
Risk

4/1/2015
11:00 AM
Dance Of The 'Next-Gen' CISO

Security Pro File: Classical ballerina-turned-hacker-turned-CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristen Wiig -- and finishing her kids' leftover mac and cheese.

When Justine Bone visited New York City at the age of 21 with the Royal New Zealand Ballet Company for an auditioning tour, she decided two things: one, that she definitely loved New York, and two, that she wasn't going to be a prima ballerina after all.

"If I can't be the best in the world, screw it, I'm out," Bone recalls thinking that day in the mid-1990s as a young professional ballet dancer on the New York stage. She vowed to come back to New York someday, and when she returned home to New Zealand, she enrolled at the University of Otago and earned a degree in computer science.

Bone, a renowned security pioneer in the white hat hacking world turned chief information security officer, got her start in security with New Zealand's equivalent of the National Security Agency, the Government Communications Security Bureau, where she was heads-down hacking in her first job out of college on the agency's newly minted security offense team. "I learned how to reverse-engineer, write exploits, and code. I was Windows-focused: I was all over Windows NT and Windows 95, finding bugs," she says.

Security was in Bone's blood: her dad was a detective, and she found herself a natural at hacking things as a teenager. "Climbing out of windows in the middle of the night to see boyfriends," she quips, "I had to figure out the home alarm system, the motion detection system. I kind of grew up with a hacker mentality."

Bone ultimately worked her way back to the Big Apple as she had planned after landing a job as a consultant and researcher in 1999 with Atlanta-based Internet Security Systems, now IBM X-Force, after meeting some of the company's executives at a seminar. "I walked up to them and said this is what I do. I know how to hack and I think I can help you and you can help me," she recalls. She eventually moved from ISS's Atlanta headquarters to its New York City office, where she honed her hacking skills in penetration testing.

An "old-school Windows hacker," Bone used to hunt for zero-day buffer overflows and write exploits for them. "I was queen of the buffer overflows," she says. As SQL injection flaws came to light with the explosion of Web servers, she set her sights on Web application bugs as well. Bone later took her skills to the business world, setting up the security department at Bloomberg LP, where she was head of risk management, a gig that encompassed both information and physical security.

Bone later co-founded security research firm Immunity Security in 2002 with David Aitel, serving as CEO, and in early 2013, returned to the enterprise security space as CISO of Dow Jones, a job she held until last fall when she left to become chief information security and solutions officer at identity management company Hoyos Labs. She describes her current role as a "next-gen" CISO, which entails overseeing security at Hoyos as well as helping its customers understand the company's biometrics-based identity management technology and how to integrate this new generation of facial, iris, and periocular authentication into their environments.

"I do presentations to customers, pure sales calls, internal strategy ... I'm at least 50 percent business-oriented," she says. "I'm still needed in a technical capacity, so still [creating] white-boarding designs, wondering where our bugs are, and still converting those who don't believe in zero-days."

Bone works in Hoyos Labs' Manhattan office four days a week, and then returns to her home in Miami where she lives with her three young children, ages 3, 5, and 9 -- all boys. Her commute requires a little creative hacking of her time and the discipline of a dancer: she leaves from Miami at 3:30am on Monday morning, and gets to the office by 10am. On Thursday night, she heads out of New York and back to Miami, where she works out of her South Beach office on Fridays.

A lot has changed in security since buffer overflows were all the rage, but after nearly two decades in the field, Bone is painfully aware that she remains one of the only women in the room in security. "We need to make it more attractive to women," she says of the security industry and its wealth of job opportunities. "You can be social and engaged with other humans and code," a fact often overshadowed by the standard geek stereotype associated with the tech world. "You can wear stilettos and code."

Bone says some women and men can be intimidated by the security industry's relatively aggressive culture, where many experts don't hesitate to call one another out publicly over a technical detail or dispute over a security issue. "You've got to be very factual and assertive to survive in our scene," she says. "For someone coming in, that can be a bit intimidating."

That's where her classical ballet training came in handy. She says her past experience performing on stage helped her through some nervous moments as a 20-something woman in security walking into a room full of men. "I was able to hold my own," she says.

As a seasoned CISO and a hacker, Bone is also well aware of the major security challenges faced by businesses today, especially large, established ones in an era where cyber attacks are now routine. Large companies struggle to manage their data, much less control its access in a climate of mergers and acquisitions. "They don't understand their systems, and they certainly don't understand their data and where it is," Bone says, which leaves them vulnerable to attacks and data breaches.

"The other problem is accountability: the way we authenticate doesn't work anymore," she says. "You have to introduce accountability into the equation so we really understand who has access to what, where the transaction is initiated, and which humans are involved."

Bone's hacking projects today are more on the philosophical side of things. "These days my research gets pretty out there and philosophical" about the balance between privacy and technology, she says. She's focusing on things like data-centric security strategy.

That doesn't mean she never wants to get back into the trenches again. "I'll end up on a beach coding someday when I retire," she says. "We still need other old-school coders out there."

Justine Bone, chief information security & solutions officer, Hoyos Labs

PERSONALITY BYTES

Worst day ever at work:
The day I found out my CEO was no longer with Dow Jones. Everything changed overnight.

What your co-workers don't know about you that would surprise them:
I'm so business-oriented these days, maybe it would surprise them to see me when I was an orange-haired techie, spending all my days in a blacked-out room, coding and reverse engineering with the best & worst of 'em.

Security must-haves:
My face and my phone.

Business hours:
These days it never stops, but sometimes I take breaks. If left to my natural rhythms I lean toward 7am-10am for creative thinking like presentation preparation or solving harder tech problems, 10am-5pm is major game time - customer meetings and what-not, after that the more administrative stuff. Some business meetings in the evenings, a few phone calls, or writing papers over the weekend. I sleep on planes.

Actress who would play you in a film:
People are constantly thinking I'm Kristen Wiig. At The Wall Street Journal, rumors went around that Kristen Wiig was on the floor, but it was just me at work. I get it when I go into shops. I get it all over the place. I can't imagine how much worse it must be for her: "Hey, are you Justine Bone!???" probably every time she sits down at a keyboard.

Favorite hangout:
Segafredo's on Lincoln Road in South Beach. Great outdoor people-watching, great cocktails, great music.

Comfort food:
My kids' leftover mac & cheese.

In your music player right now:
Tove Lo, ODESZA, The Broods and Hannah Georgas.

Ride:
A VW Eurovan and Fisker Karma as needed in South Beach. Everywhere else, Uber.

For Fun:
(Spending) time with my kids in the pool/beach/yard primarily. I also love music and I'm an amateur turntable DJ. And I love clothes - I spend too much time thinking about clothes.

Next career:
Artist.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
