Working in manufacturing security: Top challenges and career advice

Chris Sienko: 0:00

Okay, today on Cyber Work, I talk with AT&T Cyber Security's Head of Evangelism, teresa Lanowitz. Now Teresa has an amazing and wide-ranging career set of achievements from her time with analyst firms like Gartner and Voke, her work on Java's JBuilder environment, and strategic marketing for the Gini project, which, this blew my mind, was a proto-IoT going back to the late 90s With all these incredible stories. We talked far and wide about the problems of manufacturing security. Right now, she breaks down some key pain points around edge computing and talks extensively about her love of both the English language and programming languages of all sorts. They all have grammar and they all have style, and if you're a linguist or a lover of learning new languages, it might be possible that computer languages are an opportunity you hadn't pursued. All that and a ton more. Seriously, I could have talked to Teresa for hours on today's new episode of Cyber Work.

Chris Sienko: 0:54

Hello and welcome to today's episode of Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, teresa Lanowitz, is currently the head of evangelism at AT&T Cybersecurity. Before joining AT&T, teresa was an industry analyst with boutique analyst firms Voke and Gartner. While at Gartner, teresa spearheaded the application quality ecosystem, championed application security technology and created the successful Application Development Conference. As a product manager at Borland International Software, teresa launched the iconic Java integrated development environment, jbuilder. While at Sun Microsystems, teresa led strategic marketing for the Genie project, a precursor to IoT. Teresa's professional career began with McDonnell Douglas, where she was a software developer on the C-17 military transport plane. That is a massive set of accomplishments and I look forward to hearing about all of them. So, teresa, welcome to CyberWork. Thanks for joining me today.

Theresa Lanowitz: 1:59

Hi, chris, thanks so much. It's great to be here with you.

Chris Sienko: 2:02

Yeah, the pleasure's all mine, so I'm forward to this. So, teresa, to help our listeners get a better sense of your background and your connection in the field I mean, the bio speaks for itself in terms of your long-term accomplishments, but can you tell us about your early interests in computer and tech and security? Was there something that initially drew you, that excited you, and once it, what? Where did you go to learn more about computers?

Theresa Lanowitz: 2:27

So for as long as I can remember I loved math and you know most parents would be thankful that their kids love math. Right, so I loved math. I love science, whether it is nature, biology, experimenting, and of course I had a chemistry set growing up. I also loved language, anything having to do with language Writing, understanding different languages, understanding grammar structures, that sort of thing. Those three things math, science and language really propelled me to have a continuing and ongoing interest in science.

Theresa Lanowitz: 3:02

I was the kid who I went to science fair. I loved going to science fair. I wanted. I went to spelling bees. I love spelling bees, won them, did writing competitions, math competitions. And then when I was introduced to my first computer, first programming, when I was gosh probably about a freshman in high school, and I understood that you can make this computer do anything you want. You can build games, you can make it format a report that you're writing, you can make this computer do anything you want by the language you are working with. I thought that was just the greatest thing in the world and that propelled my interest and my continuing and ongoing love and curiosity for all things technical, all things science related and, of course, all things language related. So it was a perfect storm of those three things coming together with being able to program a computer.

Chris Sienko: 3:52

Yeah, I think that's probably the most well-rounded set of interests that we've heard. Yet it's very rare to hear someone on the show, you know. I mean I know that there's a lot of well-spoken folks and whatever, but to say like I love language, I love writing, you know like those are such important things in this industry and we don't hear it as often. So, knowing like with me that you know there, when you were first learning about computers, there probably wasn't, you know, an internet as we know it now in terms to learn. So where where did you sort of learn about all these sort of programming languages? Were you getting books from the library? Were there like community college classes you were taking? Were you just breaking things and putting them back together?

Theresa Lanowitz: 4:34

So my high school was exceptionally I would say exceptionally different. They really catered to your interest and my interest was in math, science, language and then of course, computer programming once I discovered it. So I learned a lot in high school and then I went on to college at the University of Pittsburgh and I studied computer science there. So once I got there, I mean there was a whole host of languages. So everything from Fortran I don't know that anybody even remembers Fortran any longer but Fortran, learning how to program at the assembly level, pascal, learning about recursion in Pascal, being able to say, ok, I'm going to be able to create a game now, a really good game, because I understand recursion. Other languages that followed on and that love of language that I had, from just my English language and other languages that I like to study, really led to me to say yes, computer science and understanding these different languages is something that's critically important.

Theresa Lanowitz: 5:34

As I move forward and then, of course, as my career evolved, looking at the different types of languages, I was early on in Java with JBuilder at Borland. That was something new, that was something different. So many of the problems that we had had in the past from a computer science perspective. Java cleared all of those things away. And then, of course, looking at some of the scripting languages that came because of that. So things such as JavaScript, ecmascript developed from sort of the D-based construct and so on, know ECMAScript developed from sort of the D-based construct, and so on. So language was a big part of my evolving career, my interest in how I got to where I am today.

