All posts by Cindy Ng

[Podcast] When Security is a Status Symbol


As sleep and busyness gain prominence as status symbols, I wondered when or if good security would ever achieve the same notoriety. Investing in promising security technology is a good start. We’ve also seen an upsurge in biometrics as a form of authentication. And let’s not forget our high school cybersecurity champs!

However, as we celebrate new technologies, we are sometimes caught off guard by vulnerabilities in existing ones, such as an attacker’s ability to infer a user’s PIN from the phone’s own sensors. I’m also alarmed by how easily you can order an attack!

Tool of the week: CaptureBox

Subscribe Now

- Leave a review for our podcast & we'll put you in the running for a pack of cards

- Follow the Inside Out Security Show panel on Twitter @infosec_podcast

- Add us to your favorite podcasting app:

[Podcast] Christina Morillo, Enterprise Information Security Expert

If you want to be an infosec guru, there are no shortcuts to the top. And enterprise information security expert, Christina Morillo knows exactly what that means.

When she worked at the help desk, she explained technical jargon to non-technical users. As a system administrator, Christina organized and managed AD, met compliance regulations, and completed entitlement reviews. Also, as a security architect, she developed a comprehensive enterprise information security program. And if you need someone to successfully manage an organization’s risk, Christina can do that as well.

In our interview, Christina Morillo revealed the technical certifications that helped jumpstart her infosec career, described work highlights, and shared her efforts to bring a more accurate representation of women of color in tech through stock images.



Cindy Ng: Christina Morillo has been in the security space long before automation and actual data became the industry’s “it” word. She has been helping organizations advance their infosec and insider threat programs through her deep technical expertise in centralizing disparate systems, strengthening and automating tasks, as well as translating complex issues between the business and IT stakeholders. In our interview, Christina highlights hallmarks in her career, turning points in the industry, and how she worked her way to the top.

Cindy Ng: So, you’ve been in the security space for almost 20 years, and you’ve seen the field transform from something that people didn’t really know about into something that people see almost regularly on the front page news. And I wanted to go back in time and for you to tell us how you got started in the security business.

Christina Morillo: So, I actually got started in the technology industry about 18 years ago, and out of that, in security, I’ve been like 11 to 12 years. But I pretty much got started from the ground up while I was attending university. I actually got a job doing technical support for, at the time, Compaq computers. So that’s like I’m aging myself right there. But back when Compaq computers were really popular, I worked for a call center, and we did 24-hour technical support. And that’s where I kind of learned all of my troubleshooting skills, and being able to kind of walk someone through restarting their computer, installing an update, installing a patch, being able to articulate technical jargon in a nontechnical format. Then from there, I moved on to doing more desktop support. I wanted to get away from the call center environment, I wanted to get away from that, and be in, like, an enterprise environment where I was the support person, so I could get that user interaction. So that’s where my journey started. It feels like yesterday, but it’s been a long time.

Cindy Ng: It goes by quickly, and how did you get started at Swiss Re?

Christina Morillo: When I came back home from university, I am originally from New York City, I was looking for work. And I wanted to really get into financial services, doing IT within the financial services industry because I knew that would be a good strategic move for my professional career. I bumped into this recruiter, and he told me about a position at Swiss Re within their capital management investment division. And so I gave it a go even though I didn’t have the experience. You know, I took a shot. And they really liked the fact that I had prior experience with Active Directory and networking. And since I was very much hands-on and I had just taken some Microsoft certifications, so I was like really into it. So I was able to answer the questions really efficiently, and they liked me, so they gave me the shot. That’s what started me into the world of information security, and identity, and access management, and access control. I learned all my “manual foundation” I’ll call it, manual fundamentals, at Swiss Re.

Cindy Ng: Would you say that your deep understanding of AD was an important part of your career?

Christina Morillo: Oh, absolutely. Absolutely.

Cindy Ng: And what do most sysadmins get wrong when it comes to their understanding of AD?

Christina Morillo: There is a lot to do with the whole permissioning and file structure. A lot of times people don’t really go into the differences between share permissions and NTFS permissions. And it can get really complex really fast. Especially when you’re learning in school, you create your environment, right? So it’s very clean. But when you start at a company, you’re looking at years of buildup. So you go into these environments where it’s nowhere near what you learned at school. So you’re just like, oh my goodness. And it becomes really overwhelming very quickly. I think it’s, like, not having that deep understanding and deep knowledge, and just kind of taking short routes. Because we’re very busy during the day, and there’s a lot to do, right? Especially for sysadmins. They have a lot on their plates. So I think a lot of times it’s like, okay, use your own backlist. Just throw them in whatever group, we’ll fix it later. And later never comes. I don’t fault them, but I just think that we need to be a little bit more diligent with understanding structures and fundamentals.

Cindy Ng: How did you spend time figuring out how to restructure a certain group, if that was an important part in your job? In your team?

Christina Morillo: Yeah. Of course, absolutely. I always want to because it makes my life easier. But, you know, you’re not always able to. And that’s because, like I said, it’s so complex, and there’s so many layers that peeling these layers back will cause chaos. So sometimes you have to prioritize. And just from like a business perspective you have to prioritize. You know, is this something that we can do gradually or look at setting up as a project and completing it in phases, or is it high-priority, right?

And so, the first thing I do is I talk to whoever owns the group or let’s say whatever specific department, like finance. So who approved access to this group? So I like to kind of determine that. And then work my way backwards. So, okay, if this is the owner of the group, then I like to say, “Who should get access to this group? What kind of access do they need to this group? Do they need read-only access, or do they need modify access?” And then go from there. And who should be the initial members of the group? And a lot of times it’s a matter of having to recreate the group. So create a fresh group, add the individual users, read-write or modify, or read-only, and then migrate them into the group, and then delete the old group. Which that part can take time because you don’t know what you’re touching.

A lot of times people like to permission groups at different levels where they don’t belong. The worst thing that can happen is you can cause an outage and you never really want that. Kind of investigating and using tools like DatAdvantage to help with the investigations to better understand what you’re doing before you do it. So it’s a process. I mean, I wouldn’t say it’s something easy. That’s why, a lot of times, it’s put on the back burner. But, you know, I feel like it’s something that has to be done.

Cindy Ng: Your next role, which was at Alliance Bernstein?

Christina Morillo: So at Alliance Bernstein, that was a short-term contract. That was part of their incident response & security team. 50% of the time I was handling tickets, and, you know, approving out FTP access, and approving firewall access, and checking out scans or anti-virus scans, and making sure that our AV was up to date, and doing all that stuff.

And then the other 50% was working on identity management and, like, onboarding applications into the system and testing. And then training the team that would handle day to day support. So it’s like a level two, level three. And then defining the processes. You know, onboarding the applications, defining the processes, writing the documentation, and then handing over to the support team to take over from there. So it was a lot of conversation with stakeholders, application owners, and I really appreciated being able to be a part of those processes.

That’s why I started seeing more of the automation. I mean, at Swiss Re, we were very much manual for the first couple of years. Which was fantastic because, you know, although it was a pain, it was fantastic because I got to understand how to do things if the system was down. It gave me that understanding of like ‘Oh, I know how to generate a manual report.’ So when it came time to automate, I was like, ‘Oh. Okay, this is nothing. I understand the workflow,’ right? I can create a workflow quickly, or I can… I understand what we need, right? And it also helps when people are just like, “That’s gonna take four days.” I’m like, “Absolutely not. That’s going to take you 45 minutes.” So it was a great experience.

Cindy Ng: Would you ever buffer in time if systems went down? I’m thinking about something like ransomware.

