The Audit

Cybersecurity Jobs, Breach Communication & The Infosec Landscape with Leah McLean

November 27, 2023 IT Audit Labs Season 1 Episode 31

In this episode of The Audit, Leah McLean shares her insights from over 10 years in cybersecurity and IT with companies like Cisco, and now Mastercard.  

We’ll cover: 

  • How to get a job in cybersecurity 
  • Navigating the ethical challenges of AI in Cybersecurity 
  • Work-life balance in cybersecurity jobs 
  • Perspectives on success for cybersecurity leadership 
  • Emerging infosec technologies 
  • Mental health for infosec professionals  

We navigate the shifting terrain of cybersecurity talent acquisition, stressing the need for aptitude and ongoing education. Leah delves into AI's role and ethical dilemmas in cybersecurity, provides tips for balancing work and life in remote contexts, and examines upcoming cybersecurity technologies. The discussion also highlights veterans' vital roles in cybersecurity, underscores the importance of mental health in stressful settings, and gives a sneak peek into future 'Elevate Exchange' podcast episodes on topics like AI and quantum computing. 

Speaker 1:

You are listening to The Audit, presented by IT Audit Labs. Today, we are joined by IT Audit Labs team member, Nick Mellum, to speak with our guest, Leah McLean. Leah represents a strong female lead in the cybersecurity world wearing many hats, notably as the vice president, cybersecurity specialist at MasterCard Data and Services and the co-founder and board advisor for the Whole Cyber Human Initiative. You are listening to The Audit. As usual, my name's Eric Brown and Nick Mellum from IT Audit Labs is with us today and joining us is Leah McLean, so thanks so much for being on, Leah. It's a pleasure to have you and really excited to talk to you about some of these topics today.

Speaker 2:

Thank you, Eric and Nick. Appreciate being part of this. Thank you.

Speaker 1:

Leah, you are in Texas and enjoying some of the nice Texas weather.

Speaker 2:

Yes.

Speaker 1:

And are there any security meetups that you're attending here this fall? I know we've got Wild West Hacking Fest coming up here. Are you planning on going to that? That's all the way up in South Dakota.

Speaker 2:

Yeah, I don't know if I'll be at that one, but we have quite a few in the Dallas-Fort Worth area that I try to make as many as I can. Awesome.

Speaker 1:

Well, Leah, do you want to just give us a little background on what it is you do day to day?

Speaker 2:

Sure. So I have been at MasterCard for just under two years now. I'm a vice president of cybersecurity specialist. I'm actually within a business unit, and part of that business unit is a cybersecurity practice that's fairly new newer, and so my day to day it's really never a dull moment. I am currently focused on helping to build out more capabilities in our cyber risk quantification approach, and there's just a lot of collaboration I do with different teams and business units to really, you know, understand where mutual goals are, where we can help each other create efficiencies, look for ways to improve how we work with customers and partners, and also the technologies that we're using across the board and where they can be leveraged. And then, of course, you know, monitoring the current threats globally, consistently and, lately, a lot of contract reviews and a lot of time with the legal team.

Speaker 3:

Well, we know the current risk landscape with now, Israel and the Palestinian issue. We were working, you know, closely with a lot of issues from the Ukraine-Russia conflict. Are you, are you noticing anything with the landscape because of these conflicts in the Middle East?

Speaker 2:

Yeah, I mean, I would say, when looking at overall the big risks out there, right, what I think is just going to unfortunately be more and more, and probably the bigger ones, are the geopolitical tensions and issues. Right, I mean, we're seeing it now again with Israel. I think we still see it with Ukraine-Russia and it's scary because now part of war is cyber warfare, right, and the political activists and you know they are they're taking down critical infrastructure and it's, yeah, it's like a whole new level right.

Speaker 1:

I think there was a book I think it's called the sixth domain, but it might be the fifth domain of warfare, and it talked about how cyber is that relatively new domain, but it the interesting thing about cyber is it brings in civilians and civilian companies and companies that have huge impacts to our overall cyber infrastructure. You look at companies like SpaceX, for instance, right, how that's been playing into the Ukraine conflict, and certainly the company you're at, MasterCard, right, which takes a huge number of credit cards, and a blip on the MasterCard side could have really large downstream impacts for organizations to pay their vendors to process credit cards. Of course. Do you approach security maybe differently than you did at other companies that maybe weren't at the forefront?

