Working at The Analyst Syndicate, AI ethics and sneaking into DARPA
Diana Kelley of The Analyst Syndicate is on the podcast to chat about her 25-year-long career in security. She touches on artificial intelligence and machine learning ethics, sneaking into DARPA in the '70s and much more.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
- 0:00 - Intro
- 3:14 - Getting into cybersecurity
- 11:51 - Cybersecurity changes in the past 25 years
- 15:34 - Choosing exciting cybersecurity projects
- 19:49 - What is The Analyst Syndicate?
- 23:00 - Editorial process at The Analyst Syndicate
- 26:26 - Changes in security from the pandemic
- 32:22 - Combating fatigue at home
- 34:35 - Digital transformation
- 39:25 - Bringing more women into cybersecurity
- 43:08 - Tips for hiring managers
- 46:16 - Using AI and ML ethically
- 51:50 - Tips to get into cybersecurity
- 55:15 - Kelley's next projects
- 56:18 - Learn more about Kelley
- 57:08 - Outro
[00:00:00] Chris Sienko: Today on Cyber Work, I get to talk to Diana Kelley of The Analyst Syndicate and, well, a lot more things. We talk about Diana’s inspiring 25-year security journey, her many projects aimed at educating new generations of cyber security professionals, the ethics that need to go into the practice of AI and machine learning and tales of sneaking into DARPA in the 1970s for the nefarious purposes of accessing instructional manuals. That’s all today on Cyber Work.
Also, let’s talk about Cyber Work Applied, a new series from Cyber Work. Tune in as expert infosec instructors and industry practitioners teach you a new cyber security skill and then show you how that skill applies to real-world scenarios. You’ll learn how to carry out a variety of cyber attacks, practice using common cyber security tools, engage with walkthroughs that explain how major breaches occurred and more. And believe it or not, it is all free. Go to infosecinstitute.com/learn or check the link in the description below and get started with hands-on training in a fun environment while keeping the cybersecurity skills you have relevant. That’s infosecinstitute.com/learn.
And now, let’s begin the show.
[00:01:11] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry.
Diana Kelley’s security career spans over 30 years. She is cofounder and CTO of Security Curve and donates much of her time to volunteer work in the cyber security community, including service on the ACM Ethics and Plagiarism Committee, CTO and board member at Sightline Security, board member and inclusion working group champion at Women in Cyber Security, cyber security committee advisor at CompTIA, advisory counselor at Bartlett College of Science and Mathematics, Bridgewater State University, and the RSAC US Program Committee.
Diana produces the My Cyber Why series and is the host of BrightTALK’s The (Security) Balancing Act and cohost of the Your Everyday Cyber podcast. Diana’s also a principal consulting analyst at TechVision Research and a member of The Analyst Syndicate. She was the cybersecurity field CTO for Microsoft, global executive security advisor at IBM Security, GM at Symantec, VP at Burton Group, now Gartner, and manager at KPMG. She is a sought-after keynote speaker and the coauthor of the books Practical Cybersecurity Architecture and Cryptographic Libraries for Developers. She has been a lecturer at Boston College’s master’s program in cyber security, the EWF 2020 Executive of the Year and one of Cybersecurity Ventures’ 100 Fascinating Females Fighting Cyber Crime.
You can see Diana isn’t one to spend a lot of time waiting for opportunities, so today’s episode is going to cover a lot of ground. From Diana’s security journey, her wide-ranging media offerings, podcasts, lectures, The Analyst Syndicate and some thoughts on the impending changes that might be happening in the cyber security industry post-COVID. So let’s get to it.
Diana, thank you for joining us today on Cyber Work.
[00:03:02] Diana Kelley: Oh, thanks so much for having me here, Chris.
[00:03:05] CS: My pleasure. So as you can see, that was a multi-minute scroll of your accomplishments. So obviously we have to ask about your origin story. What got you interested in cyber security in the first place? What was the attraction?
[00:03:21] DK: Well, it started actually with technology. So there were sort of two technology-to-security incidents that happened in my life. So my first, I absolutely fell in love with technology when I was 9 years old and my dad brought home a programmable Texas Instruments calculator and I was like, “Oh my God!” And I think he thought my brother might be more interested, not because of a gender thing, but just because my brother was a little bit older and seemed to be more technical and I was kind of more arty. But I absolutely fell in love with this thing. I was like, “Oh my God! You can program this calculator,” and I thought it was absolutely amazing.
And then a few years later we built a Heathkit computer together and ultimately I was –
[00:03:58] CS: Oh cool! Heathkit, that’s a name I haven’t heard in ages. That’s so cool. Oh man!
[00:04:02] DK: Yeah. So for listeners, we are talking the mid to late 1970s. We’re taking you back a little bit.
[00:04:10] CS: Yeah. Yeah. Heathkit was a whole range of things you could order through the mail and it just had all your circuit boards and you just build it all yourself. You build a radio. You build a – I didn’t know you could build a computer. That’s amazing.
[00:04:19] DK: You could. You could. I mean, then like we could advance to like the TRS-80s, the level 1 and level 2. So like then it was like the PC started to be a thing. But yeah, early on you had to build your own. And if you’ve ever seen the movie WarGames with Matthew Broderick.
[00:04:34] CS: Oh yeah, many times.
[00:04:35] DK: I think actually in my time I had a dial phone, but you need to take this phone and put it into –
[00:04:40] CS: Take the whole phone receiver.
[00:04:42] DK: A modem coupler. Yeah, that’s how I got started. My dad was a research professor at MIT and Lincoln Labs so he was able to get an account. So it was a limited account. The DARPA, because MIT was connected to the DARPA in the 70s, so I was able to modem couple in to Tech Square at MIT in Cambridge with their PDP-10s and 11s and they were connected then to what was the DARPA at the time, which was, I think, I forget the exact number, but we’re talking like maybe 200 servers total on that. So the “Internet” is these 200 devices.
