As a leading cybersecurity professional, Traceable AI Head of Product Renata Budko recently attained an added distinction as a top woman in the fast-growing security field for 2022. To learn more about her success and ways that others can follow in her footsteps, I sat down with Renata to gather her insights on security careers and opportunities.
Renata Budko: Thank you, Dana. Like they say, I’m honored and humbled. It is a great group of security leaders. I always say we are leaders; we are not women leaders. We are cybersecurity professionals. We are not women cybersecurity professionals. But of course, being a woman and also trying to increase the number of girls and young engineers who want to enter the field and want to build themselves careers in our space, it’s also gratifying that, as a group, we are able to show them that it’s worthwhile. They can definitely make a difference in this field.
Gardner: What would you encourage them to do or perhaps recognize about cybersecurity as they enter the field? What is it about it that was appealing to you and why should it be even perhaps more appealing to them now?
Budko: Personally, I got into cybersecurity from the product-management angle. So, my career is not necessarily representative of how things go. I was a software engineer first, product manager next, and I got into cybersecurity as an already established professional and executive within the product-management field. But I guess the whole reason why I started to work with startups and found companies in cybersecurity is the same reason why the new, younger engineers should enter the cybersecurity field today.
There’s a big need from the industry perspective. There’s a big risk for a lot of companies that are doing business on the Internet, providing value as such services, and it’s a big opportunity. It’s a very interesting opportunity as well – it’s so versatile, from working with people along governance and compliance angles to becoming cybersecurity champions. You bring this idea of secure coding into one of the development teams and the colleagues that are not security aware to adjust technical expertise in a large variety of technical spaces, including the newer fields such as natural language processing (NLP), artificial intelligence (AI), and threat hunting. There are so very many aspects of it in a versatile career over time that you can build and never get bored.
Gardner: And of course, there are very many jobs begging to be filled, so it’s a great opportunity. Can you do well and do good at the same time in this particular field?
Budko: That is for sure. The demand is bottomless. The supply is limited and the supply of good people who have a broad understanding of the space is even more scarce.
Gardner: What are the trends that are driving this need for more cyber professionals? You mentioned that there are many different onramps to the career, different technology trajectories. But what is it, in general, what are the trends that are driving this increased need?
Budko: There are several, and I think that’s probably why the demand is so high. The most pervasive trend is the change in how we offer software. Software used to be delivered as shrink-wrapped packages that were installed within the tight perimeter of businesses. Today, most software value is delivered via application programming interfaces (APIs) as a software-as-a-service (SaaS) model in the public cloud.
That means that the perimeter is a lot more porous. And that means that internal and external blending boundaries are not as distinct anymore, which means that there are a lot more various threat vectors that are now possible and can put our software in danger. That’s probably the biggest trend.
An offshoot of that trend is the impact of a potential security breach. Because services are serving multiple tenants, a single breach can have much wider implications and much stronger potential impact. So, the importance of cybersecurity professionals grows in proportion with the importance of financial risk and the value of the financial impact of a potential breach.
Gardner: It’s safe to say that things aren’t going back to a shrink-wrapped world. So, the demand and the opportunity for being creative and blazing new trails in cybersecurity is only going to grow.
To stay relevant as a cybersecurity professional, you need to understand the microservices and what are the changes in architectures and APIs and how they can be attacked. – Renata Budko
Budko: I would second that opinion for sure. That also is in line with the very fluid architectures in the cloud that we continue to see. To stay relevant as a cybersecurity professional, you need to stay abreast of not only the new cybersecurity developments. It used to be — you only need to watch for the new Common Vulnerabilities and Exposures (CVEs), new vulnerabilities that get published. Today, you need to understand what are the microservices, what are the meshes, what are the changes in architectures or what are the new API protocols and how can they be attacked in a different way. And that’s not even counting the state threat actors and the cyber warfare threats that are coming in. Those use very different profiles, very different resources than individual hackers would use. So definitely there’s a lot of interesting things going on to keep your mind agile and engaged.
Budko: The most interesting part for me is to be in a consultative position to our customers, to our market. Talking to the leaders in cybersecurity on the other side of the table, the Chief Information Security Officers (CISOs) of Financial Technology (Fintech) companies, the CISOs of banks, the CISOs, VPs of engineering at startups that are perhaps fairly new but growing rapidly and delivering value over the Internet.
In some cases, they are aware of cybersecurity as a general need and of the trends that we just discussed, but not necessarily aware of either specific attack vectors or the specific architectural decisions or the business decisions for that matter, the team composition that they need to have in order to properly mitigate those risks. So, it is most rewarding when these conversations come together and ask from the vendor side, especially forward-thinking vendors such as Traceable, and the leading-edge CISOs from the practitioner side, work together in industry groups and in informal organizations such as Silicon Valley CISOs and come up with best practices and recommendations for the industry to really become more robust and resilient.
Gardner: Going back to encouraging young people to get more involved with cybersecurity, are there any misconceptions about being an engineer or a technician or a researcher or a product manager in cybersecurity that you think people should be aware of? What do people not get right when it comes to this career?