Speaker 2:

I would say yes, just in terms of from the other companies I've been at in my career. They've been on the vendor side in cybersecurity, so it has been pretty different to see, coming from you know, a cyber vendor company and what they're doing in security as well as even like the CISO role there. Sometimes it was more of an evangelist and then to an organization you know, a brand everybody knows financial services is considered critical infrastructure and just to see the breadth of the security that we have. And it's interesting because our cybersecurity team is responsible for both physical security as well. Oh, interesting. One thing I've definitely had to learn in my time here is that whole financial services ecosystem. So we are the card provider but then there's like all the, the ecosystem of players that do the processing, the, the banks, right, the merchants. So it's, it's, it's. Yeah, I didn't realize that until I worked here, but I think unless you're in in the sector, it's. It is complex, but it's interesting to see how it all works.

Speaker 1:

We've been on the other side of that, helping companies go through their PCI audits and now going from 3.2.1 to 4.0, it's certainly something that's, I believe, top of mind for a lot of the larger organizations that are going to have to do an ROC or an AOC to be compliant. And one of the things that we do is pen test as part of that, looking at the cardholder data. And some of the things Nick does is the social engineering on the physical side. So that's now that you have responsibility of both physical and the cyber piece. Do you do tests where you're trying to see if somebody can get in with a UPS uniform on and plug something into a network jack, and kind of that level of detail?

Speaker 2:

Yeah, I mean we definitely have a fair amount of testing. I can't speak broadly about you know much more. But yeah, we definitely do. We have all of our groups under our different security works, have quite a bit of testing that we're doing obviously.

Speaker 3:

Well, that's yeah, I love the social engineering aspect and you know, I think with the social engineering and the planet penetration testing and all the stuff that goes into protecting the organization that brings up the public relations portion as well, are you able to comment on how you navigate those waters when it can get a little bit tricky?

Speaker 2:

Good question. So I mean I'm not personally within that realm that our company and you know, so I can't really speak to that necessarily, but I mean I will definitely say that you know, we, we definitely are seeing more and more come out in the news, right, and I think it's just important to and I personally my background in my career, while it's always been in IT and security, it hasn't always been to where I am at today. So I actually started my career in PR and marketing, and so right there, by definition, right is how do we get the information out to the public that's factual and informative and backed up and supported by the data? So I think it's important for us to, you know, realize what we do see in the news. We hope it's all correct and accurate, but it's not always. It's less reactions in terms of, well, they didn't have this, they didn't have that, and then it takes to Twitter and it goes down a whole nother rat hole and in terms, and instead, what can we learn from that? Right, because no one is 100% safe. And so, instead of the blaming and pointing fingers, how can we actually just look at the facts, look at the data, understand what happened to one company, one team and how that you know, transfold it, and then also, what can we take away from that and where can we share with others, so that you know we're all going to be compromised at some point, but how can we minimize that and continue to educate each other? So I think that needs to be really the main focus and what we, I think we can learn when we do hear more and more of these incidences coming to the public.

Speaker 3:

So like spending more time on the offense versus the defense, being more reactionary? Yeah, absolutely, you said. One portion there that you said I kind of want to dive in on is you were in the public relations marketing, if I picked up on that correctly, and you branch to cybersecurity. Can you give us a little background on yourself, how you got there, what makes it tick and you know how you got to this point?

Speaker 2:

Yeah, so I mean, prior to living in Texas, I actually grew up in California, Silicon Valley, so I was surrounded by technology, right, sure. But yeah, my career path was definitely nontraditional. So I did start in PR and marketing, but I was always working for IT and networking companies and technology was really interesting to me. That was also that type of person that in order to fully understand the technology so I could write about it or position it in simple terms, I had to get my hands on the tech. So I'd go to the engineering teams and basically ask them to show me how it worked. Right, like, I understand the what, now let me see the how. And they loved it because they were always looking for more help and so they would teach me. And then, when I was at Cisco I was there for just over three years they acquired their first cybersecurity company, Sourcefire, and they had asked if I wanted to move to cyber. So I mean, at the time it was a little daunting but it was also fascinating to me, and so I said yes and I never looked back. And then I've kind of put my own skills I gained in PR and marketing to use.

