Chloé Messdaghi: Ethical Hacker Advocate and Humanitarian
It is only with the heart that one can see rightly
– Di Freeze, Managing Editor
Northport, N.Y. – Aug. 2, 2020
Chloé Messdaghi isn’t one to see a problem and look the other way.
“When I see an issue, I do something about it,” says the vice president of strategy of Point3 Security. “I don’t think about how much time it’s going to take. I just take over everything and I go running with it,” she adds with a laugh. “What’s the point of living if you’re not making a difference?”
Messdaghi strove to make a difference when she was doing humanitarian work and she’s doing it now as an ethical hacker advocate.
Messdaghi has only been involved with cybersecurity since 2017, but that might not have been the case if she had received different input when she was in sixth grade and told her computer science teacher that she wanted to be a hacker. His response was “that’s for boys.”
Instead, she attended the University of California, Davis, working towards her B.A. in International Relations. Her focus was communication across cultures and how to improve humanitarian efforts. She graduated from undergrad a year early, in 2008, because she was eager to get out in the world and start doing good.
She volunteered for the U.N.V. for an organization in Cameroon to assist with their programs that provided education and health to orphaned kids and then worked with AmeriCorps as an afterschool supervisor and instructor. She thought about going into law, specifically humanitarian rights, but after working at a corporate law firm, she realized law wasn’t for her and decided to go back to school.
She attended the University of Edinburgh, where she earned an M.S. in Political Research. Messdaghi later worked at various organizations connected to the U.N.V.’s volunteer programs across Africa and Asia, usually on children’s rights, particularly regarding education and healthcare.
After returning to the States, she temporarily worked with kids in special ed in elementary schools in Oakland. Messdaghi had also studied cognitive science, and she started a nonprofit that worked with storytelling to combat hidden biases using cognitive science.
She eventually did some management consulting work, but in 2017, she decided she missed the culture and environment of an office setting.
“When you’re consulting, you do one project, leave the company, go to another company, and do another project,” she said. “You never get to build relationships. I really wanted that, so I started applying for different jobs.”
Her introduction to cybersecurity came when Kenna Security, a vulnerability management company, hired her as marketing manager. She quickly saw a stark difference between the humanitarian field and the cybersecurity industry.
“When I was in humanitarian and educational roles, the ratio was probably 50-50, women and men, and sometimes even more women,” she said. “I thought it was strange that I didn’t see many other women in the office. I decided to do some researching about the field and got the feeling there wasn’t too much diversity in this industry.”
She was alarmed by statistics she found that told her only 11 percent (now 20 percent) of the infosec workforce is women.
“If you don’t have diverse folks on your team, you’re going to miss out on many things,” she said. “It makes you really vulnerable. And when it comes to developing a product, or anything like that, you’re not going to be cutting edge if everyone has the same background.”
Shortly before International Women’s Day that year, she decided to start blogging about the issue. She interviewed other women in the field and became more discouraged.
“Women who had been in the field for a long time were telling me they were seriously thinking about leaving,” she said. “They shared their experiences of discrimination. They were basically all telling me, ‘If you can, get out.’”
In April 2018, Messdaghi attended the RSA Conference in San Francisco. As she sat in one room with between 200 and 300 people, she again noticed that there were only a few women there in a room full of white males. She remembers later walking out the door and going down the hallway towards the restrooms. What she saw was eerie.
“On one side was the male restroom. There was a line outside and down the hall,” she said. “I thought, this is a first; I’ve never seen a line outside a men’s restroom. I looked at the women’s and I thought, where’s my line? I remember walking in, and it was like a ghost town. There was no line inside either.”
Messdaghi recalls how she felt after going back to her hotel that evening.
“I was wiping off my makeup, and it was as if at the same time some blindfold was lifted,” she said. “It was a very surreal moment. I suddenly realized that the things those women were sharing with me when I was doing that blog had been happening to me and I never realized it. I broke down crying. I was thinking, why am I in this field and no one wants someone like me to succeed? It’s like the 1940s.”