[00:05:20] CS: For folks who don’t know what DARPANET is, like we’re talking about the literal like birth of the internet here, and you were right there. Yeah.
[00:05:30] DK: Yeah, and I fell in love. I could talk to people in California, and this is back in a time when, again, for people that are of a certain age as I am, you might forget that actually it was extremely expensive to call outside of your calling circle back in the day. So even calling to a different state, calling across the country was cost-prohibitive for a while. And so as a kid I didn’t –
[00:05:56] CS: Especially for durations like that.
[00:05:57] DK: Yeah. And I didn’t have access to being able to call. But now suddenly I was on systems and I could speak with people in real-time in California and in D.C. Again, as we think back to the 70s, people may not realize that we actually had email. We had instant messenger, it was called talk. But it all existed. It didn’t look as pretty and it was not mobile in that you could like carry it around in your pocket, but we had those. And so I was just blown away. I was like I’m absolutely in love with this. And I wanted to know more about how the systems worked and I found very quickly that I didn’t have access to read some of the manuals that were online.
And then I found out that there was a flaw in the login system so that when you logged in what you saw on your screen was actually asterisks as you typed your password, but there was a vulnerability in that and you could actually go through the system. You could kind of see what other people were typing. So I got the password of an admin and I logged in. This is essentially superuser code. Logged in as me and then I logged in as this admin. I did at that point have access to all the manuals I wanted to read, but promptly the next day my father sat me down and had a conversation with me because the admin of the system saw what I did and said, “Look.” Again, if you’re a 13-year-old child in 2021 and you say, “Oh, I didn’t know what I was doing. I didn’t mean any harm.” You don’t have a lot of flaws and liability. But in 1978, 1979 that was actually – These were so new. These systems were so new that they gave me the benefit of the doubt. I have been told since then by some people in the government like, “Don’t worry,” because there was no hacker thing. They just said, “Look, we saw what you did. We know that you just wanted to read the manuals. But what you did was wrong. You can’t take somebody else’s password for their access.” So I never did anything like that again. I learned my lesson. But I got really interested in the whole, when there are flaws or vulnerabilities, systems work different.
Fast forward now to when I’m actually in a professional career. I didn’t go to college for computer science. I didn’t think that – And know what kind of career future there would be. So I actually was an English major and when I graduated I was working for publishing companies. But I was always the go-to computer person. And I worked my way up to being an assistant editor where I was doing acquisitions of software to go with the math textbooks for the company that I worked for. And this is early on, software was pretty new for math textbooks. It seems like you could have the quizzes and the professors could print them out and everything, but this was all very new and it fell on me because I was always the go-to computer person and someone saw me as the woman who ran the network, saw me and said, “I think that you actually should be our computer person.”
And so it was very exciting and we’re going to tie together our network for all the different positions in the parent company of them too were in the Boston area. So super excited. I did take the job. I was a little scared and I’m so grateful to the person who supported me and saw something in me, which is one of the reasons I spend a lot of time giving back now because my life has changed because of her belief in me and I’m so grateful.
But in any case, then I started working my way up. Now I’m in the technology field. I’m no longer in editorial. I’m working in technology. I became the global manager of a network in Cambridge with 9 offices around the world and linking them together so that we could do our work globally with the startup company. [inaudible 00:09:42] network. Again, that’s where that fire up of security. So thinking back to like the vulnerability back with the DARPA and then now I’m at a company where life work I felt was unique in this network and tying everybody together so they could work together sooner when they start the DARPA [inaudible 00:10:02] and someone got on to it.
And I realized that the reason that they got on to the network was because I didn’t understand security. I didn’t understand how to build really strong resilient systems. So at that point I decided I love technology. I love connecting people. But if I don’t know how to build this securely, people can’t recognize or realize the benefits of attack. So I said, “I’m going to focus on security exclusively.” We didn’t call it cyber back then. It was infosec.
And a number of people, I still think back to this, a number of people said I was basically destroying my career because I had a great career in networking, but security, all the problems were going to be figured out. It was too niche. People [inaudible 00:10:46]. Why worry about security? Security is no guy. I should stay with networking and not focus on security exclusively. But I was just so convinced that if we don’t do the secure, if we’re not networking securely, we can’t benefit from it. So I decided to focus on security and that was 25 years ago and clearly never looked back. There’s more to do now than ever.
[00:11:11] CS: And also clearly was not like you went into a niche that wasn’t a growth industry.
[00:11:17] DK: I know. I know. I know.
[00:11:18] CS: Yeah. I mean, one of the things that I think about when you say on the original DARPA there were 200 servers. There were a few hundred people using this kind of thing. And even I got on the Internet in college in ’92, ’94 when I started really sort of seeing the outside world, but there was still that feeling that not everyone was ever going to get on this. I never really got a sense at the time that this was going to be as universal as it is. And similarly, I mean as you said, there wasn’t going to be this need for this kind of global security based on that. So that leads perfectly into my next question, which is: can you just give me sort of a 10,000-foot view of the cybersecurity landscape as it’s changed over this past 25 years? Because obviously you’ve been there since the beginning and you can see all the changes. But like what are some of the sort of surprising things about it in those decades?
[00:12:11] DK: And I think the biggest change, and you touched on this, is just I wasn’t able to see that it was going to go from a closed-off data room, these elevated data centers behind glass and the big huge systems, that it would be something that we literally carried with us and we depended on every day in our daily lives. So it was the ubiquity. It’s the ubiquity of the technology that I didn’t understand, that it would be absolutely everywhere. And when we were looking at just a couple of hundred systems connected, or when I was building out the network for the startup in Cambridge, the scope was really limited. I mean, I think back – And this is a crazy story, but when we first got on the internet at that startup, what I did was I tailed the syslog of the server I had between the firewall between going in and out of the network and by tailing that syslog I was basically doing some level of SIEM detection at the company, which in retrospect is like there’s no way you can do that without [inaudible 00:13:14] actually the amount of data we have to look at, the amount of systems that were connected, it was just so much smaller. So there was the scope of how ubiquitous it is, also the number of devices that we had to manage. And now you think about what we use software and technology for. It’s everything from when you depress the brake pedal in your car, that’s software. It’s doing the translation and actually doing the braking, to the automatic adjustment to the temperature in our homes with a smart device. So it’s woven into the fabric. And because it’s woven into the fabric of our life, the other thing that’s changed in addition to the scope of the number of systems and where they are is unfortunately the negative impact that it can have on our lives. So when I was early on in my career I thought somebody getting on the network, and actually what they did was they messed up our FTP servers like, “Oh my gosh! That’s like the worst thing that can happen.
