Can I Sign New Hampshire Banking Document

Can i industry sign banking new hampshire document mobile

today on cyberwork i get to talk to diana kelly of the analyst syndicate and well a lot more things we talk about diana's inspiring 25-year security journey her many projects aimed at educating new generations of cyber security professionals the ethics that need to go into the practice of ai and machine learning and tales of sneaking into darpa in the 1970s for the nefarious purposes of accessing instruction manuals that's all today on cyberwork also let's talk about cyberwork applied a new series from cyberwork tune in as expert infosec instructors and industry practitioners teach you a new cyber security skill and then show you how that skill applies to real world scenarios you'll learn how to carry out a variety of cyber attacks practice using common cyber security tools engage with walkthroughs that explain how major breaches occurred and more and believe it or not it is all free go to infosec institute dot com learn or check the link in the description below and get started with hands-on training in a fun environment while keeping the cyber security skills you have relevant that's infosec institute dot com slash learn and now let's begin the show welcome to this week's episode of the cyberwork with infosec podcast each week we talk with a different industry thought leader about cyber security trends the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry diana kelly's security career spans over 30 years she is co-founder and cto of security curve and donates much of her time to volunteer work in the cyber security community including service on the acm ethics and plagiarism committee as cto and board member at sightline security board member and inclusion working group champion at women in cyber security cyber security committee advisor at comptia advisory counselor bartlett college of science and mathematics bridgewater state university and rsac u.s program committee diana produces the my cyber y series and is the host of bright talks the security balancing act and co-host of your everyday cyber diane is also a principal consulting analyst at tech vision research and a member of the analyst syndicate she was the cyber security field cto for microsoft global executive security advisor at ibm security gm at symantec vp at burton group now gartner and manager at kpmg she is a sought after keynote speaker the co-author of the book's practical cyber security architecture and cryptographic libraries for developers has been a lecturer at boston college's master's program in cyber security the ewf 2020 executive of the year and one of cyber security ventures 100 fascinating females fighting cybercrime as you can see diana isn't one to spend a lot of time waiting for opportunity so today's episode is going to cover a lot of ground from diana's security journey her wide-ranging media offerings podcasts lectures the analyst syndicate and some thoughts on the impending changes that might be happening in the cyber security industry postcovid so let's get to it diana thank you for joining us today on cyberwork oh thanks so much for having me here chris my pleasure uh so you know as you can see i uh that that was a a multi-minute uh uh scroll of your your accomplishment so i i you know obviously we have to ask about your origin story what got you interested in cyber security in the first place what was what was the attraction well it started actually with technology so there were sort of two technology to security incidents that happened in my life my first i absolutely fell in love with technology when i was nine years old and my dad brought home a programmable texas instruments calculator and i was like oh my god and i think he thought my brother might be more interested not because of a gender thing but just because my brother was a little bit older and seemed to be more technical and i was kind of more already um but i i absolutely fell in love with this thing i was like oh my god you can program this calculator and i thought it was absolutely amazing and then a few years later we built a heath kit computer together and ultimately that's a name i haven't heard in ages that's so cool oh man so for listeners we are talking the mid to late 1970s we're taking you back a little bit yeah yeah heathkit was a whole a whole range of things you could order through the mail and it was just had all your circuit boards and you just built it all yourself you build a radio you build it i didn't know you could build a computer that's amazing you could you could and and then i mean then it was like we could advance to like the trs 80s the little ones level two so like that it was like the pc started to be a thing but yeah early on you had to build your own and and we had if you've ever seen that the movie war games with matthew's i think actually he might have i had a dial phone but you know he takes his phone the whole phone receiver into a modem coupler yeah so that was that's how i got started my dad was a research professor at mit lincoln lab so he was able to get an account um so it was like it was a limited account on the the darpa because mit was was connected to the darpa in the 70s and so i was able to couple modem couple into the uh to tech square at mit and cambridge with their pdp 10s and 11s and that they were connected then to what was the darpa at the time which was i i think i forget the exact number but we're talking like maybe 200 servers total on this so the quote unquote internet in the 70s for folks who don't know what darpa net is like that you're we're talking about the literal like birth of the internet you were right you were right there yeah and i fell in love i was absolutely i was just i could talk to people you know in california and this is back in a time when again for people that that aren't you know of a certain age as i am um you might forget that it actually was extremely expensive to call outside of your calling circle back in the day so even calling to a different state going across the country was cost prohibitive for a lot of people so as a kid for durations like that yeah and i didn't have access to being able to call it so but now suddenly i i was on on systems and i could speak with people in real time in california and in dc and again you know a lot as we think back to the 70s people may not realize that we actually had email we had instant messenger it was called talk but it was it all existed it didn't look as pretty and it was not mobile you know and that you could like carry it around in your pocket but we had those and so i was just blown away i was like i'm absolutely in love with this and um i wanted to know more about how the systems work and i found very quickly that i didn't have access to read some of the manuals that were online and i then found out that there was a flaw in the login system so that when you logged in what you saw on your screen was actually uh asterisks as you typed your password but there was a vulnerability in that and you could actually ghost the system you could kind of see what other people were typing so i got the password of an admiral and i logged in i was essentially super used because i was logged in as me and then i logged in and says i did at that point have access to all the manuals i wanted to read but promptly the next day my father had to sit me down and have a conversation with me because the admins of the system saw what i did and said look now again if you're a 13 year old child in 2021 and you say oh i didn't know what i was doing i didn't mean any harm you don't have a lot of possible deniability but in 1978 1979 um that was actually these were