38 Kelly Lum

“Institute a culture of security across your organization rather than treating it like ‘somebody else’s problem.’ ”


Twitter: @aloria

Kelly Lum has “officially” worked in information security since 2003 and is currently a security engineer at Spotify—where she brings more than a decade’s worth of application and network security experience from the financial and government sectors to the startup space. Additionally, she teaches application security as an adjunct professor at NYU.

If there is one myth that you could debunk in cybersecurity, what would it be?

One thing that I have observed is that there is still this preconception that InfoSec is some sort of mystical art that can be done only by the rare, chosen few. It isn’t just nontechnical people, either. I’ve walked intimidated developers and students through proofs of concept (PoCs), and it’s always cool to see their reaction when they get it working.

What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

Institute a culture of security across your organization rather than treating it like “somebody else’s problem.” Security needs to start at the beginning of every project, not in the middle or at the end. Throw less money at vendor crap and more at your talent.

How is it that cybersecurity spending is increasing but breaches are still happening? ...
