
In this episode of 'Cybersecurity Today,' hosts John Pinard and Jim Love introduce their unique show, 'The Secret CISO,' which aims to dive deep into the lives and thoughts of CISOs and similar roles, beyond the usual interview-style format. The guest...
Jim Love
Welcome to Cybersecurity Today on the weekend and our show, the Secret CISO. The show is where John Pinard and I invite people in the CISO or similar role for a conversation about their work, the industry, but most of all about them. And if you're looking for interviews and questions, this isn't the show for you. This is a conversation that we have to get to know people and talk about things in a relaxed atmosphere. So we'll start with our introductions. Now this is a bit like a party at my house. Everybody out there already knows me, but we'll start by getting the guest's introduction. John, why don't you start?
John Pinard
Sure. My name is John Pinard. I'm VP IT Operations, Infrastructure and Cybersecurity for a financial institution in Toronto. I've been in IT for longer than I'd like to admit, but yeah, that's me, Priya.
Jim Love
Great to meet you. Why don't you introduce yourself?
Priya Mali
Sure. Thank you for having me. Jim and John, pleasure to be here. Yeah. So I'm. You didn't tell me how long I should take, so I'm.
Jim Love
Take as long as you want. I know this marvelous editor so you can take as long as you want to introduce yourself. Take the whole show. We'll also, we'll have coffee.
Priya Mali
I want to hear about the great things you all do as well. Yeah. I'm Priya Mali, I'm the CSO at Sheridan College here in Ontario, very much in Ontario, Canada. So I cover all aspects: information security, privacy, resiliency, compliance, managed pockets of IoT security as well. I work very closely with my peers, not only in IT, but risk management, campus security, research and other departments at the institution as well, including faculty. I do have a part time role as well, serving as a key strategic advisory council member, as we call it, to my CEO and to the board, and I'm part of the pan-institutional policy review committee as well. And it helps me to understand all the policies the institution makes and then see where's the best fit. Right. Like to be able to talk about technology, information security. So just before I moved to Sheridan, in total I have about 20 years of experience in the space of cybersecurity, privacy, risk management, compliance, resiliency and I will say data and today certainly AI governance. We did not talk about AI. And just in terms of my path into cybersecurity, it was not linear. I graduated with an engineering degree. I started my career as a software developer, did that for about four years and then two things I wanted to do. I did not want to do coding and testing for the rest of my life, but I did want to use my grounding in technology, so to speak, to do two things, right. One is to understand the intersection of technology with business. And the second was, since I am a person that's motivated by challenges, I did want to challenge myself to become a subject matter professional in another area of technology that was up and coming. And at that time, this was back in 2010, back in India, where cybersecurity was just being spoken about. So that's how I got my start.
After my software development experience I went on to do my MBA and after that I landed roles with the Big Four consulting firms and worked with three or four of the Big Four, starting with Deloitte, where initially I focused on enterprise risk management and then moved into technology risk and cybersecurity. But then before I moved to Canada, I spent close to a decade in the United States advising both technology giants in the Bay Area. So the likes of the very large, known technology giants in the Bay Area, I won't name the names. After that I spent about six years in New York where I was supporting some of the most prominent and well known names on Wall Street. Besides that, I've lived and worked in six countries outside of the US and Canada, some of them being the UK, China, India and Spain. And my journey has taken me from working with operational teams to build cybersecurity programs from the ground up to working with the senior leadership and the boards of organizations to be able to build robust and agile cyber risk and really resiliency strategies. I'm very fortunate that I've had a lot of global exposure and this global exposure has helped me to work in a multicultural environment by having a global mindset and really being able to work with people from different backgrounds, thinking styles and being able to communicate to them in their language. It also does help with being empathetic and adaptable as well. So that's that. Fun facts about me: outside of work I write poems. So that's my stress buster. I think we may all need a stress buster. I have about 35 poems that I've written in English published globally. I am a wildlife nerd. What can I say? Especially with respect to predators. Besides that I do love to travel. So I've traveled to over 20 countries and I do intend to increase the count. That's that.
By the way, in preparation for this, I did have my mom visiting from India and I was asking her, like, how would you describe me? Like a few words. And so she was saying that there's a few things outside of her knowing me as very ambitious and career oriented. I am someone who's motivated by challenges. I will say persistence is my middle name. It's important to be able to embrace failures, learn from them, but learn from them and pivot your approach every time. So I will say persistence is my middle name. And I strive for excellence and try to achieve perfection in everything I do. Yeah, so that's me. Another thing I will add is, outside of what I do at work and where I met Mohsen and John, and now you, Jim, is that I keep myself very active in the industry in terms of networking, in terms of actively speaking at conferences, panels, just sharing thoughts, brainstorming on ideas and all of that. So I do keep myself active in the industry there, not only on cyber, data and AI topics, but DEI is close to my heart as well, especially when it comes to women's empowerment. Because I'll say this, I've made a lot of mistakes in my life. I do want to give back to the community. I strongly believe in paying it forward. So I want to see younger people accelerate their career. So that's why I take the time to do it.
Jim Love
When do you sleep?
Priya Mali
Okay, I'll be honest, I get asked that a lot. No, I do sleep. It's all about time management and prioritization. Right. It's not about. You need to be comfortable with the fact that some things can wait for tomorrow. And so how I do it is you're constantly thinking, you're constantly on your toes and prioritizing. Right. What is it that I absolutely need to get done today versus the things that come ready for tomorrow? Otherwise you're not gonna. You're gonna end up with no sleep.
Jim Love
Oh, most of them. How many countries have you been to? Oh, you're having trouble.