so new these systems are so new that they gave me the benefit of the doubt i've been told since then by some people in the government like don't worry uh because i i was not there was no a hacker saying they just said look we saw what you did we know that you just wanted to read the manuals but what you did was wrong you can't take somebody else's password for their access so i never did anything like that again i learned my lesson but i got really interested in the whole you know that when their applause or vulnerability systems work differently fast forward now to when i'm actually out in a professional career i didn't go to college computer science i didn't think that i didn't know what kind of you know career future there would be so i actually was an english major and when i graduated i was working for publishing companies but i was always the go-to computer person and i worked my way up to being an assistant editor where i was doing acquisitions of software to go with the math textbooks of the company that i worked for and this was early on software was pretty new for math textbooks seems like you could have the um the quizzes and the professors could could print them out and everything um but this was all very new and it fell on me because i was always the go-to computer person and uh someone saw me the woman who ran the network saw me and said you know i think that you actually should be our computer person and so it was very exciting and we're going to tie together our networks for all the different divisions of the parent company of them too we're in the boston area so super excited um i did take the job i was a little scared and i am so grateful to the person who supported me and and saw something in me yeah which is one of the reasons i spend a lot of time giving back now because you know my life has changed because of her belief in me and i'm so grateful but any case and then i started working my way up uh in now i'm in the technology field i'm no longer in editorial i'm working technology i became the global manager of a network in the cambridge area with nine offices around the world and linking them together so that we could do our work globally with a startup company someone got onto the network and again that's where that fire up of security so you know thinking back to like the vulnerability way back with the darpa you know and then um now i'm at a company where my life's work i thought was you making this this network and tying everybody together so they could they could work together what i thought the darpa before the company that i had built and manage this network for and someone got onto it and i realized that the reason that they got onto the network was because i didn't understand security i didn't understand how to build really strong resilient systems so at that point i decided um i love technology i love connecting people but if i don't know how to build these securely they're not people can't recognize or realize the benefits of the tech so i i said i'm going to focus on security exclusively we didn't call it cyber back then it was infotech and a number of people this i still think back to this you know a number of people said i was basically destroying my career because i had a great career and networking but security all the problems were going to be figured out it was too niche it was you know people in business didn't want to worry about security securities no guy i should stay with with networking and not focus on security exclusively but i was just so convinced that if we don't do this because we're not networking securely we can't uh you know benefit from it so i decided to focus on security and that was 25 years ago and clearly never looked back and and also clearly was was not like you you went into a niche that wasn't wasn't a growth industry i know i know so yeah i mean like one of the things that i think about when you say that you know on the original darpa there were you know 200 servers there were you know a few hundred people using this kind of thing and even you know i i got on you know the internet in college in like 92 90 you know for when i start really sort of seeing the outside world but there was still that that that feeling that not everyone was going to ever get on this you know i never really got a sense at the time that this was going to be as universal as it is and similarly i mean like you said you know that there was wasn't going to be this this need for this kind of global security based on that so i that that leads perfectly to my next question which you know i can you just give me sort of a 10 000 foot view of the cyber security landscape has as it's changed over these past 25 years because obviously you've you've been there since the beginning and you can you can see all the changes but like what are some of the some of the sort of surprising things about it in those decades i think i think the biggest change and you touched on this is just i i didn't i wasn't able to see that it was going to go from a closed off you know data room you know these elevated data centers behind glass and the big huge systems that it would be something that we literally carried with us and we depended on every day in our daily lives so it was the ubiquity it's the ubiquity of the technology that i didn't understand that it would be absolutely everywhere and when we were looking at you know just a couple of hundred systems you know connected or you know with me building out the network for the the startup in cambridge the the scope was really limited i mean i think that's i mean this is a crazy story but when we first got on the internet at that startup what i did was i tailed the syslog of the pro the server i had between the firewall you know between you know going in and out of the network and by tailing that syslog i i was basically doing you know some level of sim detection at the company which in retrospect is like what you know there's there's no way you can do that but that was actually because the amount of data we had to look at the amount of systems that were connected it was just so much smaller so there's the there was a scope of how ubiquitous it is also the number of devices that we had to manage and now you think about what we use software and technology it's everything from when you depress the big brake pedal in your car that's software that's doing the translation and actually doing the braking to you know the automatic adjustment of the temperature in our homes with the smart device so it's really it's it's woven into the fabric and because it's woven into the fabric of our life the other thing that's changed in in addition to the scope of the number of systems and where they are is unfortunately the negative impact that it can have on our lives so um you know when i was early on in my career i thought somebody getting on the network and and actually what they did was they they messed up our ftp server i was like oh my gosh that's like the worst thing that can happen people can't download these patches from our ftp server and then later on it was well what if somebody gets into your bank account and clears your bank account well your bank's going to keep you whole but um i thought these are the worst things that could happen in tech and now we're in a situation where health systems have struggled recently yeah with disruption with an outages based on attacks that can then lead to negative health outcomes you know we have utilities like water and electricity that are connected and remotely accessible and recently in old market florida they had somebody get into a water utility system and change the amount of lie that would be acceptable that would have been