Speaker 1:

As you were transitioning through that PR piece and moving in up through the management ranks and having responsibility for security across multiple domains, getting that awareness out not only to the staff but the larger organization and then the public, depending on the organization that you're with. Well, as we look at some of the recent attacks right, most attacks, if they're not nation state, then usually they're based from a financial perspective. The malicious actors are looking to do something to get money and we've seen a lot of ACH fraud recently. And going through that conversation to educate people and not necessarily place the blame within the organization, but try to raise that awareness up. Have you found strategies that have worked that have allowed organizations to talk about breaches when they happen? I've personally seen where something happens and then the compliance piece of the organization, the legal teams, come together, the insurance company comes, gets involved and then it's just mum's the word and it's really difficult to talk about what's happening and even to let your peers in other industries know what's going on so that they can protect themselves, because everyone's so worried about the downstream effects, legally, of protected information getting out. Can you comment at all about any successes that you've had in breaking down that stereotype and breaking down the ability to be able to communicate and share with others what's going on, so that everybody can be protected?

Speaker 2:

Yeah, I mean, I get it right. It's a company's brand reputation, IP, it's everything right. But at the same time, I think the more that we can educate people, even those other companies who are not cybersecurity focused or in a cyber role, the better right. And then we can make it personal to them and make it simple, right? I mean, we all own phones and devices and we probably are all getting all sorts of phishing scams and texts and emails. So when you can realize that personal lives, where we can be victims, are susceptible to that, I think they start to want to understand it more and then put more focus on how can they do their part in a company. But I also think the well, not just it's not necessarily that, I think, but I'm more confident now too that companies will come forward. I think we had an example was that last year with a big ride share company example that you know, let's look at who all does need to be at the table, right? You did mention several different people at a company. It's not just the CISO, right, and we can't point fingers and put blame. And, yes, it is a brand. But at the same time, we should all be of the understanding that, while we hope whatever company we're interacting with and putting data, providing our information to, we want to trust that they're secure, but we should also know that it's not 100%. So we to some degree have to take on us on the risk that we put right on ourselves by doing that, but then also we need to know about it and we need to inform them with the mandates and requirements in certain sectors and public companies and, like the SEC, mandates that's going to have to be publicly disclosed and I think that's good, because the last thing you want what was it, I would always say, with Watergate? Right, it's not the crime, it's the cover up, right.

Speaker 3:

Sure.

Speaker 2:

And I think that's a good point, because you need to know you have to take the measures then, for, like the post breach right and just the understanding that every company is susceptible, doesn't matter how strong your barriers and measures are, it could happen, and so be as prepared as you can and then have an entire strategy around the communication and so that's a piece of having that communication within your team and those others who are at the forefront of protecting the organization.

Speaker 1:

How do you bring in new talent to your team? How do you grow that younger talent to bring them in and make them aware of not just the analytics, that somebody might be starting out as a junior person doing analytical work and maybe not aware of the big picture of what's going on across the organization?

Speaker 2:

Yeah, I mean and that's actually kind of one of the reasons I started a not role with a group of folks. We started a nonprofit called the Whole Cyber Human Initiative and we started that because first week we were providing these services that were for free to veterans but also to non-veterans. So basically anyone that's looking to enter into a cyber security career, to have a starting point and with a design course that has a mix of the hands on practical skill sets and theory, and it's all free, because we saw people spending thousands of dollars on certifications, not getting interviews, let alone a cyber position in a cyber security role. So we go beyond just the technical skill sets and we work with them on how can they also really understand the business of a company right, what enables the business, how cyber security can contribute to that. You know, building relationships with cyber professionals, their interviewing skills, promoting themselves appropriately on LinkedIn and resumes, and I think, one thing that we also work. We work with companies who are open to changing the hiring process, and so I do think it's very important to take a look at, well, what's in your job description, is it realistic? As well as you're not going to find a unicorn right, they don't exist. So how can you look at the skill sets a person has but then know and each company is different but you do need to have some sort of level of training for your employees right and all levels and hopefully pathways right For their career.
And I think when you can have that sort of a model where you have a pathway for them to grow, you have the training and the skill sets that they need for their role and job and that's available and open to them and you support that and can help provide that right Even if it's you know it might be a cost to the company, but you know larger companies can partner with a lot of these training providers Then you are going to be make sure that your employees on your cybersecurity team just are more knowledgeable or more aware, have that understanding, and I think that's where it falls short. A lot is where they don't have access to that or there's not necessarily that mandate right that they need to go through that, because in cyber we always have to be learning, we always have to be upskilling. Like technology is changing super fast, the environments are right now everything's in the cloud, so that's really important to have in place and I think it can prevent, and I will always put an emphasis first on people taking care of our people right, people processes, technology.