Mohsen
I've been to a few too. I've been to a few, but no. This is exciting. Good morning everybody. Maybe I'll talk a little bit about myself. Like John, I'm also in the financial sector, so I'm a director of cyber defense. And over the past many years, I would say probably 25, I've been in the IT industry going from one role to another. Just prior to my current role, I was with Walmart Canada traveling to many areas. And prior to that I was in the entertainment and consulting sector. And I had the opportunity through work to also travel to Europe, the US and the Far East as well. One thing that I can say is that over the course of many years being in a leadership position and going from IT to IT security, I've learned so many things, and most of that relates to how you collaborate and communicate with your community. Same as John, yourself and Priya, I'm also participating in some of the community events. Some companies such as CyberX, Event Gartner, and so those are some of the forums that I try to participate in. Back in the days when I started, the inception of digital, I was part of the entertainment industry and basically creating the first standard for the MPAA, which is the Motion Picture Association of America. Since then I've done quite a few in the movement of digitization of the organization as well as protecting and using the knowledge that I have to help others to also elevate themselves as well.
Jim Love
Cool. Absolutely. So we've got a fair bit of experience here. This is good. I'm going to learn a lot. Let's talk about. I want to dip into a couple of things and Priya, I want to go briefly into this, but I do want to ask the question because I've been a big proponent of women in IT. I've taught in engineering schools and I knew years ago there are more women in engineering roles now. Thank heaven. You must have been pretty early in the game. India is a pretty straight ahead country, pretty rigid in some of its aspects of this. What was it like when you told your mom and dad that you wanted to go into engineering? Did you get big support?
Priya Mali
Oh yeah. I appreciate that question, Jim. I would say yes, I did get support. My parents were very forward looking, so they were like, you own your career, whatever you want to do, right? Whatever you're passionate about. And also be realistic, because at the end of the day you have bills to pay. Let's be realistic, right? Have a real job. This is what they said with respect to engineering. I'll also say this about myself. I did not initially start as a very academically oriented student, but I think things changed. There's a few things that happened while I was growing up. There was some financial scenario that we had to deal with that got me thinking. And then early on, like high school, about the time where I was like, okay, so I do need a good job. A good job means a high paying job. So let's work my way backward. What does that mean? I need my scores high, right? Okay, so let's focus on my academics. Right? So that's what happened, right. It's because of some things that we went through while growing up. So that's one. Now with respect to answering your question on the engineering, no, like I said, my parents were like, whatever you're passionate about. And actually why I chose GEM was. I don't know if I should say this, but while I knew I wanted to become an engineer, with respect to honing in on which specialty, no, at that time, I didn't know better. Right there. There was not really Google at the time. There was certainly no ChatGPT at the time. I based it on, okay, so if I do this, this will be the potential career path. And then so it's just about talking to people. And at the end, how I picked it, I was like, okay, so between computer science and electronics and communications engineering, there's a maximum number of people going for this. And I picked ECE, which was electronics and communications engineering, because that's where most of my peers were headed.
Jim Love
Yeah, my dad, when I told him I wanted to be an entertainer, and I actually was for quite a while, I still play music and things like that. My dad gave me the great encouragement. He said, follow your dream, but learn to type. And in the first computer rooms, the guys who could type were people who were desirable to have. You could do keypunch, you could do testing, and you could be fast at doing that stuff. Sometimes our parents give us the best advice, which is have a plan B. Yeah, you had an interesting career. So you've gone through the entertainment industry and all this sort of thing. How did you drift into cybersecurity?
Mohsen
I have to say I come from a technical background. I have an engineering degree. When it all started for me, I always had the passion for everything tech. I have this lab in my place where I build electronics. I build garage door openers, I build CB radios and all kinds of things. Everything electronics, I try to build and use them. So it was natural for me to gradually get into the tech sector. It all started with IT operations for me. And then when I started with Deluxe Media Corporation, which is the entertainment sector, back then they were at the juncture of moving from analog to digital cinema. So I had a part during that migration to go from the analog format to the digital format. So that was a big change at the time in the industry. A lot of things used to happen, that movies get pirated and they're on people's computers before they actually get on the screen. We were tasked to make sure that does not happen. And that's where we actually started forming a consortium and building the first cybersecurity standard. From that environment, going into cybersecurity, I always thought that I can probably use my knowledge and have a little bit more impact, also being a father and appreciating the world that the young generation is coming to. I always thought that I can make more impact helping the people around me and people that I care about, the community that I care about, everybody that I care about, to actually have a better life and protect the most valuable assets that they have, which is their personal and organizational data.
Jim Love
Cool. And John, this is always weird with you because some of the audience coming here knows you because they've either seen you on Project SYNAPSE or one of the shows that you've actually hosted here. Just a little bit of background on you to orient people.
John Pinard
Yeah, I guess at a high level. I started out as a programmer and have worked in a number of different industries, a number of different companies. I was joking with somebody the other day that I have never worked in the same industry twice throughout my almost 40 year career. It's been interesting. I've worked in pharmaceutical, I've worked in healthcare, I've worked in nonprofit, I've worked as a consultant. I think it was on the last show we talked about, how did you get to be in cybersecurity? For me, when I started out as a programmer and probably until the mid-80s, the consulting company I worked at, we didn't even have Internet. So cybersecurity wasn't really an issue when you don't have Internet, and things have changed dramatically since then. There were no cybersecurity certifications or anything at the time. And so for me it's all been self taught, it's actually self lived. Because there is no better teacher about cybersecurity than getting hit with ransomware, when you're working for a large conglomerate, that takes your entire organization down. I've lived through that too.
