8 More Women in Security You May Not Know but Should
Dark Reading highlights women who are quietly changing the game in cybersecurity. We also revisit some of those we've spoken to in the past to see what they're up to now.
March 8, 2022
![Photo of a woman's hand using cordless mouse on glass table](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt711b82660026cc1a/64f170e776d823cf8720a93e/female_hand_on_computer.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Artem Rastorguev via Adobe Stock Photo
Most cybersecurity workforce experts agree that if the industry is ever going to crack the cybersecurity talent-gap problem, it first needs to bridge the gender divide. Women make up half of the world’s population, but they still comprise less than a quarter of today’s security jobs. Yet with the right training and recruitment, women can not only broaden the pool of potential talent, they also bring different capabilities and perspectives to the job than those of their male counterparts — the kind needed to inject fresh ideas into the industry.
The good news is that after years of advocacy from women's mentoring and professional groups, it appears the needle is slowly moving on this front. Whereas in 2013 industry analysts from Frost & Sullivan estimated the percentage of female professionals in cybersecurity at about 11%, the latest figures from (ISC)2 show that has risen to 24%. Industry groups, educational organizations, internal HR, and passionate security advocates — many of whom also happen to be women — have put their shoulders into the effort to keep bolstering this number.
It shows in the young and mid-career standouts who are making waves in the industry. Anecdotally, security conferences are seeing higher participation among women experts, and many of those who are getting a seat at the table are inviting their fellow females to join in.
In that spirit, Dark Reading showcases a few of the standouts who are coming into their own or gaining increased visibility through new endeavors. This is a continuation of an ongoing, if sometimes sporadic, series that we’ve run since 2018. To keep the recognition alive, we’ve also included a few updates on women previously highlighted.
An IT and security professional with over two decades of experience, Tia Hopkins began her career in the general IT world, starting with a range of technician and support positions in the telecom space and working her way up into leadership roles at several service providers. Her shift into security specialization occurred gradually over the better part of the past decade, with roles like security solutions architect and security systems engineer.
The past four-plus years at eSentire have seen her rapidly climb the ranks from senior solutions engineer, to team lead, to several vice president positions, and now to her current leadership role. Hopkins holds two master's degrees — an M.S. in information security and assurance and an M.S. in cybersecurity and information assurance — and is now pursuing a PhD in organizational leadership. In the past several years, she has racked up an impressive number of prestigious career and leadership awards and also started teaching as an adjunct professor at Yeshiva University’s Katz School, helping to develop course work in cybersecurity for the university's master's cybersecurity degree.
Hopkins is a strong advocate for shrinking the cybersecurity talent gap by encouraging women and girls to explore cybersecurity as a career path. She is the founder of Empowe(H)er Cybersecurity, an inclusive organization focused on diversifying the cybersecurity talent pipeline by empowering, mentoring, educating, and providing career guidance and opportunities for women of color.
"I am a firm believer in radical transparency. I want others to have visibility into and feel empowered by my successes, my failures, and my lessons learned,” Hopkins says. “We are exactly who we think we are, and we can achieve whatever we believe we can achieve. I want my story to give other women — and cybersecurity professionals, in general — of color the confidence that they can stand strong, overcome obstacles, and achieve greatness."
For as hard-charging as Hopkins is in pursuing her career, education, and mentoring goals, she also leaves time for extracurriculars. She’s a player, general manager, and assistant coach for the New York Sharks women's tackle football team and was named to the American Football Events (AFE) Hall of Fame for her coaching accomplishments.
As the chief success officer at SAP, Elena Kvochko leads an international group that helps support clients' secure digital transformation across the firm’s global cloud products.
“Finding new ways to deliver value, generate revenue, improve efficiency, and enable the customers using innovative technologies and secure strategies is what attracted me to the role,” Kvochko says. “Building trust with customers is a key priority for the leadership and the board of the company, and I am excited to help lead this journey.”
