S1:E5 – Abie Award Series: Cyber Crime (Laura Mather)

Subscribe: Apple Podcasts | Spotify | Android

Fighting cyber criminals is a challenging task. Laura Mather, Cyber Security expert, talked about her time at eBay fighting cyber criminals in the early 2000s. Laura explained different attacks that she saw and how these were being tackled back then. We also talked about Silver Tail Systems, a company she co-founded in 2008 to build systems that other companies could use to fight cyber criminals. Laura also explained the challenges of getting funding and how the panorama is changing for entrepreneurs.

In 2017 Laura was the recipient of the Abie award for technology entrepreneurship. Abie Awards are presented by AnitaB.org, a global nonprofit with a goal of reaching 50/50 gender equity in tech by  2025. Abie awards honor and celebrate women who have led technical innovations and made a notable impact on business or society through technology. This episode is part of a series of show that highlight the work of previous Abie Award Winners.

s1e5-laura-mather
Laura Mather

 

Wts_AB_lockup

@techwomenshow

Transcript

ES 0:00
[00:00:00] ES: I’m Edaena Salinas, software engineer and host of the women in tech show, a podcast about what we work on, not what it feels like to be a woman in tech. For more information about the show go to wit.fm

Fighting cyber criminals is a challenging task. Laura Mather, cyber security expert, talked about her time at eBay fighting cyber criminals in the early 2000s. Laura explained different attacks that she saw and how these were being tackled back then. We also talked about Silver Tail Systems, a company she co-founded in 2008 to build systems that other companies could use to fight cyber criminals. Laura also explained the challenges of getting funding and how the panorama is changing for entrepreneurs.

I want to point out that this interview was recorded at the end of April and a lot has changed since then. We started to see more conversations about funding to underrepresented group. I followed up with Laura about this, and I included her latest thoughts at the end of the show, when we discuss this topic.

In 2017 Laura was the recipient of the Abie award for technology entrepreneurship. Abie Awards are presented by AnitaB.org, a global nonprofit with a goal of reaching 50/50 gender equity in tech by  2025.. Abie awards honor and celebrate women who have led technical innovations and made a notable impact on business or society through technology. This episode is part of a series of show that highlight the work of previous Abie Award Winners.

Before we move on with the interview. I’m really excited to announce that season 1 of the 5 minute mentor podcast is available. This is a podcast where you’ll get advice from prominent people in tech, authors, journalists, artists and  more. Go to mentors.fm for more information about the show.  Thank you.

Laura Mather, welcome to the women in tech show.

[00:02:03] LM: Thank you for having me.

[00:02:04] ES: Today we’re going to talk about cybersecurity a lot, which is an area that you’ve worked on since you were early in your career. First, I want to begin with the panorama at the time you finished school. You completed a PhD in Computer Science in 1998 at the University of Colorado, can you talk about what it was like coming out of school into the tech industry back then?

[00:02:29] LM: Sure. I started my career at the National Security Agency, which was fairly interesting. I’ll be honest, though, all of the really hot topics were being worked on in places like Silicon Valley. So there I was in DC and doing interesting work. I liked feeling like I was helping the government and helping our country. But I was super envious of the folks who were on the west coast. I felt like they had the most interesting problems to tackle that their work had a lot of impact. So that was a way to start my career that felt like I wasn’t really starting that I was just kind of getting my feet wet in an area that I had some interest in, but not a ton of interest. And mostly I was looking west and feeling very envious of the folks that were on the west coast.

[00:03:27] ES: So you’re mentioning you’re in DC working at the NSA. And then after that you moved to work at Encyclopedia Britannica, right?

[00:03:36] LM: I did. Yeah. I actually interviewed for a bunch of jobs in Silicon Valley. One of them was at a company called Infoseek, which was a precursor to Google. This was 1999. Google wasn’t around yet. And I interviewed for the position of Infoseek. I interviewed with Britannica for a position there, so I was definitely exploring my options at the time.

[00:04:02] ES: Can you give some context around Britannica and what people were doing at the time? This is early 2000s, right?

