
2024 Security BSides // CISO Roundtable

BSides Cayman Islands | 1:02:42 | Published 2025-01

Thank you, thank you so much. Hello, I'm Carlota Sage. You may know me from previous years. I run a company called Pocket CISO, and I specifically serve small and mid-size businesses building cyber security and compliance programs. To my left, Mick Baccio, who you met earlier. Mick, I'm going to let each of you give like a two or three minute introduction to yourself. I'll give a little pre-intro to them. Mick is a friend of mine who has done some amazing work in the US federal government. Pam, of course, you all know; I don't know anyone who embodies Cayman in cyber security better than Pam.

And Adam, who is a former CISO of PayPal and has moved on to doing some other advisory work. So Mick, I'm going to let you kick off with your introduction, and then I'll start moving it down, and then I'll ask folks some questions. I feel like I just did this a couple of hours ago. So, Mick Baccio again. I started off in the military and kind of worked my way up through incident response and blue team and network defense, eventually coming into leadership roles. It was definitely a unique experience. Most of my work was in the federal government, so having been exposed to different organizations, the Pentagon, a bunch of work in the intelligence community,

ending up with the White House and then becoming a CISO for Pete Buttigieg. I felt really unique to have that position and have that experience. I think a lot of what we do in the field, when you get that CISO title, you want to try and take all the lessons you've learned throughout your career and apply that, and hopefully that's what I was able to do. And now I'm a global cyber security adviser for a company called Splunk, and I just travel around and talk to people about security and do security research. Amazing. So my name is Pamela Green. I'm the first CISO for the Cayman

Islands government, so that's never lost on me when I speak at conferences. And I know that I... so we had a really good foiling of an attack in February, but I know you're only as good as your last foil, so to speak. My background is 30-plus years in technology and telecommunications. I started off as a software developer, programmer they called it in those days, and I've pretty much done all of the roles along the system development life cycle, from systems analyst, business analyst, and I got into leadership, program management, program director, and fell into cyber security through auditing. I decided I wanted to go in the auditing route,

so I qualified as an auditor and spent a few years auditing and doing consultancy around cyber security before really saying, well, I'm going to make the plunge and really do it full-time in a cyber security CISO-type role. So yeah, I'm loving it. It's the best job in the world, and I'm delighted to be here today. Yeah, thank you for joining us. Adam? Hello everyone, Adam Arellano. My pronouns are he/they, which basically means I'm a bit too masculine for anybody else to think anything but he when they look at me, and I'm fine with that. I started my career in the Marine Corps as an

avionics tech, became a communications officer with a social work degree, which was extremely useful. Moved on to Salesforce, ran compliance in the federal government there, and then have spent time at a couple of startups, one that was AI-focused and another that was foster care and adoption-focused, which was a very appropriate place for me to land, and I was very passionate about the mission that we had there, helping kids who are in foster care. Most recently I was at PayPal as the vice president of the Enterprise Cyber Security department. Started there in July, and since then have been doing some consulting. Currently my time is spent with a company called Traceable, where we

are answering and improving API security across the board, and it's a product that I believe in, and I wouldn't put my name on it if I didn't. But I'm advising them as a technology adviser in the meantime. Great. And I got into cyber security after about 20 years in IT and support operations management for large companies like Netgear and Netflix, where I actually built out help centers. So if you've ever had a Netflix issue and went to help.netflix.com to solve it, you're welcome; that was my baby. I ended up at a small company called FireEye that was about 300 people. They grew to about 1,100 people in eight months. I was an enterprise

architect. It was very exciting. I did not get a lot of sleep, and then we went public, and then we purchased a little company called Mandiant, which eventually sold us all and got purchased by Google. So I kind of came into cyber security very differently, because I was in IT ops, and I was actually the platform manager for the content management system in the communities, and the marketing guy they hired for the communities was neither technical nor terribly interested in security, so I ran the communities for four years. So, you know, now that you have a little bit of background about folks up here, I'm going to ask the first question. I'm

going to... we're going to have kind of a conversation. If there are pressing questions, let's try maybe to hold them to the end unless they're really pertinent to what we're talking about. I'm going to hold you off for last on this one. I feel like we've gone through the AI hype cycle. We're starting to see what it does and what it doesn't do. We're starting to see where we can reasonably apply it. So my question to you is, Mick, how are you seeing your customers using AI to enable, or in other ways, in their organizations? I think in general across the industry we've seen the

implementation of AI into systems and applications. Whether there are use cases that are associated with those implementations, I'm not 100% convinced. I have seen... I guess I would put it like a U, right? Think of AI like a U, where on this side people don't really know what they're doing yet. They're very nascent in their AI journey and implementing those systems and adopting it. On the other end of that U, you have organizations who are so well-resourced and so well-heeled and so far ahead of the game that they're building their own LLMs instead of relying on third-party providers like your OpenAI, your DALL·Es, what have you. So I think

most folks kind of fall in the bottom. I think that the AI hype has definitely died down and the practical use cases are being implemented. One federal agency I was doing some work with, their big plan for AI implementation was just customer service, right? Not much to do with security at all. But when you log on to a website to pay your taxes in the US, you have little customer service chatbots, and those have gotten so much better in the past couple of years. You hear one-off things, like, oh look, I tricked it into getting me a cheap plane ticket. All right, cool. Stunt hacking will never go

away, but I think those practical implementations at a customer level are what's going to have the most impact immediately, and I think those are the organizations I've seen be successful. Pam, how about you? How are you using it, either to enable internally, or how are you trying to help educate externally, since you have a very dual-sided role in your protection? Yeah, so for the Cayman Islands government, our adoption of AI is pretty much organic. Like most organizations, it's bottom-up. It's been driven by ministries, departments and individuals who recognize a need for such tools, with AI capabilities built into that, and that's going quite well. I mean, I'd like to say that we're going