Christina Morillo: Thankfully, that never happened while I was at these companies. That never happened. And since it didn’t hit my team, I think I’ve always been more on the preventative rather than being on the reactive side. A lot of times you did have to react to different situations or work in tandem with other teams, but I’m really into, like, preventative. Like, how can we minimize risk? How can we prevent this from happening? Kind of thinking out of the box that way. You have to not be an optimistic person. Like, you have to be like, well, this can happen if we leave that open. Right? And it’s not even meant to sound negative, but it’s almost like you have to have that approach because you have to understand what adversaries and hackers, how do they think? What would I want to do? Right? Like, if I see a door unlocked. It’s almost like you’re on the edge and you have to think that way, and you have to look at problems a little bit differently because, in business, you don’t rank, you just want to do their work.

Cindy Ng: Did you develop that skill naturally, or was it innate, or did you realize, ‘Oh my God, I need to start thinking a certain way’? The business isn’t gonna care about it. That’s why you’re responsible for it.

Christina Morillo: I think I’ve always had that skill set, but I think that I developed it more throughout my career. Like, added strength in that skill throughout my career. Because when you’re starting, especially with network administration and sysadmin stuff, you have to be the problem solver. So you have to be on the lookout for problems. Because that’s, like, your job, right? So there’s a problem, you fix it. There’s a problem, you fix it. So, a lot of times, just to make your job a little bit easier, you have to almost have to anticipate a problem. You have to say, ‘Oh, if that window’s open and if it rains, the water’s gonna get in. So let’s close the window before it rains!’ It sounds intuitive, but a lot of times people just don’t think that far ahead.

I think it’s just a matter of the longer I remain in the industry, the more I see things changing. And then you just have to evolve. So you always have to think about being one or two steps ahead, when you can. And I think that skill set comes with time. You just have to prepare. And also, like, the more you know… Like, I’m very big on education and training and learning even if it’s not specific to my job. I feel like it helps broaden my perspective. And it helps me with whatever work I’m doing. I’m always taking either, like, a JavaScript class or some class, or just like a fun web development class. I’ve been looking for a Python class. Like, I did a technical cert, like boot camp. Like, I’m preparing for a cert. But it’s a lot. But I also take ad-hoc stuff. Like I’ll take a calligraphy class, just to kind of balance it out. You know I’ll go to different talks at the 92nd Street Y. Whether it’s technology related or just, like, futurism related, or just innovation related. Or something completely different.

Cindy Ng: I’ve read your harrowing story about taking a class at General Assembly while having kids and a husband. Oh my God, you are so amazing. It’s so inspiring.

Christina Morillo: Definitely hard. But, you know, you gotta do what you gotta do. And it’s a problem because when you become a parent, it doesn’t mean that you lose your ambition. It just kind of goes on a temporary hold. But then when you remember, you’re like ‘Oh, wait a minute. No. I have to get back to it.’

Cindy Ng: So let’s talk about Fitch Ratings. That role is really interesting.

Christina Morillo: Yeah, yeah. Thus far, it’s been one of my favorites. Because, at Fitch, I was actually able to deploy an identity and access management platform. So, from nothing, to create something completely new and just deploy it globally, right? So what that means is that I changed the HR onboarding process and offboarding process. So, like, how new-hires are added to the system. How people that are terminated are removed from the system. How employees request access to different applications. How managers approve. How authorizers approve the entire workflow. So that was amazing.

Basically, when I started, they wanted to go from pretty decentralized to a centralized model to purchase this out of the box application. They had a lot of transitions, so they needed someone to come in and own the application and say, like, “Okay, but let me implement it.” It was just on a like a development server, not fully configured. So, my job was to come in, look at the use-cases, look at what they needed. At least initially. What needed to happen? How did they need to use this application? Then I needed to understand the business processes. Current things, or how do they perform this work today? Like, does the help desk do it? Does a developer give access to a specific application that they manage? What are they developed for? What happens now?

So I took time to understand all of the processes. Right? Like, I spoke to everyone. I spoke to HR. I spoke to finance. I spoke to legal. I spoke to compliance. I spoke to the help desk. I spoke to network administration. I spoke to application developers. To compile all of that information in order to better create the use-cases and the workflows, and to kind of flesh them out. Then what I did is I started building and automating these processes in that tool, on that platform.

My boss gave me… He said, “Oh, I’ll give you like a year.” And I was like, “Okay. Fine.” But, I guess, once I got into like the thick of things, I got like really aggressive, and I really was hard with the vendor. Because I was a team of one. You know, I had support from our internal app team, and network administration team, and the sysadmins. But I completely owned the process, and owned the applications, and owned building it out. So I rode the vendor like crazy just to get this done, and understand, and just to look at it from top-bottom, bottom-to-top. And we were able to deploy it in five months.

You know, I got them from sending emails and creating help desk tickets, to fully automated system, onboarding, offboarding, and requesting entitlements. But more importantly, I was able to get people on board. Because that’s one of the other big things that you don’t really discuss. A lot of times we got a lot of pushback. While what we do is extremely important, especially in security, and sometimes we’re not the ones that are the most liked. People are afraid, right? So it’s also about developing new relationships with your constituents, with the users, right? And helping them understand that you’re not trying to make their lives miserable, you’re just getting them on board. I think that also takes skill. It takes finesse. It takes being able to speak to people, relate to people. And also, it takes being able to listen at scale. Right? So you have to listen to understand.

You know, I think if a lot of us did more listening and less talking, we would definitely understand where people are coming from and be able to kind of come up with solutions. I mean, you’re not always gonna make people happy. Maybe some of the time. Not all of the time. But at least you’ve communicated, and they can respect you for that. Right? So I was able to get pretty much the entire company on board. And to welcome this tool that they had heard about for so long. And they weren’t hesitant. To the point where I couldn’t get them to leave me alone about it.

Cindy Ng: You were able to help them realize that you’re still able to do your work, but to do it securely.

Christina Morillo: And better.

Cindy Ng: When you say scared and concerned, what were they worried about?

Christina Morillo: When you say the word “automation,” the main worry is that people are gonna lose their jobs. When someone says, “Oh, I heard that the tool will allow you to onboard a user.’ People won’t need to call the help desk anymore for that or won’t need help with that. Then you’re taking away like a piece or a portion of their work that may affect their productivity. And if it affects their productivity, it will affect the money that the team or the department gets. If that happens, then, obviously, we don’t need ten help desk people. We only need five. Right?

So, pretty much, it’s like fear of losing their jobs or fear that they’re becoming obsolete. So that’s usually the biggest one. And also when there’s, like, a new person coming in asking you how do you do your work, what is the process, that’s kind of scary. “Why do you want to know? Are you taking over? Are you trying to take away my work?” You’re always going to get push back. I think that’s part of the job, especially when you’re in security. You’re just always going to. And, you know, people fear what they don’t understand. So that’s part of it too.

Cindy Ng: Let’s talk about Morgan Stanley now. So at this point, you’re at a really more strategic level where you’re really helping entire teams manage risk?

Christina Morillo: Yeah. So while I was at Fitch and, you know, while I loved it, it became more of a sysadmin type of role. So I decided to begin looking for my next opportunity. And Morgan Stanley came up that summer. And I looked at it as, well, this is a great opportunity for me to be at a more strategic level and understand, become a middleman, right? Almost like a business analyst where I’m understanding what the business needs and kind of liaising on the technology side. So I thought it would be a good opportunity for me to hone that skill set on the business side and look at the value proposition. But also because of my technical background, I’ll be able to communicate with and get things done on the tech side.