Speaker 1:

What's the name of the organization that you mentioned that helps people enter that field or enter that workforce?

Speaker 3:

Yeah, Whole Cyber Human Initiative. Thank you. I think you were kind of touching on it. You know, Leah, just what, what, what when we're hiring cyber talent, is there one or two things that you're looking at specifically? You know we're. You're talking about the. You know a company, what a company needs to do for you know new hires and bringing in new talent. Is there something that you're looking for? You know, in that talent first, before they join?

Speaker 2:

Yeah, aptitude, a willingness to learn, motivation it's primarily those skill sets, right, if someone is putting in the work, right, they're doing on their own time, they're studying, they're maybe they are getting a certification, but they're always consistently upskilling, learning and asking questions. They're motivated, they're driven and they have the desire and the passion. Yes, I will. I would personally take them and train them and give them on the job training. I mean anyone can learn if they have that in them. I'm an example, right, I didn't start off with my career path in transition. It's possible. So those are the type of skill sets I look for. I mean, in addition to, yes, you do have to have certain skills with certain roles, but at the same time, people can be taught.

Speaker 3:

So it's not right now so important to only have the bachelor's degree or master's degree. Having the certs and the willingness just to learn and get in the trenches and do the work Can be equally as important. That's awesome to hear.

Speaker 1:

Leah, what's your thought on the intersection of AI and cyber? And, just to set the stage, you've been on the vendor side before. You've worked at A10, you've worked at Cisco, a couple other places where you're selling to professionals now such as yourself. So now, being in the buyer's seat, lots of vendors have the magic AI bullet, so to speak, and I think every day there's new dozens of solutions, quote unquote, that are AI driven, that can really solve your security problems anything from an AI pen test to AI tools that will look at your SIEM and tell you all the things that are going on. Where do you see that intersection, really see that intersection of AI and cyber, and where do you think that's going?

Speaker 2:

Oh, it's definitely here and coming and we'll continue to right. How did I know that we wouldn't get to be on this conversation without addressing it? Now, I mean, look, there's so many great things that AI can do right and can help us overall in our jobs. But I mean, like everything, we also have to understand the risks, right. And then you know, is there policy in place? Are there guardrails? What does that look like? What's the plan? Does everyone in the company understand that? How is it being used? It's like with any new convergence, right, like cloud, remember that seems so long ago. Yeah, it's still needed some companies. So it is a good thing, but it's also like all good things, they also have their risks. So, you know, it'll be interesting to see where it goes in the future and I think it's it's important to really understand the benefits you can get from it. But then, what do you need to put in to protect right? And also, what does it mean when a company says AI, because everyone says AI, what does that mean?

Speaker 1:

Do you have any favorite AI tools that you're looking at?

Speaker 2:

Well, I'm more focused on ChatGPT right now.

Speaker 1:

That's a good one.

Speaker 2:

Well, I do. I really do like to. I will be a little bit. Well, I'll mention one company, but I should preface I am on their board of advisors. It's a startup called Cloud Defense. So they are, they just added some AI capability to their data security solution in the cloud, leveraging LLMs, and basically can help detect those language models. And that's about all I could say on it, because they're still a startup, but they have some pretty cool stuff that they're working on, so it'll be exciting to see where they go in the future with the AI piece and you mentioned ChatGPT.

Speaker 1:

If you haven't played around with the paid version yet the the fordado or the paid version you can now add plugins to it, so I haven't run the paid one yet. I saw a plugin the other day that looked across tens of thousands of peer-reviewed scientific papers. So the explosion of the content, the third party content, that now these tools not just ChatGPT, but others have access to, is really quite interesting. And I wonder at some point if not right around the corner we're going to be having conversations not only about the ethics of AI and data, but also really understanding what is truth as we look at and go beyond just the visual media of deepfakes now into the audio and video components of deepfakes. It kind of starts to question what is reality. Because you could, you could take an organization that curates a lot of content and then feeds that content which may or may not be true into an AI engine that then the user who is maybe looking for information, and the AI picks up that maybe untrue information. Now you have a distorted sense of reality that is controlled by another entity. So that's, I think, right around the corner for us as cyber professionals. But you know, I'm still trying to read and learn and stay on top of what's going on. If you have any insights or guidance, I'd love to hear it.

