All posts by Cindy Ng

[Podcast] No Data Left Behind

[Podcast] No Data Left Behind

Over the past few weeks, we’ve been debating a user’s threshold for his personal data seen in the public domain. For instance, did you know that housing information has always been public information? They are gathered from county records and the internet has just made the process of gathering the information less cumbersome. However, if our personal information leaks into the public domain – due a security lapse – it’s still not as serious as, say, a breach of 2 million records. The point is that many security experts will remind us that there is no perfect security as lapses and breaches will happen.

Meanwhile, I bemoan that no data should be left behind (all data should be protected!) and discuss my concerns with this week’s Inside Out Security Show panel – Mike Buckbee, Kilian Englert and Forrest Temple.

Additional articles we discussed:

[Podcast] How Diversity & Inclusion Drives Innovation and Market Growth

[Podcast] How Diversity & Inclusion Drives Innovation and Market Growth

In part two of my interview with Allison F. Avery, a Senior Diversity & Inclusion Specialist at NYU Langone Medical Center, she clarified common misconceptions about Diversity & Inclusion (D&I) and offered a framework and methodology to implement D&I. She reminded me, “You should not be doing diversity for diversity sake.”

I’ve put together a few interview highlights below. By the way – they’re perfect for cutting-and-pasting into an email to your company’s HR executives and other C-levels!

On Recruitment Practices: Hire for Diversity or Skillset?

I’m going to challenge your question because thinking in that way dichotomizes two very critical ideas. It feeds into this mythology that diversity is lowering standards or is a compromise.

If a candidate has potential, capacity, ability and aptitude to learn new skills and someone you want to invest in – hire her. Don’t just look at people that have the hard skills today. Business climates are always changing and you need someone who is flexible to those changes. If you just look at just diversity or just skill, that’s not the model you would want.

On the Benefits of Diversity & Inclusion

If you truly understand Diversity & Inclusion appropriately, and know the actual benefits – i.e. better financial gains, better product and software development, new niche markets developed, greater capacity, enhanced creativity, better innovation. When you really understand that, it benefits everyone.

Albeit – it might make things more challenging. Because the more diversity, the more challenging things are and you have to work a little bit harder. But it really should pay dividends, make your company more lucrative, and the people who work there would and should benefit from that.

Embed this infographic on your own site – copy and paste the code below:

<a href=""><img title="Diversity & Inclusion with Allison F. Avery - Infographic" src="" alt="Diversity & Inclusion with Allison F. Avery - Infographic" width="650" /></a>

diversity & inclusion

[Podcast] When Our Reality Becomes What the Data Says

[Podcast] When Our Reality Becomes What the Data Says

In our “always-on” society, it’s important that our conversation on IoT security continues with the question of data ownership.

It’s making its way back into the limelight when Amazon, with the defendant’s permission, handed over user data in a trial.

Or what about that new software that captures all the angles from your face to build your security profile? Your face is such an intimate aspect to who you are, should we reduce that intimacy down to a data point?

I discussed these questions with this week’s Inside Out Security Show panel – Forrest Temple, Kilian Englert and Mike Buckbee.

Additional articles we discussed:

  • Leaked data tranche of 8,700 documents purportedly includes tools that turn smart TVs into covert surveillance devices.
  • Spammers expose their entire operation through bad backups
  • Inside the TalkTalk ‘Indian scam call centre
  • A sysadmin told the courts he was authorized to trash his employer’s network
  • Google accidentally spreads fake news


[Podcast] How Infosec Can Implement Diversity & Inclusion Programs to Address Workforce Shortage and Make More Money Too

[Podcast] How Infosec Can Implement Diversity & Inclusion Programs to Address Workforce Shortage and Make More Money Too

Data breaches keep on happening, information security professionals are in demand more than ever. Did you know  that there is currently a shortage of one million infosec pros worldwide? But the solution to this “man-power” shortage may be right in front of and around us. Many believe we can find more qualified workers by investing in Diversity & Inclusion programs.

