Risk management and understanding what matters most

Liz Mann, head of the Life Sciences and Health sectors, Americas Cybersecurity, EY Advisory, discusses her role at EY, the importance of diverse perspectives around risk management, and her work encouraging young women to enter the cybersecurity workforce.


Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec, the weekly podcast where industry thought leaders share their knowledge and experience in order to help us all keep one step ahead of the bad guys. As part of Infosec's effort to close the skills gap and empower people through security education, CyberSpeak will continue to be speaking with diverse and interesting women in the cybersecurity industry and hearing their stories, including today's guest. An experienced technology executive, Liz Mann leads the Life Sciences and Health sectors in Americas Cybersecurity at EY Advisory. She helps executives and boards seek balance in an increasingly disruptive digital economy.

Having worked in information security for more than 25 years, she established her leadership position early in discipline development looking at security from the identity, access and privilege management perspective. As an advocate for risk oriented resiliency based approach to cybersecurity, she loves understanding why people do what they do. Liz also leads efforts for gender parity, actively promoting cybersecurity and risk management as engaging careers for women. She is the executive sponsor for several family and women initiatives at EY. She received a BA in Biological Basis of Behavior and Spanish and an MA in Romance Languages and Literature from the University of Pennsylvania. Liz, thank you so much for being here today.

Liz Mann: Thanks for having me.

Chris: So to start at the beginning, we always ask this to all of our guests, how and when did you first get started in computers and security? Was tech computers and security always part of your interest or did you move down that avenue later in life?

Liz: Well, you just mentioned my majors in college, so it's... I've been pretty clear at this.

Chris: Yeah.

Liz: Slightly unconventional, right?

Chris: Sure. So how did you make the jump over?

Liz: Well, it's a great journey. First of all, I'll tell you that I am a strong believer in a diverse education as an undergraduate, and that's really what I went after. So I started off college thinking I was going to be a doctor, and after a premed program, fell in love with foreign languages, studied some of that, got a chance to edit journals, deliver speeches around the world, do all kinds of really exciting things. And at one point when I was nearing the conclusion of a PhD in Romance Languages and Literatures, which I loved and continue to love, I thought, "Well, I wonder what the rest of the world is doing and what I might do out in the business world."

So I went out looking for an opportunity to engage in the business world, understanding that my degrees were not specific to any kind of real business opportunity, but that my brain was well trained and that I was someone who could contribute. So I found an opportunity at a financial services organization that was having some trouble and they were navigating the rehabilitation of their organization, and so I found a way in as kind of a special project person. I like to think of myself as that kid on the bench who was just there to have a brain deployed at a difficult problem. And when we looked at the list of problems that were on the table, one of them was technology. And being the kid that I was, I picked the thing I knew the least about rather than the thing I knew the most about, and I dug in and it was in my mind, just another language and another thing to study.

So that's really how the journey began. We were looking back in those days at how to navigate a distributed environment where data was in a lot of different places. So that very neatly led me to the world of identity and access management, trying to understand how to grant people who were sitting in different offices in different locations across the landscape, access to the same data without corrupting that data or compromising that data in any way. So it was an unusual journey, but one that benefited, I think from my communication skills and from my willingness to go solve problems.

Chris: So tell us about your work at EY Advisory now. What do you do as the leader of Life Sciences and Health sectors in Americas Cybersecurity?

Liz: It's kind of a big set of words, right? What it really means.

Chris: Yeah. I had to take a minute to parse as I was looking at multiple websites, but yeah tell me about it.

Liz: I know. No doubt. Well, basically when we look at our cybersecurity business at EY, we focus very strongly on the different business sectors into which our clients are on. So what it really means to be a sector leader in cybersecurity is that I think about what does cybersecurity mean to clients or organizations who are part of that broader health ecosystem? What are they most worried about? What are the things that they're most concerned about? We're going to talk during the course of today's chat about risk and about prioritization of the things that you address. And one of the ways that we do that is by looking at what matters most? What are the things that really can't go wrong? How do we figure out how to make sure that we're optimizing our resources in our approaches.

So being a sector leader, what I'm really doing is focusing on understanding what is happening in that sector. What are people strategically worrying about? And then it would be my job to derive from those transformative forces in the industry, derive the risks that really would be significant and where cybersecurity could become an enabler of managing those issues. Does it make sense?

