
Secure by Design—The Need We All Agree On


About This Episode

We’re excited to welcome to the podcast Lauren Zabierek, Senior Policy Advisor to the Cybersecurity and Infrastructure Security Agency (CISA). She deep dives into CISA’s Secure by Design principles and approaches for secure by design software, launched in April 2023, with version two published on October 17, 2023.

Lauren also shares insights on the path to the creation of CISA’s Secure by Design principles and how this ‘living document’ will continue to evolve in the dynamic and ever-changing landscape that is cybersecurity. And it wouldn’t be a To The Point podcast episode without Lauren’s awesome origin story and career pathway to today, including co-founding the online social media movement #ShareTheMicInCyber.

      Lauren Zabierek - Senior Policy Advisor, CISA

      [0:50] Exploring Secure By Design 2.0 with Lauren Zabierek

      Rachael: Joining us today is Lauren Zabierek. She's a senior policy advisor to the Cybersecurity and Infrastructure Security Agency, CISA. Prior to this role, she was executive director of the Cyber Project at Harvard Kennedy School's Belfer Center. I'm so excited we'll get to talk a little bit about this as well as the online social media movement called Share the Mic in Cyber, which aims to dismantle racism in cybersecurity and privacy. Just so awesome. Welcome, Lauren.

      Lauren: Thank you so much, Rachael and Audra. It's really fantastic to be here. And I'll say I'm not wearing black, but dark navy blue.

      Rachael: It's close. It’s excellent.

      Audra: Well, shall we jump into the conversation? Just setting the scene, the Secure By Design Principles were initially published in April 2023, but they have since been updated. So what are some of the key differences between the initial version and Secure by Design 2.0?

      Lauren: It's a great question. I think for anyone who opens up the document and sort of compares it, you'll see that it's almost triple in size. So the first one I think was about 13 or so pages, and then this one is over 30 I believe. But really the key differences in terms of content are that we really start to dive into the principles themselves as well as provide additional tactics on how to align with these principles. And we also talk about how to demonstrate these principles both from a pro-business and a secure product perspective. 


      The Evolution of Secure by Design

      Lauren: I think there are key differences there. And I think too that we talk about this concept of secure by demand, so we talk about ways for customers to actually start demanding more security in their products. So I think it's a lot more holistic in terms of this update.

      Audra: Is it more consumable, say, for businesses and that sort of thing than it was before?

      Lauren: I think that it is certainly more directed to businesses. I think maybe before, when we came out with the first paper, it was kind of like, we're putting our stake in the ground. And that came from the National Cybersecurity Strategy. It also kind of flowed from Director Jen Easterly and EAD Goldstein's article in Foreign Affairs. And so we were just putting out, I think, our first set of guidelines and ideas there.

      So as we move forward, we understand that this set of guidelines, tactics, and principles is directed at business leaders. Because ultimately the business leaders are the ones who are setting the priorities and the direction for their business. And they're the ones that say, we are going to prioritize security or not.

      Audra: Excellent. So what was the catalyst that drove these changes?

      Lauren: Well, we don't want to just put out a set of information and walk away and say, okay, now let's figure it out. Not one and done. As you can imagine, we work with various stakeholders and have these discussions and understand who's doing what. There are a lot of new ways to demonstrate this and a lot of things that organizations are doing.


      Adapting Policies for a Safer Tomorrow

      Lauren: My colleague Bob Lord quotes this all the time. He says the future is already here, it's just unevenly distributed. I can't remember who originally said that, so please forgive me. But my point in saying that is to say that there are organizations out there who are trying to prioritize this and making sure that their practices do result in secure products, but we don't really know about all that yet. And so we want to keep iterating on this document as our understanding continues to evolve as well.

      Audra: So what's going to be driving those businesses to adopt the policies?

      Lauren: Yes, that's a great question. Ultimately, we really do hope that businesses recognize that it is the “right thing to do”. Although I certainly understand that incentives are also really important here for businesses to take in and try to make changes. Because one of the biggest questions that we've been asked is, okay, we get it. We understand why this needs to happen, but who's going to pay for it?

