Mischel Kwon Unplugged
Security Pro File: Kwon talks about her tenure at DOJ and US-CERT, winning a WiFi antenna contest at DEF CON, voice lessons - and her brief stint as an industry 'float princess.'
November 2, 2017
She was craving a soda, but each time Mischel Kwon aced a logic problem the Computer Learning Center representatives put in front of her, they fed her yet another test question.
"They gave me more and more problems, and all I wanted was to go get a soda," Kwon recalls of her 19-year-old self that day at a Northern Virginia suburban shopping mall in the early 1980s. A CLC rep there had stopped her and asked if she wanted to take one of their tests. "I said, sure, I'll take it," not knowing what it was, recalls the former federal government cybersecurity executive.
Kwon never got her Coca-Cola that day at the mall, but her high score on the test won her a full scholarship to attend CLC's computer training program, where she ended up graduating at the top of her class. She later landed her first job in technology, as an Assembler programmer for retail giant Woodward & Lothrop, where she wrote code for the very first automated cash-register system in the Washington, DC, area.
Like most pioneers in the security industry, Kwon, the former director of the US-CERT and former deputy CISO at the US Department of Justice, landed in security by chance. But along the way, she says her work in IT in the pre-security industry days was also unknowingly honing her security skills. She worked on IBM mainframes while at Woodward & Lothrop, coding and developing patch management systems for the big iron. "I started at the base of the system and learned everything about it, and the network, too, and that translates to a good understanding of the technology" of security, she says.
"I did security all along the way, and had no idea I was doing security," Kwon recalls. "I was so wrapped up with IT."
It's that epiphany that has helped shape Kwon's view that one of the biggest missteps in IT history was splitting IT and IT security into separate departments and sectors. It was a mistake, she says, to decouple the two worlds. "Melding of IT and the security operations center is absolutely required. We tore them apart with separation of duties years ago," she says. "But adversaries don't separate duties."
Today's gaps among IT, the SOC, and security teams basically give the bad guys an edge, Kwon explains. "Security should get its data from the SOC and how they protect the network. These days, it's being based on security controls and compliance, but we need to move to an operational security model."
Filling those gaps is at the heart of the strategy of the security consulting and SOC managed services security company Kwon launched in 2010, MKACyber. "I was wanting to get back to my tech roots and wanting to make a difference," she says of her decision to start the firm, where she serves as president and CEO.
Born to a Korean father and an American mother from North Carolina, Kwon grew up in a diverse yet traditional household that emphasized education. In the early 1960s, when she was born, it was illegal for her parents to be married in North Carolina. The family later moved around the US for her father's career as a toxicologist.
"As a Korean man, it was never his intention for me to work. I was raised to be a mom and a very traditional woman," she says. "My mom had other ideas, though. She thought I was going to be a singer."
Kwon's parents both were opera singers, and her mom put her in voice lessons mainly to deprogram her native North Carolina accent. "I had a very big southern drawl, and it comes back when I go back to Shelby, North Carolina," her hometown, she says.
Math was always fun for Kwon. Because she grew up before the age of personal computers, she wasn't exposed to coding until later. The closest thing she had to a computer growing up was a Nintendo. "We played Pong," she says. She met her first computer in high school in Fairfax, Va.
After her mainframe stint with the now-defunct Woodward & Lothrop, she realized she needed a college degree to further her career. So Kwon applied for and won a Clare Boothe Luce scholarship, and in 2002, she went back to school to get her undergraduate degree in computer science at Marymount University, and then her master's degree in information assurance at George Washington University. At the time she was also a mother of four kids between the ages of 4 and 12. "I was working" then as well as taking classes, she says.
While still a grad student in 2004 doing research on wireless technology and hacking, Kwon got her first real taste of the hacker scene at the DEF CON hacker convention in Las Vegas. She won "Most Innovative" in the WiFi Shootout contest for her handmade antenna made out of a cardboard box. "I read the instructions wrong that you couldn't use any antenna parts," she recalls, so she built it from scratch. "I had it engineered to go one mile," she recalls, and it got close, reaching .8 miles.
Her career was refreshed after getting her master's. "Security was a big open space that I was just curious about, how to break everything, how to hack into everything, and how to protect everything. I had a big love for wireless."
