Breaking Barriers: How Ana Aslanishvili is Redefining Security Leadership in America, One Team at a Time

In the ever-evolving landscape of security, where threats are as complex as the strategies used to combat them, we often find inspiration in those who not only excel in their field but also pave the way for future generations.

This article shines a spotlight on Ana, an extraordinary security leader whose journey from a first-generation immigrant to a pioneering force in the realm of red teaming serves as a powerful reminder of resilience, innovation, and the impact of inclusive leadership. In a field where many tend to overlook the human element, Ana stands out by emphasizing that people are at the core of effective security measures. Her unique approach combines the principles of psychology and behavioral science with her hands-on experience, proving that safeguarding organizations isn't just about technology and protocols—it's about understanding the people who drive them.

As a member of the board at the Center for Advanced Red Teaming (CART) and the former builder and leader of Silicon Valley's largest physical red team, Ana is not only redefining security practices but also advocating for a future where physical red teaming is recognized as a vital profession. Her contributions to security publications exemplify her dedication to sharing knowledge and demystifying the intricacies of red teaming, making the field more accessible and understandable for all professionals.

Join us in exploring Ana's remarkable journey—one that not only highlights her professional achievements but also her unwavering commitment to fostering a more inclusive and proactive security culture. Whether you’re a seasoned professional or just starting, there’s much to learn from her dynamic perspective on security and the critical role of human insight in an increasingly complex world.

Enjoy the read! Our Q&A follows below.



Ana Aslanishvili

1. Could you share with us a bit about your background and what sparked your interest in the security industry?

I was born and raised in the Republic of Georgia, which at the time was going through a significant transformation in its messy divorce from the Soviet Union. As Vegetius famously said, if you want peace – prepare for war. My childhood and adolescence were punctured with periods of civil war, revolution, coups, invasion, government turnover, and any other civil and political unrest you can imagine. Through all that, and despite not having much, I felt safe and protected within the community that made a better life possible for me and my family. Whereas security was never my destination, looking back on my career, I see a throughline of wanting to help people and to improve their circumstances, which ultimately led me to the proactive security space that I am working within today.

2. What are some of the most significant challenges you face as a security leader and social engineer, and how do you overcome them?

My two seemingly disparate roles, as a harmonizer and an advocate of security controls and decisions and as a stress tester of them, inform my perspective from both sides of the coin. The biggest challenge I face in both of those roles is ultimately the same: the opportunity for success hinges on the security culture of the organization. As a security leader, I advocate for functionally integrated layers of security, informed decision-making, and evidence-based security controls. As a social engineer, my job is to look for gaps within the security posture of any organization – any misalignment of people, processes, and technology controls leads to an opening for me to exhibit adversarial behavior and cause hypothetical harm. Holistically secure, informed and adapted, stress-tested, and aware organizations all share responsibility between security and business groups to reduce risk to things that matter. Without this partnership, the overall security posture suffers, and my job as a social engineer gets significantly easier.

3. How do you form and lead teams committed to loss prevention and proactive security?

Red teaming is both an art and a science, and building teams with the correct ratio of experts who complement each other can be at times challenging. What we look for is the right mindset, team spirit, and an alignment in values. Whereas many aspects of the job require a specific technical skill and deep expertise, many skills can be taught with the right attitude and disposition. So, I choose to focus on aptitude rather than attitude. At my company, Pine Risk Management, we live by the value that diversity of opinions, backgrounds, perspectives, and experiences leads to better decisions, better ideas, and better outcomes. This is true for people dynamics as much as it is true for organizations, regardless of their size. At the end of the day, people are people, and some things are universal. It takes time, dedication, perseverance, and a lot of communication to build a team that operates as one, shares the vision, achieves the mission, and, most importantly, is not afraid to debate and disagree along the way. If you invest in the right people, the outcomes will speak for themselves.

4. How do you foresee the growth of physical red teaming in the future, and what role will it play in shaping the security industry?

For starters, let us define Red Teaming (with the acute awareness that most practitioners will not land on the verbatim description). Physical security red teaming is stress testing security: testing a security system with the goal of improving it. This is done by taking an adversarial approach and looking at the organization (and what it sets out to protect) through the eyes of a threat actor whose intention is to cause harm or disruption. There are many threat actors, and they have many tactics, so understanding your organization’s unique threat landscape is key. We call this threat modeling. In our age of ransomware attacks and cloud computing, it can be easy to discount the importance of physical security measures; however, digital security rests firmly on the security of doors, locks, hardware, and access control measures protecting your servers, infrastructure, and data centers. And many of these controls involve people. So, we focus on stress testing the process, technology, and people to truly understand how the security system works holistically. Red teaming sets out to look at the whole picture, assess how the unique layers of security interact with each other, and how they perform under duress. The goal is to identify the gaps, assess efficacy, and prioritize fixes for any uncovered vulnerabilities based on their criticality. If used correctly, red team findings provide the necessary insight to accurately prioritize the long list of remediations and fixes that the defensive team (the Blue team, or usually the entire security department) constantly has to contend with. No other team – not guards, and not even the audit team – conducts the hands-on testing of all layers of security and the many controls within them.
Unlike in the cyber realm, in physical security, there are very few opportunities to test incident detection and response without a true incident. Red teaming is a realistic yet simulated incident, from an adversarial perspective – and a service no other team in an organization performs. By regularly testing our security measures, we can ensure that our security programs remain resilient against evolving threats rather than relying on past success as an indicator of future safety. Investing in red teaming is an investment in maintaining and improving our security posture, ensuring that we’re not just hoping for the best but actively preparing for it. It is my belief and my hope that more companies begin leveraging this service to safeguard the things that matter to them most.

5. For young professionals with an interest in the security industry, what advice would you offer, especially for women breaking into the field?

Once you do this work long enough, it can be difficult to remember our feelings and thoughts as young professionals, yet I find there are a few pieces of advice I have carried with me through the years that can shift perspectives regardless of your professional standing and tenure.

  • Show up authentically. In a corporate world that loves smoke and mirrors, this approach is a breath of fresh air we all need. Have an idea? Share it. Don’t necessarily know an answer to a question, or maybe even what the question is about? Raise your hand and ask – some others may be wondering, too. Notice an assumption in a project or a meeting? Call it out. The success of these tactics hinges on a strong team culture built on psychological safety and trust – a team open to feedback, growth, and a diverging opinion is where you want to be.
  • Meet people where they are. Prepare for meetings, take notes, understand your audience and their goals, and try to relay what you know to be true in a language that your stakeholders can understand. For technical roles, this may mean translating your challenges to business impact. For security folks, this notoriously means justifying the absence of security incidents as an intended positive consequence of a security budget.
  • Realize that your skillset and lived experience are unique and make you equipped to bring forward perspectives that others in the room may not share. Though it can feel intimidating at first, it is important to share those insights. Diversity is critical for many reasons, chief among them the variety of thoughts, opinions, and lived experiences brought by humans who were raised, born, or lived in environments different from ours. This makes teams and organizations stronger.


If you find this content helpful, please share it with your friends and peers.

Abraham Desantiago



Carol Anderson Martinson

Senior Leader + Consultant at Intentional Security Design: Security | Risk | Asset Protection

4 months

Wonderful article about a very talented person and security practices we can all learn from and use.

Ana A.

Red Teams | Protect - Innovate - Educate

4 months

Thank you for the lovely writeup and a great interview, Abraham Desantiago. Wonderful to see you at #GSX2024!