Chris Sienko: 6:12

I want to talk a little bit more about that. I have other questions, but I'm very curious about that because you know we're always sort of trying to find ways into cybersecurity for people who don't. Who weren't, you know, tech-focused from childhood or whatever, and can you talk a little bit about the way that your love of the English language and language structure and stuff and how that influenced your ability to sort of absorb these programming languages? Were there certain commonalities in like English grammar and programming grammar that you were able to see, and do you think that still applies to sort of current programming languages?

Theresa Lanowitz: 6:51

Oh, it's extremely applicable.

Theresa Lanowitz: 6:52

If you understand English grammar. If you understand the grammar of the language, your native language, you can learn other languages far more easily, whether they are spoken languages or computer languages. So understanding that language brings about that idea of logic, and so, of course, when you're programming, when you're doing software development, there's the idea of logic that comes along with it as well. So logic, language, everything all fits together to make a well-rounded person who can understand what's going on with the technology, understand what's going on with the language, understand what you want to do with the language, whether that is in the spoken form, written form, or whether we're communicating bits and bytes with a computer.

Chris Sienko: 7:35

Yeah, yeah, you know I've had those moments of you know brain explosion in the past where people have said that you know, like child psychiatrist was a really good computer forensics person, because they were able to sort of understand things happening on you know hundreds of thousands of text messages between you know, you know victim and and her you know whatever. And and it's always interesting to hear these, these entry points, because I think maybe if someone is, uh, you know, polyglot, you like knows a lot of languages, that they might not necessarily think oh well, that would translate really well to learning applications, you know programming language or anything like that. So I think that's a really cool insight that we have not heard on the show before. So thank you for pointing that out and making that.

Theresa Lanowitz: 8:18

Oh, thank you. Anytime I can talk about grammar, as it's related to technology, I'm thrilled, so thank you.

Chris Sienko: 8:24

Just as a quick aside, can you talk about grammar as it's related to technology? I'm thrilled, so, thank you. Just as a quick aside, can you talk about sort of the modern programming languages and how they do? Like you said that they've definitely solved some issues that you had, you know, in the days like Fortran and so forth. But, like, what are your thoughts on? Like, maybe some of the things that old school programming languages that don't get used as much? Is there anything that's lost in that that you wish would come back? Or are you more happy with the sort of frameworks that we have now?

Theresa Lanowitz: 8:51

I think we've evolved quite nicely. Not everybody needs to program at that bare metal level and move forward, because so much has changed. The language structure has changed, the way we're able to develop software has changed, the speed with which we're able to get software out has changed as well. And if you think about software and the software that you're developing, software only has to do three things, and this is a very interesting point when you think about software and what it has to do. It has to work, so it has to be functional. It has to be performant, so that somebody's not going to abandon it because they're not getting what they want when they want that sort of thing. And software also has to be secure. You're not going to want to use software that is going to compromise your security, your safety, in any way possible. So those three things, from a software development perspective, are extremely critical to what you're going to do, and people tend to think of them from a functional working to non-functional types of requirements.

Theresa Lanowitz: 9:52

Performance security tend to be those non-functional types of requirements that are so, so important as we move forward. And I would say, you know, probably 20 years ago or so the idea of performance wasn't something that was top of mind and we've seen now. As you know, probably 20 years ago or so, the idea of performance wasn't something that was top of mind, and we've seen now. As you know, we can all remember back to the year 2000, 2001 or so, when internet shopping for the holidays the first time there was a critical mass of people doing internet shopping we saw so many outages around the holidays, and that's when performance became top of mind, because we've now gone to these web type of applications that we can't control inside of our own data centers and performance now became something that was critical and had to be instrumented and engineered into the applications that we were creating and using. And then the idea of security.

Theresa Lanowitz: 10:43

Security started to come about the moment compute became democratized. So the moment computing came out of the four walls of the data center and went to that idea of client-server connected through local area networks, you started to see the ability to hack. So we saw in the beginning, with client-server, maybe more of the adversary become more determined and the adversary being now focused on monetary gain, financial gain. Maybe it's some sort of street credibility that they want, maybe it's the disruption of an entire nation. So the adversary has become far more targeted in what they want to do and far more aware of what's going on, and they know that they're able to use it to their advantage to the crime businesses that they're running.

Chris Sienko: 11:55

For sure. Yeah, and I was going to ask you a question, but I think this even you almost kind of answered it here but in terms of the way that people speak and use language, that if you're really good at it you can have a certain sort of flair or your own style to it, and I was going to ask if people sort of program, if programming allows you to sort of you know, have these kind of you know like, do people program the same language differently with like different inflections and things like that?

Theresa Lanowitz: 12:22

I would say yes, you can look at somebody's source code and say, oh, that was developer A or that was developer B.

Theresa Lanowitz: 12:29

There is some personality to it, how they do things, some of the tricks that they like to use, some of the shortcuts that they like to use. So you can see that signature. And that's one of the things with the cyber adversaries is when they're trying to determine which group, which cyber group, for example, is responsible for this. You'll hear news articles mention the signatures that they were using. They'll say you know, the signature can point to this nation state group, or the signature can point to this sort of ransomware group. So, understanding just the way and it's also true with us as well we speak in a different cadence, we speak with different inflections, we tend to use the same words frequently, so it's very, very similar.

