Senior Director of Consulting and Threat Intelligence at Unit 42 reveals how to build a successful career

July 9, 2024 | Emilia Chiscop-Head, PhD

Meet women Cybersecurity experts who teach in the Duke CISO Executive Certificate: Kate Naunheim

Kate Naunheim while teaching the Duke CISO certificate candidates on the Duke Campus, in May 2024


Kate Naunheim is a Senior Consulting Director with Unit 42. She performs technical and risk assessments for Fortune 500 and midsize companies using various cybersecurity frameworks to identify and remediate cybersecurity control design and implementation gaps. Kate joined Unit 42 from a technology startup developing an information security program management software. Previously, she worked as a senior consultant at a boutique business and technology consulting firm, where she focused on designing and executing disaster recovery operating models. Before this, Kate worked for Deloitte, a large accounting and professional services firm, managing cybersecurity, National Institute of Standards and Technology (“NIST”), Sarbanes-Oxley (“SOX”), and Payment Card Information (“PCI”) Data Security Standard (“DSS”) audits, as well as at Accenture doing similar work. Kate began her cybersecurity career as a consultant providing financial, acquisition, and budget analysis and developing audit plans for U.S. Navy and U.S. Army programs. She has in-depth experience in engagement management, supporting on-time/on-target project delivery, and building high-performing cross-functional consulting teams to address critical cybersecurity challenges in developing and mature organizations.

 

How does the Duke CISO Executive Program fit into the cyber landscape?

The Duke CISO Executive Program provides cyber practitioners an immediate baseline of critical academic, theoretical, practical, and technical knowledge of cybersecurity concepts and practices while giving employers and organizations an easily ascertained stamp of approval regarding a candidate or employee's cybersecurity skills. The potential impact of this program is far-reaching as it could change not only jobseeker but also employer checklists for CISOs and CISOs-in-training operating in security engineering and cybersecurity roles. 

What lessons would you like the CISO learners to have taken with them after your talk?

One is that cyber threat intelligence (CTI) sources are vast. Therefore, it is essential to identify trusted tools and methods early in your CTI practice and collaborate with peers to identify best practices. The second lesson is about the MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) framework—one of the most adaptive and predictive frameworks we have today—don't be afraid to use it!

How have you decided to become a Cyber professional, and why?

I've been exposed to cybersecurity issues at various points in my career, and it struck me as a career field where I could explore my interest in technology and make an immediate difference for customers. I was consulting for a company impacted by a cyber-attack – and its business operations went down for 3-4 weeks. This made me aware of cyber-attacks and their damage to companies and people. I started in cybersecurity audit, which involved speaking with organizational shareholders, understanding their operational processes, and writing reports about their performance. Once I got into auditing, I started learning about cybersecurity's threat intelligence aspects and joined Unit 42, known for threat intelligence.

What was more important to you for becoming who you are today?

Saying "yes" to every new assignment in cybersecurity, even if you aren't sure of your skills, and making it happen - you learn a lot.

What is one thing you wished you knew when beginning your cyber career?

There is a low barrier of entry for cybersecurity due to the availability of free resources, but this is a high barrier to truly and profoundly learning the concepts that will make you successful, as your knowledge base is time-dependent. Every little thing you know is handy, so use your time wisely.

Could you share one crucial career accomplishment?

My first certification (Certified Information Systems Auditor (CISA)) significantly increased my availability of quality cybersecurity roles. Don't overlook key certifications in your field—talk with your peers to understand which offers the biggest bang for the buck in your domain and get certified. It's an immediate benchmark of capability for employers.

Can you name 1-2 significant challenges in cybersecurity today and how an executive program like ours can help overcome them?

The Duke CISO certificate addresses some critical unmet needs and challenges for CISOs and aspirant CISOs: one is having a baseline knowledge of crucial cybersecurity controls. Another is the overwhelming amount of information that CISOs or other cybersecurity executives need to manage. Finding ways to boil the ocean and distill a minimal number of critical concepts in each domain (cyber threat hunting, cyber threat intelligence, SOC, etc.) will set up the CISO or CISO-to-be for success.

How difficult was it for you to succeed in a field dominated by men?

There is currently a dearth of women in the cybersecurity field (current estimates are that anywhere between 20-25% of cybersecurity professionals are female) - the reasons for this are multifactorial and it’s an issue we’re working very hard to address. I’ve been very lucky to have been mentored by some great men and women who have seen my potential and worked very hard to change the representation of women in cybersecurity by supporting me, advocating for me, and promoting me. I have been given many opportunities due to some strokes of great luck, but I know that not all women looking to break into cybersecurity have been this lucky. My advice to those who are hitting the front wall or the glass ceiling is to look for those people who are “safe” landing places - people who listen to you, mentor you, help you - and continue to ask them for assistance while working on your skills. Don’t forget to help them back however you can, as business relationships are a two-way street. Investing in your mentors will set you apart from those who only ask for help and will reap huge dividends for you later on in your career.

 
