Dr Ellison Anne Williams, CEO of Enveil: “Stopping every breach is virtually impossible; ensuring protection for your sensitive data is not”

If you check out Dr Ellison Anne Williams’ LinkedIn entry then you will see an unusually short list of jobs. Senior Scientist at Johns Hopkins, Senior Researcher at the NSA and then Founder and CEO of Enveil. If that was an achievement graph it would point straight upwards, so we’re delighted to interview Dr Williams as part of our Threats series with thought leaders in cybersecurity.

Security leaders with a modern approach should be equally pleased with what they read. If, on the other hand, you’re a CISO who is still operating from a job description created two years ago then you won’t like what Dr Williams has to say at all.

Perhaps the single strongest message to take from this interview is the one we put in our headline. Your defences have almost certainly been breached. But that doesn’t mean that your data needs to be put at risk – so long as you keep it secure at all times.

To find out what that means in practice, keep reading.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

I’m Ellison Anne Williams, founder and CEO of Enveil, a Privacy Enhancing Technology startup focused on protecting data while it’s being used or processed. Starting a company has been my dream since I was young, although I never imagined that company would fall within the technology sector.

My desire to contribute to interesting, substantive work led me to pursue a PhD and MS in Mathematics and an MS in Computer Science. I started my career at the National Security Agency and the Johns Hopkins University Applied Physics Laboratory where I spent a decade leading avant-garde efforts in large-scale analytics, information security, computer network exploitation and network modelling. It was during my time there that I first recognised the disruptive impact Privacy Enhancing Technologies (PETs), including homomorphic encryption, would have on the broader market.

Since then, my work has centred around delivering PETs-powered secure data search, analysis and AI capabilities that are critically relevant for businesses in today’s data-driven environment.

What are the biggest cybersecurity challenges those in leadership roles are facing?

One of the most challenging aspects of cybersecurity is the constantly shifting landscape. New vulnerabilities emerge, additional regulations are introduced, and organisational priorities change — sometimes significantly. We saw a seismic shift in the last 18 months as AI capabilities became increasingly prominent, requiring leaders to understand how to protect against new threats while also exploring how these tools can help protect networks and systems.

Additionally, most security challenges are inherently cross-functional, which means leaders need to navigate and coordinate across an organisation’s internal silos. This requires a significant time commitment by cybersecurity leaders beyond the core functions of their roles.




What are some prevention strategies you believe every business should adopt?

The most important prevention strategies revolve around protecting an organisation’s most important asset: its data. A data-centric approach to security aims to protect data at a granular level. Instead of building stronger perimeters or more secure infrastructure, data-centric security is designed to protect data at all times — at rest, in transit and in use. Since this approach assumes that systems and networks can and may be compromised, organisations work to ensure that data assets are identified, categorised and protected at levels appropriate for their sensitivity and/or value.

Stopping every breach is virtually impossible; ensuring protection for your sensitive data is not.


What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good (in cybersecurity)?

Right now, the biggest threat consideration around GenAI is the pace at which it’s being implemented. The desire to take advantage of the enriched outcomes delivered through these tools often means that they are put into use before organisations consider whether the systems can be secured and trusted. LLMs are data-hungry and the best results are driven by exposure to rich, diverse data sources.

However, for businesses navigating a complex web of global compliance standards, localisation requirements and data silos, ensuring that data is leveraged in a manner that protects the interests of the organisation, and the privacy and security of the underlying data sources, is not trivial.

As with any innovative solution, it is critical that leaders take time to implement the capabilities in a secure, responsible manner or the long-term risks will quickly outweigh the near-term benefits.    




What role do you think governments play when it comes to cybersecurity?

Businesses want to implement emerging tools and technologies that can help address challenges and enable growth, and there is a clear need to accelerate broader standardisation efforts to meet this market need. When possible, government leaders could help expedite the development of such guidelines for high-growth, high-impact capabilities such as AI.

Such efforts, supported by international standards bodies, would directly drive responsible usage and adoption. When emerging technologies are transformational, organisations are going to move forward with their use.

However, it would be beneficial if they were guided to do so in a way that meets minimum security thresholds.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

My message to those who want to work in cybersecurity is simple: pursue meaningful, substantive work. Don’t let fear or other assumptions hold you back — find an area you’re interested in and go for it. And when you get stuck, which will inevitably happen, ask for help from people walking a similar path.

I’m fortunate to have been surrounded by many fantastic mentors and colleagues who have helped me achieve more than I ever could have on my own.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.