Jim Love
I'm so old that I remember when we put passwords in, and then we still do. I was heading up. No, but we didn't have passwords on any of our computers. When we first started, we ran a DEC mini and that was the whole thing and there were no passwords. Matter of fact, we had a program called Wipe, and usually you went onto the programs and you waited to get to OK and you click OK if you want the program to go. There's a program called Wipe and one of the guys, one of the managers there, on his last day wondered what it did, and you'd wait for the program conversation. You typed in wipe and hit return. And it had no OK on it. We learned a lot by, oh, the stuff in financial services in the early days, you would just laugh. But so yeah, because I was supposed to, I wanted to get some mainframe experience because, you know, if you were on a mini, you didn't make as much, like you wanted to get to the mainframe world. So I got a job working for National Trust at the time and they had a fairly big trust system and all this sort of stuff. And then somebody came up to me and said, that lady over there, she works for you. What does she do? Security. Oh, we had great training in those days. She works for you. Anyway, we've all come to this in a different way and we've come to this world where we are bringing all that experience. What I'd like to do is just to focus a bit on the current world and the challenges that you see. They don't have to be the classical ones that everybody talks about, but what are the big challenges that you see in the world of cybersecurity and IT today? Mohsen, do you want to start?
Mohsen
Yeah, sure. So as everybody mentioned, we do participate in events and conferences. So one of the conferences that is really dear to me, I try to attend whenever I can, is the RSA conference. So this year I had the opportunity to actually be there with more than 45,000 other people, leaders from around the world. Some of the key messages that I heard that I think still make sense for many other organizations are the challenges that we have today using AI. AI both being a threat and also a friendly tool. So that's a big challenge that is in front of us, like any other time that there is a sort of an evolution or a change in the tech sector, and more noticeably now with what is happening in the AI world. There are two aspects of it. One is the good side of it, one is the bad side of it. So how you deal with that, I think it's at the top of a lot of the conversation today. One other thing that I also noticed that was at the top of the agenda was how this fatigue with many aspects of the SOC operation is actually kicking in. So there is a lot of burnout, there is a bit of a shortage of talent, and the companies get [inaudible] by various types of alerts, events, and they have to start making sense of it and how they protect their organization. So that's also a big challenge at this point. The last thing that I mentioned as part of the top three is basically platform consolidation. Many of us, through the work that we have done, have many tools and platforms and try to stitch them together. This is becoming a bit of a challenge for everybody, including myself, to actually start making sense and have these platforms talk to each other and consolidate them. Because at the end of the day it is the speed and agility of the response that really is important when something potentially goes wrong.
Jim Love
Yeah, we'll come back to that one. I think it's part of the. It fits into burnout as well, is just the number of things that we have to master. Priya, what are your top three?
Priya Mali
Yeah, I'd say first of all, I completely agree with all the points that Mohsen mentioned. So three things. Number one, starting with outside of the Gen AI part, we continue to live in a hyper connected world, right? And when I say hyper connected world, it's not only organizations using multiple cloud partners, it's also remote work. It's a lot of usage of IoT devices across the board and a lot of third party, fourth party, fifth party, whatever integrations, right? So it's the extended, I will say, vendor slash business partner ecosystem, as a result of which, as cyber defenders, our attack surface just exploded. So that is one top challenge. And then the second point that comes to mind is just unpacking recent cybersecurity incidents and also paying attention to what's happening on the global stage. There's a lot of geopolitical scenarios and tensions emerging. Hackers are continuously evolving their game where it's not just the data or affecting one institution. The motive can be to look at an economy as a whole, multiple economies as a whole, right? And attacking the weakest point to be able to cripple us, right. So again, I don't mean to sound like a doomsday person, but again, we need to build our immunity, right? Like it's not a matter of if, but when. So my focus is around cyber resiliency. It's not just cybersecurity risk anymore. It's around resiliency, being able to bounce back within your times and keep your business operating. The third part I will say is we are in an inherently digital environment today, right? For everything. It's a phone, it's a button click away on the laptop or on the phone. And we live in a globally connected system. So I would call ourselves, as cybersecurity teams, we're not just insurance for the business anymore, right? Like we are the business enablers. And so to this effect, what I have done internally.
I know we're talking about challenges, but I'll also give you a window into what I've been doing here at Sheridan. Just in the Canadian higher education sector, it's not as heavily regulated as financial services. I spent the longest time in financial services, so I missed regulations. I'll say I can be honest. But that said, I've had to come in and pivot my approach, where I focus on building relationships not only within IT, within HR, Finance, but also across the business line, because you do want them to see you as a business enabler. And I focus on building relationships with them through my credibility and not being the naysayer all the time. Hear them out, understand their use case, and there can absolutely be a middle ground that can be arrived at. So being able to build those relationships through credibility and also showing that you can speak their language. Right. Speaking the business speak.
Jim Love
Yeah. Good. John, what's yours?
John Pinard
I agree with everything that Mohsen and Priya have said, especially the Gen AI, based on our other podcast. I love AI. I think it's an amazing tool, but it can very easily be used against you and it is being used against you. It's escalating the intensity and the speed of cyber incidents. So to me it is definitely a big one. One of the things that I wanted to add too, though, is people. And I'm not talking about hackers, I'm not talking about external people, I'm talking about internal, within your organizations. And it's not intentional, but it's just the lack of thought. Right. Just in the sense that they get an email, they see a link, they automatically click on it. Click first, think later kind of thing. That is. That's what comes back to really bite you, is that people don't think enough. And we've spent an awful lot of time with training and education in general to our staff on: think about what it is when you get an email that's got a link or it's got a QR code or it's got something. Think about it before you touch it. It was actually very relieving because we ran a phishing campaign a couple of days ago and I had three people that normally would click first and think later actually come up to me and say, I got this email. It looks odd to me. What should I do? So that was. I have to. It's such a small thing, but I have to tell you, it was the highlight of my week.
Mohsen
Yeah.
