Creating a more diverse cybersecurity workforce

Chris Sienko: Welcome to another episode of cyber speak with InfoSec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to help us all stay one step ahead of the bad guys. As part of Infosec's effort to close the skills-gap and empower people through security education, I'm happy to announce that we're launching our annual scholarship program in April. Please visit InfoSecinstitute.com/scholarship for the full scholarship details. In line with that goal, over the next four weeks, we will be speaking with diverse and interesting women in the cybersecurity industry, including today's guest: Ruth Gomel-Kafri, the director of product design at the security policy company Tufin has a fascinating personal story. There's also an interesting story to be told about Tufin. Out of Tufin's 449 employees, 121 or 27% of the workforce is made up of women. Further, 37% of Tufin's research and development workforce is women, compared with Frost and Sullivan's report that women comprise 14% of the cybersecurity workforce in North America, 7% in Europe and only 5% in the middle East.

Even in higher positions where the glass ceiling is less commonly broken, Tufin boasts 12 security female managers, 44% of the total management pool in the R and D department. Anyone who's tried at any level of governance to bring a more diverse workforce into their organization knows that an organization with a gender breakdown like this doesn't happen very often. We're going to talk to today about Ruth's work with Tufin, but we also would like to learn some specifics about what working with an organization like that is like on a day to day basis. Ruth Gomel-Kafri is the director of product design at Tufin where she oversees and leads the product design group. Ruth has more than 10 years of experience working in cybersecurity, nearly nine of which were spent at Tufin. Ruth received her BSC in Biology and Computer Science, as well as her MSC in Cellular and Molecular Biology from Bar-Ilan University. Ruth, thank you very much for being here today.

Ruth Gomel-Kafri: Thank you. I'm actually quite excited. It's my first time interviewing for podcasts.

Chris: Oh, good. We're happy to be your first here. Thank you again for your time. Starting at the very beginning, how and when did you first get involved in computers and security? Is this something that you were interested in since childhood? Did you move down that avenue later in life?

Ruth: I would say it's more like happened later in life.

Chris: Okay.

Ruth: As a kid, I grew up in the 80s. As a kid in the 80s, I had some experiences from school with computers, both as a kid and also as a teenager in high school. Those who remember years ago, logo basic, Commodore 64.

Chris: Yeah. Commodore 64 has come up in a of episodes so far. I think there was a lot of people's first, for people of our age group.

Ruth: Right. Yeah. I had some, I showed some interest. I couldn't say it was a passion. Actually, I tended much more for science. I was more of a science and math person than humanities and arts. I think my passion was much more into Life Science. That's why I have my Masters of Science in Life Sciences. For a while I really thought I'd be a scientist. I really, really believed it and thought this is my goal and way. Then, life happened and I realized that I don't really like the bench.

Chris: Okay, that's what I was going to ask.

Ruth: The lab bench.

Chris: Yeah. Are those still parallel tracks? Do you still keep up with science and the things that are currently happening in the science realm? Or have you moved completely to-

Ruth: I completely ... At the first when I moved more than I think about 15 years ago.

Chris: Okay.

Ruth: Totally. For a while, I was indecisive. I completed my ... As an undergraduate, I took a position at a QA, engineering startup dealing with broadband services. In 2000 that was the thing, broadband services.

Chris: Yep.

Ruth: That basically was my door to the so called high tech industry. Then, I got back to university to do my Master of Science degree, because I really thought I'm, as I said, going to be a scientist. At first when I realized that I'm not going to be because it's not my thing, I let go my academic career. For a few years, I tried to keep up with what's happening in the research arena of life science. As your goal goes by and you have more on things in your life, then I'm not keeping up. Though, in what you call the public communications, not the professional communication, I still like to read about science.

Chris: Okay.

Ruth: When I decided that I'm moving away, I found another QA position. It was, again not at all in the cyber arena. My first position is in the broadband services startup. It was somewhat related, at least, to networking.

Chris: Okay.

Ruth: My second position in software testing was in medical tests and science test device software, software for medical devices, basically. It was a combination of my education fields.

Chris: Okay.

Ruth: Again, in my education there was life science but they're also computer science. Somehow, I thought that I might go there. Then, my way into cyber actually was not so obvious. I was back then already a friend with Reuven Harrison, one of the Tufin founders.

Chris: Okay.

Ruth: Mutual friend urged me. He said, "You should go work there. It's really nice company where there were a handful of people there." I looked for ... Actually after about, I think it was over six years, in five in QA, I try to see: What is my next thing? I know that QA is not going to be my main career. I knew I'm going into product management even before I knew what it is. I knew I wanted to deal with the 'how the product should work'. What do you do in order to understand what should be done in the product? Define it and make it happen. I just didn't know that's product management back then. Talking to Reuven Harrison, I saw that it might be a place where I could get there. Basically, that was my first position in the security arena. The rest is, I guess, history.