So that was amazing. I mean, I learned a lot about how the business and IT engage. What’s important, and how to present certain, I guess, calls for action. Like, if you need something done, like, oh, you implement a new DLP solution. Are you solving a problem for the business or are you solving a problem for technology? Understanding the goal. Understanding your approach. And looking at things two ways. Looking at how to resolve a problem tactically. How can we resolve this issue today? And then what is the strategic or long-term solution? So a lot of business-speak, a lot of how to present.

I think I would almost equate it to… My time at Morgan Stanley… And I’m no longer at Morgan Stanley, actually. But my time at Morgan Stanley I equated to getting a mini-MBA because it really prepared me and allowed me to think differently. I think, you know, when you’re in technology you tend to stay in your tech cocoon. And that’s all you want to do and talk about. But understanding how others think about it, even how project managers engage with a business. The business is just thinking about risk, and how to minimize risk, and how they can do their jobs and make money. Because, at the end of the day, that’s what the goal is, right? Yeah, it allowed me to understand that. Whereas normally, on the tech side, I never really had to deal with that or face it. So I didn’t think about it. But at Morgan, you have to think about it, and you have to create solutions around it.

Cindy Ng: Also, IT’s often seen as, like, a call center rather than a money generator.

Christina Morillo: I’ve always had an issue with that. Even though IT, like, we’re seen as a call center, without us… And I’m biased, obviously… But I feel like without us, you wouldn’t be able to function. At the end of the day, are we generating money? I think so. But then it goes into that whole chicken or the egg thing. But that’s my argument, and I guess I’m biased. I’ve always been in IT, right?

Cindy Ng: What’s most important to business? Is it always about the bottom line? For IT people, it’s always about security and minimizing risk.

Christina Morillo: It is about the bottom line. There are many avenues to get to there more efficiently, or just a little bit smarter. It’s like working smarter. But I think one of the ways is by listening at scale. Just like if you’re starting a company, you’re providing a service, you need to understand who your target market is, right? You need to understand what they want and why they want it. And that’s how you know what service you can provide or how you can tailor your needs to them. Why? Because then they will buy it from you, or they will seek services from you. And what does that mean? That means you get to collect that money.

And sometimes you need, like, a neutral group. You know? Like a working group. I realized they have a lot of working groups. So a lot of discussion. Sometimes that can be good and bad, but I see it as more of a positive thing. And the reason why is because you need to be able to hear from both sides, right? Both sides need to be able to express themselves, and everyone needs to be on the same page or get to that same page somehow. You need to understand what I need as a business user. I need to be able to book a trade, or I need to be able to do this, and I need to do it in this amount of time. Now how can you help me? And then the IT person, or the security person, whoever needs to be able to say, “Okay. Well, this is what I can do, this is what I cannot do right now. But maybe this is what I can do in the future.”

Again, it goes back to that we are problem solvers. So we’re all about solutions and how to keep the business afloat and keep the business running and operating. That’s our job. We’re not there to say we have to do it this way. That’s not what we’re there for. So I think it’s also understanding what role everyone plays, and understanding that we all have to kind of like work together to get to that common goal.

Let’s say we have a working group about implementing Varonis DataPrivilege globally, right? So then you have stakeholders from every department, or every department that it would touch. So if that means that the security team is going to be involved, we have a representative from the security team. If that means that the project management who’s managing the project is gonna be involved, we have someone from that team. So you pretty much have a representative from each team that it will affect. Including the business, at times, so that they’re aware of what’s going on. And then you have status updates on what’s going on. What do we need? Where are the blocks and the blockers? And people get to speak, and people get to brainstorm, and you get to bring up problems, and what you need from the other team, what they need from you. And it just helps with getting projects moving and getting things going quickly and just more efficiently without anyone feeling like they weren’t represented in the decision-making process. It also speaks to that as well.

Cindy Ng: Before our initial conversation, I had no idea that you used DatAdvantage.

Christina Morillo: My last employer, they used DatAdvantage, and were also implementing portions of DataPrivilege. The company before that, Fitch, we used DatAdvantage heavily. So, like, recording. You know, it’s been a couple of years, so I don’t know if they still use the tool. But I know when I was there, I actually used it for reporting purposes, and to help me generate reports, and just do, like, investigations, and other rule-based stuff.

Cindy Ng: Was it helpful for, like, SOX compliance?

Christina Morillo: Yeah. Yeah, especially when whether it was internal or external audits, we always got the call. Like, “Can you come and give me access to this group on such and such date?” or, “Can you come and get this removed?” or, “Can you tell me this?” Just weird ad-hoc requests. That makes sense, right? But at the time, you’re like, ‘Why did you need this?’ Being able to kinda quickly generate the report was, like, super helpful.

Cindy Ng: And finally, I love what you do with the Women of Color in Tech chat.

Christina Morillo: Yeah, yeah. A friend of mine, Stephanie Morillo…no relation, just same last name…but we both work in tech. And in 2015, we decided to co-found a grassroots initiative to help other women of color, and non-binary folks and just under-represented people in technology to have a voice, a community. We started off as Twitter chats. So we would have weekly, bi-weekly Twitter chats. Just have conversations, conversations with the community.

And then we started getting contacted by different organizations. So they wanted to sponsor some of our community members to attend conferences, and just different discussions and meetups and events. So we started to do that. We also did, like, a monthly job newsletter, where companies, like Twitter and Google, they contacted us. Then we worked with them. We kind of posted different positions they were recruiting for and shared it directly with our community.

And then, the thing we’re most known for is the Women of Color in Tech stock photos, which basically is a collection of open-source stock photos featuring women and non-binary folks of color who work in technology. So those photos, the goal was to give them out for free, open-source them, so people can have better imagery, right? Because we felt that representation mattered. The way that came about was when I was building the landing page for the initiative, I realized that I couldn’t find any photos of women like me who work in technology. And it made me really upset. Right? And so that activated… I feel like that anger activated something within me, and maybe it came as a rant. Like, I was just, like, “Okay, Getty, don’t you have photos of women in tech who look like me?” Why is every… Whether white or Asian or whoever… Why is any… And I see a woman with a computer or an iPad, it looks like she’s playing around with it. Those are the pictures that I was seeing. This is not what I do. This is not what I’ve done. So I just felt like I wasn’t represented. And then if I wasn’t represented, countless other folks weren’t as well.

I spoke to a photographer friend of mine who also works in tech. And he started this like his side passion stuff. So he agreed, and we just kind of started out. I mean, we went with the flow. It turned out amazing. And we released the photos. We open sourced them, and we got a lot of interest, a lot of feedback, a lot of features, a lot of reporting on it. And we decided to go for another two rounds. You know, a lot of companies we talked to were like, “We want to be a part of this. This is amazing. How can we support you?” So a lot of great organizations. If you look at the site, you see the organizations that sponsored the last two photo shoots.

We released the collection of over 500 photos. And we’ve seen them everywhere, from Forbes, Wall Street Journal. It’s like I’ve seen them everywhere. They’re just, like, all over the web. Some of our tech models have gotten jobs because they started conversations. Like, “Wait, weren’t you in the Women of Color in Tech photos?” “Yeah, that’s me!” Whatever. Some people have gotten stopped, like, “Wait a minute, you’re in this photo.” Or they get tags. They’ve been used at conferences. Some organizations are now using them as part of their landing pages. They’re like all over the place. And that was the goal.

But it really, you know, makes us really happy. But just seeing photos all over the place, and the fact that people recognize that those are our photos, it was just amazing. We actually open sourced our process as well. We released an article that spoke about how we got sponsors, what we did, in hopes that other people, other organizations would also get inspired and replicate the stock photos. But we also get inquiries about, you know, “Are you gonna have another one? Can you guys have another one?” So it’s up in the air. I’m debating it. Maybe.

