CyberWire Daily - Merritt Baer: No one has to go down for you to go up. [CISO] [Career Notes]
Episode Date: September 24, 2023. This week our guest is Merritt Baer, a Field CISO from Lacework and a cloud security unicorn, who sits down to share her incredible story of working through the ranks to get to where she is today. Before working at Lacework, Merritt served in the Office of the CISO at Amazon Web Services, as part of a small elite team that formed a Deputy CISO. She provided technical cloud security guidance to AWS' largest customers, like the Fortune 100, on security as a bottom-line proposition. She also has experience in all three branches of government and the private sector, and served as Lead Cyber Advisor to the Federal Communications Commission. Merritt shares some amazing advice for up-and-comers in the field, saying "my personal philosophy is that no one has to go down for you to go up. I'm always encouraging my colleagues, um, and other executives to be thinking about how we can, you know, steel sharpens steel, how we can be good for each other, how we can collaborate, how we can, um, create more strengths in one another." We thank Merritt for sharing her story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hi, this is Merritt Baer, and I am field CISO itself, the Chief Information Security Officer role, was one that didn't necessarily exist until somewhat recently, where I feel like there was maybe like your IT admin folks and maybe a data privacy attorney, but not a lot of room for those kinds of technical and business security conversations that are what I do now.
I had always been someone who would pick up a book about the CIA or something. I don't understand how everyone doesn't think security is fascinating. So it was kind of an indulgent side of what I liked to learn about. And then I went off to Harvard and, you know, there were just these issues that seemed to be coming for us. And I felt like we weren't very well prepared to answer them and that they were already staring us in the face in terms of, you know, private companies sort of burgeoning into more and more immediate and intimate interactions with us. And then what is the role of government and what is the role of that citizen or consumer in sort of mediating those relationships? And security was just such a primary element of what we needed to think about. And I mean that literally, like how we're going to protect account access, but also, you know, as the construction of what we think about when we want to experience the world in a safe way.

Well, then I went to Harvard Law School and did every computer security class I could do there. And I ran out of those quickly and wrote my own studies. I was actually really focused on what is now known as CSAM, child sexual abuse materials. Child pornography was the term then. And so I basically kicked off my security expertise in this area that is really specific, but also permeates how we think about, you know, access to software and to devices and, you know, rights and responsibilities of the government and of companies. So that was something that led me into my next, you know, my first job job, which was clerking for the military's Supreme Court, which is called the U.S. Court of Appeals for the Armed Forces. About two-thirds of their docket at the time was issues involving child sexual abuse materials, because the military gets some of these issues as sort of like harbingers of what civilians will get, because civilians have, you know, higher expectations of constitutional rights than military members do, or those who are subject to the UCMJ.
So I went from that into working for the U.S. government in all three branches, doing security work, and then went to AWS five and a half years ago. And today is my first day in a new role, which is as Lacework's Field CISO. So I can't tell you what a lot of days have looked like so far, but I can tell you what I think I'll be doing. And a lot of it is resident with what I was doing at AWS, Amazon Web Services, which is to talk to customer CISOs or CXOs, executives that have responsibility for security, and ensure that we are helping them problem-solve as effectively as possible, which really should be a business enabler so that security can be part of everything they weave into what they do and ultimately do more and do it securely.
So my personal philosophy is that no one has to go down for you to go up. You know, I'm always encouraging my colleagues and other executives to be thinking about how we can, you know, steel sharpens steel, how we can be good for each other, how we can collaborate, how we can create more strengths in one another. And I think that that in general is just an approach that is especially conscious of the fact that this field is so relationship driven. And so it's important that when we get in the room, we don't, like, waste each other's time with competing, you know, with petty, small sort of self-serving conversations. Because what we want to do is elevate the entire state of play, right? And we need to be doing that through conversations that build trust. And although lots of companies say that they are not super hierarchical, I have found that many are. And so I think that that's, you deal with the landscape that you're in, but I think that it is an important attribute of places that they have a seat at the table for folks to contribute in whatever way those folks are best contributors. You know, that they're able, that folks feel like they are seen, that they have the opportunity to develop themselves, and that they then contribute to the company bottom line or the policy bottom line in other cases. And I think that that's, you know, the goal is always to see folks flourish.
So I got into security because I had this conviction that folks who are vulnerable get the least inheritances when it comes to both safety and security. And by that, I mean walking around in the world and as a sort of byproduct of the merchants and other relationships in their lives. You know, women are likely to be murdered by a romantic partner and so on. And so like it goes from the very literal to the more notional, like if you have a fancy credit card, then you're probably insulated from identity theft debt in ways that folks who are not, you know, using those kinds of luxuries don't have. So I think I would hope that at the end, while I'm working with enterprises and I am doing what feels sometimes like these broad strokes, that I'm raising the water level in meaningful ways for folks who don't have to then be experts themselves. That we're able to, you know, create security as something that folks are more entitled to and that it benefits especially the folks
who need it in vulnerable communities.