Women Reshaping The Cybersecurity Industry: Meghan Maneval Of RiskOptics On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
15 min read · Aug 31, 2023

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Meghan Maneval.

Meghan Maneval leads RiskOptics’ Technical Product Management team, tasked with developing and evangelizing innovative ways to solve industry problems. After more than 15 years managing security, compliance, audit, governance, and risk management programs in highly-regulated industries, Meghan joined RiskOptics in 2022 to help drive product innovation and empower our customers to achieve their objectives. Meghan is a passionate security and risk evangelist, DIBs champion, and home-renovation enthusiast specializing in process improvement and program iteration.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in Central Connecticut, in a big, Italian family, and actually, many of the families who lived in our village in Italy immigrated to the same town as my own family. Because of those strong cultural roots, I grew up immersed in the old-school Italian mentality: growing our own food, making our own clothing and we even had a water well and wood-burning stove. After high school, I chased my big-city dreams and moved to Boston, Massachusetts, where I attended Wentworth Institute of Technology. When I first started, I was a little nervous about being a minority at the school; the male/female split at that time was about 80/20. But looking back on my experience, it prepared me for a career in a male-dominated workforce. My first job was with an insurance company as an auditor. Since then, I moved across the country, started a family, earned my MBA and progressed through my career as an auditor, security engineer, and risk manager. Today, I use my experience to drive product strategy and lead open conversations about the future of risk management.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Yes, the book is called “Redefining Cybersecurity” by Jupiter One. I found it really cool because each chapter is a story about a different woman in the cybersecurity field, whether it be a CISO, technical analyst or something in between. I saw myself in many of their stories. They cover struggles that they had, their path in the industry and how they tackled challenges. It showed me that my struggles aren’t uncommon after all — that was comforting.

At RSA in 2022, a handful of the authors held a book signing, so I of course met them. Meeting them in person really hammered home the idea that, “If they can do this, I can do this.” They helped me find my voice. Since then, I’ve felt more confident voicing my opinions and thoughts to the industry.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My journey in cybersecurity started with compliance and auditing. When I had my first job as an auditor, my boss described the common path: people start in the audit department, they learn about the company and then they decide where they want to work in the company.

As I continued my auditing career, I found that the longer I stayed in audit, the more I enjoyed it. I liked reading the regulations, assessing controls and understanding how to improve the business as a whole. As I began gravitating towards the security side of auditing — technical mechanisms and controls — I found my true passion. At that point, I moved into an information security analyst role solely focused on security controls and supplemented that experience with various cybersecurity certifications. From there, I began leading an information security team, which then led me to build the company’s first risk management program. This springboarded me toward an all-remote global organization where I expanded the existing governance, risk, and field security programs. After deploying and using ZenGRC (RiskOptics’ flagship product) at two of those organizations, I joined the team leading the design and strategy of our new product, ROAR.

When I look back on it, I think of my pursuit of a career in cybersecurity as a snowball effect starting with my first boss’ guidance. Use your current position to identify your next goal. I’ve carried that momentum through my career so far and it’s worked out pretty well!

Are you working on any exciting new projects now? How do you think that will help people?

With RiskOptics, I am part of the team designing the ROAR product, so to me that’ll always be exciting. But right now, I am also working on building a women in leadership program at RiskOptics. We have a phenomenal group of women across varying positions and this is an opportunity to create more avenues for support, mentorship and advocacy among this group. One of our vice presidents asked me to spearhead this program to build a community that spans internal team members and the broader industry.

Let’s face it. We’ve made progress and there are more women working in cyber today than 10 years ago, but it’s still a male-dominated industry. As such, there are times when we as women don’t feel welcomed or safe — and it’s important for that to be acknowledged. For example, some colleagues of mine asked if I was planning to attend a prominent industry event, and I told them no. I opted not to attend this event because of personal safety considerations. For me, the threats of sexual assault or harassment in a big city, like in this example, were reason enough to forgo this event. I want to ensure that all women in the industry have the knowledge and opportunity to make educated decisions like that to ensure their safety.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

The first one is AI — who isn’t excited about automation? But what’s really fascinating to me is that there’s a lot of AI use for the sake of using AI. A lot of people are talking about the benefits, but the value does not always outweigh the risks. There’s a certain level of exposure that comes with this technology, whether it’s access to data from other companies or potential ethical considerations. For example, Amazon was using AI to screen resumes, with past resumes serving as the criteria and training data for who would make a suitable candidate. Because of this, masculine pronouns, or things that are typically associated with men, were being favored by the AI because the bulk of the accepted resumes that it learned from were men. So, companies assume that AI is helping, but in reality, it’s all about the data that’s being fed into it and then the pruning of that data to fine-tune it for unbiased use.