People can’t download these patches from our FTP server.” And then later on it was, “Whoa! What if somebody gets into your bank account and clears your bank account?” Your bank is going to keep you whole. I thought these were the worst things that could happen in tech. And now we’re in a situation where health systems have struggled recently with disruption and outages based on attacks that can then lead to negative health outcomes.
We have utilities like water and electricity that are connected and remotely accessible. And recently in Oldsmar, Florida, they had somebody get into a water utility system and change the amount of lye that would be acceptable, which, if they hadn’t caught it, could have been a loss of life or potential poisoning situation.
[00:14:51] CS: Right. Really scary.
[00:14:52] DK: It is. In cyber space, it’s an operational domain for NATO now. So that means that cyber space is a war zone, and that’s in a hyperbolic way, but that’s truly the way that NATO thinks of it. So looking at that, the scope, the ubiquity and then the potential for negative impact because of the ubiquity.
[00:15:17] CS: Yeah. Yeah, that’s great. We actually are going to have a guest in a few weeks who’s an expert on infrastructure security and sort of the IoT implications of that. And I had her on a couple years ago and we’re definitely going to talk about that Florida case, because that is scary stuff.
[00:15:33] DK: Yeah. Yeah.
[00:15:35] CS: So like I said, reading your professional history was such a treat because it has so many twists and turns along the way. Executive security advisor to IBM, cyber security thought leader team lead at Microsoft. You’ve got consulting analyst for TechVision Research, board member of Women in Cyber Security. You’ve got your Every Day Cyber podcast, host of the monthly video panel of The (Security) Balancing Act and so many of these that are happening sort of concurrently with each other. So I guess I want to know what’s the through line between all of these disparate projects? What are the things about all these diverse projects that excite you and keep bringing you to these new opportunities?
[00:16:12] DK: Well, I think the brightest through line is cyber security. It goes back to that same feeling I had when I realized that the integrity of the system could have impacted what people could see back in on the DARPA days or when somebody got onto my network. Just cyber security and this love of technology and knowing that the only way we can love technology and use it is to make sure that it's resilient and operating as expected.
But there are some through lines I think that maybe might not be quite as obvious, and one is this deep seated need to communicate. I was an English major and really I want to share information and knowledge with others and learn from others. So just back and forth. So My Cyber Why, for example, is a celebration of people who are doing work in cyber that we might not have thought of. And one of the first guests was the person who inspired the entire series because I met him. He's a top Finnish aviation security expert and he was explaining to me what cyber security in aviation means. And he works with international aviation consortium because that obviously the airspace, when you're flying around the world, you go from one government's airspace to another. So they have to be working together.
And I didn't even know that that existed. And he was telling me about the work he did and I thought, “We get so caught up in the hacker hoodie and Mr. Robot, but we forget about these wonderful people doing this work every day that we may not have even thought of.” I love to communicate. I love to be with friends, your everyday cyber. Limor Kessem, my co-host, she's a dear friend of mine for many years and we were saying it's kind of unfortunate because it's hard to explain to non-technical people about security. And both of us were doing a lot of kind of calming people down when there was something in the news and trying to help less security deepen security people understand why not to be too panicked, but also why there are steps that need to be taken in order to protect themselves. So this desire to communicate and help people feel like the world can be a safer place for them.
And then the last through line I think between all of that and especially as you see what I’ve been doing more and more work of later on in my career is just an extreme sense of gratitude for being lucky enough to have had a career that I loved that I was able to excel in for my whole life and now wanting to help others be able to have that wonderful rich experience. So donating a lot of my time as a mentor and supporter of these different – Because a lot of what you talked about the communities, CompTIA is a professional association, Bridgewater is a state university. So trying to help out the next generation and others to be able to benefit from the field too.
[00:19:11] CS: It's also interesting just the way, like you say, you started at this point where security was this big and it's just the way it's sort of grown exponentially. And like all these different things that you grab seem to be like trying to sort of like get your arms around this bigger and bigger thing. Like you said, if you didn't know about this aspect of the sort of security interconnectivity between countries and NATO and all this kind of stuff, then you just find ways as security gets bigger to continue to put your arms all the way around it and sort of like see all the sort of contours and nuances of it, which I think is fantastic.
Yeah. So of all the jobs and projects that you mentioned, the one that I most wanted to speak about here is The Analyst Syndicate, which is a multi-dimensional platform through which the world's best technology and business analysts publish their research and recommendations. Can you give me the origin of this organization and what was the original impetus for the founding of it and what problems were you trying to solve with its creation?
[00:20:13] DK: Sure. So it was founded by Tom Austin and French Caldwell, and the original members are all long-term analysts. Predominantly it was Gartner analysts originally. And a colleague of mine from Burton Group, Karen Hobert, who then went after the acquisition by Gartner. She continued to work for Gartner for a number of years. When I left Microsoft she said, “Hey, I’m part of this new thing, The Analyst Syndicate [inaudible 00:20:42]. And would you like to join?” And I was just so excited because I really felt that Tom and French were very much onto something, that it was really time to rethink the traditional analyst firm.
