The Secret CISO: Navigating the Human and Technical Challenges in Cybersecurity

Jun 14, 2025, 52 min

Episode description

In this episode of 'Cybersecurity Today,' hosts John Pinard and Jim Love introduce their unique show, 'The Secret CISO,' which aims to dive deep into the lives and thoughts of CISOs and similar roles, beyond the usual interview-style format. The guest for this episode is Priya Ali, CISO at Sheridan College, who shares her journey from engineering to cybersecurity, her global experiences, and how she manages her multifaceted role. Another guest, Mosen, Director of Cyber Defense in the financial sector, discusses his career path, which includes notable stints in entertainment and consulting. The conversation explores the pressing challenges in cybersecurity such as AI threats, burnout, and vendor tool overload, while emphasizing the importance of people skills and relationship-building within organizations. The episode wraps up with a promise of a follow-up discussion to delve deeper into the impact of AI on cybersecurity.

00:00 Introduction to the Secret CISO Show
00:51 Guest Introductions: Meet Priya Ali
01:59 Priya's Career Journey and Insights
06:44 Mosen's Background and Career Path
13:12 John's Career and Cybersecurity Evolution
15:58 Current Cybersecurity Challenges
24:04 Adapting to New Roles in Cybersecurity
25:36 Managing People and Preventing Burnout
27:08 Servant Leadership and Team Dynamics
31:16 Strategic Hiring and Team Cohesion
33:42 Handling Stress and Personal Well-being
35:46 The Role of CISOs as Organizational Psychologists
40:54 Influencing Behavior and Building a Security Culture
44:28 Coping with the Barrage of Cybersecurity Tools
51:10 Conclusion and Future Discussions

Transcript

Welcome to Cybersecurity Today on the weekend, and our show, the Secret CISO. The show is where John Pinard and I invite people in the CISO or similar role for a conversation about their work, the industry, but most of all about them. And if you're looking for interviews and questions, this isn't the show for you. This is a conversation that we have to get to know people and talk about things in a relaxed atmosphere. So we'll start with our introductions.

Now, this is a bit like a party at my house. Everybody out there already knows me, but we'll start by getting the guests' introductions. John, why don't you start? Sure. My name is John Pinard. I'm VP IT operations, infrastructure and cybersecurity for a financial institution in Toronto. I've been in IT for longer than I'd like to admit, but, yeah, that's me. Priya, great to meet you. Why don't you introduce yourself? Sure. Thank you for having me, Jim and John. Pleasure to be here.

Yeah, so I'm, you didn't tell me how long it should take, so I'm gonna take as long as you want. I know this marvelous editor, so you can take as long as you want to introduce yourself, take the whole show. We'll have coffee. No. I wanna hear about the great things you all do as well. Yeah. I'm Priya Ali. I'm the CISO at Sheridan College, here in Ontario. Very much in Ontario, Canada.

So I cover all aspects: information security, privacy, resiliency, compliance, and managed pockets of IoT security as well. I work very closely with my peers, not only in IT, but risk management, campus security, research, and other departments at the institution as well, including faculty. I do have a part-time role as well, serving as a key strategic advisory council member, as we call it, to my CEO and to the board. And I'm part of the pan-institutional Policy Review Committee as well.

And it helps me to understand all the policies the institution makes and then see where's the best fit, right? Like to be able to talk about technology and information security. So just before I moved to Sheridan. In total, I have about 20 years of experience in the space of cybersecurity, privacy, risk management, compliance, resiliency, and I will say data. And today, certainly AI governance. We can't not talk about AI.

And just in terms of my path into cybersecurity was not linear. I graduated with an engineering degree. I started my career as a software developer. Did that for about four years. And then two things I wanted to do. I did not wanna do coding and testing for the rest of my life. But I did wanna use my grounding in technology, so to speak, to do two things, right? One is to understand the intersection of technology with business.

And the second was, since I am a person that's motivated by challenges, I did wanna challenge myself to become a subject matter professional in another area of technology. That was up and coming. And at that time, this was back in 2010, back in India where cybersecurity was just being spoken about. So that's how I got my start.

After my software development experience, I went on to do my MBA and after that I landed roles with the big four consulting firms, with three of the big four, starting with Deloitte. Where again, initially I focused on enterprise risk management and then moved into technology risk and cybersecurity. But then before I moved to Canada, I spent close to a decade in the United States, advising technology giants in the Bay Area.

So the likes of the very large, well-known technology giants in the Bay Area; I won't name the names. After that I spent about six years in New York where I was supporting some of the most prominent and well-known names on Wall Street. Besides that, I've lived and worked in six countries outside of the US and Canada, some of them being the UK, China, India, and Spain.

And my journey has taken me from working with operational teams to build cybersecurity programs from the ground up to working with the senior leadership and the boards of organizations to be able to build robust and agile cyber risk and, really, resiliency strategies.