According to Angela Knox, Engineering Director at Cloudmark, “We’re missing out on 50% of the population if we don’t let them [women] know about the job.”

For skeptics: creating a more diverse workplace isn’t about window dressing. It makes your company more profitable, notes Ed Lazowska, a Professor of Computer Science and Engineering at the University of Washington-Seattle. “Engineering (particularly of software) is a hugely creative endeavor. Greater diversity — more points of view — yields a better result.”

According to research from Center of Talent Innovation, companies with a diverse management and workforce are 45 percent more likely to report growing market share, and 70 percent likelier to report that their companies captured a new market.

I wanted to learn more about the benefits of a D&I program, and especially how to create a successful one. So I called Allison F. Avery, Senior Organizational Development & Diversity Excellence Specialist at NYU Langone Medical Center, to get the details from a pro.

She is responsible for providing organizational development consultation regarding issues such as diversity and inclusion, performance improvement, workforce engagement, leadership development, and conflict resolution.

In part one of our interview, Ms. Avery sets the foundation for us by describing what a successful diversity & inclusion program looks like, explaining unconscious bias and her thoughts on hiring based on one’s social network.

And next week, we cover hiring for skill set or diversity (the short answer: neither), hard skills versus soft skills, and how to create a successful diversity & inclusion program.


[Podcast] Security Courts the Internet of Things

[Podcast] Security Courts the Internet of Things

As more physical devices connect to the internet, I wondered about the responsibility IoT manufacturers have in building strong security systems within devices they create. There’s nothing like a lapse in security that could potentially halt the growth of a business or bring more cybersecurity awareness to a board.

I discussed these matters with this week’s Inside Out Security Show panel – Forrest Temple, Kilian Englert and Mike Buckbee.

First in line to be discussed was the shocking revelation that while car manufacturers enabled users to control their vehicles with an app, they never thought through what happens when it’s sold. What’s the harm? In the words of the car owner, “If I were a criminal, I could’ve stolen the car.”

In another alarming article, a security researcher recently discovered that anyone can connect and control a cuddly CloudPets via Bluetooth, recording private conversations with the built-in microphone. If you’re a parent who finds this IoT toy a cute way to leave messages with your child, your privacy may be at stake.

Additional recent news articles we discussed include:

Tool of the week: Chaos Monkey is a resiliency tool that helps applications tolerate random instance failures.


[Podcast] More Scout Brody: Bringing Design Thinking to IoT

[Podcast] More Scout Brody: Bringing Design Thinking to IoT

By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One aspect that we haven’t seen are IoT devices that not connected to the internet.

In our follow-up discussion, this was the vision Simply Secure‘s executive director Scout Brody advocates, as current IoT devices don’t have a strong foundation in security.

She points out that we should consider why putting a full internet stack on a new IoT device will help users as well as the benefits of bringing design thinking when creating IoT devices.


[Podcast] Proper Breach Notification

[Podcast] Proper Breach Notification

I recently came across an article that gave me pause, “Why Data Breaches Don’t Hurt Stock Prices.” If that’s the case and if a breach doesn’t impact the sale of a company, does security matter?

So I asked the Inside Out Security Panel – Forrest Temple, Mike Buckbee and Kilian Englert.

They gently reminded me that there’s more than just the stock price to look at – brand, trust, as well as pending lawsuits.

In addition to these worries, proper breach notification is becoming a bigger responsibility. Is there a good or bad way to notify others about a breach? We discussed a controversial way a vendor disclosed their breach as well as some of the top stories of the week:

Tool of the week: Netflix Stethoscope




[Podcast] Scout Brody, Ph.D. on Creating Security Systems Usable for All

[Podcast] Scout Brody, Ph.D. on Creating Security Systems Usable for All

With spring just a few short weeks away, it’s a good time to clean the bedroom windows, dust off the ceiling fans, and discard old security notions that have been taking up valuable mind space.

What do you replace those security concepts with?

