Elana Graham of CYDEF on the Five Things You Need to Create a Highly Successful Career in the Cybersecurity Industry

An Interview With David Leichner

Elana Graham, COO at CYDEF


The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Elana Graham.

Elana Graham received her Bachelor of Mechanical Engineering from the Royal Military College of Canada, and then spent eight years as a Combat Systems Engineering Officer in the Royal Canadian Navy before completing her MBA, Professional Engineer designation and Project Management Professional certification.

After her military service, Elana spent eight years with an International Defence and Security company before returning to public service at Canadian Nuclear Laboratories, where she got a firsthand look at the cybersecurity challenges facing organizations.

This led Elana to help establish a Canadian cybersecurity company, CYDEF, whose mission is to defend small and medium-sized businesses against cyber threats through affordable, turnkey, enterprise grade detection and response.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Sure thing, I’m Elana Graham and I am the COO for CYDEF, a Canadian cybersecurity company. I started my career in the Royal Canadian Navy after obtaining a Bachelor’s degree in Mechanical Engineering from Royal Military College of Canada. I then trained as a Combat Systems Engineer.

After retiring from the Navy, I spent some time in the Defence industry and then at a Canadian Crown Corporation primarily in project/program management in both construction and IT — it was there where I started looking deeper into detection and response as part of a critical layer in layered security. Not just having the big wall (AV, spam filter, firewalls) but recognizing that organizations need to be prepared to defend against attacks that circumvent traditional security controls.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

This is How They Tell Me the World Ends by Nicole Perlroth, a cybersecurity journalist. In this book she talks about clandestine activities of hackers, state-sponsored cyberattacks, and the vulnerabilities within our digital infrastructure. I encourage anyone thinking about a career in cyber to check this book out — it is non-technical and paints an excellent picture of the risks to our infrastructure.

But also, Sheryl Sandberg’s Lean In. Sandberg encourages women to overcome self-doubt, society’s expectations, and workplace biases to pursue their ambitions and “lean in” to their careers. Key takeaway for me was to have courage and confidence in your abilities.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

So, it was while working in IT project management at Canadian Nuclear Labs that I saw firsthand the amount of time, money, and effort that went into building detection capability. We would spend X dollars and take 18 months to build and test a technology. Once we put a bow on it and handed it over to the IT operations team, they said, “Thanks, but we don’t have anyone to operate and maintain this tech.”

So the only option was to reach back to the vendor to purchase costly professional support services. I thought to myself, how can anyone, especially smaller organizations, even think about layered security with their limited resources?!

It was at that time that I met cybersecurity experts who were absolutely frustrated with the detection tools they were using. They still had to spend hours and hours sifting through “hay” to find the “needle.” They were convinced there was a better way to detect threats such as those that walk right through the front door using a trusted app like MS Outlook or Gmail.

And here we are today with patented technology that shows analysts the “needle.” It is a very satisfying job indeed.

Are you working on any exciting new projects now? How do you think that will help people?

Always — it’s about continuous improvement of our product. Most important to us is transparency, that we are NOT some ‘black box solution’ that does not demonstrate to customers how we determined that an activity was bad. We tell you it’s bad and we prove it.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Cybersecurity is exciting because it is busy — but not a good busy. It is exciting because there is a certain amount of adrenaline combatting cyber-attacks.

What excites me about this industry are the ‘wins’ like the opportunity we get every day to save our customers’ butts from ruin. When we started this company, we had one goal. “We just wanna catch bad guys,” — and we do.

At the same time, it’s awesome to see more women get vocal about working in cyber. Cyber Queens is a kick ass cyber podcast — empowering women to fight for their place in cyber.

Most exciting, and this won’t be a surprise here, are the advances in AI to combat cyber-attacks. BUT, keep in mind, criminals are leveraging that same AI to improve their attack methods.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Oh yes, there are concerns. The increase of attacks is surely a concern. But…

  1. I am frankly flabbergasted by the head-in-the-sand mentality and denial by small and mid-sized organizations with their generally lax attitude towards cybersecurity. Lack of preparedness. They think they are too small to be a target. They could not be more wrong. With their limited resources they are the easy prey for criminals.
  2. Another concern is the frankly over-hyped marketing of cybersecurity companies… Everybody wants to jump on the latest acronym, be it SOAR, XDR, UEBA, Advanced AV. With no clear definitions and “guaranteed to stop all attacks” messaging, it is a flooded, flooded space. Customers need to do their homework, and that includes reading the fine print (SLA) — are you buying tech or tech and service?
  3. Here is the BIG, BIG concern: I mentioned earlier AI is great, but there are a lot of assumptions out there that AI is all you need to combat attacks. This is FALSE — WRONG — and the worst mistake. AI is currently only a benefit when an activity gets a high threat profile score, i.e., this attack is bad or in all likelihood is bad — AI takes action. But what if the threat score is not that high? The humans need to investigate… And oops, guess what? NOBODY has sufficient human resources to investigate and make that determination. If no one is available to do that, the activity is ignored. This results in a perfect pathway for criminals to circumvent security tools. We see it time and time again. And yes, that is why we still see enterprise organizations end up as the latest victim of attack in the news.

