Cybersecurity careers: Risk management, privacy and healthcare security

Learn about different cybersecurity roles and career paths in this wide-ranging conversation with today’s guest Tyler Cohen Wood. Tyler discusses working as a senior intelligence officer for the Defense Intelligence Agency (DIA), overseeing cyber risk for AT&T and writing her book Catching the Catfishers. We talk about online privacy, implementing complex cybersecurity systems, healthcare security shortcomings in the age of COVID — and her blue-haired, pre-cyber years working in the record industry!

We’re also excited to share a new, hands-on training series called Cyber Work Applied. Every week, expert Infosec instructors and industry practitioners teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. You’ll learn how to carry out different cyberattacks, practice using common cybersecurity tools, follow along with walkthroughs of how major breaches occurred and more. And it's free!

[00:00:00] CS: Today on Cyber Work, Tyler Cohen Wood shares her journey as a Senior Intelligence Officer for the DIA, overseeing cyber risk for AT&T and writing the book Catching the Catfishers. We talk online privacy, implementing complex systems, healthcare security shortcomings in the age of COVID and her pre-cyber years with blue hair working in the record industry. That's all today on Cyber Work.

Also, I want to tell you about a new hands-on training series called Cyber Work Applied. Every week, expert Infosec instructors and industry practitioners teach you a new cyber security skill and show you how that skill applies to real-world scenarios. You'll learn how to carry out different cyber-attacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more, and it's free. Go to infosecinstitute.com/learn, or check out the link in the description and get started with hands-on training in a fun environment. It's a new way to learn crucial cyber security skills and keep the skills you have relevant. That's infosecinstitute.com/learn.

Now, on with the show.

[00:01:06] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in, or moving up the ladder in the cyber security industry.

Today's guest, at the risk of overusing a cliché, has really done it all. Tyler Cohen Wood is a cyber authority with 18-plus years of highly technical experience. As a cyber intelligence, national security expert, three-time author and public speaker, Tyler’s relied on for her wealth of knowledge and unique insights. She served with the Defense Intelligence Agency as a Senior Intelligence Officer, where she developed highly technical cyber solutions and made recommendations, significantly developing and changing critical cyber policies and directives affecting current and future intelligence community programs.

She helped the White House, DOD, federal law enforcement and the intel community thwart many cyber threats to the USA. She is the author of the book Catching the Catfishers and is currently working on a healthcare security venture. There's a chance that we're going to have more to discuss than we have time for in one episode and I have loads of questions for Tyler. Let's just get into it and we'll see where our conversation leads us. Tyler, welcome to Cyber Work.

[00:02:17] TCW: Well, thank you so much for having me, Chris.

[00:02:20] CS: I want to start at the beginning, of course, looking through your work background. It's pretty clear that you've been interested in IT and cyber security for quite some time. What was it that first drew you into the field?

[00:02:31] TCW: Well, I was always a nerdy kid. I was really into Star Trek and sci-fi. When I was in college, this was the very, very late 90s, we didn't have cyber security like we do today. At the time, I was very into music. Right after I graduated, I moved to New Orleans where I was a DJ at a radio station. I worked for a record label and a nightclub. I had blue hair, the whole nine yards. It was great.

[00:03:09] CS: We would have gotten along famously. That sounds exactly like my path at the time. That's so cool.

[00:03:13] TCW: Really? That's really cool.

[00:03:14] CS: Oh, yeah. I was a college DJ and then I worked as a DJ at the UFC station, even though I wasn't a student there. Yeah, all that stuff.

[00:03:21] TCW: Oh, that's awesome.

[00:03:23] CS: Yeah, yeah. Anyway, so was there a certain connection? The sci-fi aspect was a through line, but was there something about going from music and that interest into certain computers and tech?

[00:03:36] TCW: The radio station that I worked for in New Orleans got bought and they were changing formats. I had gotten very interested in computers. I decided that I would move to San Francisco, because it was at the beginning of the dot-com phase. I knew that they would hire anyone that wanted to learn, because they needed to have talent. I really started off at the bottom. I started off as a sysadmin. Very soon, discovered that I really liked complex systems and helping people protect themselves. That was what led me into cyber security, from sysadmin.