to take a strategic approach, a national strategic approach. I was reading before coming here today that Singapore is one of the leading countries and invested very many millions to take that approach, to force through the adoption of AI through their public sector and also to upskill their people. I mean, that's surely where most governments need to lean towards, but the organic way is also good, and we're seeing that, and we've got a light-touch governance over the way we handle that. So entities are not allowed to deploy an AI tool onto our government's network without it first being security assessed by the department that I'm part of, and I lead on actually. And so we do that

security assessment as part of the light touch. We give them guidance about policies and the types of data they should put in and not put in, and some of the risks, but we certainly don't stop them, because as one of the previous speakers said, you have to let people be those early adopters, you know, and use it and get the benefits from it. And in terms of cyber security, well, all of us who are in the cyber security field know that AI is absolutely critical. Long gone are the rule-based, signature-type systems. You actually need AI to mine through the data in the way that it does, and that it's good at, to really

give you high-fidelity alerts and alarms that you can investigate, so that you're ahead of the cyber attack, so you don't end up with an incident and you're actually dealing with it at an early stage, MITRE ATT&CK framework and so forth. So for us it's critical. Now, if we didn't go, as a cyber security department, to AI in the first instance, I think my team would have needed to be four times the size it currently is. When people see the size of the team I have, they say, really, is it just those few of you there? I don't know if any of my team are here actually. If they are, I'd like you to stand up, because I think that, you know,

we got some nice praise earlier on, and it's good for you. Anybody from my team? Wonderful. All right, thank you very much. Right, so I've got two people there. These are two people that came in through, let's call it, the intern route and are now fully fledged. Anybody else in the room from my team? No? Okay. But it's quite small, and as I say, without AI capabilities, which we implemented back in 2019, we would not be able to do what we're doing and to defend our government's network. Excellent, very excellent points. All right, Adam, I know you have a lot of insight around AI, especially in security enablement,

protection, etc. Go for it. Yeah, and understand that I am currently representing a company, Traceable, that does use artificial intelligence and machine learning to great effect, and as a previous customer of Traceable, we were leveraging those capabilities at a previous role, and it was doing some amazing things. In particular, we were able to more efficiently get at data that would show us where we were having bot attacks, where we were having fraud take place, and things like that. And so I'll say, to answer the question directly, there are a few companies that are not playing around with AI. There are few

companies who are doing it extremely well, to your point, right? What I would say to this audience in particular, those of you that are here, is to take a playbook out of my father-in-law's actions in the '70s. So this guy was, you know, a Filipino immigrant who came to the States with a degree in accounting. Of course he had to go back through the school system because the United States didn't accept that degree, but when he finally got a job at an accountancy firm, they brought in a new computer system, you know, like a typewriter with a TV on it basically,

and he went and spent his own money, bought an identical system, took it home and learned it backwards and forwards, not knowing exactly what was going to happen with that computer system at the time. Like, who would have thought that that would become the only way that you do accounting? But it did become that, and he became an indispensable part of that company because he got deep into it before anybody else and understood it as it grew. And so I don't think any of us really know exactly where artificial intelligence is going to take us, but we know that it's going to do something. You may as well get into it now and start understanding it so that you can

be in the vanguard of understanding what's happening. And if you think about, you know, what year was that, probably like '85, '86 that he bought the computer. Sorry, I'm looking at my wife and talking to her because she knows, since she's here, but it was a little bit later than that. But if you think about it, into the 2000s there were probably still accountants who had not learned how to use a computer to good effect as an accountant, and there's a 20-year gap there between somebody that had been doing it for 20 years and somebody that was just begrudgingly going for it. Don't be on the tail end of that. Like, be at the

front of it. And it doesn't matter what you're doing, who you are, at some point you're going to need to learn how to interact with artificial intelligence, especially large language models, so get on it now. And I have so much more to say, but I'll, you know, attempt... I really agree with Adam's point on learning the tools that become available. I think one of the biggest things that we've shifted as an industry is on-prem to cloud, right? And we all know someone that was like, oh, cloud's a phase, it's not going to stick around. And now people's environments, organizations, live off AWS. They function off AWS completely. So learning cloud architecture,

infrastructure, became critically important as an analyst, as a responder, and AI falls in that same boat. I don't see AI going away anytime soon. It's here. You can't close Pandora's box, so whatever happens happens, but know that that tool is going to be something that you have to learn how to use. Yeah, and just to add to that, it's even more important than that. There have been three industrial revolutions that we know of, so we've had railroads, we've had coal and gas and steel, and then we've had after that electronics, computers and telecommunication, and this is the next big thing, AI, and it

will make the difference between a nation being wealthy and a winner in this and a nation losing out if they lag behind in the adoption. So each and every one of us as an individual needs to do it for ourselves personally, as part of the organizations we are in, because AI will create value and it will create wealth. And I want to touch on something that Mick said about cloud services, right? 10, 15 years ago, cloud services were things that very big companies bought into, right? And now you can be a one-person company. You buy Google Workspace or Microsoft 365, you buy a domain, you get your business license, you

are in the same space that big companies, much bigger companies than you, are playing in. And, you know, 20, 30 years ago that company would have been 500, a thousand people before they could have gotten to that point. So, you know, I see AI very much the same way, in that it levels the playing field. I think over time we'll see more and more enablement for smaller companies. I think from the security standpoint, all of the pieces that the bigger companies are putting into AI will eventually trickle down and actually enable the smaller companies. That is my hope. We'll come back in 10 years and find out. Yeah, any