Another hot topic in the industry is the increase in state-specific privacy regulations. For example, in the U.S., HIPAA is a national regulation or standard for healthcare. But when it comes to data privacy, each state is developing its own initiative — there is no federal standard. What we end up with is a variety of slightly differentiated regulations. If organizations are doing what they were supposed to be doing for data privacy in California, new regulations shouldn’t be very different from what they were tracking against already. Regardless, it’s a confusing landscape to navigate and keep up with manually.

The third topic is the rise of diversity, equity and inclusion in cybersecurity and technology. Recently, the Black Hat USA 2023 conference recognized the Cybersecurity Woman of the Year Award winners. It seems minor, but we have to appreciate the progress we’ve made with that caliber of award at a major event like that. It’s telling of the shift we’re seeing in the industry where all kinds of diversity are recognized, not just gender. I hope to see more categories including neurodivergent and other underrepresented groups in the future.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The first is the overreliance on automation. Organizations often use a “set it and forget it” strategy that can cause some big problems. Automation takes fine-tuning and oversight, otherwise, organizations open themselves up to more risk. Consider an organization that relies on automated patching to remediate vulnerabilities but never actually reviews if all servers are patched. This false sense of security comes from overreliance on automation, which leaves organizations even more susceptible to potential data breaches and attacks.

Another concern is the use of compliance to demonstrate security. Compliance and security are not the same. Hackers don’t care if you’re compliant. When organizations focus on passing audits, they are unable to see the true threats and vulnerabilities lurking in their environment.

The biggest concern for me is the return to office trend. Remote work has unlocked so many possibilities for underrepresented groups and it would be heartbreaking to see some of those possibilities eliminated. More than that, it’s a win-win for companies. Remote work greatly expands their talent pool — applicants are no longer limited to driving distance to the office. Not to mention the missed opportunity for greater innovation and creativity with more diverse perspectives at the table.

Can you share how you are helping to reshape the cybersecurity industry?

I’m really proud to be a part of the team designing the ROAR platform at RiskOptics. It’s a first of its kind in terms of risk automation. The ROAR platform uses information about your business and compliance activities to provide a real-time risk posture and suggest mechanisms to mitigate those risks. I designed the spec for the back-end algorithm behind the automation. I remember when I was doing the research thinking to myself, “How is it that no one else is doing this?” This is going to change how companies see their risk, and it’s an absolute joy talking to customers and seeing those ‘a-ha’ moments. I remember the first time I saw it in live code, I cried happy tears.

I’m also a very active cybersecurity, risk management and DEI evangelist, conducting webinars, speaking engagements, podcasts and bylines. It’s been empowering to get my voice out there and see the responses. And it’s very rewarding to feel like I am helping others through challenges.

As products, devices, and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?

First and foremost, organizations need to be thinking about layering their defenses, rather than only relying on an audit or compliance. An analogy I like to make is that people can protect themselves and their data just like a castle protects its crown jewels. Organizations need to leverage audits, compliance, risk management, technical tools and monitoring tools just like a castle would protect its jewels with a moat, alligators, a large wall, a dungeon, a guard and a safe. Combining these defenses gives organizations visibility into their business to see where the highest areas of risk are, and from there, remediate those risks.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I was working as the risk manager for an organization that had a relationship with SolarWinds when they had their infamous incident a few years back. In my role, I oversaw third-party risk management, focused mainly on compliance. When SolarWinds notified organizations of the incident, my boss came to me with a handful of questions like: “Do we use SolarWinds? How many of our vendors use SolarWinds? What does SolarWinds do for us? What controls do we have in place?” At the time, my team and I had very little visibility into those answers. This was one of the first times I fully understood just how difficult it is to identify the impact of these types of incidents on an organization. It’s possible that even though your own organization wasn’t breached, your vendor may have, or your customer may have. Without that visibility, organizations don’t have insight into the full impact of the incident.

It taught me that organizations need to be more focused on their third-party relationships. Consider the types of data they can access, what critical systems they connect to, or if they’re a sub-processor — all of these increase the impact they have on your business. With that information, organizations are then able to tie that vendor directly to a business process, assess the criticality of the vendor and potentially adjust the cadence of assessments for them. The key here is that organizations need to have visibility into third-party relationships to understand potential risks and how to keep your organization safe.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Usually the signs are pretty subtle, but one of the bigger ones that I see is unusual social media activity. It could be as simple as an account you’re familiar with posting things out of the ordinary, the language sounding a bit off or a change in the tone. Another one is when you start getting weird, unusual pop-ups on your laptop, computer or phone. The subtlety of these signs is really the hard part about these types of hacks and breaches. A lot of times they’ll infiltrate and then wait. They’re testing that company or person to see if they’ll respond, which is why a lot of times you’ll get multiple phishing campaigns. They make it difficult to pick up on these signs. My recommendation is that if you see something unusual happening on your device, report it. In my experience, more often than not, it’s just a system bug, but it’s always better to be safe than sorry.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Certainly organizations must contain the damage and remediate the issue. But to me, the most important step a company should take after an incident is to communicate. It’s wild how many companies try to hide things, or even lie about incidents. What’s worse is they release information with no sustenance to it. We need to be transparent with our customers. Breaches happen, but it’s how we learn from them that is important. Organizations that try to lie or cover incidents up send a clear message to customers that they don’t value security.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