I'm very fortunate that I've had a lot of global exposure, and this global exposure has helped me to work in a multicultural environment by having a global mindset and really being able to work with people from different backgrounds and thinking styles, and being able to communicate to them in their language. It also does help with being empathetic and adaptable as well. So that's that. Fun facts about me outside of work: I write poems.

So that's my stress buster. I think we may all need a stress buster. I have about 35 poems that I've written in English, published globally. I am a wildlife nerd. What can I say? Especially with respect to predators. Besides that, I do love to travel. So I've traveled to over 20 countries and I do intend to increase the count. That's that. By the way, in preparation for this, I do have my mom visiting from India, and I was asking her, like, how do you describe me? Like, a few words.

And so she was saying there's a few things, outside of her knowing me as very ambitious and career oriented. I am someone who's motivated by challenges. I will say persistence is my middle name. It's important to be able to embrace failures, learn from them, but learn from them and pivot your approach every time. So I will say persistence is my middle name, and I strive for excellence and try to achieve perfection in everything I do. Wow. Yes, so that's me.

Another thing I will add is, outside of what I do at work, and where I met Mosen and John, and now you, Jim, is that I keep myself very active in the industry in terms of networking, in terms of actively speaking at conferences, panels, just sharing thoughts, brainstorming on ideas and all of that.

So I do keep myself active in the industry there, not only on cyber, data and AI topics, but DEI is close to my heart as well, especially when it comes to women empowerment, because, I'll say this, I've made a lot of mistakes in my life. I do wanna give back to the community. I strongly believe in paying it forward. So I wanna see younger people accelerate their career. So that's why I take the time to do it. When do you sleep? Okay. I'll be honest, I get asked that a lot. So no, I do sleep.

It's all about time management and prioritization, right? You need to be comfortable with the fact that some things can wait for tomorrow. And so how I do it is you are constantly thinking, you're constantly on your toes and prioritizing, right? What is it that I absolutely need to get done today versus the things that can wait for tomorrow? Otherwise, you're gonna end up with no. Wow. Mosen. How many countries have you been to?

I feel like I haven't traveled enough. I've been to a few too. I've been to a few, but, no. This is exciting. Good morning, everybody. Maybe I'll talk a little bit about myself. Like John, I'm also in the financial sector. So I'm a director of cyber defense. And over the past many years, I would say probably 25, I've been in the IT industry, going from one role to another. Just prior to my current role, I was with Walmart Canada, traveling to many areas.

And prior to that, I was in the entertainment and consulting sector. And I had the opportunity to work, and also to travel, in Europe, the US and the Far East as well. One thing that I can say is that over the course of many years, being in a leadership position and going from IT to IT security, I've learned so many things, and most of that relates to how you collaborate and communicate with your community. Same as John, yourself and Priya, I'm also participating in software community events.

So some companies such as Cyber X, Ivana, Gartner. And so those are some of the forums that I try to participate in. Back in the days at the inception of digital, I was part of the entertainment industry, basically creating the first standard for the MPAA, which is the Motion Picture Association of America.

Since then, I've done quite a few things in the movement of digitization of the organization, as well as protecting, and using the knowledge that I have to help others to also elevate themselves as well. Cool. Absolutely. So we've got a fair bit of experience here. This is good. I'm gonna learn a lot. Let's talk about, I want to dip into a couple things, and Priya, I wanna go briefly into this, but I do wanna ask the question because I've been a big proponent of women in IT.

I've taught in engineering schools, and I knew years ago. There are more women in engineering roles now. Thank heaven. You must have been pretty early in the game. India's a pretty straight-ahead country, pretty rigid in some of its aspects of this. What was it like when you told your mom and dad that you wanted to go into engineering? Did you get big support? Okay. Yeah, I appreciate the question, Jim. I will say yes, I did get support.

My parents were very forward looking, so they were like, you own your career, whatever you wanna do, right? Whatever you are passionate about, and also be realistic because at the end of the day, you have bills to pay. Let's be realistic, right? Have a real job. This is what they said. With respect to engineering, I'll also say this about myself: I did not initially start as a very academically oriented student. But I think things changed.

There's a few things that happened while I was growing up. There were some financial scenarios that we had to deal with that got me thinking. And then early on, like high school, about the time where I was like, okay, so I do need a good job. A good job means a high-paying job, so let's work my way backward. What does that mean? I need my scores high, right? Okay. So let's focus on my academics, right? So that's what happened, right?

It's because of some things that we went through while growing up. So that's one. Now with respect to answering your question on the engineering, no, like I said, my parents were like, whatever you are passionate about. And actually, why I chose it, Jim, was, I don't know if I should say this, but while I knew I wanted to become an engineer, with respect to honing in on which specialty? No. At that time I didn't know better. Right there, there was not really Google at the time.

