After nearly a decade as an astronomer, Dr Leila Powell wanted a change: “I enjoyed the type of work I was doing but I started to feel that I wanted to do something where it would impact people's daily lives a bit more.” Powell enjoyed the technical aspects of astronomy but wanted to put her skills to work outside of academia.
Much like astrophysics there are few traditional routes into cybersecurity, perhaps because the industry hasn't been around long enough to develop ‘traditions'.
Powell's route into cyber-security was data science - dealing with large data sets, analysing them and pulling out insights. In her previous line of work, questions of how you communicate those insights, make them accessible and ensure they can't be misinterpreted are critical. It was a lesson she kept in mind when she made the jump to IT security.
Powell decided that she wanted “to work in a startup because there would be more opportunity to learn different things, it would be a bit more fast-paced, and maybe I could keep some of the aspects that I liked about academia – working in small teams, working on future problems.”
It was a twist of fate that Powell landed where she did: “I just started looking at startups that I thought were interesting, and Panaseer was one of those that I found out about. At that point I thought, ‘cyber-security, that sounds interesting, could be good.'”
Powell was impressed by the refreshing maturity and expertise of her interviewers: “The team had a lot of experience working inside cyber-security – which can be unlike the typical start-up of young people starting a new App.”
“These were people who knew what they were doing already. I believed in them and the idea, and thought it would meet that need in me to help people because it's becoming such a pressing issue now, for everybody. And I ended up here – 18 months ago.”
Both astrophysics and cyber-security are very male dominated areas, so SC asked Powell how the two compared, and what particular issues had she faced as a woman?
Powell explain that astronomy in general had a slightly higher percentage of women than cyber-security - 25 percent on her University course - but it was a very low number when she worked in a niche area as a theorist analysing supercomputer simulations to study galaxy formation and evolution. “There might be just me or one other woman in a room of 50 people – and that's my experience in security as well.”
As for issues faced, Powell says, “I think I have been reasonably lucky in that I've got used to being in a male-dominated environment very young studying physics, and then astrophysics. Certainly you get lazy comments. If I go to a tech event, people just assume that you are in HR or marketing, and it's not meant in a bad way, it's just that assumption. Or in talks they will always refer to a generic CISO as ‘He'. And things like that can create an impression that you are an anomaly."
“I have also noticed that an all male group will communicate differently to a mixed group or female group. I know that, particularly early in my career, I made efforts to insist in getting my point in, rather than waiting for someone to allow me to speak. Now that may be a personality thing rather than a specific gender thing, but typically women are socialised to be a bit more polite, and a bit more reticent to come forward and stand by their views. It's something I've learnt to do being in the environment I've been in.”
But Powell also recognises that her relatively mild encounters are not necessarily the experiences of others: “If I see anything more significant I am quite shocked by it. I know this stuff happens, but I've been lucky.”
Powell notes how at events it's not uncommon to hear comments about a woman speaker's appearance in the middle of a technical talk. “You think to yourself, what on earth are you doing? Other people share your outrage but it still happens. They might say ‘She was really great', and then add some other comments, and you'd think, ‘just stop there.'”
But Powell's not completely sold on the approaches taken to actually get more into security because, she says, even then women are pushed into non-technical roles, like communications: “I am sure there are many men that have excellent communication skills, but aren't technical that might consider a career in security if they knew there were roles like HR, marketing, more organisational roles.”
“If it's a fact that cyber-security has a ‘Techie' image, that puts off people that don't have those skills, then let's open that out to men as well. Let's make it a gender neutral call to the general public.”
“It's interesting that you see a deficit of men in' women's roles', caring and communicating professions and you see a dearth of women in technical roles. Cyber- security can't undo all that, but I think [you can promote] role models of women who are in technical roles.”
Powell adds, “You also need to make the environment welcoming to women, so it's not just getting them there, it's retaining them there.”
Security data scientist?
Panaseer's aim is to provide insight for security stakeholders and companies into their security situation and to give them the information they need to make informed decisions about what should be done next.
Powell adds that it's important that different people get information which suits their role: From the CISO, to the Sec Ops Team, each position within an organisation will “need to know about the same situation but different levels of detail. We need to provide the information they need to do their job efficiently and be well informed.”
In short, deliver the right insight to the right person at the right time.