Messdaghi was trying to decide what to do with her career next when a friend told her she should check out the Day of Shecurity conference in San Francisco that June.
“There were about 200 women there,” she said. “I was so happy. I didn’t feel isolated or alone anymore. I knew there were other people like me here.”
Regenerated by the event, Messdaghi couldn’t sleep when she got home. She knew she wasn’t ready to give up yet.
“I thought, I’ll give it another year, and if I don’t succeed at something, then I will leave this field, because clearly, there are too many barriers,” she said.
Suddenly, she knew she needed to give a talk.
“I wanted to talk about how terrible things are because we’re not practicing diversity or inclusion, and that’s why we have such a rotating door,” she said. “I wanted to bring my past experiences and show what is wrong here and how we can get better.”
She started creating a slide deck and drafting a CFP (Call For Papers). When she finished, she began making a list of things that could help and what women needed in the space.
“One of the things was a CTF (Capture the Flag) for women around the world to participate, connecting with other women’s organizations,” she said. “If you’re going to create any change, you cannot go at it alone. You need to work with other people.”
Messdaghi also began to think about creating an organization that would bring women together, no matter their background.
“They needed a place for them to feel secure, safe and empowered,” she said. “I also wanted some sort of hacker community for women.”
Messdaghi finally went to bed around noon the next day, feeling that there was a way to change things. She said that after that, things just started lining up, beginning with her visit to Hacker Summer Camp Las Vegas (a combination of BSides Las Vegas, Black Hat USA 2018 and DEFCON 26).
One of Messdaghi’s talks, on diversity and inclusion, had been accepted, and she headed out to Las Vegas. She volunteered for BSides Las Vegas.
“I felt a lot more comfortable there than I did at the RSA Conference,” she said. “I really wanted to get to know that community because I felt like I could be part of it.”
One of the women she met in Las Vegas was Tanya Janca, a Canadian and, at the time, a senior cloud advocate for Microsoft. Janca told her that she wanted to create chapters where women would meet all around the world. She said she could tell that Messdaghi was driven to change the dynamics for women in infosec and asked if she wanted to be a part of it. Messdaghi, Janca and Donna Hogan would go on to form WoSEC (Women of Security) at the end of 2018.
Messdaghi, who serves as president of the organization and head of the San Francisco Bay Area chapter, explained that WoSEC was created so they could partner with other women’s organizations but also with the understanding that they would never charge membership fees. The organization currently has more than 30 chapters around the world.
While at Summer Camp, Messdaghi was also asked to speak at two other upcoming conferences — leading to her demand as a keynote speaker — and she found a new job opportunity. Her desire to work with the hacker community led her to find ways to “crash Bugcrowd events.”
“It was really between HackerOne and Bugcrowd, but at the time, HackerOne wouldn’t allow me into any of their events,” she said. “Bugcrowd was okay with it.”
Messdaghi interviewed with Bugcrowd and became part of their product team. At that time, Jason Haddix, Bugcrowd’s VP of Trust and Security, was in the process of creating a researcher community. When Messdaghi gave him some ideas, he brought her onto his team as a security research advocate. Haddix knew that Messdaghi had spoken before on diversity and inclusion and thought it would be a great idea if she did more talks, on those subjects and on bug bounties.
“I created a couple of CFPs and started sending them around to different conferences,” she said. “We thought the acceptance rate was going to be 10 percent or less, but it was 90 percent.”
By January of 2019, Messdaghi was flying all over the world to give talks. She soon added the subject of hacker rights to her list of topics.
“I started realizing that there’s a huge problem with the hacker community,” she said. “These laws exist that are supposed to prevent bad hackers from doing bad actions, but they prevent good hackers — ethical hackers — from doing something positive. The laws are out of date and it’s hurting the community. I’m trying to do whatever I can to change that.”