      Audra: Right, exactly.

      Lauren: And what should be free and what can we charge for and things like that? So there's a lot of discussion here. And so I think as we move forward, the more collaborative approaches that we can take with these various stakeholders and the more momentum that we can generate among customers and among academia and think tanks and manufacturers. I think more and more this becomes this sort of norm building exercise, and so we can move together along this road.


      Building a Global Cyber Village

      Rachael: I love how many different groups you're involving in this process. I think I was reading in version one there were ten US and international partners. And then in this next iteration, another eight countries and international organizations came online. And all the summits that you're having and all the great feedback you're getting, and one of the favorite, I think, things I heard Jen Easterly say, I think it was at the Singapore Cyber Week conference, is that feedback you're getting around the three principles is that, quote, “People are picking up what we're putting down”, which I love. It's like my favorite quote ever.

      Lauren: She’s so cool.

      Rachael: Absolutely. But it's wonderful because this is no small feat like we were talking about earlier. It also requires a village, a global village of feedback if we're really going to stand this thing up and get it right.

      Lauren: Absolutely.

      Audra: Exactly. Have you been doing any kind of crystal ball gazing? Because you said it's an iterative process, have you got some sort of longer view in terms of what you think the next areas will be focused on? How is all this collaboration going to come together, and what is it going to kind of deliver in the future?

      Lauren: Well, I wish I were a fortune teller. I wish I were clairvoyant. But I do see a lot of excitement around this. And I think that really is evidenced by the additional international co-sealers and a lot of those countries wanting to have conversations about this.


      [8:53] Democratizing Security with Secure by Design Collaborations

      Lauren: And then, of course, all the different speaking engagements we do, people really want to hear about it. And also when we try to have these more informal conversations with various stakeholders and industry, people are quite open to it. So I think it's really incumbent upon us to harness this excitement and this momentum and keep moving it forward. 

      Identifying not only challenges but opportunities and identifying ways for people and organizations to come together and share information and best practices and make it easier to do the right thing. And we're all trying to understand the various policy or economic levers that need to be identified. So I think going forward a lot of collaboration and a lot of movement towards this because there really is a lot of excitement here.

      Rachael: What I love too, this whole thing, is when you talk about unevenly distributed. I believe you guys had a summit focusing on EdTech, which as we know, I mean, there's not a lot of budgets there. They're kind of doing the best with what they have. And so I think it was called, how do you democratize these well-lit paths from these larger software companies and then create a playbook that a smaller software company could execute against? And that seems like how you get it done. I mean, we're empowering all boats to rise, and I just think that's truly awesome.

      Lauren: Exactly. And I think that's a really good example of the kinds of economic levers that we can identify and as you said, democratize it. And see, okay, what do we need in order to do this? 


      Global Collaboration in Action

      Lauren: And where can the private sector act, where can government act, where can nonprofits or think tanks act and really try to identify and bolster this ecosystem towards that? So again, I think that goes back to why we don't necessarily want to put out one piece of guidance and call it a day. We're constantly reevaluating and assessing.

      Audra: So what kind of traction are you seeing so far? One thing I want to lay out there for everyone, I know Rachael mentioned, is this is international. It's being collaborated on and adopted across multiple countries globally. What are you seeing in terms of adoption? Are there any leaders? I mean, where are you seeing people literally standing up going, this is really important for us?

      Lauren: I think various agencies across different countries, they've stood up and obviously they're on the paper and they are also starting to think about, okay, given our set of tools or organizations or environments, what can we do? Or what can we focus on? And so trying to be complementary to each other and not obviously reinventing the wheel while still taking into account different structures.

      I think that there are definitely a lot of places that are moving forward in different ways. But one example of the traction that you mentioned is this concept of the pledges. So you mentioned the K through 12 workshops that we did and the subsequent pledges that came out of it. And so initially I think we had five or six K through 12 EdTech companies sign on, and now we have 11, which is really awesome. And I think that just goes to demonstrate that people understand that there is a need for this.