There was certainly no ChatGPT at the time. I based it on, okay, so if I do this, this will be the potential career path. And then, so it's just about talking to people. And at the end, how I picked it, I was like, okay, so between computer science and electronics and communications engineering, there's a maximum number of people going for this. And I picked ECE, which was electronics and communications engineering, because that's where most of my peers were headed.

Yeah, my dad, when I told him I wanted to be an entertainer, and I actually was for quite a while. I still play music and things like that. But my dad gave me the great encouragement. He said, follow your dream, but learn to type. That's sound advice. And in the first computer rooms, the guys who could type were people who were desirable to have: you could do key punch, you could do testing, and you could be fast at doing that stuff.

Sometimes our parents give us the best advice, which is have a plan B, yeah. How about you? You had an interesting career. So you've gone through the entertainment industry and all this sort of thing. How did you drift into cybersecurity? I have to say, I come from a technical background. I have an engineering degree. When it all started for me, I always had the passion for everything tech. I have this lab in my place that I built: electronics. I built garage door openers.

I build CB radios and all kinds of things, everything electronics. I try to build and use them. So it was natural for me to gradually get into the tech sector. It all started with IT operations for me, and then, when I started with Deluxe Media Corporation, which is the entertainment sector, back then they were at the juncture of moving from the analog world to digital cinema. So I had a part during that migration to go from the analog format to the digital format.

So that was a big change at the time in the industry. A lot of things used to happen: movies get pirated and they are on people's computers before they actually get on the screen. We were tasked to make sure that does not happen, and that's where we actually started forming a consortium and building the first cybersecurity standard in that environment. Going into cybersecurity, I always thought that I can probably use my knowledge and have a little bit more impact.

Also, being a father and appreciating the world that they're coming to with the young generation, I always thought that I can make more impact, helping the people around me and people that I care about, the community that I care about, everybody that I care about, to actually have a better life and protect the most valuable assets that they have, which is their personal and organizational data.

Cool. And John, this is always weird with you because some of the audience coming here knows you because they've either seen you on Project Synapse or one of the shows that you've actually hosted here. Just a little bit of background on you, to orient people. Yeah, I guess at a high level, I started out as a programmer and have worked in a number of different industries, a number of different companies. I was joking with somebody the other day that I have never worked in the same industry twice.

Throughout my almost 40-year career. It's been interesting. I've worked in pharmaceutical, I've worked in healthcare, I've worked in non-profit, I've worked as a consultant. I think it was on the last show we talked about how did you get to be in cybersecurity. For me, when I started out as a programmer and probably until the mid eighties, the consulting company I worked at, we didn't even have internet. So cybersecurity wasn't really an issue when you don't have internet.

And things have changed dramatically since then. There were no cybersecurity certifications or anything at the time. And so for me it's all been self-taught. It's actually self-lived, because there is no better teacher about cybersecurity than getting hit with ransomware when you're working for a large conglomerate, that takes your entire organization down. I've lived through that too. I'm so old that I remember when we put passwords in. And then we still do, we still do. I was heading up.

No, but we didn't have passwords on any of our computers. When we first started, we ran a DEC mini, and that was the whole thing. And there were no passwords. Matter of fact, we had a program called Wipe. And usually you went onto the programs and you waited to get to, okay. And you click okay if you want the program to go. There's a program called Wipe.

And one of the guys, one of the managers there, on his last day wondered what it did, and you'd wait for the program conversation. You typed in wipe and hit return, and it had no okay on it. Like, we learned a lot by, oh. The stuff that happened in financial services in the early days, you would just laugh. But so, yeah. Because I was supposed to, I wanted to get some mainframe experience.

'Cause if you were on a mini, you didn't make as much; you wanted to get to the mainframe world. So I got a job working for National Trust at the time, and they had a fairly big trust system and all this sort of stuff. And then somebody came up to me and said, that lady over there, she works for you. What'd she do? Security. Oh, okay. We had great training in those days. She worked for you, anyway.

Yes. So we've all come to this in a different way and we've come to this world where we are bringing all that experience. What I'd like to do is just to focus a bit on the current world and the challenges that you see, and they don't have to be the classical ones that everybody talks about, but what are the big challenges that you see in the world of cybersecurity and IT today? Mosen, do you wanna start? Yeah, sure.

So as everybody mentioned, we do participate in events and conferences. So one of the conferences that is really dear to me, that I try to attend whenever I can, is the RSA conference. So this year I had the opportunity to actually be there, with more than 45,000 other people, leaders from around the world.

Some of the key messages that I heard, that I think still make sense for many other organizations, is the challenges that we have today using AI, AI being both a threat and also a friendly tool. So that's a big challenge that is in front of us. Like any other time that there is a sort of evolution or a change in the tech sector, and more noticeably now with what is happening in the AI world, there are two aspects of it.

One is the good side of it, one is the bad side of it. So how you deal with that, I think it's at the top of a lot of the conversation today. One other thing that I also noticed was at the top of the agenda was how this fatigue with many aspects of SOC operations is actually kicking in. So there is a lot of burnout.