Chris: Yeah. You've been with Tufin for much of your security career. Could you tell us a little bit about Tufin? It describes itself as a leader in network security policy orchestration for enterprise cybersecurity. What type of services and products does Tufin provide for its clients?

Ruth: Tufin has more than 2000 enterprise customers all over the world. All over the verticals, really all verticals and financial tel-co's, retailers automotives, everything. About half of the 50 top companies in revenues, right ... Companies of Tufin are in the Forbes global 2000.

Chris: Okay.

Ruth: The reason they approach Tufin and look for a solution from Tufin is because they have massive networks; Very complex consisting of sometimes thousands of firewalls and network devices. They're also, of course, using Cloud solutions, whether private/public infrastructure and platform as a service. They basically manage very complex network, huge and complex.

Ruth: It's hard to control network security in such environments. It's a huge challenge to both control in terms of auditing and also making changes for business applications to work. Today, when these customers are also facing massive grow in digital services within the organization and between different organizations, aligning both, it's like ... The need for security but also fast pacing changes, technological changes, really requires control. Tufin basically helps automating some of these security process or network security processes, such as change and auditing.

Chris: Okay.

Ruth: Reduce significant costs for these large organizations.

Chris: As someone who's worked at the very latest developments of cybersecurity policy, how has the cybersecurity landscape procedurally or directionally changed since you first got involved 10 years ago?

Ruth: Massively.

Chris: Yeah.

Ruth: Yeah. I remember I joined Tufin and security was perceived as for ... Many customers we met and in lots of places, you see the security was this mysterious job of 'you people'. What exactly do ... They use these weird tools, firewalls and all sorts of things that no one knows how to handle.

Chris: Right.

Ruth: Mostly, from the other sides of the organization, the silos usually those who are really making us problems, they are slowing us down. They have all sorts of weird requests. When you look at it today, the volume of comprised data increasing constantly, which is discovered regularly. I think the most important thing is that companies really lose money because of breaches.

Chris: Yes.

Ruth: Security, of course, became like hot and a lot of money is invested in the industry. Again, it's all in parallel to a massive grow in digital services which introduce, of course, more risk.

Chris: Right.

Ruth: I think that's where Tufin was and still is an innovator, because they saw it coming. We saw it coming and that's exactly what we deal with. In one hand, the acknowledgement all over the organization that security is required. Every company and every, I would say, managers in every company understand why they need security. It's already not this weird thing that's not understood what it's for. It's a well established need for a company. Also, the challenge is growing. That's exactly where Tufin is valuable and investing.

Chris: Yeah. It seems like 10 years ago people were ... Security seemed extraneous because no one had really been hit by anything yet. Once you start seeing these breaches, these attacks and this money loss, then the perception changed very, very quickly.

Ruth: Right. Even board level directors are basically exposed when a breach occurs. It's for sure making it a very hot topic today. Changed dramatically.

Chris: Yeah. Walk me through your everyday work day at Tufin. As director of product design, what are some job duties or tasks that you perform every day, and what are some of your favorite aspects of your job?

Ruth: First of all, as I said before, I knew that I wanted to design products even before I knew to name it. I understood the requirements, how the product should work, what R&D should do to make it to work. I knew that's what I want to do.

Chris: Okay.

Ruth: Basically I started it a bit, as you know, even when I still had QA positions in my previous companies. I always took assignments of defining parts of the product. Also, as a project manager, one of my roles in Tufin was project manager in engineering. Also, for some of the stuff I defined and helped to resolve the issues by defining better the product. I realized that's what I want to do.

Today, as the director of product design, my group basically responsible for defining the product, how it behaves, how the users will use it, how the different parts of the product will work together. We have a few products, it's a suite of products. They all should be coherent. That's our main responsibility. It means that we need to talk to a lot of customers and understand the challenges, so we can provide the best solution. It means that almost every day, there are customer calls and not all of them I'm leading.

Chris: Right.

Ruth: Actually, I try not to lead any of them because I have my team to do that. I'm joining a lot of them. Again, I think a main thing is talking to customers and users, basically. Even more than customers, users.

Chris: Yeah. It sounds like you are still ... Even though you're at the director level of product development, you are still really excited about working hands on, making sure that everything works correctly. Is that right?

Ruth: Well, yeah. Probably from an early QA stays QA.

Chris: Right. Old habits never die. Yeah.

Ruth: I left the QA but QA never left me.