Speaker 2:

I mean it is definitely moving fast, but I do think you're right about the ethics, right, and I think again, like those guardrails, that we need to, especially when you think about who's the person using it. Right, because, like to your point, I mean right now some of the emails we're getting, the phishing emails, they're harder to tell. Right, because now the spelling is a little bit better, it looks like so. I mean it's scary, but you know that person on the other end, right Again, are they trained and knowledgeable enough to know like what, if they look something up and it's about some port right or configuration, and then they accidentally release and then the code goes out there in the wild and you're in a company that's forbidden, right, and so you just broke policy. But so the things like that we really have to be careful of, and I think you know it does need to have a little bit of scrutiny at a company level. That's my view. I know some others are a little more lax, but everyone's open, you know, has their right to their opinions, but it's, it is scary at the same time. As much as it's fascinating can be useful, can be helpful. It's scary, it's just you. What do you believe anymore?

Speaker 1:

Right, it really is and as we talk about this, right, this is kind of the bleeding edge of cybersecurity and information security, and then, on the other end, we have organizations that have trouble just keeping up with the current level of patching. So Nick and I were just talking about this the other day as we were working with an organization, that the date has come and gone when 2012 is end of life and end of extended support. Right, yeah, the environment still has 2012 in it, and it's well. Why is that? Well, there's these dependencies and I mean you can, you could just get a list of excuses, right, and sometimes that you know, as the, as the CISO, you just hear a ton of excuses about things that you, the dog, ate my homework. The excuses you hear about why that particular server is still in the environment are are pretty interesting and could fill volumes of books. But it's the dichotomy between we can't even stay on top of something that we knew about for eight years was going to be end of life, and now we have new AI threats that are that are emerging right now. It's just the level of those two. Things are at opposite ends and sometimes difficult to deal with and pivot the organization to be mindful.

Speaker 2:

Yeah, it's. It's hard to see, right, those of us in security, especially when you see some companies and some of them are smaller that they didn't even have a head of security, let alone you know their person responsible for it. We didn't know much about security and they get breached and all of a sudden you know, I mean, and you just, I hope we see a day come where that is less and less and people realize they have to, you know, act now, not post-breach, ideally right until you're in the news, and then it matters. But you want to. I want it to go the other way.

Speaker 1:

Never waste a good breach.

Speaker 2:

Right.

Speaker 1:

This adds to the overall stress of the job and Nick and I were just talking about this too, where and Nick you know, maybe you're best on this one because of your military background and that crossover.

Speaker 3:

Yeah, Leah, our part of our conversation was well, burnout, stress of the job, and you know you don't have to be a military member to have stress or PTSD or something of the nature. Right, it's relative to your industry, what you're used to, it's relative to the person, and you know I think we can digress in the military portion, although I have had that experience you know what we're seeing all these new tools, these new threats around the world, whether it's the Middle East, Russia, whatever has it, something on our front doorstep here in America, wherever you are, there's a stressor and I think you know, as a leader in the industry, is there a specific way that you're maybe navigating that stress for your junior employees, people coming into the industry, is there some way that you're assisting them navigating those waters? Maybe the listeners could really be gaining some knowledge from you on that portion.

Speaker 2:

Yeah, that's a good topic and point and, interestingly enough, Nick, a lot of veterans I know, yeah they, they actually helped me remain calm. Okay, I think they kind of overcome so much stress and learn how to deal with it better, right? And obviously, when you're in a room and there's a bunch of people stressing, there's the calm person you kind of want to gravitate to them. Right? And personally, in my personal life, I've struggled with stress and anxiety, but you know, I had to learn how to figure that out, like if there's a lot of tools out there, things that we can do, you know diet, sleep, exercise, breathing techniques there's an app for all of that now too, by the way, right. Absolutely. You know, for me, I just I just always remember I think it was actually one of my colleagues from my Cisco days would say you know, we are not doctors saving lives, and sometimes it feels like that. But when you look at the worst case scenario, what are the things that could happen? And if you, I think you start there and then you break it down and say, but is that really that bad? No, and it could be fixed right, and then you walk it back. I think that helps. But the number one thing is, I think, teaching them that the worst case scenario can be fixed. Remaining calm will help with the overall thinking and the problem solving. And you know, take the vacation. You have vacation time. Take the time. Don't burn out, don't overwork. We all will do it to ourselves at some point in time. But choose the healthier alternative and try to do that because it will help with the overall stress. Like I work out every day, it doesn't matter of app to wake up at 4am to get my workout in. I do it, but that helps me throughout the day to maintain a more calm demeanor. So I think we just need to pass those you know tools and tricks on to people and emphasize that you know things will happen and they can be bad.
But the worst case scenario if you really break it down is that so bad after all? It might seem like it in that point in time, but if it can be fixed it's not that bad and then change the mental state right absolutely.