[Podcast] Evolving Bank Security Threats


It was only last week that we applauded banks for introducing cardless ATMs in an effort to curb financial fraud. But with the latest bank heists, it may help to turn up both offense and defense. Why? In one case, attackers drilled a small hole in an ATM, connected a wire to its internals, covered the hole with a sticker, and the machine automatically and obediently dispensed thousands. In another, an enterprising group hijacked a bank’s DNS records, taking over its website and mobile sites and redirecting customers to phishing pages.

But let’s be honest and realistic. Bank security is no easy feat. Banks run complicated systems with a large attack surface to defend, whereas attackers need to find only one vulnerability, apply some technical expertise, and get to decide when and how the attack happens. Moreover, they don’t have to worry about bureaucracy, meeting compliance requirements, or following laws. The bottom line is that attackers have more flexibility and are more agile than the defenders.

In addition to evolving bank security threats, we also covered the following:

Tool of the week: ngrok, secure introspected tunnels to localhost


[Podcast] Americans’ Cyber Hygiene


Recently, the Pew Research Center released a report highlighting what Americans know about cybersecurity. The intent of the survey and quiz was to understand how closely Americans are following best practices recommended by cybersecurity experts.

One question on the quiz reminded us that we’re entitled to one free copy of our credit report every 12 months from each of the three nationwide credit reporting companies. The reason this is offered at all is the sheer volume of financial fraud, which is exactly why it’s worth checking those reports for accounts you didn’t open.

And in an effort to curb banking scams, Wells Fargo introduced cardless ATMs, where customers log into their app to request an eight-digit code, which they enter along with their PIN to retrieve cash.

Outside the US, the £1 coin gets a new look and line of defense. It uses an Integrated Secure Identification System, which can be authenticated at high speeds. Plus, it’s harder to counterfeit, and that’s exactly what we want!

Other themes and ideas we covered that weren’t part of the quiz:

Did the Inside Out Security panel – Mike Thompson, Kilian Englert, and Mike Buckbee – pass Pew’s cybersecurity quiz? Listen to find out!

[Podcast] What CISOs are Making, Reading and Sharing

Besides talking to my fav security experts on the podcast, I’ve also been curious about what CISOs have been up to lately. After all, they have the difficult job of keeping an organization’s network and data safe and secure. Plus, they tend to always be a few steps ahead in their thinking and planning.

After a few clicks on Twitter, I found a CISO at a predictive analytics SaaS platform who published a security manifesto. His goal was to build security awareness into every job, every role, and to give people a reason to choose the more secure path.

Another CSO at a team communication and collaboration tool company stressed the importance of transparency. This means communicating with their customers as much as possible – what he’s working on and how their bug bounty and features work.

As for what CISOs are reading and sharing, here are a few links to keep you on your toes and us talkin’:

[Podcast] No Data Left Behind

Over the past few weeks, we’ve been debating a user’s threshold for how much of his personal data may be seen in the public domain. For instance, did you know that housing information has always been public information? It is gathered from county records, and the internet has just made the process of gathering it less cumbersome. However, if our personal information leaks into the public domain due to a security lapse, it’s still not as serious as, say, a breach of 2 million records. The point is that many security experts will remind us that there is no perfect security, as lapses and breaches will happen.

Meanwhile, I bemoan that no data should be left behind (all data should be protected!) and discuss my concerns with this week’s Inside Out Security Show panel – Mike Buckbee, Kilian Englert and Forrest Temple.

Additional articles we discussed:

[Podcast] How Diversity & Inclusion Drives Innovation and Market Growth

In part two of my interview with Allison F. Avery, a Senior Diversity & Inclusion Specialist at NYU Langone Medical Center, she clarified common misconceptions about Diversity & Inclusion (D&I) and offered a framework and methodology to implement D&I. She reminded me, “You should not be doing diversity for diversity sake.”

I’ve put together a few interview highlights below. By the way – they’re perfect for cutting-and-pasting into an email to your company’s HR executives and other C-levels!

On Recruitment Practices: Hire for Diversity or Skillset?

I’m going to challenge your question because thinking in that way dichotomizes two very critical ideas. It feeds into this mythology that diversity is lowering standards or is a compromise.

If a candidate has potential, capacity, ability and aptitude to learn new skills and someone you want to invest in – hire her. Don’t just look at people that have the hard skills today. Business climates are always changing and you need someone who is flexible to those changes. If you just look at just diversity or just skill, that’s not the model you would want.

On the Benefits of Diversity & Inclusion

If you truly understand Diversity & Inclusion appropriately, and know the actual benefits – i.e. better financial gains, better product and software development, new niche markets developed, greater capacity, enhanced creativity, better innovation. When you really understand that, it benefits everyone.

Albeit – it might make things more challenging. Because the more diversity, the more challenging things are and you have to work a little bit harder. But it really should pay dividends, make your company more lucrative, and the people who work there would and should benefit from that.



Cindy Ng: Should we be hiring for skill set or for diversity?

Allison Avery: I’m going to challenge your question a little bit, because I think that people dichotomize those two things as, you know, do you either want diversity, or do you want “quality”? And I think that those two things get pitted against each other as though they’re one mutually exclusive or in competition with each other, and that you have to choose. And I think that even looking at it that way puts people into a mind pretzel, and makes diversity seem antithetical to being a top talent place, and being a top talent institution. And I think it gives diversity a bad name, but it also kind of feeds in this kind of mythology that somehow diversity is lowering standards, or diversity is compromised. And I think that whenever we get into this bind of doing things differently, our brains get into this idea that somehow, whenever we go against the grain, that all of a sudden we’re compromising our standards.

But all we’re doing is one, either changing our standards for something that we have prioritized for a different reason or rationale. One, we need to fully understand what that rationale is, and if we don’t that’s when we tend to dichotomize, because we don’t really understand the value of diversity, and what the sort of actual benefits of having a socially diverse workforce is, and you know the fact of the matter is it does lead to greater creativity, greater financial gains, and greater innovation, and greater research. I mean, that has been substantiated in multiple research, pervasive throughout different industries and in multiple different ways from innovation creativity to financial gains. That’s just kind of time and time again.

There is a big financial case for diversity, and how it does literally make you smarter, more creative and more conscious. Julie Peeler who’s the foundation director of the International Information Systems Security Certification Consortium, you know, was sort of citing in March how there’s…you know, there’s about 30,000 open positions in U.S. information security, and how the gap is growing wider and wider. It’s actually easier and we’ve noticed this actually in medical school as well. It’s easier at times to train people in skill development, than it is in human skill development, and what we’ve noticed that is that certain areas of aspects of diversity, and what should be needed for tech in the 21st century, and tech for the next coming 50 plus years are the communication and analytical skills, and participation decision making. Women in leadership positions tend to be more engaged in being able to do that.

They tend to be able to be more collaborative. We’ve also noticed that in medical school, that it’s easier to teach somebody some of the hard “skills” and it’s harder to teach somebody some of the soft skills. Harder to teach somebody some of the needs of a diverse community, but it’s easier to teach them some of the hard skills that they’re going to need. So if they have somewhat of an orientation, if they have potential, if they have capacity, if they have the ability to learn, and those are things that you can test for if you look at some psychometrics testing, if you look at some actual like organizational development testing.

You can utilize that or leverage that within your hiring system. So looking at a person’s aptitude for learning, as opposed to just being a hard and fast person on a skill acquisition. So the potential for a person to be able to learn a new skill, or to be able to acquire a new skill, you can test for that through some psychometric testing. You get somebody who’s good at like organizational development, or organizational psych, and you input that within your structural system in your hiring manager, and you can test for that and that might increase aspects of your diverse workforce, as opposed to being hard and fast about you need to know this still today. As opposed to we can teach you this skill, but you’re coming in with some of these other desired skills, and be more competency based.

