CO-FOUNDER OF ELEVATE SECURITY
Interview Conducted August, 2023
This interview was conducted by Abby Sonnier, Cybersecurity Analyst at Consortium Networks.
Masha Sedova is an award-winning people-security expert, speaker, and trainer focused on helping companies transform employees from a vulnerability into a key element of defense. She is the co-founder of Elevate Security, delivering the leading employee-risk management platform that provides visibility into employee risk while motivating employees to make better security decisions. Before Elevate, Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers. In addition, she has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as RSAC, Black Hat, OWASP, and SANS.
What initially brought you to cybersecurity?
I first learned about cybersecurity on a radio ad in the car while I was still in high school and it piqued my interest. At the time, you really couldn’t study cybersecurity as something to get a degree in so instead, I followed this interest into computer science and mathematics to go into cryptography and applied mathematics. From there, I decided to properly study computer science and ended up at a program called Cyber Corps Scholarship for Service.
This program, which is still running today, pays for either three years of a Master’s degree or the last two years of undergraduate with a nice stipend for tuition, room, and board. It enables folks to study cybersecurity at some of the leading universities around the country in exchange for working for the government for every year they paid for your education.
So, that was my entry into security and it’s been a wonderful ride without regrets since.
What were some of the greatest challenges you faced early in your career in an emerging field and as a woman in STEM?
Even before starting work, there were not a lot of women studying cybersecurity. Not to say that there were even a lot of women studying computer science or mathematics either. Within STEM classes, I was often the only woman present which made it really difficult to raise my hand and say “I don’t know, can you expand” or ask a question. I felt like if I was not 110% right in my response, people would look at me and say “Oh, women are dumb and shouldn’t be in the field.”
I was the single data point for the people around me for what women could or couldn’t do in relation to cybersecurity– that’s a lot of pressure, especially when you are learning some really new and complicated concepts. It added a lot of pressure and didn’t create the kind of learning environment I could have benefited most from.
It took me a long time to build up enough confidence to realize that it is okay to get something wrong and fully embody a growth mindset and value learning over what other people think.
How did you build that confidence to feel comfortable with being uncomfortable?
At one of my first non-government jobs at Salesforce, I was in charge of building the insider risk team and decided to expand that definition from only insider risk to human risk to encapsulate both careless and malicious actions.
A lot of the work I was doing was innovative and an out of the box way of thinking about risk using behavioral science and data analytics to apply interventions. Even so, I found that when I started doing it, it was hard for me to get traction, respect, and buy in from my peers on the security team. I wasn’t finding zero-days, which are at the top of the totem pole in security, so it was hard for me to get time, attention, and respect.
What I started doing was speaking externally about some of the programs and frameworks I was building. My first talk was at a local ISSA (Information Systems Security Association) where I got a lot of really positive feedback outside of my echo chamber at work. A lot of these people were very interested in what I was doing and wanted to collaborate and even started telling my peers about the “incredible stuff” I was working on.
That said, it wasn’t until I was invited to speak on stage at RSA that my peers really recognized what I was doing. So for me, it was very important that I went outside of my day to day colleagues to be able to get that validation in a safer space. It is what gave me the confidence to come back and stand a little taller to do the work I really wanted to be doing.
How did you gain the confidence and the ability to step outside of your organization for that outside support? Do you have any tips?
While this may not work for every organization, I decided to ask for forgiveness instead of permission. I submitted the talk and, once it got in, I went back to my organization and worked with them to figure out what I could or couldn’t put in the presentation and what I could say.
They worked with me on that. There are a lot of initiatives in security and in enterprises in general for helping women level up. If you use that and also show how valuable an opportunity is for your career and brand, there is a lot of pressure for them to say yes. Once you are able to do this one well and with respect to corporate communications policies, you gain the momentum to go on to the next thing.
Do you think that you were ever viewed differently as a woman speaking on these topics versus how a male would be perceived? Do you feel like your gender ever got in the way of being able to speak authoritatively even in those external situations?
