Women Reshaping The Cybersecurity Industry: Mariana Padilla Of KIKrr On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
17 min read · Jan 25, 2024

Curiosity: The end goal of cybersecurity is staying ahead of the bad guys. Curiosity and an excitement about ongoing research and about threats on the horizon will help you be successful in your goal.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Mariana Padilla.

Mariana Padilla is the founder and CEO at Red Lab Marketing and the co-founder of the Urban Farming Initiative.

Mariana has a passion for brand-building through strategic storytelling built on a deep understanding of her audience, their needs, and how best to reach them. Her marketing approach is built on empathy and creating authentic human connections.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I have a very non-traditional background for someone leading a cybersecurity startup. I grew up in northern New Mexico in a small town called Espanola (yes, the same Espanola featured in the Netflix series The Curse) and graduated from Los Alamos High School. Many of the scenes from the new Oppenheimer movie were filmed in my old stomping grounds, which was a bit surreal.

As a child I didn’t have entrepreneurs or business owners to look up to. I never even considered that to be an option for myself until the pandemic totally changed the trajectory of my career, but I am a highly competitive person, which I think is needed for this role. I started swimming competitively at age 8 and stuck with it through the first years in college. Specifically, being a distance athlete (I swam the mile) has been very helpful to my success. The long-term mentality that comes with the sport is second nature to me. I think a lot of new founders have expectations that their amazing product or idea will quickly bring them success, and that’s simply not the case. You’re constantly forced to iterate and try things over and over and over and over. If you think founding a company is a quick process, you’re in for a rude awakening.

I spent time in education and non-profit before launching my own marketing agency, Red Lab Marketing, in 2020 and then joining KIKrr. One consistent thread with everything I’ve done is storytelling. No matter if you’re talking to students, donors, clients, or VCs, the better you’re able to tell a story, the more successful you are going to be.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I’m going to get real here. A lot of people when asked this question will probably tell you about a business book they’re reading because that’s what the gurus of the industry tell you you need to be doing in order to be successful. While yes, I also read these, I truly believe that my deep love for the sci-fi genre has been instrumental to my success. I find that these works help me think outside the box and are also a good escape when the trials and tribulations of the day are getting me down.

I particularly love the Matt Dinniman series Dungeon Crawler Carl and the Dennis E. Taylor Bobiverse series. I think the common thread with both is the question of what it means to be human. If your consciousness is uploaded into a self-replicating spacecraft, are you still human? How can you retain your humanity when you’re unwillingly placed into a Hunger Games style environment where you’re fighting for your existence? The true nature of being human is something that I give a lot of thought to and appreciate works that do the same.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Prior to meeting my co-founder Craig Ellrod, cybersecurity was not an industry that I’d given a lot of thought to. I knew that protecting your digital assets was important, but beyond that, didn’t think it was an industry I’d ever be working in. However, I truly believe that cybersecurity folks are today’s true superheroes. They’re doing the hard work day in and day out to make sure criminals aren’t stealing your health records or your money and can’t shut down hospitals for ransom. This industry is truly critical to the success of all others. No matter how successful your business, without a strong cybersecurity strategy and tech stack everything you’ve worked hard to build can go up in flames overnight. We need more top minds entering this field to fight the good fight against bad actors who can and will ruin your life and livelihood.

Are you working on any exciting new projects now? How do you think that will help people?

KIKrr was born out of the idea of revolutionizing the cybersecurity industry, so pretty much everything we’re working on is exciting. However, the one that I will touch on is our World Hacker Games events. During these monthly online events, we’re pitting our team of ethical hackers against cybersecurity products to see how they perform in real time. This has never been done before. The traditional way of showcasing tools is by having a vendor give a demo and show how their tool performs against a canned attack. There is nothing exciting or authentic about it.

But now, with so many new cyber vendors entering the space, vendors need a new way to showcase their products. For the first time, they’re having to put their money where their mouth is and show us how their tool works. These events are incredibly popular with buyers of cybersecurity solutions because many have been burned in the past by vendor promises about how products work. Buyers are over the moon to have the opportunity to see in real time how these tools work, while vendors are given immediate credibility that their product works.

Ok super. Thank you for all that. Let’s now shift to the focus of our interview. The Cybersecurity industry seems so exciting right now.

What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I’m thrilled to be in cybersecurity because we’re at the forefront of change that is happening in the broader technology space. AI is going to change the trajectory of business and civilization. For those of us fighting the good fight to protect the digital world, we can now use these tools to help accelerate our work. So that’s the first thing I’m excited about.

