Women of Tech Meets: Merritt - Technical Security Expert
I recently caught up with Merritt – one hell of an incredible lady in my opinion. She inspired me.
Merritt, tell me a bit about what it is that do for work currently?
“I currently work at Amazon Web Services (AWS), which is the cloud, and I do security for some of their largest private sector customers.
I joined Amazon around a year and a half ago. I came from doing security work for the US Government. I have worked in all three branches of the Government. I was referred into AWS by a former student of mine, I’m an adjunct professor of the University of Maryland.”
Would you describe yourself as office based?
“I don’t go into one office day to day, but I do go into offices in whatever city I’m in. For example, this week I went to Duke to give a talk and then I went to Dallas to meet with some colleagues to talk through some upcoming engagements. No week is the same. I do customer facing security work as a technical security expert for the Cloud.”
What was it that had sparked your interest to embark on a career in the technology sector?
“I was in the same year as Mark Zuckerberg as an undergrad at Harvard, and so I saw some of those big issues sort of being born, in this landscape where private companies own and operate the infrastructure.
I went to law school, knowing that security issues involving government and companies would have a legal dimension. I’ve always been interested in security – I mean, doesn’t everyone find it fascinating?!
The forces were coming to be at the time, and I felt like it was one of the most important areas that I could work on with my life. For a while, security wasn’t really a career path, it was all such a new field that things were being written as we were doing it. For me, that was a call to action.
I realised the emperor has no clothes, no one has all the answers. These can be intimidating fields. But no one is going to come tap you on the shoulder, and invite you to your life.”
How would you describe your role?
“I work with customers all around the world from a wide range of industries: oil and gas, high tech, manufacturing, consumer goods, retail, hospitality, healthcare and pharmaceuticals.
I advise them on security in the cloud— from encryption decisions to expanding to new countries. Cloud has been a disrupter in the space – 15 years ago everyone had to have their own data centres and secure them, now that’s changed.”
What about your long-term goals, do you see yourself staying in this space?
“I’m happy to be where I am but I’ll always push for more. You play the cards you’re dealt, but in my experience, we create our next opportunities by stacking the deck of experience and personal connections.”
The programming side of you, which coding language do you use?
“It’s interesting, how we use languages with Cloud. For example, our Identity and Access Management is written in JSON, which is Java, and it’s conditional if/then’s - it works well with the legal side of me, law is structured in a lot of if/then’s.
If you have the if/then’s, you can logic out what you have allowed or not allowed. Identity and Access Management policies do that. It can be granular: you can only access this resource, with this role, at these times of the day, to take these actions. It’s written in conditionals.
From there, you can formally validate whether your math is correct: for example, whether one policy is more permissive than another, and whether it can have escalation paths. IAM as code allows you to implement and then check against known security best practices: for example, you should have your assets locked down to least privilege. You can verify who is able to access it, from where and for what actions, and that looks like these conditional statements.”
Cyber Security and Information Security are definitely areas that are gaining momentum quickly!
“The security community can sometimes be a strange world, I think it’s fascinating and wonderful but it definitely has a darker side, especially for women. There have been some significant high-profile cases of women being treated badly in the industry.”
Why do you think that could be?
“I think the security can attract those who don’t mind being a little weird, which has lots of benefits for out-of-the-box thinking. But it’s a ‘gotcha’ culture. That can be fun, but it can veer cruel.
By all accounts, the early days of the internet were a different landscape to the one it is now. Early CS programs were much more gender-equal. There are optimistic articles from the 90’s and early 2000’s where they’re talking about how online, no one would even know you’re a woman and so all ideas were going to get equal value assigned to them and that the internet would be this utopia, that we’d move beyond real-world biases. And then of course, as we all know now, the internet embodies much of humanity at its worst, including the Hobbesian landscape for women.
That being said, there is really interesting work to be done and we need more women and under-represented folks in security. Security is kind of a self-selecting group. You can be drawn to it, those of us that are in it are absolutely in love with the field. You can find your voice and your people, and that’s a really nice feeling.”
Are there any particular things in your career so far that you’re proud of yourself for having achieved?
“Because I’m a security person, I see everything as a process. I don’t necessarily see individual accomplishments as a static thing. They’re all part of an ongoing process. My current role gives me room to figure out how to benchmark that and come to a deeper understanding of what that is.”
Is there anything that you think is a particular deterrent for women generally succeeding in the workplace?
“There are two general categories that we could discuss here: structural support, and workplace dynamics.
One of the most prominent forms of structural support is parental leave. Here in the US, it’s not uniformly good by any means. I have written an article on concrete strategies for hiring and retaining women in tech, including logistics like leave policies and scheduling happy hours.
In terms of workplace dynamics, unfortunately I still feel like we’re at a point where women don’t support other women very much. It’s disappointing as it sets us back. Another big factor, connecting these two, is glass ceilings for upper leadership—women get promoted but only so much. And there’s lots of studies on the motherhood penalty.
