Is cybersecurity a creative field? A Q&A with Merritt Baer, new Field CISO at Lacework

Lacework EditorialJuly 24, 20238 min read

Who can teach us the most: an industry expert, a peer, or a toddler? Merritt Baer, our new Field CISO, would suggest you keep an open mind. In Merritt’s experience, great advice can come from the most unexpected sources, a concept that even led her to establish a network of tech experts. 

With an impressive career that spans all three branches of the U.S. government, the private sector, and academia, Merritt is a leading voice in the cybersecurity landscape. Merritt joins Lacework from the Office of the CISO at Amazon Web Services (AWS), where she provided technical cloud security guidance to organizations and also hosted her own security show where she discussed security challenges and solutions with industry experts.

Join us as we learn more about Merritt in this new Q&A where she discusses why she chose a career in security, why security is a creative field, and why she decided to join Lacework. 

Q: With your diverse background spanning government, private sector, and academia, what initially drew you to the field of cybersecurity?

A: Doesn’t everyone find security fascinating? (I’m only half kidding.) I see security as an element of how we decide rights and responsibilities in the world — from companies, governments, and private citizen/consumers. We know that security is critical but we don’t want to halt getting things done, for the sake of some concocted security fears. So I wanted to both increase the water level of security (especially in a distributed way, where it will impact communities that need it) and to enable innovation and creativity. It wasn’t until I moved to DC that I realized folks were doing security as a career and it felt like my passion that I now might be able to do as a job.

Q: What do you enjoy most about working in cybersecurity? 

A: There’s a lot of work to do, but I think at its heart, security is a creative field like arts and music. It’s about testing boundaries (what if I put a TB of data in the “address” field here?) and solving problems (why did it take us 3 hours to notice this? Did some human write a threshold? Why did they pick this particular threshold to alert?)

 

There’s a lot of work to do, but I think at its heart, security is a creative field like arts and music.

 

Q: What inspired you to join Lacework?

A: So many of my conversations with customers at AWS revolved around empathy for what they were going through and what they were looking for — which was a solution that met them where they were and made security mechanistic. These customers didn’t want me to tell them that we have lumber and nails here, they wanted me to build them a house. And I saw Lacework doing that for customers in a way that felt like magic to the customer (though of course it’s hard work under the hood!). 

 

These customers didn’t want me to tell them that we have lumber and nails here, they wanted me to build them a house. And I saw Lacework doing that for customers in a way that felt like magic to the customer.

 

I also see Lacework as a healthy young company with a lot of growth potential and I wanted to be able to contribute to growth in a place that is still at the beginning of an S curve.

Q: As someone who has advised complex, regulated organizations on cloud security, what are some common challenges you have observed in this space? 

A: It’s not that folks don’t want to be secure. It’s not that folks don’t care about security. 100% of CEOs will say they care about security. But they lack the mechanisms to implement it. Figuring out the organizational challenges, regulatory and compliance roadblocks (real or perceived), and helping use tech to unlock capabilities internally, can help folks feel equipped to stand up to tough bureaucratic challenges.

Also: one real boon is having an internal champion for change, a person who wants to write automations and learn new tech and implement new approaches. (This doesn’t need to be the CISO. You can be this person, wherever you are!)

Q: Do you have a mentor or role model who you look up to in the industry?

A: There are a lot of smart folks, including in this industry. I look for folks I can learn from, whether it’s in security or not. I also read poetry and try to become a better boxer and listen to podcasts and seek out live music and watch toddlers a lot of the time.

I think there’s a more useful construction than mentor/role model, and it’s a peer (who may or may not be younger/more junior or older/more senior). We should be elevating each other and steel sharpens steel but I don’t see relationships as a one-way, especially if we want to justify time we spend on them. It’s like gardening: you plant seeds and take care of them and see what grows.

Q: As a frequent speaker on infosec and various technology topics, what do you enjoy most about sharing your insights and expertise with others?