An inveterate go-getter, Kvochko has earned her meteoric rise during her young career, gaining deep expertise in technology and cybersecurity within the financial industry. After a short stint in risk analysis for S&P Global, she served as an IT specialist at World Bank Group for three years and then spent another three years as the lead for the Partnership for Cyber Resilience at World Economic Forum. From there Kvochko moved to Barclays, where she served another three-plus years as first the head of global cybersecurity strategy implementation and then the chief information officer for the security group. Just prior to SAP, Kvochko worked two years at Bank of America as COO for cybersecurity technologies and then as a global information security executive. In addition, she has served as an affiliate fellow for Harvard Law School and currently teaches as an adjunct professor at Cornell University.
Over the course of that work, Kvochko has filed dozens of patents for inventions in cybersecurity, privacy, and secure financial technology. She’s also proved that she can take a step away from her desk — especially for a worthy cause. In 2017 she hiked Mt. Everest to just above Everest Base Camp as a part of a charity challenge to raise awareness for the nonprofit Refugees International.
A veteran coder and application security engineer with over two decades of experience under her belt at everywhere from small startups to large companies like Microsoft, Adobe, and Nokia, Tanya Janca is a tireless supporter of secure coding.
The author of "Alice and Bob Learn Application Security," Janca has spent the past two years building up WeHackPurple, an online academy focused on helping developers and security professionals learn how to build more secure software. Her organization offers both paid on-demand training and live virtual classes, as well as a free educational podcast and online community for professionals of all experience levels hoping to share and receive AppSec knowledge.
“We share tons of content that has helped people find jobs, do their own jobs better, and secure their organizations, even if they aren’t a paying customer,” says Janca, who adds that COVID-19 helped shape the direction of her new venture. “We moved from in-person training to live virtual training, which makes conducting business outside of Canada so much easier — no need for a visa. I’ve been able to work with people from all over the planet in such a short period of time.”
In the past two years, WeHackPurple has enrolled more than 3,000 students over 6,000 times in its range of courses. Janca says she has “personally trained several large orgs that are household names.”
She hopes to fill a void she sees in AppSec education — one she believes to be one of the most depressing trends of cybersecurity today: lack of a modern education.
“Colleges, universities, and boot camps are still teaching the old ways that lead to insecure software. People pay a small fortune to attend university. They should receive a modern education,” Janca says. “I gave a lecture at a university in 2020 and the students had never heard of DevOps, only a handful had heard of agile — from outside of school — and all their courses focused on [the] waterfall [project management methodology].”
Fortunately, if developers and security teams can be clued in about the many new tools available, “people can automate more and fret less,” says Janca, who believes there are tons of opportunities for development and security teams to reduce manual work, cut down on false positives, and make code more secure than ever.
With two decades of risk management and leadership experience in security and digital transformation, Dawn-Marie Hutchinson recently made a big change when she took on the role of chief information security officer at UK-based British American Tobacco (BAT) — amid the company's rapid digital transformation. Indeed, BAT is undergoing huge changes to support its goal to reduce the health impact of its company, which is supported by the creation of new vapor devices and other new categories of business.
“Historically, the firm didn’t have e-commerce, retail, smart manufacturing, or connected devices, and thus the very fabric of the company is changing dramatically,” says Hutchinson, who in September relocated to London to help lead security transformation during this transition. “BAT recognizes that its cybersecurity needs changed with the business and appointed me in September as CISO to deliver a leading-edge, continuously evolving cyber capability that protects and meets its needs as its business model changes.”
Hutchinson’s experience has certainly built her skills and expertise to prepare her for the task. After building her knowledge as an information security risk manager in healthcare for many years, she worked her way up to several year-long stints as a cybersecurity adviser and head of security before she landed for almost four years as executive director for the office of the CISO at security services and consulting firm Optiv. From there, Hutchinson jumped to pharmaceuticals giant GSK to first serve as CISO of the pharma, R&D and supply chain division of the firm, and then as the senior director of tech transformation. In that last role she helped with strategic and technical planning to transform the technology, security, and risk organization, creating a new operating model driven by automation and paying down technical debt in the process.
This teed up her career for her latest endeavor at BAT.
“This is some of the most exciting work I have done in my career,” Hutchinson says. “We are responsible for securing the legacy of BAT while innovating right alongside to secure the future of the company.”
