Kathleen Moriarty, CTO at Center for Internet Security
Swimming, reading, and protecting the world
– Di Freeze, Managing Editor
Northport, N.Y. – May 24, 2021
The people who secure our world each have their own stress relief methods. Kathleen Moriarty, the chief technology officer for the Center for Internet Security (CIS), seeks out the peace and beauty of historic Walden Pond.
“I’ve been swimming since I was six,” she said. “I was on competitive teams year-round since I was ten. Swimming helps me to release any stress, but also to immerge good ideas. If I am thinking about something and not getting to a solution, swimming usually helps in the way a run or shower helps others. As for open water swimming, you can get out in the middle of a pond or lake and feel like you are away. It provides a break from everyday stresses. I am lucky enough to have Walden Pond as my local swimming hole.”
Swimming wasn’t Moriarty’s only interest growing up. Mrs. Ellie Aghill, a teacher at Sacred Heart Academy in Garden City, New York, ignited Kathleen Moriarty’s love for math in high school.
“I didn’t realize my gift for math until she opened it up with her thoughtful teaching methods,” she said.
She began as a mathematics major in college and added the equivalent number of credits in computer science with “some artful nudging” from another teacher.
“In freshman year, it’s safe to say I hated computers,” she said. “Mr. Matthews chipped away at that, as did a course where we translated assembly language to machine language.”
Moriarty’s aim was to combine her interests in mathematics, computer science and art by pursuing computer graphics. When her acceptance letter to her top choice of graduate school was lost, she went with her second choice — Rensselaer Polytechnic Institute, “an excellent school with a declining computer graphics curriculum at the time.”
“I still have that letter and believe fate stepped in,” she said.
When she was encouraged to do so, she interviewed for some jobs on campus, just for the experience. In 1995, she was offered a position at PSINet, the first commercial internet service provider.
“I was encouraged to take the job as an amazing opportunity to learn about networking,” she said. “It was a career-shaping decision and an amazing first real job. The exposure to networking in-depth at the service provider level, as well as customer connections, system administration, protocol knowledge, protocol implementation, and security were foundational.”
It provided Moriarty “a deep and broad background, allowing for flexibility to go narrow or return to broad roles later.”
PSINet was her first experience with cybersecurity.
“Back in 1995, colleagues were encouraged to attack each other’s systems to learn about security hands-on,” she said. “It was also when e-commerce was just beginning to take shape and security was becoming increasingly important. I remember contributing to published work on incident detection. It’s fun to look back and see how far we’ve evolved.”
PSINet provided Moriarty with a strong and technically diverse base that has served her well throughout her career.
“Back then, individuals were not siloed,” she said. “My colleagues and I had the opportunity to learn networking protocols in-depth and configure them on multiple device types, hence understanding the standards as opposed to a command line interface and single implementation was important. This theme carried over for mail (SMTP, IMAP, POP, UUCP), DNS, HTTP, and numerous other protocols.”
Moriarty and the rest of the security team configured and managed hundreds of firewalls.
“My master’s project involved developing an SNMP-based tool for the network operations center to automate provisioning of permanent virtual circuits,” she said.
When she completed her master’s degree, she transitioned to FactSet, another great opportunity. She quickly moved up to the position of director of Information Security.
“I distinctly remember a conversation with one of the corporate leaders who said they wanted me in the position because I could hold my own in a technical conversation and didn’t worry about who it was with,” she recalled.
That solid base enabled a transition to MIT Lincoln Laboratory as the head of Information Security on the unclassified side.
“It was an exciting environment where challenges were constantly presented,” she said. “Although it was a bit of pressure in a role protecting the organization’s research, it was also a fun and challenging role. When there are 65 percent PhDs, no is not the right answer. You need to be prepared and on your toes with solid explanations. It would be hard to replicate that elsewhere.”
Moriarty managed the security team and architecture and was a member of various security strategy review efforts.
“MIT Lincoln Laboratory is one-third of MIT in terms of revenue and is a Federally Funded Research and Development Center,” she said. “Our team was responsible for protecting the assets and creatively detecting and defending against compromises. I also worked with one of the cyber research groups. We would deploy tools developed to test them out and provide meaningful operational feedback to help keep the research efforts grounded. I’ve stayed in touch with many bright former colleagues and have been able to see numerous spin-offs that productized their work.”
Moriarty was with MIT Lincoln Laboratory for six years. In January 2008, she became a senior practice consultant for RSA, the security division of EMC, and was in that role for two years.
“Consulting provided a wonderful opportunity to be exposed to a wide range of organizations in varying sectors,” she said. “As a lead, I was engaged with more customers and observed important variances, driving home the importance of risk management alignment to the business. The most successful organizations from a security and risk management perspective were those who made decisions in line with business objectives. This was also my first non-volunteer peer leadership role. I worked with a wonderful team.”
Moriarty became practice manager for EMC in 2008. She transitioned to GRC Strategy, Office of the CTO, in 2011 and began her role as global lead security architect in 2012. She was part of the EMC Office of the CTO when she was nominated as IETF security area director in 2014.
“This is a selected role through a community process,” she said. “A term lasts for two years. I had the honor of serving two terms and chose not to accept a nomination for a third term.”
