sport. Ensuring you’re a resource that the team can count on greatly increases your value.
  4. Stay curious: Cyber requires us to be on a continuous quest for knowledge. That knowledge and growth mindset helps establish the skills necessary to deliver results and the confidence to thrive. Our industry changes daily. A strong desire to build skills in any area and develop a deeper understanding results in an investment in your future.
  5. Take risks: Not every risk is worth taking, but a large number of them are. Playing it safe means missing opportunities to expand, places to visit, and people to meet. In your personal and professional life, try to expand your horizons. Embrace new cultures, cuisines and activities, support new initiatives and visit new places – anything to broaden your perspective. All of these actions enrich your skills and your life, which greatly contribute to your ability to succeed.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

Not long ago, many of us read Serena Williams’ article on why she chose to end her tennis career. Her ability to do so on her own terms was incredible! In Vogue?! With an amazing photo shoot?! WHAT? She also did it at the height of her career based on the pressure of selecting one path: Champion, or Mom. This scenario keeps me up at night – not only for my household and my career, but for many of those around me. I would jump at the chance to not only talk about the courage that took, but how we can try to put a dent into the need to be forced down one path. I am not someone that selects mediocrity on all fronts, but it also can’t be binary if you have ovaries – with success in one pillar and failure in the next.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