      Cultivating Global Security with Secure by Design

      Lauren: At the same time, we know that this is not just an overnight thing that you can wake up one day and say, well, I'm going to be secure by design and default. And that's why when we look at the paper, there are so many different tactics and also ways to demonstrate this principle. We thought there was no way we could cover everything at this point. But there are going to be ways or areas where we can shine a light on different organizations to highlight that. And so yes, I think we're trying to build towards this in other areas as well. But part of that too is again, creating the community and identifying the ecosystem of players to collaborate and to share with each other.

      Rachael: And speaking of the international partners, I'm looking at this list and I'm kind of surprised about some of the international partners on the list. There are Five Eyes nations, sure. But the Korea Internet and Security Agency, Japan's National Center of Incident Readiness, Japan Computer Emergency Response Team, the Czech Republic's National Cyber and Information Security Agency. This is awesome to see this international collaboration and cooperation on such an important topic. We got to get here. We have to figure this out.

      Lauren: Exactly.

      Rachael: We're never going to get ahead.

      Lauren: This is true. And the more that we can adopt this and push this across the globe, I think you use the term the rising tide lifts all boats. Well, if we can have a sort of more uniform application of security, then companies I think have to spend less to sort of meet varying regimes of standards or regulations. If there's this uniform idea, then I think that is even better for business.


      Overcoming Hurdles and Embracing Innovation

      Audra: So we've talked about the positiveness around people. You're getting more and more agencies who are interested and more and more teams adopting. Are you seeing in other places where you're kind of going out and you would like additional obviously more people to come to the table? Have you had any feedback on any kind of, I don't know, hesitance in adopting the principles?

      Lauren: I don't necessarily think there's hesitance on sort of why we need to adopt those principles. I really see it more in how that's where the debate is. And I think that's a healthy debate, and I think a lot of different organizations do have differing opinions on this, and that's okay. I think that that debate will allow us eventually to get to further clarity while also bringing in perhaps new ideas like this idea of using well-lit paths. Kelly Shortridge uses this idea of let's make the secure way, the fast way. It should be the fast and the easiest way. Instead of maybe other older practices that just aren't really conducive to user experience and sort of human-centered design. So I think there's a lot more room for these sorts of ideas. 

      Rachael: So you mean bolted on after the fact and hope it works?

      Audra: Yes, Rachael said it.

      Lauren: Yes, so a lot of ideas, a lot of, I think room for debate on how we get there, but I think that's a good thing.


      [17:04] The Rise of Secure by Design as a Global Movement

      Audra: Definitely. We're getting the crystal ball out. Do you think there will be a lot more adoption in terms of agencies globally coming to the table? Are you beginning to see you're getting a groundswell even? It's like enough adoption that more and more people are like, what are they doing over there? Should we be part of that? We probably should. And are you seeing that coming?

      Lauren: Yes, I am. And I hope that it becomes more and more, we kind of joke on the team. We're trying to build sort of a cult. Right?

      Audra: That's fair. Why not? A cult of security by design. 

      Rachael: Exactly.

      Lauren: Right. So could we design, say t-shirts or stickers or something to help us to push the idea and sort of be like, oh, this is the cool thing. But also within that have these sort of mechanisms to push us forward, push us along here and make something happen?

      Audra: Excellent. No, I think that would be cool. I'd like to have that. Maybe it's something like being branded organic kind of thing, but you're branded secure by design. I mean that's kind of cool.

      Lauren: Well, I mean, that's an interesting sort of, yes, is that an incentive? We often use the analogy of the automobile industry. I'm sure you may have seen this in some of our communications, but looking back towards the 50s and 60s when automobiles were manufactured for speed and style and not necessarily safety, but then a lot of action analysis by Ralph Nader, congressional action, things like that has led to this plummet in deaths and horrific injuries due to accidents as our population has grown.