A security researcher to her core, Sheila Ayelen Berta has been fascinated with finding all of the different ways to break technology since she was 12 years old. It’s been over a decade-and-a-half since then, and this relative youngster — she's not even 30 yet — has built an impressive career following that passion. Her formidable CV already includes a laundry list of important findings, international gigs, and speaking assignments credited to her name.
After years of work as a security researcher in and out of academia, in the private sector for firms like SICLabs and Eleven Paths, and as an independent worker, Berta took the helm as head of research at the Swiss firm Dreamlab Technologies in 2019. In the three years she has been there, she has built up her team from three people to 14, pushing them to explore flaws and weaknesses in a range of new and evolving technology.
“The success that allowed us to grow is something that makes me proud. Our daily work is about researching new technologies, finding their vulnerabilities, and helping [the company] to be better,” says Berta. Their investigations also spur new ideas that help Dreamlab develop new infosec products, she adds.
Berta currently serves on the Black Hat Review board, and over the course of her career she has given over 50 talks worldwide at conferences like Black Hat, DEF CON, Hack in the Box, and EkoParty.
“If I have to choose a favorite research, I choose the one I presented at Black Hat USA 2019: backdooring hardware devices by injecting malicious payloads in microcontrollers,” she says.
Of late she has been focusing research on the big data stack and blockchain-based technologies, though the bulk of her time is spent helping the members of her growing team succeed in their investigations.
“In fact, this was the biggest shift in my career so far, going from being a researcher to leading a large team of researchers and developers. It brings a lot of new responsibilities and challenges,” she says, explaining that those responsibilities grew as she was tasked with helping her crew adapt to the realities wrought by the pandemic. “I personally had to make decisions that altered some of our original plans, priorities, and road map to run things as smoothly as possible throughout this tough time. We focused on staying together, supporting each other, and giving our best to drive the team and the entire company out of the critical moment successfully.”
Dr. Haya Shulman made waves at Black Hat USA last summer when she presented research from her team at the German cybersecurity research institute Fraunhofer SIT. The research picked apart the distributed domain validation service that certificate authority Let’s Encrypt uses to run its free and open service. The team uncovered design issues that could make the service vulnerable to downgrade attacks.
This is just one very public example of a long line of research that Dr. Shulman has been involved with over the past decade. She obtained a PhD in computer science from Bar-Ilan University and has been steadily producing published cybersecurity research since then. She heads up the cybersecurity, analytics, and defenses division of Fraunhofer SIT and serves as director of public key infrastructure for Fraunhofer Society. She’s responsible for the institute’s cybersecurity strategy and projects, managing 20 researchers and a range of graduate students. In addition, she’s the leader of the Analytics Based Cybersecurity Mission for the ATHENE German National Research Center.
Most recently, Dr. Shulman accepted a prestigious LOEWE professorship at Goethe University in Frankfurt.
“As a proven expert in this field of research, Professor Shulman is of central importance for the strategy of the Goethe University for research on digital topics in general and cyber security research in particular, which includes criminal and information law research fields in addition to technical ones,” said Enrico Schleiff, president of Goethe University, in the announcement of her professorship last month.
Joanna Rutkowska has spent her entire career working on the bleeding edge of security engineering and research. Her first big splash in the research world was her presentation at Black Hat USA 2006, when she unveiled the "Blue Pill," a kernel-mode rootkit that circumvented Windows Vista’s integrity-checking security before it made it out of beta. Subsequently she led the charge on exploring insecurities in low-level systems, including hardware-based memory acquisition and Intel Trusted Execution Technology.
Rutkowska also spent a considerable amount of time working on Qubes OS — what she and co-creator Rafal Wojtczuk call a "reasonably secure OS." It’s a free, open source, security-oriented operating system that uses Xen-based virtualization to compartmentalize workloads.
After a half-decade working on Qubes concurrently with conducting research for her firm Invisible Things, Rutkowska dropped out of the security limelight, taking a sabbatical and then working in stealth mode for several years on her latest project for Golem Foundation. That quieted profile is in the process of changing, though.
Rutkowska is chief strategy officer at Golem, and her work finally came out into the open last summer with the introduction of Wildland, an open data management protocol. Rutkowska is chief architect of the project, which is billed as "docker for your data." It is designed to essentially containerize data for better privacy and security by decoupling a user’s data from the underlying infrastructure.