[00:04:11] LM: Yeah. I think my first day was January 6 of 2000. A lifetime ago. I was working for britannica.com. Britannica had started their online presence a couple of years earlier, but really wanted to understand the users of their website at britannica.com. My job was to delve into the data, look at how people were clicking through the websites, what queries they were doing, what results they would get from those queries, whether or not they would stick around whether or not they would pay us and try and really get an understanding of that kind of trend data. It was essentially web trends for the Britannica website. Web trends had just gotten started right around 2000. I didn’t even know about them when Britannica hired me. So I built a very rudimentary version of web trends for britannica.com.

[00:05:15] ES: After that is when you started really diving into cyber security at eBay in specific, and I’ve heard you mentioned in the past that somehow they put together NSA and your online experience at Britannica, and it seemed like a perfect fit for cyber security. Can you talk a bit about this?

[00:05:37] LM: Yeah, eBay was getting targeted by cyber criminals at the time. Prior to eBay, the cyber criminals had really focused on AOL if anyone listening to this remembers a company called AOL. They were the main focus of the cyber criminals until eBay came along and then the criminals saw a real treasure trove of opportunity to steal money from people using the eBay platform. Now the executives at eBay, realized that this activity was new. No one had done this before. No one had used a website to steal money from people. And because of that, they didn’t know who to hire to go after these folks. They wanted to hire law enforcement. But when you talk to people in law enforcement, especially in 2003, those people had no experience with online. You talked to people who worked online, those people had no experience dealing with criminals. And the poor executives at eBay, were tearing their hair out saying who do we hire to do this? The fact that I had experience with the National Security Agency, so I had some experience understanding the way people think when they’re trying to evade others etc. And then I had done this work for britannica.com essentially trying to understand you behavior on the britannica.com sites that look like about as close as they were going to get to someone who could possibly look at this problem with, you know, a little bit of experience. And so the fact that if I were to map out my whole career from PhD to NSA to Britannica, it looks like this jagged line, and yet that jagged line fit exactly into what eBay wanted, which was fortuitous for me for sure.

[00:07:29] ES: Exactly. And once you join eBay, and you start figuring out how to tackle this online criminals, and there are all these attacks coming, can you give some examples of the kinds of attacks that we’re seeing?

[00:07:44] LM: Yeah, the eBay platform, unfortunately, made it so that cyber criminals could find ways to steal money from people. The biggest attack vector we like to call it was what we call second Chance offers and there literally are things on the eBay platform called the second chance offer. But what the criminals love to do is they love to see that an auction happened for usually a fairly high priced item, something around the 1000 to $2,000 price range. And they would look at the bidders because eBay was very transparent. They wanted all the bidders to see who else had bid and how much to make sure that people trusted that it was real people bidding that they were, you know, in the midst of a legitimate auction. The criminals would then look at the person who didn’t win the auction but had the second highest bid. And their whole goal was to get that person’s email address, reach out to them and say, Hey, I noticed that you bid 1800 dollars on a Rolex, guess what I have that exact same Rolex and all that. I’ll give it to you for 1500 dollars. Now granted, they didn’t have the Rolex. The other part of the eBay platform that was not ideal for protecting our users was that when someone purchase something, the winner of the auction would send the money to the seller, and when the seller received the money, then they would send the item so if you’re a criminal, you could say to someone I have that Rolex just send me 1500 dollars and as soon as I receive your money, I’ll send you the Rolex. Now an unwary, or sorry, uneducated or unaware eBay user might get very excited about this. I’m gonna get that watch. I want it and it’s only 1500 dollars. They send the 1500 dollars and guess what they never hear from the other person again, the suppose it seller. So it was my job to prevent that type of criminal activity and I’ll say that it was not at all an easy job. The criminals were tenacious, the criminals didn’t have to QA the stuff that they built. They could launch any tool that they wanted into cyberspace immediately. And they would find very creative ways to try and steal money from eBay users.

[00:10:23] ES: And during this time, were you trying to generalize a system or a way in which you could prevent this attack? Or was it mostly on the go like, you see this attack, and then you try to craft a solution for it?