[00:04:20] CS: Okay. Yeah, because I was going to say, your work history and bio act almost as a pathway to the creation and use of what are now commonplace jobs. I looked at it and in 2003, it says you conducted internal and customer security vulnerability assessments using ethical penetration testing. By 2004, you were working as a digital forensics instructor. Two years after that, you were doing the same thing for NASA. Am I right in thinking that this is right around when the notion of digital forensics was just starting to become well-known?

[00:04:50] TCW: It was. It was. The lab that I would work for in 2004, it really got its start in 1999, right when I was in there.

[00:05:02] CS: You’re at the ground floor then.

[00:05:03] TCW: Yeah, I was on the ground floor. I’ve always been one that likes to investigate things. Forensics just really fit what I wanted to do. I really loved it a lot.

[00:05:19] CS: Yeah. How did NASA enter into that? Like you said, you were working in complex systems. Was there something about the work you were doing at the time that attracted them to you, or were you actively seeking to work with them and showing what you were doing as a model?

[00:05:35] TCW: Well, I actually worked for the Department of Defense Cyber-Crime Center twice. NASA was in the middle. I know it sounds crazy. The decision was based mostly on – Actually, it was based on I had a three-hour commute each way sometimes. I wanted to have a less of a commute. At the lab, a lot of the incident response was done for us. This was a good way to really get in incident response under my belt as well.

[00:06:16] CS: Okay. Okay. Yeah. Can you talk about your progression through those different things, the different aspects that you were doing? Going from incident response and digital forensics, to becoming cyber branch chief and then deputy division chief, science technology for the DIA. What were some of the milestone projects that you were working on, or just skill level ups, or whatever that you were doing that allowed you to jump so quickly into these high-ranking positions?

[00:06:48] TCW: Well, I’ve always taken my job very seriously, but I still know how to have fun. I wish that I could say I had strategically planned for it to go the way that it did, but that's just not true. That's just how it progressed. I think, one of the most important things was also building these strong relationships. Actually, that's how I got the job at DIA, because one of the agents that I had supported at the Department of Defense Cyber-Crime Center, he actually had the position at DIA. He was afraid they would fill it with someone that didn't have any cyber knowledge at all. He kept saying, “Apply, apply, apply, apply.” Finally, I said yes. I did. It was a great progression. It was like, going from forensics to the other side of the coin, so anti-forensics.

[00:07:52] CS: Okay. Can you talk a little more about that? How did your job responsibilities change and what you were looking at?

[00:08:01] TCW: Well, it changed pretty dramatically. Because now, I was no longer doing forensic cases, but leading a team that was developing a lot of the gadgets and a lot of the technologies, keeping our special forces safe when they were on their missions. I can't go into too much detail, but I don't know, I guess, it's the person who developed all those cool gadgets that James Bond had.

[00:08:32] CS: Yeah. You were Q.

[00:08:35] TCW: I mean, I had my hand in so many different things. I was on working groups. I helped pen some of the DOD initiatives and directives that are still being used today.

[00:08:48] CS: Did you have certain specialties in terms of the knowledge or experience that you had at the time? How did you leverage that into that job?

[00:08:55] TCW: Well, the thing I loved the most about this job was coming up with bizarre, complex systems that are actually very simple to use. Very unique ways to make something act, like it's supposed to and appear as it's supposed to, but also have other abilities. I really like out of the box thinking and I like thinking about futuristic things and also, piecing together, taking a problem and finding a solution. No matter how weird that solution may be, finding a solution.

[00:09:38] CS: Right. Now, I want to break into the notion of complexity, because I imagine a complex system in 2004 might be on a different scale than with the intense complexity that cyber security and connected systems and IoT and stuff have and big data and whatever have provided in the past 15 years. Can you speak to the notion of what complex systems were like in 2004, versus the same things happening now?

[00:10:06] TCW: Well, I went to DIA. I was there from 2010 to the end of 15. I mean, obviously, things have changed from 2016 to 2021. A lot of the same responsibilities are there. I wouldn't be surprised if some of the developments that our team created are still being used.

[00:10:36] CS: Okay. Yeah. You were definitely in the height of it at that point. How does that compare to what people think of as creating a more conventional security system? Can you walk me through what a little bit – just a real ground level thing of what a complex system looks like, versus the types of systems that would be normally created by someone in say, not a DIA type job?

