Original Interview in November 2023

This interview was conducted by Abby Sonnier, Associate Cybersecurity Analyst at Consortium Networks.

Maria-Kristina is an internationally recognized expert in cyber hygiene and resiliency. Her mission is to raise global levels of cyber-risk awareness and enable organizations (and individuals) to take control back from cybercriminals. She has delivered security awareness sessions and wargames to over 15,000 people worldwide, and is a keynote speaker, author, and 2022 recipient of the Women in Technology Excellence “Security Leader of the Year” award.

Maria-Kristina is CEO & founder of OUTFOXM INC, the world’s first boutique consulting firm advising Fortune 500 enterprises on immersive cyberattack simulations and human-cyber risk. In prior positions she led the Bank of New York Mellon’s Cyber Wargaming program, served as a Cyber Intelligence Officer for the Defense Intelligence Agency (DIA), supported the U.S. military as an Air Force civilian at the Pentagon, and served as a Congressional researcher in the House of Representatives.

She holds a Master’s degree in Cyber Intelligence from the National Intelligence University and a Bachelor’s degree in Security Studies from Georgetown.

What originally drew you to cybersecurity?

I had two internships during my college years at Georgetown, one with Booz Allen Hamilton and one on Capitol Hill in the House of Representatives. 

In one, I was analyzing the 44 cyber-related bills on the Hill that summer. In the other, I was doing research on cyber policy questions to help policymakers understand these topics. I found cyber so interesting because despite so much collective focus, no one could actually agree on a definition of cyber or cybersecurity! I saw this as a rare opportunity to jump into a fascinating and developing field.

What did the moves from policy to intelligence to wargaming look like for you?

After the policy internships and near the end of my studies at Georgetown, I applied and was accepted to a Department of Defense scholarship program called the SMART (Science, Mathematics, and Research for Transformation) scholarship. This took me to the Pentagon right after graduation as an Air Force civilian. I served as an operations research analyst and learned valuable skills like executive presence and public speaking. I also earned my first security clearance. Overall that was a transformative job for me. 

A few years later I was recruited to the Defense Intelligence Agency (DIA) to be an intelligence officer and my life was changed yet again. I learned a lot about patience and humility in that role providing intelligence support and analysis to our military. A few years later, after completing my Master’s degree at the National Intelligence University, I joined the Bank of New York Mellon’s Cyber Intelligence Team. From there, I started a separate team for Wargaming, Cyber Awareness, and phishing testing to help turn cyber intelligence into something that would resonate with a 50,000 person workforce.

Can you briefly describe what wargaming is?

Wargaming can mean different things to different people. In the military, it means realistic wartime scenarios that bring teams (and sometimes countries) together to test collaborative response plans.  

In the private sector, wargames are usually “tabletop exercises” where 30 people gather around a boardroom table talking through a fictitious scenario. Though that may sound less interesting than a real military wargame, when planned and executed correctly, it can be every bit as stressful, emotional, and impactful to your organization.

What is it about the ‘human side’ of cybersecurity that is compelling for you?

The human side is everything that is not a tool or software. It’s your employees and your family and the decisions they make online, their reaction to scams, their online behavior, and their ability to detect and respond to dangerous things online. The majority of the industry is focused heavily on expensive tools. While these are helpful and important, we continue to see organizations falling victim because they have not also focused on the human side. 

Tactically, the human side of cybersecurity are things like meaningful trainings , positive incentives that change peoples’ behavior, and building all employees (not just the cyber or techy ones) into the defensive fabric. Cybersecurity can’t just be about tools and software, it has to include the human element because attackers are targeting the human element.

How do you roll emerging tactics of different attacker groups into your exercises?

Tactics are constantly shifting because attackers are both extremely creative and financially incentivized to come up with new ways to trick us. It is essentially a game of Whack-a-Mole in which we have to continuously react and stay on the defensive.

When it comes to wargaming, game designers need to pull from our cyber intelligence backgrounds to stay ahead. We’re constantly watching where things are going next and what the bad guys are talking about. If we don’t do this, wargames won’t resonate.

One of the reasons I started my company, OUTFOXM, was because I was disappointed in other wargames I saw on the market– they weren’t keeping up with the threats and used cookie cutter scenarios that weren’t customized to the participants.

This all sounds like an incredibly creative exercise. We often assume there isn’t much room for people who want to work in non-technical creative roles within cybersecurity. How do you balance these things and how does that impact your view of who has a place in cybersecurity?

Good cyber wargames in the private sector are really 80% art, 20% science. The key to developing an impactful wargame is to understand the participants, their perspectives, their assumptions about cyber attacks, their roles in responding to them, their fears, interpersonal politics of the players, among other things. The other 20% is using wargame frameworks to build a relevant and technically plausible scenario.

Cyber tabletops or wargames are such a great example of how people from all backgrounds can have a place in cybersecurity. Wargaming requires a lot of different skills that aren’t necessarily technical. When I meet with students or am mentoring folks who want to get into cybersecurity, I encourage all of them to consider wargaming as a potential career path.

What made you decide to go on the adventure of building your own company?

There are two main sides to my company that were each inspired by different things. On one side is the B2B where we advise organizations and provide wargame simulations. I started this side of the company because of that gap I saw in the market.

On the other side is more of a direct to consumer model where we post our cyber hygiene tips for personal use on YouTube and Instagram. This side is focused on people’s personal cyber safety. I started this because all of my friends, family, and even casual acquaintances would constantly ask me the same questions over and over: How do I know if this is a scam? What do I do if I click on that? 

It became clear to me that people did not know where to get trusted advice on these daily hygiene tips, so we tried to help in some small way!

What have been some of the biggest challenges of starting a company?

Thankfully, I am someone who is comfortable with ambiguity so the rollercoaster ride that is entrepreneurship doesn’t get to me. The greatest challenge, though, has been ramping up so quickly– the building of a company is very different from providing the actual services of consulting, advising, or wargaming. Setting up all of the operational pieces and scaling to meet demand is a good problem to have, but it was a bit of a learning curve.

How have you found ways to build your network as an entrepreneur?

I am lucky to have a personality type that makes it easy for me to talk to people– it’s something I took from my dad who taught me that I could make the world a better place by trying to improve the moods of the people I pass throughout the day. Because of this, networking comes easily to me. 

However, I often hear from students and others I mentor that networking is difficult and often quite scary. My advice to them is threefold. One, when you’re in person, try to swallow that initial fear of being rejected. Going up to people and sticking out your hand to introduce yourself is intimidating but gets much easier with a little practice. 

Two, some of the best networking can be done online by using LinkedIn. Sending meaningful, personalized introductory messages to people in your field or dream position can open many doors. 

Three, something that I have learned over the last few years especially as an entrepreneur is that it helps if we get comfortable being the one to keep a relationship warm. Say you’ve done that initial work of having an initial meeting, and it goes well. Take it upon yourself to send that follow up about how their vacation went or how the new job is coming along. Don’t expect that they will be the one to reach out. I found this a bit uncomfortable at first but have learned that in this day and age it’s way too easy for promising relationships to die out. If you had a mutually enjoyable conversation the first time, the person will likely be happy to hear from you again. 

Do you have any final thoughts to leave us with?

If people are on the fence about pursuing something entrepreneurial, it’s normal to feel a bit uncertain and scared to make the jump. Full time jobs with full time salaries are comfortable and it’s easy to get used to that security. However, I am a big believer that if you have the entrepreneurial drive and an idea you’re passionate about, try it out! Make your friends and connections aware of your idea and you will likely be surprised about the support and encouragement you receive!