Carolyn Crandall, the Chief Security Advocate at Attivo Networks, is of the opinion that companies should set up mentorship programs where women in power educate the next generation of security executives

Tell us about yourself and your current job role.
My name is Carolyn Crandall, and I am the chief security advocate and CMO at Attivo Networks. I have over 30 years of experience building new markets and successful enterprises infrastructure companies such as Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.
Taking companies from pre-IPO to multi-billion-dollar sales has earned me recognition as a global thought leader in technology trends.

I have specialized in developing strategies and solutions for my clients in operations, digitalization, and security. I am highly passionate about educating my customers about shifting to an active security defense that prevents and derails cyberattacks, thus mitigating the risk of a breach.

As the chief security advocate, I’ve focused on raising awareness on the importance of – and inherent market need for – a modern security defense that addresses an ever-evolving environmental and threat landscape. I consistently advocate for proactive vs. reactive cyber defenses and have become a major advocate for an identity-first security posture.

I’m able to use my platform at Attivo to educate enterprises about the need for new cybersecurity measures and what new innovations can be deployed to address them. With the concept of perimeter defenses dissolving, the focus now shifts to identity-based innovations that accelerate detection and response to advanced, credential, ransomware, and insider cyberattacks and for better protection of emerging attack surfaces including cloud, the internet of things (IoT), medical IoT and interconnected operational technology (OT) environments.

Additionally, I serve as an Advisory Board Member for the Santa Clara University Executive MBA program and co-authored the e-book Deception-based Threat Detection, Shifting Power to the Defenders.

Tell us about your journey into the security industry. Was the security industry your first choice?
I have always been interested in technology and studied Electrical Engineering and Computer science at Santa Clara University. My studies in college sparked my interest in pioneering technologies, and I made sure to keep hot technology companies on my radar and follow their news to stay informed.

My security journey has been filled with many wonderful opportunities, teams, products, and solutions. Almost six years ago, I joined Attivo Networks. Since then, I have made it my mission to spread awareness of good cybersecurity practices across organizations alongside Attivo Networks.

During your tenure in the security industry, have you experienced significant changes the industry has gone through?
Since I started with Attivo Networks, there has been a drastic rise in credential attacks. As the business landscape has changed significantly since 2015 due to the further adoption of digital transformation rapidly so in the past two years, this has exposed security vulnerabilities and has given threat attackers a playing field that is ridden with possibilities for cybercriminals to target organizations.

This has ultimately resulted in significant global financial losses as they exploit companies in exchange for the safekeeping of the stolen data. As more news of ransomware due to credential attacks arises regularly, the security industry draws the need for advances. Attivo Networks has recently introduced a new cybersecurity category called Identity Detection and Response (IDR). This category addresses the need for better protection against credential-related threats.

Are there any challenges you face on a day-to-day basis working in this industry?
Debunking the misconceptions in cybersecurity is one of the biggest challenges we face. Proving ROI is also a constant challenge for any security control. With Attivo’s solutions, the value comes in early detection, being informed when existing security controls fail, and in the operational management of an alert. Efficiency savings are fairly easy to calculate but assigning a savings amount to early detection or breach avoidance can be a harder dollar figure to define.

What sort of future do you foresee for the security industry as a whole?
As organizations have both accepted and embraced the digitalization of most services, this means that cyber threats will continue to evolve no matter the defenses put in place. There will be an additional need for better in-network detection to disrupt and derail attackers before they can cause damage.

As time goes on, companies will begin adopting a prevention posture instead of dealing with the consequences of a successful attack. As defenders, we need to keep up with the TTPs of the sophisticated actors and update our systems and technologies to keep up with them. With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities.

This need is particularly true as organizations race to adopt the public cloud, and both human and non-human identities continue to increase exponentially. Given the penchant for attackers to use credentials and leverage Active Directory (AD), it’s becoming more critical to detect identity-based activity.

What more needs to be done to welcome more and more women into the security industry?
The technology field has been saturated with mostly men, as very few high-level opportunities were available or pursued by women. Top executives need to start the conversation and empower women to pursue this career path to make the security industry a more inclusive space for them. This can be done by setting up mentorship programs where women in power educate the next generation of security executives.

Creating women-oriented programs and initiatives that include workshops on the security industry can generate interest in the participants. When larger organizations set up this type of program, it is often beneficial to provide internship or job opportunities to those who demonstrate a genuine commitment to the inclusion of women into the field, ultimately benefiting from talented resources.