Second, there is a rapidly growing movement within the industry to make it more diverse. I’m very lucky to have tapped into a group of men who are working hard to bring more women and people of color into cybersecurity. When you think about it, a lack of diversity can directly lead to security challenges. When the threat actors you’re up against are coming from around the world (Nigeria, the Philippines, China, Russia), it’s a legitimate risk to not have diversity of thought on your own team. So I’m grateful to my co-founder and other men in this space who are actively pushing, not just virtue signaling, to diversify the cybersecurity industry. As one of very few Latina leaders in cybersecurity, I’m thrilled to see this progress and commitment to change.

Lastly, I’m thrilled that this very critical issue that matters to ALL of us is finally getting more attention. We’re seeing more media attention around breaches and ways that consumers can protect themselves. For how critical cybersecurity is to all of us, it’s somehow managed to fly under the radar and has been seen as an issue that only impacts large corporations, but this simply isn’t the case. ALL of us have a target on our back and we need to be having more accessible conversations around basic cyber hygiene, watch outs, and ways to protect ourselves. Small businesses are the backbone of our economy but, having worked with a lot of them, I know that most know absolutely NOTHING about this space and are extremely vulnerable to having the business they’ve busted ass for years to build go up in smoke overnight because of a breach. More conversations that bring down to earth how important this topic is to all of us are welcome and encouraged.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The first thing that comes to mind, and it relates to the question above, is accessibility. Being relatively new to the space, I was SHOCKED how hard cybersecurity is to understand. There is so much jargon tossed around, and most vendors double down on fear tactics for their marketing. Yes, the idea of a breach is scary, but we need to be having wildly different conversations about why cybersecurity matters to all of us because right now, the average small business owner or consumer is so intimidated when they start to learn about cybersecurity that they’re taking the tactic of hoping for the best, thus putting themselves at risk. We need to provide consumers with more easily understandable education and conversations about cybersecurity to familiarize them with the space and empower them with the knowledge they need to protect themselves.

The second is the dirty little secret of cybersecurity that no one wants to talk about, which is the backroom deals that happen. For how big and important this industry is, there are still a lot of incestuous deals that go down. Relationships between MSSPs and Value-Added Resellers with specific vendors often mean that some products get recommended for buyers even when it’s NOT the best or most cost-effective solution. This problem is why KIKrr came to be. It was born out of the idea that we needed to empower consumers to make better purchasing decisions. Our AI-Driven try-before-you-buy marketplace is the answer to that problem. We’re allowing buyers to KIK the tires on tools on their own time without the pressure of getting on a sales call or the influence of MSSPs or VARs.

I think the last thing concerning about the cybersecurity industry is that there aren’t enough folks fighting the good fight. According to Cybercrime Magazine, there will be $3.5 million unfilled cybersecurity jobs by 2025. We need to take immediate action to rectify this. These are the people doing the work to make sure your assets don’t get stolen and sold on the dark web! Do you really want cybercriminals having access to your health records or holding hospital systems for ransom or having students’ private records released on the internet? No! No one wants this. So, we need to do a couple of things. 1) We need to start teaching coding, IT, and cyber hygiene in our schools. Our schools are absolutely failing to teach kids the skills they will need to survive in an increasingly digital economy. 2) We need to get rid of the paper ceiling. Many folks are shut out of cyber roles because they don’t have a degree but have the skills to get it done. So as an industry we need to stop shooting ourselves in the foot and hire the people that will get the job done even if that means they don’t have a Bachelor’s degree.

Can you share how you are helping to reshape the cybersecurity industry?

KIKrr and I are reshaping cybersecurity in a couple of different ways. First are our World Hacker Games events, which are essentially a proving ground for cybersecurity vendors. There are a lot of great tools out there that are getting overlooked because they’re newer and don’t have the clout of the Crowdstrikes or Armis’s of the world. Our live events are a way for them to show the world that what they’ve built is worth buying, or alternatively, weed out some of the products that are getting pushed that may not be up to snuff.

Secondly, our try before you buy marketplace is giving buyers more autonomy in the purchasing process. No one wants to get on a sales call, but the way the sales process works now, buyers are forced to do so to see the inside of a product. Our marketplace eliminates this, meaning buyers can make better, more informed purchasing decisions and ultimately, better secure their digital infrastructure.

We’re doubling down on community-led growth. As humans, we’re hard-wired to seek belonging. It’s my deep-seated belief that the companies that succeed in the future will be the ones that double down on community like we are. We have 4,000 cybersecurity professionals engaged in what we call the HACKERverse community. There, they can connect with other folks in the industry, learn about new threats, participate in our live events, AND evaluate new cybersecurity tools. We’re not just a marketplace. We ARE the single source of truth for cybersecurity buyers, vendors, researchers, and investors.

