EP 12 – Laura Whitt-Winyard CISO of Malwarebytes and Den Jones

Speaker 1:
Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Laura Whitt-Winyard, an experienced chief information security officer most recently at Malwarebytes. We hope you enjoy Den’s discussion with Laura Whitt-Winyard.

Den Jones:
Hello, everybody. Welcome to another shiny episode of Get It Started, Get It Done, Banyan’s adventure into podcasting. I’m your host, Den Jones. And today, I’ve got an amazing guest, Laura Whitt-Winyard, who was once described as one of the 100 most fascinating females, I think, in cyber, Laura, I’m not sure, but why don’t you introduce yourself before I totally screw it up.

Laura Whitt-Winyard:
Laura Whitt-Winyard. I’ve been in cybersecurity for 22+ years. I started out very technical, your typical security engineer. I’ve done some cryptography. I’ve done your SOC analyst working overnight shifts. I’ve been in leadership for I don’t know how many years now. I love to spread the cybersecurity word as far and as wide as I can. Security is a passion of mine, so here I am.

Den Jones:
Awesome. I did see you’re wearing, you’re sporting your DEFCON top.

Laura Whitt-Winyard:
Oh, yes.

Den Jones:
Yeah. Awesome. Awesome. I’d done a podcast recently with one of my old engineers from Adobe who’d been going to DEFCON forever. Then one of my junior engineers from Cisco, who went to her first ever DEFCON, and we had this podcast where we’re like, let’s chat about that. What’s the difference in your experiences? So that was pretty cool. And I love DEEFCON. It’s a great-

Laura Whitt-Winyard:
Yeah, I’ve been going since 2007.

Den Jones:
Wow. Yeah, yeah. That’s, oh wow.

Laura Whitt-Winyard:
No eight, 2008. I think. A very long time, I will say. And I love it. I’m surprised more security leaders don’t go to DEFCON.

Den Jones:
Yeah. It’s certainly my favorite of the year. So yeah, I love it. And hopefully you get to meet up with lots of friends. People you’ve hung out with over the years. So let’s jump into this. So one of the things, so yes, you’ve been a female leader in cybersecurity for a number of years. So over the journey, I’ve got two questions here. One is, as a CISO in that role, how have you seen that evolve over the last five years for females in the role?

Laura Whitt-Winyard:
Yeah, I mean there’s becoming quite a few more females in the role, which is awesome to see, I think. When I first became a CISO, or a cybersecurity leader, there were very few females, I would say like 3% or something like that. Now I think it’s closer to 20, which is awesome. But I think it also brings a different perspective and probably a little bit more empathy to the role. Cybersecurity professionals, they have high rates of suicide, alcoholism, stress and all that. And to be able to have someone in that role that has empathy, I think has really helped the industry a lot.

Den Jones:
Yeah, and it’s funny, one of my old bosses, he said, I need to learn empathy. And I think he’d been telling me that for 10 years. He’s like, Den, he went, you’re not very nice, are you? And I think as I’ve navigated my leadership roles, trying to become more empathetic, but then also trying to give people in the organization room to breathe, as opposed to me enforcing, it’s my idea, it’s my idea. That was always a challenge for me. And I’d like to think I’ve got a lot better at it. Now, in your experience when you’re dealing with junior, young and career females and they’re trying to aspire to be like you and get to where you are, what’s the one piece of advice you share with them the most?

Laura Whitt-Winyard:
Don’t be afraid. I think for me, when I first started, you’d sit in a conference room and there would be tons of people there and you’d want to chime in, but you were so afraid of looking like you didn’t know what you were talking about, or chiming in on something that possibly couldn’t make sense. Don’t be afraid. There’s not one single person in cybersecurity that knows everything. And chime in, speak up. If you want, wait until the end and speak up after the fact, until you gain some more confidence. But don’t be afraid.

Den Jones:
Yeah, no, that’s excellent advice. And then I did, in Adobe, they did a great program for Women Executive Shadow, it was called. Women’s Executive Shadow Program. And it was about young and career or junior management females that were trying to learn from existing executives. And I used to volunteer for that. And one thing I learned there was women don’t tend to ask for things as much as guys tend to ask for things.

Laura Whitt-Winyard:
Sometimes we don’t even know what is possible to ask for.

Den Jones:
Yeah. And so for me, it’s a case of if you don’t ask, you’re not going to get, and then don’t be afraid of seeking advice from other people and having them tell you what you think your career direction could go. Because like you say, you don’t always know, right?