Speaker 3:

Yeah, you really got to find that purge valve right, like you're saying every morning or wherever it is when you're. Every time you're finding that stress relief in a workout. That's huge, it's so important. You know we did that. Obviously in the military we're paid to work out, you know, and staying good shape right. So, and kind of one of your points, one of my senior leaders you know further back was he would out if something was going wrong. He would just ask me and look me right in the eye and say is anybody dying? Right, no, right, we're safe, everybody's fine, you know, does it hurt right now? Yes, it's painful right now this mistake that was made, but you also touched on it. We can fix that mistake and we can learn from that mistake and hopefully we don't make it again, right? So turning into a teachable moment and teaching junior, you know, IT staff to unpack their pack, right, let's have that conversation. So communication, I think, is so big and you know, maybe earlier on people weren't willing to have those conversations or it was, you couldn't talk uphill to senior leaders. So I think opening that door now we're seeing that more often, that they're having those conversations is huge and I think that's a little bit of a stress relief, you know. And as far as training, going to just making, making us better, making that tip of the spear, because we're training that now, right, we've seen that kind of gap in the industry and now the, the ones that we're training and you know we're training me are now leaders. So that's really interesting to see. But the stress is, I think I think what people are seeing is they're carrying that stress home because they're worried about the landscape right now. You know, what didn't I do today, that might impact us tomorrow, and that's more of the worry of the burnout.
So that's what led me to your, to your question, and you know, when I'm thinking about it myself, I compare it to the military, because that's what I know and when we're looking at. I think that we have to be okay with what we're doing, right, with the work we're doing it's good enough, right and learn how to unpack that pack, ask the questions and continue to learn. I could go on with this, you know, forever, because it's something I always think about and somebody I had the opportunity to pass it along myself and that was my advice as well, Pat, you know, pay it forward and I was able to ask somebody this is years ago now, you know, is anybody dying? And yeah, there was no, and and we moved on from it and so, yeah, I don't know if you, if you guys, have any other thoughts on the stress, but I think that's the biggest uphill battle right now. Is the landscape, the AI coming in. It's all stressful and that is probably the biggest area to navigate. Is not only the tech and technology coming in teaching, you know juniors, you know technology, but navigating their day to day and how that looks. And maybe, Leah, this is a good portion. You know we've kind of been talking about all these different tools. You know, what does your day to day look like?

Speaker 2:

you know, for you yeah, well, one thing you mentioned they wanted to keep talk or touch on is the perspective, right. So I remember, and I think, that perspective, passing it on to people so that they can try to switch their mental state from stress realizing, oh, not so bad. I had a manager once he grew up in India and he said, look, you know where you walk. Do you have to watch for landmines? Like no, you know. Or where you have to, like if you're, if you have a prescription for some medication you have to take, can you just go to Walgreens and get it? Yes, you don't have to be like three months without it, right, because there's a shortage or whatever. And I think that perspective, it just makes you think about there are worst cases, it's a case scenarios out there. And then look at, you know what you're in and how it can be, you know not as bad, right, and and you have to do those mental tricks. And it is important to pass on to people because I've definitely seen some people stressed out to the point where it's like that it's not worth it, right, it's not your mental health and thankfully, companies now I think a lot more, at least compared to when I started my career, where you didn't even talk about mental health in the workforce are addressing it and, you know, are putting things in a place that can help with that, like MasterCard we do. We try to do like every couple months, meeting free days, right, and things that just help and resources. So it's good, but I'm I'm more focused lately on helping to build out some capabilities for one of our approaches for cyber risk, and you know there is a lot of collaboration that has to be done with different teams, not just IT and security, but the business teams, the sales people, all sort of different folks. And I think that's really important because I remember, as I was transitioning in my career, I was always getting stuck on. I didn't. 
I didn't come from a background of like engineering and deep tech, right, and I do think more and more now we see leaders in cyber. They need to be much more business focused, right and looking at how do you enable the business and and have a conversation and narrative where it's understandable and relatable to an executive team, and I'm hopeful that that will continue because I think I hope it then breaks down the barriers and makes it easier for people to get into cybersecurity because of that.