thoughts? Mick has a thought on that, I can tell already. I think it's the concept of fail faster. AI is the most tremendous force multiplier I have ever seen or used. Every security team that I have ever worked on, starting in the military, ending at the White House, Pentagon, everywhere in between, I have never been on a team where we've had enough people. We've never been fully staffed, and if you're in an organization where your security team is fully staffed, I think you need to be honest with yourself, and we could probably use some more bodies. So AI is that force multiplier. It just exponentially increases the amount of workload that can be

resolved. Now, the problem I see with organizations, at a level playing field, that equalizer is that your bad idea of a company will just fail faster now, and I do think that kind of levels things. You have the opportunities that are there, but, you know, if you look, what was it, .ai, the domain, made like a couple hundred million dollars last year? Like, that was the big winner at RSA, was the .ai domain. So companies, organizations, do have that ability to get on that big stage, but a lot, I don't think, are quite ready yet. So you're saying that my idea for a jump to conclusions using AI is probably going

to fail faster? Okay, well, now I know. I don't think it's a bad thing, that fail faster, personally. No, I think it's a good thing, but I think we'll see a lot of that. Yeah, I think we will. I think we're already seeing a lot of that. I'm already seeing a lot of even security startups that were in the AI space, they're already getting acquired or they're realizing they're going to have to shut down because they can't deliver on what they promised. Earlier today Adam Pennington was going through the MITRE ATT&CK framework and kind of explaining how you can mature into that, and one of the important things that he touched on was the fact that, you

know, getting to red team and having your own red team is kind of a tall order, but that doesn't mean you can't start elsewhere, like further up in the attack chain, and defending your company. And I think that's another wonderful use case for being able to just do the things that are possible now, regardless of the size of your team or your company. Get the small things done first, and then you can move up and get more and more over time. But not being able to have a red team that uses AI to defend is not a reason to not use as much as you can in advance.

It's a great point. Okay, I feel like we've had some really good conversations around AI. I'm going to move on to the next topic. All right, diversity and inclusion. We saw the big ramp-up of DEI. We've seen, in the US at least, a huge defunding of DEI in the last year. When I think of diversity, and I want to set the context here very specifically, one of my mentors, Linton Wells, former CIO of the DoD, former Under Secretary of State in the US, I asked him once... he is a hardcore military DoD guy, but he also volunteers at a hacker con in Vegas every year

called DEF CON, pretty much since year two or three, for the last 30 years. And I asked him, Linton, why does a Navy DoD guy go to DEF CON? What do you get out of that, and why have you done it for the last 30 years? And, you know, Linton, very seriously, because he is an amazing human being, looks at me and he says, Carlota, I understood 30 years ago that I need diversity of thought to protect my country, and I cannot wait for that diversity to come to me. I have to go out and seek it, and I will always go out to seek it. So I think it's important

that we remember that the diversity we're really talking about is diversity of thought, and all other indicators, gender, sexuality, economic status, all of those simply are quick, easy indicators for us to see diversity of thought. Now, within that framing, Pam, I know you have done a tremendous amount of work in this area for Cayman, and I would really love for you to describe some of that to us. Yeah, I mean, from a cyber security perspective, who are we trying to defend against? We're trying to defend against cyber adversaries, hackers. We know they are from different countries, we know they come from different cultures, we know they're different ages, and so on and so

forth. They're diverse. That's who we're up against. That's what we have to pit our wits against. We may have to make sure that our teams that are tasked with defending our nation are also diverse in terms of the age, the background. I mean, experience is an interesting one actually; sometimes no experience is a good thing, but maybe just the passion and the aptitude and so forth. So I think that, you know, you have to go out, you have to seek out the right talent, you have to be open and flexible. People that are diverse want different working patterns, different working styles, different office environments, different personalities. You have to cater for all of that if you

really want to build the best teams that you can build. I think that's a fantastic point. Mick? I think DEI as a concept gets a bad rap, right? To your point, you want diversity of thought, you want diversity of experience. Well, you need to go out and seek that, because it's not going to come seek you, or you have to give it a chance when it does seek you out. And I think as an industry we kind of need to do better at that overall and realize that the most paper-qualified candidate might not be the best candidate. One of the best things that the team at Splunk SURGe... we made a hire a few

years ago. She was a former broadcast journalist, and she's like, I want to do cyber, and she did. And she didn't have the background in it, and she interviewed really well. We gave her the shot, and she has crushed it. She just left the team and took a role on a threat intelligence team internally. And her thought process that she brought to the team, the diversity of experience, diversity of thought that we're trying to round out our analytical ability with... if we all grew up the same way and we all had the same experiences, we're going to have the same answers. And I think we're seeing

more and more, to your point, where a global threat requires a global response, and seeking that diversity, I think, should be more of a point that we do. But the problem with it becomes, you can't mandate it. If you mandate it, I don't think it's going to be genuine. So I need to instill that mindset in the people, and I think it's going to take a long, long time to do that, the same way as cyber security awareness month... we've been beating the MFA drum for almost 15 years now, and one day we'll get there. And I think DEI falls in that same vein. Just keep doing it. It's frustrating, so frustrating sometimes, but you just can't stop. Yeah,

and I think the point you're making about the fact that there's been blowback on it and it's been frustrating, and that it's something that you have to keep trying, like it will get there, and it does, it gets better. And, you know, you try to think about other examples of that, but for my experience, especially career-wise, you know, joining the Marine Corps right after September 11th, the floodgates were open that anybody could join, and there was a lot of discussion about, you know, do we take every six-foot-tall white dude from Iowa that can lift 600 pounds and nobody else? And there was a lot of

