Transcript

Patrick Spencer 0:00 

Hey, welcome to Kitecast cohosted by Tim Freestone and Patrick Spencer, that features interviews with IT security, compliance and risk management leaders and influencers.

Hey everyone, welcome back to another kite cast episode. I’m Patrick Spencer, one of your hosts, my cohost Tim Freestone is on the line as well. Tim. Good morning. How are you doing,

Tim Freestone 0:22 

Patrick? Great. How are you?

Patrick Spencer 0:24

I’m doing well. It’s a Friday. We have a real treat today Tim. Dr. Rebecca Wynn is the founder and host of the Soulful CXO podcast has spent her career in a number if you take a look at their LinkedIn profiles, cybersecurity, data privacy, etc. leadership roles. She is also the host on the threat watch bright Talk series, so everyone should Google both that as well as the Soulful CXO podcast. Once you’ve listened to our episode today, she is joining us currently Rebecca is the global chief cybersecurity strategist in CISO. For click Solutions Group, her prior roles include global CFO for spring health chief cybersecurity strategist for adult on a health care, I’ll say that correctly yet. Global CISO Chief Privacy Officer served at 24 seven.ai CISO Data Protection Officer for matrix medical network I could go on, she’s held a lot of different roles. She’s on the Forbes Technology Council, and she’s a member of the board of advisors at the cyber wire and a member of the board advisors at cybersecurity tribe in cyber theory. She holds a bunch of different degrees, a doctorate, couple masters have master’s degree. Tim, I don’t know all the guests we have always make us look pretty miniscule, with all the things that Rebecca, thanks for joining us today. We’re looking forward to this conversation.

Rebecca Wynn 1:49 

No, thank you very much. And just a little tidbit, I also played trombone professionally, just to go ahead and do something else in life.

Tim Freestone 1:58 

I played trombone from fourth grade to ninth grade. I think it’s a great instrument.

Rebecca Wynn 2:06 

It’s awesome. I one of the key groups I am I’m the associate principal here at the Scottsdale Philharmonic is one of the four Wow,

Patrick Spencer 2:12 

awesome. She’s a leader in a number of different roles, including in the music realm. So it well, tell us a little bit about your career. I mean, you’ve held a bunch of different roles. How did you get into podcasting? You’re doing the show with bright talk, then you start your own show? How did all that start?

Rebecca Wynn 2:31 

was interesting, I really it goes back to durian who’s with the cyber tribe, I actually first met her at matrix medical network, I had just started. And actually one of our VPs was actually supposed to be going to the event. And they’re like, Hey, you want to go? And I’m like, Sure, I’ll go ahead and go. And I saw a person out there who is leading the event, and being the moderator all kinds of stuff. I’m like, you know what, I could do that. And we connected, she invited me to another event at that event, to the speakers due to weather and sickness couldn’t make it and I was giving like a small talk. And she’s like, could you go ahead and bond and I’m like, you know what? In the hot water, I got used to do that when I do D work. So I gave two presentations there. And then the more you do, the better you get. And the one thing that people I get two things that people call me They call me the Melissa McCarthy a cybersecurity thing because I make fun of myself, I make fun of errors I’ve made and I think people can learn when they can do story. So I’m kind of like Brené Brown storyteller. And then when I would go ahead and be leading moderating panels, I like to go ahead and get to the heart and soul and learn why you thought that way or what’s your process. So people also call me the Oprah Winfrey of cybersecurity. So, an actual me going Hey, let me go ahead and try a podcast and see if I can go ahead and not do a podcast do a podcast by like telling stories. And that’s where we’re at right now at 15. Out. They release every Tuesday, but it’s hard and so like people like Theresa Payton, who is the first female White House CIO, and low spoiler, she talks about not even almost taking the call, because when someone says the White House wants to ask you about the CIO position, she thought she was being phished, and we talked about that.

Patrick Spencer 4:11 

So cybersecurity and women, that’s a topic that is of interest to us. I used to do research reports at Fortinet going back a few jobs, actually, when I worked for Tim back then as well. And we would survey the industry to see, you know, across different industries, you know, sectors, how well women were doing, and it did seem that things were improving. Is that your sense over the past few years that we’ve seen more women get into cybersecurity, or is it kind of still the same or is it getting worse?