[00:11:03] TCW: Well again, and I’m trying not to give away too much, because this is a difficult question to answer. I’ll put it this way. I’ll give you a hypothetical. If you had, say Chris, you were going to a country that had a very heavy cyber presence and you knew that you were being watched to make sure that you maintain your integrity that you were supposed to be maintaining, but you would essentially be able to hide in the noise. There's a lot of moving parts that go along with things like that. Honestly, I think that's much more difficult to do today than it was in 2016.

[00:11:56] CS: Interesting. Just because of, there's a lot more counter-measures?

[00:12:00] TCW: There's a lot more counter-measures, but also, in terms of technological growth, I almost can't believe how quickly things move.

[00:12:11] CS: How so?

[00:12:14] TCW: I mean, I remember when IoT was – 2015-16, IoT was getting big and telematics. Well actually, telematics was before that. All of these different systems were starting to come online and we had a lot of personal devices around us at all times, but we have significantly more of those now. There are just more threat vectors. It's just, the more technology that you have, statistically, the higher probability of an incident is going to be there.

[00:12:55] CS: Right. Okay. To move from – obviously, it’s a fairly sensitive topic of DIA and so forth. After this, became the director of cyber risk management for AT&T, could you talk a little bit about what it's like analyzing and creating solutions for a worldwide mega corporation like this and does that scale of things change, versus attempting to work with smaller companies or networks?

[00:13:20] TCW: Well, it's a really interesting question, because I have to say, there were a lot of similarities working in big government and also going to a major corporation. You're just dealing with a lot of – some of the same, I don't want to call it bureaucracy, but you just have to know the steps that you can take, so that you're making sure that you're always staying within your lane. It was similar, but different at the same time, because it's a more – You can talk about it. People used to ask my husband if he hated the fact that I couldn't tell him what I did. He's like, “No way. She can't complain about work. It's great.”

[00:14:19] CS: You can find the upsides where you can.

[00:14:21] TCW: Exactly.

[00:14:24] CS: Okay. It sounds like, most of the difference in terms of working with something on that scale is like you say, some of the clearances and working around the built-in provisions and so forth of a large corporation like that.

[00:14:40] TCW: Well, whenever you have a giant corporation, you're going to have a lot of other smaller businesses that you can incorporate –

[00:14:50] CS: You’re working with the whole ecosystem, I suppose.

[00:14:52] TCW: Right. It's a difficult way to work. As you're continuing, you're starting to remove those temporary band-aids and putting genuine solutions in place, so that all of the different systems run together.

[00:15:09] CS: Okay. Got you. I mean, is there any aspect of that job that you can talk about in terms of things that you implemented, or that were particularly interesting, or that you're especially proud of?

[00:15:25] TCW: I think some of the things that I worked on may be more – even more confidential than when I was at DIA.

[00:15:33] CS: Okay. Got you. No worries. Yeah, I guess to move from that, from all the – because you have these confidential, or also, these high-level large corporate, or large – nationwide things, you moved from all of this to becoming a keynote speaker and private consultant primarily. Can you talk about what the impetus was to make this massive change? Was there a certain feeling of you'd gone as far as you could in this particular direction and you wanted to use your insights otherwise?

[00:16:06] TCW: Well, I wrote Catching the Catfishers in 2014. I was still at DIA. I started doing a lot of media and speaking about the book and moving into doing cyber security keynotes. Doing that as a senior intelligence officer, especially at the level that I was at, it just gets really tricky. It was one of those things where I had to make that decision, which way do I want to go. It was very hard for me to leave DIA. I loved it there. It was very important to me to be able to reach a larger audience on a grander scale. That is why I switched.

[00:17:00] CS: Okay. What types of projects and events do you work on now in this capacity? What is your average work day as a go-to security consultant, or at large cyber security authority look like?

[00:17:16] TCW: Well, I think it looks like I see the future of work looking like, where you're working on different projects. Not necessarily working for one company where you go in, you do your job and you're always focused on that particular job. Now it's more presentations doing writing. Also, working within the cyber security influencer community too. There's just a lot of different things. I am starting a new venture, which is taking up quite a bit of time, which we’ll go into, I think, in a later question.