Chris: Never left you, all right.

Ruth: My day today ... Again, as you said, I'm more of the director or managing. I have a group of almost 12 people and I'm still hiring.

Chris: Okay.

Ruth: You can imagine I have a lot of personnel meetings with my people. Since my team is also responsible for what we call release planning and making sure that the various features and capabilities are coming at the right time; Then, it's also project meetings, architects and product management. My schedule is usually full with meetings.

Chris: Sure. Yeah.

Ruth: Yeah.

Chris: As we described at the top of the show, we're trying to speak to as many interesting people with diverse backgrounds. Women and people of color in the cybersecurity industry. There's an issue of the skills-gap and there's an issue of who's being hired and who's not being hired. Who's hearing about these jobs and who isn't and so forth. As was described at the top of the show, Tufin has an impressively diverse workforce, including a much higher percentage of women at various levels from research developers to managers. What is it like working in this type of environment, as opposed to the organizations you've worked in the past? Does it change the outlook? Does it change the procedure from day to day at all? What is your experience?

Ruth: Interesting question. I have to say that in a day to day, I'm not sure that it's the percentage of women. Okay. Maybe it's cause and effect here are not really obvious.

Chris: Right.

Ruth: I have to say that working with Tufin is working in a very respectful environment. Some of the core values in Tufin are respect and honesty, open communication, collaboration. I think that for me personally, I tend to think that for women in general, it's important. I can tell you that I didn't see it in past companies. It wasn't as much like that in other companies I worked with. I do tend to feel that more women contributes to such environment. I'm not sure. It's not the only thing. You have to have the leadership very into these core values.

I think that having that environment helps. Not just women, different people.

Chris: Yes.

Ruth: When the environment is open, then even if you do not look like your next desk neighbor, you still know that you can talk freely, you can ask questions. You'll be treated fairly. Tufin is really a company like that. For almost three years, I was working for another company, in 2016 until the end of 2018, and I came back. It says it all, isn't it?

Chris: It does. I've heard tech leaders say things like, "We'd like to have more women at our company, but none of them are answering our job applications", or "We don't know where to look", or what have you. Is there an art to crafting job listings or targeting them correctly to bring more diverse candidates to the pool?

We were talking in previous interviews to people about the skills-gap in general. We were finding that, for instance, HR crafts their applications too high in such a way that you have to have this many years. You had to do this and you have to have this certification or we're not even going to consider you, and so forth. It seems like maybe at that level, maybe there are diverse candidates who look at a job listing and see subliminal signs in there that say, "That maybe isn't for me", or what have you. Do you have any sense of that?

Ruth: Interesting questions. At first, I personally, and I don't think anyone in Tufin writes the job description or the job listing in any other way than what we need. Okay?

Chris: Right.

Ruth: We're looking for [inaudible 00:21:44] people with our domain expertise. Personally, in my group, design expertise. We are not compromising it for anyone or anything. That's what we need and that's what we get. You can get that from anyone.

Chris: Yes.

Ruth: Actually regardless of Tufin, your question is interesting. I don't remember where I read research that says that women tend to apply for jobs only if they are at least about 90% to 100% suitable for the exact requirements that are listed there.

Chris: Right.

Ruth: Men will apply even if they meet only a handful of the requirements. I believe more in trying to encourage women to do the same as men and not the other way around.

Chris: Right.

Ruth: Companies will say what they need and that's okay. As a recruiting manager, I'm listing whatever I need. I'm sure I can get that. These people, whether they are men, women or whoever, it's not related to gender.

Chris: Of course.

Ruth: I think here in Israel, we have an advantage because of the compulsory military service.

Chris: Right.

Ruth: Our army is known for technology. We have lots of technology positions in the army and they are open both to men and women equally. I think we get a lot of workforce, young women who are leaving the army with technological knowledge. They are just joining the industry. I think maybe that's also, to some extent, the reason we have quite ...

Chris: Yeah. That's huge. If you have, as you said, compulsory military service, you have a military with a lot of technical background and military service for both men and women; You've already seeded the field with a great deal more people with technical acumen who then might want to move on to technical positions in the private sector, and so forth.

Ruth: Yeah, totally.

Chris: Very interesting. We just spoke with Gregory Garrett, who was in the U S military, who was saying that there is a bit of cyber skill shortage due to things like budgets and what have you. I think that's a really interesting insight that you've brought there.

Ruth: Yeah. I really believe it's something in Israel. It's big, I think, that it's contributed.

Chris: Yeah. Do you think there are ways that the tech and security fields in general can make these types of careers more interesting or accessible to diverse candidates? Conversely, is it possible to make the tech industry understand that more women and minority professionals in tech ultimately makes the industry stronger and more able to take on diverse challenges?