Rebecca Wynn 4:42 

I think you hear about it more just because we have cyber divas and we do that’s a group that actually tries to highlight the women and we have some other people say what’s who’s the top 100 women? I don’t know I’ve been on that list too. Don’t know exactly how they determine who’s the top women so we have some, some people like that who try to bring more exposure. But to be honest, I don’t think so. And I do find more women who I talked to privately that more of us are for lack of a better word today like disgruntled, disappointed, not feeling supported. Along those lines it for me it’s always interesting because I’m very strong technologist you know, I started out as a can math we type major like kind of stuff I started out where I thought it was going to be pre vet, because like animals lot that couldn’t handle the blood. And that’s why you can see my background I was really big in photography is really big and sports, I played softball and stuff like that, got photography degree, went ahead and did suffer Sports Illustrated and things like that. But on Hawking cameras for a long time, I was like, I’m too smart for that. Like to do as a hobby, went back, got my double MBA was in financial services for a long time, and then one nation reach a woman doing with financial, but it wasn’t my heart and soul. And then I went back and got my degree and it so that’s one reason I always explain people I, you know, my journey is like cricket. But I think all those life lessons makes me a better person than I am today, I find that quite a bit when I actually interviewed women, a lot of people, you know, we start out with STEM, or we might have come from more of a liberal arts background. So a lot of times were broader and bigger. But when I it’s interesting when I interview for like, Rebecca, when you come be our Cisco full time, and not help all these other side companies that that you do wonder, you know, click solution scope, but I’m like, I’m always open to that. But I’ll be like, You’re too much into governance, risk and compliance. And I’m like, Guys, I have to meet those requirements, or we can find ourselves in legal Jeopardy. So I have to devise counsel and things along those lines. I don’t know how not to do that. When I look at Enterprise Risk Management. To what right, are we going towards our contracts? And if you look at our contracts, they refer to what is your minimum standard that you have to keep, as well as what regulations? So that times people say you speak about that a lot. And I’m like, that’s one way you can do it from a technology perspective. I’m really mindful. And I think that I got that really be training for Department of Defense, right? I was always going ahead and even begun leading lead assessor across the world leading teams being able to say, can you keep this connected to the government grid? or disconnected and anonymous, we did do that. It’s like Rebecca, what’s going on? Now we need you to leave that security team or that networking team to fix it. Well, failure is not an option. So if there’s something going on with the firewall, there’s something going on the core, there’s something going on the routers all that, yeah, I can deep dive those I look at the config files from text file, and I can map out architectures from that. So I don’t lose that. But we do lose that today. Not only talking about men, but women, but when you talk about women specifically, I think, are they technical, they’re not technical, they’re just going to be GRC or Nachi. Or see what are they going to be? And if you are a little bit more hybrid, like me, it makes it tough. And then the whole thing, there is a thing going on, women find it a little bit more than men. It’s the whole thing about, you know, how popular Are you the second of the day? I hate that. I don’t know if you guys seen that. But a lot of companies out there starting to like a poll every day on how popular you are your staff, I think that makes it very hard for it and a Cisco to do their job if you have to be popular enough time.

Tim Freestone 8:11 

Yeah, that’s actually a good segue into a question I have for you. There’s a lot of different generations now in the workforce, right? And I had a conversation with a woman the other day, she’s about 36. So kind of right in the millennial framework. And she and it’s not a question, I’m just interested in your take on this. She said the millennial our group has a very challenging road in, in the workplace, because on one side, you’ve got the boomers and the Gen Xers who grew up predominantly in a work environment. That is, you go to work to work, and you take orders, you give orders. Again, it’s not so much that way anymore, but that’s predominantly how we grew up. And on the other side, you have Gen Z, which would rather not take any pay, as long as the work environment was appreciative and nurturing and cultivating in those types of things. And then Millennials are in between trying to balance both sides of those and lead gen Z’s and, and, and up manage up to Boomers and Gen X. What do you think of that comment? I’ve been thinking about it for days now. And whether it’s true or not, or you know, just the whole demographic and dynamic of different generations in the workforce, especially in the context of cybersecurity, where it’s so critical that sometimes you have to just do what you’re told, but at the same time, you have to balance people’s generations and what do you think?

