Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer at AvePoint Reiterates the Need for Women to be their Own Promoters and Advocates

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

We interviewed Dana Simberkoff of AvePoint to learn her views on the traits needed to thrive in cyberspace, guiding youngsters in this industry, and pursuing a career interest outside of one’s initial formal education.

Dana studied Law and completed her Bachelor's in Psychology. She served as VP at HiSoftware for over 13 years and has held the role of Chief Risk, Privacy and Information Security Officer at AvePoint for over 13 years.

TechNadu is thrilled to share the hard-hitting answers given by Dana Simberkoff in this interview as part of our women’s outreach campaign, LeadHER in Security.

Read further to learn what this interview uncovers about cybersecurity, working towards FedRAMP expansion, and observations about SOC 2 Type 2 reports from a woman’s point of view.

1. Please tell us about your journey from joining law school and pivoting towards cybersecurity. What inspired you to be an attorney? Can you share what led to the dramatic change?

I attended Suffolk University Law School and always planned to pursue a career in law. An opportunity later arose to work at a software company, and I had no idea that this position would help launch the career in security that I have today.

The software company I worked for was appointed to design privacy programs for our corporate and public sector customers, as well as operations security projects for our US Department of Defense customers. It was during this project that I got started in a security role and quickly became interested in the career path – eventually serving as Vice President of the Public Sector for that company.

2. You are a role model for women in cybersecurity. We want to know what traits and qualities strengthen professionals as they navigate into the ever-evolving field of cybersecurity. Did your inner curiosity or perspective about justice contribute towards working on the critical responsibility of maintaining information risk and data protection?

All individuals in the cybersecurity field should constantly pursue additional education and upskilling opportunities. Security professionals should always be curious about what’s next – focusing on advancements in technology and evolutions in the threat landscape (especially with emerging AI threats and changing data regulations). In terms of professional qualities, maintaining a positive outlook is always critical in the cybersecurity profession – as we’re faced with new challenges and fast-moving threats every day.

I submit myself and my colleagues for speaking sessions at industry conferences, and I am a regular contributor to many publications – helping me promote the work that we do internally and externally. I make an effort to do as much public speaking as possible. Eye contact, standing tall, using your hands, and working a stage have all been non-verbal traits I’ve learned over time — many of which have taken a lot of practice. I’ve also learned that smiling and humor are helpful, even when talking about serious topics.

Early on, I realized that if your audience can relate to you in some way, they are much more likely to be receptive to what you have to say. So, I try to find a way to draw people in and to be inclusive while at the same time maintaining my command of a topic.

3. Do you feel women need more guidance and assistance to be a part of the cybersecurity industry? How can youngsters be drawn towards data security early on?

Mentorship has been a critical part of my career in cybersecurity. At AvePoint, I currently lead a team made up of 50% women and always strive to foster accessibility within my company. I’m committed to helping not only those on my team, but also women and young professionals across my broader network to succeed.

As cybersecurity is a male-dominated field, it’s critical for women to have mentors and industry peers to help guide them. I previously served on the Women Leading Privacy Advisory Board for the International Association of Privacy Professionals (IAPP)—where I was able to support initiatives for young professionals’ continued education, networking, and career growth.   

I have been fortunate in my own professional (and personal) life to have mentors and managers who have believed in me and helped me achieve. From hearing others’ stories, I understand that this is not always the case for women in cybersecurity – leading me to advocate for and support women in security in everything I do.

Women tend to believe that if they work hard and keep quiet, someone will eventually notice. It’s even more important for women to become their own promoters and advocates both inside and outside of their organizations.

Everyone who works for me knows that I have a saying: “Being a legend in your own mind, or even in my mind, is not going to be that meaningful for you.” You need to make sure that leadership is aware of your work and accomplishments and do so in a way that is not boasting, but rather informative and helpful.

Aside from pursuing a degree in cybersecurity or computer science (which isn’t a requirement to find success), young professionals looking to jumpstart their career in cybersecurity should prioritize industry certifications to prove their knowledge on the current threat landscape—as well as working with an industry mentor to learn hands-on skills and gain on-the-job experience.

4. What are the key points that you keep in mind while working towards FedRAMP expansion?

Vendors across all sectors should prioritize undergoing independent security audits – including ISO, SOC 2 Type II, CSA STAR, IRAP, FedRAMP, and StateRAMP for example – as they prove your company’s commitment to maintaining the highest security standards.

Although rigorous to complete, certifications like FedRAMP prove to public sector clients that they can maintain compliance and data security when using a software platform. As government agencies accelerate digital transformation efforts, AvePoint continues to prioritize FedRAMP expansion to provide the public sector with the AI-powered tools needed to secure, manage, and govern their data.

5. What are some of your observations about SOC 2 Type 2 reports? Do you see a common issue that often resurfaces?

In highly regulated industries like healthcare, for example, patient data protection is critical – and these organizations have more advanced compliance needs than private companies. The SOC 2 audit confirms that an organization’s practices meet the stringent information security and privacy standards, set in place by the American Institute of Certified Public Accountants (AICPA). In highly regulated industries, SOC 2 Type II certification is essential for vendors to prioritize – comprehensively reviewing security, availability, processing integrity, confidentiality, and privacy. 

To me, this process is similar to taking a newly purchased car to the mechanic to assure that it runs correctly – they can not only confirm that the car has all of its necessary parts in place but that it is in great working condition as a whole. Undergoing third-party certifications like SOC 2 is a long road, but it is necessary to build cyber resilience and data security in 2025.

6. How can companies be familiarized with the IRAP assessment? What are your observations about the initiative that aims to safeguard the Information and Communication Technology (ICT)?

IRAP Certification is unique to organizations in Australia and is similarly critical in helping government organizations in the region secure their data and digital workspaces. Conducted by the Australian Cyber Security Centre (ACSC), IRAP ensures the highest standard of cybersecurity and information security assessments for government data. Compliance to frameworks like IRAP can help organizations verify if a third party has security controls and practices in place to ensure the highest levels of protection for clients’ sensitive data. 

The process of IRAP Certification begins with connecting with an IRAP Assessor, who guides organizations through the process of evaluating their security controls. However, before even beginning this process, organizations should first ensure that their data environment is properly managed and governed and conduct their own internal assessment of cybersecurity threats/posture – to ensure that their security measures ‘practice what they preach’.