Laura Whitt-Winyard:
Yeah.

Den Jones:
So, that one for me, that resonated. Now, ICIT, seems like something that you’re involved in, and the only thing I took away from, well, first of all, could you explain what it is?

Laura Whitt-Winyard:
Sure.

Den Jones:
And then, I was like, why is there not a female word just part of that, I don’t know.

Laura Whitt-Winyard:
I’ll take the word fellow. So ICIT stands for the Institute for Critical Infrastructure Technology. And we are a not-for-profit cybersecurity think tank offering nonpartisan cybersecurity advice to government, public-private sector. We get involved with a lot of things. I have my lovely book here on display, which was recently published, and I think we’re printing some 70,000 copies and sending them to Capitol Hill. But yeah, ICIT, I think there’s a little over 25 fellows where people who have been in cybersecurity in some shape or form for a considerable amount of years. And we advise on policy, we advise on legislation. A lot of different things. We also advise on the cyberspace solarium. We worked with Ted Lieu on the Cyber Shield Act. So we do a lot of advisory work.

Den Jones:
That’s awesome. And the book, so shameless plug for the book. So let’s talk a little bit about what’s a book about? Is it a love story? Is it a drama?

Laura Whitt-Winyard:
It’s a thriller.

Den Jones:
A thriller. And then who do you think is like, yeah, is it a book we can buy on Amazon, or is it a book that is just distributed to government officials and people that come up with legislation?

Laura Whitt-Winyard:
No, it’s available on Amazon. It is right here. It’s called securing. I don’t know if my words are backwards, but yeah, it’s called Securing the Nation’s Critical Infrastructures, A Guide for the 2021, 2025 Administration. Each chapter, or each critical infrastructure, is a chapter in the book. And varying fellows, whether it’s multiple fellows writing a chapter together, or one fellow writing one chapter. I wrote the chapter on the dams sector. So you just go to Amazon in search Securing the Nation’s Critical Infrastructure and you can buy it there.

Den Jones:
Awesome. And we’ll try and remind me to make sure we put a link in when we publish the podcast. We’ll need to make sure we do that.

Laura Whitt-Winyard:
Will do.

Den Jones:
I get forgetful in my old age. Okay, so work-life balance. Now, one of the things that you are between roles right now.

Laura Whitt-Winyard:
Correct.

Den Jones:
There was lots of people getting laid off, unfortunately in our industry, which is a crying shame, and you were impacted there. So as you’re at the wrong end of that, how does that change your view on work-life balance?

Laura Whitt-Winyard:
I treat looking for my next opportunity as a job right now. So I spend nine to five doing that, networking and speaking with people, doing interviews, et cetera. But it doesn’t really impact my passion for security. I still do podcasts like this, speaking engagements, white papers, different articles to spread the cybersecurity world. My husband, I don’t have any children, I have two St. Bernards. They’re like children. But I’ve been in cybersecurity for so long. My husband, my dogs, they know when mommy’s upstairs in the office, she’s doing her thing.

Den Jones:
She’s working. Yeah.

Laura Whitt-Winyard:
But on the flip side, the impact from layoffs being a bruise to your ego, if you will. Being able to spend time in my garden and actually being able to take time for myself, to actually be able to turn my phone off at night, which I had never done before, because being in cybersecurity, your phone always stays on. Has been kind of a relief, if I’m being honest.

Den Jones:
Yeah. So, it’s funny, because I was thinking, does it change your perspective in the sense of you realize when we work for companies, at the end of the day, there used to be, so 20 years ago, I would say that people who are committed to their company and their company was committed to their employees. And it was a very rare event for a layoff to take place. But certainly be working in the valley, it’s every year. Every single year. And sometimes it’s like they’re swinging an ax and it’s not about performance any longer, it’s just like a whole organization, or a whole country, or office. So for me, my perspective of this is people’s allegiances and loyalties to companies, I think is beginning to wane. And no longer, as everyone said, well, I’m dedicated to this company. Now I worked in Adobe for 20 years, almost 20. So I had a blessed career with them. But every year for a period of about five years, Adobe were notorious for a layoff in November. And it was like every year and it was tough.

Laura Whitt-Winyard:
Yeah, I mean, I totally agree with you. And I think the allegiance or loyalty to a company started waning when pensions were going away, right? And then everybody started putting money in their own 401k, and it was like, okay, you’re contributing, we’ll contribute some, but you’re contributing the majority of it. And I think that’s when loyalty started waning. And then now, there’s been, especially in cybersecurity, there’s a lot of job hopping in cybersecurity. Usually you’re two to three years with a company. But I think with all the layoffs, I think that that loyalty is getting less and less and less.

