Dance Of The 'Next-Gen' CISO

Security Pro File: Classical ballerina-turned-hacker-turned-CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristen Wiig -- and finishing her kids' leftover mac and cheese.

When Justine Bone visited New York City at the age of 21 with the Royal New Zealand Ballet Company for an auditioning tour, she decided two things: one, that she definitely loved New York, and two, that she wasn't going to be a prima ballerina after all.

"If I can't be the best in the world, screw it, I'm out," Bone recalls thinking that day in the mid-1990s as a young professional ballet dancer on the New York stage. She vowed to come back to New York someday, and when she returned home to New Zealand, she enrolled at the University of Otago and earned a degree in computer science.

Bone, a renowned security pioneer in the white-hat hacking world turned chief information security officer, got her start in security with New Zealand's equivalent of the National Security Agency, the Government Communications Security Bureau, where she was heads-down hacking in her first job out of college on the agency's newly minted security offense team. "I learned how to reverse-engineer, write exploits, and code. I was Windows-focused: I was all over Windows NT and Windows 95, finding bugs," she says.

Security was in Bone's blood: her dad was a detective, and she found herself a natural at hacking things as a teenager. "Climbing out of windows in the middle of the night to see boyfriends," she quips, "I had to figure out the home alarm system, the motion detection system. I kind of grew up with a hacker mentality."

Bone ultimately worked her way back to the Big Apple as she had planned after landing a job as a consultant and researcher in 1999 with Atlanta-based Internet Security Systems, now IBM X-Force, after meeting some of the company's executives at a seminar. "I walked up to them and said this is what I do. I know how to hack and I think I can help you and you can help me," she recalls. She eventually moved from ISS's Atlanta headquarters to its New York City office, where she honed her hacking skills in penetration testing.

An "old-school Windows hacker," Bone used to hunt for zero-day buffer overflows and write exploits for them. "I was queen of the buffer overflows," she says. As SQL injection flaws came to light with the explosion of Web servers, she set her sights on Web application bugs as well. Bone later took her skills to the business world, setting up the security department at Bloomberg LP, where she was head of risk management, a gig that encompassed both information and physical security.

Bone later co-founded security research firm Immunity Security in 2002 with David Aitel, serving as CEO, and in early 2013, returned to the enterprise security space as CISO of Dow Jones, a job she held until last fall when she left to become chief information security and solutions officer at identity management company Hoyos Labs. She describes her current role as a "next-gen" CISO, which entails overseeing security at Hoyos as well as helping its customers understand the company's biometrics-based identity management technology and how to integrate this new generation of facial, iris, and periocular authentication into their environments.

"I do presentations to customers, pure sales calls, internal strategy ... I'm at least 50 percent business-oriented," she says. "I'm still needed in a technical capacity, so still [creating] white-boarding designs, wondering where our bugs are, and still converting those who don't believe in zero-days."

Bone works in Hoyos Labs' Manhattan office four days a week, and then returns to her home in Miami where she lives with her three young children, ages 3, 5, and 9 -- all boys. Her commute requires a little creative hacking of her time and the discipline of a dancer: she leaves from Miami at 3:30am on Monday morning, and gets to the office by 10am. On Thursday night, she heads out of New York and back to Miami, where she works out of her South Beach office on Fridays.

A lot has changed in security since buffer overflows were all the rage, but after nearly two decades in the field, Bone is painfully aware that she remains one of the only women in the room in security. "We need to make it more attractive to women," she says of the security industry and its wealth of job opportunities. "You can be social and engaged with other humans and code," a fact often overshadowed by the standard geek stereotype associated with the tech world. "You can wear stilettos and code."

Bone says some women and men can be intimidated by the security industry's relatively aggressive culture, where many experts don't hesitate to call one another out publicly over a technical detail or dispute over a security issue. "You've got to be very factual and assertive to survive in our scene," she says. "For someone coming in, that can be a bit intimidating."

That's where her classical ballet training came in handy. She says her past experience performing on stage helped her through some nervous moments as a 20-something woman in security walking into a room full of men. "I was able to hold my own," she says.

As a seasoned CISO and a hacker, Bone is also well aware of the major security challenges faced by businesses today, especially large, established ones in an era where cyber attacks are now routine. Large companies struggle to manage their data, much less control its access in a climate of mergers and acquisitions. "They don't understand their systems, and they certainly don't understand their data and where it is," Bone says, which leaves them vulnerable to attacks and data breaches.

"The other problem is accountability: the way we authenticate doesn't work anymore," she says. "You have to introduce accountability into the equation so we really understand who has access to what, where the transaction is initiated, and which humans are involved."

Bone's hacking projects today are more on the philosophical side of things. "These days my research gets pretty out there and philosophical" about the balance between privacy and technology, she says. She's focusing on things like data-centric security strategy.

That doesn't mean she doesn't ever want to get back into the trenches again. "I'll end up on a beach coding someday" when she retires, she says. "We still need other old-school coders out there."


Worst day ever at work:
The day I found out my CEO was no longer with Dow Jones. Everything changed overnight.

What your co-workers don't know about you that would surprise them:
I'm so business-oriented these days, maybe it would surprise them to see me when I was an orange-haired techie, spending all my days in a blacked-out room, coding and reverse engineering with the best & worst of 'em.

Security must-haves:
My face and my phone.

Business hours:
These days it never stops, but sometimes I take breaks. If left to my natural rhythms I lean toward 7am-10am for creative thinking like presentation preparation or solving harder tech problems, 10am-5pm is major game time - customer meetings and what-not, after that the more administrative stuff. Some business meetings in the evenings, a few phone calls, or writing papers over the weekend. I sleep on planes.

Actress who would play you in a film:
People are constantly thinking I'm Kristen Wiig. At The Wall Street Journal, rumors went around that Kristen Wiig was on the floor, but it was just me at work. I get it when I go into shops. I get it all over the place. I can't imagine how much worse it must be for her: "Hey, are you Justine Bone!???" probably every time she sits down at a keyboard.

Favorite hangout:
Segafredo's on Lincoln Road in South Beach. Great outdoor people-watching, great cocktails, great music.

Comfort food:
My kids' leftover mac & cheese.

In your music player right now:
Tove Lo, ODESZA, The Broods and Hannah Georgas.

A VW Eurovan and Fisker Karma as needed in South Beach. Everywhere else, Uber.

For Fun:
(Spending) time with my kids in the pool/beach/yard primarily. I also love music and I'm an amateur turntable DJ. And I love clothes - I spend too much time thinking about clothes.

Next career:
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...