Talks Tech #49: How We Can Securely Build an Amazing Technology-Based Future
Meghan Pope, Director of Quality Assurance Engineering, sits down with Laura Bell Main, Founder and CEO of SafeStack, to learn how to securely build an amazing technology-based future. They discuss Laura’s leadership path and how teaching is also a natural space for her.
Tell us a little bit about your journey in the tech industry, what your early career looked like, and how that built the foundation of where you are today.
I'd love to say we all have a golden plan. We all go to the right college, and we know from age ten that we will do something. That never happens, and it certainly didn't happen for me. I thought I was going to be a lawyer. For a brief while, I thought I would be Scully from the X-Files. At age 16, some things happened in my family, and I needed to get a job quickly. My hometown's options were retail, manufacturing, or a burger place. There was one employer. They were called EDS at the time, they've since been bought out by Hewlett-Packard. They did an apprenticeship in software development. I knew very little about computers. Their interview was about solving puzzles. At age 16, I became a junior COBOL developer. I've since then had a really interesting journey from COBOL and big taxation systems, to real-time radiation monitoring software in Switzerland for CERN, to counterterrorism and working for the UK government. Eventually, I moved into security. I've been doing that a long time too, first as a consultant, and now I teach engineers worldwide how to do security and go really fast and build amazing software.
What sparked your interest in security and data protection specifically?
I was always curious about it when I studied. Security wasn't a subject you took at college or university. We had one guest lecturer in a four-year degree. This guy came and he told us about an old-school attack that was against the very early, when it was just a bookstore, Amazon. That was curious to me. I remember sitting in that lecture and going, "Well, I wonder if one day, there will be police of this internet thing and we will have to figure out how to stay safe." Fast-forward a few years, and I ended up in government and doing counterterrorism. I'm passionate about securing every tiny little innovation so that it lasts longer.
What were some of your experiences specifically working in government?
In government you get a group of people who are not motivated necessarily by money but by mission, safety, about understanding the harm that can come from events. Government work really helped me understand how security could be much more than just theoretical. It gave me the confidence to work with a team to use our skills combined. We look at security not just as academic, but to understand motivation for people do bad things. Those things could impact people financially, sway political situations, or hurt individuals on an emotional or physical level.
Tell us a little bit more about your relationship with teaching.
All of us who end up in teaching, if you look back far enough in your family, you can see where it came from. My granddad is a tinkerer. If you went around his house on a Sunday, he'd say, "Laura, what do you want to build today?" I got this passion for creatively thinking, problem-solving, building things, and tinkering. We grew up quite poor so we would catch the bus between places. My Mum was the type of person who you could be on a bus for 10 minutes, and suddenly she's friends with 15 new people. I never understood how this happened, but she's a storyteller and a connector. When you mix someone who loves experimenting, building, and playing with things and always looking at problems in different ways with somebody who likes connecting with people and telling stories, the natural pathway leads to some form of teaching. That's where I've ended up just naturally.
What was your path to career success and leadership?
My path has been bumpy. I was a reluctant leader at first. I was a really nerdy person and I'm just a little bit unusual in the way I communicate, the way I see the world. I had no real interest in power or money. I started getting into leadership early. When I was a COBOL developer, even at 16, and 17, I was starting to move towards leading a small team. I didn't have the experience at that point, I didn't have the world view to really understand what that meant. It's been a transition for me to find my own leadership style.
Why did you decide to found your own company and how did you have the courage to make that leap?
I had my first child, she's 10 now. I'd gone back to work and my tolerance for having a bad job was just zero at that point. I was tired and grumpy. I was seeing how I was employed to do application security in a very fast-moving company, and security was moving so slowly. Development was moving so fast, and nothing between these worlds was working together. With a grand total of $300 of savings, I quit my job with a 10-month old and did probably the silliest thing I'd ever done and started a small consultancy. I wanted to prove that we can do security differently." I literally wheeled my little office chair from home, down the main street in Auckland, New Zealand, to the cheapest shared office space that I could find a desk in. I started seeing if I could find software teams who wanted to do security, who were keen to experiment. That led to a successful consultancy and a couple of books. In 2020, I and my business partner, Erica, and I honed our craft at doing very fast-paced application security. It was only really accessible to people with deep pockets and big budgets. With covid, we knew we had this lockdown period to play around with something. We thought it would be cool if we could build a product that allowed teams wherever they are in the world to do what we've been doing for 10 years in person. In April, we started building, and in October, we got to market. We're now in 79 countries and about 1700 organizations, so it's been a bit of a wild ride.
