From Cyber Frontlines to Digital Trust: The Allison Miller Method
Hello Cloud Control community 👋
Diving from the frontlines of cyber defense to the core of digital trust, Allison Miller brings her expertise and insights to the table. As a cybersecurity veteran, Allison is redefining our approach to digital safety and trust.
I've always been fascinated by the minds that operate at the forefront of digital safety, and Allison's approach has set her apart. In our conversation, she pulls back the curtain on her strategies for not only combating the ever-evolving cyber threats but also laying down the foundation of trust that the digital world needs.
Read on as we dive deep into Allison's insights, exploring her method and how it's shaping the landscape of cybersecurity👇
Allison Miller, Founder and Principal at Cartomancy Labs
Question 1
Let’s start with giving our readers a quick history of who you are and what you do. Can you share with us what technologies or cybersecurity areas you're currently zooming in on, considering your extensive experience in the industry?
Answer 1 🎯
I’m a cybersecurity “polyglot” - I speak dialects of enterprise cybersecurity, product development, behavioral analytics, e-commerce, and anti-fraud/anti-abuse. From a technical perspective, my expertise is really in designing and implementing detection systems at scale, with a preference for systems that are embedded in customer-facing products or platforms. This grew out of early career interests in tuning network intrusion detection systems, and understanding how those techniques could be applied in payment systems, and later social, video game, and advertising systems.
In addition to the technical side of cybersecurity and risk, I’ve also spent time in roles where I was working through the business impacts and problems in these companies - that resulted in an interesting blend of product and customer-experience mindset blended with the technical approaches to system and platform design.
Question 2
As technology evolves, so do the threats. In your experience, what's the key to not just reacting to, but anticipating and preparing for, the next big cybersecurity challenge?
Answer 2 🎯
I like the truism “Follow the Money” when trying to understand where cybersecurity challenges are going to go. When working in fraud detection, it seemed like fraud was like water - the bad actors were constantly testing, and when they found weak points - cracks in the system - they would flow into those weak points. When we reacted, they’d find the new weakest points and flow. When one is building products that are going to be used in adversarial situations, products that are always under attack, a best bet is to focus on where the product drives value for the customer. That’s the dimension that will most be attacked, and the dimension that needs the most reinforcing and protection.
Question 3
Throughout your career, you’ve had roles that encompass both 'trust' and 'security', which is fascinating. How do these domains intersect in your work, and how do you balance the two to create a secure yet open platform for users?
Answer 3 🎯
In many companies, the concepts of “trust” and “security” are very distinct - trust is generally outward facing, embedded in products and customer experience - where security is inwardly focused on protecting corporate and enterprise systems. That said, companies that are going through digital transformations start to find overlaps between the two concepts as their “product” offerings become software - and their customers need to be verified, authenticated, and protected as they move their way through a platform. The domains start to overlap, and tools from security become relevant not just for solving corporate technology problems, but in-product business problems.
You’ve captured the essence of the challenge in the question: it’s all about balance. A business exists to provide services to customers, and regardless of defensive capabilities needed, the business needs to be open for business - and usable by legitimate users. Striking the right balance generally requires flexible controls that can be tuned and re-tuned, and re-tuned again as the features change and the threats change.
A more specific way to envision balance is - let’s say you are being flooded with some kind of bad activity. You’ve developed a mechanism to block the bad activity - but it’s not right all of the time. Typically we have a dial here: we can turn the dial up to “High” and make the mechanism really strict, which will block a lot of the bad activity but also block a bunch of good customers. Or we can turn the dial to “Low” and make the mechanism very relaxed - most good customers will get through, no problem, but so will a lot of bad actors. The first choice is a business question: how bad are the bad actors, and what’s the acceptable tradeoff to the business? You have the ability to adjust the dial but ultimately you’re just traveling up and down a particular false positive/false negative curve. The second choice is one of investment: how much would you need to invest in order to improve the power of your mechanism? (And also, of course, is such an investment available to you?)
As someone with an economics and finance background, I love it when we can simplify problems down to this kind of trade-off. Oftentimes the discussions are a bit more speculative, though, because we are imagining impacts on customer experience, and also hoping that the performance of our security (identity, anti-fraud, detection) controls is predictable and doesn’t degrade too quickly before we’ll need to invest again.
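As an added illustration of the two choices described in the answer above (example code written for this page, not code from the interview or from Cartomancy Labs), the block below assumes constructed risk scores on a 0-100 scale and a blocking rule of “score at or above the threshold is blocked”: sweeping the threshold walks one false positive/false negative curve, while a better-separated detector (the “investment”) produces a curve that is never worse at any dial setting.

```python
"""The threshold 'dial' versus detector quality.

Constructed sample data: each request gets a risk score (0-100) from a
blocking mechanism; requests scoring >= threshold are blocked.
"""

# Constructed scores. Higher means the mechanism thinks the request looks worse.
GOOD_USERS = [5, 12, 20, 28, 35, 41, 47, 55, 62, 70]   # legitimate customers
BAD_ACTORS = [30, 44, 52, 58, 66, 73, 80, 88, 93, 97]  # abusive traffic

# The same population scored by a better-separated (more expensive) detector.
GOOD_USERS_V2 = [2, 6, 10, 15, 19, 24, 28, 33, 37, 42]
BAD_ACTORS_V2 = [48, 55, 61, 67, 72, 79, 85, 90, 95, 99]

DIAL_STOPS = range(0, 101, 10)  # "Low" ... "High"


def rates(threshold, good, bad):
    """Return (false_positive_rate, false_negative_rate) at one dial setting.

    A false positive is a legitimate user blocked; a false negative is a bad
    actor allowed through.
    """
    fp = sum(1 for s in good if s >= threshold)
    fn = sum(1 for s in bad if s < threshold)
    return fp / len(good), fn / len(bad)


def curve(good, bad, thresholds=DIAL_STOPS):
    """Sweep the dial and record (threshold, fpr, fnr) at each stop."""
    return [(t, *rates(t, good, bad)) for t in thresholds]


def best_setting(good, bad, fp_cost, fn_cost):
    """The business question: pick the dial stop minimising expected cost.

    fp_cost is what a blocked good customer costs; fn_cost is what an admitted
    bad actor costs. Returns the (threshold, fpr, fnr) row chosen.
    """
    return min(curve(good, bad), key=lambda r: fp_cost * r[1] + fn_cost * r[2])


def dominates(good_old, bad_old, good_new, bad_new):
    """The investment question: is the new detector never worse, at every stop,
    on both error rates? If so it shifts the whole curve rather than moving
    along it."""
    old, new = curve(good_old, bad_old), curve(good_new, bad_new)
    return all(n[1] <= o[1] and n[2] <= o[2] for o, n in zip(old, new))
```

With these samples, weighting a missed bad actor five times a blocked customer pushes the dial to a strict setting, and the reverse weighting relaxes it; the v2 detector dominates v1 at every stop.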
Question 4
In your view, how does cybersecurity extend beyond protection and into building digital trust, especially in platforms where community and user engagement are critical?
Answer 4 🎯
From a foundational perspective, platforms where community and user engagement are integral components inherently carry consumer expectations regarding the quality of discourse and services provided. The presence of bad actors or mishandling of sensitive account information can significantly undermine these expectations. Therefore, ensuring that protections are in place – and instilling confidence that the platform is managed appropriately – are now baseline expectations for these systems. Cybersecurity plays a crucial role in fulfilling these expectations. Previously, the scope of cybersecurity was often perceived as limited to securing infrastructure and application code. However, as more companies transition to digital platforms and strive to forge lasting relationships with customers—who return seeking a consistent and positive user experience—cybersecurity has evolved to become an extension of product security and product value. This evolution reflects a proactive approach to protection, encompassing not only the security of the platform but also the authenticity and integrity of the information presented.
Moreover, the role of cybersecurity extends to the meticulous handling of sensitive information, a concern that transcends the specifics of community engagement or user interaction platforms. While the foundational measures like encryption and safeguarding against unauthorized access remain critical, the complexity of modern platforms introduces new challenges. These platforms often integrate with other services, facilitating the movement of data across different environments—from mobile apps to backend platforms—thereby broadening the scope of cybersecurity. This includes ensuring data handling is secure both within a single platform and as data traverses between platforms or devices.
In essence, cybersecurity is integral to maintaining digital trust, safeguarding sensitive information, and ensuring that user expectations for a secure and reliable online experience are met.
Question 5
Navigating through a range of domains like risk management, financial services, and fraud prevention undoubtedly offers a rich perspective. Reflecting on your career, could you share a moment or project from each sector that significantly influenced your current cybersecurity ethos? How do these experiences converge to inform your strategies in tackling today's cyber and fraud challenges in a digital-first world?
Answer 5 🎯
Working in payments shaped a lot of my ideas on risk. I joined Visa to work on “Technology Risk” - how do we protect the tech that is used in the payment system? I ended up working on methods for securing e-commerce - outputs of those initiatives are 3D Secure (payer authentication) and PCI-DSS (the Payment Card Industry Data Security Standard). Developing standards, policies and reference architectures is a lot of work, and yet, the rubber really meets the road in implementation. Those two programs are (still) fundamental in digital payments, and I learned a lot working on them - but actually my bigger takeaway from Visa was time working on “Product Risk”, evaluating the design of payment products themselves (not just the tech!) that has shifted my thinking on how and where to look for risk in systems.
Going deeper into payments at PayPal, risk management isn’t about policies and setting standards - it’s about quantitative analysis and modeling techniques. Those quantitative approaches are so effective, I wanted to bring that thinking back to cybersecurity, which I did in later roles where I spanned boundaries between anti-fraud/anti-abuse and cybersecurity programs.
In video games (Electronic Arts), I gained a great appreciation for managing digital capabilities (like Identity, Commerce, and Fraud) in an industry that has been shifting to a digital model from a past of “shrink wrapped software”.
User facing platforms like Tagged, Google, and Reddit brought me new perspectives of dealing with user generated content in addition to (structured) transaction data. While at Google, I really appreciated working with the folks in Safe Browsing and TAG, and understanding how large platforms can be mindful, and not just protect themselves but uplevel cybersecurity and trust for people working across the web.
Back to financial services, working in banking gave me newfound perspectives on the realities of cyber-ing in regulated industries, and balancing the need for speed versus the need for customization and control in some build-versus-buy discussions.
I’d say that the way these experiences have converged is with an understanding that although every industry and environment faces different challenges, the lessons learned have been portable. Meaning, every job and role has been unique, but everything I learned along the way helped wherever I landed next.
Read the Full Q&A on Gomboc.ai
What’s New at Gomboc
In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻
Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪
Latest AWS and Azure Updates You Don’t Want to Miss
AWS Systems Manager Parameter Store now supports cross-account sharing
Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
AWS Free Tier now includes 750 hours of free Public IPv4 addresses, as charges for Public IPv4 begin
Azure Classic Administrator roles are retiring on 31 August 2024
Retirement: Support for Application Gateway Web Application Firewall v2 Configuration is ending
Top Articles and Resources of the Week
Articles
Resources
Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.