Rebecca Wynn 9:48 

I think it’s true, and I will tell you a what we’ve been talking behind everybody’s back lately. Actually, I do have this on a podcast. It’s actually just released to Tuesday with tiny then Kelly, who this past Tuesday, we talked about it, we call it right now the price syndrome is what we’re talking about. And I think Jennifer Beck just posted something similar to that on LinkedIn, or at least I went ahead and made a comment on it. So called on price syndrome. And it’s right that age bracket you’re talking about. so anxious to be achieved in the name. And I tell people and I write about this don’t aspire to be so aspire to be the best holistic person that you can be doing what you love. And whatever that title will be. You, you will become that and especially in our field, that that’s transitioned so much on what that title means. You know, maybe that means you’re VP of information security, maybe that means your chief security digital officer, or maybe there’s just officer don’t worry about that as much because we’re one of those things that’s not congruent yet. But there’s so much want to be a title and a lead, that the people who are above them have the years of experience who have a topic, I’m surprised that you can see my nose because I’m falling on my face so many times I’m still there, exactly have to go on some bruises to get there. And they don’t want to do that. And so one of the ways to do that is to take out the leader above them, what they’re better at, and a lot of ways is doing all the networking and getting my team and stuff like that I’ve actually had that before when I’ve gone in for people before consulted. And so it’s my team, they listen to me, they don’t listen, anybody else, I think is extremely dangerous. And I actually went to the executives and said, you have a dangerous person here. We literally have where it’s my team, I have 18 people or 22 people or 20 people who are listening to me, they believe what I say and all the stuff that I said you need to get rid of that person doesn’t matter about what their skill sets were, it doesn’t matter what projects you can deliver. They’re literally the ones who can torpedo you that was never accepted holistically in the older age forces. And when you go to the younger force, they the younger generation who come to mentor me, they said, you know, we want to be able to balance her life. But I want to have a good career. And this is what I want to do this is who I want to be holistically as a person. And so I do you find them easier to mentor and lead not saying I don’t have people who are 3436 and 38, that I mentor and anybody out there who really wants to be mentored, you can reach out to me, there’s several of us out there, but they’re more open. But I think it’s the prices that are that want to get that title quicker. Now, I will say on the flip side, I did meet a lady a couple weeks ago at a conference. And she was having a very stellar career has had a lot of things that she’s proven in her time and teams and stuff like that she can lead. And she’s been following a guy from company to company, he’s with a big company now brought her in, she’s moved up. And he said you I’m still training her up to at some point in time be a deputy, Cisco. And I will tell you, me and a bunch of other women like you need a bail out of that. There’s these type of companies that you have the skill sets to actually lead them to a great place. You don’t have to, to single your life depending on one person being a male or female. And you never need to follow a person from career to career to career in a company and thinking that they needed to find you when they say you’re ready. Ready, I tell people to so there’s two things that I find in that gives that they’re a little older. But I do find that from that 3036 to 48. Because one thing is that women holistically and I’m included, if I look at a job, I’ll go ahead and say you want these 10 things I have nine so I applied or not. That’s generally not true with males holistically across the board. They’re like, I don’t have any of them. I don’t care, I’ll go for it. So that’s the one thing with women usually don’t apply for jobs unless April liberally think they can do that. And so that’s one thing that I tell my HR, I’m like, I don’t care who the woman is, I don’t care what your algorithm will say, I don’t care what the ATS as of a woman applies. I want to see that one or two things. One, I’m going to see if there’s no positions available for me, or I want to see if there’s someone else I know who has a position or sometimes I want to talk to him privately going, what you’re applying for. And what you’re saying is in your heart and soul, let me have a one on one. These are type positions that you may align with. And I just did it successfully with a woman who was underselling herself. She was really a strong GRC person was struggling with the analyst. And now she’s a manager GRC and rocking it. So that’s when I also want to talk about holistically women supporting women and helping each other and don’t be the pariah. But that’s what I see in that age group trying to get to where they are either holding themselves back to a situation that they can be in or trying to take out the person ahead of them. Especially when it’s when it’s a woman. It’s not it’s not okay being a male either. But that’s what’s going on right in that age group right there. It’s, I don’t know if that explained it to, but that’s what we’re seeing. And if I’m seeing it, and I’m talking to other global leaders out there, we’ve seen it, we want to help you, you just need to reach out so we can try to help you. But you are getting the reputation very quickly behind the scenes of being a pariah. And we do talk.

