
CISO Leadership Panel

BSides Albuquerque | 46:39 | 5 views | Published 2025-08

All right, we are going to get started here with our leadership panel. >> Hopefully everyone had a good lunch. Was it a good lunch? >> Pretty good. >> Yes. All right. I'm so hungry. I haven't had time to eat yet. So have to live through you. All right, looks like we're all set up here. We're good to go. All right, on the dot. Look at this. Oh, where's Philip Py? >> I'll go find him. I'm going to hand this microphone over to Dell. He's going to be our moderator. I just want to say again, thank you to everyone of you who are here today, the audience and our panel. So, please give yourselves the loudest round of applause you can

because I want people in the hallway to hear you. Excellent. Excellent. Excellent. All right. So, today we have representation from our own water utility authority here in Albuquerque, Bernalillo County. We have Sarah from CISA. We have Ryan from the FBI. We have Anthony from the city. Couple, you know, former former colleagues there until the recent uh disconnection between the utility and the city government. And then we have Demetrius with the state. So, thank you all for being here today. I'm going to hand it over to you, Dell. Take it away. >> Awesome.

>> Test test check. All right. Can everybody hear me? >> All right. Awesome. Well, welcome uh welcome to the CISO panel uh CISO in leadership, cyber leadership. And I want to uh again reiterate and thank everyone on this panel for saying yes uh to being on the panel. I know it's not always fun at times to to do public speaking, but uh as a leader uh that's one of the things that you have to do. uh you have to you know put yourself out there and uh you know make sure that you communicate and get your point across. One of the important things about this panel that I want everyone to understand and and to know uh kind of our goal and

what we want to get to uh our goal is to uh have you the audience understand what it takes to become a leader right and so we're not going to get into questions that go deep into you know um what's the the seven layers of the OSI model right um no we're going to get deeper into questions about uh traits of leadership We're going to get into questions about their thoughts on on AI and and we're going to get into their thoughts of how they became a leader and what um what are the the things that they look for in uh future leaders and how you can become a future leader if that's a path that

you want to take. So, with that being said, what I'd like to do is is I'd like to start off quickly and have each person introduce themselves and and just kind of say what they do at their organization. Uh oh. still. Sorry about that. >> Oh, no. You're good. >> Hey, if you're going to be late to anything, it's good to be late to your funeral, you know. Uh, so Philip has joined us. I'm going to start at the end with Cody. So, Cody, go ahead and state who you are, who you work for. Uh, and we're going to go right down the line.

>> Yeah, we don't we're not hearing you. So, are you is that button? >> Did that die? There it goes. >> Y'all hear me now? >> Okay. >> Uh, Cody Stinson, uh, chief information officer for the local water utility here. Um, just glad to be here. I've been in my position for almost 13 years now with utility as a CIO. It's been enlightening watching how security cyber security is influenced. some of our workes, right? They impact other groups more so than ever imagined. So fun, right? We have both enterprise and process area

the remote nature of our water distribution system. here. >> Yeah, thank you, Cody. You know, again, uh what Cody does is he he resides over the protection of our water system here in Albuquerque. So, it's it's a very important job and uh you know, um you know, we appreciate him for that. Next, Sarah. >> Good afternoon. I'm Sarah Gamble. I am a supervisory protective security adviser with CISA, which is the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security. Um I'm your resource here. I cover the state of New Mexico and oversee our work here in New Mexico and in Texas. Um, and I also have two colleagues, some of you may know them already. Uh, Andy

Bushbomb, he's our state cyber security coordinator. Uh, he's based in Santa Fe but but covers the state as well as well as uh, Felix Via who is based in El Paso but also supports the southern portion of the state. Uh, he's uh, one of our cyber security advisers. So for those of you uh, you likely would have worked with them mostly as to me, but uh happy to be here on their behalf since they can't uh join today and look forward to the conversation. Thank you. >> Awesome. Thank you, Sarah. Okay, next. Ryan. >> Hey, I'm Ryan Davis. I am a special agent with the FBI working cyber cases. I've been doing that for three years

now. >> Awesome. Thanks, Ryan. >> Yeah. >> Hi, uh Anthony Balon, information security officer for the city of Albuquerque. Um we support about uh 6,000 employees plus contractors and temp workers um across just about uh almost 30 departments that sometimes act like 30 different companies. So, it's uh it's a lot to uh support and it's definitely uh challenging and rewarding at the same time. >> Yeah, I know all about that. And again, you know, not only just 6,000 employees, but also, you know, the half over half a million uh Albuquerque uh uh citizens, you know, any of your information that that's submitted to the city, he also protects that. >> Yeah, I was surprised by the stat that