[00:18:00] CS: Absolutely. Can you give any tips to people who maybe are working for a company right now, but might want to go into business for themselves as a consultant in cyber security? What are some pitfalls that you have learned to avoid over the years?

[00:18:16] TCW: Well, when you're working for yourself, you really have to be passionate about what you're doing. You also have to be very self-motivated. If you're like me, you have to make sure that you can stick to a schedule. Because I like to do lots of different things at the same time. I’ve learned that it's easier to stick with one thing at a time and then move on to whatever the next thing is.

[00:18:50] CS: Okay. Among other things, you definitely need the ability to create your schedules rigorously, so that you don't find yourself chasing down rabbit holes.

[00:19:03] TCW: Right. Also, I think it's really important to sit down and have a very honest conversation with yourself and really plug out your strengths and weaknesses, so that you can – if you're building partnerships, you can make sure that the people that you're bringing on to your company help fill those gaps that you may have. It's very hard to do a business in a vacuum. You really do have to work with other people.

A lot of it is relationship building. A lot of it is being flexible too and understanding that the idea that you have in the beginning, it may not be exactly what you hope for. You have to be flexible, but you also have to pick your battles and pick your battles wisely, because there will be some things that you have to stand your ground on.

[00:19:59] CS: Yeah. Now, do you have a support staff that helps you with bookings and scheduling and all that?

[00:20:06] TCW: I do. I work with a speaker's bureau for that.

[00:20:09] CS: Okay. Okay. Yeah, so let's talk about the book a little bit. In 2014, you published Catching the Catfishers: Disarm the Online Pretenders, Predators, and Perpetrators Who Are Out to Ruin Your Life. It's a book you described as being even more relevant now. Can you talk about the book for people who haven't read it, or don't know about it and how the world of online privacy has changed since 2014?

[00:20:31] TCW: Sure. When I wrote the book, when I was at DC3, Department of Defense Cyber-Crime Center, I worked intrusion cases, which are cases where something's been hacked. Then, I also work major crimes cases. The major crimes cases really had an impact on me. Those involved exploitation of children, sexual assault, strangely enough, suicides, because it has to be investigated. Then fraud, embezzlement, that stuff.

Just seeing the things that I saw while I was there, I really wanted to find a way to teach kids and parents how to protect themselves in this online domain in a very easy to understand way. I looked to see if there was some book that did that, so that I could recommend it to people, but there wasn't, so I wrote it. I have this weird forecasting, future casting, I guess, ability where the things that I’m talking about, they tend to be a little bit before their time.

This book came out in 2014 and I talked about the privacy that you're giving up when you're using social media sites, talked about the terms of service. I warned about a Cambridge Analytica type event happening. Also, when we're dealing with the online persona and vetting of who you're talking to is actually who you say they are, or who they say they are, all of those techniques are still very relevant today.

[00:22:26] CS: To speak to that, obviously, people are always – every day, I go on Facebook and I see people who are still playing the what Harry Potter character are you game, or whatever, where they're giving their identity off to third-party groups. What are some of the more egregious things that you see happening even now that we “should know better”? What are some of the worst cases that you think are really still causing the worst of the problems?

[00:22:54] TCW: Well, I think that we have some issues, because there's a lot of information that's already out about every individual. Some of it, even if you don't have a Facebook or a social media account, there's still information that's being collected on you based on someone who puts up your picture, or like, “My husband doesn't have his own Facebook account.” I post pictures of him. We talk about him. All of that information is being recorded.

Even though they strip the Exif data, which is metadata, it's information about where about the camera that took the photograph, including the exact geographic location. Even though they strip that out for what's posted, they still keep that information. They tell you what they're doing. The difference between 2021 and 2014 is that it's not just enough to read the terms of service. If you want to have a professional life and a professional profile, you have to use these different types of social media outlets. We're seeing right now that there's a lot of calls to action with a lot of the technology companies in terms of who owns that data and what can they do with that data.

[00:24:30] CS: Yeah. Now, do you have any quick tips? Like you said, a lot of this stuff, we can't get away from using social media anymore, especially if you're in a public position, like you have to have a Twitter presence, or you need to have this or that. What are some things that you recommend across the board that people don't always do to make themselves safer in this regard?