discussion in there, like, is that the right thing to do? And really what the Marine Corps decided to do, and the military in general, was to make sure that we did have a diverse pool of candidates that came in, and my wife and I both are good examples of the fact that we're not the mold. Like, if you look at this, you don't think, oh, that was probably a Marine at some point. A couple of you might, but this is not what I looked like the whole time. But my diversity of thought, my diversity of experience, the fact that as a genderqueer person I could think around corners that other people couldn't, that

was helpful. And my wife, who, just because she's here and I'm getting brownie points, she knows she's a 4-foot-10-and-a-half, very cute little Filipina that, you know, grew up in Boston and Brockton in the mean streets. Like, she was able to corral generals, like you don't even understand. These very confused older men that were running, you know, the biggest military machine in the world would snap to attention and do what she says, because that's who she is, and you don't get that out of, you know, having a group full of alpha males that can't, you know, talk to each other. And so what I find is going to be most effective, and

what I found most effective in the organizations I've existed in, is talking about the business imperative of diversity. You are just not as... Pam, like you were saying, you said it beautifully: your adversary is anyone and everyone that can get at you, and you should have anyone and everyone and every type of person there to help you defend, to be most effective, most economically. So I personally, my problem that we have in security in particular is that we don't have enough people at the top who are diverse, and that is, yes, it's a promotion problem. It's a funnel problem, because we're not letting enough people in the door through diverse means to get into

the industry. So I spend most of my time at community colleges. I don't spend a lot of time at universities. Like, university people are great, they'll take care of themselves, they'll be fine. Community colleges are where you're going to find people that know how to move left and right and get over obstacles and work at Starbucks for four years while they go to college so they can just make it out of where their parents couldn't. And that's who we need. That's the kind of person that's going to be super effective. And that's incredibly insightful. I want to pick up on something that we've been saying, and maybe said earlier today, and

have folks here address it um we do talk a little bit sideways there's always a nod to culture and ethics right and Jules had some really fantastic insights about culture culture is really hard to define i define it as if you were in the room earlier I Define it as what we know plus what we share and how we share it and then how we hold each other accountable when we break the social contract that's my definition do you do any of you have I'll start with I'll pick on you Adam do you have a definition of culture or is there a framework that you look to when you're trying to build culture the Toyota production management

system if anybody's listened to me for the last six months I've been reading and rereading this book about uh it's called the machine that changed the world it's about the way that Toyota became name the PowerHouse of in the automotive industry and I won't shut up about it for some reason um but everybody mistakes what they were doing as very efficient manufacturing and and everybody that's tried to replicate it has has has gone to the technical details of what they were up to as the as the as the way they're going to copy Toyota and there are so many companies entire Frameworks like lean Six Sigma like I'm sorry if I'm offending anybody that loves lean

Six Sigma but it completely misses the point the Toyota production management system is a culture of respect for worker and customer and providing value to that customer and if that piece isn't in place nothing else you do can be successful there's no way in the world with the most skilled machinists technicians Etc that in 1985 Ford could consistently put a car out that was always going to run and always always be good because their culture was wrong the culture was to serve the Factory serve the line and conversely in 1985 you couldn't buy a Toyota Corolla that was a lemon because the culture was such that they every single time set the conditions for success and that culture

is what made it better and so I harp on this all the time because it's it's hard to think about culture in cyber security or insecurity being Central it helps to AB ract it to another place and think about ways you can Implement that but that's generally the way that I approach it how can I respect both my customer who's normally the company or the or the actual customer by providing them with security and how can I respect my people by providing them with the care and feeding the time for in Innovation and the respect of their time that I don't make them do a bunch of repetitive things and that's that's how I've always

approached that to varying success by the way not always great but I tried I love it though I really do Pam well for me um we could all read different textbooks and come up with all different definition but for me culture is something tangible you should feel the culture of a country an organization a family so you know it's a it's to do with values if you have a common and a shared set of values that breeds the culture if there's an organization with 4,000 people and the MD the CEO walks around and speaks the man at the top and a man at the bottom they should be saying the same thing every car that

comes off the production line is going to be 100% correct I mean the culture that I try to build with in my cyber security team is not on our watch right everybody knows what that means it's not going to happen no one's going to take us down we ain't going to let anybody hack into our systems and we build everything after that that means that we are fastidious about looking into alerts we're not waiting for an incident we're looking at it when it's a cyber security event yes right and we're making sure that we we're pouring over it we're making sure that it's not an early stage attack myel framework again we're stopping it in its tracks we're not

waiting for it to become an incident we know it's not acceptable and you know that came from the top you know when I we've got uh a Deputy Governor head of the Civil Service honorable France manderson I I I spoke to him one day just to assess when I started security posture and he said I've got no tolerance for any data breach or any attack none at all he did need to say it to me twice I knew exactly what that meant and that's what I bred down into my team so every day we throw our bodies across the line and every day we make sure that we checked and we double check we don't leave anything to chance we

make sure that when we go home when we finish our we don't work well we do long hours but not because we have not done something properly it's because you know we want to we want to be sure but I say to my team go home at 5: if your shift ends then cuz you know that you've done everything you can do in that time and for me it's about what else do I need to do to make sure I deliver on that statement that not on our watch I love the point you make about um not letting things balloon into incidents before you pay attention to them I think one of the things that that we as a industry do

really poorly is catch near misses and catch the first indicators and that's where we want to stop things like like just Mark things benign and just move the next postive oh let's it again jinx jinx yeah I mean I I I have a tattoo on my arm that every near Miss I've ever had um Health you know whatever way you want to look at that I have a tattoo that says not today and anytime that I almost catch the big one but don't I add to the tattoo to remind myself that like that was close maybe re-evaluate things and see why that happened but what we say to the god of death not today so so when I think of culture um I

