The Hacker Mind: Shattering InfoSec's Glass Ceiling

Robert Vamosi
March 8, 2023
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Booth babes and rampant sexism were more of a problem in infosec in the past. That is, until Chenxi Wang spoke up. Today she runs a 100% woman owned VC. 

She’s an amazing person who has done an amazing number of things in a short amount of time -- CMU professor, Forrester analyst, CSO at a successful startup -- and she’s not done changing the industry.  

When I was a kid, I really wanted to direct motion pictures. I wanted to both write and direct, having no idea how to get from my humble home to Hollywood.  I did get a film degree in college, along with an English degree, but after college, well, knowing how the sausage was made, I wasn’t keen on going to Hollywood. I went to San Francisco. I wrote, and published, and eventually became a senior editor at ZDnet then CNET. And I was really fortunate to land the security beat right away. By accident. My first day at ZDNet there was a virus blowing up and my editor asked if I could do a story on that. I said sure, then realized I didn’t know the first thing about computer viruses. So I learned. I went to Black Hat in 2000. I went to smaller conferences. I wrote two books, one on IoT Security and another with Kevin Mitnick, then jumped around a couple of different jobs. Now I’m hosting a podcast called The Hacker Mind. 

I suppose though that as a white male, I am privileged. And I am. I can dream about being different because there are white male role models. But what if you’re an immigrant or just a person of color. What if you are a woman in information security?  In a moment I’ll introduce you to someone who faced and overcame a lot of challenges. And the good news? She’s not done shattering glass ceilings.

[Music]

Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi, and in the episode I’m talking about diversity, equality, and inclusion in information security with one of the industries' most successful examples.

[Music]

VAMOSI: My guest this episode is a Venture Capitalist. But before you end the podcast early, stick around. I’m not talking about some white male with a ferrari and pool. Rather, my guest is an amazing person who has done an amazing number of things in a very short amount of time. And she continues to amaze me even today.

WANG: I'm Chenxi Wang. I'm the founder and general partner of raising capital, which is a cyber focused venture fund based in the Silicon Valley 

VAMOSI:  A cyber focused venture fund based in Silicon Valley sounds generic. I mean you can drive down Sand Hill Road in Menlo Park and see all the VCs. Rain Capital is a bit different. For one thing, It’s based in San Francisco. 

WANG:  Rain capital, as I said, is a cyber focused venture fund we invest in early stage companies, startups. Really in cyber in modern infrastructure and dev tools. So I'm the founder of the investment firm, which now is our fun to we funded about 12 We actually want to talk now 15 companies across the two funds and we have almost $100 million under management. We are what you would say a sector specialist. So we spoke just on the three sectors with cyber as a primary focus in we help entrepreneurs from seed to take the product to market and and raise the next round or two rounds of capital. That's what we do. and I've done a number of other roles and a career path in the in the past 

VAMOSI:  So Chenxi’s career path is worth starting out with. She was born and raised in China and came to the United States to study at Lock Haven University in Pennsylvania. 

WANG: Oh, yeah. I mean, they had a computer science major. It was a small department, but they did have that major. And I always want it to be in technology or computer science in the choice but I could very easily do like electrical engineering or any other engineering discipline. The reason I ended up in liberal arts college was that no being from China, I need a scholarship to be able to afford the the tuition in in the US in the US institution. And Lock Haven University is the name of the college. They gave me a scholarship which covered my cover that 100% of the tuition. And the reason they're able to do that is they had a grant from NSF, which is designed to bring in international students to enrich their campus culture. And so they they run some kind of contest, I think, in China for for that they had that pulled out to bring one Chinese student, one Indian student and a few other from Europe. And so I won the contest somehow and so I was able to come to the US because of that

VAMOSI: Chenxi did her undergrad, then went to Virginia Tech for her Ph.D. It was around this time that she developed something called Chenxification, which she insists was not her term. Christian Colberg is credited with the term.  Anyway, what Chenxification does for example is frustrate computer malware's ability to locate and extract an application's decryption key. It removes the control-flow structure of functions. It put each basic block as a case inside a switch statement, and then wraps the switch inside an infinite loop. The algorithm allows programmers to create several decoy keys that are indistinguishable from the real one, with each one set to trigger an alarm in case of an attempted breach. To this day, the US Department of Defense uses chenxification to protect mobile applications. 

