Local cybersecurity expert forges her own path
Missoula-based author Jeremy Smith provides a funny and telling anecdote about how he came to know cybersecurity expert Sherri Davidoff. A few years ago, they ran into each other at a playground in Missoula and realized they’d met briefly 15 years earlier, when Jeremy was a student at Harvard and Sherri was at MIT.
On the playground that day, they laughed about what a small world it is as their two preschoolers made friends on the swings. Jeremy recalls with a certain amount of self-deprecation that he went into great detail with Sherri about his life as a writer before finally asking her what she was up to these days. He says that she smiled and very matter-of-factly answered, “Well, tomorrow I have to break into a bank.”
Sherri is a professional hacker who is hired to break into security systems in order to find their weaknesses and prevent future malicious hackers from easily stealing information. She is the CEO and founder of LMG Security, a cybersecurity and digital forensic services company based in Missoula that is hired to do these penetration tests for various organizations and companies across the world.
These cases of stolen data can have enormous impact with harrowing consequences. There are high-profile examples, like the 2016 Panama Papers where 11.5 million leaked documents detailed financial and attorney-client information about more than 214,000 offshore entities. But even on a smaller scale, everyday people’s medical and financial data might be laundered on the dark web, only to appear somewhere public without a trace of who was responsible for the leak.
“Right now, data gets stolen constantly,” Sherri said. “For every case you read about in the media, there are 99 others you never see—if not more than that. And many that are never detected or reported.”
Jeremy’s new book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien,” released in January, chronicles Sherri’s life as a daring young student at MIT and her rise to becoming a rockstar in the world of cybersecurity. In many ways, it feels like a superhero origin story.
On her first day at MIT Sherri finds a note in her backpack: “Meet in the East Campus courtyard tonight at midnight for the real tour of MIT.” That night she is introduced to a crew of hackers who spend their time seamlessly breaking into locked buildings, scaling the insides of elevator shafts, and accessing underground tunnel systems, all without leaving a trace. Sherri dubs herself “Alien” (all hackers have nicknames) and learns the ways of hacking both physical and digital spaces. It’s a story that uses Sherri’s coming-of-age as a hacker to reveal an underground culture that embodies all the drama of an action-thriller, where good guys and bad guys battle it out in the shadows, outside the periphery of the bustling and oblivious everyday life the rest of us lead.
“Who are you? A good guy or a bad guy?” Jeremy asked Sherri at one point in the book.
She shrugs. “That depends on who you are.”
Hacking has been around for ages, but the idea of a company paying a hacker to break into their system and find its flaws is relatively new. When Sherri first started LMG ten years ago, not a lot of mainstream companies knew what cybersecurity meant.
“Back in the day I had to explain what we do to all my potential clients,” she said. “What is a penetration test? Why do you need it? At first, it was primarily financial institutions that were investing in it, and then we saw a wave of healthcare organizations investing. Nowadays penetration tests are old hat.”
Pentests might include phishing operations where LMG sends out emails to a company’s staff. The emails emulate phishing scams and ask the recipient to click on an attachment. In a true phishing scam scenario, an infected attachment could infect a company’s entire network. The pentest, however, allows the company to see which of their employees need to be educated about scams.
“Then they see how many people click on that link and then we can work with them to help get additional training for the staff and work on other risk management measures,” said Sherri.
LMG has a wide range of pentests, but it does more than trying to prevent companies and organizations from being hacked. They also come in after a company has been hacked, clean up the damage, and handle the investigation.
“We really emphasize getting to the root of the problem so it won’t happen again,” Sherri said. They also help companies stay in compliance with regulations, which are always changing.
Sherri has the style of a former cyberpunk turned professional CEO. She’s funny and sharp and she has the mischievous expression of a person who is ready to take on any challenge.
After MIT, where she got her degree in computer science and electrical engineering, and before she started LMG, Sherri worked as a lone-wolf freelancer. Sometimes being a woman in a male-dominated field had its advantages. For instance, she says people often let their guard down with women, and during one security test, she was able to easily talk a security guard into letting her into a high-security wing of a bank where she stole a laptop with highly sensitive information. (As part of her job, she then reported that she’d stolen the laptop and returned it to the bank, so they could figure out how to not let that happen again.)
In other instances, being a woman also has meant not being taken seriously or having bosses assume she can’t do the more technical work. Having to prove herself isn’t so much a problem anymore. Sherri has traveled all over the world lecturing about and training people in cybersecurity. She has been a consultant for notable organizations, including the Department of Defense and the American Bar Association. If you ask most tech experts in Missoula, they know who she is. (One Missoula IT said to me, “Oh Sherri? Yeah, she’s scary smart.”) Recently, when someone asked her if she was certified in cybersecurity, she had to laugh. “I wrote the first textbook on it,” she said. It’s the one people use to get certified.
Sherri is proud that she started LMG in Missoula.
“We’ve worked closely with the University and various economic organizations over the years and the Montana Hi-Tech Alliance,” she said. “It’s just an amazing place to start a business. But we do work all over the world and that means we have to be familiar with regulations all over the world.”
As a cybersecurity expert and a single mom, Sherri sees the world through a variety of lenses. She is keenly aware of the malicious buying and selling of personal data, so she refrains from posting information about her children on Facebook, for instance. And sometimes she feels the heavy weight of knowing that when she takes her kids to the doctor’s office, it’s likely that, despite HIPAA enforcement, their information is being accessed in other ways.
Still, when you’re a superhero fighting the bad guys, you don’t give up. You take it one battle at a time.
“To feel like you can see that but you don’t have control, is really hard,” she said.
“But it’s also nice to be on the forefront of this industry—to feel like I can make a difference.”