Ruth: I believe women will get women. When you started quoting like, "Recruit the first, the second, the third women, more women will follow." First, because the best recruiting channel is network.

Chris: Yes.

Ruth: When you have you women in your company, you have also women networks. By the way, in social media, we have a lot of women groups.

Chris: Okay.

Ruth: We have women in tech in Israeli groups. Women in tech, product [inaudible 00:26:07] UIX, HR, everything. We have groups. Not one of each, many. We have meetups for women in tech, we have events, hackathons for women. By the way, we use all of that to recruit and to send open positions that we have. Get women to know about us. Presence in those places, it's really good. Again, I think mostly it's having women on your workforce, because then other will follow, you know?

Chris: Right.

Ruth: By the way, other ... It's funny to say minorities. Women are not minorities, but you know what I mean?

Chris: Yes I do.

Ruth: Diversity.

Chris: Yes, right. What are some tips you would give to women entering the world of security? What are some of the common pitfalls that you've learned to sidestep over the years or that you would warn against?

Ruth: The first one, actually, we've just talked about.

Chris: Okay.

Ruth: Don't try to perfectly fit into the job description.

Chris: Yes.

Ruth: Be more, I would say ... Don't be afraid to make the leap for your next job, that's for sure.

Chris: Okay.

Ruth: That's number one, I would say. I think also don't be afraid to ask questions. Don't be afraid to be perceived as, I don't know, less known. Come to discussions with data. That's what usually tech people are expecting. Also, mind your gut feelings because even though sometimes feelings are perceived as less value, the tool for decision making, it's not correct at all.

I had a manager that told me ... I once came to my manager, I told him, "Look, I know that this project is not converging. I know that, but I don't have the data to tell you. I don't have the data, I just know that" He said, "Okay, I trust you because you know. Now, I'll help you to get the data." I think it's a good lesson. Don't be afraid to share what you feel, even if it's not totally based on data. Ask for help when you need it. It's okay. Also, nurture open communication, lead by example, open communication, collaboration, inclusive communication. I think that's things that really makes it easier for women, and so we women should act like that.

Chris: Awesome. As we wrap up today, where do you see security policy and practices going in 2019 and in years to come? What are some innovations and ideas that you're looking forward to seeing and what are some major challenges to be addressed?

Ruth: I think, as I said before, a main growing challenge in security is the massive growth in digital services in various platforms. You have Cloud and SDN, whether it's ... It's all very elastic. It's changing a lot. Changes usually are for security. I think anything that we ... Also, changing roles, because sometimes it was very siloed and only security people handled security.

Chris: Right.

Ruth: Today many different, I would say, stakeholders in an organization can create infrastructure without even minding that they are harming security in many ways.

Chris: Right.

Ruth: I think that innovation in our field will be in how to get a control without interfering the pace of change. Change will get faster and faster, and it won't stop. I'm happy to be with Tufin because I know that's exactly what we do, and we provide and will provide innovative solutions around exactly this challenge.

Chris: If our listeners wanted to learn more about Tufin, where can they go?

Ruth: www.tufin.com.

Chris: T-U-F-I-N dot com.

Ruth: Yeah.

Chris: You were mentioning a couple of Facebook groups. Are those just for your company or can you recommend any of those 'women in product and security' groups and stuff like that?

Ruth: Yeah. I know a lot of Facebook groups, but I know mostly the Israeli Facebook groups.

Chris: Right.

Ruth: Yeah, we have many, Product Queens, or Women in Tech. Actually, Women in Tech you have also in the US, I think.

Chris: Okay.

Ruth: Also an Israeli group. UIX, UI, I think it's called. 'We do IX' or something like that. I don't remember.

Chris: Awesome.

Ruth: Really, we have a lot. It's a lot.

Chris: Good to know. Okay. Especially if you're an Israeli listener or anywhere, just go find some groups and talk to people. Start collaborating.

Ruth: Exactly.

Chris: Ruth, thank you very much for being here today.

Ruth: Thank you. I was really glad to be here. It was really great.

Chris: Very glad to have you. Thank you all today for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in Cyberspeak with InfoSec to checkout our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos including this one are also available as audio podcasts. Just search Cyberspeak with InfoSec on your favorite podcast app.

To see current promotional offers available for podcast listeners and to learn more about our InfoSec Pro live bootcamps, InfoSec Skills on demand training library and InfoSec IQ security awareness and training platform, go to infosecpkstage.wpengine.com/podcast or click the link in the description. Thanks once again to Ruth Gomel-Kafri, and thank you all again today for watching and listening. We'll speak to you next week.