Den Jones:
Yeah, for sure. Absolutely. So one of the things, how do you describe your role when you’re at a dinner party with people who have no technology experience?

Laura Whitt-Winyard:
Oh gosh. Sometimes I just say I’m in computers, so they don’t ask me questions. But I just say, it’s my job to, I’m responsible for securing a company, and ensuring that… When I was at DLL for instance, I would say, oh, I’m the head of security for DLL. I’m responsible for securing the company in 37 countries.

Den Jones:
Wow. Yeah.

Laura Whitt-Winyard:
And I Would just leave it at that.

Den Jones:
Good to get an elevator pitch. I found that out years ago, because the reality is you could be out in a conference event, or you could be anywhere, and being able to say, hey, I work at this company, we do this, and I do this. And getting that pretty succinct is important. Now, one of the 100 Most Fascinating Women, so where and what was that?

Laura Whitt-Winyard:
So it’s a book you can buy. It’s on Amazon as well. And it’s called 100 Fascinating Women Fighting Cyber Crime. And it’s just basically cybersecurity ventures picked 100 women who have been in cybersecurity for a while that spend their time fighting cyber crime.

Den Jones:
Awesome.

Laura Whitt-Winyard:
And each one of us were featured.

Den Jones:
That is brilliant. Now, so for your piece and the feature, or maybe separately, what would you say is the worst horror story you’ve had as you’ve been going through your career from a cyberattack perspective?

Laura Whitt-Winyard:
From a cyberattack? Oh, I have many that weren’t cyberattack related. Especially in my early days where I was accidentally taking things offline. I would say, I got to be honest, I don’t really have any horror stories. There’s been security incidents. But for me, when there’s a security incident, I get excited. So they’re not horror stories. I’m like, yes, this is what we’ve been training for all year long. And it’s really exciting for me and the team. It’s like when you’re in the military and you’ve been going through all of your training camp and everything, and then you finally get to see some action, it’s a little bit exciting.

Den Jones:
Yeah, yeah.

Laura Whitt-Winyard:
So I’ve never really had any horror stories per se, but I will say typically within six months to a year of me leaving a company, they have horror stories. I don’t know if that’s coincidence. It’s not me doing it.

Den Jones:
Yeah, I know, right. Hey, I don’t want blame. It wasn’t me.

Laura Whitt-Winyard:
Yeah, it was not me, but it’s historically that’s what’s happened.

Den Jones:
Yeah. I think it’s interesting because as an incident responder, or as a security professional, there’s an expectation that breaches occur now. I think five years ago when you heard about someone getting breached, or even 10 years ago, someone getting breached, then it was like, oh my God, that’s really bad. They must be really bad at what they do. But the reality is you could be amazing at what you do. Your team could be amazing, and you could still be breached.

Laura Whitt-Winyard:
Yes.

Den Jones:
And I think of it like we’re playing Russian roulette every day. If you’ve got 40,000 people in your company, you’re hoping they’re not clicking links and doing stupid stuff. But the reality is, is they’re doing their job and the attacks and the social engineering is getting so good that people are going to click links, and they’re going to end up on sites that we don’t want them being on. But that’s how the world works. And our job now is to catch the bad guys, get them out quicker, and try to make sure the damage is limited.

Laura Whitt-Winyard:
Reduce your meantime to detection and your meantime to response.

Den Jones:
Yeah, yeah, exactly.

Laura Whitt-Winyard:
That’s really all you can do.

Den Jones:
Now, so one of the things… I always love to hear how people stay up to date with technology, and from a security awareness perspective, what’s your go to source for information that keeps you up to date?

Laura Whitt-Winyard:
Well, I eat, sleep, breathe cybersecurity, if you ask my husband. So I wake up reading it and go to bed reading it. But there’s a website called NewsNow and it’s a news aggregator, and I think the URL is newsnow.co.uk. I prefer the UK version versus the US version, because the US version sometimes you get a lot of accidental politics in there. And it’s just an aggregate pulling cybersecurity news from all around the world. I also to stay on top of what’s going on in the hacking community, I go to DEFCON, BSides. I’m in a few hacker servers on Discord. So keeping the pulse on what’s going on with the community. And then for my own training, I use Cybrary has free training. YouTube. What did we do before YouTube? I don’t know how any of us ever did any repairs in our home before YouTube. But yeah, YouTube, anywhere I can get information.