Patrick Spencer 14:58 

Yeah, how do you get more Gen Z see women interested in cybersecurity beyond stem and so forth, which is talked about in the marketplace today. But we’ve got to be other ways beyond just getting more of them in STEM programs.

Rebecca Wynn 15:11 

Well, I think trying to go ahead and from a STEM program I think, is wrong, to be honest with you. And that’s really holistically for anybody. You know, if you just look, it’s science, it’s technology, engineering, mathematics. Just when I said that half the audience probably fell asleep. But there are great things out there. I could tell you there’s Physics Girl out there on YouTube. If you haven’t watched Physics Girl, please go watch Physics Girl. She goes ahead and she like the rainbow. Why is it color above the rainbow and below the rainbow different? What’s happening? You know, so part of it is actually going ahead and using a different speech to make it interesting. Yeah, you know, one things like you just mentioned my podcasts. I just had someone else listen to who’s a decision and said, your podcast resonates with people regardless if they’re in technology or not. They can learn and energize. I think we need to go ahead and find out a new way to get people energized. And if you find new people, new way to energize them, fine. I think one thing that does happen for women for some reason, somewhere around them were in eighth grade to maybe you know definitely when your senior for some reason, the energy on how cool and interesting math and science and stuff like that is not there and part of his we don’t have great models along those lines. TV shows it, you know, until we had my imbecilic in The Big Bang Theory. Come on. As a female scientist on the show. It was Guy scientists who were quirky. But what was what being Penny doing? Penny was struggling actor who you know, was waitressing, but didn’t like it on stuff. That was the model. I love the show. And I love Penny, don’t get me wrong. But we didn’t see that there was a woman who could scientists. And then when we had a woman scientist, she was quirky and odd. So that’s why I said, we need to have more people like Physics Girl and stuff like that, who show that being in science and doing the stuff is really cool. We don’t have the models up there. Hopefully I’m being a model and cybersecurity and hopefully other women, but that’s part of things we lose in that age group. And if you look on TV, there’s not a lot of cool scientists out there male or female, but there’s definitely not that many cool females. Don’t get me wrong, I love my ability. And I like her. Her podcast as well.

Tim Freestone 17:34 

You know, I throw another line that you get to my stage in career, you have a lot of lines that your kind of build up throughout life. But this one is you can’t motivate someone but you can definitely demotivate them. Would you agree with that? And then yes or no? How do you see motivation different from energizing? Because you said, you know, we got to get people energized. And it got me thinking about the line that I just said and are they different? But what do you what do you think of that?

Rebecca Wynn 18:08 

I think it’s true. I think it’s true, whether you’re male or female, and I’ll give you again, I’m a storyteller and I like to tell from my heart. Not too long ago, I was you know doing work busting my butt pulling way a lot of hours thinking holistic and appraiser’s management level and stuff like that. had a meeting with the person who was a CTO who is the boss of my time. And out of nowhere, I was blindsided by his wrath is like Don’t you understand your contract? Don’t you understand how we get paid? You know, you’re looking at this holistically and how to fix it, but that’s going to affect my bonus and all that kind of stuff. And it traumas I’ll be honest, it traumatized me. It traumatized me where it was like, I froze, right? I like I could tell inside crumpling one. I think security by design compliance by design, privacy by design. The way Rebecca thinks are that the cyber criminals are out there. I’ll point in time. We’re in the cyber war, no point in time they have to win once we have to win all the time. You can have a person internally, do it on purpose. Or try to go to website or do something nefarious go ahead and get to GitHub and stuff like that. And now we can get nailed that way. Just because they didn’t know and so we need to holistically think about stuff. I never look at how was I never looking at doing the right thing and how it’s going to affect my paycheck. I do the right thing because doing the right thing is doing the right thing. So that traumatized me. And I really had to reach out for some really good people on Is it me or whatever. And I reached out some very top CISOs like Jim Ross or some Peyton Terragraph Steen? And I’m like, what in the heck is going on here? Yeah, we’re in a very toxic situation. Okay, that’s a toxic situation for anybody. But part of it is having those mentors and people that you can reach out and I should tell Having a those were mentors for me, that’s different from a sponsor in that company, your sponsor will have your back at all points in time, it might say something like that in the meeting you presented this way. This is how in the future we can present it better. And let me support that’s a sponsor. But a lot of times we go into roles thinking we have a sponsor, when we have a mentor, maybe, or we have a person who hired us, which is, which is different. I don’t, I want to try to answer a little bit more holistically. But that’s the part where I think it doesn’t matter if you’re a Cisco CTO CIO doesn’t matter if you’re a talent scout or anything like that. That’s holistically damaging companies as a whole.