First, the reliance on backward-facing data to drive forward-looking initiatives. I see this a lot with compliance-focused organizations. Audits rely on past data and point-in-time checks. Oftentimes, leadership believes that because you can pass an audit, you must be secure. But what happens if the next day, there is a new vulnerability or a control fails? I don’t think we, as GRC practitioners, properly explain the purpose of an audit to company leadership. As a result, they might assume they’re safe and deprioritize security investments.

Instead, organizations need to consider the risk to their organization and the current exposure when presenting recommendations to leadership. You need to tie security investments directly to company objectives and return on investment.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

  1. First and foremost is building a network and support system. I also recommend finding a mentor, even if it isn’t necessarily someone in cybersecurity. At one point I had the CFO of my company as my mentor because I liked his style of leadership, and it provided me with opportunities to grow and learn from someone that I looked up to. On top of having a professional mentor, I find having a personal support system is just as important. I could not do what I do in my career without my husband. He is the glue that holds our family together. I travel a lot, I’m on calls, I have a lot of mentally intensive, time-consuming work, and my husband is there every step of the way. The way I see it, having someone who can support you is sort of like being a flower in a garden, and the cyber world is like the Arizona sun beating down on you all day long. You need someone to come in and water that soil. You need someone to make sure that you’re not burning out. If you don’t necessarily have a family member, close friend, colleague or mentor, there are networking groups that can help people find that support system.
  2. You also need research skills or questioning skills. Questioning everything is the world of cybersecurity. There are really no two companies that are exactly the same or do exactly the same thing, so that means there is always room for new ways of securing them. By being inquisitive and questioning, you can earn yourself a much stronger understanding of the cybersecurity landscape as a whole. Having that knowledge is extremely beneficial as you continue to grow your career and help defend against a myriad of threats.
  3. You also need to have thick skin. Working in the cybersecurity industry is hard, especially for incident management and frontline support workers. When cyber incidents happen, they’re the ones taking the brunt of the frustration and anger from impacted users or coworkers. They want to know what happened and why it happened as soon as possible. Resiliency and thick skin allow cybersecurity professionals to put aside the emotions of a tense situation and simply do their job to remediate in a timely manner.
  4. You also need a strong understanding of the internet and how it works. I say that because you don’t necessarily need to have a thorough, in-depth knowledge of all things IT and networking, but you have to understand some of the basics. The cybersecurity industry is ever-changing, so cyber professionals need to remain agile with the industry in order to stay sharp in their position. You don’t have to be an expert; there are always going to be experts if you need more than what your knowledge allows, but having broad knowledge and then continuing to learn from it will support a successful career. It’s funny, I received my MBA 12 years ago and recently began a doctoral program. The school wouldn’t accept the credits from the MBA because they are considered outdated. Concepts change, so I’m thankful that I’m gaining that new information rather than starting from that base of knowledge that’s 12 years old. It’s the same with my cybersecurity knowledge. Attending conferences and webinars helps improve your understanding of trends and challenges. I’ve continued to add and build my skills over the years, so while I may not have had the credits roll over, continuing to learn on my own has made the transition and pursuit of my doctorate much easier.
  5. Last, and most importantly, you have to be weird. We’re all weird, and embracing that we’re all weird brings in different, creative points of view that drive teams forward. If there’s an incident and you can’t fix it the same way you did last time, or the same way another company fixed it, having multiple people thinking about out-of-the-box solutions will create so many more options. The more we all embrace our weirdness, the more creative solutions we end up with.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why?

Lieutenant Joe Kenda. He retired from the Colorado Springs Police Department after many years as a homicide detective. He had a TV show called “Homicide Hunter” as well. I watched the show, I’ve read his books and there’s just something about him that really connected with me. He’s weird, he thinks about things differently and he never really backs down from challenges throughout his career. I respect him and his style because he gets justice for people; he’s not afraid to take hard cases, the cold cases. As a survivor of ongoing sexual abuse as a teen, I wish I had a Joe Kenda in my life. The people responsible were never brought to justice, so while it happened 20-something years ago, I still have that feeling that they got away with it, and they probably went out and did more.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