Budko: I think there is a perception that equates a cybersecurity professional with a hacker, and sometimes there is this concept of a White Hat hacker or an ethical hacker. A Black Hat hacker is out there to do harm. A White Hat hacker is the person who follows the same techniques but for the greater good. That’s a valued profession, absolutely a valued profession.
Perhaps that misconception got fueled slightly by the introduction of the bug bounty programs in that direction in application security, which is crowdsourcing the White Hat hackers to randomly find vulnerabilities in applications. But cybersecurity is so much more than that, and especially for folks who have the inclination to be moderators or team managers or evangelists, of course. There is a large field of vision and opportunity for those folks who are both technically and people minded.
Gardner: It’s also exciting that we’re at the intersection now of AI, machine learning (ML) and data science with cybersecurity. Why is that a particular interest and doesn’t that bring a whole other group of potential career enthusiasts into security?
Budko: Absolutely, Dana. AI and ML is a very broad technical field and a very interesting one. It grew out of what we used to call statistics. It solves the same problem as simple tools like linear regressions, but it solves it in a much more sophisticated way, which allows the tool to dynamically develop over time based on the data that are coming in.
In terms of the cybersecurity applications, I would argue that a data scientist is a data scientist. They are working on image recognition in YouTube or threat recognition in Traceable AI. A lot of the tools, a lot of the techniques are applicable, and there are some very interesting data science problems that we are solving at Traceable, and the industry is trying to solve at large within cybersecurity. I would argue though that the expertise in data science itself is a lot more important in this case than a specific background in the cybersecurity field.
Gardner: Looking back, Renata, what do you feel best prepared you for attaining this level of being one of the top 25 women in cybersecurity? Was there something that perhaps you might not have thought of at the time, but looking back has helped you become a top leader?
Budko: It’s a great question, Dana. It’s one of those situations where the crystal ball is not going to show you the past or the future. A lot of this I think is a combination of three things. Agility of mind is the first one and keeping up with whatever new things are driving our environment, whether it’s technology or work patterns or business patterns, that’s definitely the biggest one. But specific to the technology, the greatest skill that I perhaps did not understand was important is the ability to explain the same problem in the language of the listener.
Specific to the technology, the greatest skill that I did not understand was how important it is to explain the same problem in the language of the listener. – Renata Budko
Because the same problem is going to look different from the standpoint of a CISO versus my own developers who are trying to solve that problem from the software and code point of view. They are both interested in the impact that the solution is going to provide and in the specific steps that they need to take with the new tool to get to that solution. But both the language and the importance of different aspects of the solution look very different. It’s like a blind man trying to figure out that they’re touching an elephant, depending on where they are – at the leg or at the trunk or at the ear – each area feels quite different.
So, the skill of the leader is to see the bigger picture, see the entire elephant, but properly set expectations for the person who’s touching the trunk, what it is that they are interacting with, and how it relates to the entire elephant.
Gardner: That’s very interesting. Being a translator across different domains, personas, and disciplines is important, as well as being a guide who directs people along the way. Certainly, these are areas where women have done very well in many other careers. So, it looks like there’s a huge opportunity for women in cybersecurity as well.
Budko: I would agree.
Gardner: Any last words of advice, Renata, for people of any background entering cybersecurity and why they should perhaps give it a little bit more thought and serious consideration?
Budko: I think talking to other folks who are already in the field would help to both better understand the field and build the network because there is strength in interactions, there is strength in working together. Right before COVID and working from home, there was a huge number of in-person resources such as meetups that you could go to whether or not you were a current cybersecurity professional. As a student or as a developer, or as a person from within the field, attending these meetups and networking with other professionals is important. And listening to presentations about interesting aspects of the technology such as ML and AI, that’s definitely a good resource. The pizza is usually good as well.
These days a lot of these events are virtual. We just had an API security event last week that we participated in. I am presenting at the Product-Led Festival next week. So virtual events and virtual networking are good resources as well. Until we have the in-person available, the younger people can take advantage of it.
Gardner: So, there is literally a whole world of addressable opportunity and market and as I say, doing well for yourself and doing good for business and society, all in the cybersecurity field.
Budko: I agree and definitely would encourage more girls and young women and young professionals overall to consider this as the correct choice.
You can follow Renata on Twitter and also learn more about Traceable AI and how it observes, analyzes and secures APIs. Depending on your role and the needs at your organization, there are multiple options to get started with Traceable AI and its many options for observability and API security:
- If you’re a CISO or DevSecOps security leader and want to evaluate your API security risks, try the API Security Posture Assessment.
- To start your journey, sign up for a Free Tier and learn all about your APIs — internal, external, third-party, and even the shadow or rogue APIs you may not even be aware of.
- If you want to compare different API security solutions in the market, check out the API Security Tools comparison guide.
- You can also view a demo or book a meeting to learn more and ask your questions on how Traceable can meet your API observability and security requirements.
(Dana Gardner is Director of Content at Traceable AI.)