Patrick Spencer 20:41 

How do you go, you brought up an interesting point, how do you go find a good mentor or set of mentors who can help you, they probably should not be within the organization, you’re working in most cases, you want to find someone who’s outside the organization and will have a unique perspective? And you need more than one, you know, how do you go about building that? That bench, if you may,

Rebecca Wynn 21:03 

so part of it is you want to mentor for what, and I’ll give you an example, when I was working with DOD, I ended up having a great DoD person who signed off on all my reports, and those reports, you have to be spot on, right? They can go to legal things along those lines and done. But she was a very, very top security engineer, and she was picky as heck. But when I was I went to and I said, Look, I want to learn how to write these better, I want to go ahead and be able to make a powerful impact. Can you teach me because I’m teachable? And I really will put in the work. Right? And that was very specific. I didn’t look at her about, you know, how do I grow my network and stuff like that? So part of it is looking at what do you need from that person? And then if you go ahead and listen to podcasts or different things on the signs, you look at people writing, you’ll find that person, if you listen to your heart, what is it that nugget that it is that they can go ahead and give you. So I think one of the things is that we look at like when I go to Jim Ross, I go to Jim Ross, usually when I’m like, hey, I need to send a check. This is what’s going on. This is what I’m thinking. There’s a holistic look at work and the leadership and stuff like that. And I go for him very specifically, I do trees, paintings, and way teragram Fontaine very specifically. But if I want to know holistically as an individual, on stuff that I’m struggling with, those are different people. So I think when you try to get a mentor for can be all in one encompassing where human beings, good mentors, I do not know a good mentor out there, who also does not have mentors. I don’t know a good mentor out there who doesn’t have multiple mentors, that they go very specifically for different things. And that’s not a huge set. That that is a you know, a subset like I personally have three mentors I go to at any point in time for a variety of things, but there’s like really five and they’re not only just on Cisco work, if that answers your question, so resonate, and then ask, I don’t I don’t say yes to everybody. The people I say yes to is their heart and soul has resonated with me, the way that I approach life, they need to approach it similarly. Why? Because we’re going to help them think through it, not that they do what I say that we can think through it, discuss it, and they can get down the path how they want to get through the path quicker, because we’re all in alignment.

Tim Freestone 23:22 

I It’s interesting, I think back in my career and the mentors, all of them happened organically, you know, I never went purposefully and tried to find a mentor. I don’t know if that’s unique, or that’s how most of them happen. But, you know, three or four that just, they just mentored me organically. I didn’t say Hey, will you be a mentor? Is that what do you think of how often that’s the case? And I remember the one time I had someone, frankly come up to me and say, I need a mentor, will you be my mentor? It was it was actually at 14 that I was sort of taken aback because I didn’t know how to answer the question. Of course, I said yes. But I didn’t know what that meant in terms of responsibilities. Because again, everything that I had been mentored on, just happened by course of careers and needing information, and what are your thoughts on organic versus purposeful mentorship?

Rebecca Wynn 24:23 

So I would, I would go ahead and say that that was purposeful. I would say personally, what I say is when there’s a person like that, you feel that heart to heart connection, you feel that openness, that openness to discussion, it’s fluid, and they keep coming back in your life and you keep coming back in their life at that point in time. So I say that that just happened on an inner soul level. And the words didn’t have to be said because that connection was there. So I think it’s there. I do have people who reach out to me, I don’t know them for from anything. I don’t feel that connection at all. Maybe if I have time, I’ll go ahead and meet them for that five or 10 minutes. But there’s Amelie that heart and soul. Now, it’s interesting if someone actually writes me, and they go ahead and I look them, I feel I can feel that connection. And it’s interesting we get when we talk, we can do that. So I think it happens on a soul level. They might be a little bit too spiritual for people. But I think there’s an innate and when you talk about are the people, Jim Roth, I mentioned, Roth and Jim Roth, and I mainly just talk flicked, he was open, I was open, I asked him, I said, Hey, can I go? Can I Can I call you at times? If I’m struggling? Seven, he goes, absolutely. I said the same thing to Teresa pain. That’s why I said I didn’t say mentoring. I did have one person in my life that I did. Reach out as a mentor was a great VP in the company that was struggling some stuff in the company. They were like, the Guru. And I asked them, can we meet on a regular basis? So I can learn these areas? Can you mentor me in it? It’s like 13 years later, we’re friends, but they still are like that big sister that I’ve never had in my life. So I think it when you say organically and organically, I think it does happen on an inner soul level. You the way that I see it, you just know you’re there. Like you said a conference, it’s either that quick content in part of it, you have to know that they’re sincere. And they’re open. And they really mean it.