[00:10:36] LM: In the beginning, it was very much on the go, you know, we’re seeing this functionality on the website being used to target eBay users. We’re going to fix that and then the criminals would always respond after I was only there three years, but after maybe a year and a half, we started to get a little bit smarter about should we think about how if we shut off this attack vector, where are they going to go next? And how do we prevent that? And in fact, by the time I left, we tried to be much smarter and say, if they’re gonna go anywhere, we actually would really like it. If they went over here, maybe because there’s not very many users there. And we could let those users know or maybe because the users on this other functionality are much more savvy about these criminals right there, we would think about that. And we would try to actually push the criminals because we knew they weren’t just gonna walk away and be done. But if we could try and encourage them to go to a place where either we already knew is protected, or maybe was much less damaging for eBay users. We tried to even get that sophisticated about how we responded to them.

[00:11:51] ES: And I’ve heard you mentioned in other talks that toward the end, it was so much work you you kind of were overworked, right and then you left?

[00:12:00] LM: Absolutely, I mean, there’s a really challenging mindset in security, which is again, the, the criminals are never going to give up. There was a tough situation personally, where I would be sitting at work, and it would be 7:30 at night. And I would think to myself, I could write up this next business requirements document to try and prevent the, you know, this horrible thing that is happening to eBay users. And I can stay for two more hours to do that. Or I could go home and let this horrible thing happen to eBay users for an extra day. And that can be a very draining decision making process, especially day after day after day. And then finally to eBay as any business does had to prioritize. Are they going to put resources towards security and protecting users or are they gonna put resources towards new users and new functionality. And I think it we had also gotten pretty good at our jobs. And so the losses due to security had gone down quite a bit. And that made the business think maybe we don’t need to invest in this thing called security because that seems to be going okay. For now, anyone who’s actually in security will recognize that that usually means you’re about to have a spike in some kind of incident because the minute you stop investing, the criminals know it, and they go after you. But it can be very hard, as a security professional to have the business tell you what you’re doing is not super important. So we’re not investing in that. Thank you very much for what you have done though.

[00:13:45] ES: Exactly. And one thing I like from your trajectory is that you were overworked and then you leave. But you’re still thinking about this space, and In 2008, you co founded Silver Tail Systems, where you are bringing a lot of your experience from your days at eBay fighting cyber criminals. And at this moment, you are taking a step back to think about systems that you would need to fight attacks at eBay and how other companies online could potentially use these tools. Can you describe some of the main ideas behind the system and this company?

[00:14:27] LM: Yeah, absolutely. I noticed two things after I had stepped back from eBay for a few months. The first thing that I noticed was the attacks we saw to eBay. We’re starting to target other companies and that has something to do with how well we did at eBay. The criminals are happy to go after the weakest link. And if there is a strong defense in one part of the internet, they’re happy to go find a place that does not have quite as strong a defense, that’s actually a good return on investment for their time. And so stepping back from eBay, I went to work for a company called MarkMonitor. And MarkMonitor protected many different companies from something called phishing. And because I got to talk to all these companies, whether it was banks or e commerce companies, and it definitely was not at the level we were seeing at eBay, but I start to hear some of the same stories that I had heard from eBay users of, “hey, you know, I’m at this bank, and we’ve got this weird thing happening where you know, our forgot my password functions, getting a lot of traffic”. And that’s not what we would expect and, you know, just different stories like that. And I realized, wow, criminals are really diversifying, and they’re going after any place where they can make some money. So that was one realization I had. Once I realized that the key was to start thinking about if I can do eBay all over again? What type of system would I build? Because I had three years of headache and different obstacles that I had to overcome and why not build it the way I wished it had, it would have ended up but start from that place. And what we realized when we built the system for Silver Tail was that you need something very flexible, that is monitoring things in real time that is giving alerts in real time. And that can also respond essentially, within minutes at the most, maybe even seconds. Because again, these criminals are constantly revising their attacks, constantly looking for new ways to deal with this, constantly looking for new ways to steal money. And if we could build a system that could be as agile as the criminals, that’s it What you want to arm our customers with at silver tail? And so that was what we built.

[00:17:05] ES: So you found that in terms of the system components, the ability to monitor in real time and was it to update things quickly is what helped be on par with criminals?