Chris: Yeah, it definitely does. So I guess to go one step down from there, for someone who's considering this type of work, walk me through your day to day. Like what kind of things do you work on a... obviously every day is different, but what kinds of things do you work on a daily basis? Where does your time go in an average week day?

Liz: Well, I think that the fun part about being in advisory business is it does change a lot, right? So some of my days are spent onsite with my clients and those are really fun days, right? Those are days where I'm onsite with people that I'm there to support with a team of EY professionals where we're talking about how do we make the most of the time spent with the client to make sure that we're doing the best that we can, that we're delivering quality. But there we're thinking, right? So since we're a part of an advisory business, while my business is cybersecurity, my colleagues around that client environment and around my firm are doing all kinds of things, finance, accounting kind of work, people advisory, transaction advisory, all kinds of things.

So we get to look at the broader landscape of things. But if I can go back to what happens in a day, some days I'm onsite with clients, some days I'm working with my team, trying to make sure that we understand that industry and we understand the commonalities that we see between clients so that we're bringing the best of the sector to our client's experiences. And other times I'm looking at our cybersecurity business and making sure that we're listening to the learnings from our clients and shaping our business going forward by listening to what seems to really be needed.

Chris: So it seems like you're customizing the solution to each individual group that you work with and each one has different set of challenges and so forth?

Liz: Yeah, I mean, there's a lot of challenges that are common, right? When we look at pharmaceuticals for example, you know, pharmaceutical companies are going to be concerned with product safety, patient safety, safe distribution of their products, safety of their inventions, their clinical trials. Those kinds of things are going to be common from people who are trying to address disease in a safe and secure way. And you go to perhaps a health insurer who would be part of that same health ecosystem but is less worried about IP around medicine and perhaps more worried about personal health information that they carry for their constituents. So, it's trying to understand the business of this ecosystem and aligning accordingly.

Chris: Okay. You describe yourself as an advocate for risk oriented resiliency based approach to cybersecurity. What does this mean and how does this approach to cybersecurity differ from the strategies most often utilized by organizations or security professionals?

Liz: We use a lot of big, long words. So yeah, to describe what we do. I think that one of the things I like to talk about in this topic is that cybersecurity started off as something that was like this weird scary thing in the back office in a data center someplace. And then it became the fear factor. It became the thing that everyone was using to scare people out of touching anything, right? "I'm on my computer, I can't click here, I can't open this, Oh my God, do I have a virus?" Et cetera, right? So there was a lot of fear involved. Then we got to a point where the pervasiveness of cyber threat and the actual understanding that cyber threat is a weapon that is used routinely today across the globe. You like it, you don't like it, you're afraid of it, you're not afraid of it, but the reality is that it's a part of our business world today.

So the question became can we turn that fear based tactic into something more positive? So when we talk about resiliency and a risk based approach, we're trying to convert from, "Don't touch that computer system." To what are the things that we're really banking on and can we make risk an exciting thing I think that enables transformation and at the same time embed the types of controls into that process from the very beginning. Here already where we reference a term called trust by design. So we think about the idea of resiliency and cybersecurity as an enabler of trust because we want our users to trust our systems, we want our customers to trust our product, we want our distributors to trust our formulas, et cetera, et cetera, right? So trust by design, cybersecurity at the early stage of an evolution of something and turning a negative into a positive, making security an enabler of transformation.

Chris: Okay. Can you give me an example of a process that was one way and then you came in and with this in mind, you changed the company's methods to a different one?

Liz: So one example might be a company that's considering a particular geography for a new location. So the question would be, should the company go to that geography, set up shops, start doing business with that company, and then explore the cyber threat that, that region of the world imposes? Or could we look at the question of cyber threat from a geographic perspective and say, "Let's get you a briefing before you go there on how to do business safely in that geography?" So that would be one way to change the game in a positive rather than saying, "You just set up this whole office and this whole feature and by the way, you're horribly exposed and everything's been stolen already," right?

Chris: Yeah, "Good luck."

