151. Dr. Erik J. Huffman Explains Our Biological IT Weaknesses

Dr. Erik J. Huffman

Dr. Erik J. Huffman is a cybersecurity researcher, cyberpsychologist, TedX speaker, and award-winning entrepreneur. Currently, he teaches as an adjunct professor at Westcliff University, while also being Director of IT at BombBomb, Founder of Handshake Leadership, and mentor at Mesa Ridge High School. He has also served as a board member for the Board on Army RDT&E, Systems Acquisition, and Logistics, been a dean of studies, and worked at Walgreens. Dr. Huffman has a Bachelor of Science in Computer Science, a Master of Project Management in Information Technology, and a Ph.D. in Philosophy.

Dr. Huffman’s vast experience provides so much insight for us. We’ll discuss how scammers exploit our biological weaknesses in the digital space, why cybersecurity is everyone’s responsibility, and why 100% security doesn’t exist.

I think part of the problem is where people think ‘the security team’s got me, so I’m just going to click this link.’

3 Key Takeaways

Dissecting Popular IT Nerds

Episode Show Notes

[02:35] Have you found there to be any arrogance in the Ph.D. sector?

When you are writing your dissertation, your research has to pertain to something new. Your dissertation committee may not have researched the specific area you are presenting, so there is a level of disparity there. For that reason, there has to be alignment between you and your committee.

[07:40] Do you see the correlation between that branch of academia and IT leadership?

If you are a leader and you don’t align with the needs of the business or the execs, good luck! You’re going to be frustrated because there are very few ways to have a direct impact on revenue. IT and cybersecurity are about investment and nothing happening. Cybersecurity is a unique industry because we are constantly working to put ourselves out of a job. If you are good at your job then there won’t be any attacks.

[11:00] Please plug your podcast.

My podcast is The MiC Club, minorities in cybersecurity, and it’s a video podcast so you can find it on YouTube.

[11:15] Would you say cybersecurity shouldn’t be a job in itself, but should be a part of other positions?

I agree that we need cyber-aware nurses, doctors, shopkeepers, etc. Saying these people don’t need to know these things because they have a cybersecurity team or person is ignorant and suggests that small businesses don’t run the country. To say only the team dictates security for everyone in a company is wrong. Everyone should have a say and some knowledge. On the flip side, there are some places where there should be a role for security individuals, like red teaming, blue teaming, and threat hunting.

[18:00] It’s not hard to put a human on the phone and start a scam.

I think that’s true because we don’t focus on the humanity of cybersecurity and the humanity of the digital environment we’ve created. The biological sensors that we have for fight and flight don’t kick in the same as they do when it’s a physical environment. If you’ve ever read a book and liked the book but then hated the movie, that’s why. It alienates the view you have of it. When you look at data breaches, between 90 and 94% of it is our fault.

[25:50] How do we stop people from becoming too comfortable? What are some of the rules you communicate?

It starts with knowing yourself and how you are susceptible. It’s about situational awareness and understanding how someone is looking to exploit you. How you feel is based on your emotional state, which is based on what is going on in the world. Hackers have gotten a lot smarter.

[28:00] What’s the craziest story you’ve heard recently?

I conduct a lot of phishing campaigns myself in three tiers. The first is “no one is going to click on this,” the second is “you would have to do some research to figure this out,” and the third is “I am cheating and you are almost certainly going to click on this.” I had an instance where someone in one of the organizations I was working with clicked on a first-tier message I sent out.

So, I continued the play to see how far it would go. He gave me all his info. We brought him in and explained that he had failed, and it came down to a real-life situation he was experiencing. Technology can’t patch that, and that is why you need situational awareness. In one instance when I worked with a company during the pandemic, they failed miserably. It was because people were scared of losing their jobs.

[35:25] To me, that is one way that cybersecurity makes the company money and how it’s demonstrated.

You’re right. Poor leadership is a vulnerability. If your name sparks fear, then people are more likely to fall for a scam.

[41:30] If there was one piece of advice that you could give, what would it be?

Security doesn’t exist, only levels of insecurity and what is accepted. Look at your job from that perspective.

Resources
