Wendy Nather - Director, Advisory CISOs, Duo Security


Wendy Nather has been around the block as a security professional. She has led security teams in the private and public sectors, at UBS and the Texas Education Agency. She also served as a research director at 451 Research and at the Retail ISAC. Now, Nather is the director of advisory CISOs at Duo Security.

As a “recovering” CISO, Nather discusses the most overwhelming challenges for security leaders today, as well as what it takes to design security to be user-friendly. She says that users recognize the importance of security, but can feel stuck in the “patchwork” of practices and services deemed necessary to keep things locked down online.

CyberScoop: Can you talk about what ways authentication has evolved in the last couple of years?

Wendy Nather: It used to be, when I started in this field over 30 years ago, you had one login, and at the time we thought it was a good idea just to give somebody a password and have them memorize it. But of course now, over the decades, things have exploded to the point where any given person might have dozens or even hundreds of logins on different sites. It’s very, very hard for a fallible human memory to memorize so many different unique and complex strings.

So we’re now trying to dig ourselves out of that hole, and one of the ways is to either get rid of memorized passwords altogether — which is something that the Duo Labs is actively working on — or at least bolster the security of that with another factor or factors of authentication.

CS: In what ways do you think companies like Duo have to keep up with the cutting edge of cyberthreats?

WN: I actually wouldn’t say that Duo has to keep up with cyberthreats as much as we need to adapt ourselves to help enterprises and how consumers use authentication. I think that the bigger challenge is making it usable for users and still defending against attacks. We can offer multi-factor authentication to users, but unless we make it usable for them, they’re not going to want to adopt it, which is why there’s so many opportunities for multi-factor authentication to be used. We still have a long way to go there, and until we manage to make something like multi-factor authentication easy and usable, it’s still going to be very easy for attackers to get in.

CS: Your Twitter bio says that you’re a “recovering” CISO. What do you think is the most overwhelming problem for CISOs right now?

WN: I think the biggest problem for CISOs is trying to influence the rest of the organization to change its lifestyle. It’s not a project where you put in security and then you’re done. So they not only have to influence and encourage the rest of the organization, but they also have to encourage those business areas to change their own business processes to do things more securely. That takes a long time. The bigger the organization, the more inertia it has and the longer it takes, in some cases over years, to get them to change what they’re doing to do it in a more secure way. It’s kind of like encouraging everybody to live a healthy lifestyle. It’s hard enough to change your own habits to live in a more healthy manner, but if you’re trying to get hundreds or thousands of people to change their lifestyles, you can imagine how hard that is.

CS: What about security from an individual perspective? Is there something that you think people need to know about managing access to their own personal tech?

WN: We keep describing to people the rules that they should follow to secure access to their own technology, but unfortunately they’re stuck having to use whatever the owner of the technology makes available to them. So if they don’t offer two-factor authentication, for example, they’re kind of stuck. There’s no way the user can secure their own access better if it’s something that that provider won’t do.

So I’m not really sure how much we can tell them to secure, you know. I kind of feel as though it’s out of their hands in a lot of ways. We can tell them things like, use a password manager, which we always recommend. But if the password manager won’t auto-fill a password into a mobile phone’s browser, for example, then the user is stuck with a very awkward and difficult experience. So I don’t think we’ve designed a lot of things to work across platforms and across software from a consumer perspective. But I think consumers are getting tired of this sort of junky patchwork experience and they’re going to start complaining pretty soon if they haven’t already. So that’s the next challenge for us.