Albuquerque is actually the 33rd largest city in the country. So, >> that's crazy, right? Uh I'd rather be on that list than on some of the other lists. >> Amen. >> All right. Next we have Demetrius. >> My name is Demetrius Brandon. I am the chief information security officer for the health care authority. At the healthcare authority, we provide uh services in healthcare, income support, and other services to the citizens of New Mexico. And that entails a lot of federal and state uh health and other personal identifiable information. And so my job is to oversee the protection of that data. >> Awesome. and we thank you for that. So appreciate it. And last certainly not

least Philip. >> Yeah. So I'm Philip Wy. I'm the uh evangelist, the I extended IoT security evangelist at Plas for cyber security. We're a solution that uh protects IoT and OT environments. My background is offensive security. So I I've been in cyber security for over 21 years. Most of my career has been spent on the offensive security side. And I leverage that uh threat actor mindset to assess companies and look for for risks. All right. Awesome. All right. So, let's go ahead and get started. Let's go ahead and jump right into the questions. And like I said, we're not going to get super technical here. What we're going to jump into is is we're going to get to

the uh emotion uh uh of being a leader. We're going to get into uh talking about how they personally ground themselves. So, let's let's go into to my first question. to the panel. And my first question is is during uh during times of crisis, how do you ground yourself? How do you uh keep yourself calm? And how do you uh address a very stressful situation uh whenever that comes up? And you don't have to disclose the situation. I know there's sensitivity around that, but how do you ground yourself? And it doesn't have to be work things. How do you do that? Let's let's let's start with Demetrius. Let's go. I think that what I first do is assess

the situation, right? Is it as serious as someone has said that it actually is? And then based on that, then you design your uh avenue to approach it. Uh hopefully you have systems and strategies already in place in the way of business continuity, disaster recovery, etc. And then you execute on those plans. >> Awesome. That's great. All right. Anybody want to expand or jump in on that. I will stop pointing. >> Let's go to uh let's go to Sarah. >> Well, nice. I think um you know, one of the things from my standpoint that's really beneficial is first prior to an incident really investing in the partnerships both within your team and across your organization as well as

external to the organization. If you you know I often think of it in the context of sort of train like you play, right? You need to know who who's on your team and what assets and resources they have. You have to have good lines of dialogue and communication. You need to understand what uh capacity you have across the entire organization to leverage depending on the circumstances. And then know who your partners are external to the agency that you can lean on if you find yourself in a situation that might exceed your capacity. Because if you have all of that foundational knowledge and you have good lines of communication, you're you're not in the moment of scrambling to figure out who

the right client contact is or who has the right expertise or who has the right resource if it's not within your own organization. You already have that knowledge in place and a support network to kind of lean on. So I would just uh offer that as kind of a foundational principle. >> Awesome. All right. This next question I'm going to direct to Cody. Okay. So when you're sitting down with the and you have uh uh situations that you need to talk to about uh cyber security and whether you're sitting down with uh you know Mark and some of the other people that are on your team you know how what what are the conversations like

uh within that group you know uh give give the audience a sense of you know how do you guys approach it are you guys loose and free are you guys very regimented you know how do you approach these these cyber situations that can typically pop up and it's kind of a play on on the previous I would say it's more regimented, right? I mean, given the nature of cyber security today, we have, you know, playbooks, tabletop exercises so that when events occur, we kind of script it out. That's what it's going to be. Um, in terms of communication with upper management, it's always for me, it's like you can't prevent everything. So, it's not it's not a win. And how

prepared are you to to deal with that, right? from a just a a response standpoint, but making sure you have disaster recovery of that nature in place so that you are compromised, you have the ability to stand up your priority workloads in another environment with as little down as possible, right? >> Awesome. All right, I'm going to give you the same question. So, basically, when you're around leadership and you're coming across situation, whether it be with clients or whatever the case, how do you what are the conversations like? >> Sure. I think one of one of the things you need to make sure you're doing too is is really be organized with it because if you you're not keeping good