Liz: Right. So it's not only more dangerous but more expensive to do it that way. It's much more efficient if we can put that into the design of the innovation or of the move. Another kind of an example might be if you're setting up a trial for a new medicine. So in a clinical trial environment, there's a lot of controls that go into clinical trials, but sometimes we're not thinking about the periphery, what third parties are accessing data, how is access being managed to that data? We talked about me as an identity and access management professional, and those things sometimes aren't thought of when you think about research, right? Researchers think that the IT people have it handled, and the reality is that that peripheral layer of access control could be the difference between a successful trial and an unsuccessful one. And that means big dollars too from the company.

Chris: Yeah, absolutely. So it always comes down to at the end.

Liz: Well, for the company doing the research, right? Imagine going all the way down that path and then finding out that something had been compromised and therefore the research is unacceptable to regulate.

Chris: Back at square one again.

Liz: Right? Yeah. There you go.

Chris: Absolutely. So you also note that at EY we are risk professionals and yet the pace of change today is so fast that an organization has the resources and capacity to address every risk with equal fervor. Since the pace of change isn't likely to slow down anytime soon, what are your strategies and recommendations for giving each risk the appropriate amount of energy and priority?

Liz: Yeah, so a lot of it goes back to that question of thinking about risk as a part of the journey, right? That we no longer can live by avoiding risk and cyber risk is no different, right? There are all kinds of risks that happen to actions in the marketplace, but cyber risk is here to stay. So the question is, have you thought about the questions about what really has to go right, right? What might surprise you down the path? Can you imagine what might surprise you and what could go wrong? And just try to, rather than say, "Oh my God, I hope nothing goes wrong," try to actually imagine what could go wrong? And then what controls can we build to make sure that that doesn't happen and nothing's perfect.

But again, it connects to that notion of aligning resources to the things that really, really matter in the strategy of an organization so that if the organization understands its purpose and that by definition that purpose drives certain prioritization that through a lens of cybersecurity, we're going to see risk in a slightly different way than perhaps a finance professional would or a procurement professional or an operations professional, right? So we like to say that we take that cyber risk lens to the question of what has to go right and then suggest what controls can we optimize to give you the best possible outcome.

Understanding that nothing's perfect, nothing's forever, but that iterative agile approach is what we would advocate because risk is changing fast, technology changes quickly, everything keeps moving, moving, moving. So the notion of a... I think the other thing that's important to note is that it's really a change from the world of compliance based controls to a more risk orientation, right? Understanding that, "Yes, we certainly have obligations to comply with, regulations and things like that, but if we only do compliance, then we're likely to fail on things that are critically important to us as a business." So that's what taking that risk lens to it means, and as we proceed through some of your questions today, I think talk probably about the notion of how different kinds of perspectives inform that risk. And that's how we as cybersecurity professionals then can build the controls that seem to align most of that risk.

Chris: Yeah, we hear that a lot of people who, something goes wrong and they say, "Well, we were in compliance," and stuff. But if that's all you're thinking about, then that doesn't necessarily cover everything. That's just a baseline.

Liz: Not a suitable strategy today, right? Again, it's not to say that compliance isn't important. It's certainly an obligation and a responsibility, but at the same time, looking at critical corporate risks, and I think the exciting thing about cyber today is when an organization is willing to look at risks with eyes wide open, most of the risks are going to be tied to some new initiative that is likely to have a digital component to it. Because where does innovation happen today if it's not digital at some level, right? Everyone's looking at automation and artificial intelligence, a cloud, at whatever you name it, right? So somewhere somehow there's something digital involved in the landscape. So the question is can we early on say, "What are the vulnerabilities? Where are the things that we should really build stronger defenses against? What are the crown jewels that, if they were tangible, I would put them in a really big safe." Right? And let's see what kind of digital protections I can build around them.

Chris: Okay. So as I mentioned at the start of the show here, we have been speaking for the last month or so to a number of women in the cybersecurity industry, women of color and getting their voices and experiences in the cybersecurity industry. So could you tell me a little bit about your experience as a woman in the cybersecurity field? Have there been some specific challenges and setbacks that you've had to endure that are likely not put upon men of similar background and skillset and how do you overcome them?

