Inside the Corporate Culture of Security at Facebook

Michele Schochet, Director of Corporate Information Security with Facebook, discusses the corporate culture that drives one of the biggest tech companies in the world forward, including the increasingly important role that women play in computer engineering.

CCBJ: What are some of the core standards for providing security and protection for users’ data and other information at Facebook?

Michele Schochet: One of the biggest challenges at Facebook is that we are constantly pushing the envelope. We exist to empower people to build communities and build connections.

My team focuses on baking security into that environment and ensuring that it is top of mind at every step. Oftentimes, companies tend to think of the biggest security risks as being externally based. For me, my focus is, what if that threat is actually caused by an engineer who is well-meaning and inadvertently introduces a security risk while building code?

Our core standards for providing security and protection involve making sure that we empower and enable engineers to do their jobs while also putting protections in place to mitigate potential bugs in code they build. At Facebook, we’re of the mindset that we all own security, regardless of what pillar or reporting structure we’re in.

Describe your team to us. What are some of the essential skill sets they possess?

I believe that it’s a 50 percent culture fit and a 50 percent skillset fit to be successful on my team. If you can’t play well with others, you’re not going to be able to support initiatives at the scale we need you to. My team is composed of people with anything from traditional computer-engineering backgrounds – myself included, as I have a political science degree and a minor in economics. I also have someone on my team who’s literally got a Ph.D. in cryptography. Continuously asking “why” is an essential trait for our team. I look for people who are not the type to just abide by the status quo. Always be inquisitive, have an open mind and look at the fundamentals. And, of course, a technical understanding of security matters like the OWASP Top 10 (a list of the top 10 web application risks) is hugely important too.

Where does security fit into the structure of the company? Do you report to the legal department, IT or compliance, or are you your own group?

Security engineers and practices are embedded throughout Facebook to help ensure that data protections are built into our code from the start. It is a massive, ongoing effort that spans departments and time zones. This is a unique structure, actually, because in the past security has been a subset of IT, or it tends to report to one of the other business units, such as legal or finance. But here, we write tools and we do pure coding on top of the Facebook platform. We recognize that a traditional structure isn’t the best fit for us, especially at our scale – our highest priority is keeping our 2.7 billion users worldwide safe.

How do you see the industry evolving over the next five to 10 years?

I’ll tell you a bit of a story: I honestly believe it’s going to be artificial intelligence and machine learning because it enables us to spot bugs and bad actors quicker and more efficiently. When I first came into this industry, the detection efforts for discovery of the OWASP Top 10 issues, such as cross-site scripting and SQL injection bugs, were manual. One thing to keep in mind is that the nature of security is constantly evolving. People are always developing creative ways to manipulate security tools to get what they want. I tend to view people who are black hats or malicious actors basically as opportunists. While the company is scaling quickly, rolling out new products and empowering the world to build connections, our role in corporate security – and it’s incredibly important – is to make sure we keep Facebook safe and continue to expand the use of machine learning to assist in the analysis of security threats.

What’s your advice to young women looking to move into corporate security?

I was recently at the Grace Hopper Academy, which is an immersive coding program run and attended by women. I had many young ladies come up to me who were getting ready to finish their college degrees, and they said that they didn’t have any opportunity to take cybersecurity classes at their universities. I said, “That’s not an issue, it’s about the mindset and how you approach cybersecurity. These classes weren’t offered when I was in college; however, approaching each opportunity with an engineering mindset and intellectual curiosity is key.” The thing I say to any woman who wants to come into this industry is to ask yourself why you want to do it, what you’re most interested in, and chase that passion. Some people are really going to be passionate about web fundamentals and the security of that particular part of the framework or that particular part of the stack. Other people are going to be passionate about the database layer within the stack, looking at big data sets and securing the tools and access points.

Did you have a female role model in your field, growing up or in college?

This is always an interesting question to me. Things are different now than when I was growing up and learning to be a computer engineer. My father raised me. They didn’t have female STEM role models when I was going to school, which meant that my father was my STEM role model. He raised me to be an engineer who came into the room to do a job. I was a brain and two hands. He taught me that my gender shouldn’t factor into things. If my gender ever did, I knew it was a problem. I think that, oftentimes, we lose sight of the fact that we are all people, and there is a simple element of common decency, and I tell people to come in and be confident in who they are and what they know – and what they don’t know, too. It’s OK to be OK with what you don’t know. Many people are terrified of impostor syndrome. Don’t be afraid of it. Embrace it, and know that everyone else around you feels the same way. It’s just a dirty little secret that none of us talks about.