Den Jones:
Awesome, awesome. And yeah, when you think of, so from a personal growth and stuff, I mean it’s a hard task to try and keep a company secure, and it’s a hard task to stay up on top of things. So when you’re not doing that, so you’ve got two St. Bernards, what do you do outside of work? You mentioned gardening earlier. So what do you do to relax and to wind down after a crazy day.

Laura Whitt-Winyard:
I don’t really relax ever. If I’m going to be honest. So I’m really into gardening, not vegetables, I kill them. But I love formal gardening. So I’ve been working on a formal garden on my property. I’m also developing a gardening app.

Den Jones:
Oh wow.

Laura Whitt-Winyard:
To help gardeners. I started gardening like four years ago and I didn’t know anything, and I had to do a lot of research, and Googling, and watching YouTube videos. And I’d love to develop an app that would help people who want to get into gardening, but don’t even know where to start.

Den Jones:
That’s awesome. Yeah.

Laura Whitt-Winyard:
And then I binge watch shows to disconnect my brain and watch something mindless on TV so I don’t think about work.

Den Jones:
Yeah. What’s the last show or series you binge watched?

Laura Whitt-Winyard:
It’s called, oh gosh. It’s with Gary Oldman, Slow Horses. It’s on Apple+ Apple TV+. So good. So good.

Den Jones:
Awesome. I’ll need to check it out. What’s the premise behind it?

Laura Whitt-Winyard:
MI5 spies and the slow horses are MI5 people that were put out to pasture because they either weren’t good or they had some major mistake, and it seems like the slow horses keep solving crimes.

Den Jones:
That’s funny. Yeah, I’ll need to check that out. It’s funny how there’s a cyber element to that kind of stuff as well, right?

Laura Whitt-Winyard:
Yeah. I mean, people in cybersecurity, we love puzzles, right? So a lot of us love mysteries. A lot of us love thrillers, because nothing is more depressing than when you’re watching a show and before the show’s even over, you know who did it already. Or you know the why, or whatever the mystery is you’ve already figured it out and that’s when you watch something else.

Den Jones:
Yeah. And it’s funny as well, cause a lot of the shows, especially the ones that claim to do the hacking and all that business, you’re like, they’re so fake. And you’re like, that’s not how it works.

Laura Whitt-Winyard:
I say that. My husband’s like, oh please. Just let it go.

Den Jones:
Yeah. Let me stay in my own world of make believe I’ll trust that’s how it works.

Laura Whitt-Winyard:
Well I think, that’s why Mr. Robot was so popular with the cybersecurity community because they actually had cybersecurity advisors on that show. They did a really awesome panel at DEFCON. If you go-

Den Jones:
Yeah, I was there.

Laura Whitt-Winyard:
I was there.

Den Jones:
Yeah, yeah. I was there.

Laura Whitt-Winyard:
We were in the same room together and didn’t even know it.

Den Jones:
Yeah. Yeah, yup.

Laura Whitt-Winyard:
I mean, I think that’s why that community was so attached to that show because they were real hacks.

Den Jones:
Yeah, yeah. And I loved, I mean, it’s funny because I think I’m probably due to watch it all over again, just for nostalgia. But I loved that show. I mean, it was quirky, it was underground. The hacks were cool. But yeah, as you say, yeah, people should search out the recording of the DEFCON panel discussion because that was really good. And I think they did record that. They don’t record everything at DEFCON, but I think they did record that one.

Laura Whitt-Winyard:
Yeah, they did record that one.

Den Jones:
Yeah. Yeah. No, that was awesome. Now, so as we mentioned earlier, you’re between work right now, so what’s in line for your next adventure? What do you see next?

Laura Whitt-Winyard:
That’s a good question and I’ve been asked it so many times. And I just want to be able to secure the world. Some way, somehow. I know it will never ever happen, but it is a puzzle that I just absolutely love. So I want to work somewhere that I could have a really huge cybersecurity impact. Whether it be on the company itself, or the company and all of their customers, or globally. I mean, when I went to work at Malwarebytes, that was one of the things that attracted me was not only would I be able to secure Malwarebytes, the company, but being involved in their product and being customer zero, I could basically help secure millions, millions of people. So I’m looking for something along those lines. I would love to work at a company that understands that this is a passion of mine and allows me to continue doing my speaking engagements and giving back to the security community.

