Google’s ‘security princess’ on protecting users from cyber crime
We’ll send you a myFT Daily Digest email rounding up the latest Life & Arts news every morning.
Parisa Tabriz may work on the frontline of web security, tasked with keeping Google Chrome users around the world safe from an army of cyber criminals, but she still lives the life of a young adult. Leading the way to her light-filled loft room at her home in Mountain View, California, she recalls how a friend made fun of her when she turned 30. “He said to me ‘Time to be an adult – you don’t even have a door to your room’.”
In Silicon Valley, where just-out-of-college chief executives are canonised, and hundreds of 20- and 30-somethings lead exciting but unflashy lives, Tabriz is no exception. Her home – a 20-minute cycle from Google’s headquarters – is a new-build, two-bedroom rental which she shares with a housemate, and most of the furniture was chosen by the owner in the uninspired style of landlords the world over.
Tabriz has focused her room around a large office space, having pushed her bed against a wall. Darting between two desks on a leather swivel chair, she can work from any one of her three laptops. “Almost all of my work I can do from a laptop and I do photography and some digital art. So much of my life is on this portable device, which makes it really easy to be transient,” she says.
It is this transfer of everyday life to the online world, from personal conversations to banking, that has made the work Tabriz does to maintain security on Google’s browser all the more essential. The growth of mobile devices and the invention of the so-called “Internet of Things”, where anything from thermostats to baby monitors can be connected to the web, make the opportunities for cyber crime even greater. No wonder Tabriz was named earlier this year as one of the technology industry’s “30 under 30 to watch” by Fortune magazine.
“When I started the threat was not as large and the damage was probably not as significant in the common case,” she says. “But right now, so much of people’s personal lives is put online and it is not always done with the understanding of the full consequences of what the worst case scenario is.”
In the seven years since Tabriz left college and started work in cyber security, she has seen that threat grow dramatically. After completing a computer science degree and masters at the University of Illinois and an internship at Google, she landed a job at the internet company as a security engineer. During her career, cyber criminals have gone from widespread phishing (spam emails offering plastic surgery, for instance) aimed mostly at committing credit card fraud, to more dangerous targeted attacks designed to steal anything from personal data to intellectual property and sell it on a thriving black market.
Hackers can also now trade vulnerabilities called “zero days” which help people break into networks and sell information to the highest bidder, whether they are a western company, the Russian mafia or the Chinese government. Tabriz likens the threat to offline crime, saying as long as people are motivated by the need for money, whether it is to survive or just greed, cybercrime will continue.
But she says it can feel even more intrusive to have your online accounts attacked. “Things you can easily replace, but when you feel that people have got into your most private thoughts and messages, you can feel just as violated as if someone broke into your house.”
Tabriz says she feels sad and “questions humanity” when she hears about attacks, such as when her father, a doctor, had his email compromised three times. “He’s a smart man but clueless about technology,” she says. “Security should be easy.”
Like most of Silicon Valley, she is devoted to the internet and sees her job as making sure people can enjoy its “awesomeness” without feeling like they have wandered up a dark alley. Tabriz had the skills to join the “black hats”, as the criminal hackers are called, but the girl from the Chicago suburbs whose first hack was turning her operating system pink has never been tempted. “I’m much too boring and law-abiding for that,” she says. In a family full of doctors, Tabriz wasn’t a computer geek before college. Apart from being a maths and science whizz, she also credits playing football and tennis for giving her the competitive drive to beat the bad guys.
Instead of the “dark side”, she chose to join Google as one of a select group of “hired hackers” who attack Google products to find vulnerabilities which other engineers then fix. A security engineer needs to forget about how a normal user views a product, and considers it from a hacker’s perspective.
“Whereas software engineers create or ‘build’ software to solve a problem, security engineers analyse software to try and ‘break’ it – that is, we try to thoroughly understand how the code works and then avoid assumptions about how a typical person may use the software,” she says. “We assume an attacker’s mindset to look for software bugs that can be exploited to achieve some unintended behaviour.”
Tabriz is now Google’s so-called “security princess”, whose sunny outlook and many hobbies, from rock climbing to travelling, sharply contrast with the hacker stereotype. This alone has won her the type of media attention the industry does not normally receive. She has been featured in the technology press and several women’s magazines, which she says is like being a “reality TV star”.
On a black coffee table in the centre of her bedroom is a plastic silver tiara with which she was crowned when she was became manager of Google’s information security engineering team. “There’s a really collegiate, joking culture,” she says, insisting that she does not wear it.
Despite the concentration of young tech workers, downtown Mountain View is little more than a two-block stretch of pavement cafés, and is almost an extension of the Google campus. In recent years, many Silicon Valley workers have moved to nearby San Francisco, preferring to live in the city despite the hour-long commute to work. Tabriz chose to stay in Mountain View so she could enjoy an easier journey to her office. However, she regularly flies to conferences around the world in an effort to convince skilled hackers to join Google rather than the “black hats”.
She is committed to winning what she calls the game of “cat and mouse”, even helping to introduce “bug bounties” at Google that reward outsiders for telling the company about potential new hacks. Google has so far paid out about $2m for more than 2,000 security bugs, which it then fixed, and this summer it increased the rewards fivefold. Other major companies such as Facebook, Microsoft and HP now do the same.
Tabriz admits she eats most of her meals at Google (where the food is free). At home, the dining table is laid with handcrafted crockery from her travels: wooden bowls from Bali and a delicate olive oil decanter from Italy. She says she always tries to take a cooking class wherever she goes; her fridge, however, is bare.
“This is a typical Googler’s refrigerator – just condiments,” she says, referring to the name Google employees call each other. Inside is a pot of chilli sauce the size of an urn but no food to put it on.
However, there are signs of imminent change with boxes filling the living room. Tabriz and her housemate are preparing to move out and she plans to move in with her boyfriend; it’s time to be an adult.
One day soon she hopes she will have a home she believes is worthy of the House & Home pages. After all, at 30 she is approaching “senior Googler status”. But on this front, Tabriz’s ambitions still seem modest. “Maybe when we buy and settle down, we will get some plants – and then we’ll start with a pet fish.”
For a laptop-addicted Googler, a classic but clunky typewriter is perhaps an unlikely favourite object. But for Tabriz, it marks the moment when she took on the daunting task of leaving a pool of security engineers to become their manager. “When I came back from holiday, my team had removed all the computers from my desk and left this there,” she says, pointing at the machine on a table in the middle of her bedroom. Tabriz’s new subordinates had placed a piece of paper titled “TPS report” (standing for “totally pointless stuff”) in the typewriter, which she has left in place. The joke references Office Space, a 1999 film about “a stereotypically pointy headed manager who is always asking for TPS,” Tabriz explains. As well as the memory of an “interesting transition” to manager of her friends, peers and people older than her, she has a hacker’s appreciation for a “beautiful machine”. Still, used to living her life online, she has never even sat down to write a letter on the typewriter, let alone a report. “I’m not even sure if it works,” she says.
Hannah Kuchler is one of the FT’s San Francisco correspondents
Meet some of the world’s corporate cyber warriors: The hacker hunters