Wow, to have someone name a process after you in your 20s, that’s pretty cool. 

Chenxi then applied for and became a professor of Computer Engineering at Carnegie Mellon University, where she taught for about six years. This was about the time that CyLab came into existence at CMU. But by then Chenxi was drawn elsewhere.

WANG:  I left Carnegie Mellon to try my hands at a startup. And so I joined a very small startup called KSR at the time and that we were trying to do security as service back in that was 2006 was way too early for the market. And so it was interesting learning experience. And after that I joined Forrester because my husband and I moved out to the West Coast and he was recruited by Google and he was also a CMU professor and recruited by Google. And so we wanted to stay on the West Coast and we decided to both leave academia and forester was recruiting at that time and my skill set and what they were looking for was a good fit.

VAMOSI: She left the startup world and became an analyst with Forrester.

WANG:  it was the security security practice. So it was a pretty early on already, but it was a small team at the time when I joined so I think that team as with me and a few other analysts, we really built up the foresters security practice coverage. Now the team is quite big.

VAMOSI: And after Forrester she went to Intel, which at the time had purchased McAfee.

WANG:  I was recruited by McAfee Intel security as at that time I so they wanted someone to help them do, essentially strategy with with a lens of market research. And customer intelligence. So they wanted someone who had that background. They're looking macro trends of the industry and who can do strategic analysis and strategy planning. So I was I was recruited for that from Forrester.

VAMOSI: At this point, this would be a highly successful career for anyone. A Phd in Computer Engineering, investor of a process still used by the DoD today, a successful teaching career at CMU, a role as security analyst at Forrester, and then a role at Intel McAfee.  This would be a dream come true for many, man or woman, yet Chenxi wasn’t done. In fact, her next act might arguably have made a name for her.

WANG: I mean, depending on what you meant by success, right. So Forrester is a interesting place, but you wouldn't say that the work at Forrester. If you were animals to work at Forrester, you did was probably know through your client base, but not necessarily known throughout industry, because most firms tend to be a little bit closed off. The Twistlock was a company I joined after Intel security was a startup. And I was very early as an executive in the company and help them doing go to market and that company was a success story. We sold the company to Palo Alto Networks, I think less than four years from its founding date, which is a very interesting growth story, obviously. So that's, I would say one part of things weren't one kind of success, right. And, and that gave me a different set of experience than academia and forester and as well as Intel, right so but you are right that my career took me to many different roles and so that I actually really enjoyed it because gave me very different perspectives on different things.

VAMOSI: At least I remember her being an early evangelist for cloud container security, joining a startup as its CSO.

WANG: Twistlock at Twistlock. Yeah, it was at CSO but I was actually chief strategy officer, and I ran some of I ran marketing on some of the pre sale, operations support. So the, you know, essentially a lot of the pre sale stuff.

VAMOSI: Chenxi eventually left Twistloq to go independent. She formed her own consulting firm.

WANG: Jane Bond Initiative was my that name of my consulting practice. And that was before I formed Rain Capital. So Jane Bond as an entity no longer exists, but as a spirit in that song, right. So I also have recently launched a nonprofit called the Forte group. I shouldn't say I launched I along with a number of InfoSec women leaders launched the nonprofit and we have about 85 cyber and high tech leaders in the group and it is a networking and support group for senior women in cyber and technology. So this is an advocacy group that we help each other, work through career challenges and share opportunities and help each other grow. And so I think that spirit of James Bond lives on through different manifestation

VAMOSI: And why Jane Bond?