      Exploring the Road to a Secure by Design Rating System for Software

      Lauren: And so talking or looking to those kinds of organizations like the Insurance Institute for Highway Safety for instance, and they have the stars on cars and what sort of testing can you do and what mechanisms can you use in there. They had actually written that when they've applied a five-star rating to a car that actually drove more customer traffic to that particular car. So I think that there's something there. I just don't know exactly what that looks like yet.

      Rachael: There has been a little discussion here and there, right, about whether there is a security rating or a grade when you buy, let's say, consumer software or something like that? How secure is it? That would be interesting to get to. But again, the automobile industry takes a lot of time and a lot of people coming together.

      Lauren: Right, exactly. But on that too, there's an interesting convergence there between the automobiles and that industry and software because when you add it to the things, absolutely. So I'm really interested to see what happens when we start to combine those sorts of regulated industries and software could be interesting.

      Audra: Yes, absolutely. So can we talk a bit about shifting the security responsibility? I think this is a really interesting direction that things are going where putting that responsibility into business. So it is your responsibility that your product has removed all the issues with vulnerabilities and things like that. So a major goal of the updated security by design principles is to place more emphasis on the role of the international software manufacturers and increasing the safety of their products. What sort of changes should technology manufacturers expect to align to the secure by design?


      Practical Tactics for Implementing Secure by Design Principles in Business

      Lauren: Well, as I mentioned in the paper, we dive more deeply into those principles, and we also offer various tactics as well as ways to demonstrate those principles. So for instance, if we look at the principle of, or the first principle where we talk about taking ownership of security, that principle essentially says that the responsibility of security should not fall solely on the customer. 

      So what does that look like in practice? Some examples that we've provided are things like conducting field tests. Can you test out your product in a way that not only does it work or say what it's going to do, but also is easy for a customer to use it and use it in a safe setting? Another tactic that we talk about here is reducing the hardening guides. Again, going back to the user experience of the customer. When you have a whole stack of products and then you have a number of hardening guides, that's a lot to deal with.

      So we're saying either reduce or just even try to eliminate the hardening guides, alerting customers to unsafe features and configurations. What are the things that businesses can do to raise the cost to the attackers? And there are various things, so I won't go through every single principle here, but we'll say that in the paper. There are different ways to do it. It's not a checklist though, because this is aimed at business leaders and we want to provide some flexibility while also pointing to other established frameworks like the NIST SSDF, or out in the UK, there's the cherry framework.


      Leveraging Peer Pressure and Incentives for Secure by Design Transformation

      Lauren: So bringing those sorts of things in and saying, hey, look, here are ways that you can do this. Also pointing to other organizations like, hey, they did it. Don't just listen to us. Look at your peers. They've done it too. So trying to align with that. Look, it'll be a journey. We get that. But there are different ways I think that businesses can take very different tactics specific to their organization.

      Audra: And peer pressure isn't a bad way of doing it. It really isn't.

      Rachael: It's true. Once the dominoes start falling, you need to get on that bandwagon or it's going to leave you behind. Because I could really see something like this critically as your competitive advantage. 

      Lauren: It's true in the years ahead. I agree. And I'll say one more thing too on this. This can't be sort of something that's relegated to the technology or the security teams, and so on that, we talk about this in principle three on organizational leadership and structure. Make it so your structure and your incentives align toward this, making sure those incentives are there, the resources are there. We talk about well-lit paths and the tooling to do this. You can't just say, hey, make this happen. You literally have to turn the ship and point it towards there.

      Rachael: I think that's a great point. Incentives particularly, right? I think that's probably the key to getting even the ball rolling for mindset change. A hundred percent.

      Lauren: Yes. It's interesting, right, dealing with the business community and you have to sort of speak that language.