[00:17:19] LM: Absolutely. So to know, within a few minutes that something new is happening on a website, you know, at eBay and at other companies before something like silver tail was available, it might take weeks before customer support has gotten enough of these very strange phone calls, that they decided to raise it up to someone in the security group of Hey, all of a sudden people are saying that they keep getting these forgot my password emails or that they, you know, have seen the strange activity on their account. Why not make it so you don’t have to wait for your user to tell customer support and then customer support to tell you, let’s make it so the system is looking for these things, looking for anything that looks out of the ordinary and is giving you immediate indication when that type of thing happens. And then when possible, letting you respond to those new behaviors as quickly as possible.

[00:18:22] ES: And the security industry is an area that is still growing like you said, criminals don’t give up. They keep updating, attacks are more sophisticated. And I’ve heard you and other people in this space say how the number of jobs are growing in cybersecurity, and we don’t have enough people that will be able to do them. So what are some of the things that you liked from working in this area throughout your career?

[00:18:51] LM: Oh my gosh, I mean, security is such a rewarding field to be in. I mean, let’s be clear can be very frustrating to the criminal are beating you know you at at various phases, but then to be able to say there was this attack against my website and I was able to find a way to prevent it from happening. That is incredible. And knowing that you are out there protecting people’s money, heck even their sanity, right? We all know that if we’ve ever had our identity stolen or you talk to someone who had their identity stolen, the heartache and the rigmarole you have to go through to deal with it is just a nightmare. And the fact that people who work in security every day can say, I am helping to make sure that doesn’t happen. That can be an amazing feeling and an amazing calling to life, I think and to a career.

[00:19:53] ES: And what would you recommend to someone that’s been in the industry, they’re software engineers like they have been exposed. To do programming, are there recommendations that you would say into how to start looking into this area?

[00:20:08] LM: I mean, the best you can do now is actually get a degree in it. There wasn’t degrees in cybersecurity when I graduated from school, but now there are degrees. But there are even online courses you can take, if you’re an engineer, just, you know, look for job openings in the security engineering group. Oftentimes, for an engineer, you don’t actually need security experience. And you can just go do engineering projects in the security group at your company and start to get some of that experience. That’s actually what happened with my co founder, who is also my husband, he was an engineer at eBay. And I was doing all of this anti fraud and security work and he came to me and said, I have been coding up all of them. The projects that you have dreamt up, and I’m helping you to protect the site. And now I want to do what you’re doing, I want to create policy that does that I want to try and figure out how to detect these attacks. And so he was able to successfully transition from being an engineer and understanding how the bits move through the website, to understanding how the criminals thought about how to use the website in their activities. So there’s lots of paths for this. I think it’s similar to almost any job if there’s something that interests you, you know, find a way to get a foot in the door, even if it’s not exactly the job that you’re looking for. And then find a way to be useful. Everyone’s always looking for someone to volunteer to help with things. Just find a way to take on some tasks that might be relevant and show that you are interested. I think that can be a great way to do things.

[00:21:56] ES: Exactly. I want to talk a bit now about the entrepreneurship aspects of this. You founded several companies. Right now we’ve talked about Silver Tail Systems, the security company. I’ve heard you mentioned in other talks that it’s challenging to raise money. And at some point you were getting over 40 rejections. In your opinion, what are some reasons for getting rejections?

[00:22:25] LM: I mean, let’s be clear. There is bias in the venture capital world. There is it is a male dominated field. It’s similar, in my opinion to computer science. When I got my PhD, I think 12% of graduates were women. The startup space is probably even fewer as far as founders go, we know it’s way fewer as far as female founders who actually get funded. So it just is an area where there still is A lot of people who have a mindset of what an entrepreneur looks like. And unfortunately, as in a lot of other fields, people who are quote unquote, hiring someone, whether that means they’re actually giving them a job or maybe giving them money to start their company. We, as humans often do that more for people who look like we do, then we do for people who don’t look like we do. And there’s plenty of studies showing that that’s how venture capitalists work as well.

[00:23:37] ES: Exactly. And in addition to that, you know, where we have this bias of like you’re saying it’s a male dominated field. Do you think that’s a big component or there can also be reasons that you can tackle, like, they can tell you well, you need twice the number of users or some more actionable reasons or that wasn’t your experience?