I think I'm reminded most of my time on the Buddha judge campaign in 2019 so being the first ceso has anyone ever worked on a campaign before you know what that's like it's probably the most eight months fun of your life right but it's going to end you everybody knows that most of the staff are comprised of kids it's like their first job at a college or it's their second job at a college and the first one's on a campaign no one knew what a ceso was so I I you know did a big presentation and I'm like hey I'm trying to create a culture of security heavy on the cult you know and I'm not trying to create a

cult I haven't seen the movie yet so I don't know how um but the idea of you are trying to make people care about security you're trying to make your organization care about security and you have to find a way to make that message resonate like if I'm at work and a system gets compromised the average bear does not care if corporate daddy loses some money that day I'm still going to get paid but to implement that security mindset into a person to convince them maybe to start using a password manager at home and start using MFA on their personal accounts it's that mindset that you're building in people the importance of security and that carries through an

organization. You know, DoD, we kind of grew up in the DoD, and the DoD, the Department of Defense, has a very DoD culture. I can't describe it exactly, but if you've ever been in the military you know exactly what I'm talking about. And that didn't happen overnight; that happens over time. But I think, reinforcing, your job as a security professional is to make security resonate with people in a way they understand and a way they care about. You can't just say, hey, look, you should do this because phishing emails, and don't click. I think phishing tests are the dumbest thing an organization can do, or bad phishing tests, I'll say that. All right,

if your organization does a phishing test and you don't include a landing page for people to enter credentials, then you're just doing gotcha tests. Like, somebody clicked on something, so what? That's the Internet; it's exactly what we do. We click on things; we made a box to click on stuff, that's the only thing the Internet's for, so you can't ding people for that. But entering credentials in, that's a no-no, right? And I think we have to change that mindset and create that culture. So for me it's making people care about security in a way that resonates for them personally, because that does carry the organization. That's a really good point. As a fractional

or part-time vCISO, virtual CISO, I'm working with small companies; they only get a portion of my time, so I'm often serving as CISO for multiple small companies at once. And if their marketing person calls me and says, hey Carlota, we want to implement this product, could you take a look at it and let me know if you're okay with it before I bring it to IT? I know I have won my client over, right, because their marketing team is asking me to look at something before they even take it to the IT team, and I love that. I love getting to that point with a client. Okay, so we've talked about the cultures

inside of a company; let's talk about the culture in our industry, because, you know, as a brownish woman in tech in the US, I've had some struggles. I know, shocking, right? Is the New York Times here? They should write that down. And, you know, I think one of my first interactions with you, Mick, was so refreshing, because I had started out as a part-time CISO for an 80-person nonprofit. I'd put the NIST maturity model in front of them and their eyes glazed over, right? So I created what I call the security health model. It doesn't replace any security models that we use, but it maps those concepts into

business speak, right? It's a Rosetta Stone. And I showed it to Mick and he gave me such great feedback on it, and as it evolved he eventually said, hey, can I share this with people? And I had never had that experience with someone of his level until that time. So, you know, and you've referred to this earlier in your talk, we do a terrible job at mentoring people. So what are the pieces in our industry, the culture of our industry, that you would like to see evolve over the next few years? And I'm going to start with you, Mick. I would like people to stop being shitbags; like, that would make me so happy. I think a lot of people kind of

overlook that cybersecurity in general, the whole cyber scene, was born out of a criminal element, right? Like, hacking was never legal, let's be super clear on that, and we just turned it into a whole industry. Problem is, a lot of people that grew up in that other, criminal industry got real big-person jobs and adult jobs and are still there, and that ethos, that mindset, is still there too. You had people that weren't the cool kids who are now the cool kids and are in charge of things, and if there's one thing that people like, it's power, and if there's something people like more than power, it's abusing that power. So I would like

to see, if you see dumb, if you see people doing dumb, call it out. Don't hesitate to do that. That's the only way this industry changes; that's the only way people change, is if you hold them accountable for the things that they do, the things that they say. And I think that's the biggest change the industry needs: if you want this diversity of thought, if you want this diversity of experience, if you want people that look different than you in this field, then stop being a dick to them and let them work in this field. We do a bad job at mentoring because I only mentor the people that I want to. I

don't hold wide classes; I don't hold wide webinars for anyone that wants to attend, right? And that's just a general mindset. So get involved. I do a lot of work with Blue Team Village at DEF CON; I've been a mentor there for years now, and, you know, one of the first cats that I mentored, he started Boston University earlier last year. So it's amazing to see something like that happen, you know, him being able to come from India and start school here. That wouldn't happen if we don't encourage it. So I guess, all of you, I encourage all of you just to hold people accountable and hold doors open

for other people. It's amazing. Thank you. Pam? Yeah, I think, you know, to see this event, you know, I was here last year and it didn't have the same energy or the same vibe or the same turnout. To see so many people turn out, it's just fantastic. I think wherever you are, whether you work in cybersecurity or not, or you aspire to work in it, pursue that dream. You can all have a career in cybersecurity, or it can be an adjunct to whatever your main profession is. So, you know, educate yourself, you know, reach out to people, reach out to me, I will help you, I will guide you, try to find

opportunities for yourself. And really, I mean, the more people that we have in this jurisdiction that understand the field, the better, because we're a highly digitized financial services jurisdiction and there's a lot to protect. More is coming down the road with AI and other technologies, so I would encourage you all: the door's open for all of you. There's enough jobs for everybody, if not here then on another island, but for here for certain. How about you, Adam, what would you like to see change? So much. What worked for me is that I had the smell of the Marine Corps on me still when I was trying to start, and