How about ones that say that security systems are not binary “on-off” concepts, but instead can be seen as a gentle gradient. And where user experiences developed by researchers create security products that actually, um, work. This new world is conceived by Scout Brody, executive director of Simply Secure, a nonprofit dedicated to leveraging user interface design to make security easier and more intuitive to use.

“UX design is a critical part of any system, including security systems that are only meant to be used by highly technical expert users,” according to Brody. “ So if you have a system that helps monitor network traffic, if it’s not usable by the people who are designed to use it or it’s designed for, then it’s not actually going to help them do their jobs.”

In the first part of my interview with Scout Brody, we cover why security systems aren’t binary, the value of user interface designers, and how to cross pollinate user personas with threat models.

[Podcast] Gambling with User Data

[Podcast] Gambling with User Data

The debate between users volunteering their data for better service versus being perceived as a creepy company who covertly gathers user data remains a hot topic for the Inside Out Security panel –Kris Keyser, Mike Buckbee, and Kilian Englert.

There were two recent stories that triggered this debate. Recently, a smart television manufacturer agreed to pay a $2.2 million fine to the Federal Trade Commission for “collecting viewing data on 11 million consumer TVs without the consumer’s knowledge or consent.” Is that creepy or perhaps the argument could be made that viewing data only helps with the overall user experience?

Contrast the aforementioned story with one where psychologists and data scientists can measure a user’s voluntary Facebook likes to diagnose a personality type. This is known as psychometrics and measured using a model often referred to as OCEAN: openness (how open you are to new experiences?), conscientiousness (how much of a perfectionist are you?), extroversion (how sociable are you?), agreeableness (how considerate and cooperative you are?), and neuroticism (are you easily upset?). With your personality type identified, marketers believe that it can be used to influence users in a future purchasing decision or voting in a presidential election.

The panelists had vastly different views on acceptable and unacceptable behaviors.

Tool of the week: Git pre-commit hook to search for Amazon AWS API keys.

Other stories covered in this podcast:

[Podcast] Professor Angela Sasse on the Economics of Security

[Podcast] Professor Angela Sasse on the Economics of Security

In part two of my interview with Angela Sasse, Professor of Human-Centred Technology, she shared an engagement she had with British Telecom(BT).

The accountants at BT said that users were resetting passwords at a rate that overwhelmed the helpdesk’s resources, making the cost untenable. The security team believed that the employees were the problem, meanwhile Sasse and her team thought otherwise. She likened the problem of requiring users to remember their passwords to memory exercises. And with Sasse’s help, they worked together to change the security policy that worked for both the company and the user.

We also covered the complexities of choosing the right form of authentication (i.e. passwords, 2FA or biometrics?), the pros and cons of user training, and the importance of listening to your users.

[Podcast] Security Monk vs. Emperor Palpatine

[Podcast] Security Monk vs. Emperor Palpatine

This week, we continue our ongoing ransomware discussion with the Inside Out Security Show panel – Kilian Englert, Mike Buckbee, and Mike Thompson.

But before we launched into our conversation, as an icebreaker, I asked the panel what their advice would be to this tired sysadmin who deleted the wrong directory on the wrong server?

Buckbee: Do exactly what they did to fix the problem.

Englert: It happens, just have to recover and move on.

Thompson: Always take a snapshot before touching your production server.

Back to Ransomware

I likened this singular, life-changing malware to Emperor Palpatine. Why? The scammers try to be your friend and provide customer support. Meanwhile, they’re clever about extorting money from you.

There were a few interesting ransomware stories that we covered:

  • An IT pro that tried to fight back by sending the perpetrators a Locky ransomware. We’re not certain if it was a success, but at least he tried
  • One hijacked a hotel from making new hotel keys
  • Police storage devices that record video data were infected
  • The scariest of them all, Google Play hosted a ransomware app that infected a user’s cell phone

Moving away from ransomware, we also discussed these controversial stories:

Tool of the week: Google’s Site Reliability Engineering