if they hadn't caught it it could have been um you know a loss of life or potential poisoning situation right you know and in the cyber it is and in cyberspace the it's an operational domain for nato now so that means that cyberspace is a war zone which and and not in a in a hyperbolic way but that's truly the way that nato thinks of it so looking at that it's that the scope the ubiquity and then the the potential for negative impact because of the ubiquity yeah yeah that's great we actually are going to have a guest in a few weeks who's an expert on infrastructure security and and sort of the iot implications of that and i had her on a couple years ago and and we're definitely going to talk about that that florida case because that is that is scary stuff yeah yeah um so you know like i said reading your professional history was such a t eat because it has so many twists and turns along the way you know uh global executive security advisor to ibm cyber security thought leader team at you know team lead at microsoft you've got you know consulting analysts for tech vision research board member of women in cyber security uh you know you've got your your everyday cyber podcast host of the monthly video panel the security balancing act so you know i i really and so many of these that are happening sort of concurrently with each other so i guess i want to know what's the through line between all of these disparate projects what are the things about all these diverse projects that excites you and keeps bringing you to these new opportunities well i think the brightest through line is is cyber security it comes back to the that same feeling i had um when i realized that you know the integrity of the system could have impacted what people could see uh you know back in on the darpa days or when somebody got onto my my network you know so just cyber security and this love of of technology and knowing that the only way we can love technology and use it is to make sure that it's resilient and operating as expected uh but there are some other screw lines i think that maybe might not be quite as as obvious and one is this deep seated need to communicate i was an english major and i really i want to share information and knowledge with others and learn from others so just back and forth so my cyber life for example is a celebration of people who are doing work in cyber that we might not have thought of and the for one of the first guests was the person who inspired the entire series uh because i i met him he's a top finnish aviation security expert and he was explaining to me what cyber security in aviation means and he works with international aviation consortium because that you know obviously the air space when you're flying around the world you go from one one government's airspace to another so there has to be a there has to be working together and i didn't even know that that existed yeah and he was telling me about the work he did and i thought you know we we get so caught up in uh the hacker in the hoodie and mr robots forget about these wonderful people doing this work every day that we may not have even thought of so there's just need to i just i love to communicate i love to be with friends you know your everyday cyber limour custom and my co-host she's a dear friend of mine for many years and we were saying you know it's kind of unfortunate because it's hard to explain to non-technical people about security and and both of us were doing a lot of kind of calming people down when there was something in the news and and trying to help help less less security um deep insecurity people understand what they why not to be too panicked but also why there are steps that need to be taken in order to protect themselves so this desire to communicate and help people feel like you know the world can be a safer place for them and then the the last through line i think between all of that especially as you see what i've been doing more and more work of in later on in my career is just an extreme sense of gratitude for being lucky enough to have had a career that i loved that i was able to excel in for you know my whole life and now wanting to help others be able to to have that wonderful rich experience so donating a lot of my time as a mentor and supporter of these different um you know because a lot of what you talked about they're communities comptia is a you know a professional association bridgewater is a you know state university so you know trying to help out um the the next generation and others to be able to benefit from from the field too it's also interesting just the way you know like you say you started at this point where where security was you know this big and and you know and it's just the way it's sort of grown exponentially and like all these different things that you grab seem to be like trying to sort of like get your arms around this bigger and bigger thing like like you said i if you didn't know about this aspect of of the sort of security interconnectivity between you know countries and nato and all this kind of stuff then you just you just find ways as security gets bigger to continue to put your arms all the way around it and sort of like see all the sort of contours and nuances of it which i think is fantastic yeah so um uh you know of all the jobs and projects that you mentioned the one that i most wanted to speak about here is the analyst syndicate which is a multi-dimensional platform through which the world's best technology and business analysts publish their research and recommendations can you give me the origin of this organization and and what was the original impetus for the founding of it and what what problems were you trying to solve with its creation sure so it was founded by tom mauston and french caldwell and you know the the original members are all long-term analysts predominantly it was gartner analysts originally yep um and a colleague of mine from burton group karen hobert who then went after the acquisition by gartner she continued to work for gartner for a number of years when i left microsoft she said hey i'm part of this new thing that the the analyst indicator dancing um and you know would you would you be would you like to join and i was just so excited because i really felt that tom and french were very much on to something that it was really time to rethink the traditional analyst firm you know industrialization top down control it doesn't always service the wants and needs of analysts or their clients these days and and the analyst syndicate is we love people who love being analysts advisors coachers innovators yeah confidants and what we really wanted to do was to bring that to a new kind of analyst firm you know we love what we do and we wanted to you know mix things up with 90 of the top it firms have outsourced their analysts relation because that fundamental you know relationship is changing right now so we wanted to you know take a different look and look at you know clients that were seeking a unique perspective looking for their own needs not just that big general here's a report that's going to apply for the world but customers that wanted to get a little bit closer to things that really mattered to them that had a coaching element a real one-on-one relationship kind of element um so you know that was really a big part of it the syndicate we respect different opinions and positions and drive research work to bubble up from the analyst we collaborate with each other we we bring ourselves to we we challenge ourselves because we come from so many different backgrounds to think new things i'm learning so many things being part of this because you know another analyst may be