What were some of the challenges that you had to overcome in founding your own company?
Some of them echo what you feel when you move into leadership. You go from being very, very good at what you do. I know I can teach people how to do application security and I can work with teams and I can grow culture. As a CEO, my job is now to also look at the strategy, to look at the finances and to hire the right people. Growing a company wasn't just about building the product. You think you’ve nailed it and everything shifts again and you go back to the beginning.
Can you tell us a little about information security and its importance?
We talk a lot right now about cybersecurity, like it's this big brand new thing. Cybersecurity is actually a really old problem, just with a new outfit on. Humans have always been jerks to each other, we have always been terrible people. If somebody in the other cave had something valuable we wanted, we would go and use whatever technology at the time, whether it's rocks and sticks, to go and get that thing from someone else. We've moved on from just dollars, cents, and gold bars being our valuable things. Now in our organizations, our information, our data, our systems have incredible value. As humans, our instinct still exists, whether we're financially motivated, politically, or vengeance, there is a need in some of us to gain these things, to harm these things, to interact with them in some way. Information security is the idea that we're protecting the information in our systems from these people with these motivations.
What is the current state of information security today, and how has that evolved?
We are in an early age of awareness with information security. We're looking at it a lot more clearly across a broader range of organizations. We're getting good data. We're in this transition from, Can I buy something I put in my network to solve the problem for me? To a cultural shift where we accept that the best way for us to do security is for every single person on the team to do a little bit of security every single day. Changing the culture of an entire organization, an entire community, takes a very long time.
What do you see for the future?
Everyone's got to have been playing around with generative AI by now. As a security person, it's like being split in two. Half of you are super excited about the future: we're going to Mars, and we've got robot doctors. The other half of me, the security person, is like, "This is horrifying. Oh my goodness, this is all going to go wrong." It's a real disconnect between two sides of my brain. There's some incredible technology coming through, but the way we do security has been built looking backward. Our security processes guidance is looking at how we built software for the last 20 years, not these new technologies like AI that are coming through. We are going to have to have a chat as a community. All of us as engineers are going to have a part in this. If we're going to understand the risk and the potential bad outcomes, we're going to have to change the way we do it. There’s lots of work ahead, but hopefully for a very good cause.
What would you personally like to see in an ideal tech future?
The ideal tech future uses technology to help across entire communities. In New Zealand, we don't have many specialist health practitioners. We're a tiny country of less than 5 million people. We genuinely don't have enough specialist doctors for things like cancer treatment and diagnosis. There is technology being built right now that can look at mammogram scans and do early diagnoses based on scans using machine learning and AI. The more systems we have that make health accessible, growing businesses, and income for communities or education accessible, the better. Those are the things I want to see in the world.
Do you have any pro tips that you would like to share for women in the tech space?
Most of us work for some form of sprint, or if we don't, we're aware of the concept, working for two weeks on a set of outcomes, and then we review our progress, and we move on to the next one. I want you to give one hour of your time per sprint to security. That doesn't mean going and studying to be a penetration tester or anything like that. It could be that you find a conference talk from security that's interesting to you and you go watch that. It could be that you go and talk to your security team. It could be that you go and change those passwords you know you've had a bit too long. One hour per sprint. There are about 30 million software developers in the world right now. If we all did just one hour every two weeks, that would have a huge impact on security.
What are you passionate about outside of work?
I restore old things that are broken, sewing machines and old mechanical things. They were built to last forever. Often, they've been just left to rot in cupboards and garages and things. I garden and grow things. I have two beautiful daughters. I read trashy novels about princesses who are saving the day and have magic powers and all of the type of stuff that you never admit in a book group or on the internet because people would judge you.
Any final thoughts that you'd like to share and ways we can learn more?
Don't be overwhelmed by security. You don't need to be an expert. You don't need to have a degree in it. Security is a mindset; you do it every day, so don't overthink it. If you want to get started and you're in the software space, my company, SafeStack, has a free plan that you can go on with no strings, no credit card, and no tricks. The idea is that wherever you are in the world, big or small, you can go and do some of those basics. That can be a really powerful thing, not just for the organization you're working in and the tools you're building right now but for the rest of your career.