Industrialization, top-down control, it doesn't always service the wants and needs of analysts or their clients these days. And The Analyst Syndicate, people who love being analysts, advisors, coaches, innovators feel confident. And what we really wanted to do was to bring that to a new kind of analyst firm. We love what we do and we wanted to mix things up. 90% of the top IT firms have outsourced their analyst relations because that fundamental relationship is changing right now. So we wanted to take a different look and look at clients that were seeking a unique perspective, looking for their own needs. Not just that big general, “Here's a report that's going to apply for the world,” but customers that wanted to get a little bit closer to things that really mattered to them, that had a coaching element, a real one-on-one relationship kind of element.
So that was really a big part of it. At the syndicate, we respect different opinions and positions and drive research work to bubble up from the analyst. We collaborate with each other. We bring ourselves. We challenge ourselves because we come from so many different backgrounds to think new things. I’m learning so many things being part of this. Another analyst may be working on what's the next generation – What's the next thing of transportation? So you’d have this deep dive on autonomous cars and security is a part of it. There are so many other things that come into that conversation. So we really value the working relationships with each other as well as with the clients and trying to create a new way for communication and for the analyst world to look.
[00:22:37] CS: Yeah, there's something very sort of, I mean, in-depth but also very accessible about looking at The Analyst Syndicate site. Like it does feel like the sort of like halfway point between like a think tank and a news blog. It's not dry. Like I’m looking through it and like, “Oh! That looks interesting. What's that? W what's going on over here?” Do you guys have – You said that you're learning so much and you're getting all these different voices. Do you have an editorial policy for The Analyst Syndicate? What is like the sort of the vetting process or what is the sort of give and take when people say I want to bring this idea to the table or I want this to sort of be involved? And do you sort of have certain things where it's like, “Okay, that's too much or we need to sort of like get a second opinion on that.” or is it pretty much like a free-for-all?
[00:23:26] DK: No. It’s not a full free-for-all. Although we do – Very much there are a – Heterogeneous thinking is absolutely encouraged, but bottom-up generally creates more collaboration on high-interest and high-value topics. So as I said we do meet at least weekly to debate research topics. Before something gets published on the site you have the option to ask for help either from your analysts in that research meeting or you can just touch base with different analysts within the syndicate that you want to have feedback from, or there's a distribution list and you can just go out to everybody outside of the weekly meeting and say, “I want to publish something. This is my thinking. And what are your thoughts on it?” And this peer review, it's very engaging again because we come from different backgrounds. And I love that there's no sort of – At a lot of analyst firms there was this – Because I worked twice in the analyst field, once at Burton and once at Hurwitz, and there could be this sense of like you have to be the smartest person in the room. And there's a real fight with each other. And our peer reviews are more about let's try and get deeper and dig down and understand the different viewpoints and considerations. And I love seeing how our research will change through that peer review and just become broader and more thoughtful. So it really improves the value that gets delivered for the readers, but we don't have this like guilty to a single point of view or a single prediction. So really it's an amazing group to be in and it's a fascinating halfway point between a news blog and a think tank. And you're not going to get that out of the standard industrialized research firm.
[00:25:10] CS: Right. Now do you sort of seek out – Is it entirely sort of based on pitches that come to you or ideas that come to you or do you say, “We need something, some analytics on here about infrastructure or something like that.” Do you ever sort of like reach out to people or do you have enough of an ingrown group of regulars that you sort of let them do the deciding for you?
[00:25:37] DK: It is a really creative group. So each analyst is coming up with their own ideas and it may start out with, “I’ve got an idea. Can we flesh this out in a research project?” Also, a lot of us have other consulting that we do in addition to our work with The Analyst Syndicate. So it may be something that we're working on. We're saying, “Hey, I’m seeing this problem or this trend. Can we talk about it?” Or in some cases it's something that an analyst has been looking at for five or six years and always meant to write on and they're like, “This is the time,” and then bring that to the group, and we will talk about it and help them think through. Again, really the enrichment from the other analysts. But it's a really lively, creative crew. So there's no need to push people. People are coming up with ideas.
[00:26:26] CS: That's great. Yeah, I want to talk about some of the pieces that I was looking at on your site. One of the big topics that I saw in The Analyst Syndicate’s recent articles is how work from home, which saved an unexpected amount of white collar jobs compared with the possibility of a similar pandemic hitting in, say, 2005, which was able to transition to a fractured home-based work environment in ways that service industries and blue-collar positions obviously can't. Can you speak to some of the long-term changes of work from home on the security landscape in the next five years after a year of this type of stuff? It almost feels like we have a “handle on it”. But with the new normal coming like this, what are some long-term changes that you think even seasoned work from home people won't be expecting?
[00:27:12] DK: Yeah, I think you're right. I think that overall in the past year we've kind of smoothed out a lot of those rough spots. I was kind of surprised that when work from home became like an overnight just about a year ago now in March 2020, how many organizations had not thought about a modern approach to their workforce? So they were mistaking a mobile workforce with a remote workforce. They're very, very different, although it seems like. But I can check my email anywhere. Yeah, but can you actually do 100% of your work anywhere and never go into an office? And that's actually where there's a difference. So yeah, so they got their VPN architectures updated to be more modern. Things like would drop, ship out laptops and do remote orchestration and setup of them.
But long term, I think one thing that I’m actually really excited about the change is I’m really hoping that this is finally going to bring us closer to the ability for information workers at least, because I know there are some jobs you need to be there in-person. But for a lot of information, a lot of white collar, that we could stop hiring just within our geo circle and start hiring the best people for the job, and I think that this has some really positive social implications because cities are getting denser and denser. And then the concentric circles of the suburbs around those cities become denser and denser. And you find absolutely madness like.
I have friends in the San Francisco area that will commute 90 minutes into the city. And this is not good for mental health. It's not good for the environment. It's not good for your worker, because although I know some workers that can do some good “windshield time” conference calls, really, it’s continuous partial attention, right? It's still sapping away at our energy overall. So I think that a big positive could be that we're going to be able to – we live in a big wonderful country. There's a lot of space. I actually live in one of the less dense states in the country. I live in New Hampshire. We don't all have to be in cities. For people that want to be in cities, that's wonderful. But I think in the long term, I’m very excited about the possibility of using a little bit more of the country, but still having a really great workforce.
