Chenxi Wang: From Security Research to Developing the Next Generation of Security Leaders

If you want to know how much has changed in information security over the past 15 years, just ask Chenxi Wang. The renowned investor, executive, former industry analyst, programmer, and writer was speaking at an event in New York City in 2009 when one of the audience members raised his hand.

"What we need," Wang remembers him saying, "are more breaches."

A wave of nodding in the room showed that many shared the perverse logic: At the time, C-suite executives viewed cybersecurity as an obscure IT concern, a geek obsession, and a budget sink. Imagine anyone saying something like that today, 11 years later, post-Target, post-Sony, and post-Colonial Pipeline.

That was the prevailing attitude when Wang first began her forays into cybersecurity. An immigrant to the United States from China at the age of 19, Wang received her Ph.D. from the University of Virginia, where her dissertation described an obfuscation technique now known as "chenxification." (The name wasn't her idea, she assures Dark Reading.) Chenxification changes the control flow into a flat loop, frustrating malware's ability to locate and extract an application's decryption key. The algorithm Wang developed allows programmers to develop five or more decoy keys that are indistinguishable from the real one, with each one set to trigger an alarm in case of an attempted breach.

Chenxification was one of the first control-flow flattening techniques available in the public domain. Data protection company Cloakware, later acquired by platform security company Irdeto in 2007, was one of the first firms to adopt the technique. Wang was later surprised to learn that the US Department of Defense used (and is still using) chenxification to protect mobile applications.

"I tell my friends I have street cred," she laughs. "Even the DoD uses my technique."

As a research professor at Carnegie Mellon University, Wang was fascinated by the idea of modeling computer virus propagation, drawing on theories of epidemiology from the world of medical science. The National Science Foundation awarded her a $5 million grant to develop a propagation index that would outline the detection and response rates necessary for network operators to "kill off" a virus or worm.

Wang spent six years at Carnegie Mellon developing the propagation index, studying system resilience, and teaching. The world of academia wasn't a perfect fit: Wang has an active, restless temperament, and the relatively sedentary life of a professor began to wear on her. As a doctorate student, "You're groomed to think that an academic career is the one you want to go into," she says. "I admired my advisers, my professor's careers. But after a few years … I was yearning for something more practical."

From Academia to Industry
In 2006, she joined the staff of Forrester Research as an analyst focused on Web, email, and app security. It was "an easy transition" from academia to industry, she says. From Forrester, she joined Intel Security as vice president for strategy. This was the crucible of her career: She drew on her programming and computer science background and her research experience to tackle new challenges posed by business and go-to-market strategy. The combination might have crushed someone else, especially if, like Wang, that person had no experience with the business side of cybersecurity. But Wang reveled in the challenge. Business strategy "was intuitive to me," she says.

From Intel, she moved on to executive roles in a number of startups, and from there to investment in cybersecurity startups. She also took on adviser and directorial roles for dozens of companies.

Twistlock was one of these startups, and the way Wang found the company is typical of her "nose" for industry trends.

"In 2015, I started picking up on trend toward containers, which was then a new way to use virtualization. It completely transforms the production environment. I said, who's doing security for this?"

Turned out Twistlock was.

Wang joined the unknown startup as chief strategy officer in 2015, and she laid the foundation for the company's purchase by Palo Alto Networks less than four years later.

In 2018, Wang founded Rain Capital VC, a 100% women-owned venture capital fund dedicated to startups like Twistlock. With a focus on seed investment, Rain Capital funded startups such as cyber asset management platform Jupiter One, which offers clients a knowledge graph to manage cloud security, and Claroty, which handles Internet of Things systems, among others, for Fortune 15 companies in the energy and manufacturing sectors. And while Rain Capital has no specific mandate to support female or minority-owned businesses, Wang is proud that 44% of companies under Rain Capital's management were founded by women or minorities.

The workload is staggering, but Wang never falters. Asked what the best part of her job is, she answers without hesitation, "Working with entrepreneurs. It's so rewarding to see a company grow from a seed of an idea to a scalable model."

Would she like to be an entrepreneur like the ones she helps, deep down? "Well, I am an entrepreneur," she says, "it's just that I build a platform, not a product."

But would she like to be building products? "Every day's a different story! Some days I'm brimming with ideas."

It may be fortunate that Wang's career has been in investment and not in product development. It means, for one thing, that she has the clout to start conversations in the tech world that many her colleagues would prefer to avoid.

The most important of these was the "booth babe" controversy, which Wang took on in 2014. It used to be standard practice, at big tech gatherings like RSA Conference, for vendors to hire young women in provocative dishabille to stand at their booths on the main floor.

"Really?" she recalls asking. "We're dealing with nation-state threats — why do we have to sell our products with scantily-clad women?"

Wang, in a blog post co-written with Zenobia Godschalk, CEO of ZAG Communications, did not hide her disappointment:

In between discussions of exploits and Big Data, a teen beauty queen was trotted out to sign autographs; Jane Doe here handed out data sheets from her skin-tight bustier, and mystery woman there displayed her acrobatic skills in barely-there fabric before the demo went underway…

We are not in the "Mad men" era. Women have stepped up and "leaned in". However, statistics still show that women's participation in computer science and engineering remains below 30%. As an industry, we have a collective obligation to promote, to foster, rather than discourage and demean the next generation of women IT leaders.

Wang and Godschalk called on companies to make a public pledge not to sexually objectify women at trade shows. It worked: RSA Conference, Black Hat, and other shows changed their codes of conduct to prohibit sexism and sexual objectification. Inspired by this success, Wang would go on to found the Forte Group, an association of C-level women in tech designed to help women get on boards, grow their careers, and exchange ideas.

"Infosec has always had a gender imbalance problem, especially on the threat hunter or analyst side," she says. But she's optimistic. For example, the director of CISA is now a woman, Jen Easterly. "Female participation in events like DEF CON used to be about 11%. It's now up to about 20." It only seems to be growing.

PERSONALITY BYTES

Wang's proudest professional moment: "I'm very proud of what I did with Zenobia Godschalk."

Favorite book: "The Gene: An Intimate History, by Siddhartha Mukherjee. It had a profound impact on me."

Biggest Influence — China or the US: "My education was definitely American. Let's say culturally Chinese, professionally US."

Next career: "I would love to be a writer. I am a writer, you know ... I have a novel in the works."

Something Wang's colleagues would be shocked to know: "When I was young, I loved salsa dancing. We used to go twice a week to different clubs."

Hobbies: "Gardening. It's a habit I picked up in COVID. It's a great outlet, a place to of calm down, be away from work — your own oasis. I grow seasonal vegetables: tomatoes, cucumbers, peppers. Fall's coming, so I'm turning everything over for carrots and parsnips."

That seems weirdly low tech: "The balance between the two mindsets — it's very healthy."