Liz: It's funny because I get asked that question a lot, and I think that when I grew up in this business, there were so few females that... I don't even know how to answer it from my personal experience. I think it's probably better if I answer that question on behalf of the women that I mentor and the people who experience it today, right? Because the world has changed since I started and I was always the only woman at the table and now I'm one of two at the table, or... it's not that much better to be honest. But we're trying and I would say that what happens with women is that part of the problem is that there are still so many fewer women in STEM or STEAM based programs in college that the number of women coming through with good quality education in this area is still small.

So the women who come in, they come in still as a minority and they're still counting on interactions with men in the field. So one of the things I like to say is that we're doing our women a little bit of a disservice today if we tell them that they should seek out other women mentors in this field to help them through. I'd like to think that those of us who are senior women in this field are teaching some of our male colleagues to be better mentors to the young women who come in. Because if we limit women to only women, then by definition we're going to run out and the equation isn't going to get any better. So I think in terms of obstacles, I often think that the very nature of the fact that women and men will by nature look at things a little bit differently and see challenges a little bit differently, they're, I hate to generalize, but as long as we're generalizing the reality is that women see challenges in a slightly different way than men do.

And the classic example is a set of requirements for a new job, right? A woman classically will look at a set of requirements. There are 10 on the list. She's got eight out of the 10 and she says, darn, "I'm not qualified." And a guy will look at the list of 10 and he'll have two out of the 10 and he'll say, "Oh, I got a shot." Right? It's just a slightly different bravado that comes into the process. So I think that women sometimes put, we put ourselves at a disadvantage from the outset because we see things very comprehensively and genuinely, and we're hard on ourselves a little bit professionally, balancing a lot of priorities. So it gets to be tricky. I think as a woman in cybersecurity specifically, it's been important to get used to being in an environment where there will be a lot of men and a lot of technically savvy men.

And we as women in the industry have to have both the competency and the willingness to push ourselves into a slightly less comfortable space. But you have to have the competency also. So you got to be willing to be a good student of this, to build the skills to know that you're not going to be easily snowed among a sea of people who have had different kind of training.

Chris: Yeah, we've heard those statistics before with regards to their postings and stuff. And I think another thing tied to that is we keep hearing about that there's this tendency in HR to create these job descriptions that are for a unicorn candidate. You need five years of this and these six certifications. And that further pushes things out because again, now you really have these uncrossable chasms. And if women are saying, "Well I definitely can't do that." And guys are like, "Oh, what the hell, throw a rope across, see what happens." But every incremental thing like that just pushes things in a backwards direction.

Liz: I think that it's a great point and the question of job descriptions is a great one, right? Because if we think back to the earlier part of this conversation about all of the things that impact our to zero in on cyber risk, I will tell you that my science experience helps me with the sector that I'm in. I can sit down and talk to a researcher and feel pretty comfortable having that conversation. I can't do that work anymore, but I'm not afraid to have discussions about DNA and RNA engineering and things like that. I understand what that is. So those skills actually help me a lot. Political science majors, history majors, good writers, good presenters, all of those skills bring a tremendous amount of value into this field. Now you have to learn the technical skills. You have to have an aptitude. You have to... because you don't want to be in this business with no skills technically because it starts to be like, "What are you doing here?" Right?

But at the same time, everyone has to learn when they come into a new field. So the one thing I would say at a firm like EY, what's great and what's exciting is that you don't have to have all of your skills on day one. We expect young people who come into the job market and need to build some skills in a practical manner. So that's kind of normal. So I would say challenge the job descriptions that people see and really take a shot at saying, "Look, I bring these things to this job and I'm going to need you employer to help me acquire these other things." And ask for it because you know what? Employers are struggling to find great talent today. They're really struggling. There is no unemployment in cybersecurity today. So don't tell me that there isn't a case to be made for someone with a slightly unconventional background who has an aptitude for technology and a willingness to learn couldn't make a case for a lot of these roles.

Chris: I totally agree. So tell me about your mentor and sponsorship roles for women in cyber and STEAM roles. How many young women do you mentor and/or sponsor?

Liz: A lot. Different levels obviously because I can't do the same for everybody. But what I do is... A lot of the work that I do in that area is through different organizations. So two of the ones that I help right now started at a very young age, they're working with high school students. So one is called GenHERation. The HER kind of highlighted in the middle. And another one is called Girls Who Code which I'm sure you've heard of. These are two organizations that are targeting education and exposure for young women to understand what's out there.

