Women Reshaping the Cybersecurity Industry: Schneider Electric’s Megan Samford On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry
An Interview With Martita Mestey
Courage to be wrong — be vocal about being wrong when you are, be bold about it because it will help create an atmosphere within teams where they feel psychological safety in being transparent when they mess up. Vulnerability is a key aspect of connection.
As a part of our series, we had the pleasure of interviewing Megan Samford.
Megan Samford is a Global Cybersecurity Alliance leader and Chief Product Security Officer, Energy Management at Schneider Electric.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I grew up an 80s baby in rural southern Virginia to a single mom with an “it’s me and you against the world, kid” attitude. My mom and dad weren’t together, and my mom, like many other single moms in the area, depended on her grandparents to help watch me. It afforded me a first-class education in snapping string beans, canning vegetables from the garden, and really having one of the last traditional upbringings before the internet; we didn’t even have cable TV. I read a lot; I was independent…many relatives tell stories of me being like a tiny adult when I was a small child. I could easily converse and was interested in talking to adults…I never felt like I fit in with other children as a child. I may even act more like a boomer because I was partially raised by people who grew up in the 1920s. So, I don’t know. I may be generationally homeless.
As I got older, I developed an interest in civics, history, archaeology, and law — my interests varied across the social sciences but by my senior year had solidified more towards international relations and security. From there I went to Virginia Commonwealth University and was one of the first 20 or so folks to graduate with a degree in homeland security and political science.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
I remember seeing the movie Gattaca and it really left an impression on me. It’s obviously a very future-looking film whose plot concerns itself with how human beings utilize, in fact overly utilize, genetic research to alter themselves, and in turn society. It’s a cautionary tale of taking science too far.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Yes, an individual inspired me — I had a friend who worked for GE and was standing up their product security incident response team, and they asked me to apply for a role on the team. For a solid six months, I told this person that I wasn’t qualified, I felt I was more of a physical security person, and I didn’t know much outside of college courses on cyber. They told me, “You have the right attitude, and you understand the foundations of security…we will teach you cyber.” And that’s exactly what happened; I owe my entire cyber career to this event.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, in the event of a large-scale cyber incident, the private sector lacks a common framework to help cyber-incident responders organize and execute basic company-to-company aid, multiparty response, and most importantly, coordination with local, state, and federal government.
The goal of “Incident Command System for Industrial Control Systems,” which we refer to as ICS4ICS, is to identify how the private sector can adopt portions of the National Incident Management System (NIMS) Incident Command System to ensure coordinated, uniform and more effective cyber-incident response. Implementing ICS4ICS at scale will help the United States and its allies better coordinate more effective cyber incident response and recovery efforts within the private sector, especially critical infrastructures.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
The industry is mature, but the discipline is not, which is the underlying issue of many of cyber’s problems. There has been tremendous and urgent funding poured into ‘cyber’ problems — talent shortage, tooling, infrastructure, policy — you name it, but cyber practitioners, academia, and standards are playing catch up. We’re such a new industry, existing for around 30 or so years, that we just haven’t had people studying the “right” way to do things…people have just had to “do things.”
Secondly, and it stems from the first, is repeatable risk models. With hurricanes, fires, and floods, we have good models to predict the risk of those events positioned against any type of asset. With cyber, we have limited/incomplete data sets for incidents, so we don’t feel great about the data we have on attacks. It’s hard to say whether one asset is at greater or lesser risk than another. The best we can do is by sector, somewhat by region, and we get more of a general feeling of where there are greater concentrations of risk. I liken it to knowing that storms are circulating over a state, but we can’t predict where lightning will strike.
Third is resource allocation: we don’t properly allocate because we can’t accurately model. So you see how these three things lead to one another. We don’t do a great job of identifying where our resources can make the greatest impact. In many cases, a peanut butter spread approach is taken with cyber to provide all-around coverage. Again, this would be analogous to every business employing a firefighter based on the threat of fires.
Can you share how you are helping to reshape the cybersecurity industry?
I think of myself as the cyber emergency manager; I’m all about professionalizing cyber as a formal disaster science in the same way we study and build programs around natural disasters, pandemics, and nuclear response…it’s disaster science and it deserves to be treated as such.
As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?
Well, the first thing is to understand how attack surfaces change with more connectivity, and that always starts with an asset inventory; you can’t protect what you don’t know about. From there, whether you’re a manufacturer or an end-user customer, you want to follow a standard: pick a standard or framework like ISA/IEC 62443 or NIST and begin to execute a strategy that is in line with that standard. That way you’re not making things up, and you have a roadmap for securing your infrastructure and the assets within it. We secure components, products, and systems, and at the end of the day, supply chain: everyone is either upstream or downstream, so it’s an entire ecosystem. This involves manufacturers, system integrators, and end users. ISA/IEC 62443 provides guidance for all these stakeholder groups.
Typically, we want to achieve:
1) asset inventory
2) defensible architecture
3) anomaly detection
4) incident response capability
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
For every incident, you’re working against recovery time objectives for getting assets back online. I can’t go into specifics, but I can say it was a case like that: we knew the situation was going to get much worse unless we were able to get in, do a clean wipe after a backup, and restore. We got it accomplished because we had a predefined command structure, knew what we needed to access, had the right folks to do it, and got the job done without cascading impacts.
Main takeaways for any incident, though: 1) in most cases you won’t know it’s an incident immediately; 2) if you can get through the notification phase of an incident, you’re halfway there…just being able to reach the people you need to and get them plugged into a command structure is half the battle. Want to see just how hard notification can be? Do a zero-notice text message drill and see what your response time is for your entire team to check in.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Exfiltration of data, unknown connections to your network, file manipulation, and the main thing is JDLR — just doesn’t look right — think phishing emails, etc.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Utilize the experts: you want to hire a firm that does incident response professionally…you want to have a retainer already established, and you want to give them a call — they will explain do’s/don’ts and preservation of evidence. You’ll want to issue a statement to customers as soon as you can that clearly explains the facts as you know them and any guidance to protect them. Unfortunately, in the case of incidents, the work that needs to be done to protect a company and its customers needs to come before the incident occurs. After it has occurred, you want to follow your defined processes and most likely work with an external firm to ensure all reporting, evidence preservation, etc. is done. You’ll of course also want to do a full breach assessment to understand the extent of the breach and whether the bad guy may still have a foothold in your network.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
I have seen many companies with products directly connected to the Internet. In our industry, we refer to this as the direct exposure problem. In most cases, companies are unaware that these devices have been left directly connected and from there, attackers are able to walk right into the network. To avoid this, organizations should have an updated asset inventory, and regularly check connections. What is talking to what, and is it patched? Scanning tools can also be used to monitor the perimeter of networks and can proactively detect if a device is directly connected to the internet within your network range.
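The direct-exposure check described above, as an added illustration that is not from the interview or Schneider Electric: it reconciles a constructed asset inventory (what should be reachable from the internet, and whether it is patched) against constructed perimeter-scan results, flagging unknown hosts, unapproved exposure, and unpatched assets. The inventory fields, IP addresses, and scan format are assumptions, not any real tool's output.

```python
# Added example: reconcile an asset inventory with perimeter-scan results to
# surface the "direct exposure problem". All data below is constructed; the
# inventory fields and scan format are assumptions, not a real tool's output.
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    name: str
    patched: bool            # True if the device is on current firmware/patch level
    approved_exposure: set   # ports this asset is permitted to expose externally


# Constructed inventory using the documentation range 203.0.113.0/24.
INVENTORY = {
    "203.0.113.10": Asset("203.0.113.10", "web-proxy", True, {443}),
    "203.0.113.20": Asset("203.0.113.20", "plc-hmi-01", False, set()),
    "203.0.113.30": Asset("203.0.113.30", "vpn-gw", True, {443, 1194}),
    "203.0.113.50": Asset("203.0.113.50", "eng-ws-05", False, set()),
}

# Constructed perimeter-scan output: host -> open ports seen from the internet.
SCAN = {
    "203.0.113.10": {443},
    "203.0.113.20": {502, 80},   # Modbus/TCP and HTTP reachable from outside
    "203.0.113.30": {443},
    "203.0.113.40": {22},        # not in the inventory at all
}


def find_direct_exposure(inventory, scan):
    """Compare what the scan sees against what the inventory approves.

    Returns (severity, ip, message) tuples so findings can be ranked, which
    mirrors the interview's point about calibrating which risks matter most."""
    findings = []
    for ip, ports in sorted(scan.items()):
        asset = inventory.get(ip)
        if asset is None:
            # "You can't protect what you don't know about."
            findings.append(("high", ip, f"unknown host exposing {sorted(ports)}"))
            continue
        unexpected = ports - asset.approved_exposure
        if unexpected:
            sev = "critical" if not asset.patched else "high"
            note = "" if asset.patched else " and is unpatched"
            findings.append((sev, ip, f"{asset.name} exposes unapproved ports {sorted(unexpected)}{note}"))
    for ip, asset in sorted(inventory.items()):
        if ip not in scan and not asset.patched:
            # Not exposed today, but "is it patched?" is still part of the check.
            findings.append(("medium", ip, f"{asset.name} not externally exposed but unpatched"))
    return findings


if __name__ == "__main__":
    for sev, ip, msg in find_direct_exposure(INVENTORY, SCAN):
        print(f"[{sev}] {ip}: {msg}")
```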
Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”? (Please share a story or example for each.)
1) Command — leading with inspiration and not fear. Things are stressful in cyber and there is a lot of work to get done; with that, there can be a tendency for leaders to lead through fear: if you mess up, you’re on your own and there will be consequences. You don’t want to be that type of leader; you want to treat your team so well that they want to live up to your expectation of them. Teams always go further for inspiring leaders vs. those they’re taught to fear.
2) Comfort with ambiguity — cyber problems are complex, and taking that first step to solve a problem can be daunting; be the leader that leans into the discomfort of the ambiguity and defines the first step. Be the leader that can take the really big, entangled problems and begin to decompose them into smaller, more manageable pieces.
3) Calibration — in cyber there are many risks to be afraid of; as good leaders in cyber, it’s our job to make sure our leadership and our organizations are afraid of the right ones based on their unique profiles. In essence, you decide what is a big deal or not. Overshoot problems and you waste time, money, and resources. Underestimate problems and the consequences can be more severe. It’s the calibration of the risks that sets the tone and measure of good cyber teams. “Nec temere, nec timide” — neither rashly nor timidly.
4) Courage to be wrong — be vocal about being wrong when you are, be bold about it because it will help create an atmosphere within teams where they feel psychological safety in being transparent when they mess up. Vulnerability is a key aspect of connection.
And finally….
5) Connection — being a good cyber leader is being a good middle person. If you’re in the business of working with disparate teams across large organizations, you’re in the business of being a good middle person. You and your team depend on others, and being a door opener to other teams and capabilities will greatly enhance your arsenal of resources. It’s the better together story, and to quote Stephen Covey, “everything moves at the speed of trust”.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)
I’ve thought about this and there are a few tough contenders, but let’s face it, I’d pick Elon Musk; he’s like the Howard Hughes of our generation. I’m pretty sure it would be hard to top a breakfast or lunch with Elon Musk in terms of “wow” factor. It wouldn’t be dull for sure.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!