So we’ve noticed that when we switched to a more competency-based…so this person has the ability to deal with ambiguity. This person has better communication skills, this person has the capacity for critical thinking, so when we switch to what kind of culture do we want, what type of learner do we want, what type of capacities do we want and competencies do we want, then that changes the methodology and changes our hard and fast orientation to you need to know this, this, this, this and this skill. It’s like we can teach you this skill, but we need you to have these levels of competency, because that’s a culture we’re trying to build. That’s the community that we’re trying to cultivate, and that’s the innovation that we’re trying to have within our organization to get to where we want to be.

A person who is not able to engage in lifelong learning, period, and lifelong professional skill development generally is not the kind of person that you want in your organization anyway. And so it’s…I think when you juxtapose diversity and or skill, that’s not even the right model or methodology for any industry really.

For the 21st century, our talent innovation does say that employees at companies with diversity and management, are 45% more likely to report growing market share for their companies, and they’re 70% likelier to report that their companies captured a new market.

Cindy Ng: Can you give us some context to this stat? In the infosec space, 58% of females who hold leadership positions have advanced degrees versus the 47% of males.

Allison Avery: This is something that we see in a lot of different industries. And I wish I had a better name for it, but what tends to happen is that there’s a luxury to convention. I would think of it this way, when a person looks the part, you assume a lot of things about them. You assume their competence, you assume their quality, you assume their…you’re not surprised. And so there’s a luxury to their averageness, and there’s a luxury to them being good enough, correct?

I think that generally, when you do not look the part necessarily, you have to fill in things a little bit more, because they don’t just assume that you’re qualified in the same way. And so it’s not as luxurious to just be good enough. You have to be above average in order to be considered equal, you know, there’s an adage, especially in the black community, there is this adage that you need to be twice as good to be considered just as qualified. You’re starting from a different assumption, and a different framework and then going from there.

A lot of times women, they don’t assume a level of competence, you’re proving it and then you go from there to the other man, or whatever because he looks the part, because he’s assumed to be the part. You’re assuming a level of competence and jumping out from that point. The level of work that they need to do, the level of accomplishments that they need do, and the level of performance doesn’t have to be quite the same because you’re already assuming competence. And the other person, i.e. and I think this actually harkens back to the initial question to of, do you choose diversity or skills? And that goes back to so many questions when people say things about, you know, they look around the room, let’s say you know we’ve seen this on TV.

We hear this about, you know, certain social campaigns, about like, “Oh, did you get into Harvard because you were black, or because you deserved it?” Those two things…they’re assumed to be diametrically opposed as opposed to thinking that the person…as opposed to assuming competence, and assuming quality and qualification.

Cindy Ng: How can we build a good D&I program? Or maybe a better question is what do we need to have on our radar so we can have the best possible outcome?

Allison Avery: The biggest kind of hairy fault lines that I think happen to organizations, is that they try to go too fast too soon, when it comes to D&I, or they try to go from 0 to 1,000. I think that that’s very dangerous, it can be very detrimental to D&I efforts. And so I think you want to be really, really clear on why you’re doing it, because it’s not just doing diversity for diversity’s sake. That’s a really important piece, because if you can’t explain the rationale for why you’re doing diversity, it ends up in that dichotomous form of, well, we’re doing it because we have to do it because it’s a good thing. And so I am choosing diversity over skill set, and it stays in that kind of lazy mentality, where you only do a first pass.

And that actually I think is much more harmful than having nothing. People don’t understand why you’re doing it. That’s even worse than doing it, in my opinion. And so really having a firm understanding of the actual benefits and the actual rationale is very, very helpful, and starting very, very small and clear. And then having it on multiple different registers, like I was saying. So it’s not just enough to have recruitment. So this is where people get tripped up is they think, “Okay, well, we need, you know, we need more minorities, so what are we going to do? We’re going to go recruit.”

Well, if you bring people in, that’s only one iota of what is happening. Because that’s just about diversity, that’s not inclusion. Inclusion is about okay, so if you are recruiting a diverse workforce so then you have to look at engagement, you have to look at climate, you have to look at talent management, you have to look at success in planning, you have to look at the composition along the echelon of your institution, you have to look at compensation, you have to look at, you know, who’s in upper management, who’s in middle management, who’s in below management? You have to look at, you know, all of these different arenas.

And so I think a very comprehensive strategic plan along…that’s multi-yeared, with different goals and objectives of held accountable by a nested board, that is a not just staffed, nor is it just comprised of under-represented minorities, period. That is the most dangerous thing, too. It cannot just be minorities invested for themselves and of themselves. So if you’re going to have any type of board, if you’re going to have any kind of competition, it has to be led by an executive and CEO. It has to be invested by upper management and upper leadership. It has to be really, really supported because otherwise it won’t be successful, and pairing people along different ethnic domains, you know, having different relationships forms, like mentoring programs and talent management programs, and people from outside of their…even outside of their area of expertise, social identity categories, even gender identity categories.

You know, so that there is more relationship building, going back to this point of white Americans having 91 times as many white friends as black friends, to try to break down those types of prohibitive barriers that can be compensated for, if an intentional structural design is put in place within the institution, or within the organization.

Cindy Ng: Okay, we need to get everyone’s buy-in, we need to build partnerships, there needs to be a multi-year long term vision. It sounds so complicated.

Allison Avery: It’s very complicated. It’s not just for one segment of the population, that’s a transformative in a sort of transcendent piece, you know, like that’s the whole idea, is that if you understand it appropriately and you really know the actual benefits to social diversity within your industry, of why does it make sense to have more social diversity within your organization, i.e., better financial gains, better product development, niche markets that can be developed, more engagement of a workforce, you know, greater capacity, enhanced creativity, better innovation.

I mean, if you really truly know that and then you see that, it betters everyone’s game and everyone’s performance in the organization. Albeit it makes things a little more challenging, because you know the more diverse…the more challenging things are, people have to work a little bit harder. But it should pay dividends, that’s the piece. It should make your company more lucrative, and then people should benefit from that who work there. So it should make your lives better, our lives better. So there really should be marketable, as well as tangible payoffs that aren’t this sort of esoteric made up social justice circumscribed idea of like it’s good diversity for diversity’s sake. It’s not as I think ambivalent or opaque as people sort of feel it is.

[Podcast] When Our Reality Becomes What the Data Says

In our “always-on” society, it’s important that our conversation on IoT security continues with the question of data ownership.

The question is making its way back into the limelight now that Amazon, with the defendant’s permission, has handed over user data in a trial.

Or what about that new software that captures all the angles of your face to build your security profile? Your face is such an intimate aspect of who you are; should we reduce that intimacy down to a data point?

I discussed these questions with this week’s Inside Out Security Show panel – Forrest Temple, Kilian Englert and Mike Buckbee.

Additional articles we discussed:

  • Leaked data tranche of 8,700 documents purportedly includes tools that turn smart TVs into covert surveillance devices.
  • Spammers expose their entire operation through bad backups
  • Inside the TalkTalk ‘Indian scam call centre’
  • A sysadmin told the courts he was authorized to trash his employer’s network
  • Google accidentally spreads fake news

[Podcast] How Infosec Can Implement Diversity & Inclusion Programs to Address Workforce Shortage and Make More Money Too

Data breaches keep on happening, and information security professionals are in demand more than ever. Did you know that there is currently a shortage of one million infosec pros worldwide? But the solution to this “man-power” shortage may be right in front of and around us. Many believe we can find more qualified workers by investing in Diversity & Inclusion programs.