A dynamic security guru with a decade of success in enterprise product leadership, Kelly Shortridge’s cyber career has been the picture of well-roundedness. As a graduate with an economics degree from Vassar College, she started her career as an investment banker — picking up her initial, on-the-job cybersecurity expertise by analyzing the financial viability of data security intelligence firms. That led to her jumping into the entrepreneurial world herself, working as an entrepreneur in residence for a venture-capital firm and eventually co-founding IperLane, a mobile monitoring and access control firm that was purchased in 2016.
Since then Shortridge has been building up her expertise, experience, and relationships in the cybersecurity world across a range of cyber domains through a succession of product management, executive leadership, and advisory roles at BAE Systems, SecurityScorecard, and Capsule8. She now works as senior principal of product technology at cloud provider Fastly.
Throughout her career, Shortridge has been a strong proponent of eschewing the security status quo and embracing the principles of movements like DevSecOps and chaos engineering, while also applying behavioral economics and resilience to infosec. She’s the co-author of "Security Chaos Engineering" and spends a lot of time evangelizing for security transformation. That’s coming to fruition in her role at Fastly, where Shortridge is this month kicking off what she calls a “spicy speaker series” with security practitioners across the industry. The series is called "The Department of Know."
“I am beyond tired of all the virtual infosec events that regurgitate trite ‘wisdom,’ repackage boring status quo takes, or shill vendor stuff,” Shortridge says of her motivation to start the series with Fastly colleague Bea Hughes. “[It] digs into the messy realities of making better security actually work in organizations, while also challenging the industry folk wisdom that doesn't measure up in practice.”
When we last caught up with Marcelle Lee, she was working as a threat researcher for LookingGlass Cyber Solutions. Since then she has landed at Secureworks as a senior security researcher, focusing on emerging global threats and cybercrime. Lee says she was drawn to Secureworks because of the caliber of its research publications.
“Some of my more rewarding work has involved tracking Hades ransomware and, more recently, Cuba ransomware,” Lee says. “Also, my work on Instagram hijacking was interesting and drove home the point that organizations need to include their social media accounts in their overall risk profile.”
She has also started teaching digital forensics at University of Maryland. On top of that, she keeps busy by giving back to the security community, working with organizations including Women’s Society of Cyberjutsu, Infragard Maryland, the NIST Cyber Competitions Working Group, and the Cybersecurity Association of Maryland Advisory Council.
Krista Mikaële Théodore continues to challenge herself in her role as a cybersecurity analyst in the healthcare world, picking up a lot of valuable experience during a time that particularly flexed the skills of security professionals in her industry.
“As a security professional, I am no stranger to feeling like I am constantly putting out fires. The pandemic only fueled this to warp speed,” Théodore says, explaining that she was tasked with helping to support the urgent demand for a suddenly remote workforce. “This is compounded by the fact that I work in the healthcare industry, which has dealt with its own unique complexities as it relates to COVID-19. As a result, I have taken on more responsibilities in my role and accepted the learning opportunities that come from that.”
Some of the challenges Théodore has been working on include contributions on a CASB project and a data loss prevention program for Memorial Healthcare.
Meantime, she has also started teaching as an adjunct professor in the college of business at Florida International University, a role she relishes for not only helping to shape the cyber leaders of tomorrow, but also learning and keeping current with her own skills.
When we first highlighted Jamie Tomasello in 2018, she was senior manager of security operations at Duo Security. Her career has continued on a constant upward trajectory. She kept moving up the ranks at Duo, working for a time as head of security operations and compliance and then as head of trust and compliance. She eventually departed and, after a short stint providing feedback and guidance for the Ford Foundation’s Cybersecurity Assessment Tool, she took a position as head of security programs and GRC (governance, risk management, and compliance) at Gusto.
Just last month, she moved into her latest position, vice president of operations for compliance platform vendor ByteChek.
“I find fulfillment in coaching teams, applying empathetic systems thinking for sustainable internal operations, building trust, connecting partners, serving customers, and bringing visions into reality,” Tomasello says of the move.