because that group of disgruntled weird people that eats crayons, we like each other; we would mentor each other and give each other time that we didn't necessarily deserve. There's a, I can't remember his title right now, but his name is Sam Allen, he's been at Salesforce forever, had no business ever talking to me on the phone 10 minutes after I got out of the Marine Corps, none. Like, he's a busy person with important things to do; I had some really dumb questions to ask and he was patient enough to answer them. That's what we should be spending our time doing. It's cool that you mentor somebody that is, like, headed towards your spot; it's much

better to go all the way down to the student level, to the people that are trying to break in. Spend time with them and give them advice, because they're going to be the ones that are securing your pension check at the end of the day. It's like the reason you're nice to your kids is because they're going to pick your retirement home. Be good to them; be good to the young people in the industry, because they're going to protect you in the future. And I don't think that, especially at the senior level, I don't think we spend enough time showing junior people in the industry that we're actually people, and we don't spend enough time sharing with

them the deep impostor syndrome that wakes us up at night. And, you know, if you don't have impostor syndrome, A, I don't believe you, B, I don't think you're honest with yourself, and C, like, what are you doing here? Like, you should be president if you don't have impostor syndrome; you need that kind of hubris. But admit that to other people. You know, Jason Chan, who, he might listen to this, I doubt it, but the king of Netflix security, has been my hero for a very long time, ever since I found out about Chaos Monkey. And I saw him in person one time, and after I stopped squealing internally I asked him about it and he

admitted, like, no, I just feel like I really don't have what it takes sometimes. And he's like the king of everything security at Netflix, which is like, they won Emmy Awards at Netflix for security. Who else has an Emmy Award for security? Like, nobody. Like, that's amazing, and he would wake up with impostor syndrome as well. Admit that to your people; admit that to your mentees that there are days you wake up and you're like, I don't think anybody understands how bad I am at this, and this is going to go bad, and then you keep going. But other people need to understand that you're human, that you're a fallible human with impostor syndrome

with great hair. I'm just kidding. That's actually really ironic, because I don't suffer from impostor syndrome, and I'm going to tell you why. I thought it was because I was born with the cocky gene. I actually had a very traumatic childhood and came through a lot, but most recently I was diagnosed as being on the autism spectrum, and I just genuinely believe in myself. And I think it's the most soul-crushing thing for me to realize that my friends don't believe in themselves, because I believe in them. I believe in them just as much as I believe in myself. And so a few of us

don't have impostor syndrome, but we're probably on the spectrum. I have nothing to say in public about that. I forgot where I heard the quote, and honestly I think it may have been Lizzo. It was, you know, she said, I want you to believe in yourselves as much as I believe in you. And that resonated with me so much, because I think a lot of us have so much, wow, you're so good at this, wow, you're such a good analyst, you're so, wow, but we don't feel that way about ourselves. And that, I think, is a reflection on you as a person, which goes back to, hey, how do we change

the industry: never stop growing as a person. Like, you're only as good a person as you know how to be. If you've never seen a genuinely good person, then your bar is down here. So keep trying to get better, keep trying to get more in touch with the things you don't know about and become a better person, and that does change things; that does change the culture, and maybe get over that impostor syndrome. But I'll be honest with you, if I figured it out, I'd write a book on how to get over it. I'd make millions. But I haven't yet. So, okay, Pam, do you feel like you have impostor syndrome? Not at all. Maybe it's a woman thing; maybe we've

just been through so much, we know it. Not at all. Yeah, every day, tested every day; you come in, you really don't know what's there for you as a CISO. Not at all. I mean, that's not to say I don't have a little bit of self-doubt every now and then; a little bit of self-doubt is healthy. It makes us question what we're doing, and it does force us to grow sometimes, right? Self-doubt is healthy; when you are constantly doubting yourself, that's when it becomes impossible. Oh, that's when it's a problem, that's when it's unhealthy. I think, you know, when you're a CISO and you

have to make decisions in that moment, you know, you're pulling together all your experience and you're sort of homing in on it, right, and you're asking, God, let this be the right decision, right? But you just have to make it and you have to drive it through, and, you know, people will sort of challenge it because they don't see your vision, or maybe you've not communicated it right. But I don't think there's any need. I think any day you wake up in a job as a CISO and you're not sure, it's time to take the exit. Yeah, that's fair. Can I just say, like, I've served under a lot of interesting battlefield

commanders, and Pam is a great example of the kind that you want to get behind any chance you get. Doesn't matter what you want to do, get behind somebody like Pam, because you follow somebody like that and it's not just for entertainment value, like you follow other people just to see what's going to happen; it's because you know that things are going to go well, because you have somebody steady like this in the lead. So I applaud you. And following me means come into the trenches, come into the trenches, right? We're going to go deep, but we're going to come out the other side. Excellent. Yes, that's exactly what you want in a leader,

right? You want your leader to say we're in this together and we're going to get through it. I think that's perfect for leadership. I think leadership in cybersecurity is unique in its own right, where leaders in cyber are not like leaders in other fields or verticals. And I do think that, to your point, it's a generational thing. I think, you know, there are great leaders in cyber, but there's not enough great leaders in cyber, and that generational change, those junior analysts that you're talking about now that are going to get automated away by AI, apparently, it's the field years from now that I'm encouraged for, that I'm hopeful for,