working on you know what's the next generation what's the next thing of you know transportation so you don't have this deep dive on autonomous cars and security's a part of it there are so many other things that come into that conversation so um you know we really value the the working relationships with each other as well as with the clients and trying to create you know a new way for communication and for the analyst world to look yeah there's something very sort of i mean in-depth but also very accessible about looking at the analysts and to get site like it it does feel like the sort of like halfway point between like a think tank and a news blog you know like i'm you know it's it's it's not dry like i'm looking through i'm like oh that looks interesting what's that oh what's going on over here you know do do you guys have a you know you said that you know you're learning so much and you're getting all these different voices do you have an editorial policy for the analyst syndicate are there what is like the sort of the vetting process or what is the sort of give and take when people say i want to bring this idea to the table i want this to sort of be involved and and and you know do you sort of have certain things where it's like okay that's that's too much or we need to sort of like get a second opinion on that or does it is it pretty much uh like a free-for-all uh no it's it's not it's not a full free-for-all although we do it it's very much there are a heterogeneous thinking is absolutely encouraged but you know bottom up generally um creates more collaboration on high interest and high value topics so as i said we do meet at least weekly to debate research topics we also um before something gets published on the site you have the option to ask for help either from your your analyst in that research meeting or you can just touch base with different analysts within the syndicate that you want to have feedback from or there's just a there's a distribution list and you can just go out to everybody outside of the weekly meeting and say i just publish i want to publish something this is my thinking and what are your thoughts on it and this peer review is really it's very engaging again because we come from different backgrounds and there's no and i i love that there's no sort of at a lot of analyst firms there was this because i worked twice in the analyst field once at burton and once it at hurwitz and there could be this sense of like you have to be the smartest person in the room and there's a real fight with each other and and our peer reviews are more about let's try and get deeper and dig down and understand the different viewpoints and consideration and i love seeing how our research will change through that peer review and just become broader and more thoughtful so it really improves the value that gets delivered for the the um the readers and but we don't have this like guilty to a single you know single point of view or a single prediction so it's really it's an amazing group to be in and it's a fascinating halfway point between between a news blog and a think tank tank and you're not gonna get that out of the standard industrialized research firm right now do you do you sort of uh seek out certain you know is it is it entirely sort of based on pitches that come to you or ideas that come to you or do you say we need to talk you know we need something some anal analytics on here about infrastructure or something like that do you ever sort of like reach out to people or do you have enough of an ingrown group of regulars you know that you that you sort of uh let them do the do the the deciding for you it is a really creative group so each each each analyst is coming up with their own ideas and it may start out with i i've got an idea can we flesh this out in a research project we also a lot of us have other consulting that we do in addition to our work with the analyst syndicate so it may be something that we're working on we're saying hey i'm seeing this problem or this trend can we talk about it or you know in some cases it's something that an analyst has been looking at for five or six years and always meant to write on and they're like you know this is the time and then bring that to the group and we will talk about it and help them think through and again you know it's really the enrichment from the other analysts but it's a really lively creative crew so there's no uh there's no need to to push people people are coming up with ideas that's great uh so yeah i want to talk about some of the pieces that i was looking at on your site one of the big topics that i saw in the analyst syndicates recent articles is how work from home you know which saved an unexpected amount of white collar jobs compared with you know the possibility of a similar pandem pandemic hitting in say 2005 you know which was able to you know transition to a fractured home-based work environment in ways that service industries and blue-collar positions obviously can't uh can you speak to some of the long-term changes of work from home on the security landscape in the next five years you know after after a year of this type of stuff you know it almost feels like we have a handle on it you know quote unquote but uh what you know what with the new normal coming like this what what are some long-term changes that you think even season work from home people won't be expecting yeah i think you're right i think that overall in the past year we've kind of smoothed out a lot of those rough spots i was kind of surprised that when a work from home became like an overnight just about a year ago now in march 2020 how many organizations had not thought about a modern approach to their workforce so they were mistaking a mobile workforce with a remote workforce yep and they're very very different although it seems like but i can check my email anywhere yeah but can you actually do 100 of your work anywhere and never go into an office and that's actually where there's a difference so yeah so they kind of got they got their vpn architectures updated to be more modern you know things like would drop ship out laptops and and do remote um uh orchestration and and setup of them uh but long term i think one thing that i'm actually really excited about the change is i'm really hoping that this is finally going to bring us closer to the ability for information workers at least because i know there are some jobs you need to be there in person but for a lot of information a lot of white collar uh you know that we could stop hiring just within our geo circle and start hiring the best people for the job and i think that this has some really positive social implications because cities are getting denser and denser and then the concentric circles of the suburbs around those cities become denser and denser and you find absolutely madness like you know i have friends in the san francisco area that will commute 90 minutes into the city and you know and these kinds of this is not good for mental health it's not good for the environment it's not good for your worker because although i know some workers that can do some good quote windshield time uh you know conference calls really you know you you continuous partial attention right it's yes it's not it's still stopping away at our energy overall so i think that a big positive could be that we're going to be able to we live in a a big wonderful country there's a lot of space i actually live in one of the less dense states in the country i live in new hampshire there's we can we can we don't all have to be in cities for people that want to be in cities that's wonderful but i think over over you know in the long term i'm very