Also, one of my analyst syndicate cohorts, Karen Hobert, actually has predicted that this is going to lead to more green spacing within sides of cities and maybe like repurposing of some of the buildings that we have in the city. So that's kind of exciting to think about maybe get a bit more green space, which again could be healthier for all of us.
Technically, I think that we're going to continue to see this move towards zero trust or, if you want to call it deperimeterization, the old Jericho Forum. But, again, like getting outside of the old school security which never really worked this way but we kind of, that people hoped it would, that here's the inside, here's the outside, here's my firewall and outside untrusted, inside everything's trusted. Like that was never quite as like – It was never as simple as that and companies that tried to do that even in the 90s when I was doing architectures. No. But there was this belief that that's how it was. And so I think that this is good actually looking at this zero trust model because it's thinking of deperimeterization and access continuous verification about all the assets that you're going to go connect to and it's wonderfully suited for this new cloud world that we're living in where we're not living on-premise anymore. We are actually living mostly in the cloud. And I kind of love it. I’m doing assessments with companies that were born in the cloud, live in the cloud. They don't have a data center. Because a lot of assessment questions would be like, “Well, is your data center locked up? Do you have proper tooling?” And it's like, “I don't know.” They've got their laptops and they’re born and live in the cloud. So I’m really kind of excited about that. I think that it's kind of pushed – Push forward for that. But I do think, one thing that I’m kind of hoping that we will think about because a problem I see coming down the pike is we are not planning for burnout and we're not planning for how much harder it is for a lot of people to work from home. Yeah, you got rid of the commute. That's wonderful, especially those 90-minute commutes. That's fantastic. But a lot of people, if you think about it, I sometimes feel like I’m fusing into my chair because I will be in calls.
And we never thought about this when we were physically with each other because it was always – Yeah, I’d have to walk to this other meeting. You would need walk time to go from place to place. Now we just sit in a chair and the calls, it'll go like one minute over. So you're not one minute late to your next meeting. You click on the next link. You're going link to link. So I think there's going to be a special kind of burnout.
There's also like – We're burning some of our energy and our brains looking at ourselves all the time because we're constantly on video. So I think we're going to have to rethink. When you work from home, you're always at work. So I think we're going to find that there's going to be a lot of fatigue and potential mental health issues that we're going to have to address.
[00:32:22] CS: Yeah. I mean, can you speak to that at all? Like any advice on that? Because I was going to ask about the security implications and you said you know zero trust and the cloud and stuff. But what are your thoughts on sort of combating mental fatigue and burnout and just – Yeah, I’m the same way. Like sometimes I just have to like stand up and do squats at my desk because it's like I haven't walked for five hours. It's literally just one thing to the next. But what do you suggest? I mean, some people, their whole life is in one room right now. Like what do we do about that?
[00:32:57] DK: Yeah. I mean, I think that being in the one room is a thing. But I think what's more damaging is when we just sit in one place and talk and talk. I mean, I’ve done a lot of calls where people will they say, “Look, I got to step away for a minute,” and they turn their mic and their video off. Occasionally they forget. And they have to run to the bathroom because like they don't have any – They have to run and get some water because they haven't had water in four hours. So I think that companies should start to really look at and address this and think about what some companies and larger companies have already started to adopt, which is no meeting times. So just say, there's one or two hours every day on the count – You don't have to go and eat lunch. You don't have to go take a walk or whatever, but you can't have a meeting during this time. These are forbidden. So that it forces you to have a couple of hours in the day where at least you can get up, at least you can walk around.
The other like trick that a lot of companies are starting to do is that hour-long meetings are no longer allowed. The maximum amount of time for a meeting is 50 minutes or 25 minutes so that there's that forced five minutes or ten minutes so you don't get into that just complete fusion and then get up and walk around even if it – Yeah, do the squats. Or if you have any inclination, I strongly recommend getting a dog or a couple of dogs because they're wonderful reminders that you got to get out and move.
[00:34:21] CS: Oh yeah, ball of energy.
[00:34:23] DK: But companies have to – Like I said, they have to get on board with us and do things like force time when you can't have a meeting scheduled and maybe consider 50-minute meetings.
[00:34:36] CS: Yeah. So I want to move in a sort of lateral direction here. I’m quoting the title of one of the articles on your site: “Despite COVID-driven tech investments, the majority of manufacturers will fail in digital transformation through the end of 2022.” Can you speak further to this concept of digital transformation? Like what are some of the long-term changes that need to be implemented across industries that currently aren't or that you think aren't being implemented quickly enough?
[00:35:01] DK: Yeah. I mean digital transformation, it becomes sort of this bucket of buzzword that people just, “I need to digitally transform.” But I think they just need to step back and think about what it really fundamentally is. It's about a change in the processes and procedures that are used to run the business and connect with customers. So it gets conflated very often as it just means moving to the cloud. And I’m not saying that's not a part of it, because it is. But it's not about just firing up an EC2 instance. You didn't transform because you did that. Transformation is about understanding the capabilities that are available in the cloud and integrating those into the fabric of how the organization operates. So it could be something like adopting Google Workspace so now you can as a distributed team start working on documents, which I’m super excited about.
I mean, one thing way back in my history was I was a Lotus Notes admin and I had always been super excited about the promise of Lotus Notes, which was real-time distributed collaboration. And the technology wasn't quite there. We didn't have the bandwidth. There wasn't – But it's here now and I absolutely love it whether you're in Google Workspace or you're in Microsoft's Productivity or 365. We can actually do that and share that. So I think that that's powerful. But then you look at companies that are it moves on to like the entire customer experience with AI and customization and automation. So all of that comes into digital transformation. And in the long run you look at like how transformation can support or enhance a business. You have things like health care where you have to balance digital transformation with what makes sense. I think every industry needs to step back and think a little about when we think about changing our processes, what’s going to benefit the business, what’s going to benefit the customers, and what is possible for us.