According to Angela Knox, Engineering Director at Cloudmark, “We’re missing out on 50% of the population if we don’t let them [women] know about the job.”

For skeptics: creating a more diverse workplace isn’t about window dressing. It makes your company more profitable, notes Ed Lazowska, a Professor of Computer Science and Engineering at the University of Washington-Seattle. “Engineering (particularly of software) is a hugely creative endeavor. Greater diversity — more points of view — yields a better result.”

According to research from the Center for Talent Innovation, companies with a diverse management and workforce are 45 percent more likely to report growing market share, and 70 percent likelier to report that their companies captured a new market.

I wanted to learn more about the benefits of a D&I program, and especially how to create a successful one. So I called Allison F. Avery, Senior Organizational Development & Diversity Excellence Specialist at NYU Langone Medical Center, to get the details from a pro.

She is responsible for providing organizational development consultation regarding issues such as diversity and inclusion, performance improvement, workforce engagement, leadership development, and conflict resolution.

In part one of our interview, Ms. Avery sets the foundation for us by describing what a successful diversity & inclusion program looks like, explaining unconscious bias and her thoughts on hiring based on one’s social network.

And next week, we cover hiring for skill set or diversity (the short answer: neither), hard skills versus soft skills, and how to create a successful diversity & inclusion program.



Cindy Ng: Allison Avery is a senior organizational development and diversity specialist at NYU’s medical center. She is responsible for providing organizational development consultation regarding issues such as diversity and inclusion, workforce engagement, leadership development and conflict resolution. In our interview, Allison demystifies common misperceptions about diversity and inclusion, offers a successful framework and methodology to implement D&I and, yes, confirms that diverse organizations do make more money.

Can you define for us what diversity and inclusion means?

Allison Avery: The way that I like to define, or the way that I’m going to talk about diversity, is really referring to the richness of human differences. And so, that can mean anything from socio-economic status, race, ethnicity, language, nationality, sexual orientation, religion, all the way to learning styles and life experiences. I know, for the context of this conversation, we’re really going to target specifically a lot with regard to race, and ethnicity and gender because that’s really who’s primarily underrepresented in the tech field. We’re going to talk a lot about that, but diversity in and of itself primarily just means, really, difference, and it’s sort of a naturally-occurring phenomenon.

And then, inclusion is the way in which we engage that diversity. So, it refers to active, intentional and ongoing engagement with that diversity. It’s the way that we foster belonging, that we value and encourage engagement and that we really connect individuals throughout. Whether it’s an organization or institution, to leverage their excellence, leverage their skills, leverage their skill sets and promote them to grow into the climate and the culture that we’re trying to cultivate within an organization, within an institution and even within an industry. So, it’s the way that we intentionally, and ongoingly and actively engage the diversity at hand.

Cindy Ng: Describe for us the kinds of diversity and inclusion programs you’ve implemented and what has been successful.

Allison Avery: There are a couple of different arenas that I think diversity and inclusion programming gets parsed into. One is primarily along the lines of recruitment and retention. Now, in medical school, we tend to not have any general issue with retention, but that tends to be in the domain of professional development. And that’s pervasive throughout any industry, and I see that within a lot of the articles I was reading in the tech industry. There are some initiatives going on through Google and Twitter of trying to recruit individuals from different industries to companies, and that’s just a pervasive element. So, we do a lot of recruiting here at the medical school for students from the educational pipeline. So, we go to undergraduate institutions, we have summer programs for students that are rising juniors and seniors to come and spend the summer to do basic science research, primarily targeted for Blacks and Latinos because those targeted minority groups are underrepresented in medicine. Only about 6% of medical school matriculants are Black-identified and about 4% are Hispanic-identified in the country. About 56% are white-identified matriculants in medical school in 2014.

So, there’s a huge underrepresentation and, as we see the shifting demographics of the country over time, minorities will become the majority by 2050. That’s kind of the projected…and even before, that’s kind of the projected year. So, we see a kind of need for greater representation in a medical school, so we do a lot of recruitment effort. NYU just matriculated its highest composition of diversity this past year or so. The entering class of 2014 was the most diverse ever, and so our efforts were quite rewarded in having a cultivated class of compositional diversity. That was a very successful effort and that is from going to schools to having a very diverse group of individuals on the screening committee, on the interview committee. We have multiple mini interviews, where individuals do not review the full record. When students come into interviews, we try to eliminate aspects of bias. So, there are trainings on unconscious bias for all the interviewers, trainings on unconscious bias for all the screeners. That’s another effort that we do. So, recruitment is a really big, targeted effort with regard to any industry for trying to attract and recruit underrepresented minorities.

Another area is educational enrichment. And so, there’s a lot of efforts to look at how do we ameliorate and reduce health and health care disparities. That’s basically looking at cultural competency training for all physicians, because healthcare is something, and rendering appropriate healthcare and rendering it across different cultural lines, is something that every physician needs to have the capacity for, especially when we’re looking at the diversity in the pluralistic community of the patient population that all physicians are needing to have the capacity to serve. And so, I think that that’s also generalizable to the tech industry when you look at the shifting demographics of the country of users. So, there is a huge pluralistic nation that we have, and people have different needs and there are very different markets that can be targeted and marketed toward. Having different educational initiatives, looking at how do we reduce health and health care disparities, and training students has been a very big initiative within the curriculum.

So, how do we basically educate our entire population of students to be able to render care for a huge and diverse patient population? They need to know about things like health disparities, they need to know about things like social determinants of health. They need to know about how bias might impact their decision-making on treating different types of patients of certain races, of certain genders, of certain sexual orientations. And they need to know how, generally, socially disadvantaged groups tend to receive worse quality healthcare.

Cindy Ng: Earlier you mentioned unconscious bias. Can you define that term for us?

Allison Avery: Unconscious is pretty much anything that’s outside of our conscious awareness, which is primarily the main way that we operate, it’s likened that about 90% of our mental processes and the way that we operate is outside of consciousness. So, the unconscious is pretty much any mental process that is inaccessible to consciousness, but it influences our judgments, our feelings and our behavior. It’s pretty pervasive.

And then, bias is really a neutral term. It gets a kind of negative rap and it’s something that we cannot do without, nor would we want to. But bias is pretty much, it’s just a tendency or an inclination, but it’s one that prevents an unprejudiced consideration of a question. So, it has this sort of stigma to it but bias is really, it’s just a neutral thing. But the way that we understand unconscious bias and the way that we’re talking about it, is in this arena of prejudice, social stereotypes and attitudes that we form about certain groups of people without our intention or our conscious awareness. And that’s what we really mean when we’re talking specifically about unconscious bias as it relates to certain groups of people and how that influences the way that we engage with people.

That’s how I’m sort of using the term as it relates to D&I work in our workspace and how it might prevent the hiring of a person, how it might impede diversity and inclusion efforts, and that’s been noted as one of the main contributing barriers to compositional diversity efforts. In hiring practices, in the recruitment phase, in the interview phase, in trying to really, really have a very, very diverse workplace, unconscious bias has been kinda targeted and denoted as a huge impediment to having the diversity that we would like to consciously see. And I think it’s really important to make the distinction. It’s the distinction between the way that we consciously believe, and we might have these very consciously-held egalitarian views, which I believe that we do if you look at social attitudes in this country over the past 40 years and the evolution of which they’ve grown, and they’ve changed and they’ve evolved very, very drastically. It’s more stigmatized now to be a racist in this country than probably almost anything else. It’s very, very stigmatized. However, when you look at some of our unconscious attitudes and some of the outcomes, a lot of our actual practices, i.e. some of the health outcomes, some of our housing outcomes, some of the actual behaviors and outcomes have remained unchanged.