Can you share how you are helping to reshape the cybersecurity industry?

We’re turning detection capability on its head. Literally flipping the security model to NOT focus on criminal tactics.

We instead focus on normal business behavior. We built a database of normal business activities. That means, anything new or anomalous gets immediately investigated and classified. So, instead of tracking 50,000 new attack methods every day, we focus on the 200 new business activities that happen on computers across all our customers.

It’s a much smaller database to manage — known good behavior versus criminal craziness… you decide which is easier to track!

As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?

HAVE A PLAN. For a small business, this doesn’t need to be an overly complicated plan. But have a plan to defend against OR respond to attacks.

I am confident Governments will eventually catch up with the necessary legislation based on best practices. Consider this: How many folks remember driving around in your parents’ car with no seatbelt on? How many remember seeing a smoke detector in your house when you were little — can you imagine not having these safety tools in place today? Can you imagine them not being a law!? That is where we are headed.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

How much time do we have? We could literally be here all day.

A new QAKBOT malware attack by the Black Basta Ransomware gang targeted one of our customers. Our efficient security model stands out here. We rapidly detected the anomalous behavior — flagged it and responded to eliminate the attack.

Interestingly, another EDR vendor reported a similar attack at a few of their client sites. They wrote about how two of their clients were taken offline until an extensive incident response was completed.

By contrast, CYDEF’s client was back to business-as-usual in no time. This attack originated from an email, which is consistent with the trend of exploiting legitimate applications in “living off the land” attacks and masking criminal commands that evade AI-driven threat profiling. CYDEF for the win.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

I asked this Q to my cyber experts and they cheekily replied, “When you see a red screen, that’s a pretty good sign that you have a problem that has been brewing awhile.”

To get customers thinking about this very topic, I ask, “How certain are you that your devices have not been compromised? Can you prove they have NOT been compromised? What’s your DETECTION capability?”

The reality is that many organizations are deficient in their ability to detect threats that circumvent traditional protection layer tools (AV, SPAM filter, Firewall). The UNKNOWN is what keeps people awake at night.

A layperson should be on the lookout for suspicious emails. Phishing emails are scams meant to deceive people into revealing sensitive information or installing malware/ransomware.

Does your computer seem slower than normal? Could somebody have installed crypto-mining software without your knowledge?

Did you receive an unexpected email from Microsoft to confirm your authentication? Is somebody trying to log in using your user account?!

And I always recommend people check out the HaveIBeenPwned website, which allows you to search across multiple data breaches to see if your email address or phone number has been compromised.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

If you’ve experienced a security breach, here are some key considerations for future protection:

  1. Have an easy and clear process for employees to report potential suspected incidents.
  2. Regularly review connected devices within your organization.
  3. Verify network users and their devices for familiarity.
  4. Keep your system patches up to date.
  5. Implement a robust password policy.
  6. Provide security awareness training for your team.
  7. Conduct thorough user account reviews. Assess access levels and Admin privileges.
  8. Establish an Incident Response Plan. Identify responsibilities: who is on your Incident Response Team?
  9. Keep important contacts on hand. Do you have someone on speed dial?
  10. Ensure the presence of a detection capability like CYDEF’s SMART-Monitor — enterprise-level security without the enterprise price tag. 😊

This list serves as a starting point. Above all, having a well-defined Incident Response Plan is crucial for effective management during security incidents.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

All too often we see organizations invest in cybersecurity tools, only to find that they remain improperly configured and are not regularly updated.

Why? Because they don’t have anyone to operate and maintain the system.

Also, neglecting essential tasks like patching your O/S can lead to severe consequences.

Elana Graham, COO at CYDEF, during her time at Royal Military College of Canada

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

  1. Leaning in is crucial. By that I mean getting immersed in the cyber landscape and becoming familiar with standards, industry, and acronyms! A good start point is MS and cyber podcasts to gauge your interest and suitability for this field.
  2. Finding a cyber mentor can make a significant difference. Establishing a connection with someone you trust — that’s the foundation of a fruitful mentor-mentee relationship.
  3. Attending networking events is a must. Cyber conferences provide an opportunity to understand the landscape and connect with industry professionals.
  4. But most importantly the right attitude is paramount! Aptitude matters of course, but the desire to learn is what truly counts.
  5. What you don’t necessarily need to get started is a degree in cybersecurity. Take, for instance, the CYDEF analyst team — they showcase how a positive attitude and experience in IT sys admin can suffice.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I’d love to chat with Elon Musk — I’m thinking of renaming my company… Was thinking ‘W’ or ‘Y’… and would like his thoughts… And can I have the old twitter logo?

Seriously though, I’d really appreciate a chance to have a chat with Kate Maxwell, who’s leading the way over at Microsoft’s Worldwide Defense & Intelligence division. I would love to explain our cyber detection model that can help organizations no matter their size.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

Thank you for the opportunity to jump on a soap box!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.

This interview originally appeared at Authority Magazine. Republished with permission.