She also served on the Internet Engineering Steering Group for four years. During that time, she managed half of the security area working groups with her co-area director managing the other half.
“We also read just about every standard published during our time across the IETF areas looking for security issues, aided by distributed security reviews performed by those on the Security Directorate,” she said.
In the first few years, this averaged out to 400 pages of reading every other week.
“That provided valuable insight into trends and industry movement,” she said.
After her two terms ended in 2018, she folded back into the Dell EMC Office of the CTO, focusing on security across Dell with colleagues. She also started writing a book, “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain,” which was published in July 2020.
“I wrote it using the rare opportunity of gathered information and observations from my time as an area director with such broad exposure,” she said.
Moriarty became chief technology officer for the Center for Internet Security (CIS) in October 2020.
“I first interviewed for my current role at CIS just before everything shut down for COVID,” she said. “The position was put on hold. That worked out to be a very good thing, as having a remote CTO was seen as possible when the hiring process restarted several months later.”
Because of COVID-19, Moriarty’s interview process was conducted entirely over Zoom.
“The onboarding utilized a few online resources,” she said. “CIS has adapted extremely well to remote work when just months prior to the pandemic, there were roles that many thought had to be in-person.”
As CTO for a little over six months now, Moriarty has yet to meet a colleague in person that she didn’t already know.
“I’m really looking forward to meeting one or more soon with an upcoming project,” she said.
Moriarty said that CIS’s mission is what draws in many who work there.
“It’s an opportunity to work with like-minded colleagues to improve security, and make it achievable for businesses of all sizes,” she said.
The mission of CIS is to “make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses and governments protect themselves against pervasive cyber threats.”
“For the past few years, I’ve been thinking quite a bit on how to better scale security architecture patterns to improve the overall security posture to reduce the human resources needed,” Moriarty said. “The current threat landscape with increasingly sophisticated attacks coupled with a changing ecosystem — protocol stack, increased use of encryption, hardware evolution — provides an opportunity to change how we deploy and manage systems and applications. As CTO, I collaborate with the Security Best Practices team, responsible for the CIS Controls and CIS Benchmarks, as well as the OSS team responsible for the Elections ISAC and Multi-State ISAC.”
She describes her role with CIS as a large opportunity to make an impact with her colleagues.
“Being able to work with the various teams to improve security for State, Local, Tribal, and Territorial (SLTT) networks as well as any organization that uses the CIS Controls and CIS Benchmarks keeps me engaged and energized to accomplish what is possible with my colleagues,” she said.
Looking back at the roles she’s had, Moriarty said she sees them as evolution, “where knowledge and experience gained has opened the door for the next role.”
“In some cases, a role narrowed by scope, and in others, like PSINet and the IETF security area director role, broadened back out.”
That pattern has suited Moriarty well because she enjoys “going deep, but also sees across spaces to envision a bigger picture and how the components fit together.”
She said her recent book is a great example of this.
“The topic range is broad, but the topics cover quite a bit of technical depth via references to keep it readable for a wide audience,” she said.
Moriarty wrote her book in a way that makes it accessible to a broad range of readers.
“It covers a strategy to move towards easier to manage and more secure environments with high-level explanations for the board as well as technical depth with references for security architects and other information security professionals,” she said.
End-to-end encryption is inevitable, but according to Moriarty, how we achieve it isn’t as simple as just enabling it on every device.
“It appeared in the executive order as a requirement for federal government agencies this month,” she said. “There will be an impact to existing tools and infrastructure for monitoring and management. The book outlines how we as an industry can embrace trends like ubiquitous and strong encryption, while taking advantage of this pivot to build in security and shift to more scalable deployment and management options. If we do this right, it’s an opportunity to crush the 3.5-million-person deficit for global information security professionals.”
As an adjunct professor for Georgetown University’s CSC program, Moriarty is able to mentor and “help a large number of students determine what they would like to do next and where they may be able to make an impact.”
She considers mentoring an important step to help grow the field, and in some cases, help other women. She advises women wanting to get involved in cybersecurity today to find what area they are most passionate about, learn everything they can, and network.
“If your education has been more theoretical, try to get some hands-on experience. Some options include cyber red flag events, programs through CyberStart America, and industry internships. Over the past year, many conferences were online. The recorded sessions are often available post event for free. I’d recommend viewing some videos from RSA Conference and the Forum for Incident Response and Security Teams (FIRST).”
When asked about her biggest contributions to the network security field, she said that’s hard to answer since she’s “not done.”
“I’ve had a few firsts, such as writing the first incident detection and response protocol, Real-time Internet Defense (RID), and several protocols that have come later take pieces of it,” she said. “Another significant contribution was getting the timing right, proposing, and leading the charge to deprecate TLSv1.0 and TLSv1.1 in the IETF. I do hope some of the ideas in my book wind up as more significant contributions as we as an industry really need to move to more scalable solutions to deploy and manage security. Attacks are increasingly sophisticated and it’s the only way we can get ahead.”
Kathleen Moriarty is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” To learn about more women fighting cybercrime, pick up a copy of the book.
– Di Freeze is Managing Editor at Cybersecurity Ventures.