Last time, I had the honor of speaking with Veronica of DFIRLABS. She’s a self-described cyborg who got into cybersecurity early and has a passion for reverse engineering code.
This time, I got to speak with Anna Westelius. Not only is she a web security specialist; she also has experience with Linux driver development. What do Anna and I have in common with Girl with the Dragon Tattoo protagonist Lisbeth Salander?
Kim Crawley: Hi, Anna! Please tell me a bit about what you do and how you got there.
Anna Westelius: Currently, I’m senior director of security research over at a web security company in San Francisco called Distil Networks. We focus on combating the automated threat, and my role is to help improve our services and products through threat research, a lot of testing and security analysis. I’ve been running organizations, mainly focusing on security analysis, for the better part of the last 10 years in various roles.
I’d like to say that I started my tech career in the crib. I’ve been picking apart mechanical things for as long as I can remember, then building home networks and computers as a kid. I then had the luxury of stumbling into a computer club in the high school basement where the home built Linux distribution forced all involved to write their own drivers for any hardware we wanted to use. I eventually ended up getting a job writing ActionScript for direct marketing companies before starting my own company with two illustrators doing web development and security consultancy. Running my own company was a fantastic experience, but in some strange longing for a “real job,” I switched up and started doing Network Security Analysis for an MSSP in Stockholm and eventually went on to run their Security Operations and analysis teams. A few years down the line, we went on to solve web-based problems and eventually got acquired by Distil.
During all these years, I also managed to get involved in way too many organizations. Amongst other things, I ran a security conference in Stockholm that celebrated it’s 10th anniversary last year and sat on the board for a larger initiative to get coding into schools.
KC: Was there anything you learned while developing Linux drivers that taught you about cybersecurity?
AW: I think the main thing was it forced me to work closer to the machine, not so many abstraction layers, in a very practical setting. I think it’s nearly impossible to do cybersecurity well without understanding the underlying layers. Even if human-readable languages are fantastic and enabling in their own way, it’s problematic when the copy and paste development culture doesn’t know what their code does behind the scenes.
KC: What are some misconceptions people have about what you do?
AW: Being Swedish, I get a lot of Girl With the Dragon Tattoo references thrown at me, which I guess is better than being asked if I could secure someone’s Facebook account, but not so accurate. Or people asking if I can “hack their website,” but I think most people in the web security space get that.
KC: Oh my gosh, I get that too. I’m not Swedish, but I’m goth, female, and I write about cybersecurity.
What do you think the biggest problems in cybersecurity are these days?
AW: If nothing else, it’s commentary on what representation in media does for people’s perception of what something is and people’s ability to do it. I felt like hacker life before the movies was more about people asking if I was the secretary. Strangely, I also feel people take my ability to do security as truth the darker my fashion is. Luckily, my wardrobe is mainly black.
The biggest issues I’m seeing in security right now seems to all fall back to inclusion, diversity and getting more people into the industry, combined with our inability to connect those issues. The threat landscape is increasing with increased connectivity and data, and as an industry, we need to start accepting new talent. We need to hire people who might not necessarily share our views, looks or experiences and actively diversify to inspire a new generation of hackers.
KC: What do you think our industry could do to attract more diversity, to better attract women and minority groups?
AW: More representation in public, for those of us who organize cons, as well as making an effort to have underrepresented groups keynote. The argument that there’s an availability problem has been proven by many conferences to be false. Make an effort to be inclusive.
In organizations, we need to evaluate our culture and inclusion policies and when able try to support these groups both in terms of entering the business and staying in it.
My awesome employer started a women in tech scholarship and managed to rally many other companies to help young women get into and through tech at universities. I know everybody can’t just start a fund, but if everybody does something, we’ll eventually get there.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.