
Interview: Nancy Zayed, CTO at MagicCube

    

In this interview series, we host brief and highly informative interviews with influential security leaders. Today we're joined by Nancy Zayed. Nancy is founder and Chief Technology Officer at MagicCube, a digital commerce security startup.

Nancy has extensive experience in engineering leadership across multiple business and technology domains. She has a proven track record in leading 40+ teams delivering on product development and product management, as well as technical and vendor partnership management. She has also been very successful in recruiting, structuring and motivating teams globally. Prior to her current role, Nancy held technical executive leadership positions at InnoPath, Cisco, Palm, and Apple.

In this episode, we discuss how security should influence the "Internet of Things." Nancy gives a brief history of the internet and security and illustrates what is not working because enterprises are focused on old security concerns. We talk about the lessons learned in the Internet Age and how those same lessons can be applied to the "Internet of Things." Then, we flip the script and Nancy spends some time interviewing me on the implications of how security will need to be scaled to cover the "Internet of Things."

The following is a brief excerpt of our interview. 

Jeff Williams: What lessons did we learn in what I'll call the "Internet Age," not the "Internet of Things Age," but this age that we can apply to the Internet of Things?

Nancy Zayed: Oh, man. We learned a lot. We learned that the hacker community or the malicious hacker community is very aggressive and they're creative. Not only at the levels of individuals but really at the level of e-armies. We know of this. Right?

We know that the current approach of using hardware security implementation is probably not going to cut it anymore because of the nature of hardware based security with the manufacturing and the cost and time and the ability to react as fast and fulfill the demand. It may not actually cut it.


Jeff Williams: It's interesting. Just to follow up on that, I talked to Josh Corman recently about the supply chain for cars. He calls cars computers on wheels.

Nancy Zayed: Yeah.

Jeff Williams: The supply chain for a car is years. If they discover that one of their components has gone into the field and it has a security vulnerability it's years, like five years, before they can actually get that thing patched and fixed unless they do a whole recall, which is incredibly expensive. He's pushing to try to get automatic update as part of all automotive technology. It's interesting. It applies really to all the internet of things. Right?

Nancy Zayed: Yeah. It's the same thing, actually, with devices that have security chips. Anything that dies on the manufacturing line, it's dead. The whole board is done. That's it. End of story. Yeah? Hardware security is probably this is also going back to your question about the learnings from the Internet Age. We also learned that most security breaches either are bug implementations, a use of stale technologies, or on the flip side the use of too bleeding edge technologies. You know?

Jeff Williams: Where's the sweet spot there? You got about six minutes when you can actually use a technology. Before that, it's too new so you got a sweet spot.

Nancy Zayed: That's where experience comes in, I guess. Finally, and really this is the most important lesson in my opinion and then some. That is we learned that consumers are very serious about holding companies responsible for the privacy and the security of their own data, which means that or which translates to customer loyalty is related to a company's ability to secure their data.

This is why security breaches cost companies a lot of lost profits in the form of abandonment of their products and services because of the security breaches that happened. We at MagicCube believe that in the age of heightened "IoT" and mobility customer loyalty will be a selling point or responsiveness to security will be a selling point for any company or business that want to retain their customers.

Jeff Williams: So how do you see security for the internet of things being different than what's available now for desktop and web apps?

Nancy Zayed: I think that for "IoT" security solutions will have to be platform agnostic. I believe that it will, and it doesn't mean that a software only security solution ignores the hardware facilities or hardware based security technologies or facilities on the platform if they exist. It also doesn't mean that an "IoT" device that doesn't have that should be a vulnerable device or should not be as secure. Remember, what we said before is that security is, or the security of the whole system is, as strong as its weakest link.

Jeff Williams: Hmm.

Nancy Zayed: Right? I think that the next big thing for "IoT" will be a software security solution that is flexible and is able to be responsive and near real time to threats that get introduced to new environments. Again, with "IoT" comes a whole lot of devices and a whole lot of products and a whole lot of user experiences associated with those devices and the environments vary. That's why we think a platform agnostic solution is probably going to be the bigger winner.

Jeff Williams: Interesting. In your blog post on LinkedIn you talked about the need for ubiquity and transportability in software. What kind of solutions are required to deliver security to meet those requirements?

Nancy Zayed: Security solutions that are quick to respond to new threats. If we look at some industries, for instance like the payments, which has security as its heart, right? We think this trend is going to migrate and go to other verticals as well. Therefore, the ubiquitous nature of a solution will be necessary and of, again, judging by the nature of IoT and the nature of opportunities that arise with new devices that come on board, you're going to need to be fast and you can't really wait for a many doctrine line to put together the whichever chips and the costs associated with them and so on.

To listen to the rest of my interview with Nancy, click here.

Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.