Lysa Myers, Cybersecurity Researcher.

Plant Nut And Cyber Expert On Sheep, Ducks, And Stalkerware

Lysa Myers discusses how livestock fencing has had an effect on the way she views security

Di Freeze, Managing Editor

Northport, N.Y. – Jan. 14, 2020

Security and privacy advocate Lysa Myers, one of the women featured in the book, “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime,” has been deeply involved with cybersecurity since 1999. When she stepped through McAfee’s door into a new world, however, she didn’t completely abandon a desire she had: to work with plants in some capacity. Over the last two decades, as she has led and managed many research projects, she has also run a mini farm and food forest with her spouse.

“I’ve been a plant nut since I was little,” she reveals. “I learned to forage for a couple of different native plants and fungi from classes at school, and at Girl Scout camp. Since then my interest has only grown.”

Their farm specializes in traditional native Pacific Northwest food plants, of which she says the most recognizable are huckleberries and blackberries.

“Some of the most popular and delicious commercial blackberry varieties (such as the Marionberry) were created by hybridizing with our native, trailing variety,” she explains, her enthusiasm for the subject contagious. “There are a wide variety of other types of plants that are edible, some of which are very recognizable but which most of us don’t think of as edible (such as cattails or pine pollen), and some that are edible but less popular in the U.S. (such as elderberries and elderflowers). Camas bulbs were a very popular staple crop here for thousands of years; they’re eaten kind of like potatoes, but they’re in the same plant family as asparagus.”

Right now, what they grow on the farm is for personal use. 

“The farm is still young yet, and we’re competing with a lot of local wildlife for what we’re producing,” she says.

Her husband has run a traveling reptile zoo for almost 30 years, and part of the interest in getting land was the possibility of expanding his business to include a petting zoo. They now have miniature livestock animals — sheep, goats, chickens and ducks.

“The chickens are particularly notable, as they’re one-fifth the size of a regular chicken — they’re not much taller or heavier than a can of soda,” she says.

So why are we spending time talking about adorable miniature livestock animals? Do they have anything to do with cybersecurity? In a way, they do. Myers has learned that one of the most important things about keeping livestock is to have good fencing.

“This has weirdly had an outsized effect on the way I view cybersecurity,” she says. “All the things I tell people about how to secure their environment, I’ve inadvertently broken each and every rule when securing my animals. When I started in this industry, I was hopelessly naive about how security ‘should’ be done. But reality has a way of getting in the way of our ideals. Rather than planning for accidents or security incidents to never happen, we need to set things up such that whatever damage does happen is survivable.”

Reflecting on her early days in cybersecurity, Myers says that back in the late nineties, she had no idea the career even existed.

“I had been regularly using computers since I was about five but never learned to program or really use it for much more than playing games or chatting on BBSes until I was an adult,” she said.

In 1999, when she was looking for a change from her job as a florist, and craving more job security than what she’d be able to find in that field, a friend who worked in the virus research labs at McAfee told her about an entry-level administrative job opening as an office manager’s assistant. She applied for the job and got it.

“I helped out with tasks for the virus research labs when I had downtime,” she said. “After a few months, I moved into the virus labs officially. I started out doing triage for the virus sample mailbox, doing something like the email equivalent of ‘thank you for your patience; your call is very important to us’ while people waited for the analysis of their file.”

After a few years, she was leading the group of people doing triage around the world, coordinating responses so that nothing got lost in the handoff between time zones, and making sure they were giving consistent and informative answers to everyone who wrote to them.

“As time went on, I picked up more and more malware-analysis skills, so that I would be able to route samples to researchers more effectively. So, the next natural move for me was into the malware research side of the equation.”

After that, she became the lead researcher for North and South America.

“I coordinated research in those time zones and trained new researchers in the U.S. and India,” she said.

After more than nine years with McAfee, Myers became director of research at West Coast Labs in 2008. She remained there for more than three years. Her next move was to Intego, as senior security analyst.

She says that in her early career, the exposure she had to security incidents was after something had already gone wrong.

“Because I only saw the consequences of poor security practices, I became pretty dogmatic about what people ‘should’ and ‘shouldn’t’ do to secure themselves,” she said. “I figured that failing to do these things meant you must be ‘doing security wrong.’”

Her time as director of research for West Coast Labs introduced her to a very different side of security.