I was talking about some of these built in the cloud companies, and built in the cloud isn’t going to be right for every sector.
In healthcare, for example, you’ve got things like medical devices, MRIs. They still got very complex networks in the medical and health systems because you have these medical devices that need to be on the network, and I have to go wait. You have to interact with that MRI. But that doesn’t mean you can’t do digital transformation within healthcare because there are also some really forward-thinking health systems that are doing things. They have essentially ICU physician [inaudible 00:37:24], and you get a bunch of the top ICU positions that are available in a state, for example. They stay in one place and they can visit patients in multiple different hospitals through screens, and there’s a nurse there. But now, you’ve got to –
This is really creative and transformation kind of thinking. Some other things for healthcare is telehealth which has all become realistic for us now in the pandemic. There was a lot of – You can possibly do that over the video. Well, we’ve learned to do it.
[00:37:58] CS: Yup, we had to.
[00:37:57] DK: I think that that’s going to be a big one in transformation is not just saying – Because healthcare is immediately you could go there and you could say you have to be in person. In some cases, you do but not in all cases. So I think for any sector, thinking about getting creative and starting to think about what parts do need to stay on-prem and what can we get creative about what and what has made you – We’ve really been resistant to in the past. Telemedicine is – You know what? It works really well for a lot of different kinds of meetings. Sometimes, you do have to go and then in person too. That’s what I would say about digital transformation is just being a little bit creative.
[00:38:36] CS: Are there any sort of industry sectors that you think are being especially resistant right now that need to sort of speed things up or does it vary from place to place?
[00:38:46] DK: It varies. There is a lot of resistance initially in some financial services companies. But now, there’s a massive embrace with the government because, obviously, for the sensitivity of a lot of the work. But there now are government-specific clouds that are being built out. So I think that all sectors are looking at it. It’s just some sectors are – It really does go sort of company to company like in healthcare. Some healthcare systems are really not looking at digital transformation. Then other, like I talk about, I mean, they’ve got these really creative solutions like an ICU SOC essentially.
[00:39:26] CS: I want to move a little bit to some of your other activities here as well. You’re a board member, a woman in cyber security, and that’s one of the things we like to talk about here on Cyber Work is bringing more women and more diverse candidates in the industry. Do you have any tips you would give to women entering the world of security right now and also for companies who are trying to recruit more women in minority and different abled professionals? What advice would you give them to not only prioritize hiring diversely but to make themselves desirable to the professionals they’re trying to recruit?
[00:39:58] DK: The first advice I’d give to men and women, which is figure out what you love about cyber and then build a skill set. This is a really broad profession right now, and a lot of people that want to get into it, that’s my first question to anybody is why do you want to do it. Figure that out first. But then as far as like how we get more women and what companies can do, research indicates that women often feel less capable in technical roles than men. I would say to all women out there, you are capable. You are technical. Don’t get in your own head. Are there going to be jerks out there? Yes, absolutely. I’ve encountered some doozies in my career. But don’t let them take your power, so don’t question your capability. Stay centered in what you know.
For the companies, number one, check your job requisitions. I mean, the way that job reqs are written, it can be like really crazy. There’s research that had to deal at Hewlett-Packard that said that men won’t apply for a job when they hit about the 60% mark of qualification. Women wait until they’re at 90 or 100 percent. If you look at a lot of these job reqs, they’re basically kitchen sink. The hiring manager and HR came up with these requisitions. Sometimes, I read job requirements that I’m like, “Who has this experience?” You see like how much experience I have.
[00:41:22] CS: I’m not qualified for this, and this is a mid-level thing. Yeah, right.
[00:41:25] DK: Right. Yeah. Or crazy stuff. They want 10 years of experience but they’re paying entry-level kind of – So really –
[00:41:33] CS: Or 10 years of experience on something that’s only been on 5 years.
[00:41:36] DK: I talk to hiring managers and said to them outright, “I know you don’t need all these skills. Why are you putting that?” They’re like, “Well, we want to get somebody well-rounded. So we figure if we ask for more –” They’re going from that mindset of people are going to apply at the 60% point, so they put 100% and they figure what will get a good – But instead, really write that job req, what you need that person to have, and really scope it down to what they have absolutely have to have.
Think about also things like pronouns in the job requirement, the job req itself. If it says he has to, some people are going to read that and think, “Oh, maybe that’s not going to apply for me.” So be really careful about how you write them and then expand that circle of recruitment. I mean, did you really post that job where diverse people may be looking? This is a great example. Women in cyber security go to [inaudible 00:42:32] job posting looking for jobs. If you’re not finding a more diverse workforce, think about where you posted it and have you reached out outside of your normal circle of contacts to additional people to try and just expand that circle of recruitment.
Because most of the time, when you’re hearing, “Oh, there’s absolutely nobody who’s available that’s a more diverse candidate, they all look the same. We’ve got a bunch of people that look exactly the like, and that’s the only people we could find for this.” It’s very often.
[00:42:59] CS: Yeah. And they’re like, “Well, I tried everything. Yeah.”
[00:43:01] DK: I know. It’s like, “We tried.” It’s like, “Did you really and really dig down?” [inaudible 00:43:05], it just kind of expanded the search circle.
[00:43:09] CS: On the other side of that, you can speak to sort of HR or hiring managers who – Can you give them any tips on how to read a resume pile in terms of looking for – Because I think sometimes people who have to screen candidates are already sort of overworked, and so they see 40 candidates and they’re like, “I don’t know. Just which ones tick all the boxes?” But can you sort of give any tips to – Because we hear this all the time on the show. People say like, “As long as you have the interest or the obsession, we can teach you the tech. We just want to see the thought process behind you.”