      [24:51] Integrating Secure by Design Principles Across Product Supply Chains

      Audra: Exactly. So have you considered, as part of what you have laid out in this framework, the fact that products generally are not just individual businesses that create them. But products these days, we talk about communities, and products are made up of a supply chain community to bring that together. It's not individual businesses working on their own in obscurity, creating these kinds of things. Have you considered that in terms of adoption? Because the people who officially own the product that is sitting there are adopting these principles. Have you advised on how you can put pressure on the supply chain to be doing similar things? Because we all have supply chains that we use to create our products these days.

      Lauren: I definitely can appreciate that. And I know that products are essentially part of larger systems, and then within those products, you have smaller systems and all the components and organizations that you're having to pull from. Part of that is generating that demand signal, right? Businesses have to hear the demand signal not only from their customers and of course what we're doing in government, but then they have to turn around and signal to their particular vendors that, hey, we expect these products or the components to be more secure. 

      That might also take or require particular action. We haven't necessarily addressed things like chips and things like that. I think that'll come, but you're right, it is part of a larger system that it's not just software, it's hardware, all the different components. And so I hope we'll start to address more and more of that. I hope too that the demand signal will sort of cascade from all the different changes that are being made.


      Navigating the Impossible

      Rachael: That would be great. I keep kind of suggesting to people when they come on, Lauren, I'm like, it's so hard what we're trying to do. I mean, do we just roll it back and make everything manual? Let's just take everything offline. 

      Audra: Let's simplify things. You can't hack stuff. It's either on or off. 

      Rachael: If it's on or off, not connected. And I'm not getting a lot of positive feedback when I make these suggestions. 

      Lauren: So I think it's, we've come too far.

      Rachael: That's what I keep hearing. But it's wonderful. And everything's an evolution in security. I mean, even though it's been around a really long time, the pace of business and everything is changing so quickly, particularly out of COVID, right? Digital transformation. And it's exciting to see these kinds of movements get stood up because they have to happen. They have to happen because going back is not an option, right?

      Lauren: Right. And some of the pushback, or maybe just feedback we received is, well, to your point, it is so hard. How do we do this? And my response to that is, yes, it is. I hear you. But just because it's hard doesn't mean we shouldn't do something. Right? Or even if the thing that we start with is very small, that's still something that we could do that I think will impact the rest of the ecosystem. So we got to start somewhere. Right?

      Rachael: Agreed. I love that. There's this fellow who started a company called Not Impossible Labs, and basically, it's not impossible. We just haven't done it yet, right? And it's just put one foot in front of the other. 


      Empowering Voices

      Audra: And don't boil the ocean. Start one piece at a time. Things are hard because we didn't have the foresight when we were creating the solutions that we were building as to what environment they were going to be in, what challenges we were going to face, or how clever hackers had become or would become. And there's a lot when you build that you can't see. We all need the crystal balls. I'm going to be sending those around for Christmas presents.

      Lauren: I love it. I'm going to put it on my shelf. I can't wait. 

      Rachael: That's fantastic.

      Audra: Excellent. So could we talk about something a little bit different that is reasonably very close to my heart? You're co-founder of the hashtag #ShareTheMicInCyber. Can you tell us how that came about, what you're all about, and how can people get involved?

      Lauren: Yes. I'm excited that you asked about this. So Share the Mic in Cyber is an online social media movement, or at least that's how it started. It started in May, or June of 2020. Now, if you recall back to that horrible time, lockdown. But that made us, I think, more observant witnesses to the racial injustice that was happening in our country. 

      And I often tell this story with a little bit of humor because I remember being very pregnant, sitting on the couch, and just scrolling through Instagram in sort of a rare moment of respite because I have another child too. I was looking on Instagram and I saw this campaign called Share the Mic Now. And that was with entertainers and politicians. So white women were sharing their platforms with black women. And I just had this idea.


      Empowering Voices in Cybersecurity with Secure by Design

      Lauren: I was like, I think this could really work in national security, cybersecurity. And I remember messaging a friend and she was like, yes, that'd be really interesting. And then I saw a tweet because when you're on one social media platform, then you go to another. I saw a tweet by this woman whom I had never heard of, I had never met before. Her name is Camille Stewart Gloster, now Gloster because she's married. And she had tweeted something very similar.

