Fighting smart

"I felt the learning curve was inverted, it was hanging up," says Laura Mather, on her experiences when setting up Silver Tail, an anti-fraud start-up.

The year was 2008 and she and co-founder Mike Eynon were told the venture capitalists had no money, and the chief information security officers had no budgets.

"No one was going to ever sell enterprise [software] again; it was always going to be a Salesforce type [cloud service] of model. You are never going to do million dollar contracts," recalls Mather, on some of the messages they were receiving.

When she and Eynon presented their idea before their first venture capitalist, Leapfrog Ventures, the latter told them about things they should be doing differently. "We went back and thought about it, we changed our pitch within about three hours of meeting with them.

"That is the beauty in being a start-up," she says. "With 10 people, you can change the vision of the company in half an hour."

"We would do two or three builds a day. Customers would try them and say 'it fell over here' and we would fix it, send it back. That responsiveness, that passion about making things as good as they could be is what led to our success."

ING Direct was one of Silver Tail's first customers, as well as some online brokerages. Late last year, EMC bought Silver Tail and integrated it into RSA, its security division. Today the company's real-time anti-fraud software protects over a billion accounts, and its customers include banks, e-commerce companies and governments.

"Our whole premise was that most traffic in the website is good," explains Mather. "Most of it is legitimate users and what we did was we modelled [the] good and then we would look for anything that would look different from good and we assume it might be bad."

"It turns out that premise works on banks, on e-commerce, on government websites. An adversarial criminal, a hacktivist, is going to do something different than what normal people would do. And by doing that, you can detect a new attack without even knowing what that attack is going to look like.

"I tell people it is okay to fail. Just be ready to recover, be ready to make it better whatever got broken and that is the way to do a start-up," she says. "Your customers aren't expecting you to be perfect. They are embracing you because you are doing something they need."

Shifting her mindset to one of an entrepreneur and company founder was another thing. "It was a challenge, definitely, going from thinking about technology and attacking criminals" to having to think about picking her employees, and finding office space.

Being based in Silicon Valley meant she got a lot of advice from people who have worked on start-ups. "I am helping lots of companies because lots of people helped me," she says. "Go find the expert in what you need to do and use them as an adviser. Get data -- multiple points of data -- from people who know what you are doing. The data is key."

Mather, who has a doctorate in computer science and a bachelor's degree in applied mathematics from the University of Colorado, describes her career path as "interesting".

After university, she worked at and at the National Security Agency in Washington DC. "There is simply something very patriotic about it," she says of her government stint. "You feel like you are protecting your country, which was nice."

She joined eBay in 2003, when eBay and PayPal were the main targets of the then new security problem of 'phishing'. "They couldn't really say we want to hire someone who has a graduate degree in fighting phishing, it wasn't a possibility," says Mather. "They said we need somebody who had worked in law enforcement and had internet experience. Somehow I just fit that, which was fantastic.

"The interesting thing at that time was that eBay had 80 million online users so I personally felt like I was protecting 80 million people."

The phishers would take over a customer's account with the stolen password, list an item, and convince a buyer to send money for an item that would never be delivered. When she received queries from these customers, "It would break my heart to say it is not coming," she says. "I really took it very personally because it was my job to stop that from happening."

Mather would bid for a listing that she suspected was fraudulent. "I wanted to see what the customer experience was like, how quickly did they get back to me? What kinds of things were they saying to me to try and convince me? I tried very hard to have the experience of the customers. I want to see what the experience is, it gives me real empathy."

She says that after her team developed a range of security strategies, the phishing emails targeting eBay went down to 15 percent. "The criminals found it not as lucrative to target eBay, I was somewhat successful in what I did."

One of the things the security team implemented was a toolbar that would find the phishing sites and create a list. If the customer tried to go to these sites, the toolbar would block them and tell them the site may be fraudulent.

"This was great except it is hard to get a lot of people to download the toolbar," she says. So the team met with Microsoft and argued that the phishing-site check needed to be built into the Internet Explorer browser rather than be an optional add-on. Equivalent phishing-site blocking is now built into Firefox and Chrome as well.
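The blocklist check such a toolbar performs is simple to state and easy to get wrong, because phishers craft URLs so that an exact-match list misses them. The example below is added here and is not eBay's, Microsoft's or any browser vendor's code; the blocklisted hosts and the test URLs are constructed for illustration. It canonicalises the host a browser would actually connect to (dropping the `user@` part, trailing dots, percent-encoding, mixed case and Unicode lookalikes via IDNA) before matching the host and every parent domain against the list.

```python
"""Phishing blocklist check of the kind an anti-phishing toolbar performs.

Added example, not code from the article or from eBay/Microsoft. The hosts in
PHISHING_HOSTS are constructed, hypothetical names, not real phishing sites.
"""
from typing import Dict, Optional
from urllib.parse import unquote, urlsplit

# Constructed blocklist: hosts a toolbar would have collected from reported phish.
PHISHING_HOSTS = frozenset({
    "ebay-secure-login.example",
    "signin-ebay.example.net",
})


def canonical_host(url: str) -> Optional[str]:
    """Return the host the browser would connect to, normalised for list matching.

    Returns None when the URL has no http(s) host (e.g. javascript: or mailto:).
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname          # strips "user:pass@" decoys, port and IPv6 brackets
    if not host:
        return None
    # Percent-encoding, mixed case and trailing dots are cheap ways to dodge exact matches.
    # unquote first: urlsplit only lowercases the part of the host before a "%".
    host = unquote(host).lower().strip(".")
    try:
        # Fold Unicode lookalike labels to their punycode form so they match the listed form.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:           # empty or over-long label: not a host we can match
        return None
    return host or None


def is_blocked(url: str) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blocklist.

    Matching by domain suffix means "www.signin-ebay.example.net" is caught by the
    "signin-ebay.example.net" entry; matching on the query string or path is not
    attempted, since a listed name appearing there says nothing about the host.
    """
    host = canonical_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Stop before the bare TLD so a list entry can never be a single label like "net".
    return any(".".join(labels[i:]) in PHISHING_HOSTS for i in range(len(labels) - 1))


def check_urls(urls) -> Dict[str, bool]:
    """Classify each URL; the kind of batch a toolbar would run against links on a page."""
    return {u: is_blocked(u) for u in urls}


if __name__ == "__main__":
    # Constructed URLs illustrating the evasions the canonicalisation handles.
    for url, blocked in check_urls([
        "http://ebay.com@signin-ebay.example.net/login",   # "ebay.com" is only userinfo
        "https://WWW.Signin-Ebay.Example.NET./",           # case, subdomain, trailing dot
        "http://ebay-secure-login%2Eexample/",             # percent-encoded dot in host
        "https://www.ebay.com/",                           # legitimate
        "http://evil.example/?u=signin-ebay.example.net",  # listed name only in the query
        "javascript:alert(1)",                             # no host at all
    ]).items():
        print("BLOCK" if blocked else "allow", url)
```

The point worth remembering from the block is that the list is only as good as the canonicalisation in front of it: each of the first three URLs fails an exact string comparison against the list and passes only because the host is normalised the way the browser's own resolver will see it.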

She says the cybercriminals were "extremely creative and extremely tenacious".

"It was just hard," she says. "They were always finding some new attack against the eBay website or customers. After three years of fighting, I was very burned out because I felt like I kept failing."

"It took me around six months to really step back and think, I built technology when I was at eBay to try to protect users. But I realise we built it slightly wrong, we built it to look at a web server and say 'Is this web server's traffic looking suspicious?'

"That was fairly good. What we needed to do was look across a user and say, what is this user doing? Does that look suspicious? Only when you understand the entire user session can you understand if it is suspicious."
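Together, the two ideas quoted above (model what legitimate traffic looks like and flag whatever deviates, and do it per user session rather than per web server) describe a behavioural anomaly detector. The block below is an added example, not Silver Tail's or RSA's code, showing the smallest version of that approach: it learns the page-to-page transitions and request rates of a few constructed "known good" sessions, then scores new sessions, flagging one that jumps straight from login to a transfer confirmation and fires requests faster than a person clicks, even though no signature for that attack was ever written. The log format, session ids and paths are all constructed for the example; the threshold multiplier is an assumed tuning constant.

```python
"""Session-level anomaly detection over web access logs.

Added example, not code from the article or from Silver Tail/RSA. Baseline and
scored log lines are constructed: "<ISO timestamp> <session id> <request path>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str]
Transition = Tuple[str, str]

# Constructed sessions of ordinary customers: log in, look around, maybe transfer, log out.
GOOD_LOG = """\
2013-05-01T10:00:00 s1 /login
2013-05-01T10:00:20 s1 /account
2013-05-01T10:01:05 s1 /account/statement
2013-05-01T10:02:00 s1 /logout
2013-05-01T11:00:00 s2 /login
2013-05-01T11:00:40 s2 /account
2013-05-01T11:01:10 s2 /account/transfer
2013-05-01T11:02:00 s2 /account/transfer/confirm
2013-05-01T11:02:30 s2 /logout
2013-05-01T12:00:00 s3 /login
2013-05-01T12:00:30 s3 /account
2013-05-01T12:01:00 s3 /account/statement
2013-05-01T12:01:40 s3 /account/transfer
2013-05-01T12:02:30 s3 /account/transfer/confirm
2013-05-01T12:04:00 s3 /logout
"""

# Constructed sessions to score: s9 is a normal visit; s10 behaves like a script using a
# stolen password (straight to the confirm step, one request per second, then an email change).
NEW_LOG = """\
2013-05-02T09:00:00 s9 /login
2013-05-02T09:00:25 s9 /account
2013-05-02T09:01:00 s9 /account/statement
2013-05-02T09:02:00 s9 /logout
2013-05-02T09:30:00 s10 /login
2013-05-02T09:30:01 s10 /account/transfer/confirm
2013-05-02T09:30:02 s10 /account/transfer/confirm
2013-05-02T09:30:03 s10 /account/transfer/confirm
2013-05-02T09:30:04 s10 /account/change-email
"""


def parse_sessions(log: str) -> Dict[str, List[Event]]:
    """Group log lines by session id, each session's events in time order."""
    sessions: Dict[str, List[Event]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, sid, path = line.split()
            sessions[sid].append((datetime.fromisoformat(ts), path))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def session_features(events: List[Event]) -> Tuple[Set[Transition], float]:
    """Reduce one session to (set of page transitions, requests per minute)."""
    paths = [p for _, p in events]
    transitions = set(zip(["START"] + paths, paths))   # ("START", first), (p0, p1), ...
    duration_s = max((events[-1][0] - events[0][0]).total_seconds(), 1.0)  # floor: 1 s
    return transitions, len(events) / (duration_s / 60.0)


def build_baseline(good: Dict[str, List[Event]], k: float = 3.0) -> dict:
    """Model "good": every transition seen in legitimate sessions, and a rate ceiling
    of k times the median legitimate request rate (k is an assumed tuning constant)."""
    transitions: Set[Transition] = set()
    rates: List[float] = []
    for events in good.values():
        t, r = session_features(events)
        transitions |= t
        rates.append(r)
    return {"transitions": transitions, "rate_threshold": k * median(rates)}


def score_session(sid: str, events: List[Event], baseline: dict) -> dict:
    """Flag anything that differs from good: a transition never seen, or too fast a pace."""
    transitions, rate = session_features(events)
    unseen = sorted(transitions - baseline["transitions"])
    fast = rate > baseline["rate_threshold"]
    return {"session": sid, "rate_per_min": rate, "unseen_transitions": unseen,
            "fast": fast, "suspicious": bool(unseen) or fast}


def score_sessions(log: str, baseline: dict) -> Dict[str, dict]:
    return {sid: score_session(sid, ev, baseline) for sid, ev in parse_sessions(log).items()}


if __name__ == "__main__":
    base = build_baseline(parse_sessions(GOOD_LOG))
    for result in score_sessions(NEW_LOG, base).values():
        print(result)
```

Two things carry over to a real deployment. The baseline is built only from traffic believed to be legitimate, so the first question is how that set is curated and kept from being poisoned by attackers who look normal for a while. And the session, not the server, is the unit of analysis: s10's individual requests are each valid pages on the site, and only the sequence and pace reveal the takeover.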

Mather says she is seeing a "real change" in the demographics of the attackers, who used to be "technologically savvy".

"Now there is a sort of 'cybercrime as a service'. The really smart guys are creating the tools to do the attacks and they sell those to people who do not need to have the technological expertise. All they need is the money to buy the tools and they can use those in the attacks. It is very much becoming an actual economy and underground economy."

She says that a lot of the time information security is viewed as "geeky and not sexy".

"But the way I look at what we do as a company, as RSA, we are CSI computer," she says, in a reference to the popular television crime show. "We are finding attacks, we are investigating those attacks, we are getting to the basis of who is perpetrating those attacks, who the victims are, how can we help those victims? That is pretty darn sexy."

One thing she is sure about is that the information security industry will need as many people as possible in the next 10 years.

"If you want to be hardcore security, you are going to need math, computer science. But there are lots of other ways to do it as well," she says. "We need people who will help us build user interfaces that make the CSI computer guys really quickly find the attack. We need people who are going to help us communicate to the victim, 'hey this is what happened'. That is a hard thing to do and you have to do it in a compassionate and empathic way."

It also helps to "hone your criminal DNA a little bit," she says.

This is not about committing crimes, she explains, but being "able to think like a criminal because they will be responding and the only way to be effective is to try to anticipate that response."

The next skills shortage in IT -- if it is not happening already -- will be in information security.


Sidebar: Her next venture?

One of her upcoming projects will tackle another aspect of the information technology industry - developing software that organisations can use when interviewing prospective staff to ensure a level playing field for candidates.

She was inspired by a study done by Google which analysed why women often did not pass the phone screen interview (the initial call the company makes to prospective employees) compared to their male counterparts. "They had a lot of women in the pool but when they got the phone screen it was mostly men who passed the phone screen," she says.

Google then changed the interview questions to make them more quantitative, she says, such as how many years have you programmed in this language and what certifications do you have, "very much things you don't brag about".

"It levelled the playing field and they got a much more diverse set of people passing the phone screen."

"Maybe we can create some kind of technology that will help people to interview in a way that doesn't automatically put their bias into the interview," she says.

She says the software can also be used for assessing people for promotions, who will get to do the training, and even selecting the board of directors.

"Most people want diversity," she says. "I don't think people don't want it, it is just a matter of how you get there."

While it is hard to change corporate culture, she believes a technology that gets more diversity into the early stages of recruitment, targeting the young professionals in the company, will help bring "real diversity, a meaningful mix in corporations".

"That is even bigger than Silver Tail," she says. "This is not going to be a billion dollar company, I can guarantee that. But it could change the world."

Copyright © 2013 IDG Communications, Inc.