So I do some work with those organizations to help young women consider how they might explore a career in cybersecurity. And then there's you know, look, I'm a mother of two high school daughters, so I have, I think an appreciation for the way young women look at the world and want to explore, and I have studied the big macroeconomic trends that go on in the world today. We're over history I should say. And right now where we are is that people are coming into a workforce wanting responsibility, but also understanding that they don't have to on day one do what they're going to be doing on year 10, right?

They recognize that the longevity that is in front of them and they're willing to do things and explore and experiment a little bit more than maybe generations prior. So I like to spend time with them and with younger people and try to make sure it's on their radar as a possibility so that they don't think a career in cyber means sitting in a basement writing code, that there's more to it than that. And then inside of EY, I founded an organization called Women CyberSecurity, which is simply a national organization that seeks to connect women in cyber and cyber related fields to one another within EY, just for building a community. We know that women benefit from knowing that there are other women who are doing similar kind of work.

Chris: Absolutely. So I noticed that in 2017 you joined the Executive Women's Forum Board of Advisor. This board is a network of highly influential female thought leaders from the information security, risk management and privacy industries. Are you still with this organization?

Liz: I am.

Chris: And can you tell me a little bit about their work advocating for women in information security?

Liz: So we love this organization and I love being a part of their leadership team, but EY has been a sponsor of theirs for many, many years. In fact, I think one of the first sponsors, I think we celebrated 15 years with them last year. And this organization seeks to bring women in positions in the cybersecurity, cyber risk kind of professions together across the industry. So there's an annual meeting every fall where we get 500, 600, 700 women together. And it's really empowering for women who are thinking about these careers to see that many of us, right? We laugh because we put a women's sign on the door to the men's room because we know men.

Chris: Tell me.

Liz: So we can double the capacity.

Chris: There you go. That's great.

Liz: And then a very dear friend and client of mine, a man who came and spoke to this group two years ago, he stood in front of this whole giant group of women and was talking to them and said, "You know, I'm just kind of noticing that the only other men in the room are serving you all lunch." So it's an opportunity to see what the other side feels and to build a little bit of that spirit of leaning in to this field because you know that it's not anywhere near as tiny as it seems in terms of the network of women that are out there. So you get women from all different industries, companies, government, university, et cetera. You build a great network of friends and supporters.

And then the other thing that this organization that we've started doing is creating opportunities for younger women executives to have almost a millennial version of what we do at the more senior levels in this group, so that they're connecting with one another in a language and in a style that makes most sense to them. So it's being led by young women for young women and celebrating the rising stars of the industry. So, it's another way to really celebrate the power of women in this field and last quick comment is that an offshoot of this Executive Women's Forum has been an annual event on Capitol Hill where women from this organization gather together and meet with senators and various government officials talking about opportunities for women to impact the world of cybersecurity, cyber risk management in the United States. So that's been interesting too and really exciting to get to interact with people in that capacity.

Chris: Yeah. One of the things I'm really interested in speaking with you about here is you mentioned that you have the top level leadership group and then you have the millennial version freebie who are getting a little earlier in the industry and stuff. And you're a strong advocate for the goal of creating gender parity in cybersecurity, including in management leadership roles, and I feel like this is a pretty multifaceted challenge because you're not just moving a lot of women into the entry level, although that's the case, but you have to have this deep bench that you can keep promoting them into management positions, leadership positions, CSOs, CEOs, and things like that. So requiring undoing decades of industry-wide shortsightedness at most charitable, outright discrimination at the worst. So what are some of the most vital strategies to bring more women and minority professionals who are in the cybersecurity position at all levels?

Liz: So I think it's well one thing that you mentioned in terms of rising people up is to really look at a strategy around retention. Because the ability to move people up the ranks, it implies by design that you have some sort of strategy for them to feel like they want to stay the course in your organization. You know, as we invest in our more junior professionals, we want them to feel that they have a home in our practice. And even if they were to decide to depart for a period of time, I spoke with a young woman recently who has been exploring industry-based opportunities and I don't think for a minute that she's exploring this because anything's wrong with what we're doing today. I think she's exploring it to accelerate her level of experience in the field and with an intent to be able to come back as an advisor in the future.