[00:24:03] LM: Well, so let’s be clear. Most of the comments that venture capitalists give to any entrepreneur, most of the comments are, here’s what you’re missing. Right? And because that’s their job, their job is actually define the holes in what you’re doing to reduce the venture capitalists risk when they invest. What that means is they’re very good at finding holes, even when maybe those same holes exist in another entrepreneurs business model. In fact, I did have a conversation once with a venture capitalists. This was a male, but someone who’s actually really open to try to understand what was going on with his own thought processes. And I went in and they asked me all kinds of very challenging questions which they should, they should and at the end, they you And they would ask me a question, I would come back with an answer. And they would ask me to sort of a deeper part of that same question, I’d come back with an answer. And we had this kind of great conversation at the end, they said, Wow, we don’t have this kind of really deep dive conversation with our the other entrepreneurs who come in. And I said, well, because you’re not holding their feet to the fire the way you are holding my feet to the fire, right? And you should have seen this venture capitalist, his eyes kind of lit up. And he, you could see it dawned on his face of, oh my gosh, I’m not holding certain entrepreneurs accountable in the same way that I hold women accountable. And so, the point is that, if you want to say no to anything, you can find a reason to say no, I mean, I would challenge the listeners out there. Think about your favorite thing, whether it’s like your favorite restaurant to go to, it’s something we can fantasize about in this times, right? But or you’re feeling dinner or whatever, and then decide that you’re going to find a reason you don’t like it, you can find that I would challenge anyone to find something where they can’t find some reason that they don’t like it. Right? The human ingenuity is just so amazing in that way. But what that does is it lets venture capitalists rationalize the fact that they’re turning away a lot of women, because they say, Oh, she didn’t have quite as many users. Oh, she didn’t have quite a good answer. When I asked this question. Oh, I think her monetization plan isn’t quite as good as this other one. And yet, someone else will walk in who looks just like them, who maybe hasn’t done nearly as much planning nearly as much research doesn’t understand the space and they get super excited about it because it looks like Something that they recognize, right?

[00:27:02] ES: Or they see potential, or something. Yeah, they’re not there yet. But I see it.

[00:27:06] LM: I literally use air quotes potential, right? It’s like, it’s so funny because I get it. I can see it. I mean, I know I’ve done it too. I know I’ve done it too, right? I don’t know, maybe I get annoyed with someone and then all of a sudden, I can nitpick things and find things they do wrong all the time, even though those same things wouldn’t have bothered me the week before, right? We can do that as human beings, but it ends up impacting the outcomes. And what’s actually really sad is it impacts the actual outcomes for venture capitalists, right, because there have been these studies, whether it’s from the caper capital folks, and others, that startups from minority groups, whether that’s women or people of color, they actually do better. They have better return on capital. They have much less consternation within their existing teams, there’s all these things, all these metrics where those companies look good. And yet, these traditional VCs who have a cookie cutter way of looking at what they’re going to invest in, they miss out because what walks in the door doesn’t fit inside the cookie cutter.

[00:28:21] ES: Exactly. Right now I’m starting to hear more and more conversations around this. Are you optimistic for the next five years? Let’s say that we’ll start seeing more funding to minorities?

[00:28:35] LM: Well, the pandemic I’m worried is going to change everything. If you had asked me four months ago, to be honest, I’m not sure my answer would have been that much better. I may have been slightly more optimistic.

[00:28:49] ES: It’s hard to tell.