excited about the possibility of using a little bit more of the country but still having um really great a really great workforce also one of my analyst syndicate um cohorts karen hobert actually has predicted that this is going to lead to more green spacing within sides of cities and you know maybe like you know repurposing of some of the um the uh the buildings that we have in the city so that's kind of exciting to think about maybe you know get a little bit more green space which again could be healthier for all of us uh i think that um we're going to continue to see this move towards zero trust or you know if you want to call it deparameterization in the old jericho foreman forum but you know again that getting outside of the old school security which never really worked this way but we kind of thought there were people hoped it would that you know here's the inside here's the outside here's my firewall and outside untrusted inside everything's trusted you know like that that was never quite as like it was never as simple as that and companies that tried to do that even in the 90s when i was doing you know architectures no but there was this belief that that's how it was um and so i think that this is good actually looking at this zero trust model because it's thinking of deep perimeterization and and access continuous verification about all the assets that you're going to go connect to and it's wonderfully suited for the this new cloud world that we're living in where we're not living on premise anymore we are actually living mostly in in the cloud you know and i kind of love it i'm doing assessments with companies that were born in the cloud live in the cloud they don't have a data center you know because a lot of assessment questions you'll be like well is your data center locked up do you have proper cooling and it's like i don't know you know they've got their laptops and they've worn and live in the cloud so i'm really kind of excited about that i think that that's it's kind of pushed um push forward for that um but i do think one thing that i'm kind of hoping that we will think about because a problem i see coming down the pike is we are not planning for burnout yes and we're not planning for how much harder it is for a lot of people to work from home yeah you got rid of the commute that's wonderful especially those 90 minute commutes that's fantastic right but a lot of people are you think about it right i sometimes feel like i'm fusing into my chair because i will be in calls and we don't we never thought about this when we were physically with each other because it was always yeah you i'd have to walk to this other meeting you would need walk time to go from you know place to place now we just sit in a chair and the calls it'll go like one minute over so you're not one minute late to your next meeting you click on the next link you're going link to link so i think there's going to be a special kind of burnout there's also um a like we're burning you know some of our our energy and our brains looking at ourselves all the time because we're constantly on video so i think we're going to have to rethink when you know when you work from home you're always at work so i think we're going to have to we're going to find that there's going to be a lot of fatigue and potential mental health issues that we're going to have to address yeah i mean can you can you speak to that at all like any any any advice on that because you know we you know i was going to ask about the security implications and you and you said you know zero trust and and the cloud and stuff but what are what are your thoughts on on sort of combating metal fatigue and burnout and just you know yeah i'm the same way like sometimes i just have to like stand up and do squats at my desk because it's like i haven't walked for four five hours you know it's literally just one thing to the next but um what do you what do you suggest i mean some people you know their their whole life is in one is in one room right now you know i'm like what do we do about that yeah i mean i think that the being in the one room is is a thing um but i think what's more damaging is when we just sit in one place and you know talk and talk and i mean i've not a lot of calls where people will they say look i gotta step away for a minute and they they turn their their mic and their video off occasionally they forget um and they have to run to the bathroom because like they just they don't have any you know they have to run and get some water because they haven't had water in four hours so i i think that that companies should start to really look at and address this and think about uh what some companies and larger companies have already started to adopt which is no meeting times so just you know say there's one or two hours every day on the count you don't you don't have to go and eat lunch you don't have to go take a walk or whatever but you can't have a meeting during this time these are forbidden to so that it forces you to have a couple of hours in in the day where at least you can get up at least you can you can walk around the other like trick that a lot of companies are starting to do is that hour-long meetings are no longer allowed the maximum amount of time for a meeting is 50 minutes or 25 minutes so that there's that forced five minutes or ten minutes so you don't get into that just complete fusion and then get up and walk around even if it yeah do the squats or if um if you have any inclination i strongly recommend getting a dog or a couple of dogs because they're wonderful reminders that you got to get out oh yeah ball of energy but companies have to like i said they have to to get on board with us and do things like forced time when you can't have a meeting scheduled and and maybe consider you know 50-minute meetings yeah so i'm i want to move in in a sort of lateral direction here i'm quoting the title of one of the articles on your site uh despite covet-driven tech investments the majority of manufacturers will fail in digital transformation through the end of 2022. uh can you speak further to this concept of digital transformation like what are some of the long-term changes that need to be implemented across industries that currently aren't or that you think aren't being implemented quickly enough yeah i mean digital transformation it becomes sort of this bucket of buzzword that people just i need to digitally transform right but you know it's i think they just need to step back and think about what it really fundamentally is and it's about a change in the processes and procedures that are used to run the business and connect with customers so it gets conflated very often as it just means moving to the cloud and i'm not saying that's not a part of it because it is but it's not about just firing up an ec2 instance you know what this is you didn't transform because you did that transformation's about understanding the capabilities that are available in the cloud and integrating those into the fabric of how the organization operates so it could be something like adopting google workspace so now you can as a distributed team start working on documents which i'm super excited about i mean i was one thing and way back in my history was i was a lotus notes admin and and i had always been super excited about the promise of lotus notes which was you know real-time distributed collaboration and it just and the technology wasn't quite there we didn't have the bandwidth there wasn't but it's here now and i absolutely love it whether you're in google workspace or you're in and microsoft's productivity or 365. we can actually do that and share that so i think that that's that's