Den Jones:
Yeah, and I think, for me, seeing someone like you in the industry, an available talent, a woman leader, strong personality, great background. I can’t imagine you’re going to be sitting twiddling your thumbs for too long. I think the important piece, or obviously, is that right fit between you and the company and making sure that the role is actually good enough, because there’s a lot of rules out there that frankly you want to steer clear of. So yeah, it’s as much, when there’s someone like you in the market, it’s actually maybe more about you picking the company and the right role as opposed to them picking you.

Laura Whitt-Winyard:
To be honest, it’s like dating.

Den Jones:
It is like dating, isn’t it?

Laura Whitt-Winyard:
I mean, it really is.

Den Jones:
Did you swipe left or right? I don’t know which.

Laura Whitt-Winyard:
But I mean, it really is. You don’t want to waste too much time on a date if you know it’s not going to go anywhere, or it’s not the right fit. And I think one of the things I learned is it can happen to anybody. This is my first time being involved in a layoff and talking to some of my CISO peers, they’re saying, oh, it’s a rite of passage.

Den Jones:
Yeah, yeah.

Laura Whitt-Winyard:
We’ve all been laid off, and I just hadn’t. I was fortunate at that point.

Den Jones:
Well, [inaudible 00:25:06] might not be around the corner. I’m not sure where.

Laura Whitt-Winyard:
We’ll see how this podcast goes.

Den Jones:
I know, right? If nothing else, I’ll be number two in Libya or something.

Laura Whitt-Winyard:
Yeah, yeah. Yeah.

Den Jones:
Well good luck on the future of that. And as we leave, what’s one piece of advice you’d love to give the listeners who are, maybe they’re CISOs or they’re new in career, but what’s one piece of advice you’d love them to take away?

Laura Whitt-Winyard:
Honestly, the best piece of advice I can give is to partner with your internal and external customers. And back in the day, security was always viewed as the cost center or the group that says no. Having that partnership and coming up with creative and innovative ways to secure things that enable the business. A lot of people talk about, oh, we’re a business enabler, but for so many it’s just been a catchphrase, but with no real meat behind it. And I think really understanding, and that’s where that empathy comes in, where you understand that if your development teams aren’t closing a gap, chances are it has nothing to do with them. It’s because product is sending them a lot of work to be done, and you need to partner with product to get security on the roadmap, or on the PI planning. So finding those partners internally, externally, working with customers and just being a little bit more understanding that not everybody knows security like we do.

Den Jones:
Yeah, no, that’s great advice. And as you mentioned, when I ran enterprise security in Adobe, we were seen kind of like with an attitude of an ivory tower when I took the team over. And there was a lot of reasons behind why that might be the case. And I spent a lot of time on brand and how do we rebrand ourselves as a partner, as a transparent organization. And like you said, that saying no, it’s never helpful if you’re going around saying no, and then people just try and avoid you at that point. You’re not helping the company and you’re not helping the internal customers, which reflects and then doesn’t help your external customers.

Laura Whitt-Winyard:
Well, and honestly it’s not even our place to say no, right?

Den Jones:
Yeah, yeah.

Laura Whitt-Winyard:
We can say we don’t advise it, but feel free to accept the risk. Make sure you get the appropriate approvals to do so. But there’s always a yes and. Yes, we can do that, and if we put this in place, there’s no worries.

Den Jones:
Yeah. Yeah, and I’ve said that a lot over the years, which is our role is really explain the risk and help make a good business decision with our partners. And it’s not necessarily our decision, it’s usually their decision, and we should try and help them make that as quick as possible.

Laura Whitt-Winyard:
Yeah, for sure.

Den Jones:
Awesome. Awesome. Lot of luck, thank you very much for your time. Really appreciate having you on the show. Best of luck with your endeavors. And I’m looking forward to actually just catching up and seeing you at DEFCON. And we’ll grab some drinks and we’ll shoot the shit there. That’ll be way more fun.

Laura Whitt-Winyard:
Yeah, I think that will be fun. Prepare to stay awake all night.

Den Jones:
I know, right? Well thank you very much. Really appreciate it. And Laura, everyone needs to go out, they’ll check out your books. There’s one that says coming out, and then there’s one where you’re one of the most fascinating women in the book, I guess. So thank you very much. Thank you.

Laura Whitt-Winyard:
Thanks Dae. Have a good one.

Den Jones:
And you.

Speaker 4:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music urbanpunks.com.

Close Transcript