It didn’t get in the way, but it did set a higher bar. There’s less room for mistakes. When you come into a room, there’s a preset bias around “Oh, well, you’re a woman, right? You’re probably not as technical.”
It’s also interesting that my ethnicity played a part in this bias. I’m Russian by birth and so when I would introduce myself people were like “Oh, you’re a woman, but you’re Russian. So it makes sense why you’re in security.” Those were phrases I heard a lot in getting into security, which is so many biases all at once, right? It is putting labels on gender and nationality and things that you’re supposed to be good or bad at because of your upbringing.
What worked for me was learning to dance with those labels. I didn’t fight the bias. Instead, I embraced that XYZ is what people expect when I walk into a room and armed myself with it. While I didn’t necessarily start getting more respect, I was getting external validation through speaking at these conferences and publishing, by having that on my resume.
How did you decide you wanted to start your own business?
Looking back, I’ve always had an entrepreneurial streak. Even when I joined Salesforce, I basically built and ran a team within a team. I took a team of one, me, and built out a larger team with its own charter and scope. It was a nice way to start while under the umbrella of the larger company while still learning how to create sense from a lot of ideas and possible solutions and pull it together to make it reality.
When the time came to make the decision to leave Salesforce as I was figuring out what to do next, entrepreneurship and starting my own company was the most appealing even though someone once told me that if you can choose not to do a startup, do that. The startup journey is essentially getting punched in the face, hundreds of times, over and over. There are some high moments, but there are also a lot of people telling you that your baby is ugly and you can’t quit, no matter how hard it gets.
When it came down to it for me, though, I couldn’t not do it. I knew that if I got to the end of my life without doing it, I would be lying on my deathbed regretting not knowing what it would have been like and what the outcome would have been. That regret felt bigger than any potential failure.
How did you get through the hardest parts of entrepreneurship?
“This too shall pass.”
In startup life, there are highs and lows. I remember one day where I learned that one of my lead engineers was leaving our company to start his own, which was a critical loss for us. Then, I checked our bank account to see that the $8 million we just fundraised came through. At the same time I was trying to figure out what we were going to do about the employee leaving but knowing we were going to be okay because we had funding. You have to hold space for both emotions.
It’s the highs and the lows that make up a startup. Tomorrow, the sun will still get up, no matter how bad today was. You learn not to hold on to either side too tightly because you will get through it no matter which way it goes.
I have also found that your network is incredibly important. As a founder, the lows are a tricky thing to talk about. Everyone wants to ask how the business is doing and, no matter what, you have to tell them it is going great otherwise people will think you must have a bad product or that the company will go under if you have any doubts or difficulties. You have to constantly exude confidence and sunshine no matter what is going on with the company because you are its face.
Sometimes you need people you can talk to about the bad days and other founders are wonderful for this because they just get it. Those are the people you can let down your guard with and have a real conversation about things you can’t discuss with others who won’t understand.
Where do you see cybersecurity going in the future? What scares you or excites you about the industry looking 5-10 years from now?
The advent of AI is going to kick our butts in a really meaningful way. It’s terrifying because it has really stepped up the capabilities of our adversaries and their maturity on things like phishing and ransomware. The cost has dropped significantly for the attacker which makes it more expensive for the security team.
To keep up with this, I think cyber insurance is going to take a pretty serious hit. They’re already having a hard time paying out now, but ransomware just got a lot easier to do. I think cyber insurance will end up going out the window which is a pretty scary thing from an enterprise perspective.
At the same time, AI is an incredible tool to help us scale. Before, we could never hire enough people fast enough but I’ve seen reports that IT security teams are using AI to help detect and respond faster. It’s an incredible combination of AI and humans.
The thing I’m most excited about, though, is the diversity of skills that security is now going to require. In human risk management, the most interesting people who come into the space don’t necessarily come from a security background. They bring in different perspectives from psychology to organizational design and are able to see how other problems are solved in different disciplines and think about how to apply that to security.