WANG: So I was thinking, what are the character characteristics of that practice? My own practice I wanted to be and obviously I liked the James Bond. model, but you know, that's men. And so what is the equivalent of that? And then Jane Bond came to came to exist, it said, yes.

[Music]

VAMOSI: So Jane Bond is important to keep in mind. To succeed in the tech world as a woman as a person of color one has to be crafty like Bond, and tough as well. Around 2014 Chenxi authored a blog, which was very important for the industry in my opinion. RSAC had reached a point where its exhibition hall was massive, and for companies to get attention, they were doing more and more outlandish things. So that year there were booth babes and such. While this was common at gamer conventions and even CES, having scantily clad women bending over sleek red sports cars, as I remember it, was really over the top for information security. I mean, what does any of that have to do with nation-state actors? I asked Chenxi how she felt about speaking out about something that was, like, so obvious, but yet, you know, in some ways tolerated?

WANG: Yeah, I mean, you know, now it's like, eight years like later. Looking back was an interesting, interesting time for the industry, right. So my friend was a Zenobia, who co authored the blog with me, s he and I walked around on the show floor. And we both felt very I don't know what the word was kind of. We were offended. We were a little bit taken by surprise in the sense that 2014 We were talking a lot the industry was talking about nation state threats, know very serious topics with what avatars, right those kind of topics. Yet, many companies were using scantily clad women to promote their products. And to us, we're just no so waiting. Right? It's just not the right image that that that provokes trust. And so she and I were talking and we were like, you know, we gotta say something and this is not a topic that up that everybody would pick up on. Because, you know, their considerations of where you are in the industry. Do you really want to pick that fight? And but we felt really strongly about it. So we wrote a blog and I think we were I remember staying up late at night and writing it and we were like, both felt really passionate about it. 

VAMOSI: I like to think that the information security community is a bit ahead of society, in that we are actively trying to be more inclusive. At least we’re having honest conversations about it. But at the time, in 2014, what Chenxi wrote was strong.

WANG:  And I think if you read that blog today, you can feel the words that we used, we didn't really feel very personal. It was personal to us. And that blog, I think, when in terms industry, viral, it was industry by URL, other people read it, and was then I think, read to the RSA Organizing Committee, and it went from there and I think that had was one of the factors which led to the change of code of conduct. Right. And I was very proud that that we had something to do with it. And and then, many years later, people still talk about it. So I'm very proud of that. We were able to like step up and say something, and which, you know, in some ways, it kind of gave me that confidence that if you really want something to be done, you do it. You don't you know, wait for it to happen. You take the initiative and and do it, which in some ways led to me finding my fund and all that stuff.

VAMOSI: So speaking up is a double-edged sword. If you don’t speak up, you get ignored. Or booth babes continue to be a problem. But sometimes if you do speak up, you’re harassed, and sometimes marginalized. So it takes a few leaders to emerge, to pave the way for others to follow. To start to change an industry. 

WANG: So I think if you talk to women leaders my age, similar my age, in my generation, a lot of us, at least early on in our careers. We were one of the few in the or the only one in the Room. And it took certain kind of personality to persevere. Right because a lot of us were somewhat assertive. We were not afraid of being the only one in the room. I remember when she interviewed CMU, the first meeting I had I walk into a conference room it was huge table was 12 men sitting around the table, and I was the only one in the room who's female and giving a talk and being assessed. It didn't faze me at all because that's how I am but not everyone is like that. And that's not just a male female thing, right? So if you're not, you're a certain profile you walk into environment with everybody else look the same but in a very different profile. You may feel a little bit unsettled, as well. Right. And so bringing back to your point is that many of us have that personality but what we want the industry to do is doing that diversity, D and ni work so that everybody would go get the opportunity, not just those of us who are, you know, maybe more aggressive or assertive. Right? So that's the, that's the future we want.

VAMOSI: Are you finding that conferences today are being more inclusive? I know there was a period when several InfoSec people, myself included, said we will not be on panels unless there's diversity represented on said panel.