But like how do you convey that in a resume and how does a hiring manager know to sort of look for that? There’s still a disconnect in terms of like what people on the ground in security are telling us that they want from candidates versus how you actually get that type of person through the resume firewall.
[00:44:06] DK: Well, you actually said one of the most important things, which is like HR reading the resume. Because unfortunately, one of the biggest problems right now is the automation and things like ATS systems that are looking for unique 10 key words and you may say, “Well, as long as I get 9 of these 10, then this resume gets through. If I only have 7 of these 10, the resume doesn’t get through.”
So you’ve got a candidate that may have to rewrite their resume for every single job they apply for just to get through that keyword match. And very few candidates have time to rewrite their resumes, and I’ve heard heartbreaking stories of candidates who’ve tried submitting hundreds of resumes and never even get – Because it’s like the ghost of Christmas future. It’s like there’s no words back. Sometimes you don’t even get acknowledgement that the resume was received.
[00:44:58] CS: It just disappears. Yeah, it evaporates.
[00:45:01] DK: So I would say first look at what you’re kicking out automatically from your system, because if you’re just doing this hard keyword search, you’re probably missing a lot of people. And then translate that to the human being, because that whole – And it’s true. Almost everybody I know in cyber that’s a good manager, we do. We believe. I can teach you that part of the tech. But if you’re just doing the keyword search, then they may not have it. And if HR hasn’t been – If they’re not in tune with how you want to hire and they’re going to do the human version of just the keyword search. Again, you’re going to lose those. So work with HR and say, “I’m not necessarily looking for somebody who knows who’s got all these certain, this exact cloud certification. I’m looking for somebody who maybe has worked with the cloud in the past.” Because if you say something like I want you to be AWS certified and they’ve got Azure certification, you’ve got a cloud expert there, and they can pick up AWS. But if they’re going to get kicked out on that keyword either by a human or by a system, you’re going to miss out on some. So I would say, yeah, work more closely with HR and help HR understand how to find candidates even if you’re not always getting that exact match and keywords.
[00:46:17] CS: Now I want to move to another very interesting program. I’m looking forward to checking this out. It’s called the security balancing act. It’s a web series, is that right?
[00:46:27] DK: Yeah, it is. It’s a monthly series.
[00:46:29] CS: So in the description of the show it says as we realize the transformative power of the cloud, AI and machine learning, has our culture responsibility ethics kept pace? How do we harness our new technological capabilities to the understanding of how to use them well? And that’s fascinating to me. I don’t feel like I always get to talk with guests about this kind of thing. Can we speak a bit about the ethics and responsibility of these new technologies? Like what are some of the issues that are being blown past at the moment by organizations in a rush to implement new time saving tech?
[00:47:01] DK: Yeah. So this is such a big topic, but I was thinking at the back –
[00:47:04] CS: I know. I hate that we’re kicking into it this late in the show, but can we do a little quickie version?
[00:47:11] DK: Yeah, we can. And to do that, let me focus on one area specifically. Let’s take a look at ML and AI. And I am a huge fan of machine learning and artificial intelligence and what it can bring technologically. But there are some serious ethical concerns that we have to think about. It’s partly because when we use this system, we very often believe that. So I get that a lot of us may fear Netflix recommendations and not always go, “Oh! I know. I have to watch that movie.” But if you put in numbers in a calculator, whatever that calculator tells you is the number. You probably believe that. You’re not going to go, “I’m just going to double check and do that long division by hand.” You’re like, “Oh, I believe that.”
So now when we think about AI and ML and how it’s being used, that blanket belief could be a risk ethically. If you think about machine learning that’s being used for sentencing in the courts for example and it comes down and it says, “This offender is 80% likely to reoffend.” Well, the judge is going to then say, “Okay, 80%. That’s what the tool told me,” and they’re going to base their decision on that. But what if that tool had biased data going in? What if the data about re-offense was biased towards this particular class, right? That would be a problem ethically. So we need to think about the data we’re using to train.
Another example is a racist faucet, right? You would never think, “How is a water faucet going to be racist?” But there are actually some smart faucets that were designed for the people that were doing the same. They did testing with people who had very light skin. And so when you put your hand under the sensor, you had very light skin. It reacted. But they never tested people with very dark skin under the same sensor. So people with very dark skin were not able to turn because they hadn’t been tested that way. Not able to turn the faucet on. So there, there is an ethical problem and we ended up with a racist water faucet.
So we have to be really, really careful, and these are just a couple of examples. But we need to think about how we’re tuning and training these systems ensuring that they’re going to work for everybody that needs them to work because it’s an ethical failure if we don’t. We also have to think about the threat models related to the failure modes of machine learning both intentional and unintentional in order to make sure that they’re going to be safe for use. And autonomous vehicles, for example. They are designed to understand if there’s a red octagon, this is a stop sign. But an intentional failure mode could be if somebody spray painted over the stop sign and unintentional failure would be – Enough snow has gathered on that stop sign that now that vehicle is not able to recognize that there’s a stop sign and we’d know how risky that can be because now the vehicle potentially blew through the stop sign. That could be loss of life at its highest impact.
There’s also intentional attacker modes on ML, things like a security detection system that has been trained over time to classify malicious behavior as normal or not malicious or looking at the leakage from the output of the system and understanding how the classification process works and then tricking this detection system into believing that malicious software is benign. So there are a lot of different angles to look at the ethical use of machine learning and AI as there are across security. But all of these, if we get back and we think about threat modeling, building security in, building privacy in, building ethics in, then we can address them. But we tend to tech, I do it too. You get so excited about the possibilities. We don’t always step back and think about.
[00:50:53] CS: Okay. Yeah, definitely everybody go out and check out The (Security) Balancing Act. So do you invite different – Do you invite like counterpoint of people who have been working on this? Is this Analyst Syndicate who would do these? Or who are the guests on this monthly show?