Speaker 1:

Going back to the stress piece, to me it seems like there's a line in the sand right around the pandemic. Right, we were kind of working up and then we went on this cliff with the pandemic and we opened up this whole new work from home concept. Not that we couldn't work from home before, but organizations were very resistant to some organizations were very resistant to employees working remotely, didn't feel that they could get the job done not being in the office, and we saw a lot of resistance in some industries and of course there's industries where remote work just isn't possible. So when you look at the work from home piece and the component of bringing work home and the stress associated with not being able to leave things at the office going from, you know if you're fortunate enough to have a large enough living space where you can have a separate office in your house rather than working at the kitchen table. Your job is just intermixed with your daily life and having that separation you don't even have the car ride home or the mass transit ride home to decompress before you get in the house. So any thoughts on that Leah or Nick around, maybe tips or tricks of what you've found successful with yourselves or your teams as to make that transition when you're still in the same physical space.

Speaker 2:

I mean I am fortunate because I have a home office so I can shut the doors, you know, close the laptops and shut the computers down. And then I think it's just, we have to have a lot more discipline now, for in that scenario, in terms of, okay, it's six o'clock or whatever, shut it down, leave right. And I guess, if you don't have a home office and you have to work in the kitchen table or whatever, remove it and then just try to, you know, replace the thought with something else that's not work related. But you're right, I think it's really hard with that. I mean, I was always in an office until the pandemic and now, gosh, it's been like nearly three years. I've been working remote and part of me. I'm actually going to our headquarters next week. I'm like excited to be in an office for a couple of days, not gonna lie. But I try to really be diligent about not mixing it right and it's harder, but you have to do it, you have to absolutely do it.

Speaker 3:

Yeah, I think I'll jump in there too and throw my hat in the ring. I think we're all guilty of grabbing the laptop at 10pm sending that email. You know we see there's times that that's appropriate right and we have to do it, you know. But being able to cut that off I think is important. But creating the routine, you know, for me I've been working for a while now and very lucky to have that opportunity. But when I say creating the routine, you know in the morning you put on the podcast for half an hour, listen to radio station. You know I mentioned before you know we started recording that I grew up in Minneapolis. I live in Texas now. One of my favorite radio stations, KFAN, the Morning Show. I still put that on an iHeartRadio on my phone. I might listen to it for 15 or 20 minutes in the morning. If I don't have a meeting very early I'll put that on and listen to it and that, you know, kind of gets me into the day right. And then we so I still had that routine of driving in a vehicle, you know where you would listen to a podcast or radio station or call family member. So I think that's a little tidbit but that I think has helped me create some sort of normalcy and then you know, when you're done for the day, try to actually, you know, shut the laptop screen and go go about your day. So it sounds really simple, but I think if you're not actually having, you know, a commute, create that environment somehow and I think that does really help people separate you know the work from home piece, because and Eric, that is huge, I think we're. That's probably a lot of the stress, right is just not being able to separate the two. So real interesting topic Could write a book on it. Hold on to our episode on it. Yeah, about that.

Speaker 1:

And Leah, what are some of the things that you're planning on your podcast, your upcoming episodes? What are some of the things that you're thinking of talking about?

Speaker 2:

So it has been a wide mix. So I'm actually now hosting a podcast that's affiliated with an IT cyber leadership group called Elevate Exchange. They have chapters in Dallas and Houston, and so I was lucky enough to be asked to be the chair for this year and then, as part of that, host for their podcast. But the nice thing about that for me, anyways, is I will talk to a range, not just CISOs, not just those in cyber right CIO CTOs and they you know I always ask what topics they want to cover, and it does range. It goes from AI to quantum computing to, you know, you name it, and there are definitely some areas that I don't know as in depth as they do. But it gives me that opportunity to do some research, learn what I can, enough to be conversational about it, which I love, right, because, like I need to get deeper in AI, I'm definitely not as deep as I'd like to be and, you know, I think we all need to do that to some degree. So it's a good range of conversations. We talk a lot, too, about what makes a good business leader. It's just a wide range. It's fun. I like getting to know different personalities and the different folks in those different roles.

Speaker 1:

And how often do the podcasts come out?