There is a bit of a shortage of talent, and the companies get inundated by various types of alerts and events, and they have to start making sense of it and how they protect their organization. So that's also a big challenge at this point. The last thing that I'll mention as part of the top three is basically platform consolidation. Many of us, through the work that we have done, put in many tools and platforms and try to stitch them together.

This is becoming a bit of a challenge for everybody, including myself, to actually start making sense and have these platforms talk to each other and consolidate them. Because at the end of the day, it is the speed and agility of the response that really is important when something potentially goes wrong. Yeah, we'll come back to that one, because I think it fits into burnout as well: just the number of things that we have to master.

Priya, what are your top three? Sure. Yeah, I'd say first of all, completely agree with all the points that Mosen mentioned. So three things. Number one, starting with, outside of the gen AI part, we continue to live in a hyperconnected world, right? And when I say hyperconnected world, it's not only organizations using multiple cloud partners. It's also remote work.

It's a lot of usage of IoT devices across the board and a lot of third-party, fourth-party, fifth-party, whatever, integrations, right? So it's the extended, I will say, vendor slash business partner ecosystem, as a result of which, as cyber defenders, our attack surface just exploded. So that is one top challenge.

And then the second point that comes to mind is just unpacking recent cybersecurity incidents and also paying attention to what's happening on the global stage: there's a lot of geopolitical scenarios and tensions emerging. Hackers are continuously evolving their game, where it's not just the data or affecting one institution. The motive can be to look at an economy as a whole, multiple economies as a whole, right?

And attacking the weakest point to be able to cripple us, right? So again, I don't mean to sound like a doomsday person, but again, like, we need to build our immunity, right? Like, it's not a matter of if, but when, so my focus is around cyber resiliency. It's not just cybersecurity risk anymore. It's around resiliency, being able to bounce back within your times and keep your business operating. The third part I will say is, we are in an inherently digital environment today, right?

For everything. It's a phone, it's a button click away on the laptop or on the phone. And we live in a globally connected system. So I would call ourselves, the cybersecurity teams, we are not just insurance for the business anymore, right? Like, we are the business enablers. And so to this effect, what I have done internally, I know we're talking about challenges, but I'll also give you a window into what I've been doing here at Sheridan, is that, just in the Canadian higher education sector.

It's not as heavily regulated as financial services. I spent the longest time in financial services. So I miss regulations, I'll say, if I can be honest. But that said, I've had to come in and pivot my approach, where I focus on building relationships not only within IT, within HR, finance, but also across the business lines, because you do want them to see you as a business enabler. And I focus on building relationships with them through my credibility and not being the naysayer all the time.

Hear them out, understand their use case. And there can absolutely be a middle ground that can be arrived at. So being able to build those relationships through credibility and also showing that you can speak their language, right? Speaking the business speak. Yeah. Good. John, what's your reaction to all this? I agree with everything that Mosen and Priya have said, especially the gen AI. Based on our other podcast, I love AI.

I think it's an amazing tool, but it can very easily be used against you, and it is being used against you. It's escalating the intensity and the speed of cyber incidents. So to me that is definitely a big one. One of the things that I wanted to add too, though, is people. And I'm not talking about hackers, I'm not talking about external people, I'm talking about internal, within your organizations, and it's not intentional, but it's just the lack of thought, right?

Just in the sense that they get an email, they see a link, they automatically click on it, click first, think later kind of thing. That's what comes back to really bite you, is that people don't think enough.

And we've spent an awful lot of time with training and education in general to our staff on: think about what it is when you get an email that's got a link or it's got a QR code or it's got something; think about it before you touch it. It was actually very relieving, because we ran a phishing campaign a couple of days ago, and I had three people that normally would click first and think later actually come up to me and say, I got this email. It looks odd to me. What should I do?

Ooh. So that was, I have to, it's such a small thing, but I have to tell you, it was the highlight of my week. Yeah. Don't you wish, when people ask that question, you had someplace in your drawer where you could reach in, pull out $200 and say, take your family to dinner and celebrate the fact that you're great. Yes. That's a piece. Let's start with that. I promise you, we won't let AI get away from us. Let's start with that, because.

My perception is right now that a lot of us had a technical background, and I had those corners broken off me by a great woman coach that I had partway through my career. 'Cause I thought of the world as the army when I started out in business. It was the army. We did things in IT. You did them, you were told, you just did them. Then we met all these people in the business and they didn't actually listen to us. That was a big revelation for me.

Somebody gave me a book called Power and Persuasion and said, Jim, they're two different things. But we have to deal with the humanity in that, the burnout and things like that. How have you adapted to this new need to be either an organizational psychologist or whatever you want to describe that? How has that changed how you think about your job, and how have you adapted to that? Mosen, do you wanna start?