[00:24:54] TCW: Well, one of the things that I would highly recommend and this isn't – I don't think this is a safety issue, but I’ve noticed a lot of people getting into political fights. It's almost political wars. I’m always very cautious about that, because I just don't – I just think that if someone is looking at your profile, and this may not actually even be true, because 2020 really threw everything up into people. Prior to 2020 –

[00:25:32] CS: Anybody’s game. Yeah, right.

[00:25:33] TCW: - I would have said, don't do that, because there are employers that are checking, are looking at your social. Future employers looking at your social media. This stuff is even if you delete it, it still exists somewhere. 2020 has thrown things for a loop.

[00:25:53] CS: Yeah. I mean, in terms of the political landscape, or the work from home landscape, or just the way that we operate in the online world.

[00:26:03] TCW: All the above. All the above. We still don't know what things are going to look like. We're going to see a lot of changes, a lot of changes and in this space too.

[00:26:20] CS: Now, I mean, this obviously is a topic that's been done to death for the last 10 months or whatever, but you have any thoughts on how privacy and online literacy have changed, or have to change in the wake of COVID-19 and the mass work from home push?

[00:26:35] TCW: Well, I think privacy and online literacy, they're more important than ever, especially in the era of COVID. I believe, general attitudes toward privacy are changing due to this new normal that we're in and also with working from home. It's just changed us a little bit. There's a heightened awareness around online privacy, but people still freely give away personal information online and sometimes you have to and sometimes you may have to.

Phishing is still rampant and hackers are starting to use AI and machine learning to really ramp up their attacks. I think in terms of privacy, bringing on contact tracing and other COVID-tracing capabilities, I think we're going to have a – there's a war, basically, being waged between privacy and trying to contain this pandemic. Somewhere in the middle is where I think things will fall out. I do think that HIPAA's going to have to change too. There are going to have to be some changes to it.

I don't know if you knew this, but during the – in March when we were really aware of the pandemic and people started moving to telehealth, a lot of the HIPAA penalties for telehealth were lifted. I think we're going to see a lot of changes in a lot of the structures that we hold dear. I will say this too, I love technology, but it also scares me a little bit, because I’ve been trained my entire career to be paranoid and look for problems and issues and holes. I think, that I may be a little bit paranoid, but I do think that we're going to move to a lot more managed services and I think we're going to see an explosion in home cyber security as well.

[00:28:55] CS: Okay. Can you talk about that a little bit? What are the strategies, or products that you see on the horizon for people? Because we're all basically our own office at this point.

[00:29:06] TCW: Well, we're going to see more products for securing your phone and more AI type products warning you, do you really want to let this emoji app have access to your camera, your microphone, or other types of things? I think we'll start seeing a lot more programs that actually help us with that. We're going to start seeing a lot more helper apps. That's, I guess, what I would call them, that would do that for you. Would say, “Hi, Tyler. Did you know that this application is doing this? Are you sure you want for it to have this access?” We're going to start seeing a lot more helper apps, not just for exercise, health, weight loss. We're going to start seeing them for security as well, cyber security.

[00:29:57] CS: I think that's good. When you hear about people being exploited by backdoor, or this thing, or that thing, a lot of times they're like, “I didn't have the slightest idea that this was going on.” How would you? Like you say, if you're not reading – even if you are reading terms of services, not always written to be the most translucent, or what have you. It seems like that would make a good sense to have a backup like that. You see it a little bit now with malware programs installed in your browser and it'll bounce you back from a site and say, “Uh-uh. Not there.”

[00:30:31] TCW: Not there.

[00:30:32] CS: Oh, no. Not that. Yeah. You think that's going to be a pretty commonplace thing, is that they're going to be things that will be checking your system and saying, “You're losing a lot of data this way, or your camera is being looked at through this other thing.”

[00:30:48] TCW: Exactly. A lot of it will be more based on also, the home network, because let's say this vaccine works great, everything's great. Well, people have now seen that we can work remotely. I think that that's going to open a lot of doors for a lot of businesses that are doing home security type of applications.