So, like you were saying, in the tech industry, there have been a lot of things that have remained unchanged for the past 15 years or, you know, two years or 10 years. It’s that spectrum or that dichotomy between the way that we consciously believe and, sometimes, the way that our unconscious behaviors and the manifestation of which gets played out. And bridging those two is the space of bias, and trying to bring those two things a little bit more in alignment and a little bit more closer together. So, we have there pretty egalitarian conscious attitudes, but the outcome of which doesn’t really reflect that when you look at some of our composition in the workspace, some of our health outcomes and the way that we hope to think of ourselves. You know, look at the composition of our prison system, look at the composition of women in the tech field.

Cindy Ng: It’s popular in the tech field to hire based on one’s social network. What’s your opinion on that?

Allison Avery: I think on face value and on first flush, that seems like a good idea but I don’t think we’ve tracked the full ramifications of what that means. And I think that there’s a way that, on first pass, that seems like a very respectable way to go about doing business, and I think on one level it is. But we need to do a little bit of a deeper dive on what do we mean by things like, how do we define culture fit? How do we define somebody who is aligned with our organization and the diversity that we want? And what are the actual ramifications of just pulling from our social networks? So, when we look at how people’s social networks get created and cultivated, they tend to be, like you said, people tend to migrate toward people that are like them. And that tends to also fall within similar social identity categories, socio-economic lines and class status, correct?

So, on one level, it seems like a very good…on first pass, if you don’t dig any deeper, it seems like a very good idea. Okay. Somebody suggests a friend and that person comes into the organization, and they probably do fit in very well, and they probably get along very well and then you kind of go forward without thinking much further. But then, when you look at the compositional diversity of who, then, you attract, everybody sort of seems to either come from similar schools so you’re not getting a diversity of educational experiences, come from similar classes and, potentially, demographics. So, you might have similar social identity categories of composition. When you look at the composition…I was just reading this article called, “What it’s actually like to be a black employee in a tech company,” and they cited some really, really interesting statistics and I think it’s very worthwhile to go over those because the Public Religion Research Institute has some statistics related to people’s social networks. And you know, white Americans have 91 times as many white friends as black friends. I think that’s really important because three-quarters of whites have entirely white social networks without any minority presence. So, if that’s where you’re pulling from, what are the odds that you’re going to have a huge minority presence if that’s the pool that you’re pulling from? Clearly, just from a statistical representation, very, very small, correct?

But unless you know that and unless you’re thinking in those terms, it just seems like a very good idea from first pass. That’s why a deeper dive is so much more necessary, and that’s why I think that there isn’t this intentionally evilness to people who are anti-diversity. It’s just that they don’t tend to know, nor do they tend to dig, and there’s this naiveté of, “Well, invite individuals from their social networks and things should just be fine.” But people think that other social networks are much more diverse than they actually are, and that’s just not true. And so, once you know that, once you know that, “Okay, if this is our structure, employees are actively encouraged to suggest friends or former colleagues,” well, if you also know that your company is comprised of 57% of this, and then you know that those individuals are going to be 91 more times likely to, “Blah, blah, blah,” well, then you’re going to rethink your methodology. But generally, people don’t have that type of statistical awareness or insight into how these social networks are formed or structured, and so they don’t understand all the nuance related to recruitment and why it’s so difficult to have elements of compositional diversity.

Cindy Ng: How would you reshape hiring practices?

Allison Avery: So, a couple of different things. One, I would have pervasive unconscious bias training for all hiring managers completely required. I mean, that’s just a given and an automatic.

Number two, there are some things right at the outset that take people out of the running right away, like affiliate universities. There’s pooling from similar universities that have a lower representation of underrepresented minorities.

So, you make partnerships with schools that are serving very high, either women or very high minority-serving institutions, and those tend to actually not be the Berkeleys and the Stanfords of the world. So, you can look at the compositional diversity of different institutions. So, I know at NYU we tend to partner with certain very specific institutions that have either very strong STEM programs, so they’re doing a lot of work with very high-quality students and doing a lot of rigorous scientific work, and we make very strong partnerships with them so that we also know the quality and the caliber of the student. And so, you can be a hiring manager and you make partnerships with, whether it’s a nonprofit or whether it’s an undergraduate institution that’s a high serving minority, but that you also are vetting with regard to the quality or you’re investing in the quality. So, you can help mentor them in the creation or co-creation of their program and have some sort of influence. That’s another way. So, you develop these kind of pipeline programs, that’s another one, and then you reward those elements.

Having internships, that’s another element. Not just pooling people from your social network. Also, the more diverse your hiring system is…so, we know that whatever kind of interview process you have, if you put five people in a room and that’s the interview team, they are going to replicate themselves in who they hire. So, whomever you want hired is how you comprise your hiring team. So, if you would like a very diverse team hired, then you need to have a very diverse hiring team. The worst thing that you want to do is just have one hiring manager because you’re most likely going to have that person replicated in whomever they hire. So, you want as many people to weigh in as possible and you want that team that gets weighed in as diverse as possible. So, that’s another recommendation that we do.

So, those would be just the first pass of things that I would recommend, very quickly. And taking out words in the job description of what you’re looking for. So, we know that there’s a lot of gender priming in the job description, like things like, “Strong leader,” and “Aggressive manager,” and those are very, very gender-oriented. Or when people assume at the very outset, sometimes, a lot of things about people, relocation, if they’re interested in relocating or not, or inappropriate questions that they wouldn’t ask, you know, a man versus a woman, and things like that, and really being conscientious that this is not present within any part of the on-boarding. So, that’s also looking at the job descriptions and really making sure that those aren’t either gender or sort of racially-leaning.

And making sure that these things are advertised and reaching individuals in different pockets, so utilizing and leveraging people in-house too, utilizing any type of people in-house. So, you know, in kind of reading some of these articles, there’s a lot of informal or even formal professional networks within an organization or institution. So, we have the Black and Latino Student Association and they belong to a professional association called the Student National Medical Association. Well, that’s primarily for black medical students. Then there’s the NHMA, which is National Hispanic Medical Association and that serves Hispanic medical affiliates. And so, there’s a lot of affiliate, there’s formal and there’s informal. I know there was one in one of the articles that I was reading about Twitter, called the Blackbird, Twitter’s internal group for black employees, leveraging the internal group that is serving or is in the interest group of certain underrepresented or underserved minorities that is your target. And being really intentional about saying that this is a priority, and this is why, and this is why we’re valuing a certain demographic that’s extraordinarily underrepresented in this organization.

Also, when we look at pay differentials, so something that is very pervasive. So, when you look at how people are staffed, when you look at upper-level management and the composition, and how the color changes as you go along the rungs. And we know that the American Institute for Economic Research has done a lot of noting that, you know, employees of color are statistically paid less by a considerable margin. And that’s substantiated by a lot of economic research looking at how pay is a differential and trying to reconcile that, looking at how people are promoted and looking at where they’re staffed. Are the majority of black employees on the janitorial and security contractor level, or are they, you know, in middle management? And how are people being staffed throughout the organization, and where, and what does that look like? And you can be more intentional about that, and it’s important.

[Podcast] Security Courts the Internet of Things

As more physical devices connect to the internet, I wondered about the responsibility IoT manufacturers have in building strong security systems within devices they create. There’s nothing like a lapse in security that could potentially halt the growth of a business or bring more cybersecurity awareness to a board.

I discussed these matters with this week’s Inside Out Security Show panel – Forrest Temple, Kilian Englert and Mike Buckbee.

First in line to be discussed was the shocking revelation that while car manufacturers enabled users to control their vehicles with an app, they never thought through what happens when it’s sold. What’s the harm? In the words of the car owner, “If I were a criminal, I could’ve stolen the car.”

