A Founder on Being a Lone Wolf, Her Love for Mathematics, Building Trust, and Dispelling the Myth of Buying Security

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor
Key Takeaways
  • Organizational policy always lags behind the tech, which often becomes the biggest challenge to overcome.
  • O’Bryan says security systems should protect users without making access difficult.
  • Cybersecurity cannot be treated like insurance, where protection is simply purchased through annual premiums.
  • At Dapple Security, trust is one of the most important parts of client and partner relationships. 
  • Correctly implemented biometrics can provide both strong authentication and convenient user access.

Math, mentorship, and a refusal to accept security myths come together in this conversation with Gadalia Montoya Weinberg O'Bryan, Founder and CEO of Dapple Security.

A former cryptomathematician and cryptographic vulnerability analyst at the U.S. National Security Agency, she brings an analytical mindset to cybersecurity design, drawing from disciplines like number theory and algebraic topology.

O’Bryan also reflects on her love for mathematics, explaining that evaluating security systems often begins with simple signals such as who designed the algorithm, how transparent the implementation is, and whether the assumptions hold up in real-world environments.

As a woman entrepreneur, she reflects on the importance of transparency, questioning long-held assumptions about how organizations approach risk.

O’Bryan discusses identity and fraud challenges facing managed service providers, and evaluates security algorithms beyond theory, while building trust with clients and partners.

Vishwa: What identity and fraud challenges do you see MSPs encountering more often? For security tooling to work across multiple customer organizations, what design choices matter more for identity controls?

Gadalia: MSPs are seeing the same identity and fraud challenges that all businesses are seeing. AI and scalable, cheap hacking kits have made it easy for bad actors to steal employee logins. Social engineering is a big part of this, as are tools that bypass traditional multifactor authentication.  

MSPs do, however, have a bigger target on their backs because of the access they have as IT administrators for many organizations - sometimes hundreds, thousands, or even tens of thousands. Some of the most publicized examples of this were last summer, with the hacks of multiple retail brands. 

Because of this, MSPs and the vendors selling them security products do have special concerns to take into consideration from a design perspective. Multitenancy - the ability to easily configure and manage multiple tenants from one portal - is an extremely important feature for SaaS products targeted towards MSPs.  

From the MSP standpoint, ensuring consistency of configuration and monitoring of identity access policies across all tenants is important, and designing their own access policies to follow zero trust and least privilege patterns can help limit the blast radius if the MSP is compromised by a bad actor. In other words, if all your techs have access to all of your client tenants, you are really exposing your business to some pretty scary risk!

Vishwa: As an executive helping lead a professional services business through a successful exit, what decisions mattered in building trust with customers and buyers?

Gadalia: Trust is indeed one of the most important pieces of client and partner relationships. I have always tried to foster this through radical transparency and the simple act of always doing what I say I will do, when I say I will do it.

Think about the security breaches that have received the worst press; they are the companies who don’t communicate about what is happening and leave those affected in the dark.

And think about the last time a vendor really let you down; it was probably that they were unresponsive, uncommunicative, or did not follow through on something they promised. Consistency on these simple things makes all the difference.

Vishwa: When evaluating cryptographic algorithms or authentication systems, do you see signals that something is secure on paper but fragile in implementation?

Gadalia: I am going to answer this from a bit of a different angle, because of course, I have to dig deep into the math, but I think there are things anyone can look for that are often far more obvious than any technical deficiency.  

One of the first things I look at when evaluating a new algorithm is who designed and implemented it. Seeing it come from someone who has deep experience in cryptography, as well as real-world experience, immediately gives me more faith in the algorithm itself before even digging in. 

Similarly, algorithm descriptions that seem vague or gloss over key details or performance characteristics are often an easy sign that there may be unexplored weaknesses that will come out if fielded in the real world.  

Algorithms based on totally new principles without precedent to stand on have a much higher bar to meet.

Vishwa: You contributed to establishing secure big data architecture for the Intelligence Community. What principles from that work remain useful for organizations building security analytics platforms?

Gadalia: In terms of technical design principles, there are definitely themes that apply to any data architecture that is going to be leveraged by multiple organizations, including today with AI data architectures.  

For example, making sure the technology enables features like granular access control, visibility/transparency in processes and data lineage, and organizational sovereignty to control data and make decisions. Navigating an organization internally, or multiple organizations together, also entails just as many leadership challenges as technical challenges, if not more.

Organizational policy always lags behind the tech, so that often becomes the biggest challenge to overcome. In order to do so, stakeholder buy-in and communication of value are imperative so that the effort becomes a shared mission rather than something being imposed by one organization or department.

Vishwa: How do you balance access and security when sensitive identity or biometric data is part of large-scale systems?

Gadalia: This question is one of the reasons I started Dapple. Biometrics are a strong way to connect physical identity to online identity, but biometrics are some of the most sensitive pieces of data we have. I truly believe that tech and security practitioners have an obligation to help users minimize the tradeoffs they make between privacy and usability to get security.

Find privacy-preserving solutions that don’t store centralized databases of biometric data. One cool thing on the usability front is that, if done right, biometrics can enable amazing convenience and security at the same time.

Vishwa: When technical teams and executive leadership view risk differently, what helps translate security capabilities into decisions that may get implemented?

Gadalia: Everyone has accepted that we pay annual premiums for business insurance, and cybersecurity can really be thought of as the same concept. You are paying to reduce the likelihood of business interruption, and also to reduce liability in the event there is a breach.

Even knowing this, many business leaders are like teenagers; we think we are invincible to attack, or won’t be targeted. For these folks, I find it powerful to tell stories of close industry peers to try to hit home that they are not as invincible as they may feel.

Vishwa: Your earlier work included fast Fourier transform-based matrix decomposition methods. Do you still see mathematical optimization skills influencing how you approach security and system efficiency today?

Gadalia: Absolutely! Yes, that work was done when I was an undergrad math student. I obtained undergrad and graduate degrees in math and worked the first half of my career as a mathematician at the National Security Agency (NSA) in the US. 

My specializations after undergrad were more in algebraic topology and number theory. These specialties are used directly in my work on a weekly basis; I feel so lucky to be a CEO who still gets to do math a little bit every week.

But in addition to direct technical application, the way of thinking that mathematicians practice really helps me think critically (for example, get in the mind of an attacker), and put together logically-sound systems and processes.

Vishwa: Looking back, what kinds of support would have helped you earlier in your career as a woman in cybersecurity?

Gadalia: I did not appreciate the value of mentorship, and I should have sought it out more. I spent a lot of years thinking I had to do everything on my own. Now, as a Founder and CEO, peers and mentors are my lifeline.  

It can be really lonely at the top, and I make a concerted effort to seek out advice and support. And I try to be there for others as much as I can as well; I take some portion of my time every week to provide support to others. 