Sure. So this is an area that is becoming top of mind more and more as we go through our hiring practices, through evaluating who actually can do the work for us. I think there is merit to the fact that we need to hire problem solvers rather than technical people. There are certain disciplines where you do need that huge technical background to actually do the work. But for a lot of other things in the cybersecurity world, you actually need those bright minds.

You need those people that can actually maneuver through many areas of the organization. They are willing to participate in the business mission and drive that business mission forward. They are willing to participate as a team. They're prepared to take your security agenda to the highest level of the organization and basically be a voice for things that you would like to do.

So I think there is a lot of merit in the fact that those people with people skills, and those people that can actually talk and solve problems, play a big role in cybersecurity practice today. And in a world where there's a shortage of those people, that presents a real challenge. Priya, how do you deal with that? So is your question around burnout or around managing people? I think you came out of one of the big five firms. You know what I'm talking about. We did what we were told.

And now there's a whole new world out there that we have to persuade, including our own staff. Holding onto good people is not a matter of what it used to be, that people applied for a job and they stayed with you for a long time and you gave 'em their annual review and all that sort of thing. We have to motivate them. We have to deal with burnout, we have to deal with persuading and educating, as John pointed out, the user community.

I was a prof and taught at a number of places, and the politics of education have defeated many people. They're complex organizations where everybody's smarter than you. Everybody I dealt with when I was doing the university aspect was really smart. So you have challenges of persuading people in those environments. So how do you deal with the people issues? And the reason I separate that out is because we started in technology.

I mean that we learned technology, we spent our time in tech, and suddenly we have to become real experts at people and behaviors. Yeah, that's the longest question in the world. But no, it's not the longest, but it is loaded. So I'll say, with respect to people management, yeah, you're exactly right. Now, with respect to the job market and with respect to all the other perks, right?

Outside of salary, like hybrid work and things like that, the individual's preferences too have changed, right? For example, if an organization does not offer any hybrid work, even if they pay me a million dollars, say, yeah, I'm not gonna take it.

So I guess with respect to people management, my style is that, and again, I don't mean to throw the book at you, but there is a philosophy of servant leadership, right, where I do my best to be a servant leader, right? Where I am there to serve the team and be that enabler, right?

Where I trust my team, I make them feel empowered, but at the same time, I am accommodating in the sense that typically I do get an understanding of the things they wanna work on versus not: the tasks they wanna work on, the projects they wanna work on, their work preferences, hybrid versus onsite.

Of course, making sure you meet the company policy, and the communication preferences and styles. So typically, before I start working with my immediate team, directly reporting to me, or my extended team, I have a one-on-one conversation with everyone. So I understand the person as a human being, right? More than what they bring to the organization, just to understand what makes them tick, right? What's their life like? Like, for example, do they have a family here?

Did they grow up here? And things like that, right? Because at the end of the day, my philosophy, Jim, is that if at all anyone has a question or problem or challenge, work related or not, I want them to be comfortable enough to be able to pick up the phone and call Priya, right? So that's how I build the relationships. I will say it is not at all easy, right? It's never a one and done. You've got to keep the relationship alive. You've got to keep it going, right?

And you've got to be accommodating as well and help them. Like, for example, today, what's happening in the higher education space here is, yes, outside of the super smart people in the room, there's international student quota restrictions, right? As a result of which there's a lot of Canadian colleges, Sheridan included, where we're quite tight financially, where we're really needing to take a hard look at our finances, right?

And one of the quickest ways that finance reductions can be met is headcount reductions. That's just, truth being told. So there is a lot of anxiety and uneasiness in the environment, not only within my team, but also outside. But being able to be there for them and being able to hear them out and support them and offer them advice, not only as their performance manager, but as their true, outside-of-work, even career coach and mentor, has worked well.

So I'll say, in summary, just be a real human being with a good heart. John, you work in an environment that you try to keep quite personal, but the question I keep coming back to, because I totally appreciate servant leadership, I totally appreciate understanding people, but the reality is there's the nuts and bolts that we've gotta do. There are rooms where people watch and they get alerts, and they have to make sure they track them down.

And they may not find personal fulfillment in that, but it's the work that's gotta get done. How do we keep our own staff motivated and avoid pressure and burnout? Yeah, that's a tough one. I have dealt with that for the last three years where I am now, that organizations are looking at tightening the purse strings, which means either letting people go or not hiring additional people.

It means doing more with less, and that's a difficult task when you have a finite number of resources and you have to juggle getting the work done and preventing burnout. I'm extremely lucky in the sense that I have 13 people that work for me, and I would say that every single one of them is extremely dedicated to their job, to the point where I don't have to ask anybody to put in extra time to do a job.

In actual fact, I have a few of them that I actually call on the weekends when I see them online and tell them to get off, that they need to have their own time that's outside of work. It's tough. One of the things Mosen had said was, when you're hiring people, is hiring strategic thinkers. And I would agree completely that you can teach. From an IT perspective, you can teach somebody how to program in a certain language or how to manage portions of a network.