notes and you're not staying organized, make it a lot less uh productive and cause a little more panic. And I think one of the things too is trying to keep the others calm. You know, you mentioned earlier how you kind of stay calm or whatever. You just really need to uh all that you're engaging with keep them calm because when people kind of get upset and emotions get involved, things get overlooked. I think we need to to look at the the basic type of things too because sometimes some incidents are not as complex as we think. You see some of these breaches in the news and you think it's some elaborate hack and it was

something like an S3 bucket wasn't secured well or an open share. just kind of uh the basics. I think that's really the key to everything is to start with the basics and don't overcomplicate it and just kind of gradually get into it as you investigate the situation advance the complexity from your >> Awesome. All right. I I would just wanted to add um that um you definitely want to um have some kind of risk. Um how are you going to frame that risk to your upper management who may not be technical and how to keep the language and the the terminology in a simple simple uh language that uh these higher executives can easily

digest and uh without in um without um inserting fear and uncertainty. I think you have to as a leader you have to fall back to what is it that we actually know and have proof of and then being able to describe you know what are the potential consequences of what you know to be true today um that is um probably a practice that we're all you know always sharpening our skills and um it's just it's a never learning I don't think anybody masters it's there's always some improvement on every single um security situation or event that comes up um that you you you're basically um um employing these principles. So >> awesome. And speaking of fear, Ryan with

the FBI and the reason why I laugh is as Ryan knows me very well. When I worked for the city of Albuquerque, I had situations that uh did involve fear where they came in and they had to talk to me about certain situations. So Ryan, as you know, I know I've asked this through uh different questions, but you're in a a little bit different situation because you're coming in because you have information that something could be happening and you also uh know that you could also be invoking that fear, which is something that I had whenever you came through the door. But uh uh how how do you kind of temper that? How do you uh you know

approach uh an organization that might be having a problem or you have an issue that they're unaware of. How do you go about doing that? >> Well, I I think it depends on the circumstances and the level of severity, but usually I just try to reach out to the most technically skilled person first because if you just start talking to a manager about, you know, just having to hear from the FBI in general and talking about a cyber security concern is just going to probably raise more alarm bells than what is actually needed. Um, so yeah, if I can start the conversation with a person who actually can uh just boots on the ground, works

cyber security, will understand the concepts that I'm talking about. Usually I can kind of just be a little bit more straightforward. It won't invoke as much of an alarmist response. Uh and then from there start to incorporate talking with management, whatever I need to do or if they want to do it themselves. But yeah, I think I think just kind of cutting to the chase with the person who actually will be able to solve the problems is my usual approach. providing that kind of potentially disturbing information. >> All right, so you practitioners out there, you hear that, right? Uh the FBI is going to go in and talk to the most technical person. So that just goes to

show that leadership is not the first person you really need to go to to solve the problems, right? And I'm being uh um uh so thank you Ryan for that. Um so next what I want to get into uh with a show of hands, how many people know what zero trust is? Raise your hand. All right. Awesome. How many people actually have implemented zero trust? Okay. Okay. It's also Yeah. Okay. Okay. All right. Awesome. So, my next question to the panel uh is about zero trust and it's about implementation of zero trust and and again like I said it's not going to get super technical. Basically, my question is around uh you know the principles of zero trust. You know,

understanding how are you going to implement it within your organization? Have you and you know, have you implemented parts of it? Is it a part of your road map? You know, just kind of get into some of the the things with with that. I'm just going to go right down the line here. The filter um a lot of solutions can make your life easier when trying to implement something like zero trust. There's a product out there ThreatLocker and one of the things it does is it takes processes and applications that should be trusted and blocks by by default you have to allow things. So while you're going in and doing the the setup of zero trust doing

network segmentation and putting all in place a solution like this you can put in place that kind of gives you a lot of impact early on and it kind of even goes beyond the uh just applying zero trust in general because one of the things threat actors leverage is living off the land binaries. has as security evolved and got better, these endpoint protection systems are making more difficult to get a foothold and threat actors are having to leverage things like living off the land binaries and actual authorized tools on those systems to exploit those systems. So these are things you have to watch there. I mean a recent Black Hills, it's actually probably years old now. They