WANG: Yeah, I think in general, it has gotten a lot better. If you look at the average statistics of conference attendees and speakers, and also I think RSA has put in a lot of effort in getting female keynoters on stage and I think it's has gotten a lot better. There's still pockets of things, you know, occasionally we I'm in the Cessnock channels we have at some women, leaders, security leaders, and occasionally someone will post to say, Hey, I'm at this conference. And look at the speaker list, and it's like 50 men and one woman right. It still does happen sometimes, but I would say it's in the minority.

VAMOSI: And there are ways to address that, like not being on panels. If they're not diverse things like that saying no.

WANG: I think we a lot of us are pushing but it's it's not necessarily everybody takes that up as a practice, which I think we should do more and but it's I think the conference organizers really need to recognize, you know, it's kind of jarring these days. If you go to a conference and you see the speaker list and they all look the same or they look one gender. Somebody should have taken a look at this and say hey, something's wrong here. Right? So we you know, you shouldn't have been shift left. You know, in the beginning you should have done your your homework better. And I think this is changing. It is slowly changing and more of us making noise. So that to take a stand. Definitely helps and for especially for folks who are more high profile in the industry, you should take a stand you need to make make a statement and into work. Make the event organizers know your position on this.

[Music]

VAMOSI: Chenxi put her efforts into practice. She founded Rain Capital, a 100% woman-owned venture capital fund dedicated to startups

WANG: It is easy to be 100% Female when you're the only person so I would say we are 100% Women founded and women man. So I do have folks working for me, who's not really in the management. So in the fund structure you have to be no this specific thing means being in a management right. And it's different than an operating company. So in the management company, which is the entity that manage the fun, it's 100% Woman Yes.

VAMOSI: I have heard that one way to get ahead as a person of color or as a woman is to start your own company. Chenxi makes a case for going with established companies.

WANG: I am not sure I don't have any, any data really in front of me to suggest one way or another. I would say startups has a slightly different set of challenges than established companies because startups are, you know, their feet being pushed to the fire to generate, you know, hit the next milestones and deliver products so they tend to be laser focused on one ask on a small set of aspects of running the business. So they may have challenges in, you know, sort of accommodating other parts of operations and they also are kind of very sort of resource challenged. Right. And, at the same time, the larger established companies may have more governance processes and procedures, which will allow them to do more things that are in the DNI space. So that that could happen and the opposite could happen as well. So it's, I don't, the short answer is I don't have any data to suggest one way or another. I do know that startups are very conscientious. about diversity inclusion. There are large companies also very conscientious. So I just don't know, statistically speaking, no, which category is better.

VAMOSI Maybe it’s just me, but when I’m at Black Hat or RSAC or any infosec conference, I notice how many women are in the audience for talks, how many people of color are in the room. And it’s gotten better over the years. But in leadership, that’s hasn’t changed much. And it should.

WANG: In leadership roles, I don't know that I think the overall percentage of women in cyber InfoSec is like 22%. Yeah. So it has gotten better, but in leadership there is a lot less but I don't know that number.

VAMOSI: Again, I’m wondering if the problem starts early, If there aren’t enough women in Computer Engineering programs, or Computer Sciences. 

WANG: I think you know, women are less represented in the computer science career path. That's a that is a trend. And we actually saw that the industry trend from like the 80s to now is actually accelerating may even be decreasing in terms of the number of participants that that are female in CES switch is there a lot of articles written about it? And hence, no trickling down. Going into any kind of CES related field you will see less women and security included. And I would say security even has a has a particular problem because it's it the image is it's hyper technical hyper specifically technical, right? So you have to like have not just general computer science skills but has to have the hacking skills, which most students most schools don't even teach you. And I think a lot of if you're not already know sort of operating in that industry, it's difficult for someone to say hey, I'm gonna pick up that those set of skills on my own and let alone being a woman who said it was minority anyway in the tech field.

VAMOSI: Entry level interest in computers starts with gaming which is typically a male. And gaming sometimes leads to interest in hacking. And because that's not there for women, per se, perhaps women don’t always see their role as being a hacker someday.