Messdaghi said that about 60 percent of ethical hackers don’t report a vulnerability because of these regulations and the fear of being prosecuted.
During that period, Bugcrowd also put out a research paper that stated that less than 4 percent of hackers around the world identified as women. To bring those women together, Messdaghi formed Women Hackerz, a global private online community for those who identify as women or non-binary, in May 2019.
“These people who used to have a male alias so they would never be found or tracked are now in this global community,” Messdaghi said. “We also have had women join who couldn’t tell their parents, or their husbands, that they were hackers. We also have members who have gone through discrimination and harassment. They now have a support group.”
When Messdaghi became concerned that the trans community also wasn’t being represented and needed support, she changed the name of the community to WeAreHackerz. “Anyone who is basically an underrepresented gender in infosec can join us.”
In the summer of 2019, Messdaghi returned to Hacker Summer Camp, where she gave several talks. She also met the team at Point3 Security, which provides challenge/game-based material that identifies and cultivates cybersecurity talent among professional organizations. When she told Evan Dornbush, the founder, about her goal to do a global CTF, he was enthusiastic about doing the project with her.
Over a thousand people registered for Women Unite Over CTF.
“We partnered with other organizations that work with women — Women’s Society of Cyberjutsu, WiCyS, Diana Initiative, Gatebreachers,” she said. “We did it again at the RSA Conference this year. We’ve done a lot of CTFs, at different conferences, for different events that I would say are definitely giving back to the hacker community.”
While they worked together on the CTF, Point3 also expressed an interest in having her join their team, and she became Point3’s vice president of strategy. Messdaghi speaks enthusiastically about Point3’s platform, ESCALATE, an immersive ecosystem that delivers gamified cyber-skills challenges with an online community of mentors. ESCALATE includes more than 2,000 hours of hands-on content covering more than 20 different subject matters.
“We have hundreds of challenges,” Messdaghi says. “Users have real time access to instructors 24/7. We also have a chat room so you can ask questions and receive guidance.”
These days, Messdaghi’s talks have expanded to include why gamification is important in infosec. For example, “Hacker Hippocampus” dives into how the brain processes gamification and threats and discusses the research that shows why gamification works.
She also believes it’s important to talk about burnout.
“We don’t have enough personnel to help on security teams,” she said. “People are putting on multiple hats or doing two or three jobs at the same time. Mental health isn’t being discussed enough at companies. We have an ongoing issue with burnout.”
Messdaghi is also the organizer of The Hacker Book Club, which meets weekly to read material connected to the hacker community, and she is a podcaster for ITSP Magazine’s “The Uncommon Podcast.”
“We basically cover how people got into infosec, their before story, and what advice and tricks of the trade they learned along the way,” she said.
Although she keeps very busy, she does indulge in some hobbies. One is visiting bookstores during her travels, and locally, to scout out different versions of “The Little Prince,” which her mother read to her when she was a child. If you haven’t read the book (this author is also a huge fan), or seen one of the film versions, Messdaghi explains that it is a story that makes you question what it’s like to be an adult and what we lost after becoming one, including a child’s imagination and creativity.
Her obsession with “The Little Prince” and her favorite character in the book, a wise fox who knows that “it is only with the heart that one can see rightly,” led to her desire to one day have her own fox. Although she considered moving to Chicago, Illinois, where she could legally have a domesticated fox, she instead adopted Sherlock, a Shiba Inu that looks like a fox and is “incredibly smart.”
Since Messdaghi’s travel schedule slowed down significantly due to COVID-19, giving her the opportunity to stay in place for a while, she took the opportunity to add a new Shiba Inu, Luna, to the family.
“It’s nice to be able to be home and be around my dogs,” said Messdaghi, who also helps rehome Shibas. “Dogs just make the world better. They teach us that ‘what is essential is invisible to the eye.’”
– Di Freeze is Managing Editor at Cybersecurity Ventures.