Jim Love
Don't you wish when people ask that question, you had someplace in your drawer where you could reach in, pull out $200 and say, take your family to dinner and celebrate the fact that you're great. Yes, that's a piece. Let's start with that. I promise you we won't let AI get away from us. Let's start with that. Because my perception is right now that a lot of us had a technical background, and I had those corners broken off me by a great woman coach that I had partway through my career, because I thought of the world as the army. When I started out in business, it was the army. We did things in IT. You did them, you were told, you just did them. Then we met all these people in business and they didn't actually listen to us. That was a big revelation for me. Somebody gave me a book called Power and Persuasion and said, Jim, they're two different things. But we have to deal with the humanity in the burnout and things like that. How have you adapted to this new need to be either an organizational psychologist or whatever you want to describe that? How has that changed how you think about your job and how have you adapted to that? Mohsen, do you want to start?
Mohsen
Sure. So this is an area that is becoming top of mind more and more as we go through our hiring practices, through evaluating who actually can do the work for us. I think there is merit to the fact that we need to hire problem solvers rather than technical people. There are certain disciplines where you do need that huge technical background to actually do the work. But for a lot of other things in the cybersecurity world, you actually need those bright minds. You need those people that can actually maneuver through many areas of the organization. They are willing to participate in the business mission and drive that business mission forward. They are willing to participate as a team. They are prepared to take your security agenda to the highest level of the organization and basically be a voice for things that you would like to do. So I think there is a lot of merit in the fact that those people with people skills and those people that can actually talk and solve problems play a big role in cybersecurity practice today.
Jim Love
And in a world where there's a shortage of those people, that presents a real challenge. Priya, how do you deal with that?
Priya Mali
So is your question around burnout or around people?
Jim Love
I think you came out of a big five firm, so you know what I'm talking about. We did what we were told and now there's a whole new world out there that we have to persuade, including our own staff. Holding on to good people is not a matter of what it used to be, that people applied for a job, they stayed with you for a long time and you gave them their annual review and all that sort of thing. We have to motivate them, we have to deal with burnout, we have to deal with persuading and educating, as John pointed out, the user community. I was a prof and taught at a number of places, and the politics of education have defeated many people. They're complex organizations where everybody's smarter than you. Everybody I dealt with when I was doing the university aspect was really smart. So it wasn't. You have challenges of persuading people in those environments. So how do you deal with the people issues? And the reason I separate that out is because we started in technology. I mean, we learned technology, we spent our time in tech and suddenly we have to become real experts at people and behaviors. That's the longest question in the world. But.
Priya Mali
It's not the longest, but it is loaded. So I'll say with respect to people management, yeah, you're exactly right. Now with respect to the job market and with respect to all the other perks, right, outside of salary, like hybrid work and things like that, individuals' preferences too have changed, right. For example, if an organization does not offer any hybrid work, even if they pay me a million dollars a year, I'm not going to take it. So I guess with respect to people management, my style is that. And again, I don't mean to throw the book at you, but there is a philosophy of servant leadership, right? Where I do my best to be a servant leader, right, where I am there to serve the team and be that enabler. Right? Where I trust my team, I make them feel empowered. But at the same time I am accommodating in the sense that typically I do get an understanding of the things they want to work on versus not, the tasks they want to work on, the projects they want to work on, their work preferences, hybrid versus on site, of course making sure you meet the company policy, and the communication preferences and styles. So typically, before I start working with my immediate team directly reporting to me or my extended team, I have a one on one conversation with everyone. So I understand the person as a human being, right. More than what they bring to the organization, just to understand what makes them tick. Right. Like what's their life like? Like for example, do they have a family or did they grow up here and things like that. Right. Because at the end of the day, my philosophy, Jim, is that if at all anyone has a question or problem or challenge, work related or not, I want them to be comfortable enough to be able to pick up the phone and call Priya. Right? So that's how I build the relationships. I will say it is not at all easy, right. It's never a one and done.
You've got to keep the relationship alive, you've got to keep it going. Right. And you've got to be accommodating as well and help them. Like for example, today, what's happening in the higher education space here is. Yes, outside of the super smart people in the room, there's international student quota restrictions, right. As a result of which there's a lot of Canadian colleges, us currently included, where we're quite tight financially, where we're really needing to take a hard look at our finances. Right. And one of the quickest ways that finance reductions can be met is headcount reductions. That's just truth being told. So there is a lot of anxiety and uneasiness in the environment, not only within my team, but also outside. But being able to be there for them and being able to hear them out and support them and offer them advice, not only as their performance manager but as their true, outside of work, even career coach and mentor, has worked well. So I'll say, in summary, just be a real human being with a good heart.
Jim Love
John, you work in an environment that you try to keep quite personal. But the question I keep coming back to because I totally appreciate servant leadership, I totally appreciate understanding people, but the reality is there's the nuts and bolts that we've got to do. There are rooms where people watch and they get alerts and they have to make sure they track them down and they may not find personal fulfillment in that, but it's the work that's got to get done. How do we keep our own staff motivated and avoid pressure and burnout?