In another alarming article, a security researcher recently discovered that anyone can connect and control a cuddly CloudPets via Bluetooth, recording private conversations with the built-in microphone. If you’re a parent who finds this IoT toy a cute way to leave messages with your child, your privacy may be at stake.

Additional recent news articles we discussed include:

Tool of the week: Chaos Monkey is a resiliency tool that helps applications tolerate random instance failures.

[Podcast] More Scout Brody: Bringing Design Thinking to IoT

By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One aspect we haven’t seen is IoT devices that are not connected to the internet.

In our follow-up discussion, this was the vision Simply Secure’s executive director Scout Brody advocates, as current IoT devices don’t have a strong foundation in security.

She points out that we should ask whether putting a full internet stack on a new IoT device will actually help users, and describes the benefits of bringing design thinking to the creation of IoT devices.

Cindy Ng: I also really liked your idea of building smart devices, IoT devices, that aren’t connected to the internet. Can you elaborate more?

Scout Brody: Yes, you know, I like to say, when I’m talking to friends and family about the internet, there are a lot of really interesting, shiny-looking gadgets out there. But as someone who has a background in doing computer security, and also someone who has a background in developing production software in the tech industry, I’m very wary of devices that might live in my home and be connected to the internet. I should say, low power devices, or smaller devices, IoT devices that might be connected to the internet.

And that’s because the landscape of security is so underdeveloped. We think about where…I like to draw a parallel between the Internet of Things today and desktop computers in the mid-90s. When desktop computers started going online in the 90s, we had all sorts of problems because the operating systems and the applications that ran on those machines were not designed to be networked. They were not designed, ultimately, with a threat model that involved an attacker trying to probe them constantly in an automated fashion from all directions. And it took the software industry, you know, a couple of decades, really, to get up to speed and to really harden those systems and craft them in a way that they would be resilient to attackers.

And I think that based on the botnet activity that we’ve seen in just the past year, it’s really obvious that a lot of the IoT systems that are around the internet full-time today, are not hardened in the way that they need to be to be resilient against automated attacks. And I think that with IoT systems, it’s even scarier than a desktop, or a laptop, or a mobile phone because of the sort of inevitable progression toward intimacy of devices.

We look at the history of computing. We started out with these mainframe devices or these massive god-awful things that lived in the basement of the great universities in this country. And we progressed from those devices through mainframes and, you know, industry through personal computers and now the mobile phones. With each step, these devices have become more integrated into our lives. They have access to more of our personal data and have become ever more important to our sort of daily existence. And IoT really takes us to the next step. It brings these devices not just into our home, but into our kitchens and into our bathrooms, and into our bedrooms, and our living rooms with our children. And the data they have access to is really, frankly, scary. And the idea of exposing that data, exposing that level of intimacy, intimate interaction with our lives, to the internet without the hardening that it deserves, is just really scary. So, that’s, you know, a bit of a soapbox, but I’m just very cautious about bringing such devices into my home.

However, I see some benefits. I mean, there are certainly…I think that a lot of the devices that are being marketed today with computer smarts in them are, frankly, ridiculous. There are ways that we could, sort of, try and mediate their access or mediate a hacker’s access to them, such that they were a little less scary. One way to do that is, as you mentioned, and as we discussed before, to not have them be just online. You know, have things be networked via less powerful protocols like Bluetooth low energy, or something like that. That poses challenges when it comes to updating software or having, you know, firmware or software on a device, or having a device being able to communicate to the outside world. If we want to be able to turn our light bulb on the back porch on from our phone when we’re 100 miles away, it’s difficult. More difficult if the light bulb is only really connected to the rest of our house by Bluetooth, but it’s still possible. And I think that’s something that we need to explore.

Cindy Ng: Do you think that’s where design comes in where, okay, well, now we’ve created all these IoT devices and we haven’t incorporated privacy and security methodologies and concepts in it, but can we…it sounds like we’re scrambling to fix things…are we able to bring design thinking, a terminology that’s often used in that space, into fixing and improving how we’re connecting the device with the data with security and privacy?

Scout Brody: I think so. I mean, I think what’s happening today…the sort of, our environment we’re in now, people are saying, “Oh, I’m supposed to have smart devices. I want to ship smart devices and sell smart devices because this is a new market. And so, what I’m going to do is, I’m going to take my thermostat, and also my television, and also my light bulb, and also my refrigerator, and also my washer-dryer, and I’m going to just put a full internet stack in them and I’m going to throw them out on the big, bad, internet.” Without really stopping to think, what are the needs that actual people have in networking these devices? Like, what are the things that people actually want to be able to do with these devices? How is putting these devices online going to actually improve the lives of the people who buy them? How can we take these devices and make their increased functionality more than just a sales pitch gimmick and really turn this into something that’s useful, and usable, and advances their experience?

And I think that we, frankly, need more user research into IoT. We need to understand better what are the needs that people have in their real lives. Say, you want to make a smart fridge. How many people, you know, would benefit from a smart fridge? What are the ways that they would benefit? Who are the people that would benefit? What would that really look like? And based on the actual need, then try and figure out how to…and here’s where we sort of switch to the security perspective, how do I minimize access? How do I minimize the damage that can be done if this machine is attacked while still meeting the needs that the humans actually have? Is there a way to provide the functionality that I actually know that humans want, that the human people need, without just throwing it on the internet willy-nilly?

And I think the challenge there is that, you know, we’re in an environment where IoT devices…that the environment is very competitive and everyone is trying to do, sort of, the early mover trying to get their device on the market as soon as possible. We see a lot of startups. We see a lot of companies that don’t have any security people. I know we have, sort of, one or two designers who don’t have the opportunity to really go in and do research and understand the actual needs of users. And I think, unfortunately, that’s backwards. And until that gets rectified, and you see companies both exploring what it is that people actually will benefit from, and how to provide that in a way that minimizes access, I think that I will continue to be pretty skeptical about putting such devices in my own home.

Cindy Ng: And, so we’ve spent some time talking about design concepts, and security, and merging them together. How can someone get started? How do they start looking for a UX designer? Is that something that Simply Secure, the nonprofit that you’re a part of, can you help in any way?

Scout Brody: Yeah. So, that is actually, kind of, exactly what Simply Secure has set out to do as a nonprofit organization. You know, we recognize that it’s important to have this partnership between design and security in order to come up with products that actually meet the needs of people while also keeping them secure and keeping their data protected. And so, Simply Secure works both in a sort of information sharing capacity. We try to, sort of, build a sense of community among designers who are interested in security and privacy topics as well as developers and security folks who are interested in learning more about design. We try to be sort of a community resource. We, on our blog, and our very small but slowly growing GitHub repository, try to share resources that both designers and software developers can use to try and explore and expand their understanding at the intersection of security and design.

We actually, as an organization, do ourselves what we call open research and consulting. And the idea here is that an organization, and it can be any organization, either a small nonprofit consortium organization, in which case, you know, we work with them potentially pro bono. Or, a large for-profit tech company, or a startup, in which case we would, you know, try to figure out some sort of consulting arrangement. But we work with these organizations to help them go through a design process that is simultaneously integrated with their security and privacy process as well. And since we are a nonprofit, we don’t just do, sort of, traditional consulting where we go in, do UX research and then come out, you know, with a design that will help the company. We also go through a process of open sourcing that research in such a way that it will benefit the community as a whole. And so the idea here is that by engaging with us, and sort of working with us to come up with a design or research problem…a problem that an organization is having with their software project, they will not only be solving their problem but also be contributing to the community and the advancements of this work as a whole.