Patrick Spencer 26:26 

It happens organically.

Tim Freestone 26:28 

Yeah, what I’m what you said the word soul a lot. I know, we know why your book is titled what it is, at what point in your career did you decide, geez, I should write a book about this and what inspired it. And then maybe you can talk a little bit about what people can take away and why they should read the book.

Rebecca Wynn 26:46 

Well, I haven’t written the book has not come out yet. But there is a becoming. But I do this so full on CXO. I have written other

Patrick Spencer 26:53 

title, the book isn’t going to be the full CX. It’s got to be

Rebecca Wynn 26:57 

right. So one of the things I noticed myself throughout my whole career on impostor syndrome, and trying to be everybody how they wanted me to be and that who I was at my soul. And one of the things that was really pivotal in my life is I took care of my elderly parents before they passed. And one of the things they did is they wanted to travel back on less time to you know, where they’re raised. And I met a person there who you know, you know, I remember you and your three. And one of the things they went ahead and they said, you know what, I felt a little knock on my door, and I came in the door, and I had picked, you know, some sort of wildflowers. I hand on the flowers and smiled. When I left. I didn’t ask for anything; I didn’t ask for a piece of candy. I didn’t ask for Thank you. I just smiled and went on. And that’s who I am at my core. And I made a pivotal decision. Like, I’m not going to apologize anymore, that I’m analytical, I can get big jobs done, I can think holistically. But I want to try and do it in a caring manner. Don’t get me wrong, I’m not going to let a pariah eat me, as well, either. But holistically, I think of the human, we’re having a human experience. And that’s the way I see things from a heart and soul perspective. And when I look at the books from the people, I read, those people who always resonate me, when I looked at my close circle people, that’s where they come from people who just want to earn money, for example, great, you can offer me $3 billion a year to go ahead and take a job. And if it does not resonate with me, I will not take it. On the flip side, if you want offered me a job for no money, I do a lot of stuff for charity, I would have to see if I agree with that charity work. So I’m not going to work for free either, unless I’m doing charity work. But does that make sense? It I it’s I think it’s bigger than, you know, just the dollar. And I’ve never functioned in my life by the dollar. So that’s why when someone comes to me and says, we look this bonus structure, and all that kind of stuff, it’s never going to resonate with me, it’s going to resonate me about, you know, how’s this affecting other people? How’s it affecting people internally or externally? How’s it affecting us to be able to, you know, protect, you know, our customers from being attacked. And this is what’s going to be the implications, or how’s this going to protect the United States and stuff like that. And so you will see that the jobs generally I go to, sometimes there’s been failures because it ends up not being aligned. But it’s your vision and mission is to be bigger than yourself. And that’s why you’ll find me in healthcare quite a bit. You’ll find me in emerging technologies quite a bit. And then you’re finding financial services because everybody should be able to have a financial plan and be secure. Everybody should be able to have health care, wellness at some point. And technology can make your life easier. It can make us harder as well too. But you can use technology you can have more time and more human connection. So that’s why people always go like she’s always in these three, you know, trains of thought, but that’s the reason why if that answers your question, but yes, there will be a book called the soulful CXO it’ll be not only about me, but great stories about other people who think more like minded like myself, and how that has shaped our career, and how we have also learned from failures and failures only failure if you stay in it. Failure can if you use springboard that to be a better human and make a better ripple effect in the whole world and your family, then that’s a win. And so what I that’s what I tried to do, again, I should have a flat nose because I feel I wish I wasn’t that way. But I learned a lot from failing.