It's very difficult or impossible to teach someone how to be a strategic thinker. You either have it or you don't. So you know it, when I'm recruiting, one of the things that I do is it's not only do they have the skills to do the job, it's are they a good character fit? Are they gonna fit in well with the people that are already in my team and at the organization? And can they think on their feet?

Do they have that ability to be a strategic thinker, that it's not just, oh, I'm doing this because of this, it's also I'm doing this because of this, but if I do that, what impact is it going to have? Not only within IT, but also on other areas of the business? Yeah. So can I just add one? Absolutely. Point to that. Yeah. John, I completely agree with what you and Mosen said, especially on the strategic thinking aspect of it. Yeah.

Like when I hire for the team as well, yes, I do look for some foundational technology, foundational cybersecurity knowledge, but then that's not all right. So it's really around strategic thinking. But then some of the things I try to gauge in an interview process are someone being a self-starter, someone being open to learning, because. Let's be honest, we are all learning as we go. And it would never stop.

So someone being very open to learning and learning quickly and exactly like you pointed out, being able to gel with the team. Because the last thing you wanna have happen is you have a tight, cohesive team working well, in autopilot mode, and then you have a new person coming in and being disruptive. So being able to gel with the team. Absolutely. Being a self-starter and being open to having the intellectual curiosity to learn and get the job done.

Okay. And Mosen, I'm gonna give you the last word 'cause you obviously have, you're just rolling in dough. You have no problem with resources. You just hire anybody you want, right? How do you cope with this situation of scarcity, burnout, motivation, and the hiring that we talked about? So when I think about the burnout and the fact that everybody has to do so much every day, I usually think about life's ups and downs. There are so many ups and downs in life.

There are so many stress factors in our own lives that, when things happen and things go a little bit haywire, I try to approach it from that point of view. So say, this is just another aspect of the way of life. So I be, I have to be able to manage it. Same as what Priya mentioned about writing poetry. You have mechanisms to actually cope with that kind of a stress. You participate in sports. I do a lot of playing instruments, more specifically guitar, lately. Priya can be the lyricist.

We can do a jam night. Will be, Yeah. We can do a jam night, jam. Alright. Yeah. So I think music saved me. I was very driven, I was very worried for most of my career because of the pressures that I would have, I always felt like a bit of an imposter through my whole career because I was always advancing. And I'd get there and I'd go, how do we from, I can do this from, yeah.

But if I bring it a little bit closer to home, like from a point of view of, looking at the organization and the team, I try not to, one thing that I really try hard is not to add to the stress level that is already there. So I try to be helpful. I try to create process not to do the same mistake twice. So if I can do all that and not have to be extra stressed that everybody experiencing, I think I'm a little bit ahead of the game.

It took me a long time to learn that, and I'm just being honest about it. You have to choose who you're going to be under pressure and, if you're driven, you might not respond in the ways that leaders should behave. And that took me a long time to learn. But I think, as I said, music, poetry, John, you're an outdoors guy. I know that, and you do a lot of stuff as well, but getting away is something you have to, not just phoning the people out, telling 'em to get away on the weekend.

You have to phone yourself sometimes. Yep. I wanna flip this a little bit and talk about, because I think there's a new role for CISOs and I think we're all adapting to it, and that's of the organizational psychologist and somebody put this together, and I got the greatest insight into this when we were thinking about this and said, we want people to behave in a certain way so that we can combat social engineering.

But in reality we're social engineers, we're trying to get people to behave in a proper way. How have you reacted to that? How have you understood that? What is that? John, do you wanna start? Yeah, I think, I have never really thought about it that way, but yes, you're right. We are social engineers in the sense that we are telling people what they can and can't do and how they're supposed to do things.

I think we have to though that, in an environment where we are, my staff or other employees at our organization, I can make suggestions as to things that they should or shouldn't do on their personal computers and in their personal lives to protect their own data. But at the end of the day, they can go do whatever the hell they want, but when they walk through the door or when they turn on the company computer, we have to dictate what, what is acceptable and what isn't. To keep our data safe.

And in our case, because we're a financial institution, keep our members' data safe. Priya's gotta look after the students and the faculty. Mosen is in the same boat as I am, that we have, we look after people's money. I think one of the things that we try to do where I am is not only educate people about why you have to do things a certain way at Duca, but also why you should be doing it, period. In other words, why do I need to protect my data? Why do I need to not click on things?

Because we're trying to educate them about, safe and effective use of computers in general. So that they will go home and do the same thing and, hopefully share it with their family. I did this for years with my father that I would call him up and go, dad, you're gonna get an email from somebody that says to do this, or somebody's gonna call you. Don't fall for it.