kind of mentioned in Black Hills Information Security mentioned how a lot of attacks are coming from other systems outside of just uh the endpoints. And another example is the Akira ransomware. They could get a foothold in the environment because endpoints were too too secure. They exploited a webcam I think that like default credentials did a SMB share to the internal network and then spread the ransomware that way. So I think when you look at zero trust in your environment in general, we need to look at everything. Some of the things you may think that are not a risk like your IoT, OT devices, even video cameras because cameras outside get a foothold environment. Cameras can expose

sensitive data and uh private information to threat actors. Threat actors get information from that. So, we need to look at a holistic approach to make sure we're securing everything. >> Well, yeah. And you mentioned, you know, devices, you know, things that we, you know, typically will put on our network and and not think twice about, right? We and we trust, right? So that that that coffee pot that can automatically start brewing at a specific time, but it needs to be connected to the internet. We'll just plug it in and say, "Okay, that's that's perfect. I don't have to worry about it." And, you know, with zero trust principles, you would not trust that device at all, you know, and it

would have to be authenticated or whatever the case every single time. So, no, that's that's great. Thank you for that. features. >> I think that we've implemented zero trust across this network in most instances, right? The initial authentication and as you move from system to system and even periodic reauthentication, right? But the interconnected systems are a challenge particularly with APIs um interconnecting with your system. So we need to enhance our zero trust um strategy to account for interconnected systems. >> Awesome. All right. And Anthony, >> yeah, I'm going to focus more so on some of the challenges that we have on the topic >> because I I you know because that's the thing I I've been there. I I know that

there's challenges implementing I mean in in the beginning and I still think it's the case. It's it's understanding what zero trust is. It's it can mean something different to each different organization. Right. So, and you don't want to hinder productivity, right? >> Exactly. So, like I said, we're close to uh 30 city departments that basically behave like your own businesses. Um sometimes it it uh well, I'll say most of the time it's a challenge. um you know where do you insert IT approval or any kind of security approval process in their purchasing process without hindering um you know a lot of the times u we won't even be notified until it's already bought and you're reading about

it on the news and you know in your head well that is still going through a security review. So um you're having to deal with um um some some different cycles um dealing with these um organizations. So, it's not um I would say that there's definitely a challenge. So, we don't always know what's being plugged into the network. Um so, that's um presents itself into problems that um often surface down the line and it's usually when there's a problem with a device or a device is suddenly doing something that other devices are are complaining about. So, then that's when we find out about it because because we don't necessarily have a good inventory of what's on the network or department

XYZ didn't say hey we're going to be hooking up this whole infrastructure here to do whatever um you know the IT security team doesn't know and we we're basically investigating at ground zero and u first you know little simple things that we all take for granted such as identifying which device it is and and where is it at can 10 times the amount of effort than it should. So um it's very very challenging at least in our environment. Um there's things that you know we we're doing to um address it more more so on the policy side, but with city policy it's a longer process to actually get these things approved and processed. We we definitely have a

robust approval cycle um at the city and um so that's what we're looking to kind of uh address them from a policy side. Um and then you also have your um your audits. Um sometimes uh I know you know Dell and I we came up from the accounting um structure. So you know it's ingrained with us that you know oh auditors you know be scared. Um auditing was auditors weren't a good thing when you're in finance um arenas but here in security I think of the things that was interesting to learn was a complete shift in that philosophy that the auditors can be your friends um to help accelerate some of these policies that you need. Um maybe you've been talking

to you know this department about whatever and um you haven't been successful in getting any kind of movement. All of a sudden if it's an audit finding now you got some wind in your sails and you could have some of that momentum to get you going and cross the line and actually accomplish some things that you're looking to do. So I would say that was coming from an accounting background, you know, that switch into the um into auditors and looking at them differently and even to the to the extent that you can um even point them in certain directions where you're having some issues with whatever it is, you know, leverage those um audits that your your organization is

already doing or performing assuming that it's third party and they can definitely you know help move any of your policies um forward that you're you might might have been stuck getting out of the gate for various reasons. >> Yeah. No, I I think that's great. And you know, I always, you know, as Anthony says, I always leverage audits to to help me also buy products too, right? Products that you know that's going to help your organization. It's not just for leaders, it's also for practitioners. you know, if if you're running up against something and you're like, "Hey, that's a part of our audit and a part of our GRC and we we need to uh implement this product, you can