John Pinard
Yeah, that's a tough one. I have dealt with that for the last three years where I am now, where organizations are looking at tightening the purse strings, which means either letting people go or not hiring additional people. It means doing more with less. And that's a difficult task when you have a finite number of resources and you have to juggle getting the work done and preventing burnout. I'm extremely lucky in the sense that I have 13 people that work for me and I would say that every single one of them is extremely dedicated to their job, to the point where I don't have to ask anybody to put in extra time to do a job. In actual fact, I have a few of them that I actually call on the weekends when I see them online and tell them to get off, that they need to have their own time that's outside of work. It's tough. One of the things Mohsen had said was, when you're hiring people, hire strategic thinkers. And I would agree completely that you can teach from an IT perspective. You can teach somebody how to program in a certain language or how to manage portions of a network. It's very difficult or impossible to teach someone how to be a strategic thinker. You either have it or you don't. So you know it. When I'm recruiting, one of the things that I do is, it's not only do they have the skills to do the job, it's are they a good character fit? Are they going to fit in well with the people that are already in my team and at the organization, and can they think on their feet? Do they have that ability to be a strategic thinker, that it's not just, oh, I'm doing this because of this, it's also I'm doing this because of this, but if I do that, what impact is it going to have, not only within IT, but also on other areas of the business?
Jim Love
Yeah.
Priya Mali
Can I just add one point to that? Yeah. John, I completely agree with what you and Mohsen said, especially on the strategic thinking aspect of it. Yeah. Like when I hire for the team as well. Yes. I do look for some foundational technology, foundational cybersecurity knowledge. But then that's not all, right. So it's really around strategic thinking. But then some of the things I try to gauge in an interview process are someone being a self starter, someone being open to learning, because, let's be honest, we're all learning as we go and it will never stop. So someone being very open to learning and learning quickly and, exactly like you pointed out, being able to gel with the team, because the last thing you want to have happen is you have a tight, cohesive team working well in autopilot mode and then you have a new person coming in and being disruptive. So being able to gel with the team. Absolutely. Being a self starter and being open to having the intellectual curiosity to learn and get the job done.
Jim Love
Mohsen, I'm going to give you the last word because you obviously have, you're just rolling in dough. You have no problem with resources. You just, anybody want Right. How do you cope with this situation of scarcity, burnout, motivation, and the hiring that we talked about?
Mohsen
So when I think about the burnout and the fact that everybody has to do so much every day, I usually think about life's ups and downs. There are so many ups and downs in life. There are so many stress factors in our own lives that when things happen and things go a little bit haywire, I try to approach it from that point of view. So say this is just another aspect of the way of life. So I be. I have to be able to manage it. Same as what Priya mentioned about writing poetry. You have mechanisms to actually cope with that kind of stress. You participate in sports. I do a lot of playing instruments. More specifically guitar. Lately, Priya can be the lyricist. We can do a gym night. We can do a jam night. Gym.
Jim Love
Yeah. So I think music saved me. I was very driven. I was very worried for most of my career because of the pressures that I would have. I always felt like a bit of an imposter through my whole career because I was always advancing, and I'd get there and I'd go, how do I do this?
Mohsen
Yeah. But if I bring it a little bit closer to home, like from a point of view of looking at the organization and the team, I try not to. One thing that I really try hard is not to add to the stress level that is already there. So I try to be helpful. I try to create process, not to make the same mistake twice. So if I can do all that and not add to the extra stress that everybody is experiencing, I think I'm a little bit ahead of the game.
Jim Love
Took me a long time to learn that. I'm just being honest about it. You have to choose who you're going to be under pressure. And if you're driven, you might not respond in the ways that leaders should behave. And that took me a long time to learn. But I think, as I said, music, poetry. John, you're an outdoors guy. I know that. And you do a lot of stuff as well. But getting away is something you have to be, not just phoning the people out, telling them to get away on the weekend. You have to phone yourself sometimes.
John Pinard
Yep.
Jim Love
I want to flip this a little bit and talk about. Because I think there's a new role for CISOs, and I think we're all adapting to it. And that's the organizational psychologist. And somebody put this together. And I got the greatest insight into this when we were thinking about this. Said we want people to behave in a certain way so that we can combat social engineering. But in reality we're social engineers. We're trying to get people to behave in a proper way. How have you reacted to that? How have you understood that? What is that? John, do you want to start?
John Pinard
Yeah, I think I have never really thought about it that way. But yes, you're right. We are social engineers in the sense that we are telling people what they can and can't do and how they're supposed to do things. I think we have to though that in an environment where we are my staff or other employees at our organization, I can make suggestions as to things that they should or shouldn't do on their personal computers and in their personal lives to protect their own data. But at the end of the day they can go do whatever the hell they want. But when they walk through the door or when they turn on the company computer, we have to dictate what, what is acceptable and what isn't to keep our data safe. And in our case because we're a financial institution, keep our members data safe. Priya's gotta look after the students and the faculty. Mohsen's in the same boat as I am that we have. We look after people's money. I think one of the things that we try to do where I am is not only educate people about why you have to do things a certain way at Dukkha, but also why you should be doing it, period. In other words, why do I need to protect my data? Why do I need to not click on things? Because we're trying to educate them about safe and effective use of computers in general so that they will go home and do the same thing and hopefully share it with their family. I did this for years with my father that I would call him up and go, dad, you're going to get an email from somebody that says to do this or somebody's going to call you. Don't fall for it. So I think it's trying to educate our staff, but not only for work purposes. It's to try to make things better for them across the board. From an IT perspective. I get financial advice from people that I work with that are on the financial side of the business. They're doing that to help me on a personal note. So why shouldn't I do the same thing for them from an IT perspective? Priya talked earlier about giving back to me. 
This is one way to give back is give back to the people you work with. Give back to your friends to help to educate people on the things that we have learned throughout time within our IT slash cyber world.
Jim Love
Oh.
