This week we’re putting the Spotlight on Rachel Tobac — hacker, CEO & Co-founder of SocialProof Security where she helps people and companies keep their data safe by training and pen testing them on social engineering risks. Rachel was also a winner of DEF CON’s wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row.
Follow Rachel on Twitter @racheltobac @socialproofsec @wisporg
How did you get started in info-security?
I got my start in information security on the SECTF (Social Engineering Capture the Flag) stage at DEF CON, where I got into a soundproof glass booth in front of 400 people and live hacked a real company over the phone. I was not involved in the infosec field at all at the time — my background is in neuroscience, human behavior, and user experience research — but my husband went to DEF CON and called me the Friday night of the conference and told me I needed to buy a ticket to Vegas that night because he needed me to see the SECTF live hacking phone calls in the morning. I fought him on it as I thought it wasn’t going to be relevant to me, but he convinced me to come, telling me it would be “kind of like how you call Comcast to get the bill lowered every month, except they’re hacking companies!” Turns out he was spot on. I applied to the SECTF the next year and Chris Hadnagy (he wrote the literal book on social engineering and runs the SECTF) took a huge chance on me, put me in the glass booth, and I ended up winning second place in the SECTF (top two win)! I then won second place again the next two years after that, as well. I started speaking on my experience breaking into the infosec field at local conferences, and people started asking me to SE pentest and train their company on human hacking, so I started my company SocialProof Security to meet that need! We now SE pentest, train client-facing teams on security awareness, and train infosec teams on vishing for some of the largest technology, financial, and Fortune 500 companies in the world. It’s been a wild ride so far and I’m so thankful for DEF CON and SECTF for creating a fun, creative, and competitive environment for me to get my start within this field.
Do you have any female infosec role models?
I do! I have a long list of women in infosec that I learn from daily, some of which are: @kimzetter for her cybersecurity reporting and research, @keirstenbrager for her work and writing on helping women in infosec get the pay and career they deserve, @tetrakazi for her phishing research, @hydens33k for her physical SE pentesting work, and so many others.
Why do you think there are so few women in info-security?
I believe the imbalance we see in infosec and technology as a whole starts all the way back in middle school for many. I remember expressing interest in “InfoTech” in 6th grade only to be told “There’s really only boys in that class, may I suggest HomeEc?” by my school counselor. It’s hard to imagine yourself in a role if you don’t see yourself represented in the group. You’ve probably also heard the stat from research conducted by Hewlett Packard that states that men apply for jobs when they tick 60% of the qualification boxes, whereas women historically apply only when they meet 100% of the requirements. This issue may affect women applying for jobs that they could succeed at within infosec, as well. Many women have also told me that they were one of the only, if not the only, woman in their CTF club, cybersecurity classes in school, or meetups, which made them feel out of place and uncomfortable and consider leaving the field altogether without a strong sense of belonging.
What do you think is needed to change that?
We need more women (and diverse women) in positions of leadership to ensure that we “send the elevator back down” for those who are next to advance within the field. To ensure women don’t leave the field and continue to build their technical skills, they also need a strong sense of community, belonging, and support — which we are working to create within WISP (Women in Security and Privacy, @wisporg). Many women also mention that they are not fully supported by their workplaces and have not been able to attend the same trainings, workshops, or conferences that men on their teams get to attend, which creates a knowledge and networking imbalance for them throughout their career. WISP works to step in for women who don’t receive that support so that they can attend trainings, workshops, and conferences within the field to advance within their career.
What do you think is the biggest problem in infosec at the moment?
I personally think that one of the biggest challenges in infosec is the way we think about our users (the people who use our products). Many people say humans are our weakest link, but I actually see them as our first line of defense. Our users are not information security experts, so if they are failing to secure their devices and data, that’s actually on us, and we can’t blame them for it! It’s up to us to educate the people in our organizations and life about security best practices, and set them up with clear technical controls (and frictionless user experiences) that enable them to make smart security choices that are fail-safe. I have seen through our hands-on trainings that we can get click-through rates low and reporting high, and it takes an investment to ensure that the people in our lives are educated and set up against information security threats. Our people need training and technical controls to ensure they are set up to be our first line of defense, and that is the biggest infosec challenge I have on my mind day in and day out.
Any advice for women just starting out in info-security?
The biggest piece of advice I have for women starting out in infosec is to jump right in and get told “no”. Like I mentioned before, women are statistically less likely to jump in when they feel they don’t meet the requirements. Don’t self-select out, because it’s likely that men will apply when they meet 60% of the requirements. Submit your presentation to the CFP if you’re into speaking, sign up for the CTF team, join the meetup, speak up and raise other women up with you in groups, make a Twitter if you like chatting with others in the field, write that blog post. Let others tell you “no” rather than self-selecting out. If you aren’t hearing “no” at least once a week, that’s possibly a sign that you’re self-selecting out.
Any advice for bug bounty program owners?
The biggest piece of advice I have for bug bounty program owners is to put social engineering in scope, even if it’s on a small, invite-only scale. Ensuring that you test the human element alongside your technical elements will help you evaluate under real-world conditions since the majority of cyber attacks now start with the human element of security.
To find out more information about the whitehat hacker community, download our 2019 Inside the Mind of a Hacker Report.