So I think it's trying to educate our staff, but not only for work purposes, it's to try to make things better for them across the board from an IT perspective. I get financial advice from people that I work with that are on the financial side of the business. They're doing that to help me on a personal note. So why shouldn't I do the same thing for them from an IT perspective? Priya talked earlier about giving back to me.

This is one way to give back is give back to the people you work with, give back to your friends, to help to educate people on, the things that we have learned throughout time within our IT slash cyber world. Oh yeah. Awesome. Yeah. I can, relate to that. Definitely I, in a world that, we, it's so fast paced and the way that we are expected to perform at work, we don't pay a lot of attention to that chemistry between people.

So a lot of times, we simply get dropped into certain tasks or projects and we wanna see it from start to finish. But there are a lot of nuances in between how you can actually get a more productive environment in place, how you can actually have people talk better to each other. A lot of what we do, we bring many things from home to work. We bring many things from work to home, so that area of separation between the two is becoming thinner and thinner. So I think that there is definitely.

A reason that, organizations such as ourselves, we are actually paying attention and we are hiring psychologists to actually come.

I have to give you an example that happened to us not too long ago, maybe a couple of months ago, that there was this chemistry between a couple of teams that wasn't really quite working, and there was a bit of a friction, and we actually had to sit in the room and we have to put everything on the table and we have to, be a little bit candid about each other and the way that we want to put, certain guiding principles in place.

So I think all that, has a place in this fast paced, environment that we live today. Interesting. Yeah. Hard to do that over Zoom or teams, eh, very hard. Yeah. Priya, what do you Yeah, sure. So I don't know if I can, I, I think Mosen and John have covered it all yeah. A couple more things I'll say in terms of influencing behavior. I, I will say, yeah, culture, that, that was mentioned. I think John was alluding to that.

So with respect to culture, some of the things we do are certainly training, phishing awareness trainings and phishing awareness campaigns, and also the information, security trainings, that we do. And it's not only to staff, it's also to students and to students, and staff of course. Yeah. We speak to them in their language, right? And in fact, for students, like we have dedicated, as opposed to sending them a link, we do awareness sessions for them.

And we did quite a bunch of them very recently, where it's to talk about, because their lives are very different with respect to what we do, right? So there it was to really double click and talk about these are the different types of social engineering attacks. Extortion is a thing, right? So that's one. And then we also spoke about, deep fake scams. Be careful about what you post about what pictures you have on there, right?

Because, again, we all know based on CrowdStrike's most recent report, social engineering scams are on the rise, with vishing-related scams enabled by deep fakes going up by 400%, right? So we bring that back and say, deep fake, watch out. Be careful about what you post. Stay vigilant, stay suspicious. Stay vigilant in terms of like, when you look at an email that looks weird, right, from an unknown sender and it's too good to be true. For example, click this link to win a million dollars.

It's too good to be true. So exercise the caution to be able to do that, right? So I would say that works, right? Like from a culture, perspective. So again, like we tailor that to different levels of the audience, right? Again, like we have it for faculty, for students, and for the executive teams. Tabletop exercises work very well in terms of being able to.

But then that is great in terms of bringing awareness that it's not a matter of if, but when, so let's just make sure we build the muscle memory today so that when we know if something were to go all right down the line, everyone knows what exactly to do. So that's like from a culture standpoint, I will say, in terms of influencing behavior, back to your point, I think that's why we have policies, right?

And I think John alluded to this, so the acceptable use policy, and we have an information security policy as well in terms of, how, in terms of talking about appropriate use of the network, of your devices, of the data, how you access sites, what you need to be careful about. So that's the second thing. And then the third thing I would say, similar to what I mentioned earlier, and I think both John and Mosen alluded to this, was, is around being a business enabler, right?

When in doubt they want to reach out to you, right? When in doubt they wanna reach out to you. And when they're looking at a new solution, for example, because you are not seen as a sledgehammer, they're not gonna go around you, they're gonna consult you. So that is what I wish for that to continue. But again, I think that's where, those are some of the things that we can do from a behavioral aspect in terms of influencing behavior and telling them why it matters in their language.

So this has been a fascinating conversation. I'm cognizant we've only booked you for about an hour, so I wanna make sure we get through. Can I invite you back to talk about AI? Because I think if we started talking about AI right now, you wouldn't be able to get back to work for the rest of the day. Can we do part two?

Yeah. Sure. I can probably, in a different conversation, give you a few examples of some of the things that I've been involved with and some of the learning that I've experienced over the past year or so. That'd be great. So we'll pick that up. But I want to do one thing before our hour is up, and that's, it's a lightning round because we talked about it, and this has been a fascination to me.

I once saw a picture of all of the tools that are available for cybersecurity, and it was a huge poster. Everything was so small I couldn't read it. There are tons of tools, and how do you cope with the constant barrage of new tools, of all of that, especially, there's just all kinds of pressures. How do you guys cope with that? Do you want me to go first? Sure. Yeah. Yes. So I alluded to the fact that, and if you have the answer, we can all go home.