Mohsen
Yeah, I can relate to that definitely. In a world that we. It's so fast paced and the way that we are expected to perform at work, we don't pay a lot of attention to the chemistry between people. So a lot of times we are simply dropped into certain tasks or projects and we want to see it from start to finish. But there are a lot of nuances in between. How you can actually get a more productive environment in place, how you can actually have people talk better to each other. A lot of what we do, we bring many things from home to work. We bring many things from work to home. So that area of separation between the two is becoming thinner and thinner. So I think that there is definitely a reason that organizations such as ourselves, we are actually paying attention and we are hiring psychologists to actually come. I have to give you an example that happened to us not too long ago, maybe a couple of months ago, that there was this chemistry between a couple of teams that wasn't really quite working and there was a bit of friction and we actually had to sit in the room and we had to put everything on the table and we had to be a little bit candid about each other and the way that we want to put certain guiding principles in place. So I think all that has a place in this fast paced environment that we live in today.
Jim Love
Interesting. Yeah. Hard to do that over zoom or teams, eh? It's hard. Very hard.
Mohsen
Priya.
Priya Mali
Yeah, sure. So I don't know if I can. I think Mohsen and John covered it all.
John Pinard
Yeah.
Priya Mali
A couple more things I'll say in terms of influencing behavior, I will say. Yeah, culture that was mentioned. I think John was alluding to that. So with respect to culture, some of the things we do are certainly training, phishing awareness trainings and phishing awareness campaigns and also the information security training that we do. And it's not only to staff, it's also to students and to students and staff, of course. Yeah. We speak to them in their language. Right. And in fact for students like we have dedicated, as opposed to sending them a link, we do awareness sessions for them and we did quite a bunch of them very recently where it's to talk about, because their lives are very different with respect to what we do. Right. So there it was to really double click and talk about. These are the different types of social engineering attacks. Sextortion is a thing. Right. So that's one. And then we also spoke about deepfake scams, be careful about what you post, about what pictures you have on there, right? Because again, we all know based on CrowdStrike's most recent report, social engineering scams are on the rise with vishing related scams enabled by deepfake going up by 400%. Right? So we bring that back and say deepfake. Watch out, be careful about what you post. Stay vigilant, stay suspicious, stay vigilant. In terms of like when you look at an email that looks weird, right? From an unknown sender and it's too good to be true, for example, click this link to win a million dollars, it's too good to be true. So exercise the caution to be able to do that, right? So I would say that words, right, like from a culture perspective. So again, let me tailor that to different levels of the audience. Right? Again, like we have it for faculty, for students and for the executive teams. Tabletop exercises work very well in terms of being able to. But then that is great in terms of bringing awareness that it's not a matter of if, but when.
So let's just make sure we build the muscle memory today so that when we know if something were to go awry down the line, everyone knows what exactly to do. So that's like from a culture standpoint, I will say in terms of influencing behavior, back to your point, I think that's why we have policies, right? And I think John alluded to this, so the acceptable use policy and we have an information security policy as well in terms of how. In terms of talking about appropriate use of the network, of your devices, of the data, how you access sites, what you need to be careful about. So that's the second thing. And then the third thing I would say, similar to what I mentioned earlier, and I think both John and Mohsen alluded to this, is around being a business enabler, right? When in doubt, they want to reach out to you. Right? When in doubt, they want to reach out to you. And when they're looking at a new solution, for example, because you are not seen as a sledgehammer, they're not going to go around you, they're going to consult you. So that it was hard wish for that to continue. But again, I think that's where those are some of the things that we can do from a behavioral aspect in terms of influencing behavior and telling them why it matters in their language.
Jim Love
So this has been a fascinating conversation, cognizant. We've only booked you for about an hour, so I want to make sure we get through. Can I invite you back to talk about AI? Because I think if we started talking about AI right now, you wouldn't be able to get back to work for the rest of the day. Can we do two? Yes.
Mohsen
Can probably, in a different conversation, give you a few examples of some of the things that I've been involved with and some of the learning that I've experienced over the past year or so.
Jim Love
That'd be great. So we'll pick that up. But I want to do one thing before our hour is up and that's it's a lightning round. Because we talked about it. This has been a fascination to me. I once saw a picture of all of the tools that are available for cybersecurity and it was a huge poster. Everything was so small I couldn't read it. There are tons of tools. And how do you cope with the constant barrage of new tools? Of all of that especially, there's just all kinds of pressures. How do you guys cope with that?
Mohsen
You want me to go first?
Jim Love
Sure. Yes.
Mohsen
So I alluded to and if you.
Jim Love
Have the answer, we can all go home.
Mohsen
I don't think I have the answer, but I can probably guide myself in the right direction. Yes, this is a challenge. I think I mentioned at the top of the call that it's actually being brought up at the highest forums and all the conferences that this is starting to become a challenge. Every time that you go to these vendor events or conferences, there are tons of vendors that are trying to sell a product or they want to bring you in as part of the pilot group to test it and so on. So I think it's a big challenge for all of us to make sense of this diverse number of tools that we have. Yes, they do serve a purpose, but is there a better way of handling and having them talk to each other? Can I potentially combine two of them that each do 20% of that work for me and get a collective 50% from one? So there are definitely a lot of synergies to be had. And this is something that I'm really deeply looking at today in my portfolio to see how I can actually make sense. Because there are a lot of these tools that have low utilization, like they have so many features. But guess what? We only use two of the 10 features that they have and the rest of it we just leave for who knows when we actually get to it and we never do. So there is definitely merit in all that, to make sense of all these, the tools that we have, and consolidate the best we can.
Jim Love
That's an interesting observation. If you just went through all the tools you had and find out the things you weren't using properly and before you buy something new or before you even look for something new. Sorry that it's obvious but it's something I think.
Mohsen
Yeah, I challenge my kinsey. Rather than going through after a new tool, see if that area that you're not utilizing an existing tool can actually be utilized.
Jim Love
In the old days when we had software that used to come in cases and things like that, we'd do inventories and I'd go back and find things, and actually, as consultants, this was a great way to make a lot of money. Go do a software inventory, find out the stuff they bought but aren't using and tell them to cancel it. And the savings were astonishing because people buy tools all the time and then they forget about them. Yeah, good stuff. Priya, what do you think?