So the combination of retaining women in our organization and retaining our network of alumni who depart and will consider coming back into the organization is strategically where I would look at how we maintain that network of connectedness to our women. But the women on my team know that there's nothing I like better than to see them rise through the ranks and work me out of jobs. I'll go find something else to do. It's a big firm, lots of things to do, lots of places to make an impact. So I love to see that. But I do want to say that I love to see it with the men that work in my team as well and what I don't like and what I worry about sometimes is our efforts around gender parity and our efforts around supporting our women. I don't want it to make our high-performing men think that they're not going to get the opportunities for advancement that they've also earned.

So I like to try to remember that we earn advancement and what we're trying to do with gender parity is make sure that women get their fair share of opportunities. But we're not saying that we should promote women who are not likely to be successful in a given... I think some organizations are failing by pushing women into roles that they're not well suited for or not prepared for because they're trying to balance the numbers. And I think that that's a risk, right? Because the last thing we want is to push women into a field and then have them feel like they're not [crosstalk 00:31:01] prepared or can't be successful. Right.

I tell it to my kids all the time. There's no problem with someone opening a door for you, but remember that once that door has been open and you walk inside, it's all on you. So don't walk through a door where you're not prepared to tackle the challenges that are going to be on the other side. So I think a lot of it for me is making sure that our women who are coming through the ranks are prepared. That we have programs to help them, that we have support there for them and that they see that we're investing in them so that they are the best choice. And then we can achieve gender parity and gender balance because it's good and because everybody who's advancing is earning it.

Chris: Right. I mean, the adverse of that of course is that women candidates might be the most qualified and then go through the ranks and then there's still that sort of feeling of, "Oh, she just got it because she's a woman," or whatever but that's...

Liz: Well, it's part of what we fight, right?

Chris: Yeah, to fight against. Yeah.

Liz: It's part of the problem and it's unfortunate, right? You know, to look at someone and say, "Well, she only got that because of X, Y, Z." And my guidance around that is that if someone thinks you only got there because you're a woman, then prove them wrong not by arguing with them, but by doing a great job. Because it may require a little bit of patience, but excellence at what you do is what unwinds those assumptions. Just defending your position generally will not solve that problem.

Chris: So how can we make the tech industry understand that more women in tech ultimately makes the entire industry stronger and more capable of solving problems in new and innovative ways? You mentioned that before a little bit, but...

Liz: Yeah. It's such a great topic and I do think that the tech industry is starting to recognize it more. I think that the recognition is there, the candidates aren't there. So I think that if we could fill the funnel more successfully that we might actually see some more impact. But I think that what I would say is that diversity of thought is really what solves hard problems. And whenever you are sitting at a table and everyone thinks the same way and everyone's nodding to passively agree with everybody around the table, you're probably not bringing the best and most creative solutions to a given problem. When I think about how complex cybersecurity is and how complex it is to make decisions about how to prioritize what you're doing, understanding that you're leaving yourself vulnerable in certain areas, right?

Understanding that you're going to walk into a board of directors and say, "Look, these are your top 10 risks. I've got funding and capacity to address the top four. I'm going to apply kind of basic hygiene to the ones at the bottom of the list and I'm going to hope for the best, but you need to understand that we have some exposure here and everyone has to make some very difficult choices." So we can't get to those choices without some really good thinking. And the good thinking comes from that diversity, whether it's gender diversity or educational diversity or geographic, religious, ethnic, I mean all people come to these things. At the end of the day, Advisory is a people oriented business, right? We rely upon all that different thinking to come to better conclusions and even to ask better questions.

Chris: And there also has to be an understanding at the management level or the leadership level that getting a bunch of different opinions when you think you have the answer already, hearing other things is not the enemy. You know, like there's definitely a lot of organizations where it's like, "Well we heard 12 different opinions, but I still like the one I had first." It's like you got to listen.

Liz: That's right. Absolutely. Absolutely. And it seems so obvious until you're in it, right? You know, and then you're in it and it's not so easy always to be the dissenting opinion in a sea of people who are all head nodding.

Chris: Nodding, yeah.

