![Limor Kessem: Be an upstander. [Security Advisor] [Career Notes] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/529d595c-2aa7-11f0-aa38-97a763999325/image/910aaf148c5fdf3b9f89208a91f19df4.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
A
You're listening to the Cyberwire Network, powered by N2K.
B
Hey everybody. Dave here. Join me and my guests, Outpost 24's Laura Enriquez and Michaelo Steppa on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable practical steps to strengthen your defenses. Again, the webinar is Tuesday, May 13, for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there. And now a word from our sponsor, Black Kite. If third party risk is keeping you up at night, you're not alone. It's a constant battle. Black Kite's third party cyber risk platform is built on real world threat intelligence straight from their research team's ongoing breach analysis, dark web monitoring and attacker tactics. That means you get a hacker's eye view of your supply chain to proactively spot risks. And speaking of research, they just dropped their 2025 third party breach report, breaking down last year's biggest trends and what's coming next. Grab the report now at www.blackkite.com.
A
My name is Limor Kessem and I'm an executive security advisor at IBM Security. When I was a young girl, you know, like a lot of us as children, we wanted to be a doctor and we wanted to be a firefighter. We wanted to, you know, have these core professions were, I think, what ruled everything that we talked about as children. So I definitely wanted to be a doctor or a teacher. I did study microbiology and then I went into naturopathic medicine. I ended up really liking that and studying that. But lo and behold, that's not what I do today. I started my cybersecurity career by what I call pure chance. But I don't want to make anyone think that they just need to get lucky to get into cybersecurity or to any other domain that they end up really loving. So I think that opportunity has to be met with something on the other side. And time and again I saw others that joined by chance into cybersecurity. But they brought skills with them to the table. They brought passion, investment, discipline, perseverance. Those are some of the things that I started out with and they characterized my first job in cybersecurity and also aligned with everything that I've been doing since then. The first job that I got was in a large security research lab and it was a fascinating place and a pivotal time also in cybersecurity to get in and learn the ropes. And my first encounter was with threat intelligence and I worked with a lot of information that was gleaned from the underground communities. Then came the malware analysis, the cybercrime economy that evolved into what we now see as the big ransomware gangs and all these, the big money that we see going into the black market of cybercrime. It was like opening your eyes in a whole new way and seeing a new world. That's how I started out. I ended up at IBM because I started working with researchers that I worked with before. 
So a lot of times when you end up on a team that you really enjoy, that team moves on and they bring in people from different parts of the teams later on. And it was one of those things where I was asked to come on board, but it was also the right time for IBM and the right time for what they were trying to do. On my day to day can feel a lot like being in university. There is constant learning, there's staying up to date, there's reading and writing. There's an ongoing knowledge share that is the core of what security advisors do. There's also a lot of action. Sometimes it could be emerging attacks that make my life look more like I'm a journalist. Then there's core security stuff that brings things down to the domain of risk management where I think everything kind of comes together. There is a concept of innovation that is a guiding principle that we have to recognize. We see bad guys all over the place, innovating, using stuff, progressing. They try new tools before legitimate customers ever do, so they use new tech against our old tech and they're kicking our behinds. So I think there's a lot to be said here also for we tighten our core security and at the same time we allow innovation to help us move forward with the times. I think as a woman in cybersecurity, I've either experienced firsthand or seen things happen to and with women. From gatekeeping to gaslighting to harassment, bullying, everything, it runs the gamut. And I've been through some of these things and what I found to be the most important throughout these adversities is to be an upstander and to stand up for others and then be fortunate enough to have others stand up for you. I found that it was a sure way to really influence culture more than having programs that try to fix the culture. It's more of a lived experience. Because I am an advisor, I am always more of an independent person within the overall team. I work a lot with customers, I work a lot with our research teams. 
I always try to mentor others. I really work across every different part of the organization, which I find is really invigorating. It's called matrix management. It means you're not really managing anyone per se, but you're really managing a lot of things all at the same time with different people. I had mentors that kind of came into the picture when I needed it the most, but had no idea that I did. It was more people who believed in me that thought that, yes, you'd be great on a stage, you should go up there and speak about the stuff that you do, when I totally did not even think that was an option. And that is so motivating and has allowed me in my career to really explore every possible thing I can contribute without limiting myself to a certain role. And I think I was extremely fortunate in that way. What I would suggest to people coming into the field, whether they're women or, you know, otherwise, because we need more of everything. The cybersecurity job market has grown by about 350% in the last eight years alone. So we have over 3 million jobs to fill right now. So we need more women, we need more ethnic diversity, we need more neurodiversity, we need more men. We need. So anybody coming into this field, what I would say is you have to come with an open mind, but you have to know what you want to be, not what you want to do. The second thing is, you know, understand there's going to be a major learning curve, and that's going to require a lot of investment, and there's no way to really go around that. I would hope that all this information that's out there helps others make better decisions about security, helps them better secure their companies, their families. Things like that would be, I think, worthwhile for me.
C
What's the common denominator in security incidents, escalations and lateral movement? When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: See your attack paths the way adversaries do.
