Merritt Baer is a security executive based in Miami, FL. She serves as CISO to Reco (SaaS security from discovery to behavioral heuristics). Merritt served in the Office of the CISO at Amazon Web Services for over five years as a Deputy CISO, helping to secure AWS infrastructure at vast scale. She worked in security in all three branches of government and the private sector. Her insights on business strategy and tech have been published in Forbes, The Wall Street Journal, VentureBeat, SC Media, The Baltimore Sun, The Daily Beast, LawFare, and Talking Points Memo. Merritt is a graduate of Harvard Law School and Harvard College.
Recently, in an exclusive interview with Digital First Magazine, Merritt shared her professional trajectory, insights on the role of AI and ML in the future of cybersecurity, her future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Merritt. What drives your passion for cybersecurity, and how do you stay ahead in the field?
We all have only so many hours on this earth. Not to sound overly dark or serious, but I constantly think about how I want to spend my one life, and I’m convinced that security work is one way that I can matter. I find this especially true at the landscape level– while the work can be unsexy and incremental, if it moves the needle then it is something worth doing.
I am also cognizant that cybersecurity is a social justice issue– those who cannot afford to be insecure, are those who often inherit the least. This is true at the human interaction layer (what device you carry, what security system is on your apartment door) and at the enterprise layer (what institutions you interact with, and how much attention and investment they make in cybersecurity). As a result, the work I do to make enterprise security strong is a powerful way to get security to real people. And ultimately, cybersecurity, like all tech work, is done by people, for people.
What aspects of your current role bring you the most joy and fulfillment?
I love security, but I’m also a businessperson at heart. So I love working on helping Reco’s customers to “buy down” their risk by addressing it. Now that folks are building modularly, we are seeing an explosion of SaaS apps in the enterprise. These days, most enterprises aren’t going to build their own data lake; you’re going to use a productized version. They aren’t going to build their own CRM; they use an app for that. And so on. The result is a constellation of apps in your environment, some of which you will know about. As a CISO, you need to know every app in your enterprise that has access to your real data. Then you need to configure it correctly– and this is not a one time thing, it requires a continuous and programmatic approach. Reco also provides some “higher order” contextualization through threat detection and pattern recognition.
I also advise a small handful of young companies, including Enkrypt AI (guardrailing and model selection for enterprise use of AI), Level 6 Cybersecurity (CISO dashboarding using AI for decision-making), Andesite (SOC transformation using AI to remove manualness and increase fidelity), Expanso (efficient distributed compute and storage at the edge, based on open-source protocol Bacalhau), and GTS (partner for building out tech relationships and purchasing decisions). These advisory roles allow me to act in the company’s best interests, whatever stage they are at and whatever “diagnosis” we come up with– many of them are in the security field, but what they need from me is less security expertise than it is business acumen. They need to know, “How does a CISO think about this problem and what does it look like to matter to them?” This is fun work for me– companies should only exist if they add value to their customers.
What role do you think artificial intelligence and machine learning will play in the future of cybersecurity?
There are a number of ways that AI and ML are and will continue to play a role–there is the security of the AI/ML, the use cases of AI/ML for security, and so on. Those are too numerous and nuanced. I anticipate that security engineers will start to be folks who can make AI work effectively for them.
Can you discuss the importance of diversity and inclusion in the cybersecurity industry?
We know that people who walk through the world differently, think differently. They code differently, they problem-solve differently. We know that tech needs to be created in service of good, and for people. Security as a field is made up of those who think differently and play around with possibilities. So I see the range of human experience and creativity as a core component of security work.
Who has been a significant influence or mentor in your career, and how have they helped shape your professional journey?
John Sparks (Judge on the US Court of Appeals for the Armed Forces) and Deborah Lathen (former FCC Bureau Chief) have given me a lot of tools to go out in the world and fight for the right things, and they also remind me that even serious work can be quite funny.
What has been your most career-defining moment that you are proud of?
I’m proud of a number of things, but I don’t think there’s a single career-defining moment. The right to do work I care about and I think matters, and that I’m good at and get paid well to do– that’s a thing for which I’m grateful. That’s a realization that comes in a bunch of moments, not one.
How do you prioritize your well-being and self-care amidst a demanding career?
Admittedly, I’m not the best at this–I tend to be more than 100% invested in more than one thing. I don’t believe in drinking lemon water in the morning (unless it’s White Claw on a Saturday), but I do believe that you can basically carve out time for things. For example, I wake up early (around 5:15am) so that I can take a sunrise walk while I listen to a murder podcast, and get back in time to get my 5-year-old ready for school. It does mean that I fall asleep early in the evening–but that works for me. I bought back time from later evenings. Nothing is free, but you make some choices.
Which technology are you investing in now to prepare for the future?
I don’t think we need to invest in a specific technology to prepare for the future, I think we should invest in figuring out what frameworks we want to live by.
What are your long-term career aspirations, and how do you see yourself evolving as a leader over the next five years?
I anticipate staying on the business side and serving on boards, public and private. That being said, I also might serve as the head of a government agency, start a wedding venue somewhere pretty, or create a memecoin. Just kidding about the memecoin.
What advice would you give to young professionals starting their careers in cybersecurity?
Pick something to specialize in and be able to explain why it matters (which should relate to a broader problem in the world). Relatedly: have a personal (substantive) brand–folks will think of you for a conference talk or a next job conversation. Be memorable (authenticity goes a long way). Do your homework before you meet people, especially in a professional context. Don’t ask people to be your mentors, just collect smart people who are senior to you and who care about your success. Recalibrate your risk meter regularly– often, not taking risks can expose you to other risks. It’s okay to take a job for the money, that’s why jobs exist. When you’re picking between options A and B, remind yourself that there’s usually an option C that you might be able to create. No one is going to tap you on the shoulder and invite you to your life.