A: Security can be a field that’s opaque — whether from a technical standpoint (what does “automation” mean anyway?!) or human perspective (sometimes the security person is the snarkiest in the room). I want to communicate complex problem-solving in simple terms — as simple as possible, but no simpler, as the principle goes. 

At the end of the day, public speaking is like doing customer conversations, recruiting and mentorship, and security training, at scale — it (hopefully) allows folks to think differently about problems, and to consider frameworks they hadn’t before. Plus, I learn some things every time I prepare/give a talk 🙂

Q: What inspired you to establish the women’s tech expert network Tech & Roses

A: I was sick of the term “mentor” — it sounds like something assigned to you, rather than an organic relationship where you both better one another. I wanted to create an expert network where everyone had something to bring to the table and we each walked into the room feeling tall, not having to assume hierarchical roles of mentor/mentee. 

We have folks who are software devs, general counsel (attorneys), policy folks, government executives, privacy experts, and of course security geeks like me. We talk about negotiating job offers, dealing with project slippage, open source rights and responsibilities, etc. It’s the voice in your ear that says “Ask that question” when you’re in the meeting or negotiation. It’s my Greek chorus.

Q: Can you share a memorable moment from your career journey that has shaped your perspective or approach to cybersecurity?

A: Coming out of law school, I clerked for the Chief Judge of the U.S. military’s supreme court, U.S. Court of Appeals for the Armed Forces. The judge I clerked for, James Baker, said (of taking a stand on issues): “You’ll go down with the ship. Make sure it’s a ship you believe in.”

Q: How has your legal expertise intersected with your work in cybersecurity? Has it given you any unique insights or perspectives?

A: Lawyers are like developers: there are certain words and phrases that create actions. Code either runs or it doesn’t; contracts are either enforceable or they’re not…except when there are exceptions. I don’t act as anyone’s lawyer but I appreciate the importance of navigating thoughtfully the landscape of deciding what we want to build, and what the “rules of engagement” should be.

Q: Are there any emerging trends or technologies that you find particularly exciting or impactful in cybersecurity?

A: There’s a lot of focus right now on generative AI, which folks seem to be considering represented by ChatGPT. I am interested in how we will secure our ML and AI models. So much of our use of ML (and ML, by the way, is nothing all that new — it goes back at least 30 years), relies on anomaly detection but doesn’t actively hunt for bias, poisoning, drift, hole-creation, etc. in the models themselves. I think we’ll see that change in the coming months and years and I see room to be a part of that work. 

Q: What are some of the most common misconceptions that organizations have when it comes to security? 

A: The biggest gripe I have is security as a cost center. Security is part of the core business value that you deliver. Not only is it critical that you keep your network secure so you don’t end up with a breach, but you need to keep your systems healthy and running, which requires security inherently. When you spin up an environment, you have already made security-relevant decisions. When you push something to production, you have already made a statement about your appsec and archsec (architectural security) protections. We need to live with the decisions we make, to make those decisions consciously, and to constantly improve.

 

Security is part of the core business value that you deliver. Not only is it critical that you keep your network secure so you don’t end up with a breach, but you need to keep your systems healthy and running, which requires security inherently.

 

Q: If you could give yourself one piece of advice when you were first starting your career, what would it be? 

A: Buy bitcoin at $1 and sell it at $60k. Just kidding (kind of!)

One piece of advice I give folks now is, “No one is going to tap you on the shoulder and invite you to your life.” Go do the thing that you have wanted (I know there’s some privilege to that statement, but: start somewhere, if you can.) There are lots of folks out there who call themselves experts but we all had to teach it to ourselves at some point. On some level, the emperor has no clothes. Who, but you, to go solve that next thing?

Q: Can you share a fun or interesting fact about yourself that people might be surprised to learn?

A: I once won an award for saving a life. Details upon receipt of coffee or wine 🙂

Suggested for you