We ‘Go Phishing’ with Annybell Villarroel, Security Awareness & Culture Manager at Auth0, who tells us about her life both in and outside the office.
1. What would you describe as your most memorable achievement in the cybersecurity industry?
I would say, creating the right kind of vulnerability. At our last company offsite, I gave a talk about how I was almost scammed by someone pretending to be my phone company. When I put myself out there, it allowed others to be vulnerable and talk about their experiences too. In security, we’re often perceived as perfect people who know everything. I want to demystify that we’re people too, because it allows us to make people feel safe, connect with them on an emotional level, and ultimately build a security-conscious mindset that protects the business.
2. What first made you think of a career in cybersecurity?
Growing up at a dangerous time in Venezuela, I was always in tune with physical security. When I came to Spain and took a job in developer support, I felt a lot of responsibility for keeping our customers safe too. I started to study security and take Pluralsight courses. At some point, I saw a really good phishing email and suggested a phishing test for employees, which had a 50% success rate. I was offered a position in the security team to help train employees part-time, then proposed that culture and awareness could be a full-time role, which would not have been possible without the support of our leadership. All of this has contributed to my personal purpose to help people live more secure lives.
3. What style of management philosophy do you employ with your current position?
When dealing with people, especially when it comes to security awareness, we have to focus on emotion, not rationality. Instead of asking employees to do something because there’s a consequence, we can show them the benefit to doing it. Speaking their language, building relationships, and having a win-win mentality builds trust. And I believe trust is more powerful than any technology or policy at mitigating human risk.
4. What do you think is the current hot cybersecurity talking point?
I’m hearing a lot about insider threat, which refers to a security risk that comes from within a company, like a current or former employee. Often these talks assume that people are the weakest link in the cybersecurity chain. What we don’t talk about enough is that people represent an opportunity, not an error waiting to happen. I believe that if we can make people think securely, we can make the internet safer in a scalable way.
5. How do you deal with stress and unwind outside the office?
I lead the Madrid chapter for WoSEC — Women of Security, and we are always looking for new members. I also enjoy puzzles and calisthenics, and am an absolute corgi fan.
6. If you could go back and change one career decision what would it be?
Every job I’ve had has contributed to where I am today. Developer support taught me empathy and communication skills. My first security job as a security program manager taught me to approach things in a more structured way. I’ve learned from every experience, and from that standpoint, I don’t think I would change anything.
7. What do you currently identify as the major areas of investment in the cybersecurity industry?
Security awareness continues to be a major focus to help employees detect the most common cyberattacks, but more than any money or technology, these efforts need investment from people in leadership. If you want to be an ally to your security team and create a culture of security, you have to look at how security is prioritized with other business needs. Are you focused on speed or security? What gets praised? Is your security awareness training a checkbox, or short, frequent, and engaging for employees (we hired a Morgan Freeman impersonator)? Do employees have enough time and resources to make security part of their job and their lives?
8. Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Security basics are the same for everyone, but some regions have special considerations, especially around data privacy. In the EU for example, there is a lot of talk about GDPR, the invalidation of Privacy Shield, and the need for US companies to process and store their data in Europe. We’ve seen countries like Japan and Kenya pass data protection laws too. Ultimately though it comes down to general security best practices: collecting only the data you need, securing it appropriately, using secure passwords and multi-factor authentication, and following secure coding practices.
9. What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The security culture and awareness role is a bit different for everyone. Many of our metrics are on the phishing side, which is important, because it continues to be an ongoing threat for any organisation. But there’s also more to the world than phishing. We have a role to fulfil for the business – reducing risk – but we also have a responsibility to influence people, so they live safer lives online in general. I would like to see our industry focus more on people and relationships and connecting the dots between our personal and professional lives. Teaching people how to write a phishing email is more engaging than showing them one, and we could all benefit from learning about MFA and privacy settings in our personal accounts.