Ariel Weintraub, CISO. PHOTO: Cybercrime Magazine.

No One Trains To Become A Cybercriminal, Or A CISO

MassMutual’s Chief Information Security Officer Ariel Weintraub

David Braue

Melbourne, Australia – Aug. 5, 2021

Like many security executives, Ariel Weintraub didn’t go to college aiming to become a CISO. “Like every good teenager,” she recalls, “I was just trying to do anything other than what my parents did.”

Given that her parents were both “very technical” — her father as an electrical engineer and her mother a computer programmer — that meant studying business at the University of Southern California, where she even tried her hand at marketing.

It didn’t stick. “It turns out I’m horrible at marketing,” she told Cybercrime Magazine. “I’m not very creative, and I’m much more of a math and science person. So I quickly found my way back into it.”

After several years in technology consulting, she ended up working in cybersecurity at a big-four consultancy. “I like challenges, I can get bored easily, and I love building,” she said.

“I don’t necessarily like just running things that have been functioning for a while — so it gave me an opportunity, both within companies and also to leave companies and try a lot of new things.”

And while “I wouldn’t say that I knew I wanted to be a CISO eventually,” she said, cyber resonated enough with her innate talents and interests that “I knew that I wanted to take on a big role within that field.”

Cybercrime Radio: MassMutual’s CISO Ariel Weintraub

A career she wasn’t exactly planning

Graduating from NYU’s Tandon School of Engineering in 2018 with a Master of Science in cybersecurity, Weintraub began a career arc that this year led to her appointment as head of enterprise cyber security at Fortune 500 financial-services giant MassMutual, based in Springfield, Mass.

Given that MassMutual turns over more than $30 billion annually and employs 8,000 people, being CISO in a company that size is a significant challenge — made even harder by the fact that financial-services companies are high on cybercriminals’ list of choice targets.

Yet it quickly became clear, she said, that the many steps of her career — even her abandoned business major — were each contributing value to her CISO work in their own way.

Roles in risk management, security operations and others proved fruitful. “I got a lot of exposure to all of the functions that a traditional CISO would have responsibility for,” Weintraub said, “which I think really set me up for success.”

Mentors were also crucial to helping Weintraub find her calling. “I was really fortunate that early on I met some amazing female leaders within the cybersecurity risk and privacy space that opened up those doors for me, and made me even consider that the CISO role could be a career aspiration for me.”

If you can’t enjoin ‘em, beat ‘em

Strong mentors, a variety of previous jobs, and a constant hunger to try new things all contributed to Weintraub’s eventual appointment as a CISO — and it is that varied experience, she believes, that turned her into such a keen cybersecurity practitioner.

Many people, however, believe they need to commit to cybersecurity early on if they are going to be successful — and that, she said, is often the wrong mentality.

“I think some people, especially people going through undergraduate school now, think that they have to choose a major that aligns directly with their aspiration of what they want to do in a career,” she said.

“In cybersecurity in particular, I think having a diverse set of backgrounds — educational and other types of backgrounds as well — is really helpful to be successful in preventing and responding to cybersecurity attacks.”

The notion that someone can be directly trained to become a CISO, she said, runs into trouble when you consider that nobody formally trains to become a cybercriminal.

Rather, increasingly diverse cybercriminal enterprises draw together a range of people with diverse skillsets. “Threat actors that we’re up against come from a wide variety of backgrounds,” she explained.

“Some may be formally trained, and others aren’t — so we have to have a team of people that are thinking creatively and come from different backgrounds.”

Those business courses, for example, are helpful for “things like communication and presentations and strategy and ideas,” she said, while a colleague with a political science degree “is going to have an understanding of the political landscape and how that influences our threat actors and our relations with different countries.”

“All of these different backgrounds make us very well-rounded as a team, to be able to defend against some of the most sophisticated actors that are out there.”

Help where you find it

Yet in this day and age, skills are only one part of running a successful cybersecurity operation: with the sheer volume of cybersecurity activity already far past what a human team can manage, Weintraub said, a growing focus on data science has become just as important to being a successful CISO.

“Some of our traditional techniques are no longer sufficient to be able to defend ourselves,” she said. “We can’t hire an army of security analysts to monitor all of the events and logs generated on a daily basis — so data science can be really helpful in focusing our human time on the things that actually require human analysis, then leveraging the technology to do some of the more standard and repeatable functions.”

Data-driven systems are most relevant for security operations centers (SOCs) and identity and access management (IAM), Weintraub said — both of which generate massive volumes of alerts and logs that “it can be like looking for a needle in a haystack to find something that’s compromised within the environment.”

“But if you’re using data science to baseline what’s normal for any given identity, you can more easily identify when something has gone anomalous.”

Yet that visibility typically stops at the edge of the company, leaving companies exposed to security shortcomings at suppliers and business partners they may not be aware of.

In an industry as risk-averse as financial services, these blind spots are steadily being filled through greater industry-wide cooperation aligned around common interests.

“We’re fortunate to work in financial services,” she said, “where we have access to one of the greatest information sharing organizations that really gives us a step up in terms of being more proactive.”

“We can communicate confidentially amongst our peer organizations to understand what the threat actors are doing and what their techniques are, and then use those to inform our own programs.”

Developing more shared intelligence should remain a key priority as companies work to strengthen their cybersecurity defenses, Weintraub said — and it all comes down to thinking like the adversary.

“There’s more we could be doing across both private and public sectors,” she said, “because the threat actors that we’re up against aren’t necessarily working in silos like we are. And so the more sharing we do of intel — between private and public sectors, and even across private sectors — I think we will be much stronger in defense against them.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.