      And I slid into her DMs and kind of started, we started talking to each other, and then we traded numbers. We started texting. And honestly, literally within a couple of weeks, we're like, let's do this. Let's leverage our networks. I was at the Belfer Center at Harvard Kennedy School at the time, and I knew I had a platform. I knew I had to do something. And so we did it.

      We kind of threw something at the wall and we're like, we'll see what happens. And the outpouring of support and the reactions from the community really blew us away. And so it was very clear that we had to continue to do it. We utilized what was then Twitter and LinkedIn at the time. And then, so we decided to keep going. However, in October, I was on maternity leave. So another woman, Caitlin Ringrose, stepped in. But since then we've had five campaigns on social media. They grew in size. I think at one point we had over a hundred million Twitter impressions, not clicks, but impressions.

      Audra: Aggressive metric. 


      [32:21] Nurturing Community Connections Beyond Secure by Design

      Lauren: Jen Easterly participated, and Rob Joyce and Chris Inglis participated. One time, we had Congresswoman Lauren Underwood give the opening remarks. A number of different sorts of things evolved organically, and it's just been amazing. So we still have the community. Camille is now the Deputy National Cyber Director for Technology and Ecosystem Security at the White House.

      So she has had to step back. And, in this job, I've sort of stepped back too. So we've been kind of figuring out, alright, how can we pivot in a way that still serves the needs of our community but maybe isn't online anymore or takes different formats. We're continuing to think through that. So if people are like, well, I haven't heard from them in a while, we're kind of thinking and evolving.

      Rachael: I love this too. I mean, it's this recurring theme, right? It's like, I am the cavalry. One person with an idea can spark this great movement and galvanize people, and that is so awesome. One person. You just did the passion and belief and the things that you can't achieve. And that is just so exciting. I think that inspires others to want to do more, to give back, and to be part of the conversation. I just love that. And I think that's wonderful. How many times are people kind of sitting there on the couch?

      Audra: Exactly. Flicking scrolling.

      Rachael: Exactly. You're like, I got this genius idea. Oh, I forgot to write it down. But people want connection. I mean, with all the social media we have out there, I think they're saying people have never felt more lonely. 


      Driving Positive Change Through Secure by Design Community Engagement

      Rachael: And these kinds of movements are so wonderful because then you are part of a community and you have a voice and you're doing something to make good vibrations happen in the universe. We need more good in the world, that's for sure.

      Lauren: Absolutely. And Camille and I coming together and just working off each other's strengths and networks and ideas. It really was magical and continues to live on. There's a fellowship that we created at the think tank New America, and we just have pretty much wrapped up our first-year cohort. Well, we're going to keep going with that. It's pretty amazing.

      Audra: If people wanted to get involved, how can they approach the community, get involved, and help drive the message?

      Lauren: That's a great question. As I mentioned, we're really trying to figure out how we can evolve the movement. We've really sort of focused on continuing to uplift voices, continuing to provide connection, and continuing to provide opportunities for a community that really has been left out of a lot of that. 

      So one of the ways that we would love to more formalize, and we've done this informally, especially when I was at the Belfer Center, is when one of us or a couple of us would get media requests and we're like, yes, this isn't really my area of expertise, or I want to share it with the community and be like, hey, does anyone want to provide a comment on this? And so going out to the media and saying, hey, we want to be a resource for you. If you are looking for more perspectives on these topics, come to us and we'll source your request to the community.


      Building a Secure by Design Community Beyond Boundaries

      Lauren: Same thing with jobs. We're always sharing different job opportunities with each other. So we're open, I think, to more ideas. The problem is kind of bandwidth. We're not even a nonprofit. We're just a movement. So I don't necessarily have a structure or a way to pay people. So that's something that we're struggling with. But on the fellowship side, they're always looking for more support. And of course, we just closed our applications for this coming year, but next year the applications will open again. So we're always looking for more people to apply. A really strong group of fellows last year, and the candidate list this year looks really good too.