Tim Freestone 30:24 

See, I’m going to take that line now and add it to my library. The flat nose line, that’s a good,

Patrick Spencer 30:30 

that’ll be the name of Tim’s book.

Tim Freestone 30:35 

Those stories with Dr. Rebecca, when,

Patrick Spencer 30:37 

you know, I think Tim and I’ve interviewed a number of folks who started off in the military typically. And it seems that they picking up a trend here talk more about GRC than others they you know, cybersecurity issues, cybersecurity risks. How do you go about addressing those? Implementing GRC seems to be one of the critical tools in their toolbox. Rebecca, can you comment on that, you know, you your military background? Do you think that gives you a unique lens? And do you see that, because you’ve been at a lot of different companies, those who have a military background? Do they tend to use GRC more often than other strategies to address cybersecurity risk?

Rebecca Wynn 31:21 

I think if you come from somebody from financial services, banking, for example, when you do go ahead and come somebody who is used to protecting the D to D, one of the things is that we understand very quickly, the negative impact of being attacked. And the one way to go ahead and try to mitigate it as quickly as possible, find out about it as quickly as possible and resolve it as quickly as possible, because both those sectors have been nailed is to have some sort of governance Risk and Compliance framework or following. Their thing is, as you talked about, Tod we use to secure technical invitation guides. Why is because other people have figured out how to lock down windows or apples or servers or you know, other devices and stuff like that, and can actually show you step by step how to do that mindfully for whatever security posture you need. So we already get it right. We use NIST and security, technical limitation guys, DOD. When you talk about financial services, they get it. I think one of the dangers right now is when I work with startups, and I just had this lunch bonus as if we’re not going to get a Cisco anymore. Why? Because we have more critical hires. Okay, good luck on that one. You know what, watch yourself on that one, that’s probably a breach waiting to happen. And I do follow up quite a bit on breaches and help companies post breach, but I’m like, you know, doing the right thing. From access controls, privilege level access, and stuff like that, it does not change really, we’ve been doing the exact same, those same concepts, we’re on 1950s 1960s. What has changed is the attack vectors, and how quickly attack vectors can go ahead and be on steroids. Same thing, when people talk about AI, right? If we can use AI for good, the bad guys can use AI also for bad and they can go ahead and then I’ll just give you fishing, for example, all those spelling Arizona kind of stuff. And I use chat GTP or open AI or whatever plethora of the 1000 other variations out there, they can now go ahead and write that very intelligently and maybe get through easier because of that. So I tell people, that’s the thing is, is that the tech factors have changed in the frequency that people can attack you has gone up on steroids. When you talk to financial services, when you talk to government, they already get it.

Patrick Spencer 33:31 

That’s how about you. We Tim and I had a conversation about health care just recently and the fact that it seems to have more attacks, successful attacks, and for that matter, than virtually any other industry. In fact, I think they were number one in the last IBM Ponemon and Costas data breach report that came out or maybe it’s the data breach investigations report from Verizon. But why is health care always up there at the very top list when it comes to phishing attacks and ransomware attacks? And, you know, the exposure of pH I data which is critical information, you don’t want that out in there in the public. But that seems to be the piece of the puzzle that’s talked about most often.

