uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites,’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.


Lisa Xu – Women in Cybersecurity an Interview by ITSP Magazine

Lisa Xu, NopSec’s CEO recently sat down with ITSP Magazine to discuss the all important topic of Women in Cybersecurity.  ITSP Magazine is an online publication that focuses on Information Technology Security and the influence that it has on our everyday life, as Individuals and as the Society we live in. And, for a change, the other way around. Xu was also featured on their list of “17 Female Founders & CEOs in Cybersecurity” in late 2016. Read the full interview below:

Q: You are the CEO of NopSec, what does NopSec do?

A: NopSec is a cybersecurity technology company, our product helps customers prioritize security vulnerabilities and remediation using advanced machine intelligence and human expertise. We aggregated and enrich security vulnerability data across systems, applications and configurations with real-world threat and social contexts. We also offer highly automated adversarial simulation services to emulate a real-world attack.

Q: What is the old approach to tackle the same problem?

A: The traditional approach has focused on detection, ranking vulnerabilities based on an old lab-based CVSS scoring system. The new approach is all about highly automated machine intelligence to analyze the large volume of security data. Our patented technology helps customers distinguish the needle from the haystack, shorten life cycle to remediation, and safeguard over $15 trillion assets for our customers.

Q: What’s your view on IoT security?

A: Trust the untrustworthy is the first thing coming to mind. We are living a new era with intensive human and machine interactions with constant changes in technologies. IoT has expanded our attack surfaces to encompass new devices, new assets, new attack paths, and new techniques and exquisite knowledge required to stay secure and protected. However, the unchanging part is a robust cybersecurity program and processes, which incorporate detecting, analyzing, prioritizing, predicting and making decisions to deploy defenses, allocate resources, and manage risks. Our industry has put disproportionate amount of emphasis on new technologies, but underweight on the fundamental process and people in the same equation. For example, 0.1% of security breaches were related to “zero-day” vulnerabilities, whereas the most majority compromises were traced back to decade-old vulnerabilities. A sound robust threat vulnerability management process, and the intelligence and expertise of security practitioners are essential to complete the picture.

Q: As a woman CEO, how do you approach diversity in the tech space?

A: Diversity is not only limited to gender in my opinion. The value of diversity in workplace is to bring different perspectives. The different perspectives can be gender, skill sets, knowledge, experience, or technology stack. Collectively, our industry can benefit from these diverse perspectives and “voices”, and stay ahead of adversaries. I am a proud technology company CEO, where 50% of our workforce are strong grounded women professionals.

Q: How can we help our industry to create more security awareness?

A: Awareness is all about attitude and knowledge. Attitude means the tone at the top – the Board and executive leadership set the tone and attitude of how a company should approach cybersecurity challenges and opportunities. Making decisions based on business impacts and revenue-at-risk is a healthy approach to increase organizational security awareness. I have been advocating many of our customers to change the Board conversations from a technical security analysis to a risk discussion to effectively communicate to stakeholders in a language that they could relate to the success to their lines of businesses. Secondly, talking about knowledge – knowledge is power. How much do we know about our crown jewel assets, how much do we know about the adversary’s attack models, how much can we push the envelope on automation to programmatically standardize and codify security expertise – essentially “know the unknown”, and “automate the known” is our path to help our customers, our partners and our industry.

  • Date March 13, 2017