Part of this is the need to revaluate labour more broadly-- I find that people may choose a job based on who’s on the letterhead (meaning they opt for prestige, or sexy-sounding employers). The day to day matters so much more -
It’s something that used to come up a lot when I was working for Government. People would ask what’s it like working for the CIA, and I’d ask, ‘Are you OK working in a cubicle for 9 hours a day and never being able to tell anyone what you worked on?’ And more often than not they’d say ‘oh, no, that sounds boring.’ Logistics matter. I’m a big fan of un-sexy work.
When it comes to women succeeding, it’s a shared enterprise. There are also many stats that demonstrate there are not enough technically skilled people to fill the roles available. It’s bad for business when companies allow bad behaviour to become a culture. It impacts not just women but the entire company. It also hurts the innovation landscape. Technologies are human-made, so if we are innovating with a limited demographic of workforce, then we get what I call ‘shallow innovation.’”
What’s the one piece of advice that you wish someone had given to you at the start of your career?
“I’m not sure that it’s advice that someone could have given me, but what I’ve developed along the way, is to set aside at least a couple of hours a week to either follow up with people by email, or grab a coffee with people, write an article that contributes to the security ecosystem, or give a talk at a conference. Basically, to do the watering and tending that it takes to have an active, robust set of networks.
When people think of networking, they often think of a networking event. That’s not what I’m talking about here. It could be catching up with that person you worked with 5 years ago that you thought was really smart, someone you currently work with tangentially, or someone whose article you read that gave you a new perspective, or a professor who taught you a class – these are all your people.
In my experience, the only way to get interesting jobs is through people. So, in terms of professional trajectory, it’s the right thing to do-- but it will also give you fulfilment, bring new ideas to your current job, or give you an idea of where the ball is moving in a professional field.
I don’t think it’s a natural skill. No one arrives fully formed from the womb with a natural skill for networking, but what it takes is a commitment to doing it over time. I made a decision that I was going to budget this time--I usually tell myself a minimum of an hour a week and literally put it in my calendar.
It yields dividends, it’s been one of the most powerful influences in my career, and it’s given me shortcuts to learn in a shorter period of time than had I been trying to navigate it all on my own.”
What would you say you love the most about working in the tech sector?
“A lot of things! The issues and problems to solve are really interesting-- as I said earlier, it felt like a call to action: if not me, then who(m)?
I like how it also attracts people who are unapologetically geeky or who aren’t trying to downplay how much they know. The tech industry is filled with passion projects.”
Is there anything perhaps that you don’t love about the tech industry?
[At this point, Merritt paused for a moment and then laughed rather wickedly]
“There is plenty of room for improvement. The venture capital and the technology innovation side are so self-referential that it’s no wonder that we don’t have the kinds of innovation that you or I would like to see where we’re figuring out how to positively change the world-- instead we have ‘Uber for dog food.’
It feels like sometimes we are our own worst enemies. For an industry so optimistic and ambitious, we could be building better technologies that have a bigger impact. We know that one avenue to that is through more diversity in development--human experience is the stuff that life is made of, and yet often in tech, we don’t capitalize on getting more of that in the room. (More in this article)"
Is there anything that you think companies could be doing more of to encourage women to want to work for them in the tech sector?
“There is a range of things. One powerful tool for getting other diversity hires, is current diversity hires. Show don’t tell. This needs to go all the way up the leadership chain.
Things like maternity leave, promotion schedules, pay, intake mechanisms, all need working on. I’ve noticed women in tech seem to sway towards companies that have a social justice element to them, which suggests women will want to work in places they feel morally okay to be working.
Women think differently, and code differently, so it’s not just a numbers game—like, “50% of humans are human so there’s a brain drain if women aren’t working.” This is the substance of what you’re producing, and it’s urgent that we care about having diverse development teams. Diversity in teams builds better technologies.
We can see examples where there has been a lack of diversity behind projects and innovations, like when Siri didn’t know how to respond to, ‘Siri I was raped.’
It’s hard to point to innovation that doesn’t happen, but when diversity improves we see it played out: companies with a diverse workforce have better dividends.”
Do you have any hints or tips for people out there who may be going through the process of seeking out new opportunities?
“Definitely. My top 3 tips would be:
1. Build your network, ideally before you need to rely on that network for an opportunity.
2. Have your “elevator pitch” updated. Be ready with a few sentences that sum up your narrative. Pick an area to own, and own it—it can always change.
3. Make the ask. People are often happy to help you but you have to ask.”
I really enjoyed speaking with Merritt, she came across as the kind of lady who I could sit and drink cocktails with for hours on end putting the world to rights. If I ever (somehow) happen to be in the DC area, I know who I’ll be dropping a line.
Merritt likes to make herself accessible; you can connect with her on Twitter here: www.twitter.com/MerrittBaer - she is worth a follow. Her tweets, as well as being informative and insightful, can be witty and amusing. My favourite kind.