[00:31:14] CS: Yeah. I mean, can you talk going one step further from that about the general muddling of the work-life balance, when everything is at home now like this, do you have any thoughts on how to – especially if you only have the one computer and you're splitting time with it, or your kids using your work tablet to watch SpongeBob or whatever. What do we do to keep these things as separate as possible?

[00:31:42] TCW: Well, I mean, I always recommend using a separate network for any of your work devices. Also, knowing and also making sure if you have any personal assistant devices, that you unplug it, or you turn off the recording features when you're actually in a business meeting, because we still want to protect intellectual property. I mean, I look at a lot of devices and I see insecurities. I see holes, but that's not entirely fair, because a lot of these systems, that's another thing is that there's been so much innovation in cyber security and in so many other verticals in just this year alone, because of necessity.

If you can, I would highly recommend that you do not let your kids play with your work computer, or your work tablet. In fact, that's probably in – if you had to sign a conduct contract for your employer, I would assume that is language that would probably be in there.

[00:32:53] CS: Yeah. That's definitely one where I don't think you would be able to get away with saying, “I didn't know I couldn't do that.”

[00:33:00] TCW: Well, and hackers they're very good. They know what they're targeting. Then, having your kids at home, in school, that's another method of entry into your network.

[00:33:15] CS: Yeah. At the start of the show, I mentioned the name of the show is Cyber Work and I’m enjoying talking about your cyber security journey. I was wondering if you have any tips, or suggestions for professionals who want to move up the ranks in similar ways that you did in forensics and risk management, or just start down the road in the first place. What are some soft skills, hard skills, certifications that you recommend for people just getting started now?

[00:33:43] TCW: I think the CISSP is a really good one to start with. For new graduates, one of the biggest problems, I think, that they face is that cyber security has so many different specialties. There may be a specialty that someone would be very good at that they may not even know exists, like forensics. How do you get from doing – do something like forensics? Well first, you have to know that forensics exists and that it would be something you're interested in.

In terms of soft skills, flexibility, really working hard and also, making sure that if say, you do know you want to get into forensics, well, go online, go on LinkedIn, go on Twitter, start exchanging messages with people that you respect, or would hope they would mentor you. You can certainly ask, “Would you be interested in mentoring me?” There's also some really great groups that mentor kids and they also mentor professionals that are trying to, whether they're in cyber trying to move to something else, or from a completely different career move into the cyber security field.

I will tell you, one thing that every single person trying to switch the career moving into cyber security has on their side is there is an enormous shortage of people in these positions and they need to be filled. Like, how I just with my blue hair, moved to San Francisco, I was able to get my first job. I think that trend is back now, because we do have such a shortage of skilled people.

[00:35:38] CS: Yeah. One of the things that I keep hearing from other guests is that people outside of a tech field can still do really, really well in cyber security. That the tech can be taught, as long as you have the problem solving skills, or the drive, or the communication skills, or the ability to explain your concepts to other people and so forth.

The other thing – mic there. The other thing that I’ve really noticed is that even people who are heads of companies and high-level, all kinds of ranking executives are all saying like, “Hey, hit me up on LinkedIn. I’m happy to answer any questions you have.” The cyber security community is astonishingly open in terms of helping people out, who are just getting started, it seems like.

[00:36:20] TCW: I mean, I’ve noticed that too. I think it's a really, really great community to be involved in, because there is a lot of compassion. I mean, I’ve just been pretty lucky, I guess, that the majority of people I’ve worked with and have known, they've been very helpful and they do want to help other people get into the field, because they understand the shortage.

You are right. I mean, for something like forensics, you want to make sure that you have the right soft skills before going into it. For that, you really need an investigative mindset, where you like solving problems, figuring out, “Well, who did it.” Also, doing the work to get there, because you can't just go from starting off to being a top-level person overnight.

[00:37:22] CS: Yeah, you're not going to be trying your first case in court in a week. Yeah. One of the things that we talk about in terms of the skills gap and believe me, if you take a drink every time we mention skills gap on this show, you'll be in the hospital. There you go. Take a drink. One of the things that's often brought up is that some of the hiring pool is maybe from shall we say, somewhat of a homogenized place, and that there are not as many women and minority candidates that are coming in, or they feel intimidated, or what have you, or don't think it's for them. Do you have any tips for any women entering the world of security, or attracting women into cyber security?