For example, humans account for three out of four breaches we see today. There are security tools to look at this problem through, but there are so many more out there that help us understand how and why people make decisions and how we can effectively communicate to mitigate this risk.
With the difficulty that we have been having to hire in security, bringing in people with different backgrounds will help in a multitude of ways.
Do you have any advice specifically for young women or young people in this field looking into going into cybersecurity or entrepreneurship?
As for cybersecurity, you should do it. It has a hard learning curve and is a totally new language, but it is so deeply rewarding and there is so much work to be done here. We’re doing a much better job today than in the past about creating communities of women where you can have a safe space.
One of my favorite quotes is that women are over-mentored and under-sponsored. We should all take this to heart and start putting our necks on the line to help someone put their name in the hat, mentor them, help them prepare for an interview, and connect them with others who may be able to better help them get up to where they want to be. It’s on us to pull people in– leverage your power, your influence, and build people up.
My second piece of advice is not to underestimate the things you already bring to the table. When I first started at Salesforce, I was surrounded by super technical people who shared with me things like network architecture diagrams and log files. I remember thinking, I understand what this says, but I don’t have a lot to add to this conversation. I felt so dumb and like I did not belong there. I felt like they had made a mistake by hiring me and that I couldn’t contribute anything.
As I went around talking to people about the things that they really cared about and what they saw as the biggest problems, I kept hearing over and over again the issue of people making stupid security mistakes. I remember thinking, what are we doing about this human element? We’re throwing a ton of money at technology, but no one is talking about the human problem. Instead of trying to be like all of the other people on the team, I took a step back and decided that I wanted to solve this problem that no one was working on.
In essence, the problem was people attacking people. There is a bunch of technology in the middle and though I could understand that part, it didn’t light me up. So, I asked for a bit of rope to start a pilot program that helps look into people with the most critical access and try targeted intervention programs to see if that would reduce the number of security incidents.
This early program is what I built my career and company on. It was all around seeing a problem that no one else was solving. I came into this job with a unique perspective in that, in addition to my computer science degree, I also have a liberal arts degree. I am a musician in addition to being a mathematician. I bring all of myself to the table when I look at a problem and my brain connects dots that no one else’s brain connects and their brain connects dots that aren’t connected in mine. That is the wonderful thing about diversity of thought and backgrounds.
This is what it means to bring your unique background into security. Yes, you need to understand security basics and be able to speak the language and understand the threats, but do not throw away every other part of yourself because those other parts are what will help you see problems, spaces, and opportunities that other people don’t. That is what innovation looks like and that is how we move forward.
As for entrepreneurship, my number one piece of advice is to build the network. I would not start a company until I had a decent enough network of people that I could lean on for different problems. In entrepreneurship, you’re constantly faced with problems you’ve never seen before and probably couldn’t have predicted. Even if you go to business school, they don’t prepare you for a pandemic. Even if you have a degree in security, that doesn’t teach you how to recruit for a VP of Sales. There will never be enough formal or informal education that you can get to be an entrepreneur– you need that network to be your backstop.
Do you have any final thoughts to leave us with?
The first few years of getting into security is a bit of a challenge. You’re trying to figure out what your place is and reach the level of fluency and competency you need for it. It’s a challenge, but it is completely worth it. This is an incredible community that is doing incredible things and it can be hard, but it is worth the struggle.
If you don’t have mentors or sponsors and don’t know where to turn, reach out. Go to a community like Women in Cybersecurity (WiCyS) or an individual in the community and tell them you’re trying to do this – can you help or do you know someone who can help me.
I think people– and young women especially– will be surprised about what a deep pull there is from the industry to get them in and support them. Don’t be shy– the answer is always “no” to a question that you never ask. So, raise your hand, ask for favors, ask for mentorship, ask for opportunities. Ask, and keep asking. On average, men asked four times more than women. They don’t always get what they ask for, but they certainly get it more often than someone who never asks. The support and the resources and the network is there– just reach out and we are behind you.