Speaker 2:

So we try to do it more frequently, at least once every couple of weeks or so, but it just depends on I guess it's more of a it's not necessarily a paid membership group, right? So you know you're working with volunteers and trying to get everyone's schedules and times for the recordings.

Speaker 3:

It depends on the current risk landscape.

Speaker 2:

Everyone's availability, stressful. Right, exactly.

Speaker 1:

We just did one on storage and the future of storage, and the person that was on, Bill Harris, talked about different architectures, like using DNA storage and crystalline storage, and it's you know as you think about. Well, what's next, what's coming in the future? We could very easily be sitting on a podcast like this 20 years from now and DNA storage is a real thing, which is just kind of mind blowing.

Speaker 2:

Yeah, Eric, it's funny that you mentioned that about storage, because when your name was mentioned as part of the company and being a co-host on this podcast, it's the same name as this guy who worked at NetApp member, NetApp storage company. I feel like I'm dating myself. So his name was Eric Brown and he was like their head of communications and for a minute I'm like I had to look you up on LinkedIn. I'm like is it the same one? And he transitioned into cyber.

Speaker 1:

I have worked with NetApp in the past, but never worked for NetApp.

Speaker 2:

Yeah.

Speaker 1:

Are you playing any pickleball, Leah?

Speaker 2:

I am not no.

Speaker 1:

I have to ask because I just started playing and it's a lot of fun.

Speaker 3:

If you haven't tried it yet. What's that, Nick? It's like the newest rage now.

Speaker 2:

It is actually. Yes, it is, I mean some of the news around here offer it now.

Speaker 1:

It's a good way to meet people and relieve stress. At the same time, there's a CXO, CIO, CISOs, CFOs, whatever. Meet up here in the Twin Cities. That gets together and plays pickleball. I'm trying to get myself on the invite list, but I haven't made it yet.

Speaker 2:

You've got to get on that list.

Speaker 3:

I think that's a good portion too. Eric, that you're bringing up is like the pickleball thing to relieve stress for any leaders listening and get your team out to do an activity. It could be a board game or a go play pickleball. Do something like that. That's not doesn't have to be work related. Team building, I think, something that's really overlooked. Don't just do the pizza party in the office, meet somebody at a brewery and play games or a pickleball, as Eric brought up. But so many good things you could go do, I think Eric and I and the team. Last time I was in Minneapolis we did axe throwing.

Speaker 2:

I had some great conversation.

Speaker 3:

You can conversate about cybersecurity, but that team building portion, stress relief, throwing an axe, you might leave there a little less stressed.

Speaker 2:

The first time I did axe throwing was when I came to Dallas, and it was for a team building event.

Speaker 3:

It was a lot of fun. It was very fun.

Speaker 1:

That's a fun one. The axe throwing place that we went to also served beer, so that was kind of interesting. It didn't want you to wear open-toed shoes, but you could drink beer, no Crocs, but all the beer you can drink. We did an escape room before too, which was fun. That is a good one. You got to come up. You got to come up to Minnesota. I'll check it out.

Speaker 2:

I'll be 48 degrees.

Speaker 3:

Now that I know Leah's so close to there Nick's Henderson meetup I'm going to have to link up and with you in person, Leah. That'd be really fun.

Speaker 2:

It'd be fun. Yeah, let me know. I'll let you know if I'm down in Houston ever.

Speaker 3:

Please do yeah.

Speaker 1:

Thanks for joining us today, Leah. We've had a lot of good topics that we've covered. We were able to dive in on a couple and scratch the surface on others, but that just means more conversation down the road. Thanks again for coming on and talking to us and talking about the whole Cyber Human Initiative. We'll definitely link to that in our show notes. But that's a place for folks to go who are looking to join or looking to have a cyber career and it's a place for them to get started, get some education, network a little bit and find their pathway into either an internship or a role in an organization as a cyber professional.

Speaker 2:

Thank you, guys. This was a lot of fun, good conversation.

Speaker 1:

In the current technology landscape, managing risk, among other operations, can be incredibly challenging. Let IT Audit Labs experts provide a detailed, thorough examination and preparation for your upcoming audit. Contact us to learn more. Thanks to our producer, Joshua J Schmidt, and our audio video editor, Cameron Troy Hill. Please subscribe to be sure you don't miss our upcoming episodes. The Audit is available wherever you source your podcasts. Thanks for listening.