No, I don't think I have the answer, but I can probably, guide myself in the right direction. Yes, this is a challenge. I think I mentioned at the top of the call that, it actually being brought up at the highest, forums and all the conferences that this is starting to become a challenge.

You, every time that you go to these vendor events or conferences, there are tons of vendors that are trying to sell a product or they wanna bring you in as part of the pilot group to test it and so on. So I think it's a big challenge for all of us to make sense of this diverse number of tools that we have. Yes, they do serve a purpose. But is there a better way of handling them and having them talk to each other?

Can I potentially combine two of them that each do 20% of that work for me and get a collective 50% from one? So there are definitely a lot of synergies to be had. And this is something that I'm really deeply looking at today in my portfolio to see how I can actually make sense, because there are a lot of these tools that have low utilization, like they have so many features, but guess what?

We only use two of the 10 features that they have and the rest of it we just leave for who knows when we actually get to it, and we never do. So there is definitely merit in all that, to make sense of all these, the tool stack that we have, and consolidate the best we can. That's an interesting observation.

If you just went through all the tools you had and find out the things you weren't using properly, and before you buy something new, or before you even look for something new, that'd be that, sorry that it's obvious, but it's something I think. Yeah. I challenge my team say rather than going to after a new tool, see if that, area that you're not utilizing an existing tool can actually be utilized.

In the old days when we had software, it used to come in cases and things like that, we'd do inventories and I'd go back and find things, and we made actually, as consultants, this was a great way to make a lot of money: go do a software inventory, find out the stuff they bought but aren't using, tell 'em to cancel it. And the savings were astonishing because people buy tools all the time and then they forget about them. Yep. Good stuff. Priya, what do you think? The shiny new toys, right?

not be subject to that, but then really taking, so two things that I do is, certainly completely agree with what Mo said, making the best use of our existing in-house tools. That's one. And then let's just say if there's a new tool in the market, and I know that, sorry I'll just take a step back. First thing is making use of the existing tools you have. But the second thing is going back to first principles, right?

Like for example, understanding what your crown jewels are and knowing which controls need attention. That's one angle I use. Another angle I use is, are there any blind spots? So if there's any vendor solution, like for example, DSPM is on the market, right? Everything has an SSPM, it has an SPM in addition, right? Data Security Posture Management, that seems to be the new acronym added to the cybersecurity alphabet soup. We desperately needed another acronym.

I'm so glad the alphabet soup continues to grow in our world. Are there any blind spots for us? And there's a tool that can help us point attention to that and be able to enforce control there. That's another area as well that I look at, right? And for that, of course, you need to understand what your known control failures are. You need to have visibility into your environment. So say that.

And then the third angle is, this is again, making sure that you have a defense in depth approach, right? It's not just passwords. Make sure you have your PIN, your MFA and all of that. With respect to looking at vendor tools as well, if there is a tool or solution that can give it all for me, sure, why not? So those are the things I think about. And this goes back to what Mosen said. Sometimes the new acronym is the old tools renamed as well.

I think this is a real danger we run into. Somebody said this in one meeting, they were meeting with their management team, and then somebody looked at them and said, nothing that another $250,000 won't solve. And we can't be seen as Dr. No anymore, we can't be seen as Dr. What's Money. You know what, Moneypenny, I think was the other James Bond hero that we could try not to be. John, how do you cope with all of the onslaught, the tsunami of tools?

Yeah. I think for me, one of the things that I work with my team on is, don't get blinded by the shiny new tools that, there's every time you turn around, like I get probably 20 emails a day from vendors trying to sell me the newest tool that's gonna save my day. The fact is my day is spent maintaining what we have to ensure that our environment is safe and secure. And if the tools we have are working, the old adage, if it ain't broke, don't fix it,

somewhat applies. In an ideal world, you would have one tool that does everything. But one of the things that I've found is that's like a silver bullet. There are very few of these one-tool-fits-all things. You have to have at least a few different tools. And, using the ones that work for you, right? What we use may not work for Priya or may not work for Mosen, and they need to go and find the tools that are best suited for their team.

But once you've got something, as long as you're making sure that it's keeping up with the new threats, to me that works. That focus on making sure that you're secure rather than making sure that you've got the latest and greatest of all the new toys. And on that note, that's our hour. I wanna thank you Mosen, Priya, John, I wanna thank you for joining us and for being so open on this.

And I hope I haven't put you on the spot, but I'm going to, with all the people listening, I really do wanna do a part two of this and we'll try and do it as soon as we can. We can schedule it and we'll talk about AI, 'cause I think that will, at least, that'll take a lot more time. And all of you who've been listening out there, thank you so much for your time. You had other things you could have done on your weekend, but you're listening to this and we're glad for that.

If you have comments or questions, you can send them to me. You can reach me at [email protected]. That's [email protected]. I'm your host, Jim Love. Thank you for listening.