you know that's powerful but then you look at um you know companies that are you know it moves on to like the entire customer experience with ai and customization and automation so all of that comes into digital transformation yeah and in the in the long run you look at like how transformation can it support or enhance a business you have things like healthcare where you have to balance digital transformation with what makes sense and i think every industry needs to step back and think a little bit about when we think about changing our processes what's going to benefit the business what's going to benefit the customers and what is is possible for us so i was talking about some of these built built-in cloud companies right and built in the cloud isn't going to be right for every every sector and in healthcare for example you've got things like medical devices mris they've still got really complex networks in the in the medical and health systems because you have these medical devices that need to be on the network and i have to go in you have to interact with that mri but that doesn't mean you can't do digital transformation within healthcare because there are also some really um you know forward-thinking health systems that are doing things like they have essentially icu physician socks and you get a bunch of the top icu physicians that are available in a state for example and they stay in one place and they can visit patients in multiple different hospitals through screens and there's a nurse there but now you've got to you know and this is really creative transformative kind of thinking you know some other things for you know healthcare is telehealth which has all become realistic for us now in in the pandemic and there was a lot of oh you couldn't possibly do that over the video well we learned to do it so i think that that's going to be a big one in transformation is not just saying because health care is immediately you could go there and you could say you have to be in person and in some cases you do but not in all cases so i think for any sector thinking about you know getting creative and starting to think about what parts do need to stay on-prem and what can we get creative about what have maybe we've really been resistant to in the past things like that you know telemedicine is you know what it works really well for a lot of different um you know different kinds of meetings and yet then sometimes you do have to go in and be in person too so that's what i would say about digital transformation it's just a little bit creative are there any sort of industry sectors that you think are being especially resistant right now that that need to sort of speed things up or or is it is it does it vary from place to place you know it it varies there was a lot of resistance initially and finance in some financial services companies but now there's a massive embrace the government because obviously for the sensitivity of a lot of the work but there now are you know government specific cloud clouds that are being built out so i think that all sectors are looking at it it's just um some sectors are it and it really does go sort of company to company like in healthcare some healthcare systems are really not looking at digital transformation and then other like i had talked about and they've got these really creative solutions like you know i you know an icu sock essentially yeah so um i want to move a little bit to some of your other uh activities here as well um you're you're a board member of women in cyber security and that's one of our our things we like to talk about here on on cyber work is bringing more more women and more diverse candidates into the industry do you have any tips you would give to women entering the world of security right now and also for companies who are trying to recruit more women and minority and and differently abled professionals what what advice would you give them to not only prioritize hiring diversely but to make themselves desirable to the professionals they're trying to recruit yeah so the the first advice i'd give to men and women which is figure out what you love about cyber and then build skill set this is a really broad uh profession right now and a lot of people i that want to get into it that's my first question to anybody is why do you want to do it um so figure that out first uh but then as far as like you know how how we get more women what companies can do you know research indicates that women often feel less capable and technical roles than men and you know i would say to all the women out there you are capable you are technical don't get in your own head uh are there gonna be jerks out there yes absolutely i've i've encountered some doozies in my career but you know don't let them take your power so don't question your capabilities stay centered in what you know and for the company number one check your job requisitions i mean the way that job wrecks are written it can be like really crazy there's research out of the hewlett packard at hewlett packard that said that men will apply for a job when they hit about the 60 mark of qualification and women wait until they're at 90 or 100 and if you look at a lot of these job wrecks they're basically kitchen sinks yes you know like the the the hiring manager in in and and hr uh came up with these requisitions sometimes i read job requirements i'm like who has this experience you feel like i'm not qualified for this and this is a mid-level thing yeah right right yeah or they you know crazy stuff you know they want 10 years of experience but they're paying you know entry-level kind of yeah so really or 10 years of experience on something that's only been around five years or you know and i've talked to hiring managers and said outright i know you don't need all these skills why are you putting down they're like well we want to get somebody well-rounded so we figure if we ask for more so they're going from that mindset of you know people are going to apply at the 60 point so they put 100 and they figure well we'll get a good you know um but instead really write that job wreck with what you need that person to have and you know really scope it down to what they absolutely have to have and think about also things like pronouns in the job requirement and you know the job wreck itself if it says he has to that's gonna some people are gonna read that and think oh maybe that's not going to apply to me so be really careful about how you how you you write them and then expand that circle of recruitment i mean i it's did you really post that job where you know diverse people may be looking at least this is a great example women in cyber security go to recep's job posting looking for jobs so if you're not finding a more diverse workforce think about where you've posted it and have you reached out outside of your your normal circle of contacts to additional people to try and just expand that circle of recruitment because most of the time when you're hearing oh there's absolutely nobody who's available that's a more diverse candidate they all look the same we've got a bunch of people that look exactly the lake and that's the only people we can find for this yeah it's very often i tried everything yeah i know it's like we tried and it's like did you really and when you really dig down it boils down to they just haven't expanded the search circle can you sort of on the other side of that can you speak to sort of hr hiring uh managers who you know like can you give them any tips on how to read a resume pile in in terms of looking for you know because i think sometimes you know people who have to screen candidates are already sort of overworked and