[00:38:12] TCW: Well, yes. I think, there's a – Not I think. I know. There's a lot of cyber security women organizations now that are really helping more women get into these roles. Diversity is something that's very big. It's something that has to happen too, because when you have diversity, you can see things from different perspectives, because you have different sets of eyes on a problem. Really with cyber security, one of the things I love the most about it is the – we're all in this together attitude, that most people that I’ve worked with, or worked for in the community that they have that attitude. They do want to help.

[00:39:04] CS: There definitely seems to be a tidal shift, especially in the last couple years where people are not so much deciding whether or not we need to be more diverse, but it's like, how are we going to fast track this so it actually happens?

[00:39:16] TCW: Right. Exactly. Again, it's just the being aware of what the opportunities actually are. That's something that we're starting to see more of, but it would be good – I want someone to create a great infographic that just shows all the different possibilities.

[00:39:37] CS: Yeah. All the scenarios, what are the better things that happen as a result and so forth. You teased it a little bit before and I want to talk more about it, but you're currently working on a new healthcare venture. We talked about HIPAA a little bit and healthcare security. Can you tell me a bit about this venture, how it connects to healthcare security at the moment and some of the things that you want to talk about with regards to the way HIPAA is doing its business?

[00:40:12] TCW: Sure. Well, there's going to have to be some changes to HIPAA, especially if contact tracing is something that we start doing. If people are now being required to prove vaccination or COVID test to get on a flight, there's just going to have to be changes, because data owners of this information, they haven't been – flights do not typically have healthcare information on them, but now they will, like airlines. We're going to see some shifts there.

In 2018, I got sick and went through the healthcare system. I started seeing some issues and in particular with my case, because what I have crosses specialties. Started developing some charts to help the doctors along the way. I really wanted to do this system. Eventually, it is this system that actually helped diagnose me. Obviously, confirmed by doctors. I suspect that I may not have gotten a diagnosis if I hadn't been testing logic statements for this system.

[00:41:39] CS: Wow. Okay. Can you tell me a little bit more about that, how that would be implemented on a large scale?

[00:41:47] TCW: Sure. What the venture is, what the system is and I can't talk a ton about it, because we're still waiting on a patent, which I literally just got – I told you, I got the discovery paperwork –

[00:42:01] CS: That's awesome.

[00:42:02] TCW: - just five minutes before we got on this call.

[00:42:04] CS: Wow. Yeah. You are literally hearing about this. I’ve got a scoop here, it sounds like. Very quiet scoop, but yes.

[00:42:13] TCW: I started realizing almost immediately that there's just a siloed approach in healthcare. Really being able to bring together the best of the healthcare system and the best of AI and machine learning to really up the ante, in terms of medical knowledge that we have. I mean, you can break it down to its most simplistic concept, which is you may not know the answer to what your health condition is, or your problem, but somebody knows the answer. Or a couple of somebodies, when put together have the answer. It's just a matter of bringing together the right people.

[00:43:04] CS: Okay. Now to that end, I want to talk about the security aspects of these things and specifically, about HIPAA. Back in the late 90s, I was working for the Chicago Medical Society and we were right at the point where HIPAA was just being uttered by doctors who had been still working in typewriters and paper up to that point. We were trying to get them to upgrade off of Windows 3.1 or whatever. I haven't really followed the arc of HIPAA in the meantime. I mean, obviously, we have a lot of articles on our site about healthcare security and so forth. Can you tell me a little bit about the way HIPAA works now, what you think is restrictive about it, the ways that you think it needs to change? It almost sounds like, it's maybe overcompensating at the moment right now to account for certain things? Because it was a real wild west in terms of sharing data in the late 90s and stuff like that. It almost sounds like they might have clamped down too hard maybe in your opinion?

[00:44:06] TCW: I don't know if it was that they clamped down too hard. I think that it was working pretty well. COVID threw everything into a tailspin. It has really changed everything. There's going to have to be some changes. There just will, because to be able to do the contact tracing, or to continue doing telehealth, there's just going to be some changes. We're going to see a lot of transformation in this industry. We've already started seeing it, but we're going to see a lot more in this coming year.

