Dance Of The Next-Gen CISO
Security Pro File: Classical ballerina-turned hacker-turned CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristin Wiig -- and finishing her kids leftover mac and cheese.
When Justine Bone visited New York City at the age of 21 with the Royal New Zealand Ballet Company for an auditioning tour, she decided two things: one, that she definitely loved New York, and two, that she wasnt going to be a prima ballerina after all.
If I cant be the best in the world, screw it, Im out, Bone recalls thinking that day in the mid-1990s as a young professional ballet dancer on the New York stage. She vowed to come back to New York someday, and when she returned home to New Zealand, she enrolled at the University of Otago and earned a degree in computer science.
Bone, a renowned security pioneer in the white hat hacking world-turned chief information security officer, got her start in security with New Zealands equivalent of the National Security Agency, the Government Communications Security Bureau, where she was heads-down hacking in her first job out of college on the agencys newly minted security offense team. I learned how to reverse-engineer, write exploits, and code. I was Windows-focused: I was all over Windows NT and Windows 95, finding bugs, she says.
Security was in Bones blood: her dad was a detective, and she found herself a natural at hacking things as a teenager. Climbing out of windows in the middle of the night to see boyfriends, she quips, I had to figure out the home alarm system, the motion detection system. I kind of grew up with a hacker mentality.
Bone ultimately worked her way back to the Big Apple as she had planned after landing a job as a consultant and researcher in 1999 with Atlanta-based Internet Security Systems, now IBM X-Force, after meeting some of the companys executives at a seminar. I walked up to them and said this is what I do. I know how to hack and I think I can help you and you can help me, she recalls. She eventually moved from ISSs Atlanta headquarters to its New York City office, where she honed her hacking skills in penetration testing.
An old-school Windows hacker, Bone used to hunt for zero-day buffer overflows and write exploits for them. I was queen of the buffer overflows, she says. As SQL injection flaws came to light with the explosion of Web servers, she set her sights on Web application bugs as well. Bone later took her skills to the business world, setting up the security department at Bloomberg LP, where she was head of risk management, a gig that encompassed both information and physical security.
Bone later co-founded security research firm Immunity Security in 2002 with David Aitel, serving as CEO, and in early 2013, returned to the enterprise security space as CISO of Dow Jones, a job she held until last fall when she left to become chief information security and solutions officer at identity management company Hoyos Labs. She describes her current role as a next-gen CISO, which entails overseeing security at Hoyos as well as helping its customers understand the companys biometrics-based identity management technology and how to integrate this new generation of facial, iris, and periocular authentication into their environments.
I do presentations to customers, pure sales calls, internal strategy ... Im at least 50 percent business-oriented, she says. Im still needed in a technical capacity, so still [creating] white-boarding designs, wondering where our bugs are, and still converting those who dont believe in zero-days.
Bone works in Hoyos Labs Manhattan office four days a week, and then returns to her home in Miami where she lives with her three young children, ages 3, 5, and 9 -- all boys. Her commute requires a little creative hacking of her time and the discipline of a dancer: she leaves from Miami at 3:30am on Monday morning, and gets to the office by 10am. On Thursday night, she heads out of New York and back to Miami, where she works out of her South Beach office on Fridays.
A lot has changed in security since buffer overflows were all the rage, but after nearly two decades in the field, Bone is painfully aware that she remains one of the only women in the room in security. We need to make it more attractive to women, she says of the security industry and its wealth of job opportunities. You can be social and engaged with other humans and code, a fact often overshadowed by the standard geek stereotype associated with the tech world. You can wear stilettos and code.
Bone says some women and men can be intimidated by the security industrys relatively aggressive culture, where many experts dont hesitate to call one another out publicly over a technical detail or dispute over a security issue. Youve got to be very factual and assertive to survive in our scene, she says. For someone coming in, that can be a bit intimidating.
Thats where her classical ballet training came in handy. She says her past experience performing on stage helped her through some nervous moments as a 20-something woman in security walking into room full of men. I was able to hold my own, she says.
As a seasoned CISO and a hacker, Bone is also well aware of the major security challenges faced by businesses today, especially large, established ones in an era where cyber attacks are now routine. Large companies struggle to manage their data, much less control its access in a climate of mergers and acquisitions. They dont understand their systems, and they certainly dont understand their data and where it is, Bone says, which leaves them vulnerable to attacks and data breaches.
The other problem is accountability: the way we authenticate doesnt work anymore, she says. You have to introduce accountability into the equation so we really understand who has access to what, where the transaction is initiated, and which humans are involved.
Bones hacking projects today are more on the philosophical side of things. These days my research gets pretty out there and philosophical about the balance between privacy and technology, she says. Shes focusing on things like data-centric security strategy.
That doesnt mean she doesnt ever want to get back into the trenches again. Ill end up on a beach coding someday when I retire, she says. We still need other old-school coders out there.
PERSONALITY BYTES
Worst day ever at work:
The day I found out my CEO was no longer with Dow Jones. Everything changed overnight.
What your co-workers dont know about you that would surprise them:
Im so business-oriented these days, maybe it would surprise them to see me when I was an orange-haired techie, spending all my days in a blacked-out room, coding and reverse engineering with the best & worst of em.
Security must-haves:
My face and my phone.
Business hours:
These days it never stops, but sometimes I take breaks. If left to my natural rhythms I lean toward 7am-10am for creative thinking like presentation preparation or solving harder tech problems, 10am-5pm is major game time - customer meetings and what-not, after that the more administrative stuff. Some business meetings in the evenings, a few phone calls, or writing papers over the weekend. I sleep on planes.
Actress who would play you in a film:
People are constantly thinking Im Kristen Wiig. At The Wall Street Journal, rumors went around that Kristen Wiig was on the floor, but it was just me at work. I get it when I go into shops. I get it all over the place. I cant imagine how much worse it must be for her: Hey, are you Justine Bone!??? probably every time she sits down at a keyboard.
Favorite hangout:
Segafredos on Lincoln Road in South Beach. Great outdoor people-watching, great cocktails, great music.
Comfort food:
My kids leftover mac & cheese.
In your music player right now:
Tove Lo, ODESZA, The Broods and Hannah Georgas.
Ride:
A VW Eurovan and Fisker Karma as needed in South Beach. Everywhere else, Uber.
For Fun:
(Spending) time with my kids in the pool/beach/yard primarily. I also love music and Im an amateur turntable DJ. And I love clothes - I spend too much time thinking about clothes.
Next career:
Artist.
Tags:
Dance Of The Next-Gen CISO