      Rachael: That's awesome. That's exciting.

      Audra: That's fantastic.

      Rachael: I think about, wait, what was I talking about was with Andrew Green. I was like, I was born too soon. If only I was born 20, 30 years later. All these amazing things that are available today. And what was the quote though, right? I mean, your future job as a young person is going to be something that hasn't even been invented yet. So how do you get on that path story?

      Audra: Do you plan for that? How do you get the degree for what doesn't exist today?

      Lauren: So true. Maybe per the national cyber education workforce strategy, we're working on core traits and skills that are very transferable instead of specializing in one area. I don't know, I was an economics major.

      Audra: These things happen.

      Rachael: And I think that's a good segue to your favorite question.


      From Military Intelligence to Cybersecurity Leadership

      Audra: It is, so I have a little bit of an obsession with asking our guests how they came to be in the career they are now. Because I'm a great believer that we all start off heading down one path and then, I don't know, there's a landslide or some kind of things, and you surf down that and then you change the path to decide that you're going to go the river way instead and so on. 

      And it's always very interesting. And I want to always give hope to people who maybe are entering into their degrees now, or where I want to go in my life. I've been doing this job for a few years kind of thing. And give them inspiration that you can always change direction and try something else. So I would absolutely love to hear your origin story.

      Lauren: So it is one of those stories that has a bunch of winding roads. I started my career in the military; I was in the Air Force as an intelligence officer. Got out after about five years, I briefly went into consulting, and I said, I hate this. I want to go back into government. 

      Serving has always been important to me. And so I think it was a challenging situation that pushed me towards going back into government, which I enjoyed. I joined one of the civilian intelligence agencies, and I was in sort of, we'll just say your average group doing average intelligence, and eventually several various issues. But my husband had supported me essentially through several deployments and shift work and things like that. And then he had an opportunity for a dream job up in Boston. I was like, oh, no.


      [40:10] Navigating Identity Shifts

      Lauren: So I essentially had to give all of that up. And I tell that initial story because I was so ingrained in that community, it was so important to me. It was my identity. And then I had to leave it to come to Boston, and it was so hard. What am I going to do? Who am I? And so I happened to join Recorded Future as the 56th person. This company is now over a thousand people, but I am so grateful to Christopher Ahlberg and Scott Donnelly, who hired me and gave me that chance. They thought, oh, you've never done cyber before. You'll learn, it's fine. 

      And they believed in me. That's awesome. It's true. And so, funny story, I remember being, I was hired as a solutions engineer, and I was like, I don't know anything about what I'm doing. I was in a meeting, and somebody asked me about APT 29, and I'm panicking. But that experience drove me to say, you need to make sure that you know everything possible. That experience overall really led me to this idea that I feel like we can do this better as a country. So as challenging as that was, leaving DC, leaving that mission, leaving all of my friends behind to come to Boston in the winter, to a startup.

      That opened up that whole new path for me. And so at the time, I had applied to the Kennedy School, never thinking I would get in. But I got in, and I was so thrilled about it. I deferred a year to help build up the business, and then I started at the Kennedy School with a three-month-old. Don't recommend doing that.


      A Secure by Design Journey

      Lauren: I tell that part because I was in this class. It was this teacher, Eric Rosenbach, who would become my boss. He taught the class on cyber policy and operations and sort of all the things in between. And again, I was a brand new mom. I don't know, I was out of my mind. He saw me when I didn't see myself, and so he asked me what I was going to do after graduation. I said, well, I don't know. I guess I'll go back to Recorded Future. And he said, no, I want you to come here. 

      I want you to apply for this job running the cyber project, do some interesting research, build up your profile, build your network, and then we'll go back to government after that. I just remember being in shock for an entire day. You want me? The guy before me, who's a friend of mine, Michael Sulmeyer, he's a PhD from Oxford.

      Audra: You're like, which shoot me.