leverage that." Uh, you know, so Anthony, thank you for that. I'm going to shift gears here with Ryan. Uh, we're going to talk about the the the public private partnership, right? And and so that's where my question is going to uh uh you know, kind of revolve around. I want to understand, you know, what is a successful uh, you know, public private partnership look like to you in your eyes, you know, being, you know, with the FBI and in working with the different private organizations or public organizations, but that partnership that that what you guys bring. Can you explain? >> Sure. Yeah. So, um, the FBI in the past decade or so has gotten a lot better at

being able to share information with private sector. And so, that does start to open up kind of a a two-way street to where traditionally you might expect the FBI just hoovering up all of the information but guarding it closely because it it is difficult for us to release information when we have open investigations. Uh, but other cyber security laws have have passed that make it much easier for us to share information. Uh, and that just makes it a lot easier for us to begin to develop relationships with, uh, with you guys here, with community partners, uh, to where not only can we tackle cyber security threats together, but it's also not just a one-way street, and it just

feels awkward anyways. So, I'm I'm always happy to be able to share any information that I can. Uh, I I enjoy being able to come out to this kind of stuff, the chili se, which has been mentioned multiple times, and just being a part of the groups uh, where uh, we can collaborate and again, you know, I first and foremost, I'm a law enforcement officer. I am not an extremely skilled technical wizard by any means. So, I do rely on the experts here in this room in order to conduct cyber investigations. So, I don't want it to be a street. Um, so because these are global threats and cyber actors that are far more sophisticated than I'll

ever be, I rely on you guys. So like I said, uh just by being able to share information, develop relationships outside uh through groups like Chile, uh just helps that free flow of information and that collaborative effort in tackling these big threats. >> Awesome. Same question for Sarah. >> Yeah, thanks. Um so I you know I mentioned initially the importance of partnership as a as an organizational leader, but that really applies across the board. Uh um when we're think about broader risk issues within CISA. Specifically, our role at the federal level is to serve as the nation's risk manager and coordinator for infrastructure security and resilience. But the reality is that right, majority of infrastructure is

privately owned and operated. It's not something that we can manage, control, direct, right? So it requires partnership in order for us to collaboratively understand what the current and potential future threat landscape looks like and partner on how to mitigate that threat collectively. There are a lot of different ways to do that. But you know if you think about it very locally I'm not in everybody's backyard. I don't want to be in everybody's backyard just to be clear. But there are a lot of things that you may see as a one-off or a blip or something. In reality, that's an indicator of a potential threat actor that's maybe testing waters or maybe initiating something that is going to

spread into something much larger. And having an open line of communication with CISA, with the FBI, with the state fusion center, with your local partners is really critical not only to addressing what your immediate needs are related to that incident, but trying to get ahead of any potential further cascade of that particular impact or hasn't actually executed an attack. We can identify those indicators, share that information more broadly with other infrastructure partners within the the appropriate sectors and then everyone can take the necessary actions to mitigate the exposure they might have to that threat so they don't become a victim. So, um really being able to know who's uh who are your partners that you

can share information with, what resources you have to leverage through those partnerships um so that you can be better educated and then um you know collectively working together to raise the level of security across the board for our infrastructure. >> Awesome. All right, next question. And uh before we do that, I want to take a survey. uh Mark Leech earlier uh the uh CIO for the city of Albuquerque uh talked about AI and so my next question obviously is going to be about AI. Uh first question very easy. How many of you show of hands? How many of you use AI in your day-to-day lives? Okay, that's good. That's really good. How many use it in their professional

lives? And be honest. Okay. All right. Awesome. All right. So, obviously, you know, the reason why I asked those two questions is because in your personal life, yes, there are personal things that you can put within those models. And then in your private uh in your professional life, there are certain things that you can put in those models. And I know what the panel is is is is afraid of is um putting data and information in there that is critical u mission critical to the organization and and just being mindful of that and understanding that all it takes is the right prompt engineering to pull that information out uh uh for somebody that's savvy enough on the other end.