“I had to go searching for malware, instead of drowning in a sea of samples sent by concerned customers,” she recalls. “I also had the chance to talk face to face with a lot more security practitioners, to hear what it was like to make security policies work despite very limited budgets and difficult interoffice politics.”

Her time at ESET, a six-year period from 2013 through 2019, was another wonderful opportunity to expand her awareness of how security is practiced in the real world, and to get more involved with the community.

“In particular, I got to talk a lot with people in healthcare and in education about what challenges they face, particularly since there has been a lot of legislative and regulatory interest in their ability to protect their customers’ data,” she said. “And I’ve learned a lot about how small to medium-sized businesses are starting to deal with the challenges they face, as well as how MSPs and MSSPs are evolving to help meet that need.” 

Most recently, Myers has been able to delve into the area of protecting people from stalkerware.

“This has been such a difficult area to give people good advice for,” she said. “So much of the advice we traditionally give people about how to protect themselves can put someone in a domestic violence situation in an even more dangerous position. And many of the tools that are commonly used for stalking people are totally legitimate dual-use products for sharing your location with friends and family. The tech industry as a whole needs to come together to work on this issue; it’s not something we can attack as if it’s ‘just’ malicious software.”

A frequent contributor to a variety of security magazines, including We Live Security, Dark Reading and Security Intelligence, Myers has been writing about cybersecurity and speaking publicly for almost her entire two decades in the industry.

“The funny thing is that I absolutely hated writing in college,” she says. “But as it turns out, when I get to write in my own voice about a subject that interests me, I find it very satisfying.”

She says speaking publicly is a different story.

“I absolutely hate being the center of attention and it causes me an almost unbearable amount of anxiety,” she shares. “I’ve chosen to take on public speaking primarily to expand the conversation I can’t really have if I’m just writing. You don’t really get to hear or see someone’s reaction to writing, but you do get that in person. And most writing opportunities tend to be long enough just to get across one single concept, so speaking allows me to get more in-depth with a subject.”

As Myers anticipates her next exciting opportunity in the cybersecurity world, she continues to be an advocate for improvements in the way we do cybersecurity.

“The biggest issue I see with the way we do cybersecurity is that we approach it as a technology problem rather than a human one,” she says. “The approach many companies take is to throw more tools at the problem and create more rules that restrict our employees’ ability to do their job. What we should be doing is sitting down and thoughtfully assessing our risk, and then mitigating that risk in a way that enables people to get work done. I know this sounds super idealistic and difficult to accomplish when security practitioners are completely overwhelmed and underfunded. But in one situation we’re patching holes in the roof and putting buckets all over the place to catch the deluge, and then yelling at people who are unable to navigate the maze of water-catching devices. In the other, we’re inspecting the roof to assess the damage, making necessary repairs and replacements, and then setting up a schedule to maintain and repair things so we don’t get caught with catastrophic leaks again.”

When it comes to improving diversity within the industry, Myers says she used to think we just needed to tell more people about careers in this industry.

“That’s because I was unaware of this as a job opportunity 20-some years ago,” she says. “While that may have had some element of truth two decades ago, I think a huge part of the problem now is in our ability to retain diverse talent. There are a lot of barriers to success and career longevity for people from groups that are underrepresented. The longer someone who’s outside the majority spends in this industry, the more they experience difficulties in being hired, promoted or funded. This sort of constant friction wears on a person over time, and we end up losing a lot of really talented people. It’s my hope that we can improve hiring practices and be more transparent about how companies pay and promote employees within different demographics.”

Myers believes it’s important to increase empathy in the way people are educated to protect themselves.

“It can be really hard, when you’re constantly stewing in the cybersecurity soup, to step back and view things from the perspective of a ‘layperson.’ It’s a little like asking a fish to explain what water is like; when you’re surrounded by something day in and day out, it can be hard to perceive how that would differ from someone else’s experience. But security is scary and incredibly technical to the average person, and it’s our job as experts to make it both painless for them and very difficult for them to truly cause damage by doing something wrong.”

She says that most people “manage to learn how to cross streets safely,” and we can learn a lot from those early lessons about how to teach people to be safe online.

“Keep your initial message brief and memorable (e.g. ‘Look both ways before crossing’). Then you can fill people in with more in-depth information that gives them a plan for positive action (e.g. ‘Always hold an adult’s hand when you cross’) rather than just a long list of things they shouldn’t do.”

To learn about more women fighting cybercrime, pick up a copy of “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.”


Di Freeze is Managing Editor at Cybersecurity Ventures.