WANG: I would say hacking potentially doesn't have that. There. They are. They are things that you know. I'm trying to find the right way of explaining it so it doesn't sound patronizing. So, I think, certain set of the population, myself included, sometimes were inspired by things have like, direct social implication, right. And sometimes hard to see hacking being that and it's not to say hacking is not, but I think as an industry, we haven't really tied to hacking skills with positive social implications. So to give me an example, right we have computer security can really InfoSec really protect individual citizens from fraud and from other things, but those stories are not necessarily front page.stories, things we hear about is breached hacking, somebody took 3 million however many million user IDs and passwords and and you know, it's not necessarily a roll on image that everyone wants to be associated. So I think there's an image problem for the industry that we need to fix.

VAMOSI One of the things I'm trying to do with the hacker mind is expose the other side of hacking, which means taking apart and learning about technology. So yeah, it kind of sounds like you know, there's not a lot of visible role models out there. And so, maybe that's why we see low participation in CE and CS courses.

WANG: Yeah, I think, you know, positive role models, role models that you can personally relate to are really important for someone who are just starting out in their career or thinking about which career path to take. And so as the industry I don't think we've done as good of a job in showing that there are many different faces of InfoSec And certainly by having conferences, give more keynote speeches to women and people of color to show that there is that diversity out there. Those things will start to help it absolutely. But then you got the problem of how do you get the people in the door to go to a conference like  that, I think, you know, both RSA and bikecad are, you know, doing a decent job, and you know, they gave scholarships Barkhad in particular have many, like, nonprofit organization will send women and underrepresented attendees to a conference and DEF CON, as well. So they give scholarships and they work with nonprofit organizations to give scholarships so I'm aware of many of those different scholarship programs that draw diverse attendees to the conference.

VAMOSI  One of the best ways Black Hat and RSAC have moved toward diversity, equality, and inclusion is to sponsor scholarships to their conferences. And they also work with other organizations. In Episode 14 of the Hacker Mind I talked with Tennisha Martin, founder of Black girls Hack. Or course the organization isn’t just for black girls, it’s for everyone, but the name drives home the inclusive nature of the organization. There's also the Diana initiative and, and other efforts like the Grace Hopper recognition awards.

WANG:  Yeah, Grace Hopper is a great venue. That Diana initiative obviously is in the security industry is organization called west but women in security and privacy. They seen every year they sponsor many scholarships to black Island, DEF CON, I think 4050 on the order of every year, so very, very good programs.

[MUSIC]

VAMOSI: So Chenxi founded Rain Capital, and her investments are not limited to women-founded companies, she’s funding anything in the security industry that she feels will be successful. That means she’s following trends.

WANG: And, you know, there's a difference between, you know, a couple forming a company and technology trends, right. So I'm excited about technology trends and and extracting from that. They are companies that I'm very excited about because they speak to part of that technology trend. So I would say it the whole movement to cloud to dev SEC ops. What to DevOps in general, you know, cloud engineering platform engineering has really changed that technology landscape, and hence changed the tech stack of many companies. And anytime there's a change, or a significant change in tech stack. It is an opportunity for InfoSec because the old guards the old technology doesn't work on this new stack. So you need new form factors, new algorithms, new way of looking at things and defending against new threats and those are all opportunities. There. So we have for instance, a company called stands up which is a very new company that we invested in. They are in a cyber liability engineering space. So it's a fairly new concept that came out of Google and Microsoft and Facebook for those companies. That run large cloud infrastructure. And neat, they need automatic ways to ensure that infrastructure is up and running. Right. And those people run like millions of workloads a second you know, there's no way you can do manual management. of your infrastructure. And hence, they've, they've built infrastructure to manage the infrastructure, right? And so, and that part of capability doesn't exist in smaller companies or in the greater part of industry. So there's an opportunity to take those practices that that found just so readily available in Google and Facebook and Twitter and those companies and make it into product and services for the greater market. And this is what stands out this. So I find that super interesting, right? I go to a tech talk by you know, some of the cutting edge companies in Silicon Valley and I get inspired by listening to how they solve problems in a whole new way. And then in the drive home Am I think about how do we take that approach and make it into a product or a repeatable engine that can help others right. So that's, that's the part about being an investor or at least or someone who works with early stage companies that is so intoxicating to me is I get to see the emergence of new tech trends and emergence of new products that come out.