Priya Mali
The shiny new toys, right. Will not be subject to that. But then really taking. So two things that I do is certainly completely agree with what Mohsen said. Making the best use of our existing in-house tools. That's one. And then let's just say if there's a new tool in the market and I know that. Sorry, I'll just take a step back. First thing is making use of the existing tools you have. But the second thing is going back to first principles, right? Like for example, understanding what your crown jewels are and knowing which controls need attention. That's one angle I use. Another angle I use is are there any blind spots? So if there's any vendor solution, like for example DSPM is on the market, right. Everything has an SSPM, has an SPM in addition. Right. Data Security Posture Management, that seems to be the new acronym added to the cybersecurity.
Jim Love
We desperately needed another acronym. I'm so glad.
Priya Mali
The alphabet soup continues to grow in our world. Are there any blind spots for us? And there's a tool that can help us point attention to that and be able to enforce controls there. That's another area as well that I look at. Right. And for that of course you need to understand what your known control failures are. You need to have visibility into your environment. So I say that. And then the third angle is, this is again making sure that you have a defense in depth approach. Right. It's not just passwords. Make sure you have your PIN, your MFA and all of that. With respect to looking at vendor tools as well, if there is a tool or solution that can give it all for me, sure, why not? So those are the things I think about.
Jim Love
This goes back to what Mohsen said, sometimes the new acronym is the old tools renamed as well. I think this is a real danger we run into. Somebody said this in one meeting. They were meeting with their management team and then somebody looked at them and said, "Nothing that another $250,000 won't solve," and we can't be seen as Dr. No anymore. We can't be seen as Dr. Wants Money. You know, Moneypenny, I think was the other James Bond hero that you try not to be. John, how do you cope with all of the onslaught, the tsunami of tools?
John Pinard
Yeah, I think for me, one of the things that I work with my team on is don't get blinded by the shiny new tools that there are every time you turn around. Like, I get probably 20 emails a day from vendors trying to sell me the newest tool that's going to save my day. The fact is, my day is spent maintaining what we have to ensure that our environment is safe and secure. And if the tools we have are working, the old adage, if it ain't broke, don't fix it, somewhat applies. In an ideal world, you would have one tool that does everything. But one of the things that I found is that's like a silver bullet. There are very few of these one-tool-fits-all things. You have to have at least a few different tools and use the ones that work for you. Right. What we use may not work for Priya or may not work for Mohsen. And they need to go and find the tools that are best suited for their team. But once you've got something, as long as it's. As long as you're making sure that it's keeping up with the new threats, to me, that works, that focus on making sure that you're secure rather than making sure that you've got the latest and greatest of all the new toys.
Jim Love
And on that note, that's our hour. I want to thank you, Mohsen, Priya, John, I want to thank you for joining us and for being so open on this. And I hope I haven't put you on the spot, but I hope. But I'm going to, with all the people listening, I really do want to do a part two of this and we'll try and do it as soon as we can, we can schedule it and we'll talk about AI because I think that will at least, that'll take a lot more time. And to all of you who've been listening out there, thank you so much for your time. You had other things you could have done on your weekend. But you're listening to this and we're glad for that. If you have comments or questions, you can send them to me. You can reach me at editorial@technewsday.ca. That's editorial@technewsday.ca. I'm your host, Jim Love. Thank you for listening.
Podcast Summary: "The Secret CISO: Navigating the Human and Technical Challenges in Cybersecurity"
Released on June 14, 2025 | Cybersecurity Today | Host: Jim Love
Introduction
In the episode titled "The Secret CISO: Navigating the Human and Technical Challenges in Cybersecurity," host Jim Love engages in an insightful conversation with seasoned cybersecurity professionals John Pinard, Priya Mali, and Mohsen. The discussion delves into their diverse career paths, the multifaceted challenges in today's cybersecurity landscape, and the evolving role of CISOs in managing both technical and human aspects within organizations.
Guest Introductions
Jim Love opens the episode by setting a relaxed, conversational tone, emphasizing that the show aims to explore the personal and professional lives of CISOs rather than conducting a formal interview.
John Pinard
Timestamp: [00:37]
John introduces himself as the Vice President of IT Operations, Infrastructure, and Cybersecurity for a financial institution in Toronto. With nearly 40 years in the IT industry, John has navigated various roles across different sectors, emphasizing the importance of collaboration and communication in his leadership journey.
Priya Mali
Timestamp: [00:55]
Priya presents herself as the Chief Security Officer (CSO) at Sheridan College in Ontario, Canada. She boasts over 20 years of experience in cybersecurity, privacy, risk management, compliance, and AI governance. Priya highlights her global exposure, having worked in six countries, and shares personal interests, including writing poetry and wildlife conservation.
Mohsen
Timestamp: [06:40]
Mohsen identifies himself as a Director of Cyber Defense in the financial sector with 25 years in IT. His career spans various industries, including entertainment and consulting, and he has contributed to establishing cybersecurity standards within the motion picture industry. Mohsen underscores the importance of strategic thinking and community engagement in his role.
Career Paths into Cybersecurity
The guests share their unique journeys into the cybersecurity field, highlighting non-linear paths and the importance of adapting to emerging technological landscapes.
Priya Mali
Timestamp: [02:15]
Priya discusses her transition from software development to cybersecurity, motivated by a desire to intertwine technology with business and embrace new challenges. Her education includes an engineering degree followed by an MBA, leading to roles in Big Four consulting firms and extensive international experience.