They can do that without even having to go into your organization. So with that, my question again, it's not going to get super technical. My question is is what keeps you up at night with AI or what do you love about AI as far as uh using it within your organization or using it personally? So, let's start on the end with Cody. Do first of all, do you use AI? Because I I know you >> I've dabbled with it. >> You dabbled. >> Yeah. Okay. I would say the Skynet proposition is what keeps me at night. >> Yeah. Taking over. >> Yeah. Skynet. It's really more for my biggest concern is data security. We have data sets that

need to be secure. So, making sure that you know consult is is so we're taking baby steps with that right it's notable adoption across the authority using AI small use cases we are we've chosen to kind of kind of l back a little bit and see kind the tool so that's great that's great Sarah >> yeah I think you know As was indicated by everybody's response, AI is just this awesome capability, right? It can help make our lives so much more efficient um and streamlining business processes. But the technologies rapidly evolving and the adoption rates are are so high that it's really easy to fall behind the curve on security. I think and from our

standpoint is a you know, you need to really ensure that you're integrating security considerations from the very thinking about integrating or adopting AI, whether it's purchasing a capability or using an app or whatever, or if you're building your own, making sure that you're integrating security principles into everything from the very beginning of the development phase all the way through the life cycle of utilization of those AI solutions because it's really easy otherwise to kind of lose sight of that and find that the technology has moved much faster than the security protections that you have in place. Awesome. Ryan, I know you guys aren't allowed to use this. >> Yeah, I think I'd get into some trouble

if I put some entered some classified information into the Yeah. Um, so I rely on people like all of you to tell me whether or not I be need to be concerned about AI because, you know, you can ask 10 people and get 10 different opinions. But as far as AI right now, the biggest thing that that we're concerned about that we're monitoring closely is just that it is making fraudsters and uh you know bad actors just streamlines their workflow. They can be much more efficient whether it's uh you know jailbreaking some AI and being able to uh work on their code or if it's just making you know deepfakes. You know we we

come across a new cyber fraud uh swindle every day and they're just becoming more sophisticated, harder to detect and uh it's definitely a growing problem for us. >> Awesome. Thank you, Anthony. >> All right, so um a AI um I don't think we can make it to a conference these days without having an AI topic um being brought up. But uh personally, I'm very excited. Um I've looked at my in my background. I'm part of that old generation where we, you know, the internet came about, you know, and I remember making HTML pages with a text editor, you know, so I fall back to, you know, what kind of, you know, what have I seen that's been like this in my, you

know, lifetime? And I would have to say, um, you know, back in the early internet days and the dot, um, um, boom. Um, I would say that the only thing that's changed is things are going to accelerate a hundred or a thousand times faster than what we saw and experienced with the internet coming about. Um, so it can be very exciting. I personally subscribe to the um saying as above so below. As as it gets really exciting, there's also the other side of the, you know, the evil side if you will. um everything seems to you know apply a certain kind of a balance. So um as we see AI capable of doing great and

tremendous things just remember that you know on the other side of the fence it's also going to be turned uh against us um um in in in ways that we haven't even thought of yet. So um um what I'm looking forward to is you know people with small security teams or you know um at being asked to do more with less um is is using AI to manage all those points of um of indicators uh all the logs correlate data. It's tremendous. I I the last time I looked the city processes about one just over one petabyte of data through their switches each month. So that generates a lot of logs and a lot of endpoints and it's

impossible um to expect a security team to be looking at all these pieces of information. So it's more become a survival tool I think for us as we see some of our vendors um you know build in these AI capabilities into these existing tools. It's been a real um um um force multiplier if you will for some of the tools that we're we've had for years and it's great to see them getting better and improving. >> Awesome. Thank you Demetrius. >> I'm excited about uh artificial intelligence uh systems. The the benefit of course is as previously mentioned log analysis. We generally have a log ingestion rate. We purchase about 200 gig per day, right? But being able to analyze those

logs is impossible. But the thing that concerns me about uh the use of AI particularly by end users a lot of the federal systems require that those that the data not leave the continental United States. So when you're putting that data or if you put that data into a system, where is that analysis actually being done? So you have to make sure that it's on a FedRAMP Moderate um data center. Uh but you also have to uh be concerned about whether that information I'll give you an example. Uh a user reached out to me wanting to use an AI system for translation. Um, okay. I understand that it will do that, but where is it doing an analysis

of that? >> Exactly. Exactly. No, we definitely have to be careful of that building. >> Sure. Yeah. I've got two points that everyone's had some great uh observations and experiences that they shared. Couple things I think we got to really look at is you really people are going to use it. You shouldn't discourage them. This should be part of your security awareness program and just training in general teach people how to use it securely so that way it's a little lower risk and another thing that we need to think about too is companies are having pentest performing if your applications or systems that are have AI integrated we need to be testing those to testing those because some cases you

