VMware’s Karen Worstell: This isn’t a black swan world anymore

Over the past 30 years, several disruptive events have completely changed the practice of security. The challenge for CISOs: take the lessons of the past and apply them to the future. mary

Karen F. Worstell, senior cybersecurity strategist, VMware
VMware

Karen F. Worstell offers a grim assessment: Security teams, and by extension the organizations they serve, are now “living in a zero-day world.”

“That’s our new reality, and we have to operate on the assumption of breach,” she says.

At the same time, she sees CISOs dealing with technical debt and limited budgets as well as the expectation that their security initiatives won’t slow the pace of business.

Taken all together, Worstell sees significant cybersecurity challenges coming down the pike.

But Worstell, a senior cybersecurity strategist at VMware, has faith in her profession. And she believes CISOs are capable of turning a would-be crisis into an opportunity by “coming up with approaches to protect the enterprise without hindering it, so they’re nimble and can respond” to whatever tomorrow holds.

For her, that’s all part of a day’s work.

Worstell meets with CISOs around the world to gain an “over-the-horizon perspective—the what’s coming and what should we be getting ready for so we’re future-ready.”

As part of a team of strategists engaging with CISOs, she takes the insights she gains from CISOs to help her own company understand the outcomes that CISOs need to deliver in their organizations and how VMware can aid their objectives.

“No one is going to say it’s 100% perfect, but having as much done before deployment as one can reasonably do to make things safe and secure is important to me, and it’s one of the reasons I work here,” she says.

The past informs the future

Worstell says the past gives her, her colleagues, and CISOs a lot of clues on what’s next.

“Looking at our long history of cybersecurity is really helpful, because the last 30 years have been marked with what I will say were disruptive events, things that completely changed what we’re doing,” Worstell says.

Consider, she says, how the advent of the internet dramatically changed the threats coming at organizations, how the rise of nation-state and organized crime syndicates introduced new security challenges, and how the COVID-19 pandemic increased organizational risk overnight as companies enacted en masse work-from-home policies overnight.

Such examples demonstrate how security issues come up fast and evolve over time, Worstell notes. But those organizations that anticipate and internalize those truths are much better positioned to defend against changing threats, be resilient, and, ultimately, thrive in the new environments.

The challenge for CISOs, their teams, and organizations as a whole is to take the lessons of the past and apply them to the future, Worstell says.

“This isn’t a black swan world anymore. We should expect the unexpected,” she adds. “So how do we think about security and protecting everything related to our digital life, and how do we anticipate what’s coming and build in capacity and flexibility to respond and not find ourselves compromised with our businesses or our services because we weren’t ready?”

Building a future-proof career

Worstell knows both personally and professionally the importance of being well prepared for the path ahead.

She was “a very broke mom of toddlers with $13 to last me two weeks” in the mid-1980s when her brother gave her a Radio Shack TRS-80 Model 1 personal computer. He also told her she needed to learn to code.

“He was telling me, ‘If you take this step everything can change for you,’ and I was very open to the opportunity to change,” she remembers.

Worstell, who had bachelor’s degrees in biology, chemistry, and music, quickly took to programming—calling it a fun combination of science and creativity.

She adds: “I like doing new things, and I had always been a tinkerer.”

She enrolled in Pacific Lutheran College and earned a master’s in computer science in 1987. She had some projects around encryption during her studies; those projects drew her into cybersecurity, where she found opportunities to quickly advance her career.

“It was such a new field that my managers would say, ‘We want you to do this now.’ And it was all new, and I’d have to figure out things like cybersecurity policies. Nothing had been done before, and I said ‘yes’ a lot to things I had no idea how to do,” she says.

That experience taught Worstell not to be afraid of breaking new ground—and the need to pass on that message to other women, as women remain vastly underrepresented in the profession (at about 25% of the workforce). She says she believes the tech culture had fostered the idea that men are more likely to want to tackle new problems and then women internalized that message, which together have discouraged women from entering and staying in the field.

Worstell works to counter that message.

“Women as much as anyone else have the capability to say ‘I have no idea how to get this done but I’ll figure this out,’” she says, noting that the profession requires all the brainpower it can get to counter the cybersecurity challenges on the horizon.

Preparing for the future

Worstell acknowledges that there are plenty of challenges that security leaders face when readying for tomorrow.

“We tend to be attracted to bright shiny objects and the next new thing, and I mean that about humans in general,” she says.

As such, Worstell believes it’s natural for CISOs to be fascinated by new technologies and captivated by the hope that they can use those tools to more easily secure their organizations.

But Worstell, like other leading security experts, believes CISOs need to devote more resources to cybersecurity fundamentals.

“We still don’t carve out enough time to take care of technical debt and basic cyber hygiene. So we end up with a growing technological gap that’s going to cause us more and more difficulty going forward,” she says. “We’ve also been reluctant to learn that so much of cybersecurity [success] is done by just doing blocking and tackling and doing the fundamentals.”

She says teams that invest in high-tech security solutions without practicing good cyber hygiene and flawlessly performing the fundamentals are merely “putting steel doors on grass shacks.”

On the other hand, Worstell says those who have committed to performing the fundamentals are better positioned to optimize the latest cybersecurity technologies and strategies, such as the zero trust methodology.

“We get caught up as an industry in compliance frameworks and the different kinds of mandates that come out, but if we had really just said, ‘What does it mean to demonstrate to a defensible standard of care? How do I do that [and] show it’s operating all the time and it’s right for my company?’ If we did that, we’d be far ahead of where we are now,” Worstell says.

She says those companies with high-performing security departments today are more capable of handling whatever cybersecurity threats are ahead.

Worstell already sees many potential risks, saying that climate change, geopolitical issues, societal disruptions and cyberwarfare are all likely to generate security-related challenges for enterprise CISOs.

CISOs should also anticipate new security challenges and requirements that emerge alongside evolving technologies, such as 5G and the plethora of services that it will enable.

All that, she adds, are on top of any threats that come out of nowhere.

“We’re not going to know the monkey wrenches that will be coming, but we have to be ready,” Worstell says. “So we have to think about operational models [of the future] and how to secure them. It’s easy to focus on what’s right in front of us, but let’s also think about what’s going to affect us in three to five years, to learn how to engage those things on the horizon, and translate them into scenarios that we can plan for.”

Worstell admits that puts a lot of pressure on CISOs.

“That’s on everyone’s mind. How do we get that done without upending the [existing] cybersecurity program and all the other things CISOs need to pay attention to every day?”

However, she sees CISOs successfully responding.

They’re focusing on how to scale devsecops (a challenging task in its own right) to ensure security is built into systems from the start. They’re getting better at balancing security requirements against operational needs for speed and functionality. And they’re developing agility within their teams and operations so they can respond as risks and circumstances shift.

And despite current and future threats, and the challenges in defending against them, Worstell is optimistic.

“Technology intersects opportunity,” she explains, “and we’re going to continue to take advantage of technology opportunities to be more productive, to deliver more services to more people, to do good in the world.”

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.