Podcast Title: CyberWire Daily
Host/Author: N2K Networks
Episode: Limor Kessem: Be an Upstander
Release Date: May 11, 2025
In this episode of CyberWire Daily, Limor Kessem, an Executive Security Advisor at IBM Security, shares her inspiring journey into the world of cybersecurity. Limor provides valuable insights into her career path, the challenges she has faced as a woman in the industry, and her advice for aspiring professionals.
Limor begins by reflecting on her childhood aspirations, which included becoming a doctor or a teacher. She studied microbiology and pursued naturopathic medicine, illustrating a strong foundation in the sciences. However, her transition into cybersecurity was influenced by what she describes as “pure chance.”
Limor Kessem [01:50]:
“I started my cybersecurity career by what I call pure chance. But I don't want to make anyone think that they just need to get lucky to get into cybersecurity or to any other domain that they end up really loving.”
Despite the serendipitous start, Limor emphasizes the importance of having the right skills and attributes beyond mere luck. She cites passion, investment, discipline, and perseverance as critical factors that enabled her to thrive in her first role in a large security research lab.
Limor's initial foray into cybersecurity involved threat intelligence, where she engaged with information from underground communities. Her work extended to malware analysis and understanding the evolving cybercrime economy dominated by ransomware gangs and the black market.
Limor Kessem [02:40]:
“It was like opening your eyes in a whole new way and seeing a new world. That's how I started out.”
Her transition to IBM was a natural progression, facilitated by existing professional relationships and the mutual growth of both her and the organization.
Limor Kessem [04:10]:
“I ended up at IBM because I started working with researchers that I worked with before. ... It was one of those things where I was asked to come on board, but it was also the right time for IBM and the right time for what they were trying to do.”
In her day-to-day role, Limor likens her work to being in university—characterized by constant learning, knowledge sharing, and staying abreast of the latest threats. She balances this ongoing education with actionable security measures, particularly in risk management and innovation.
Limor Kessem [05:30]:
“On my day to day can feel a lot like being in university. There is constant learning, there's staying up to date, there's reading and writing.”
Limor highlights the necessity of tightening core security measures while embracing innovation to keep pace with adversaries who continuously evolve their tactics.
Limor Kessem [06:15]:
“We see bad guys all over the place, innovating, using stuff, progressing. They try new tools before legitimate customers ever do so they use new tech against our old tech and they're kicking our behinds.”
Addressing the gender disparities in cybersecurity, Limor discusses the various forms of adversity women face, including gatekeeping, gaslighting, harassment, and bullying. She underscores the importance of being an "upstander"—someone who stands up for others and oneself—to foster a more inclusive and supportive culture.
Limor Kessem [07:10]:
“I found that the most important throughout these adversities is to be an upstander and to stand up for others and then be fortunate enough to have others stand up for you.”
Limor argues that active advocacy and personal actions have a more profound impact on shaping organizational culture than formal programs alone.
As a security advisor, Limor operates independently within her team, collaborating extensively with customers and research groups. She engages in mentoring, leveraging matrix management to navigate and influence various facets of the organization without direct authority.
Limor Kessem [07:50]:
“I really work across every different part of the organization, which I find is really invigorating. It's called matrix management.”
She credits her success to the mentors who believed in her potential, encouraging her to take on roles she had not previously considered, thereby enabling her to explore diverse opportunities within the field.
Limor offers several pieces of advice for those entering the cybersecurity field:
Embrace Diversity:
She emphasizes the critical need for increased diversity in cybersecurity, advocating for more women, ethnic diversity, neurodiversity, and broader male participation to fill the burgeoning job market.
Limor Kessem [08:05]:
“The cybersecurity job market has grown by about 350% in the last eight years alone. So we have over 3 million jobs to fill right now. So we need more women, we need more ethnic diversity, we need more neurodiversity, we need more men.”
Be Purposeful in Your Career Choice:
Limor advises newcomers to have an open mind but also to know “what you want to be, not what you want to do,” encouraging a focus on long-term career goals rather than immediate tasks.
Prepare for a Steep Learning Curve:
She warns that entering cybersecurity requires significant investment in learning and adaptation, underscoring that success demands dedication and continuous education.
Leverage Available Information:
Limor hopes that the wealth of information accessible today will empower individuals to make informed decisions about security, thereby enhancing the safety of their organizations and personal lives.
Limor concludes by reiterating her commitment to mentoring and supporting others within the cybersecurity community. She envisions a future where diverse talents collaborate to address the ever-evolving security challenges, ultimately creating a more resilient and inclusive industry.
Limor Kessem [08:25]:
“I would hope that all this information that's out there helps others make better decisions about security, helps them better secure their companies, their families. Things like that would be, I think, worthwhile for me.”
Limor Kessem’s narrative is a testament to the power of resilience, continuous learning, and advocacy in shaping a successful career in cybersecurity. Her experiences highlight the importance of diversity and mentorship in driving forward a more secure and inclusive digital landscape. Aspiring professionals can draw inspiration from her journey, leveraging her insights to navigate and excel in the dynamic field of cybersecurity.