Liz: It's not so easy. But I will say that cybersecurity at the heart of it is a problem solving challenge and it's an industry that is seeking to do good things. Not to be the no police, but to be the people who are helping to secure the business operations that you're operating in, and to give you greater sense of confidence that your products, services, people, whatever it happens to be, will be more secure as a result of having done these things. But it's tricky, right? Because it's not an all or nothing. It's not an exact science. I don't know how many senior executives have come over to me and said, "Just tell me the things I have to do and I'll go do them."

Well, I wish I could give you a checklist because they just do these things, right? You know, people love to fall on, "I'm following the NIST framework and everything's going to be fine." Right? No. It's not as simple as that and yes, all of those things are our building blocks to good solutions. But in my mind, again, having the ability to change the game from, "No, no, no, you can't do that." To, "What can I as a cybersecurity professional do so that the executives in the companies that I serve say no less frequently?" Because they have trust in the systems that they've built because the security was built in from the beginning and they're not so worried about people misusing or damaging the data or the systems themselves. Then all of a sudden you build a culture of greater trust, greater excitement, greater enthusiasm, and then greater innovation comes forward.

Chris: So having worked in information security for more than 25 years, what tips would you give to women entering the world of security? What are some of the pernicious pitfalls that you've learned to sidestep over the years?

Liz: It's a great topic. There are many, but I would say, you know, not that many that necessarily are about being female. I would say that for me, one of the things is that what I've learned is that if you come into this business with an unconventional background, which many will, which I did certainly, that don't be accepting of not having the competency. You must learn what it is that you're representing. I am professional, an identity and access management professional. I don't want to be snowed by someone who knows so much more than I do because I know nothing, right? I might not be the senior most architect in our practice, but I'm pretty good at this stuff. I've got a lot of experience doing this and so I think that we have to not accept that we don't need to be technical enough to be a little dangerous in the discussion, right? We have to be able to be confident.

And I think that it's a classic failing. A woman will become a project manager and doesn't need the technical depth to understand how the code is being written or how the integration is being envisioned. She does need to lean in and say, "Show me, let me see the code." Code today is not a bunch of ones and zeros. Code can be read. So I think it's different. So that would be one, and the other lesson that I've shared before but that I really think is so important is that when you are in a difficult situation, check yourself and see if you're alone in that situation.

Because women tend to be very strong problem solvers and try to work hard to get something resolved. And a mentor of mine, a man by as an example, Chris said to me one day, "Well, you know what the problem is you're all alone in the boat and when you're alone in the boat, right? And the boat starts to sink, guess what? Your outcome is not likely to be very good. But if you have other people in the boat with you, you can put together a strategy where someone's going to patch and someone's going to row and someone's going to blow up lifeboat and you've got a much better chance at getting through." And I think that women by our nature have a tendency not to bring people into the boat when there's a problem and they seek to solve the problem. I have learned in my experience that being alone in the boat does not get you the best outcome. So that collaboration is critical.

Chris: So as we wrap up today, if we want to hear more from... if people want to know more about Liz Mann or EY Advisory, where can they find you?

Liz: They can find me on LinkedIn, they can find me on all the usual places and certainly they can connect with me at EY. I'm easily found on the ey.com public website, so you can find me. But LinkedIn is probably the easiest way. If someone wants to send me a message, I'm out there and happy to hear from people. We are certainly actively looking for great talent all the time. We all are. I personally think that our environment is one that welcomes people of all types with all different kinds of skills and even different kinds of challenges. People who are exceptionally great data scientists but don't want to be client facing, people who love to be client facing and strategic but are getting rusty on code. There's all kinds of ways to engage in this really exciting field that unfortunately or fortunately seems to be on the front page every day.

Chris: Yeah. Liz Mann, thank you so much for being here today.

Liz: Thank you very much for having me. I really appreciate it. Enjoyed the conversation.

Chris: Thank you. Me too and thank you all for listening and watching.

Liz: Take care.

Chris: If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in CyberSpeak with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search CyberSpeak with InfoSec in your favorite podcast app. To see the current promotional offers available for podcast listeners and to learn more about our InfoSec grow-life bootcamps, InfoSec skills on demand training library and InfoSec IQ security awareness and Training Platform, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Liz Mann at EY Advisory and thank you all for watching and listening. We'll speak to you next week.