[00:28:50] LM: Yet Well, I worry that with the pandemic, what happens when people get scared, is they fall even more back onto what is comfortable for them. And what is comfortable For people are people who look like them, unfortunately, I will say that if we were able to go back to, let’s say, November, and you were to ask me the same question four months ago, I actually was having some frustration because I would see things like, you know, so just launched a fund for black entrepreneurs, but the fund would be $10 million. Right? And then you look and some of the big VC firms even now are closing, you know, $3 billion funds, right. So how does $10 million compete with a $3 billion fund? You know, I look at $10 million. And I think that’s not even investment in one company, not even and these people, they have such great intentions, and I certainly don’t want to fault that. But they would say, you know, and we’re going to use this $10 million and invest in 30 companies and I just think, Oh my gosh, like you don’t understand what you’re competing against. If SoftBank is going to go put a billion dollars in a company, and they’re going to have all that money to do marketing and to hire people and do all these things, a company that’s getting less than a million dollars, even less than $10 million is unfortunately set up to fail. They just are and what I do hope maybe a way to turn this more positive is I do hope that the times we’re in now are going to reset this growth at all costs mentality that we’ve been seeing, because I do think that could help the companies that are founded by people of color and women, because I do think when it is about a realistic business model, and realistic growth, that does start to help the playing field get a little more level, when it’s about hype when it’s about spending. As much as you can, and then you pile on to that the fact that women and people of color have such a hard time getting capital at all, let alone exorbitant amounts of capital. That is a really difficult situation to try and overcome. So if there is any kind of silver lining to this moment of time, maybe it is going to be that a realistic business plan will look better to VCs and be more successful. And if so, that could make things a little bit better.

[00:31:36] ES: I followed up with Laura in July to get her thoughts on this question again. The reason for that is because in the United States, we started seeing more racial injustice activism. This is what she wanted to add, quote: With the racial and justice activism that has occurred over the last several weeks. We are seeing some investment firms looking to invest more money in underrepresented groups. Two examples include SoftBank, pledging 300 million in contributions or investments to minority groups, and Andreessen Horowitz, talent x Opportunity Fund, with an initial investment of 2.2 million. These are definitely a start. And I hope the venture capital community can continue to create funds like this”, end of quote.

I know we’re almost out of time. So I just want to end this interview with a couple of questions related to the award that you received in 2017. You are the recipient of the award for technology entrepreneurship. What did it mean to you getting this award?

[00:32:47] LM: I mean, holy cow. The fact that an organization which is now called the need to beat org, it wasn’t then chose me as the recipient of this award. I’m not sure There is a greater honor. You know, here are all these women who are so technical and are so accomplished, and to have them recognize the work that I had done as being beneficial. I mean, that’s all I’ve ever wanted to do. I love Like I said, I would love cybersecurity because it helped people. And I loved doing my cybersecurity company because I love knowing that I was protecting at one point, it was like 2 billion online accounts, holy cow, that was so amazing. And that’s why I start companies is to try and have impact in the world and to have this amazing organization recognize that I had impact. I’m not sure that there could be anything more meaningful.

[00:33:52] ES: And did you see an impact in your career in any way from getting this award?

[00:33:57] LM: I mean, it’s definitely a record admission that other people look up to for sure. And, you know, being able to say that I got this award being able to put it in my signature line that opened doors for me, it definitely got people interested. It meant that, you know, I’m of course, I can’t do any kind of AB test, but I would love to have, how many people actually responded to my email when they saw that versus not. But I feel like because I had that to point to it gave me some legitimacy. You know, obviously, I had done even if I hadn’t won the award, I had done the work I had done, but that solidified it and sort of summarized it nicely for people of hear someone who knows what she’s doing as an entrepreneur, who has built things that are impactful. It’s the way to create this label that lets people know that without me having to say it in to without having someone have to spend Three minutes explaining it, which is fantastic.

[00:35:02] ES: What I’ve also heard from other winners is, from getting this award, well, I need a beat or writes articles about it. And people notice they might be familiar with your company now. And they’re like, Oh, this is exactly what we need right now. And they found out because they saw you got the award, and then they look up all your work and that kind of stuff.

[00:35:22] LM: Exactly. I mean, let’s be clear, any kind of PR, especially positive PR is fantastic. And when you’re doing a start up, holy cow, you’ll take anything you can get, but having something that well sort of distributed, I had, like old professors reach out to me and say, you know, I just saw that you won this award, and we haven’t talked in 15 years, but congratulations. I mean, it was incredible. The amount of people who saw that because of the reach that Anita b.org has, that’s what makes it amazing.

[00:35:55] ES: Well, Laura, thank you for coming on the show. It’s been great chatting with you.

[00:35:59] LM: Absolutely. Thanks for having me this is fun.

Sponsors

5mm-Ad-Image-SMALL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s