      Lauren: But I'm so, so grateful to him, to the late Ash Carter, to my former colleague and my just goals person, Juliette Kayyem at the Belfer Center. Amazing. I loved it. It was just so wonderful, the people there and the things I got to do. But that really set me up to get to this role, and I'm thrilled to be here. It's so much fun. I get to work on really hard problems and talk to people like you. So yes, that's my origin story. 

      Rachael: That's awesome.

      Audra: Yes. That's a brilliant story. 


      Diverse Paths to Cybersecurity Excellence

      Rachael: Love it. And it also gets to what I love about cyber. We've had people with Ph.D.s, even in medieval studies, who are now CISOs. But you come at it with a different way of problem-solving. So your background in intelligence, you're applying that kind of through that lens for cyber, and you're going to come up with all these things that other people never would've thought of, and that is just so cool. I don't know a lot of industries where those kinds of transferable skills have such an impact.

      Lauren: It's true. To your point, I was at an event the other day where the CISO had come from the music industry, and I think it's awesome. There are so many skills, and that, I think, too, is the argument for diversity. When we bring all these perspectives and understanding of various threats that maybe we don't even think about. That is the beauty of it. That's why we need it. That is why diversity is national security.

      Rachael: So I'm excited for our future. I love where cyber's going, and so thank you for sharing your story, Lauren. I just know so many people are out there listening to Audra's point. 


      Transitioning Military Skills into a Secure by Design Future

      Rachael: And we hear so many folks that have served, and when they come out of the military, they're lost. They're used to that regimen, and now their days aren't structured. They're like, where can I apply these amazing skills that I've acquired over years in service? And I love it, we brought a lot of folks on the global government side of our business. So many people have been in the Marines and the Air Force and the Navy, and all of the skills and critical thinking skills that they bring to the roles are just so awesome to see. I mean, just so many smart people.

      Lauren: Yes, absolutely. And I hear a lot from that community too, where they're like, well, I'm not technical. I don't know how to do coding. I'm like, you don't know how, or you don't need that, right? If you want to go down that route, you can, but you don't need that in order to come in. And so I always want to get that message out.

      Rachael: Absolutely. And you can always learn a hundred percent. There are a lot of places that want to give people a chance to learn and also learn their way. So there's opportunity there, even if you don't have that skillset yet.


      Building Cyber Resilience Beyond Code

      Audra: Exactly. It takes many, many people to make a business and build cyber. Absolutely. It's much broader than coders.

      Rachael: Absolutely. Well, I do want to be mindful of time, Lauren. Thank you so much. This has been so much fun catching up with you. And thanks for sharing all the information on Secure By Design. We can include a link to the cisa.gov website in the resources section. 

      Lauren: Yes, if you go to cisa.gov/securebydesign, then you'll see all of our papers and our blogs and videos and things like that. 

      Rachael: Awesome! Again, thank you so much for joining us this week. I just can't say enough, Audra. You have to subscribe so you can get these amazing, amazing episodes delivered right to your email box every Tuesday. 


      About Our Guest

      Lauren Zabierek, Senior Policy Advisor, CISA


      In January 2023, Lauren Zabierek was named a Senior Policy Advisor to the Cybersecurity and Infrastructure Security Agency. Previously, she was the Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center. She came to this role as a 2019 graduate of the Kennedy School's mid-career MPA program. Her work focused on strategic, national security issues in cyber and tech--ranging from international conflict, cooperation, and norms to domestic collaboration, diversity, privacy, and supply chain issues. She was also the first woman participant in the Elbe Group discussions on cybersecurity, having been a part of the cyber-focused dialogue in 2019 in Stockholm, Sweden, and again in 2021 virtually.

      Lauren is the co-founder of the online social media movement called #ShareTheMicInCyber, which aims to dismantle racism in cybersecurity and privacy. #ShareTheMicInCyber started as an online conversation on Twitter and LinkedIn but has become so much more--it is breaking down barriers in the cyber industry through individual and collective action. Since its inception, the movement has garnered over 100 million Twitter impressions and featured participation by the nation's cyber leaders.