The biggest issue companies face, according to Powell, is lack of visibility: “We have all these tools gathering data, but there's not really a coherent picture of what's going on and being able to even know what's on their estate.”
A company may have up to 15 controls on their estate. There's a lot of information to take in, often in lots of different places. Powell's role, “as a data scientist is essentially to look at that data and find ways to view, analyse it, and present it – so there is a communication piece which is really important – to present it such that people can really understand what's going on on their estate and know what to do next.”
At the very beginning is Security Information and Event Management data, otherwise known as SIEM data, which has to be brought onto platforms; part of the role as a data scientist is to understand that data as well as model and clean it.
“The quality of the data is crucial, so part of my role will be to be involved in that; to model, to make it the best it can be. The next stage is ‘what analysis do we want to have?', what data sets can we put together to get more value than you would get if you had things separately.”
The next question is how to analyse that data. That could be about enriching it with more information or you might want to know which region one of your assets is in, and bring that together with an asset database.
Data is then searched, analysed and new ideas are tried out. When you have something you can work with, production code is written to feed into the Panaseer platform. That platform then runs on the client's estate and generates information on a regular basis so that that the client can check it.
Powell told SC that the most challenging bit of that process can be simply getting the data – depending on who owns the data and where it is actually stored, it can take time to attain.
Powell points out that, “This first stage is where a lot of the challenges lie and it can be a real blocker to getting useful insight. And it can sometimes be better to get a data set that is more easily accessible and demonstrate some value quickly, and make one aspect of someone's job easier.”
Providing technical information is all well and good for people to do their job, but ultimately they'll have to report up, justify budget and show how the security team is working.
But it's hard to report on something that hasn't happened, explains Powell, “We have this idea of different levels of insight dependent on the stakeholder – and it's not just the stakeholder, it's also the audience who they are reporting to, so for example, the CISO might be meeting with the vulnerability manager and discuss perhaps a lower level of detail, but if they then have to go and report to the CEO, they don't want to be showing them lists of vulnerabilities across the estate – then things would relate more to policies, SLAs, and risk.”
“The information provides an indicator ahead of time, so the report may say, ‘It's looking like you might not hit your KPIs next month, let's try to act now.' Whereas at the moment people don't have the visibility to even do that a lot of the time. It's about tailoring that information, personalising it, then they'll use that to decide – its providing evidence for a decision. “
Often, says Powell, it reinforces how people need to focus on getting the basics right so that they are protected from the threats we all know about that have been around for ages; do they know that what they have installed is actually working? If you start getting less data coming through do you know why are you getting fewer alerts? Because there are fewer threats or because something has gone wrong, been switched off, or half your estate isn't even scanning any more?
Regarding the role of AI, Powell comments, “Machine learning is great, great set of algorithms, great at finding complex correlations in data that it would be challenging for a human to spot with pen and paper, but it really is just a set of techniques. It's not magic – despite what a lot of marketing might have you believe. “
There's always caveats, adds Powell. Machines tend to throw up a lot of results and within them will be a lot of false positives. Things that will be flagged up as worthy of looking at but aren't actually anything. People in security are already bombarded with information from a plethora of different sources, but in order to make that noise intelligible, “an analyst, needs to go and work out what is really valid.”
So how has Powell found the career change? She told SC, “The skills I am using are the same including visualisation and communication; people often say it's a strange transition and it is in some ways, but [less so] with the maths skills, analytic skills and communication skills, and you pick up a lot of domain knowledge as well.”
“Getting to be in a start-up is also interesting. When I came in I was number five and we're 19 now. It was really exciting being part of a new company, so I learnt a lot about how businesses work as well, how the progression of a start-up works. We're all kept in the loop about how things are doing, get involved in recruitment, attend start-up community events around Silicon Roundabout and are involved in all aspects.”
It's not just big companies now that need security, its small businesses too. Powell concludes, “The average person can now get Ransomware attacks and has almost no knowledge about what they might do in order to be secure – and that does worry me. How would the average non-technically minded person protect themselves when they're not even aware they need to defend themselves?”
“I wanted to have this impact on people's daily lives, and while Panaseer is not directly helping the general public, it's helping companies be more secure – it's all part of the same thing.
“Now I feel like I am making that impact. It affects people personally – which is what I was hoping for.”