Wednesday’s Women in Infosec, our monthly profile, changes focus for May by moving to the technical side of security. Georgia Weidman, founder and CTO of Shevirah, brings with her the varied experience of a pen tester, security researcher, author, and speaker. Her book Penetration Testing: A Hands-On Introduction to Hacking is rated as one of the top training books. Ms. Weidman presented at Black Hat 2016, one of the most well-known hacking conferences. Ms. Weidman’s intelligence and savvy make her one of the leaders in information security.
If you had to choose one event that led you to work in information security, what would it be and why?
I did Cyberwatch’s Mid-Atlantic Collegiate Cyber Defense Competition in graduate school. In the competition, we played the recently hired security staff of an organization under attack. The attackers were a red team made up of industry professionals tasked with wreaking havoc on our systems. By the end of the competition, I knew I wanted to be on the red team.
Why do you like working in the information security environment?
Throughout my career, I’ve watched an endless cycle of black hat hackers and penetration testers finding holes with security practitioners and white hat hackers fixing them. I thrive on trying to discover holes before the bad guys or, at the very least, educating people on how to recognize their risks so they can mitigate them before the bad guys get there. I break things to ultimately help fix them.
If a n00b to the infosec world asked you for a piece of advice, what would it be?
Don’t let anybody tell you you can’t. There are a lot of personalities in the industry who like to use the whole “GTFO n00b” mentality and act like you don’t deserve to breathe the same air as them unless you are a narcissistic vulnerability pimp. But that’s ridiculous. There was a time when everyone, no matter how proficient they are now, was struggling with the basics. Another thing new people tend to do is discount the skills that they have. It takes a lot of skillsets other than reverse engineering and exploit development to build a mature security program. You may be coming into infosec with a lot you can offer the industry already, before you even start studying.
What is the most important issue facing consumers in the information security landscape today? Why?
Security is stuck in an old paradigm of the enterprise: people don’t sit at desks in offices working on corporate-owned workstations behind a corporate-owned firewall. They use phones, tablets, smart watches, even connected cars and Internet of Things devices to do their work. Hackers have moved from the enterprise to ransomware and now, increasingly, to mobile. Security practitioners need to move to mobile as well. Until they do, consumers need to be better informed about the risks surrounding mobile. For example, phishing isn’t just about email, but SMS, iMessage, even Facebook Messenger and WhatsApp.
What are your three “guilty pleasures” that have nothing to do with information security?
I have a horse, Tempo, whom I show in hunter/jumper. I have a hard time categorizing him as a guilty pleasure though. I more consider horse showing the one non-work thing I do to stay sane. Also, since most of your time as a startup founder is spent being told “No” or at least “Not yet” in raising money or getting marquee customers, it is nice to be able to have the short-term achievable goals that horse showing allows. I also like to do tourism things like going to museums and visiting natural wonders when I travel for work. Just recently, after nine previous trips to The Netherlands during the wrong time of the year, I finally got to see the world-famous tulips at Keukenhof Gardens. But in general I just work on my startup all the time.