so they see 40 candidates and they're like i don't know just you know which ones tick all the boxes but can you sort of give any tips to because you know we hear this all the time on the show people say like as long as you have the the interest or the obsession or you know we can teach you the text we just want to see the the you know the the thought process behind you but like how do you convey that in a resume and how does a hiring manager know to sort of look for that you know because that there's there's still a disconnect in terms of like what people on the ground in security are telling us that they want from candidates versus uh how you actually get that type of person through the the resume firewall well you know you actually said one of the most important things which is like hr reading the the resume because unfortunately one of the biggest problems right now is the automation and things like the ats systems that are looking for you need 10 keywords and you may say well as long as i get you know nine of these 10 then this resume gets through if i if i only have seven of these 10 the resume doesn't get through so you've got a candidate that may have to rewrite their resume for every single job they apply for just to get through that keyword match so that and very few candidates have time to rewrite their resumes and i've heard heartbreaking stories of candidates who have tried submitting hundreds of resumes and never even get because it's like it's like the ghost of christmas future you know it's like they there there's no words back sometimes you don't even get acknowledgement that the resume disappears yeah it evaporates so i would say first look at what you're kicking out automatically from your system because if you're just doing this hard keyword search you're probably missing a lot of people and then translate that to the human being because that whole and it's true almost everybody i know in in cyber that's a good good manager we do we believe i can teach you that part of the tech right but if you're just doing a keyword search then they may not have it and if hr hasn't been if they're not in tune with how you want to hire and they're going to do the human version of just the keyword search again you're going to lose those so work with hr and say i'm not necessarily looking for somebody who knows who's got you know all these cert this this this exact cloud certification i'm looking for somebody who maybe has worked with the cloud in the past because if you say somethi g like i want you to be aws certified and they've got azure certification you've got a cloud expert there and they can pick up aws but if you're they're going to get kicked out on that keyword either by a human or by a system you're going to miss out on some so i would say yeah work more closely with with hr and help hr understand how to find candidates even if you're not always getting that exact match and keywords now i want to move to another uh very interesting program i'm looking forward to uh checking this out it's called the security balancing act it's a web series is that right yeah it is it's a monthly series so in the description of the show it says as we realize uh the transformative power of the cloud ai and machine learning has our culture of responsibility and ethics kept pace how do we harness our new technological capabilities to the understanding of how to use them well and that's a that's fascinating to me i don't i don't feel like i always uh get to talk with with guests about this kind of thing can we speak a bit about the ethics and responsibility of these new technologies like what are some of the issues that are being blown past at the moment by organizations in a rush to implement new time saving tech yeah so this is such a big topic but you know i was thinking i know i i i hate that we're we're kicking into it this late in the show but can we do a little quickie version yeah we can let me let me to to do that let me focus on one area specifically let's take a look at ml and ai and i am a huge fan of of machine learning and artificial intelligence and what it can bring technologically but there are some serious ethical concerns that we have to think about you know it's partly because when we use a system we very often believe it so i get that a lot of us may see our netflix recommendations and not always go oh i know i have to watch that movie but if you get if you put in numbers in a calculator whatever that calculator tells you is the number you probably believe that you're not going to go i'm just going to double check that and do that long division by hand right you're like oh i believe that so now when we think about ai and ml and how it's being used um that that blanket belief could be a risk ethically you know if you think about machine learning that's you know being used for sentencing in the courts for example and you know it comes out and it says this this offender is 80 likely to reoffend well the judge is going to then say okay 80 that's what the tool told me and they're going to base their decision on that but if that what if that tool had biased data going in what if the data about re-offense was biased towards this particular class right that would be a problem ethically so we need to think about the data we're using to train and another example is um a racist faucet right you would never think that was a water faucet gonna be racist but there are actually some smart faucets that were designed uh for the people that were doing the design they did testing with people who had very light skin and so when you put your hand under the sensor you had very light skin it it um reacted but they never tested people with very dark skin under the same sensor so the people with very dark skin were not able to turn because it hadn't been tested that way not able to turn the faucet on so there there's an ethical problem and we've ended up with a racist water faucet uh so we have to be really really careful and these are just a couple of examples but we need to need to think about how we're tuning and training these systems ensuring that they're going to work for everybody that needs them to work because that is it's an ethical failure if we don't we also have to think about the threat models related to the failure modes of machine learning okay both intentional and unintentional in order to make sure that they're going to be safe for use and you know autonomous vehicles for example uh you know they're designed to understand if there's a little if there's a red octagon this is a stop sign but an intentional failure mode could be if somebody you know spray painted over the stop stein an unintentional failure would would be you know enough snow has gathered on that stop sign that now that that vehicle is not able to recognize it as a stop sign and we know how risky that can be right because now that the vehicle could potentially blow to the stop sign that could be loss of life at its highest impact there's also intentional attacker modes on ml you know things like a security detection system that has been trained over time to classify malicious behavior as normal or not malicious or looking at the leakage from the output of the system and understanding how the classification process works and then tricking this detection system into believing that malicious software is benign so there are a lot of different angles to look at that at the the ethical use of machine learning and ai as there are across security but you know at the all of these if we get back and we think about threat modeling building security in building privacy and building ethics in then we can we can address them but you know we we tend to in tech you