you know, and I think it's those incremental changes that we make today. You know, the best time to plant a tree is today, right? So it's that years from now is what we're preparing for. That's fantastic. All right, I'm going to shift gears again, because we've got about, you know, time for one more question across the four of us. I was once asked what the difference between a CISO and a virtual CISO is, and I said, I sleep better at night than a CISO, right, because the great thing about being a consultant is that you are outside the organization and there is an understanding that you do not own anything. I

advise. I tell you what the risk is, I make a recommendation, but at the end of the day it is your decision and you own the consequences, business owner or business unit owner. So, you know, for me it's kind of a joke, but it's also kind of real. I never pursued a full-time CISO role; from my part-time CISO role with the nonprofit I went straight into virtual CISO and cybersecurity consulting. So I'm going to ask our CISOs and former CISOs here, when you were a CISO, Mick, actually, I'm going to start with Pam. Pam, you're the current CISO, what keeps you awake at night? Nothing. Good. Nothing. White noise machine or eye

man, do you know, you know, I'm a quick sleeper and I'll sleep for the full eight hours. As I put my head down, I'll be sleeping. Why? Because I know what I've got in place, I know the team I have behind me, and I can sleep at night, because in the morning I've got another 12-hour shift to do and it's going to be a good ride, and I'm going to do all the things to make sure not on this watch. So, I love it, I love it. No, that's great. And I think it doesn't matter if you're a virtual CISO or a full-on CISO, if your name means something to you and you don't want to get sued,

it's the same thing. I don't want anybody to Google my name and for all that to come up. I don't want that, even after I've retired, right? So I think it doesn't matter. My name is associated with the Cayman Islands government and cybersecurity; I cannot let anything happen. That's my mindset. Fair enough. All right, Adam. I'll leave Mick for last because I want to hear from him about his audience. So, before today, what would keep me up, because today and forward what's going to keep me up is, like, how can I be more like Pam, like, sleeps at night just fine and has the resolution to get

through this stuff. I'm just kidding. But I think what normally, especially when I'm in the seat as the owner of risk and of, you know, the entire security construct, it was almost always my people that I would spend my off hours thinking of. No matter what happens as a security leader, your hands at some point will leave a keyboard, your feet will leave the office and your eyes will leave your computer screen at some point, but your people, if well trained, will be there in your spot to take care of things. And so my primary concern is almost always with my team. There's a whole idea of mission accomplishment

first and troop welfare second. To me, that was always a non-negotiable dichotomy: that if you can't take care of your people, you won't accomplish the mission, and you can't take care of your people and not accomplish the mission, because they need to be successful as well. So I would stay up and think about, how is my rock star doing? How is the person that's always saving the team doing right now? Are they sleeping? Do they have enough support? Have I told them that they're amazing? And have I pulled them out of the team so the team can feel the pain of not having the rock star around, so that another rock star can develop themselves? That's the

kind of, thank you, that's the kind of stuff that I think about. Because, you know, there's a good friend of mine, Gary, that worked at Salesforce. He's like, I'm not a rock star, I'm a roadie, and you only need so many people to trash a hotel room and sing; you need a couple people that are going to be able to plug in the amps and make sure the lighting's okay. And I think that's what we need to foster in our teams: make sure that you know your team, you help them grow, so that when you're not there you can sleep at night. I love it. All right, Mick, you have

experience both as a CISO and as a global adviser to very large enterprise CISOs. What kept you up at night, and what do you think keeps your customers up at night? I think, looking back at my time at the White House, at the campaign, and, like, to Adam's point, when you're a security leader your job, to me, is to put your people in the best possible position for success. What can I do? Like, how can I throw my weight around, throw my authority around, to give you the tools, the resources, the training, whatever it is that is going to make you better at your job? Because you being better at your job makes me look good, so

it's really selfish when you think about it. Like, I want to look good, and the way for me to look good is for you to be awesome. So as long as I get credit at the end of it, I'm fine with that. There's that humility that you were telling about. Yeah, yeah. So I think it's, you know, putting those people in a position for success. I think, you know, during my time in the Buttigieg campaign, I had just left the White House; you know, I was there for the 2016 election, so I know why I got the job. It was maybe three people that were around for it and I was one of them, and for me

the biggest fear was, like, you were the first person to do this, you better not screw up. Like, it's all pressure that I put on myself, but, like, hey man, if you make the paper as the first guy that did this, you know how bad that's going to look for everybody else. It goes back to, if you Google me, you'll, yeah, I don't want that to happen. So it was always don't make the paper; create that security culture, keep sending out reminders, be that annoying person: just, hey guys, we've talked about it a million times, but just one more, make sure you do XYZ. So I think for me it was, you

know, bad press, bad media, especially on a political campaign, is just something you don't want. The idea that any press is good press, that is not true; you can have some bad press, and we've seen it recently. And now I think a lot of the folks I talk to, a lot of the organizations I talk to across the globe, the concept of resilience, and it's such a buzzword, and I don't really think I understood what it meant until, honestly, pretty recently, because my background in the government, like, we don't shut down. It's not an option. Like, the government stays running, unless budget, but that's a whole other thing.