Chris Sienko: 13:10

Yeah, that's amazing. Like I said, the show is all about getting newcomers into cybersecurity, and I think that's a really interesting angle that we haven't really talked about before in terms of getting people excited who might feel that the bar is set too high for them or whatever. Like, if you know languages, if you really have a flair for language, like you're going to pick this up faster if you know languages, you can understand and recognize patterns too.

Theresa Lanowitz: 13:35

pattern recognition is a big thing, yeah, and you want people with different backgrounds who have done different types of things, because not all adversaries are created, because not all adversaries are created equal.

Chris Sienko: 13:46

Not all adversaries are going after the same thing, so this idea of and they're not playing by the same rules either right, right.

Chris Sienko: 13:52

It's not like they're just like running up to the front door and hitting it with a hammer or something like that. They're going to find new and unusual ways in you that you have to be watching for. Yeah, so, yeah. So, teresa, I wanted to sort of move from your initial interests here to your career now. Obviously, it's fascinating and varied and incredibly accomplished, but includes everything from product managing and product marketing and app security to time as a Gartner analyst and your current work as a cybersecurity evangelist. So can you talk about some of your career high points or pivot points, things that you're especially proud of, that helped you start from where you started and got you to where you are now?

Theresa Lanowitz: 14:33

That is a huge question and I think if you look at my career first working as a software developer right out of college with McDonnell Douglas on the C-17 program, that C-17 military transport that was an incredible entree into corporate life but also an incredible entree into a lot of the problems that we were solving then are still some of the same problems that we're solving now. So working on the C-17 was just it was. It was incredible and it's it's interesting. One of the younger people on our AT&T cybersecurity team when he found out that I worked on the C-17, he was just fascinated and he's early in his career and it's not too often that you have somebody who says, oh, a cargo plane, a transport plane, is something that I'm extremely interested in. So he and I always have great conversations and talk about sort of what that plane can do, some of the capabilities of that plane. But I would say some of the other career highlights certainly working for Taligent, which was the Apple, ibm, hp consortium, where we were trying to create one unified application environment, the idea before Java of write once run anywhere.

Theresa Lanowitz: 15:47

And then also working for Sun Microsystems on the Genie project, and Genie was this. It started out as a Skunkworks project at Sun Microsystems, and what we were trying to create was at the time we were calling it a personal area network, so the idea that you could enter an environment, a physical environment, and take advantage of the compute that was in that environment. So you could enter your car and have your car be connected to some personal device that you might be carrying. You could enter into your home, into your kitchen, and say I want to make dinner with the contents of my refrigerator and have recipes downloaded from the Internet to your oven, for example. And this was back in the Genie project was back in 1998, 1999. So this idea of connectivity was just starting to come to fruition.

Theresa Lanowitz: 16:42

And then, of course, working on a lot of the Borland products that I worked on Paradox for Windows, which was early on, and complete paradigm change in terms of how developers were interacting with that, and then, of course, borland J Builder as well. So those are some of the high points really were. They were about new technologies coming into the market at a particular point in time when the market really wanted to grasp that new technology and move forward with that new technology. So those are some of the highlights that I can think of.

Chris Sienko: 17:20

Yeah, those are all great. Now I want to talk about your current role, because I think, as with a lot of the C-suite positions, the role of evangelist at a company can mean something completely different from company to company to company. So I wonder if you could sort of talk me through an average day in your current role as head of cybersecurity evangelism at AT&T Cybersecurity. Are there certain responsibilities or sets of roles that you're doing every week and current tasks, or is it completely different from day to day?

Theresa Lanowitz: 17:50

I'm so glad you brought that up, that the idea of evangelist changes from company to company.

Chris Sienko: 17:56

And.

Theresa Lanowitz: 17:56

I am so fortunate at AT&T cybersecurity because this role is far more encompassing than what you might find in a traditional analyst role. So, as part of this evangelism role, what I do is I lead our thought leadership program. So we create thought leadership. We have thought leadership products that we publish once a year and then we have derivative works that we create from those. As an evangelist, what I do is I go out and I speak about that thought leadership to get the message out to the market.

Theresa Lanowitz: 18:26

I do a lot of internal work as well, evangelizing that idea of thought leadership about what's coming next. And what's coming next is really the one to three year horizon. It's not let's look in the crystal ball and see what we're going to be doing 40, 50 years from now. It's let's get organizations prepared for what is coming in the next. You know it's let's get organizations prepared for what is coming in the next. You know a foreseeable timeframe 12 to 36 months or so.

Theresa Lanowitz: 18:51

And also, as head of evangelism, I'm very fortunate I get to do so much work with on the PR and social side. So a lot again, a lot of the communications going back to some of those things that I love. So working with our PR team, doing press media interviews, like we're doing here now, and also working on the messaging again from a language perspective, being able to pull in the top level messaging of what AT&T cybersecurity is all about, who we are, why somebody would want to engage with AT&T cybersecurity, what our unique value proposition is, and so on. So those are some of the things that are really encompassed in what I'm doing today as head of evangelism at AT&T cybersecurity.

Chris Sienko: 19:36

Okay, yeah, now can you talk about what you're sort of? Where are you locked in in terms of the company? I guess who in AT&T cybersecurity are you evangelizing to? And you mentioned, you know, the PR department. You're working with sort of media and messaging and so forth, but, like when you said you're evangelizing the idea of certain near future technologies and so forth, who's like what parts of the company? Are you specifically doing that? Or is it sort of like dispatch from Teresa? Here's what's going. Parts of the company are you specifically doing that? Or is it sort of like dispatch from Teresa? Here's what's going on in the world.

Theresa Lanowitz: 20:11

So there are two components to that. The first is internal and I'll take internal first and then the second is external. So internally, at&t is a big company, as I think everybody knows, and AT&T cybersecurity. Internally, when we get new thought leadership information I'll certainly present it to our AT&T cybersecurity team. But then we have other parts of the organization that are extremely interested in what we're doing from an AT&T cybersecurity perspective, especially from the thought leadership research that we do. Because our thought leadership research is it's empirical. So we go off and we do quantitative research surveys around the world. We look at companies of different sizes, different titles inside of those companies and so on, so that quantitative research helps a lot of people inside of AT&T.

Theresa Lanowitz: 21:03

So I'll go off and present to sales teams, to technical teams, to other marketing teams, just to let them know what AT&T cybersecurity is doing from a thought leadership perspective. And then externally, I'll speak with members of the press, I'll go off, I'll speak at conferences. We're starting conference season now. We have the big security conferences coming up RSA and Black Hat. Rsa, of course, in May and Black Hat in August. So I'll go off and I'll speak at those. At those conferences Our PR team will go off and say, ok, let's meet with these members of the press who are going to be at these conferences and let's talk about what you've found in your research.

Theresa Lanowitz: 21:48

Research. We also have our sales organization is incredible here at AT&T Cybersecurity. So I go off and I speak to a lot of our clients, a lot of our prospects, about what we're finding through our research, about the types of things that organizations should be looking for and from a thought leadership perspective. There are stats out there, independent stats that show that nine out of 10 decision makers inside of an organization want to consume thought leadership from a company before they say we're going to do business with you. So this idea of going out and talking about thought leadership, our quantitative information that we've been able to get back and we produce in the form of a report that is vendor neutral, which is so critical, it's forward looking and it's actionable. So those are the types of things that I do, both internally as well as externally.

Chris Sienko: 22:31

Yeah, that's really interesting. I've never really thought about the idea that if a vendor is looking to work with you, they want to get a sense of what AT&T is thinking about as much as like what they're offering.

Theresa Lanowitz: 22:44

Most definitely.

Chris Sienko: 22:45

Yeah, really cool.

Chris Sienko: 22:46

So to that end, I want to talk to you today, because we're currently discussing manufacturing sector security at Cyborg.

Chris Sienko: 22:53

We've got a couple of guests in a row who are going to be talking about this stuff, and AT&T Cybersecurity recently released a manufacturing-focused cybersecurity insights report, which I think will have a lot of jumping off points for us to talk through. Obviously, you're already blowing my mind here, so the first and most important concept listeners will need to grasp, I think, is the concept of edge computing, especially as it translates to manufacturing specific use cases. So, to start pardon if this is oversimplified edge computing is sort of a set of technologies and practices that allow tech that is on the quote unquote edge of a network, maybe operating remotely or operating on direct contact with the central network of the data processing facilities, allowing for advanced data processing and other high order uses from what parts would have been previously considered peripheral parts of a network. So could you expand on the concept of edge computing? Am I getting that right? Is that? Where is that like what we're talking about specifically in terms of dominating the manufacturing sector?

Theresa Lanowitz: 23:49

Absolutely. You did a great job of getting it right. And let's break that into smaller, maybe a little bit more consumable chunks. And if you think about the word edge, if you talk to 10 different people, you'll probably get 15 different answers on what they think edge might be. And so, for the purposes of this research that we conducted and the purposes of our report, we say edge is defined as having three common characteristics. The first characteristic is it is software defined and that is either on-prem or in the cloud. The second characteristic is that the workloads, the applications, the hosting, it's closer to where that data is being generated and consumed. It's all about the data. And the third thing is it's a distributed model of management, intelligence and networks. So now you bring that all together and what that says is wait a second, everything seems to be changing with edge. Our network is changing, our applications are changing, the use cases are changing, how we interact with that software is changing, and we are all experiencing and using edge computing on a daily basis, and we may not even know it.

Theresa Lanowitz: 24:58

So think about this very simple example you pull into a parking structure, a public parking structure, and you're greeted with that big digital scoreboard that says here you are on the first floor, you have two available parking spaces, but on the second floor you have 50 available parking spaces. And you say I'm going to the second floor because there are more parking spaces available. There are probably more suitable for what I might need. So you go to that second floor, you pull into a parking space and that big digital scorecard automatically decrements. That's edge computing in action. Because what we're seeing is those parking spaces. They're equipped with a series of cameras and sensors.

Theresa Lanowitz: 25:37

As a car gets into the parking space, that big digital scoreboard number decrements and as a car leaves a parking space, that big digital scoreboard number increments. So as a car leaves a parking space, that big digital scoreboard number increments. So that's edge computing. It's near real time. You didn't have to open an app and say on your phone, for example, and say I'm going to the parking garage on the corner of Maple. And third, what does the parking situation look like? So it is near real time. It's being processed right there, near real time. That information is being served up to you and you, as the driver of the car, you're able to make that decision. Do I want to park on the second floor, first floor, fourth floor, whatever. So that's an example of edge computing that we see every single day in our lives.

Chris Sienko: 26:35

And I mean that's such a great straightforward. You know everyone has used this kind of example. Then, when you start to blow it out into the concept of the capital M manufacturing sector, like you, canousing and video quality control inspection immediately brings with it the understanding that tech like this could also have huge security concerns attached to it. So, teresa, can you tell me some of the biggest security issues in the tech or the setups or the software themselves that your report found in the manufacturing sector?

Theresa Lanowitz: 27:03

Definitely, and you highlighted two of the top use cases. So in 2023, our top use case was this idea of smart warehousing. In 2022, our top use case was video quality inspection on the assembly line. And if you look at both of those use cases, what you're able to really glean from that is that there are business outcomes that are being generated because of that edge computing use case. In the case of smart warehousing and manufacturing, it's the ability to very easily understand what you have in a warehouse at a certain location. Is it really coinciding with, maybe, what the region wants? Are you going to be able to cut down on your delivery costs? That sort of thing? In the case of video quality inspection, it's the idea of saying, from a business perspective, that production line can be stopped as soon as a defect is inserted somewhere along the production line and that limits or really limits the number of recalls that you might have on a particular product further down the line. So those are two of the top use cases.

Theresa Lanowitz: 28:11

And now, from a security perspective, we asked our survey participants, our manufacturing survey participants, as well as all the participants in the survey. We said what are the top attack concerns that you have for your edge computing use cases in manufacturing. And the top attack concern came back as DDoS. They said we are really concerned about any of these devices that we might be using our robots, our cameras, our sensors, our gauges, anywhere that we might be using in this manufacturing environment. We're worried about a DDoS attack on those.

Theresa Lanowitz: 28:49

And if there is a DDoS attack, what that does is it interrupts business, so it takes your business down for some period of time. So if you're in a manufacturing environment and you're losing 30 minutes of your production time or 45 minutes of your production time, that's a serious impact to your business cost. If you're in a manufacturing environment, you have a DDoS attack and those adversaries can get into one of those devices that they are now attacking from a DDoS perspective. For example, perhaps they can move laterally through the network and cause other types of damage. So those are some of the top security concerns and the big security concerns that manufacturing organizations are looking at. The other types of security concerns that manufacturing survey respondents told us about is, they said they're worried about personal information exfiltration and they're worried about phishing attacks. So more on that social engineering side of things, and that's something that every organization out there needs to be concerned about are those social engineering types of attacks, because they're still quite prevalent.

Chris Sienko: 29:52

Yeah, yeah that we. We have yet to crack the code on making making ourselves fish proof, unfortunately.

Theresa Lanowitz: 29:59

And I don't think we ever will, because you know, we're only human right.

Chris Sienko: 30:02

Exactly so. Yeah, my, my previous guest, thomas Pace. We were talking about ICS, security and infrastructure and municipal sort of services and you get a sense of what the you know. We were talking about things like nation state attacks and you know like these organized, you know, cyber crime groups. Can you speak a little bit about what you know about the sort of actors that are taking advantage of manufacturing sector edge computing security issues? Is this coming, similarly, from sort of nation states are looking to disrupt economy as a whole? Is this a thing that, like you know, rivalries are like? What? Is it any different or is it? Are they? Is the intention largely the same in this area?

Theresa Lanowitz: 30:44

The intention is largely the same. It's about disrupting business and if you look at sort of the nation state attacks, those nation state attacks, they like to go after things such as critical infrastructure and manufacturing can certainly be considered critical infrastructure, and one of the things that came out in the news last week is that the Department of Energy said that they are, they're saying that they're going to invest $45 million in cybersecurity research for exactly this type of thing. So it's great to see that this idea of security is being taken seriously. And I think another way that we can look at this and say security is being taken quite seriously in manufacturing is the way organizations are investing in their edge computing use cases. And in the core report and then we doubled down on this in the manufacturing report we said if you take your overall edge computing budget, where are you allocating it? And the answers came back they said well, we're allocating about 22% for security, we're allocating about 22% for applications, we're allocating 30% for the network and 23% for strategy and planning. So if you take a look at those numbers, those numbers are fairly balanced and fairly even. You don't have any one of those others overshadowing any of the others, and I think that is something that is critical and something that we need to think about as we embark on this idea of edge computing. Are we working collaboratively internally, cross-functionally, internally including security applications, the network, and then also from a planning perspective? And then, once we go to production with these edge computing use cases, are we bringing in a trusted third-party advisor who can help you on that journey to edge computing? And from a manufacturing perspective manufacturing 66% of our survey participants said that once they hit production with their edge computing use case, they actually bring in a trusted third-party advisor to help them on that edge computing journey.

Theresa Lanowitz: 32:54

So if I look at this, I'm very optimistic about the way things are going, because security is being brought to the table from the beginning. It's not an app. It's not saying let's put this out there and see what happens. Security is being brought to the table from the beginning. It's not an apocot. It's not saying let's put this out there and see what happens. Security is being brought to the table from the beginning, which is incredibly encouraging. There's planning going on. We're looking at different types of application development. It's no longer this interaction where we are tethered to a phone or a tablet or a laptop or a desktop. It is near real time, so I think all of those things coupled together paint a very positive picture for the manufacturing world and where they can go and the possibilities that exist with edge computing.

Chris Sienko: 33:41

Now I would be remiss if I didn't jump back to the fact that you said that one of your areas of expertise in terms of preventing DDoS or securing these edge cases more securely, is there anything that you're very excited about beyond the planning stage? But the actual cool tech?

Theresa Lanowitz: 34:19

So, from a tech perspective, the thing that I'm encouraged about most is that there is this balanced investment strategy. There's this idea that, yes, we have to collaborate, and that security has moved from being a technical issue to being a business requirement. Nobody is going to talk about anything having to do with the business unless they understand how it's going to be secure. How are our customers going to be secure, how is the environment going to be secure? So security now has that full seat at that proverbial table. So the idea of security being there is incredibly important.

Theresa Lanowitz: 34:54

One of the other things that we noticed from our research is that endpoints are shifting. Endpoints are changing. So what we found is that 47% of our survey participants from the larger survey and we surveyed over 1400 people for that report 47% of them said that our endpoints are the usual suspects phones, tablets, desktops, laptops but then 30% of our survey participants said you know what our endpoints are changing? Think about things such as robots, and this was the top endpoint for manufacturing. So manufacturing is starting to lead the way in terms of differentiable types of endpoints. So robots, autonomous drones, autonomous vehicles, wearables so all of those things combined together say that things are changing.

Theresa Lanowitz: 35:42

Things are moving and one of the other things that we found in our research is that we found that the more edge computing use cases an organization has, the more likely they are to implement cybersecurity controls. So I take away a positive reflection from that and say that the more edge computing use cases you have, the more you're concerned about cybersecurity controls says the more you're going to plan for and invest in security as part of your overall edge computing use case. So on the whole, again, I think that's quite positive.

Chris Sienko: 36:17

Yeah, yeah, that sounds really great. And hearing about the sort of varied endpoints and you know, we've talked in the past with people at the DOD and so forth, talking about the you know the directives towards, you know asset inventories and knowing exactly what's on your network and knowing all the you know all the places that things can get in it sounds very encouraging that there's a similar thought in manufacturing in terms of like knowing the sort of full topography of your company, whether it's like you said, whether it's your employees or whether it's your non-human employees, like, like robots and so forth.

Theresa Lanowitz: 36:52

so, um, yeah, and you bring up such a such an interesting point. You're saying you really have to know what you have inside of your company. Yeah, so you may start some type of experimental iot type of project and put all these these IoT types of devices out there and then abandon the project for whatever reason, but you have to make sure that you are decommissioning them from the network. So understanding exactly what is attached to your network, exactly where it is, exactly what it is and should it even be allowed to be attached for your network, shouldn't even be allowed to be attached for your network. Those are the types of problems that we're going to see in the future, because there are so many types of devices that are out there connected to the network now and we don't have control of them.

Theresa Lanowitz: 37:35

They're not necessarily all within the four walls of our organization. They're far flung, they're scattered, they're in a manufacturing environment. There are different manufacturing facilities around the world. Maybe you're a multinational manufacturing organization. Do you know what every single manufacturing plant has in terms of devices connected to the internet? Should they all be allowed? Are they all protected? Have you reset the passwords recently? Have you moved away from the default password? So those are a lot of the things that you have to ask yourself and a lot of the questions that you have to ask yourself.

Chris Sienko: 38:09

Fascinating. I love that. Yeah, we had so many people talk about the fact that you know, once they did a you know asset detection on their network, they found, oh yeah, there's like several terminals that you know ex-employees you know or not anything happened like you need to know that. That's that that can be and should be shut down. So, yeah, that's, that's really fascinating. And then you said with with you know new mechanicals and new edge cases and so forth, I imagine that's just gonna exponentially jump right most definitely, and you brought up a good point.

Theresa Lanowitz: 38:43

There might be a terminal that an employee was using left seven years ago. Have you disabled that that device? But have you also disabled that employee's credentials? Can that employee still get access to your network? And if so, you better decommission those credentials immediately.

Chris Sienko: 39:02

Yeah, turn off this podcast and go do that right now. Yeah, turn off this podcast and go do that right now. So, teresa, as you probably know, the goal of Cyber Work, the podcast, is to help students and new cybersecurity professionals, as well as people entering the industry later in life, sort of sharpen the skills needed to enter the industry or, you know, change careers or start their careers. So, for those wanting to make their mark in manufacturing security and work with manufacturing specific tech and use cases, can you talk about what you think some of the most important skills or experiences or trainings or certifications or soft skills that they need to be actively pursuing now to do this type of work well and demonstrate, you know, excellence to their dream companies?

Theresa Lanowitz: 39:42

We know things are changing, we know that the careers of today are not necessarily the careers that we're going to see 15, 20 years from now. But I would say the first thing is be intellectually curious, always understand, always ask questions, always seek to gain understanding, because that will give you context for what you're about to encounter, whether it is from a software development perspective, whether it is from a hardware development perspective, changing processes, optimizing processes always be intellectually curious, understand what the outcomes of something are. I think those are important qualities, to just have, just general, innate qualities. And the thing that I would say is learn how to communicate.

Theresa Lanowitz: 40:27

Be a good writer, be a good presenter, be a good thinker, because you may have the most brilliant idea, but if you can't surface it, if you can't communicate it, that idea will just languish and oftentimes not see the light of day, and somebody else may have the same idea and is able to present that idea. Bring that idea to life. So understand how to communicate. Understand how to communicate what you're working on, what you want the outcome to be, is, I think, a critical skill to have.

Chris Sienko: 41:00

Your answer there may have answered my next question, but I'll ask it anyway. So what are the biggest skills gaps among people trying to work in manufacturing security? Are there certain skill areas that you see lacking in job candidates that you'd like to see become more universal? I'm assuming communication is part of it, but is there anything else that you see consistently being ignored by people coming up in the industry?

Theresa Lanowitz: 41:21

Certainly, communication being able to write, being able to speak, being able to tell a concise story, but also being able to take in context, because context does matter, so being able to understand why a question might be asked or what the next question is that's going to be asked. So I think understanding context is important as well.

Chris Sienko: 41:44

Yeah, awesome. So as we wrap up today, teresa, could you tell our listeners the best piece of career advice you've ever received? You've? You've worked for a lot of really interesting people. What's? What's some of the best advice you've gotten in terms of your career? Think.

Theresa Lanowitz: 41:58

That is the absolute best advice I've ever gotten, and it was early on in my career. And the person that said it to me said think. Think about the problem you're trying to solve, think about what you're going to do next, think about where you want to go personally, professionally, but just think.

Chris Sienko: 42:15

Again, context comes into play there, but think comes into play there but think, yeah, that's great advice, it's always great advice. So yeah, I want to. As we're wrapping up here, can you talk about where you see manufacturing security issues going? I mean, it sounds like you're pretty positive in terms of the intention of the manufacturing sector in terms of focusing on security. Like, where do you see the problems? Largely staying in the same spaces DDoS, phishing. Do you see new things on the horizon? Do you see improvements in certain areas? What's the next two, three years look like you think.

Theresa Lanowitz: 42:55

Manufacturing has, in the past couple of years, risen to one of the most advanced types of vertical markets in terms of how they're looking at security, how they're doing things differently, the way they're changing the manufacturing processes to include security, a supply chain that we haven't really even talked about. Supply chain plays a huge part in what's going on with manufacturing and making sure that supply chain is secure, making sure that you understand who is in that supply chain. What types of security controls are your suppliers actually using to get whatever they are giving to you through that supply chain? So understanding that supply chain is critical. One of the other pieces of data that we uncovered in our research is that 55% of the manufacturing organizations who took our survey said that they are moving to the cloud. They are combining their cybersecurity controls and their network functions in the cloud, so that is something I think that is encouraging, but along with that comes different types of problems that you have to solve.

Theresa Lanowitz: 43:58

So making sure that you are staying ahead of those problems, understanding what you need to do to solve those problems, and one of the things that I would offer up is take our AT&T Cybersecurity Insights Report our core report, as well as that AT&T Cybersecurity Insights Report, a focus on manufacturing. Take them back to your organization, look at them, ask your organization. Are these the types of things we're concerned about? Are we concerned about DDoS attacks? Are we prepared for DDoS attacks? Are we concerned about phishing? What are we doing to encourage our employees to be more aware of some of these social engineering tactics that are out there? So manufacturing is certainly continuing to change. Manufacturing has changed an incredible amount over the past couple of years. But making sure that you're staying ahead of that game, looking at your supply chain, those are things that are going to be important as we move forward.

Chris Sienko: 44:52

That's a great advice and I think if you brought that report to your board or your supervisors and they say, no, we're not focusing on DDoS and phishing, there'd be a great opportunity to say, well, can I help you focus on those things?

Chris Sienko: 45:06

And then you find a new place for yourself in the company, because, yeah, like you said, those are really important things. This is almost probably too much of a topic. Maybe we can do it on another future episode, but could you give me just a quickie version of things that you, as a security person, should be watching out for in terms of your third party vendors and security? Because, I mean, I know that's a huge can of worms, but, like, what are some of the things that you really need to be aware of, especially if you're using lots and lots of different vendors, like that?

Theresa Lanowitz: 45:41

huge can of worms and manufacturing was one of those vertical markets as we were doing this research.

Theresa Lanowitz: 45:43

That said that we rely upon our supply chain an incredible amount, and what we also found is that there may be a handful of large manufacturers, but the number of smaller manufacturers that feed into the supply chain of what those larger manufacturers are you are using, is an infinite amount. So, from a manufacturing perspective, if you're a smaller manufacturing organization wanting to feed into the supply chain of a larger company, making sure that you have cybersecurity controls in place, making sure that you can prove that you can protect against a DDoS attack, that you have proper cyber hygiene training for your employees, that you are doing some of those basics, because the larger manufacturing organizations are going to come back down through that supply chain and check on those things. There's going to be a lot more rigor as we move forward because of regulations that are out there, because of maybe some defects in the supply chain that a manufacturing organization has encountered over the past couple of years. They're going to be far more thorough in how they're vetting that supply chain.

Chris Sienko: 46:49

Yeah, I imagine, if you're looking for a way to distinguish yourself in the industry, that one area would be to learn everything there is about edge computing security, but another would maybe even be to become sort of a master of understanding how to make your company more safe. You know, let your company know, like here's all the sort of third party risks and here's what we do to you know, like I imagine that's kind of a skill set unto itself, right?

Theresa Lanowitz: 47:19

Absolutely. It is Absolutely, and you have supply chain management professionals who can help you with that type of thing. And again, it's that collaboration, seeking that help from that third party trusted advisor and maybe that's something that, if you're a smaller manufacturing organization, maybe that's something where you can go off and seek some help from that trusted third party advisor to understand what should I really be doing to shore up my supply chain so that I make sure that my portion of the supply chain feeding into a larger manufacturer is secure and that that larger manufacturer is going to want to work with me?

Chris Sienko: 47:53

Fabulous. So all right, before we go, Teresa, we're coming to the hour here. I could talk to you all day. This has been a blast, but I just want to wrap up and ask you to tell our listeners more about AT&T, cybersecurity and what you're all about beyond this report.

Theresa Lanowitz: 48:07

AT&T cybersecurity. Our goal is to simplify security. Security is a daunting activity and we do that through three ways Through our experience with our AT&T cybersecurity consulting organization. Through simplicity with our AT&T cybersecurity managed security services. And through visibility with our AT&T cybersecurity alien labs threat intelligence team. So offering that experience, that simplicity and that visibility will help to simplify security, where we help you manage the risk and you reap the reward. And you can visit us at cybersecurityattcom to find out more.

Chris Sienko: 48:48

Great, and if our listeners want to connect with you, teresa Lanowitz, can they find you on LinkedIn? Do you do any kind of social media type stuff?

Theresa Lanowitz: 48:55

LinkedIn, linkedin definitely, I'm fairly active on LinkedIn and I am the only Teresa Lanowitz out there I'm fairly active on LinkedIn and I am the only Teresa Lanowitz out there, so nice, all right.

Chris Sienko: 49:04

Well, our listeners are very robust in their in their contacting, so hopefully some will contact you and get more insights from you. So, teresa, thank you so much for thanks, so much for joining me today. I really enjoyed talking to you.

Theresa Lanowitz: 49:15

Like I said, Thanks so much, Chris. This has been a great conversation. I look forward to having more conversations with you in the future.

Chris Sienko: 49:22

Absolutely Challenge accepted.

Theresa Lanowitz: 49:25

Opportunity taken.

Chris Sienko: 49:27

All right. Well, thank you again, teresa, and thank you to our Cyborg viewers and subscribers. We just passed 80,000 subscriptions on YouTube. Your input and your enthusiasm makes this a joy for me to do each week, so thank you. If you have any topics you'd like us to cover or guests you'd like to see on the show, you're always welcome to drop them in the comments below. We're watching, we're reading and we do course, correct appropriately.

Chris Sienko: 49:48

So before I let you go, I hope you'll remember to visit infosecinstitutecom slash free to get a whole bunch of free and exclusive stuff for CyberWork listeners. This includes our new security awareness training series, work Bites, which watch the trailer. It's so much fun. It's on YouTube. Do you have better security awareness skills than your coworkers? What if those coworkers were a pirate, a vampire, an alien, a zombie and a fairy princess? Go see for yourself. Infosecinstitutecom slash free is also the place to go for your free cybersecurity talent development e-book, where you'll find our in-depth training plans for the 12 most common security roles, including SOC Analysts, penetration Tester, cloud Security Engineer, information Risk Analysts, privacy Manager, secure Coder and more. One more time, that's infosecinstitutecom slash free, and, yes, we'll link it in the description below as well. So one last time, thank you so much to Teresa Lanowitz and AT&T Cybersecurity, and thank you all for watching and listening, and until next week, happy learning.