know we i do it too we get so excited about the possibilities we don't always step back and think about okay so yeah definitely everybody go out and check out the uh the security balancing act so you you do you invite different so do you sort of invite like point counterpoint or people who have been working on this is this analyst syndicate people who do this or who are the guests on this uh this monthly show so the guests are sourced mostly by um the the program manager for the break talk series maria and then i i coordinate with her and we and sometimes i'll bring in guests that i know if i feel we need to balance out the um the viewpoint so we don't go for like a point counterpoint and it's not like i'm not trying to get like a you know a jane curtain and dan aykroyd thing going on there's my age again i was right there with you yeah yeah so we're not we're not going through that but we do want people with different backgrounds and viewpoints so that we can have a lively conversation rather than just a you know oh there's only one way to it's not a dissemination of information there's a discussion yeah absolutely yeah so as we wrap up today um you know you've you've done so many things in so many parts of the industry what recommendations would you have for people who might want to get into cyber security but feel stuck in a current job or might be unemployed and feel that their lack of tech background earlier in life may have doomed them to never catch up are there things that people can do you know tonight that would put them on the right path yeah the most important thing is don't get discouraged i actually know people that re-skilled in their 50s yeah and have stock analyst jobs now so you're no you're not too old don't worry about your being too old you can go back and and you can you can rescale but what can you do tonight most important thing ask yourself why you want to be in cyber security what is it that's drawing you to it is it because you've heard that there's like no unemployment in cyber security okay that's that's a little as we were talking about right there's not it's not 100 that you know everybody who wants a job gets a job but there are some jobs that are hiring more frequently entry-level um stock analysts and hunters for example are you know a big that's an area if you want to go be a cso there are fewer jobs for cesos right off the bat also you're going to need to build up your experience but ask yourself what it is you want to do um if it's the money and you know what chris a lot of people come to me and say i want to be in cyber and i say why and they say because it makes a lot of money and i'm like okay that is not i can't that's not for me to judge about but what i can say is that some jobs make more than other jobs and security and some sectors you're going to earn more money so be honest with yourself is it the thrill of hunting and stopping the bad guys just be honest with yourself about what it is that you want to accomplish and then start looking at the jobs that are out there and the people that are doing it what their backgrounds were and what certifications they have because that's going to help you to start to get a feel for how you're going to be able to advance um if you find people that are doing exactly what you want to do don't be afraid to reach out to them on linkedin and say hey do you have a few minutes to spend with me and not everybody has time you know like so i i you know don't if you reach out to one person and they don't have time hey you know this is just but reach out to a few people and you may get you may hit somebody at exactly the right time and they are able to speak with you about it or ask people that you know that are in the field if they can spend a little bit more time about so you can get a feel for um sort of the day in the life uh do look into the certifications and training if for example you you're just interested in cyber security in general you don't know which aspect you like best you know look at something like the comptia you know security plus and go get certified for that if you really love applications and web and you want to do testing for example on that then you go to read the os app testing guide you know try the oauth zap tool for example but it's got if you want to prosecute the cyber criminals you probably need to go to law school which i mean like that forensics yeah yeah and that's a job so but yeah so think about think about what it is you want to do and then you can start building more of an attack path on how to get there okay well diana this has been so much fun i could talk to you for hours and thank you very much for for indulging me all of my uh uh my questions here but usually at this point in the program i ask the guests to talk about what their what project their company is working on that they're most excited about but with you there's either it could be any of six or seven or eight different things so i'll ask this way what's next for diana kelly what are you excited about working on in the coming years yeah so to continue my my volunteer work i'm really excited to see some of this you know how we sis is growing and engaging more women in cyber security to work at sightline you know with the assessment tool to help non-profits be more resilient so i'm really excited to see how that's my cyber why we've got an intern and she's now got another media intern so watching these these watching the community grow is really i'm very excited to be a a part of that um and technically it's really about the the next generation of what we can do with ml and ai you know i've seen in my career data stack and stack and stuff all we're so good at creating systems and devices that create more and more data and now we've got this huge rich amount of data we couldn't get through it all and aha machine learning what does it need data is fuel for machine learning you know to reason over and to get better so i'm just very excited to see what we're going to come up with as we've created all this data how we're going to use ml to get smarter about how we use it and benefit from that data all right one last question this is for all the marbles if our listeners want to learn more about diana kelly the analyst syndicate or any of your other places where can they go online well stanson the analyst syndicate is stanson t-h-a-n-s is a great starting point and then i'm also i'm on linkedin i do try and respond to everybody that reaches out to me i apologize i get i do get overwhelmed and i can't speak with everybody but i do try and connect as much as possible and also you can find their information about my cyber y your everyday cyber security balancing act and your everyday cyber and my cyber wire very much community focus so we'd love to get engagement from the community about you know what what you'd like us to address on on your everyday cyber who would be a great person to interview for my cyber why great diana thank you so much for your time and insights today this was a blast thank you chris and thank you all as always for listening and watching new episodes of the cyberwork podcast are available every monday at 1pm central both on video at our youtube page and on audio wherever find podcasts are downloaded and don't forget our to check out our hands-on training series called cyberwork applied tune in as expert infosec instructors teach you a new cyber security skill each week and show you how that skill applies to real world scenarios just go to infosec institute dot com slash learn to stay up to date on all things cyberwork thank you once again to diana kelly and thank you all as always for watching and listening we'll speak to you next week