But so the idea of, like, your organization, your business is critical, it cannot shut down, and that is what keeps people up, because this Rube Goldberg machine that we've turned the Internet into, one small thing goes wrong, some library that you didn't even know is in your environment goes haywire, and all of a sudden you're down for four days. So it's just the interconnectedness of the world now, and I do think it's not worse, but getting more interconnected: more systems, more API calls, more services, more threads, more strings, everything beyond that. We're making everything so complex, but as the smallest thing goes wrong, the results can be catastrophic. And I think that is what keeps

people awake at night is just, what risk have I not accounted for? I think we definitely saw that with CrowdStrike a couple of months ago, right? What happened with CrowdStrike? I'm just kidding. Right, did you miss that one? I know what happened. I missed that little thing. So, you know, it was very funny to me, because, you know, all of my friends were texting me, are you okay, like, are you drowning? I'm like, my clients can't afford CrowdStrike, I'm fine. Right, CrowdStrike got me the next day when I tried to fly Delta. So, right, so yeah. But I do want to come back to this concept of resilience and not necessarily

understanding what it means, because I think a lot of people think of resilience as our ability to kind of stand back up or bounce back, and resilience is really our ability to surpass where we were, right, to not only get knocked down but to come back, and come back better. Is there a different definition for resilience across the leaders here? I mean, for me, resilience, I think, and Jules gave a great talk about this earlier, and I really appreciate some of the points that she brought up, for me resilience is necessarily what happens when you get punched in the face. And I think too many times we think, like, well, I'm going to do

it, I'm just going to make this happen so I don't get punched in the face. Solid plan. Mike Tyson's still alive; you might want to plan for something, right? Like, what are you going to do when you get punched in the face is what resilience is about. It's not necessarily that you lose, but you're going to get hit, and if you don't have a good plan in place, a good team that's well trained, and, you know, the capability to recover from that hit, then why are you here? And too many times we try to protect our, you know, shiny white suit and keep it pristine; we never learn how to wash the

thing just in case the ketchup comes. Like, we need to do that as well: disaster recovery planning, practicing, never letting a good, you know, incident go to waste, or near miss. Those are the things that I think resilience brings to mind for me. And I completely respect that, like, the government can't shut down. It does, right? Budgetary, there's other ways that it's happened. But the real point is, like, what do we do after that? And if you don't have a plan for it, you're not going to know, or if you have an unrehearsed plan for it, you're going to have a bad day. Yeah, real bad day. My nose is crooked for some reason

because of that. I bet you. Pam, because, you know, we're talking about the US, which government's very large; your government is much more intimate in terms of how involved you are, how involved day-to-day you are with your constituents. So what's your definition? So I'm still old school, okay? So for me resilience is architecting resilience, you know, having different nodes, the ability to have active-active, to fail over. That's what resilience is, and that doesn't matter whether it's a cyber attack or natural disaster, weather system, or whatever it might be. That's what resilience is. And business continuity is the ability to practice that resilience, and disaster recovery

again. But resilience in the cyber context is, for me, try to make it not happen in the first place, right? And then there's the recovery: if it does happen, recover quick. These are my definitions. So architecting the resilience in your software layers and whatever layers you have, geographically or whatever it is that you're doing, put it there in the first place. That's what resilience is. That's fantastic. We have just a few minutes left, so what I would like to do is: is there a subject in cyber or in general that's near and dear to your heart that you wanted to spend one minute telling us about? I'll start on the end with

Adam and work our way in here. Yeah, the thing that I have been studying all summer since I left my previous role is identity. I don't think, with a couple exceptions, I don't think that we're paying attention to identity like we should be right now. Identity is, can you solve a hard math problem with a FIDO key or with, you know, a YubiKey? That's great. Is that going to be extensible and scalable for all time? And I hate to break it to all of the technical people in the room, but that is a philosophical question first. Understand the philosophy of identity; understand what it means that you perceive my identity differently

right now than you did 30 minutes ago, than you did 45 minutes ago, than you did when you just saw me wandering around, and understand that that's the level of identity variability that we have to deal with, especially with artificial intelligence and gen agents. Thank you. So, two things. I think zero trust architectures is important, but I'm not going to go too much into that. And if Miss Georgia is in the room, I have to say this to you, Miss Georgia: collaboration and information sharing. Yeah, yay. So, good, okay. All right, Mick. I think if you personally have not seen the 1986 classic by John Carpenter, Big Trouble in Little China, it is one of

the best movies. It actually is the best movie, and I think you should spend some time watching it. It stars a young Kurt Russell, and for a non-horror movie I think it's one of John Carpenter's finest. Okay, thank you very much. And for my own thing, I just want to remind everyone here, well, A, thank you for coming and listening to us, that's amazing, really appreciate it. But also, a lot of us in this room are technologists and we tend to lead with technology, and in cyber it's a much bigger problem. We're always hearing, you know, align people, processes and technology, and I want you to start leading with the people piece of that,

because we are people; we are serving people, we are helping people, we are hurting people with everything that we do in cyber, right? So, next time that your impulse is to throw a technology, or some technology is going to solve that problem, I want you to put a pause on it and I want you to think about the people first, and then how they will use that technology or how that technology will impact them. So, oh wait, I, your mental health is super important. We work in a super stressful industry; we have for such a long time, for some reason, we don't take a lot of time off

because a job demands that, or we think it does. Take care of your mental health. Like, if you're not seeing a therapist, you probably should. Yes, everybody, 100%, everyone needs a therapist, even if your therapist is your dog, but really, get a real therapist. Yeah, take care of your health; your mental health is super important, and if you're not taking care of it, you're not going to be good at this job and you're not going to last in this job, you're going to burn out. I've seen it happen; it's happened to me. So take care of your mental health. Hashtag therapy. Yeah, yeah. And I think, you know, if you saw Alex's talk this morning,

if the criminals are telling people to take a day off and take care of themselves, we better be saying it to ourselves as well, because we only have this one life around the Sun. Well, you know, reincarnation, but we only have this one current thing that we're in. The AI version will live forever. All right, on that note, I think we're going to call it done. I know John, I think, is going to come up. Is it John next? Mary? I'll let Mary come up. Thank you, everyone. Give a big round of applause. Thank you so much, everyone. Thank you, and thank you all.