[00:51:10] DK: The guests are sourced mostly by the program manager for the BrightTALK series, Maria. And then I coordinate with her and sometimes I’ll bring in guests that I know I feel we need to balance out the viewpoint. So we don’t go for like a point counterpoint. I mean, it’s not – Like I’m not trying to get like a Jane Curtin and Dan Aykroyd thing going on. There’s my age again.
[00:51:35] CS: I was right there with you. Yeah. Yeah.
[00:51:37] DK: So we’re not going through that, but we do want people with different backgrounds and viewpoints so that we can have a lively conversation rather than just to, “Oh! There’s only one way to solve this problem.”
[00:51:46] CS: It’s not a dissemination of information. There’s a discussion. Yeah, absolutely.
[00:51:50] DK: Yeah. Yeah.
[00:51:50] CS: So as we wrap up today, you’ve done so many things in so many parts of the industry. What recommendations would you have for people who might want to get into cyber security but feel stuck in a current job or might be unemployed and feel that their lack of tech background earlier in life may have doomed them to never catch up? Are there things that people can do tonight that would put them on the right path?
[00:52:14] DK: Yeah. The most important thing is don’t get discouraged. I actually know people that reskilled in their 50s and have SOC analyst jobs now. So you’re not too old. Don’t worry about your being too old. You can go back and you can reskill. But what can you do tonight? The most important thing, ask yourself why you want to be in cyber security. What is it that’s drawing you to it? Is it because you’ve heard that there’s like no unemployment in cyber security? Okay. That’s a little as we were talking about, right? It’s not 100% that everybody who wants a job gets a job. But there are some jobs that are hiring more frequently entry level SOC analysts and hunters, for example, are a big – That’s an area. If you want to go be a CISO, there are fewer jobs for CISOs right off the bat. Also, you’re going to need to build a pure experience. But ask yourself what it is you want to do.
If it’s the money – And you know what, Chris? A lot of people come to me and say, “I want to cyber.” And I say, “Why?” And they say, “Because it makes a lot of money.” I’m like, “Okay.” That’s not for me to judge. But what I can say is that some jobs make more than other jobs in security and some sectors you’re going to earn more money. So be honest with yourself. Is it the thrill of hunting and stopping the bad guys? Just be honest with yourself about what it is that you want to accomplish and then start looking at the jobs that are out there and the people that are doing it. What their backgrounds were? What certifications they have, because that’s going to help you to start to get a feel for how you’re going to be able to advance.
If you find people that are doing exactly what you want to do, don’t be afraid to reach out to them on LinkedIn and say, “Hey, do you have a few minutes to spend with me?” And not everybody has time. If you reach out to one person and they don’t have time, hey, this is just – But reach out to a few people and you may hit somebody at exactly the right time and they are able to speak with you about it or ask people that you know that are in the field if they can spend a little bit more time about it so that you can get a feel for sort of the day in the life.
Do you look into the certifications and training. If for example you’re just interested in cyber security in general. You don’t know which aspect you like best. Look at something like the CompTIA Security+ and go get certified for that. If you really love applications and web and you want to do testing, for example, on that, then you go read the OWASP app testing guide. Try the OWASP ZAP tool for example. But if you want to prosecute cyber criminals, you probably need to go to law school, which I mean that’s the job.
[00:54:45] CS: You’re that forensics, yeah. Yeah.
[00:54:48] DK: And that’s his job. Yeah, so think about what it is you want to do and then you can start building more of an attack path on how to get there.
[00:54:56] CS: Okay. Well, Diana, this has been so much fun. I could talk to you for hours and thank you very much for indulging me all of my questions here. But usually at this point in the program I ask the guests to talk about what project their company is working on and that they’re most excited about. But with you there’s – That could be any of 6 or 7 or 8 different things. So I’ll ask it this way. What’s next for Diana Kelley? What are you excited about working on in the coming years?
[00:55:19] DK: Yeah. To continue my volunteer work, I’m really excited to see some of these. How [inaudible 00:55:24] is growing and engaging more women in cyber security. The work at Sightline with the assessment tool to help nonprofits be more resilient. So I’m really excited to see how that goes. My Cyber Why, we’ve got an intern and she’s now got another media intern. So watching the community grow is really I’m very excited to be a part of that. Technically, it’s really about the next generation of what we can do with ML and AI. I’ve seen in my career data stack and stack. We’re so good at creating systems and devices that create more and more data. I know we’ve got this huge rich amount of data. We couldn’t get through it all. And aha! Machine learning, what does it need data is fuel for machine learning. The reason that we’re in to get better. So I’m just very excited to see what we’re going to come up with as we’ve created all these data. How we’re going to use ML to get smarter about how we use it and benefit from that data.
[00:56:19] CS: All right. One last question, this is for all the marbles. If our listeners want to learn more about Diana Kelley, The Analyst Syndicate or any of your other places, where can they go online?
[00:56:26] DK: Well, Thansyn. The Analyst Syndicate is thansyn.com is a great starting point. And then also I’m on LinkedIn. I do try and respond to everybody that reaches out to me. I apologize. I do get overwhelmed and I can’t speak with everybody, but I do try and connect as much as possible. And also you can find there information about My Cyber Why, Your Every Day Cyber, Security Balancing Act. And Your Every Day Cyber and My Cyber Why are very much community-focused. So we’d love to get engagement from the community about what you’d like us to address on Your Every Day Cyber. Who would be a great person to interview for My Cyber Why.
[00:57:04] CS: Great. Diana, thank you so much for your time and insights today. This was a blast.
[00:57:07] DK: Thank you, Chris.
[00:57:08] CS: And thank you all as always for listening and watching. New episodes of the Cyber Work podcast are available every Monday at 1 pm central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. And don’t forget to check our hands-on training series called Cyber Work Applied. Tune in as expert infosec instructors teach you a new cyber security skill each week and show you how that skill applies to real-world scenarios. Just go to infosecinstitute.com/learn. Stay up to date on all things Cyber Work.
Thank you once again to Diana Kelley and thank you all as always for watching and listening. We’ll speak to you next week.