Lastly, all shoppers who come to our marketplace will be taken through an AI-onboarding tool to easily assess their needs and regulatory requirements. Eventually, this onboarding tool will provide us with a critical mass of data about our consumers. This puts us well ahead of Forrester and Gartner and we’ll know what industry trends are well before they make their annual predictions.

As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?

First and foremost, manufacturers play a pivotal role in mitigating risks associated with connected products. Embedding robust cybersecurity features during the product development phase is paramount. This means integrating security protocols and mechanisms to safeguard against potential vulnerabilities. A proactive approach to cybersecurity should be ingrained in the design and manufacturing processes.

But customers also have a responsibility to protect themselves. I think consumers have gotten complacent and assume that companies are doing their due diligence to keep their data and infrastructure safe and that isn’t always the case. It is crucial for them to be informed and vigilant about the cybersecurity features of the products they use. This involves asking pertinent questions about security measures, reading product documentation, and staying informed about potential threats.

I’ve talked about education before, but I’ll mention it again. Education is fundamental for both manufacturers and customers. Staying abreast of evolving cyber threats and adopting best practices in cybersecurity is essential. Continuous learning and adaptation to the dynamic nature of cybersecurity challenges are critical for the collective safety of the digital ecosystem.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

While detection may not be immediate, there are several signs to look for that indicate that something might be amiss:

Unusual Account Activity:

  • Keep a close eye on your accounts for any irregularities. Unexplained changes in login history, unfamiliar devices accessing your accounts, or unexpected password resets could be indicators of unauthorized access.

Unexpected System Behavior:

  • Be vigilant for unusual behavior on your devices or networks. Frequent system crashes, sluggish performance, or unexplained pop-ups may signify the presence of malware or unauthorized access.

Unexplained Data Usage:

  • Monitor your data usage patterns, especially if you notice a sudden spike in data consumption. This could be a sign of malicious activities, such as data exfiltration or a compromised device participating in a botnet.

Suspicious Emails or Messages:

  • Phishing attempts are a common method for initiating cyberattacks. Be cautious of unsolicited emails or messages, especially those urging you to click on links, provide sensitive information, or download attachments. Check sender details and verify the legitimacy of unexpected communications.

While these signs may not guarantee a security breach, they serve as potential red flags for further investigation.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Absolutely. I’ll talk through specific steps next but want to start off with the fact that the first thing you need to do is understand your legal requirements to report. There are federal regulations in place around how quickly breaches need to be reported as well as state regulations. We’re seeing some interesting developments when it comes to reporting: the AlphV cyber ransom gang filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. Now, that’s a whole conversation around the brazenness of that move, but first and foremost, you need to know your reporting requirements and stick to them.

Here are other key steps:

Contain the Breach:

  • Immediately isolate and contain the breach to prevent further unauthorized access. This may involve isolating affected systems, disabling compromised accounts, or taking other measures to limit the scope of the incident.

Communicate Transparently:

  • Open and honest communication is crucial. Notify affected customers about the breach, detailing the nature of the incident, the potential impact, and the steps being taken to address the issue. Transparency builds trust and allows customers to take necessary precautions.

Conduct a Thorough Investigation:

  • Launch an internal investigation to understand the extent of the breach, identify vulnerabilities, and determine the entry point of the attack. This knowledge is critical for implementing effective remediation measures.

Implement Remediation Measures:

  • Address identified vulnerabilities and implement security patches or updates to fortify the systems. This may involve enhancing cybersecurity protocols, updating software, and strengthening access controls.

Offer Support Services:

  • Provide affected customers with support services, such as credit monitoring or identity theft protection, depending on the nature of the breach. Demonstrating a commitment to customer well-being reinforces trust in the company.

Evaluate and Update Security Policies:

  • Conduct a comprehensive review of existing security policies and protocols. Identify areas for improvement, update policies accordingly, and implement additional security measures to prevent future incidents.

Educate Employees and Customers:

  • Reinforce cybersecurity awareness among employees and customers. Conduct training sessions to educate them about potential threats, safe online practices, and the importance of reporting suspicious activities promptly.

Engage External Cybersecurity Experts:

  • Collaborate with external cybersecurity experts to conduct a thorough assessment of existing security measures. Their expertise can offer valuable insights and recommendations for strengthening the overall cybersecurity posture.

Monitor Continuously:

  • Establish continuous monitoring mechanisms to detect and respond to potential threats in real-time. This proactive approach enhances the company’s ability to identify and thwart security incidents promptly.

By taking these comprehensive steps, a company not only mitigates immediate risks but also builds a foundation for a more resilient and secure future.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

While each case is unique, here are several errors I’ve seen that stand out to me:

Insufficient Employee Training:

  • You’ve heard it before, but to reiterate, you’re only as strong as your weakest link. We saw this play out in the August hack that took MGM hotels and casinos offline for days and ended up costing them $115 million in damages and ransom payments. One person fell for a password reset request giving cybercriminals access to the entire system.
  • Failing to educate staff about cybersecurity risks, best practices, and the evolving threat landscape leaves an organization vulnerable. Employees play a crucial role in maintaining a secure environment, and investing in their cybersecurity awareness is paramount.

