Women in information security

The first featured guest of issue #1 of Information Security Magazine 2018 is Manjula Sridhar, the founder of ArgByte.

Manjula was a keynote speaker at InfoSecurity Russia / ITSec by Groteck in 2017. She spoke at TEDxNMIMSBangalore back in 2013 with a story about sport and entrepreneurship. The full version of her talk is available here.

Manjula graduated from the University of Mysore (India), majoring in Electronics and Communications. She worked for Bosch, Alcatel-Lucent, IDG Ventures, Aujas Networks, Huawei, Arcot Systems, and CA Technologies, and then founded ArgByte to help people fight Internet persecution. We decided to ask her some questions:

- How did you choose your profession? What influenced your choice?

I was always fascinated by science and technology. I was good at school so it was very easy and natural for me to get into engineering. 

In Engineering, I specialized in electronics and communications, which led to a job in the networking space in the USA. While building these systems I got introduced to implementing security. I grew up on a staple of thrillers and detective novels, so it was again very natural for me. Then I did my Master's, majoring in security. Security is really a great space, with lots of new challenges, so it keeps me engaged constantly.

- Despite the fact that women are actively engaged in "male" work, gender division in the business environment is very strong. And among information security experts, it is rarely possible to meet a woman. How do people react when they learn what you do?

I think, given the advances in culture and technology, the definition of "male" or "female" work is blurring. The way I look at it, there is a problem, and there is brain power to solve it. Gender hardly matters. However, biases exist because of lazy thinking patterns. It is unfortunate and does pose a challenge in terms of the number of people that you can work with. Your playing field becomes smaller. However, once you get through the initial hurdles and establish yourself, it becomes easier. There is also the additional satisfaction of creating new paths for humanity.

Fortunately, in my career I haven’t faced too much discrimination. In Bangalore, India, which is called the Silicon Valley of India, we have many women techies and there is a healthy respect for the work we do. So I haven’t faced too much of a problem in this regard.

- Would you consider that the Information Security sphere is more male than female?

If we go by existing social norms, isn’t a woman more suited for planning security? Given the safety concerns, women grow up with a "defensive" mindset. That is very useful while designing software systems. In fact, I would go one step ahead and say that if more women had been involved in the early development of networks, we wouldn’t be in such a mess.

Having said this, I believe information security is a cross-disciplinary problem (technology, psychology and business) which requires collaborative teamwork to design across many specialities. Gender is not one of them.

- As social networks and digital transactions increasingly penetrate into business and people's everyday lives, the line between business and personal life, and between the physical and online worlds, is becoming increasingly blurred. False accounts in social networks are increasingly being used by cybercriminals for phishing attacks. How can a company be protected from this threat?

Awareness is a key step. For phishing, one of the effective solutions is two-factor authentication. (I have done my bit by creating this awareness video https://www.youtube.com/watch?v=nYx38QfY_1s in multiple Indian languages and we have half a million views cumulative). We have the video translated in 5 different languages. The Hindi version (one of the widely spoken Indian languages) has 130 K views, which shows that we are catering to a real gap. The Facebook version has 350 K views in the Indian subcontinent.

There are no accurate statistics in India as many go unreported. But it is quite high as most banks have been subjected to it. I would think it is on par with global statistics and may be slightly higher due to many first-generation digital users. The Digital India push by the government has been very successful, but awareness is still a big concern.

Also, as networks become more complex, I think intelligent systems which discover the gaps in real time and address them will take precedence over other aspects. Security needs to be part of the system design rather than an afterthought.

- Can two-factor authentication really resolve the problem of phishing? What type? Password + SMS? Or Password + Biometric (face/fingerprints)?

There is no perfect solution for security. The way to look at it is as an additional layer of security, which can also be defeated if there is enough skill and motivation on the side of the attacker.

Relatively, though, the solutions which are truly out of band and use two different channels, such as the mobile/wireless channel and Internet channels, are more secure. Password + SMS on the same phone is not true two-factor, because if the phone (the only device and channel) gets compromised, everything is compromised. For financial or sensitive transactions it is better to use multiple devices and channels. Biometrics have their own issues, as a one-time capture can lead to a lifetime block, and experts have demonstrated lifting fingerprints and iris scans from high-definition photos.

- Will Artificial Intelligence help in this fight? How?

The challenges are becoming too complex for humans alone to decipher. As they say, with bots etc., attackers are already using AI or similar technologies. So defense needs to be upped to that level too. Sophisticated attack vectors need sophisticated software to defend against them.

Artificial intelligence provides a unique ability to learn in real time, which is very useful in detecting and preventing attacks for which no rules exist.

- What do you think will happen to human civilization with further development in AI technology? Can it be our friend?

Very hard to predict, but my guess is it will be just like many other technologies which are good or bad depending on who controls them. Ex.: nuclear technology. One additional concern, though, is the concept of singularity, where collaborating AI machines surpass the intelligence of humans. That is truly something to be seen to understand, but that is a little far away, I hope. My hope is that a logical world (supposedly) will be much better than a chaotic world dominated by emotions.

- You are the founder of ArgByte, what is the main activity of your company?

ArgByte is a fraud analytics company and uses AI and other analytic techniques to detect and prevent fraud. At a basic level we learn from fraudulent profiles, build a rules engine and prevent such profiles from accessing a system. We also provide B2C forensics using some of the tools that we built.

AI is very hyped up today; however, many of the techniques are quite old. One of the most popular AI languages nowadays, "R", was developed in 1993, and its predecessor, S, was developed in the 1970s at Bell Labs. So many of the techniques we use and intend to use will be a combination of statistical rules followed by application of machine language classifiers. Which technique to use is highly dependent on the nature of the data and the problem that needs to be solved. We use both supervised and non-supervised methods to address specific problems.

The company blog also has some data https://www.argbyte.com/blog/.

 