may have an AI chatbot on a web application or your website and that gets overlooked this is you know these are the new threat vector vectors that people threat looking for trying to trying trying to exploit analysis certain lesser known and more complicated misunderstood so they're not being secured as well we really need to focus on assessing those those different AI technologies. >> All right, awesome. All right, last question that I have for the group, and you know, a lot of you out here are practitioners, some of you are students, uh some of you are either looking to get into the the cyber security realm or get into uh um you know potentially becoming a leader, maybe one day uh having one of

these jobs here. Uh so my question to the panel, if you had one piece of advice that you would give uh to to to the audience here uh about becoming a leader being in your job, what would that advice be? So let's start with Phil. >> My advice is going to be a little more broader because and this goes across no matter what level you're at: networking. Get out and network with people. You can learn so much. There's lessons of things you can learn here outside of this this uh ballroom. You can talk to people one-on-one. Learn what they're doing. Just get out there and network and and don't wait for conferences because conferences aren't

as frequent as your local meetups, your eyes groups, your ISSA groups, OWASP, uh your Defcon groups, some of the different CISO organizations. Get out there and continually network. And as far as a leader goes, if you're looking practitioners. There's not a better way than going out into the network into these different conferences and events and meetups and meet people face to face. Those that I know that are in leadership that are looking for talent has a lot easier job, but they're not involved in the community. >> Awesome. Demetrius, >> my advice would be that you should understand if you're looking to go into the cyber security side that most cyber security jobs are not entry

level jobs. So you should become proficient in some area of IT, whether that's systems, networking, what have you, and then leverage that to choose which area of cyber security you would like to pivot into. >> Great advice, Anthony. >> I'll just add to what's already been said. I think having a mindset of being curious and always um progressing your skills and learning more. Um I think you'd have to have your head in the in the sand here to not be a not see all the opportunities that are afforded to you to to learn into that next position that you want to um your your your your mindset is you know that's my goal is to become XYZ.

um what is it that XYZ does. I think you can explore that right where you're at. Um I don't think there is a manager that would say you know no or not come up with some kind of a project um or or task that won't help you um further your your skills and understanding of that next step in your career. So um you know um networking um get getting plugged into different organizations um you know the people that you meet in this room are um you know a very connected in the state of New Mexico. Albuquerque itself is such a tight-knit uh security meeting. All you need to do is hit one of us and you have access to a whole

bunch of resources. um getting plugged into the Chile website. There is a lot of opportunity shared there, whether it be free training, um capture the flag events. One of our vendors um a couple months ago had a capture the flag event that was free, was hosted on Chile. Um it was hosted over at the um one of the uh facilities on the east side of the city, very accessible. Um so um having that uh curiosity and that that continuous learning um ethic um tools come and go. Um we can we can teach tools, we can teach skills um you know but that mindset, that work ethic, communication, you know uh people um um skills um are something that um

you know are are much harder to teach. >> Awesome. Thank you, Cody. If somebody wanted to be CIO of of water, what what what advice would you give them? >> And this is a man, aren't you retiring soon? >> After three bad days, that's that's the wheel credit. So, three consecutive bad days on the club. Haven't had one yet. So, there you go. Um, great question. Adam, I would say um, couple of points. I when I got into it, like I I enjoyed the technical aspect of it. So, as you progress into leadership, most likely you let go of technical responsibility, right? I would say if that's the route you choose, you really like the technical aspect of it,

leadership, may or may not be the path that you want to go, right? takes away the technical part of your job. So, second, I would say, you know, learning to be for me as being a servant leader in my situation, in most of our situations, we're never the expert in the situation. Everyone else is. So, just making sure your staff have the resources they do to to fulfill the organization. So, >> All right. Awesome. Yeah, and you're right. Uh, you know, again, we do let go of the technical uh side of it and but I will say that technical side of it plays in to some of the leadership decision decisions that you make within your

organization. And it's always good as a leader uh to be able to talk to your uh you know to your team and and being able to understand what they're saying. Well, that's all for today. I want to uh the panel here for uh not only just telling us about what cyber security is and and uh you know just telling us what leadership is but actually telling us about themselves and and and sharing uh you know a piece of themselves with us today. So let's give them a round of applause.

>> Thank you. Thank you very much.

All right. Thank you all very much. You are welcome to dis at this time. Um, real quick, Mark, if you're in the room, can you come and see over there? Thank you again panel. Can you give the panel a big round of applause here?