Neglecting Regular Security Audits:

  • Some companies fall into the trap of assuming that once security measures are in place, they are set for life. Regular security audits are essential to identify and address potential vulnerabilities. Failing to conduct periodic assessments can result in undetected weaknesses that malicious actors may exploit.

Overlooking Software Patching:

  • Neglecting timely software updates and patches is a common oversight. Cybercriminals actively target outdated software with known vulnerabilities. Regularly updating and patching software is a fundamental practice to bolster defenses against evolving threats.

Inadequate Access Controls:

  • Granting excessive access privileges to employees without proper monitoring is a prevalent mistake. It’s essential to implement and enforce strict access controls, ensuring that individuals have the minimum necessary access required for their roles. Regularly reviewing and updating access permissions helps mitigate insider threats.

Ignoring Mobile Device Security:

  • With the prevalence of remote work and mobile devices, some companies underestimate the importance of securing smartphones, tablets, and other mobile gadgets. Ignoring mobile device security creates additional entry points for cyber threats.

Relying Solely on Perimeter Defenses:

  • Some organizations mistakenly focus solely on perimeter defenses, neglecting the need for robust internal security measures. A comprehensive cybersecurity strategy includes both perimeter defenses and measures to safeguard internal networks, systems, and data.

Lack of Incident Response Planning:

  • Failing to have a well-defined incident response plan is a critical oversight. Companies should be prepared to respond swiftly and effectively to security incidents. A lack of a structured plan can result in delays, increased damage, and prolonged recovery times.

Poor Password Management:

  • Weak password policies and poor password management are recurring issues. Encouraging strong, unique passwords and implementing multi-factor authentication can significantly enhance overall security.

Data Encryption Neglect:

  • Neglecting to encrypt sensitive data is a common mistake. Encryption adds an extra layer of protection, especially during data transmission and storage. Failing to implement encryption leaves data exposed and vulnerable to unauthorized access.

Failure to Monitor and Analyze Logs:

  • Overlooking the importance of monitoring and analyzing system logs is another mistake. Regularly reviewing logs can help detect suspicious activities and potential security incidents before they escalate.

By addressing these common pitfalls, companies can significantly enhance their overall cybersecurity posture and better protect their valuable assets.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

1. Adaptability: Cybercriminals are constantly changing their tactics. It’s imperative that you be able to adapt quickly in response. A successful cybersecurity professional is committed to continuous learning. Stay informed about the latest cybersecurity trends, vulnerabilities, and mitigation strategies. Attend conferences, participate in webinars, and engage with the cybersecurity community to stay at the forefront of industry developments.

2. Curiosity: The end goal of cybersecurity is staying ahead of the bad guys. Curiosity and an excitement about ongoing research and about threats on the horizon will help you be successful in your goal.

3. Technical Proficiency: Develop strong technical skills in areas such as network security, encryption, penetration testing, and incident response. Stay current with the latest technologies, tools, and methodologies used in the cybersecurity field. Certifications like Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), or Offensive Security Certified Professional (OSCP) can enhance your technical credentials. As I mentioned previously, I do not believe that you need a diploma to do this work. Certifications really are the determining factor for me in hiring.

4. Communication: I think this is one of the most overlooked skills in this industry. There are a lot of highly technical people who cannot communicate to others what it is that they do. Ultimately, this means that when it comes time to make the case for a promotion or petitioning for a budget for new cyber tooling, those technical folks are unsuccessful. Learning how to have accessible conversations with others is critical and something that folks entering this industry need to consider.

5. Ethical Mindset and Professionalism: Ethical behavior is fundamental in the cybersecurity field, particularly for roles involving penetration testing and ethical hacking. Upholding ethical standards is crucial for building trust with employers, clients, and colleagues. Professionalism, integrity, and a commitment to confidentiality are essential traits for success in the cybersecurity industry. For how big the whole cybersecurity industry is on paper, the community itself is relatively small and inclusive. If you burn bridges by acting unethically, word will get around and you will have a really challenging time advancing any further in the space.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I’m a huge fan of Dwayne Johnson. I think he goes out of his way to be a good human being, which I appreciate. Each of us should be doing what we can day in and day out to lift each other up. Negativity and othering dominate our society and I appreciate those who, despite being rich and famous, don’t let it get to their head and choose to uplift others. Plus, I’d love to know whether or not his biceps are actually bigger than my head. LOL

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