VAMOSI: So would it be fair to say that most of these companies are in some way related to cloud since it's so new, or are there other trends that you're also tracking?

WANG: There are certainly other trends where we're tracking I would say cloud is as a larger direction. is certainly has provided many many innovation opportunities. Another example that's outside of cloud that is also very successful. Very interesting is I have another company called Clarity, which is in the OT security space. Right operational technology, which is which our physical system controls, right? Oil and gas, manufacturing plants and healthcare system. And those systems are very different than cloud it's and they, you know, run virtual machines on them. You know, these are physical MRI machines, the physical controllers, that probably still run, some of them still run Windows and t. And for vulnerabilities and you would, you would know very well, coming from an asset company. And the innovation there is some of those devices are really old, but you're not taking them out and replace them with cloud because just not doable, because that's that physical constraint and the system you have to live with, right? And also those machines, you can't those controllers, you can't run the agent on either. You don't put CrowdStrike all over these old devices, because it's just not You can't run them an agent. So what do you do to secure them? You get into the network or you look at traffic because the network switches and routers may still be something you run an agent on or you can passively sniff traffic, right. But even then, you have to take the traffic and reverse engineer into something you understand because the protocols that run in those environments could be very archaic as well. And that's why clarity is interesting because they have done a lot of work of understanding lower level protocols that you know, a Siemens controller is talking to a different device. And what language do they speak and what data they sent back and forth. And knowing that are allow you to detect sweats and understand anomalies and then react. Right? So clarity is one of those companies and they are IMS ting them in 2018. They are huge. Now they are one of the largest companies in this space and very proud of their success.

VAMOSI: What other trends is Chenxi seeing?

WANG: I think a topic that everybody's talking about as a generative AI Right. And, and how that how that is related to security or how that can be secured. What are the additional risks it introduces? I think it's it really set a really interesting topics. You know, do you trust the output of chat? A GPT. And how do you test if the output is correct? It's one thing to say write me an essay, right? It's another thing to say, hey, you know, what are the historical record of certain things, right? Things that need accuracy, or things that could lead to a predictive outcome that you need accurate information for? How do you test the accuracy? How do you establish trust with that kind of generative capabilities? Those are all interesting questions to explore and potentially has opportunities for security. But they're also really interesting generative questions to ask, like, for instance, in the incident response, world, we're in the sock world. If you see these three events that may point to the next event or point to the outcome that is a breach, right? Can you ask Chad GPT that question versus have a sock analyst do that analysis? Potentially, right. And, and so but what kind of data do you need to feed to chat GPT to get that happen? Because a generative AI engine like Chad GPT today works only on public data. And so if you want to want it to make InfoSec decisions, maybe it has to be trained on private data. And other incident data and how do you get those things? It's all very interesting question.

VAMOSI: Any startups presenting themselves but I know this has only been a couple of months, so probably not.

WANG: Well, lots of startups are thinking about it. And I'm, I'm also thinking about it. I haven't made an investment yet, but I'm very interested in that space.

VAMOSI: I’d like to thank Chenxi Wang for taking time out of her day to talk about her amazing life and the work she continues to do today. Before starting The Hacker Mind, I did other podcasts over the years. And a quick search will reveal that Chenxi has been my guest on a couple of different podcasts over the years.  She’s always been very gracious with her time. That’s just who she is. So I look forward to talking with her again, soon, and learning what amazing stuff she’s into at that time. And I look forward to sharing that future conversation with you as well.

Share this post

How about some Mayhem in your inbox?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem