Cybersecurity needs in megacorporations

Gene Yoo, CEO of Resecurity, and Cyber Work podcast host Chris Sienko discuss the specific needs for megacorporations, how to recover from cyber-attacks, career strategies and achieving gender parity in cybersecurity.


  • Transcript
    • Chris Sienko: Hello and welcome to today’s episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. At this point, any company from the smallest mom and pop shop to the biggest multinational conglomerate needs to devise and implement a cybersecurity strategy that protects them the best, but what are the specific needs of the largest companies in the world? Gene Yoo has over 25 years of experience in cyber security for some of the world’s largest brand names such as Warner Brothers, Sony, Computer Science Corporation, Coca-Cola, Symantec and more. More recently he served as Senior Vice President and Head of Information Security for City National Bank. He has provided security for the largest of the large across a range of industries, so if there are specific needs for these megacorps, Gene will know all about them. We’re gonna talk today about the specific skills and experiences you need if you want to run security for these types of industry giants. Gene Yoo, thank you for joining me today.

      Gene Yoo: Thank you, Chris.

      Chris: So, tell me a little bit about your security journey. This is, obviously you’ve come quite a way but how and when did you first get interested in tech and computers and security?

      Gene: Wow, I mean that goes all the way back to 1992 when I started out as a network engineer for Internet Service Provider, was one of the first internet service providers here in California but it was specific to providing services for Japanese clientele like Toyota, Honda and Nissan because they had a headquarters there, so all these people when they came to the United States because of the language barrier and the communication needed. And that’s why we actually started a hosting company just in Japanese even though I can’t even read or write Japanese. So, it was an interesting learning experience.

      Chris: Yeah, and 1992, you were very much ahead of the curve in terms of a lot of corporations probably weren’t even thinking about internet until the mid ’90s or late ’90s or whatever. So, that seems like that was right at ground zero there for a lot of people.

      Gene: Yeah yeah, absolutely, interesting times.

      Chris: Yeah, well so, tell me a little bit about that. What was it like being an internet service provider at a point when they weren’t ubiquitous like that.

      Gene: Well, I think the key thing is always having a good mentor and being curious about what it is. You may not understand it or know what it is but just the methodical or mechanical way of what we do in the engineering space is very prevalent. So, I think it goes without saying, having that mentorship goes far long than any kind of curve path and I’ve been very fortunate in having those kind of people around.

      Chris: So, were you drawn from early in life to work for a large company specifically or was that just something that happened through cumulative life experience?

      Gene: I think I’m very fortunate. I think going, I don’t think it’s a matter of the size but I’m very fortunate in the sense that all these large companies, the leadership or the management took a chance on me. And I’m very thankful and blessed for all those opportunities. It’s not like I actually tried to go for them. It’s just that many of those companies were near in Los Angeles where I’m from so it made it really easy for moving forward.

      Chris: Plus the fact that you were there since 1992, I imagine there weren’t a ton of people who had comparable experience going that far back, right?

      Gene: Yeah, it was but I think if compared to other states I think LA has a very unique position and a lot of companies and it just, you just, kind of like the Hollywood thing, right, you gotta know somebody to get in the business.

      Chris: Yeah, yeah, okay, we definitely want to talk more about that later, but tell me a bit about your learning path. Did you study computer science in school? Were you self taught? And what are your strategies now for learning new things?

      Gene: So, I’m actually self taught. My original field of studies actually was architecture, civil engineering, mechanical engineering, but I think it goes without saying, the mentality of the engineer doesn’t really change. So for me, again, it goes back to having the right mentorship and being curious. And I think it’s also a type of personality you have. Well, I think it’s with any business in being able to adapt. Now, nowadays being in an operator now running a company it’s a different kind of learning curve. Again, it goes back to now I have more, obviously I’m reading constantly, listening to podcasts like yours and just absorbing a lot of information. But really for me now is how do I apply all of this knowledge and also again, going back to having the right mentors.

      Chris: Okay, was there any sort of crossover specifically between being a security architect in terms of designing a security system and being an actual architect? Were there certain structural issues or things that you can apply one way or the other?

      Gene: Absolutely, you don’t want the building to fall down and it’s like everything I always tell people. It’s like you’re building a fence or you’re building a wall or you’re building a castle. The schematics in how you approach and schematics as to how you execute doesn’t really change fundamentally the laws of gravity and everything else is really the same. Now, the only difference is that I know how to build a castle. I know how to make sure it’s safe, but I have to be able to know what’s outside the horizon and having the right watch tower to be able to see what’s going on because that’s the reality of what we’re dealing with now.

      Chris: Okay so yeah, there’s a lot of guard towers basically.

      Gene: Yeah.

      Chris: Yeah, yeah, so, because some of our viewers are just starting in cybersecurity or are even just considering jumping in for the first time, could you walk me through your day to day work as a senior level cybersecurity director? What types of jobs and responsibilities are part of your daily workday? And what time does your day start? And do you ever get to clock out or are you on call forever?

      Gene: Well, good Lord that’s a lot.

      Chris: That’s a lot of questions all at once.

      Gene: Oh, no no.

      Chris: These are the ones people want to know. Do I get weekends?

      Gene: No, so I get so many of these questions about the profession and because I spend a lot of time with giving lectures and conversations at schools, so I get that comment. So, I actually have an actual same answer which is when I was an operator or when I was an engineer, director, manager, it doesn’t make a difference, at the end of the day there is this 80% of work where you start from nine to five, let’s call it. And then out of that work is really around enabling business, executing projects that enable business for technology improvements or enhancements. And then a lot of administrative stuff like documentation, presentation and also trying to also making sure you get the budget so you could actually invest in the things that you need. Day to day life is really spending time with your peers, your coworkers, your management to really understand what’s going on but offset of that is either you’re building or you’re responding or you are strategizing. And that’s the way I would commonly tell it. Now, I know a lot of students and people who are starting. They say, “Well, I want to do engineering. I want to do application security. I want to do IT.” And I think everybody’s capable of doing any kind of job from the development. The question really is you gotta enjoy what you’re doing because day in day out corporate life could be exciting or it could be very benign. And you just gotta love what you’re doing.

      Chris: Would you say there’s sort of a one third, one third, one third break down of three main pillars you said there of building and monitoring?

      Gene: I wish it was that easy but

      Chris: Yeah, it changes from day to day?

      Gene: Yeah, but what I tell people is at the end of the day you have to be 80/20. And when I say 80/20, not 80% work and 20% thinking. I really mean 80% to innovate what you’re doing or to really stand out. And what I mean by that is if you are not looking at your day to day operation and you’re not automating it, you’re not making it easier for you, then you’re just, you’re spending 80% of the time, you’re wasting everybody’s time. So, I always tell people 80%, you need to be thinking about how to make your job easier, how to make this automated and how to look beyond what your day to day is. And 20% is where I expect you to spend doing the day to day work. And unless we shift that paradigm I think people get, every day it’s email at seven o’clock and then responding to emails, writing presentations, spreadsheet. It’s just you gotta get out of that mentality and innovate.

      Chris: We had a cybersecurity analyst on who said basically the way to move up in the ladder on that position is to innovate yourself out of your own job.

      Gene: Exactly.

      Chris: Or to automate yourself out of your job, yeah.

      Gene: Exactly, that’s exactly it.

      Chris: So, moving on to larger scale things here, I would imagine that for cybersecurity pros who would want to work for major corporations, whether in the entertainment industry or the finance industry, there’s gotta be a lot of applications, so as a result a lot of techniques that HR uses to cull candidates for not having the right skills or experience are probably happening to them without knowing it, so how does one get on the first rung of the ladder to work at these type of companies? I know you said you were there, you knew some people. You were there from early point. But what are some common skills or experiences that companies are looking for when considering you for their team?

      Gene: So, I’m gonna probably say something that HR’s not gonna like but for every job that I had I never asked HR to do any pre-screen. I want to see their resume for myself and the team.

      Chris: Yeah, everything.

      Gene: And we set aside a time and look for it. And it’s important because I think often times they, a lot of good candidates get slashed because of some degree or some experience or their certificates. So, I try to remove that barrier and give a lot of people opportunity. Now, separately I think when professionals are starting and that when they put their resume, the most important thing is create your objective, write your objective very clearly and concise because we know you may not have experience but ask for the opportunity. Speak English in a very simple way to say, “I want this job” and show them. Don’t care about your job description, like what you worked at or what role. But the other aspect is forget about the certificate. I would focus on the type of work that you are doing and don’t make it up. Just say, “Look, I’ve done this.” And show a little bit of progression. Or just say, “Hey, I worked at McDonald’s.” It’s okay. “But I studied all this.” Show me those by saying in the resume, “Hey, I didn’t have a job but look at all the self study I have done.” You show and prove to us that, hey, you are really interested and serious about it. And also of course networking and handing your resumes out or getting business card is critical I think.

      Chris: Are there any red flags that you see on resumes that make you instinctively breeze past a candidate?

      Gene: No, because unless, I’ll be honest with you. I have this rule, I get a big stack of resumes. I print it out and I go through once view, first view, and those are the first cut. And the red flags that I would normally, would be seeing is when they have done something in a sequence or a job that looks like the role or the function doesn’t make sense to be against their title. Or they overemphasize something that doesn’t, for example, somebody said, “I deployed data loss prevention and completed to project execution in two months.” I work for Symantec, I deploy DLP. There’s no way you could do that.

      Chris: Yeah, oh okay, okay, that’s definitely a red flag.

      Gene: Yeah, it’s like, “I was involved or I was part of the project.” But don’t say, “I ran the project.” Little language verbiage like that is where I catch up on things.

      Chris: Yeah, yeah, yeah, yeah, what was I gonna say about it? Yeah, to that end do you see a red flag when you see someone with, we call it “cert collector” where someone is maybe is low in the industry but they somehow magically have 14 random certifications. Does that have a red flag to you or is just being

      Gene: Oh no, absolutely not, absolutely not.

      Chris: No?

      Gene: For me, it’s like there is two types of people. I mean, two approaches to life, academic versus reality. And some of these people may not have the experience but they’re well-versed and technically they could articulate exactly academic and that’s fine.

      Chris: Yeah, I mean, that’s

      Gene: Not a red flag for me.

      Chris: Yeah, sometimes that’s the only option if you’re in a small town but you want to move to a big town.

      Gene: Exactly.

      Chris: Keep learning. So, you’ve worked across, and I know that maybe this isn’t necessarily across the board but you’ve worked across a huge range of mega corporations and all sorts of industries. Are there any commonalities between them in terms of their cybersecurity needs? Like specific issues that they face that are less common amidst smaller companies?

      Gene: No, I think after 2002, the shift to information security, the CSOL, the cybersecurity all really I think even now continues to morph. The commonality hasn’t really changed. The lack of budget and investment of organization to invest on people, process and technology or time, resource and money, I think still lacks. You could go across the entire hemisphere and it will still be 2%. This is the reality. And then there is the little snowflakes. But I think as a general rule for me, whether it’s a small or big company, it hasn’t really changed. There is still the management layer. There’s the business layer and then there’s the IT layer. And I think the key for everybody to understand is to make sure that this isn’t about IT. This is about at the end of the day enabling business and protecting the business. And if you can’t articulate that or see that as more of a business acumen then take a step back but you know it’s a process.

      Chris: Okay, so jumping back to what you said there about not enough budget, not enough like, what would you say is a more appropriate level of budgeting for these type of issues and what would the extra budget money be spent on?

      Gene: I think the first part is, as much as I’m a vendor, but what I would say is really investing on the people. And when I say that, and the appropriate training. Get them to the conferences. Often times even as Resecurity we go to clients and everybody’s been there for ten, fifteen years. And they go to one training a year, which is you know, and it’s not fair because if you look at the IT-scape, they’re constantly going but security people, we also need to socialize and network to see what’s outside the box and we need, they need to really look at investing that. But also, giving people opportunity because we don’t have enough security professionals anyways but when you hire somebody with no skills have a plan of action. What is their professional career development is gonna look like? Educate them, send them to training. Have a plan for how to onboard staff.

      Chris: Yeah, have you had to spend a lot of time thinking about the cybersecurity skills gap as they call it?

      Gene: It’s pretty serious because when I was in various companies it took us good three to six months once we post. And it’s really never about how much they want. It’s having everybody buy in versus your gut feeling. And I think the important part is obviously to get everybody’s buy in but then I always remind even my old staff when they’re hiring, it’s like, “Well, she doesn’t have any experience.” I’m like, “Okay, and like you did when you started?”

      Chris: Yeah right, exactly.

      Gene: And I’m very, I wouldn’t say I’m very angry about it but often times I think everybody is kind of like in their head.

      Chris: Yeah, the job description calls for ten years of experience on something that’s only five years old or other unicorn issues.

      Gene: Exactly, exactly, exactly.

      Chris: Or you need all of the certs and a Master’s degree just in case.

      Gene: Right.

      Chris: Yeah, so, looking into your personal bio, you worked for Sony in cybersecurity and Sony is obviously famous for the hack via a nation state attacker in 2014. And it looks like you were there the two years following, so I’m guessing you were brought in to mitigate the issue?

      Gene: No, it’s part of, I think, one of my old boss said, it’s like, I get into a job where I can’t go wrong because it’s already bad.

      Chris: Right, right, yeah.

      Gene: Be careful what it’s worth, okay?

      Chris: Stop sinking.

      Gene: No, it wasn’t a cleanup. It was actually, to actually modernize and improve their program.

      Chris: Yeah, great, that’s what I was gonna ask. So yeah, tell me a little bit about what the strategy was after that happened.

      Gene: No, so I think Sony and just in general the team, the global team and the pictures, these are the set of some, whatever happened before is one set of the conversation, but what has happened after the people getting together understanding now the value of security, what they need to do potentially. A lot of this information and the people that was brought into cleanup and then to modernize, it goes without saying, it’s probably one of the most monolithic effort in putting the best security model you could ever think of into a company. And it was just amazing to learn and see what they did obviously. My role was very specific to improving vulnerability management, application securities, security hardening and all those things. It was very focused task and it’s what I love doing so it was a fun time for me.

      Chris: Was the result pretty similar to what you envisioned, when you’re planning, “I hope we can do this, this, this and this,” were all those things pretty much implemented to your satisfaction?

      Gene: Well, not to my satisfaction, but to my management.

      Chris: Okay, that’s good.

      Gene: No, like anything else, this is the irony of the problem in industry, it’s general for IT and security. They spend money and they expect it to turn and turnkey and everything to work. Implementation is, whether it’s a technology or a process, it’s a very methodical way you have to do things. Otherwise you break things in and it doesn’t work. And then you wonder why it didn’t work because your implementation plan was 30 days. Well, that doesn’t work like that. Because of my Symantec background, implementation is a very key thing in making sure you understand what the next steps are. But for us, and especially when I was at Sony, having and making sure the stakeholders understand exactly what the output is going to be and also the most important thing, what is the long term running model is gonna look like because it’s built on place. Because you have to be repeatable and it has to be repeatable. That’s the key.

      Chris: So, I want to jump back into Sony specifically but also large corporations in general. Are there, I think of the movie “Men in Black” where there’s these specific issues that are happening but they say this stuff is happening all the time. Are with large corporations like this, what sort of constant barrages are companies like this dealing with on a day to day basis? Are there constant, I’m sure there’s not nation state attacks every single day and stuff like that but is there this constant barrage of people trying to wiggle their way in or social engineer this thing or that thing?

      Gene: Well, it’s kind of like your house. You get lots of mail, right, somebody stuck the mail in. So, it knocks on your door and needless to say, to the level that do we know it’s a nation state? Nobody really knows. So, I’ll, but the reality is there’s a small set of team that is actively monitoring all of this information, like oceans of data just trying to build this lake or pond to actually make some sense out of it. It’s very tough and I feel for them because an incident responder before managing an incident response, it’s not an easy thing. Now separately, unfortunately, with very small team, lots of data, they’re expected to deliver a lot of things. And then you’d have this other big team of compliance and risk who are expending exorbitant amount of time to make sure that there’s a regulatory governance, compliance and everything else. So, it’s, like when I said there’s a shortage of team, I really mean there’s shortage of team.

      Chris: Okay, so as the security person around the time of the Sony attack, does all the public discourse around the gossip of celebrity and entertainment, is that from leaked emails affect your department? So, not just large scale security attacks but are you also protecting your artists’ mobile phones from being hacked? Or company emails from being leaked and things like that? Is there a macro and a micro level of security at work or are they on their own?

      Gene: So, you want the secret sauce about the media industry basically?

      Chris: Just curious, I think our listeners will be interested.

      Gene: So, in a media company it’s like a bank in that the talents as we call them are basically deposits. So, that’s why you see celebrities or talents tie to a studio and having their production company in the studio. That’s how they build relationships. So, in essence the financier of the studio gives them a lot of leeway because they want the talent to be making movies and producing movies in their lot. Which also everybody makes money in one way or another. But there are very, I won’t say they’re snowflakes but they have a different lifestyle. They have different, they have business managers and they have, so, we treat them, they’re a whole other, it’s kind of like the secret sauce of Coca-Cola. You just don’t go in there and say, “Hey, how ya doing?”

      Chris: Sure, of course, it seems like you would be a massive scale BYOD issue where you’re dealing with all these external forces that are coming and going from your organization.

      Gene: Right.

      Chris: So, how do you deal with that much logistics?

      Gene: So, each production company or those talents, they have unique needs and when I was in the studios, obviously we have a pretty deep, good relationship with them, especially if they’re, if it’s one of the Marvels or DCs and you really have to work closely with them but I think with the advent of a lot of these attacks on celebrities and all these cloud and everything else, they’re more conscientious so you’ll see even now even with us, we actually pivoted into providing services for high net worth or high risk individuals and monitoring against threats. So, there’s a lot more consumption of these talents and high net worth individuals or high risk individuals where they are now saying, “Okay, maybe I need to understand what’s in the dark web about me. Or is somebody really talking about my movie or me or my friends?” So, there is an elevated awareness in protecting against those consumer ones.

      Chris: Now, with the sheer number of not competing, but collaborating production companies, do each of them have their own security strategy or does everything come under the master umbrella? These are the security rules that we are, when you’re here you’re playing by our rules kind of thing?

      Gene: Not necessarily because the most important thing for the production companies or the studios is when you’re filming that’s a whole other set and a lot of the directors now are very security-conscious so they put a lot of those measures in like everybody leaves their phone, nothing goes outside of the dailies, but the reality is that once the production is done, there is another set of risks that starts because now you have the directors cut, now you have to have a master, you have to have audio done. So, in between the supply chain is where a lot of these things are happening.

      Chris: Yeah, that’s so many moving parts. So, you said that you, maybe I misheard you, but it sounds like you have a reputation for being able to come in after the damage has been done and you said it couldn’t get any worse or whatever and you can make it better. So, in general when massive breaches or hacks or just big problems happen at any major industry like that, what are some lessons to be learned that you’ve learned or techniques to be used going forward that can help protect these things in the future or prevent them?

      Gene: Unfortunately, there is no techniques for lessons learned.

      Chris: Every one is a new issue?

      Gene: It’s, so it’s no, so it’s not a snowflake. Everybody from my perspective and my personal experience, we all know that, let me rephrase that, if we had the resources and if we had the right investment and the right testing on an annual basis and like an annual check, I guess you could say that is a lesson learned, but the reality is these holes and stuff like that, it’s going to happen no matter what. You could prevent it by having a good playbook, having annual tests, annual review of all your security controls, which is supposed to be part of your IT general controls or your PCI requirement. So, where’s the gap between you got an A from PCI council or B, A from PwC saying that, “Oh, your SOX control is great.” But how do we get there? That doesn’t make any sense.

      Chris: On the other side of that coin, oh sorry, did you have more?

      Gene: No, no, no.

      Chris: Okay, so on the other side of that coin, have you seen any common but wrong actions that companies who have been hacked or compromised in any way take in the immediate aftermath of the event? I mean I’m sure passions are running high in the days after, but is there something that, oh, we’ve gotta go to the media and you shouldn’t, or we gotta hide it and we shouldn’t. What are some of the things that you see again and again that people would be wrong about, first steps?

      Gene: Well, I think the public needs to also recognize that there is a need for information, but keep in mind, public needs to understand business is actually suffering on a daily basis and they’re trying to recover their business operation, so I think some level of patience is required from the public side because that, and the media forces everybody to like, okay, what happened? It’s like, everybody calm down. There is a lot of stuff, we can’t just like say it’s this or that. I mean, it’s like get all the facts first before you say it’s something else. You just gotta, because of the media and the PR and all of these social media, I think just everybody needs to just slow down and calm down. I don’t think, unless it’s like, there’s not a time when the companies are ever trying to hide it. They’re just trying to find facts before they could actually publicly announce it.

      Chris: Before they make the announcement.

      Gene: Because perceptions and assumptions could really create a havoc in a lot of different ways and it doesn’t help anybody. It’s already high stress job anyways.

      Chris: Yeah, in our talk with Keatron Evans who’s an internet responder, he said, “Yeah, don’t panic. You’ve already been breached. You can’t become more breached.”

      Gene: Don’t say that because we’ve seen that happen.

      Chris: Of course there are always exceptions, but yeah. So, on the career side of things, what advice would you give for someone who feels mired in their current cybersecurity role who wants to jump to working in a bigger organization or another town. Are there certain combinations of certs or experiences or skills that you recommend to make yourself more desirable?

      Gene: The most important things is don’t go to these conferences and ask the question of, “How do I get into your company?” Or the common one I hear is, “I have no experience and I like to understand which, how do I grow into this professional career?” First thing I tell them is, “Okay so, what do you want to do in life? What do you want to do? Is it money, is it fame?” The best advice I have, it’s the same advice I give to everybody is just relax. All these people were where you were at two, three years ago. Find a good mentor and then network yourself. Don’t stress over your cert, what you need to study. Keep the course of what you’re passionate about but try to network and find good mentors through LinkedIn or go to these, listen to your podcast, and if from your listeners, if somebody says, “Oh, I’ll add myself to LinkedIn and email Gene,” I will tell them exactly the same thing. It’s like, “Great, what are you passionate about? How can I help you?” That’s all the time to what these new recruits because this is our new workforce for the future.

      Chris: Right, yeah, yeah and that’s, people asking you, “What part of cybersecurity should I go into?” That’s something you gotta figure out for yourself I suppose but once you say, “I definitely like doing this kind of thing,” then it’s time to find a mentor in that area.

      Gene: I tell them like this. I first, I figure out what they’re interested in doing. I ask them, “Hey, do you know about building houses?” They’re like, “Yeah, my dad’s a plumber.” I was like, “Oh great, so do you want to be an electrician? Do you want to be plumber? Do you want to be a drywall specialist? You want to be a roofer or you want to be a gardener?” And he immediately gets it, so I think that’s another thing that, but anyways.

      Chris: Yeah, so looking into the future do you think that, what do you think are gonna be the biggest cybersecurity challenges facing large groups or any security areas with a prominent public face in the years to come? What’s coming?

      Gene: I would say, this is my hiring model, too. There are many of us, I wouldn’t call myself a dinosaur, but I’m pretty much getting there. But I think it’s the need for bringing in fresh ideas and fresh talent to have a different look at what we’re doing today I think is key. The technology landscape, all the innovation is one set of a thing but at the end of the day no amount of AI and machine learning is ever gonna replace human and we need smarter people to really think about how to defend and protect environments and companies or governments and so forth, but I think that’s the key.

      Chris: Yeah, we’re big advocates of a more diverse workforce, not just for diversity which is important, but also because someone with a disability is going to show you a certain thing that a differently-abled person is not going to see. And women are gonna see a thing that men aren’t.

      Gene: Exactly.

      Chris: And so forth, so yeah, I mean, can you give me some concrete, any concrete example of surprising things that have come out recently that you saw that would not have necessarily been realized with a less diverse group of people you were working with?

      Gene: Oh, all the time, you get the years and the security guys and it’s about managing the product. And then they’re not focusing on the data anymore. They’re just like, look at the bells and whistles. And we hired, so I was very fortunate in my previous jobs where we had a good internship program. And we would bring these people in and oftentimes I am very diverse and even half my management team is all female, and even the interns I brought in, she would when I had an interview with her, she was like, “I have zero experience.” And I was like, “That’s okay, I’m glad you told me that. I like the fact that you told me the truth. What do you want to do?” And when we brought her in, she actually was better than I don’t want to say too many percent, but it was a good percentage. Her skills were so advanced and she saw things in a different way and I was blown away. Even the data scientist we hired from college, a Fresno intern, they were telling him to like, “Hey, do this thing, like security thing.” And I’m like, so I got involved because he was getting a little frustrated and I was like, “Listen, why don’t you look at the set of the data and tell me what you think is important. You’re the scientist, right? Show me things that I should be, that’s interesting for you based on your mathematics or algorithm.” And sure enough, he presented things and I bet you if he got a job at a security company or a trading company, he’s gonna make a lot of money.

      Chris: Oh yeah, no, those are amazing stories. I’m thrilled to hear them. We have women on the show a lot and we always ask them about how to achieve gender parity in cybersecurity which is not a gender parity oriented industry at the moment here, but how did you specifically? Were you actively recruiting for women? Were you, how did you find them? Because there’s such an issue with building a deep bench where it’s not just getting people in on the ground floor but having women in management positions and leadership positions and stuff like that and that requires a large workforce of people who have been kept out over the years and so forth. What was your strategy?

      Gene: Well, very, believe it or not, this may sound really simple but there’s a lot of women in technology, like groups and forum, and women in something. And usually I would have HR or I would reach out to the chairperson and say, “I need your help. Here’s what I want to do.” I think it’s important, obviously, organization aside. I need fresh ideas and talents and I partner with them. It’s like, why am I wasting my time going to job sites when I could go directly to a lot of these people. And a lot of executives in the company, they sponsor and are part of these organizations so I’m always constantly saying, “Look, there’s a gap and we need to fix it and I need you to help me fix it.” And they’re like, “Gene, are you sure you want to do that?” I was like, “What do I got to lose?”

      Chris: Literally just asked you for the idea. So, speaking of that, tell me a bit about your organization, Resecurity. What are some specific services or benefits that you offer your client? What are you all about?

      Gene: I’m sure our marketing team, I completely forgot about it. No, we are all-source, we provide data that’s for consumers, organizations and government agencies and that’s our customer base. We provide data, a lot of people say we’re the data broker but we provide a platform where you could make sure, kind of like what I said about the whole, the castle thing. So, there’s a castle and there’s the people in the watch tower but they could only see far. Our job is to provide what’s beyond their scope and what they’re actually doing.

      Chris: What’s on the horizon.

      Gene: Exactly, so we provide the horizon data.

      Chris: Okay, so if people want to learn more about Gene Yoo or Resecurity, where can they go online?

      Gene: LinkedIn is the best way. We also have a lot of blogs and a lot of our press is there. Reach out any time if it’s more business-related. But again if a lot of people who are starting and just want advice, you can always reach out to me via LinkedIn and everybody that knows me will tell you, I have an inbox zero mentality. If you email me, I almost likely respond. There’s no way that I would not forget it, that’s just me.

      Chris: That’s great, so and it’s Resecurity.com I assume?

      Gene: Yes, sir.

      Chris: Okay, Gene, thank you so much for taking the time to join us today. This was really fascinating.

      Gene: Chris, any time.

      Chris: I really appreciate that and thank you all as well for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. To see the current promotional offers available to listeners of this podcast, go to InfosecInstitute.com/podcast. And to reiterate from past episodes, we have a free election security training resource to educate poll workers and volunteers on the cybersecurity threats they face during this next election season. For more information about how to download your training packet, visit InfosecInstitute.org/IQ/election-security-training or click the link in the description. Thanks once again to Gene Yoo and thank you all for watching and listening. We’ll speak to you next week.