Mohsen
Timestamp: [11:29]
Mohsen reflects on his technical background in engineering and his passion for building electronics, which naturally led him to IT operations. His pivotal role in transitioning from analog to digital cinema marked his entry into cybersecurity, aiming to protect valuable data from piracy and cyber threats.
John Pinard
Timestamp: [13:23]
John shares his extensive career starting as a programmer, moving through various industries such as pharmaceuticals, healthcare, and nonprofit sectors. He emphasizes being self-taught in cybersecurity, learning firsthand from incidents like ransomware attacks that underscore the field's evolving nature.
Current Challenges in Cybersecurity
The conversation shifts to identifying and addressing the top challenges faced by today's cybersecurity professionals.
AI as Both a Threat and a Tool
Mohsen, [16:15]
"AI both being as a threat and also as a friendly tool. So that's a big challenge that is in front of us..."
SOC Operations Fatigue
Mohsen, [16:15]
"There is a lot of burnout, there is a bit of a shortage of the talents..."
Platform Consolidation
Mohsen, [16:15]
"Many of us through the work that they have done... this is becoming a bit of a challenge for everybody..."
Hyper-Connected World and Expanded Attack Surface
Priya, [18:28]
"Our attack surface just exploded. So that is one top challenge."
Geopolitical Tensions and Cyber Resiliency
Priya, [18:28]
"We need to build our immunity, right? Like it's not a matter of if, but when."
Internal Threats and Human Error
John, [21:20]
"People don't think enough... it's such a small thing, but I have to tell you, it was the highlight of my week."
Priya and John expand on these challenges, discussing the need for cyber resiliency, strategic thinking, and the importance of human factors in cybersecurity.
Managing People and Team Dynamics
The discussion highlights the critical role of leadership and people management in cybersecurity teams.
Servant Leadership and Team Empowerment
Priya, [25:37]
"My style is... servant leadership, where I am there to serve the team and be that enabler."
Understanding Individual Needs and Preferences
Priya, [25:37]
"I understand the person as a human being, right. More than what they bring to the organization."
Cultivating Strategic Thinkers
John, [30:12]
"They have to be a good character fit... are they a good character fit? Are they going to fit in well with the people..."
Motivating Teams to Prevent Burnout
John, [30:12]
"I have a few of them that I actually call them on the weekends... they need to have their own time outside of work."
The guests emphasize the importance of building strong, empathetic relationships within teams, fostering a supportive environment, and ensuring that team members feel valued and understood.
Role of Organizational Psychology
Exploring the intersection between cybersecurity leadership and organizational psychology, the guests discuss strategies to enhance team dynamics and overall productivity.
Mohsen's Perspective
Timestamp: [34:31]
"There are a lot of nuances in between. How you can actually get a more productive environment in place..."
Facilitating Effective Communication
Mohsen, [34:31]
"We have to hire psychologists to actually come... put everything on the table and we have to be a little bit candid about each other."
Building Productive Team Chemistry
Mohsen, [34:31]
"So I think all that has a place in this fast-paced environment that we live today."
The incorporation of organizational psychology principles helps in addressing interpersonal friction, enhancing communication, and fostering a collaborative work environment.
Influencing Behavior and Cultivating a Security Culture
The guests discuss methods to influence behavior and build a robust security culture within organizations.
Education and Awareness Training
Priya, [39:11]
"These are the different types of social engineering attacks. Sextortion is a thing... deepfake scams... stay vigilant."
Developing Policies and Enforcing Controls
Priya, [39:11]
"We have policies like the acceptable use policy and information security policy."
Business Enabler Approach
Priya, [39:11]
"We're business enablers. When they’re looking at a new solution... they're going to consult you."
By tailoring training to different audience segments and emphasizing the 'why' behind security measures, the guests advocate for a proactive and integrated approach to cultivating a security-conscious culture.
Dealing with Cybersecurity Tools Overload
Addressing the overwhelming number of cybersecurity tools available, the guests share strategies to manage and streamline tool usage effectively.
Mohsen's Strategy
Timestamp: [45:03]
"Making sense of the diverse number of tools... finding synergies and consolidating existing tools."
Avoiding Redundancy and Maximizing Utilization
Mohsen, [45:03]
"We only use two of the 10 features they have and the rest of it we just leave for who knows when."
Priya's Approach
Timestamp: [47:33]
"Making the best use of our existing in-house tools... understanding crown jewels and controlling failures."
John's Perspective
Timestamp: [49:41]
"Focus on making sure that you're secure rather than making sure that you've got the latest and greatest of all the new toys."
The emphasis lies in optimizing current toolsets, identifying essential functionalities, and resisting the temptation to continuously adopt new tools without assessing their true value and fit within existing systems.
Final Thoughts and Conclusion
As the episode draws to a close, the guests express their commitment to continuous learning, strategic thinking, and fostering a supportive team environment to navigate the ever-evolving cybersecurity landscape. Jim Love wraps up by highlighting the intention to explore AI's impact on cybersecurity in a future episode, acknowledging the depth and breadth of the topics discussed.
Notable Quotes
Priya Mali
[18:28]: "Our attack surface just exploded. So that is one top challenge."
John Pinard
[21:20]: "People don't think enough... it's such a small thing, but I have to tell you, it was the highlight of my week."
Mohsen
[34:31]: "We have to hire psychologists to actually come... put everything on the table and we have to be a little bit candid about each other."
Priya Mali
[39:11]: "When in doubt, they want to reach out to you."
Conclusion
This episode of "Cybersecurity Today" provides a comprehensive exploration of the intricate balance between technical prowess and human-centric leadership in the field of cybersecurity. Through the shared experiences and insights of John Pinard, Priya Mali, and Mohsen, listeners gain valuable perspectives on tackling contemporary challenges, fostering resilient teams, and building a proactive security culture within organizations.