Kwon's first big security job was as deputy CISO for the Department of Justice, where she built out the Justice Security Operations Center, after an initial gig as director of wireless security for the agency. While that's where Kwon first made a big name for herself in security, it was a lesser-known project she worked on there that she says she's most proud of during her tenure. While performing a penetration test on Motorola's mobile radio system, she and her team "owned the whole system within a couple of hours," she recalls.
Motorola then worked, with the help of Kwon's DOJ team, on re-engineering the radio systems to become secure. "Land mobile radio [is] so strategic for them," she says, and they continued to work with Kwon after she left DOJ to continue locking down that wireless product. "That was the best work I've ever done in the security field," she says.
During her 18-month gig as director of the US-CERT, where in 2008 she was the first woman named to the post as well as the first director with technical expertise, Kwon got a reality-check about the state of security in the federal government: "I was shocked to find out they [civilian agencies] didn't know what attacks were about," she says. "My main mission was to help agencies. There was a large need to educate federal SOCs and give them guidance and information," she recalls.
So she launched so-called Joint Agency Cyber Knowledge Exchange meetings to help spread the word and educate agencies. "They were so popular that there was not a large enough SCIF area for us to hold a secret-level meeting," she says.
While head of the US-CERT was one of her favorite jobs, the politics of the newbie DHS began to wear on Kwon. "The job itself was awesome. But DHS was a political nightmare. It was like running down the hall juggling scissors," Kwon says. "It was a fairly new agency. Mature agencies have decorum, a culture, a way of behaving, sound hiring practices and rules of behavior. DHS was missing all of that."
That made it a difficult culture for success, causing problems with contracts and "unhealthy behavior," as Kwon describes it. "It made it difficult to do any work. I didn't have the patience for that."
She then returned to the private sector as vice president for public sector security solutions at RSA. Kwon quips that that job ended up as more of a "float princess" role where she was paraded out as a former government cybersecurity executive. "It was an interim gig," she says of her one year at RSA.
Like many professional women, Kwon has experienced her share of sexual harassment during her career. "No question: Me, too," she says.
Working long and late hours as a young woman, she says she always "had to worry" about her safety. And there were the questions: Did I get the job because I was a woman? "I hope I got it because I was talented," she says.
Kwon points out that sexual harassment and discrimination are not just a workplace thing. "It's our societal norm."
That's why Kwon says she created the Cybersecurity Diversity Foundation, which offers scholarship funds and promotes corporate commitments to build a more diverse workforce in the industry.
"Not just because I'm a woman, but also because my last name is Kwon and I'm half-Korean," she says of her personal experience. "I definitely found myself not being included, not being heard … and being dismissed," she says.
The good news is that a conversation has begun about implicit biases, she says. "It's not going to be something we can fix overnight," though, Kwon notes.
Worst day ever at work: Being fired. I worked for Network Solutions when I was 25 and was fired for "participating in office politics."
First Hack: Cell-phone hacking. When I went back to school, I did a lot of breaking things. Phones were pretty open [then].
What Kwon's co-workers don't know about her that would surprise them: That I’m a softie at heart. They figure it out eventually, but most people think that I'm a hard-ass.
Security must-haves: Up-to-date, non-DOS machine.
Business hours: I usually sleep between 2am & 6am, for a total of four hours a night. The rest of the time is working, either in my career or as Mom.
What keeps Kwon up at night: I'm less worried about adversaries. I'm more worried about system owners and businesses not taking care of their systems – not patching, not wiping [when swapping out old systems], and not looking at their architecture to make sure it's current for today.
Fun fact: I had a Token Ring network in my house. My father was getting rid of Token Ring at work.
Favorite hangout: My bed at the beach.
Comfort food: Vegan mac and cheese or kimchi and rice.
In her music playlist right now: Beatles, Red Hot Chili Peppers, Rolling Stones, Eagles, Carly Simon, Carole King
Ride: BMW M4 convertible
After Hours: Play with my kids, yoga, play the guitar, spend time at the Outer Banks, NC.
Actress who would play Kwon in film: Catherine Zeta-Jones, specifically from the movie "Zorro" … I wish!
Next career after security: Making biscuits.