[00:44:54] CS: Yeah, it sounds to me like, it almost might require something similar to GDPR for healthcare, in the sense of really strictly enforcing the right to be forgotten and stuff. Because there's so much of like you say, for contact tracing, you're going to be harvesting just a bajillion amounts of data and you're going to have to find a way to safely dispose of it, I imagine at a certain point, right?

[00:45:19] TCW: Yes, yes. I’ll tell you something, one of the things that I’ve learned over my career is that just because I am paranoid and I’ve been trained to be paranoid to look for potential holes in every single capability, that doesn't equip – People that are not in cyber security, they just want to do their jobs and they just want to live their lives. Oftentimes, if you ask people, “Well, what do you think about cyber security? How often do you think about it?” I actually did this. I asked a lot of people in different verticals. All of them really came back with very similar responses. That response was, “I only think about cyber security when it's inhibiting me from doing my job.”

Somewhere in between, we can't be so paranoid that we've taken the steering wheel, the wheels, the seats off of the car, because no one's going to steal it, but you can't use it either. Finding that common ground.

[00:46:28] CS: Again, I keep going back to the doctor side of this, that a lot of the initial HIPAA regulations were – the main stick point was like you said, people just want to do their jobs. In this case, doctors were so overstretched anyway that the idea of implementing this new system, or this new oversight system was just impossible for them to sneak into a 16-hour a day. I mean, do you have any thoughts of how we're going to make these changes without disrupting service across multiple industries?

[00:47:02] TCW: Well, I think you're going to see managed compliance, managed service companies, which you're already starting to see that deal strictly with compliance. You're already starting to see specific cloud vendors creating healthcare clouds. I think, compliance may end up being something that's shifted off frequently to a third-party.

Again, there are going to be changes, because especially like you said, the healthcare professionals are – they're overworked, they're exhausted. They're dealing with something that we've never really seen before. I’m sure that at the end of a 10-hour day, or 12, or 14, or 16-hour day, that's probably not something that they're thinking about. I’m not so sure that it should be something that they have to think about. I think that it should be something that there are third parties, or there are applications, or there are tools that can help take that burden off of them.

Because then, there's also no doctor can sift through hundreds of pages of records and put them in a chronological order. They just don't have time to do that. That's really where bringing together the best of the healthcare profession, which there are some really great, great things being done out there and some really wonderful doctors. Again, they don't have time to do all of that laborious work and that's where the machines can come in and take some of the heavy lifting off of them.

[00:48:53] CS: I think that's a great place to wrap up here. Now, I want to send you on your way here, but I also want to give you a chance to tell me a little bit about what sorts of things you've got coming on the horizon. Obviously, you have this very large project that we can't talk about, but do you want to plug any speaking events that you're doing, or any keynotes, or appearances, or any other things you want to talk about that are coming up for you?

[00:49:19] TCW: Well, I think right now, it's just keep watching, because this venture is going to be coming out pretty soon. Very excited about it. If anyone has any questions or anything like that, they can always find me online. I’m on LinkedIn. You just put Tyler Cohen Wood. Twitter, Tyler Cohen Wood. Facebook, Tyler Cohen Wood, I think. I don't use Facebook as much.

[00:49:51] CS: Okay. That's not the place to find her, folks. Okay, when you have more details on this new venture, you'll be announcing them in these places?

[00:50:00] TCW: Oh, yes, yes. We can even do a follow-up, so I can talk about –

[00:50:05] CS: Yeah, that sounds great.

[00:50:05] TCW: - how it works and what it will do and what it won't do.

[00:50:10] CS: All right. An appointment is being set as we speak. All right, so I will wrap up with that. Tyler, thank you so much for being my guest today. This was really, really interesting and fun.

[00:50:21] TCW: Thank you so much, Chris. I had a great time too.

[00:50:23] CS: Well, good. Thank you all, as always, for listening and watching. Just a reminder that new episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video at our YouTube page and on audio, wherever podcasts are downloaded.

Also, don't forget to check out our hands-on training series titled Cyber Work Applied. Each week, expert Infosec instructors teach you a new cyber security skill and show you how that skill applies to real-world scenarios. Just go to infosecinstitute.com/learn to stay up to date on all things Cyber Work Applied.

Thank you once again to Tyler Cohen Wood and thank you all again for watching and listening. We will speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.

Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.