Rebecca Wynn 34:14 

Yeah, I think there’s a couple of reasons I think for that. It’s not that it’s not from lack of caring or anything along those lines. So one of the reasons is that used to be pretty much on a taboo list it used to behind the scenes, hacker’s kind of had like this handshake that we won’t go ahead and we want to attack hospitals and universities and things like that, as it has grown and gotten more and state sponsored doesn’t really do this much. But when you look at all these other syndicates, one of the things is they look at IP P ranges, things like that, and so you might have somebody who’s going through university steps to the hospital and then the hospital gets nailed. So collateral damage compared to there was we will go ahead and we will see what IP addresses are thrown and we will literally not attack them because we know can affect lives and a few years ago, in Germany, there was a woman who was being rushed to a hospital. And that hospital was taken down by ransomware. Because they were trying to hit the University next to it. They had a university in the name there an IP address, and they take it down, and she had to get rushed to the next hospital and she died in transit. So it was the first potential case of I’m not I wouldn’t say manslaughter, but like Aneurin, you know, wasn’t first degree murder. And you didn’t mean to, but you took off away services that actually caught someone’s life. And so now if we go ahead and get you now, we’re going to go ahead, and we’re going to charge you with that crime. So that’s part of the reasons for that, too, when you think about when hospitals, especially even with the pandemic, it was all about, we need to save lives today, and how we’re, we need to save lives today. So we’re getting equipment in, it’s not going through all the security checks and things along those lines, because it’s, you know, I need to save your life now, or do you want me to go ahead and on the security check for the first eight hours first, right, you’re going to be doing that. So part of it is the type of work. The other thing is, is that there has not been a very good in framework or methodology around a lot of equipment, when you think of an imaging machine and stuff like that. Now, you know, before wasn’t connected to, you know, the internet at all, then it starts connected, and it wasn’t being connected, where we thought that hackers literally couldn’t hack your Paik pacemaker, they can hack your imaging machine or your dialysis machine, there wasn’t even a thought that that was always saving the lives. So part of it was just when the equipment was developed, it wasn’t think that way. So we have a lot of legacy equipment that’s used to save lives, saving lives is always going to be come first. No argument there. Now, when you go ahead and look when the new equipment comes, how are you going to do that? That’s, that’s part of the challenges on that with hospitals. And again, they’re not no longer than that safety protection zone. There. And then when you think when you have heads of states and presidents and stuff like that going to hospitals and stuff like that, that also then increased those tech vectors. It’s not only a physical protection anymore, now you’re looking at every piece of equipment that actually touches them could be exploited. That’s when you also saw like when Cheney left the hospital and stuff like that with pacemakers, if you want to go back and read all that, could his pacemaker and stuff like that be potentially hacked and stuff like that? Yeah. So it’s an entry question. I think so they’re lagging. But it wasn’t what the purpose legging is, they were kind of in a safety bubble, that thing is no longer a safety bubble. And now they’re behind the curve. And not only can you go ahead and make a lot of money on the health records, but you also go ahead and when you have people who you might see as actors or actresses or people and political parties or influencers or whatever you want to have that might be important to you. That is a place maybe to go ahead and get them and you can actually exploit them because you can not only can if you can get the information, remember behind the scenes, you can say I will make this public if you don’t pay me off. So there’s a payoff of that as well to that is more than just, let’s go ahead and breach the hospital. And let’s go ahead and take everything offline. There’s Can I go ahead and exploit that information and get a paid

Patrick Spencer 38:03 

per finding? Yeah. Is privacy by design that part of the solution? You’ve written a lot about that you’ve in fact, you had a podcast, I think with and work in? Who’s the mother of privacy by design? As you may know, is that part of the solution? In your opinion?

Rebecca Wynn 38:25 

Yes, it isn’t. Actually, she may be an ambassador of privacy by design on earth here. I think it’s about like 13 years ago now. So that’s no reason why I speak about it highly. Her and I met, she’s like you speak on this a lot. So we connected and I don’t know if you can see I have a blue board behind me. But that’s actually from her. So one of the things is, if you think about privacy by design, one of the things that we did is, is we have privacy after the fact, which I’m against I should not have to pay an organization to take me off all of these public websites constantly, that are putting my phone number out there, my personal address and all other kind of stuff out there. I shouldn’t have to pay them to remove it. I They should have to pay me to put it on. Right. So I am a proponent of you should have to opt in and not have to opt out. I’ve always been that way. When you think about your data and how that was structured if we went ahead and we take data upon creation with an expiration date. So you think about it, you could do that with an encryption key and different things like that we do that with email expiration about data have an expiration date. So if I went ahead and I apply for a job, for example, wind rose a 10 years later, just coming back with a resume that I turned to new 10 or 20 years later, that should have said you know, we will keep your resume on file for six months if you approve it, or one year if you approve it, and then it should expire itself off. We already do that with email. Why can’t we do that with some of these other data creations? That’s where I’m about. So when we create data we should sign off and that that should have an expiration on it for whatever records even when you have a company says that we can Keep this this personal record for 10 years, or 15, or 20 years, whatever. When I do analysis of companies all look at all that stuff. And I’m like, you guys have gigabytes upon gigabytes, whatever the biggest word of gigabytes is anymore. I always forget what it is Zuka bite, whatever it is, you have all this data that you actually promise people that you expire off in seven years and 10 years, you’re not doing it. Right. And I’ve even seen contracts where people say that we no longer are doing contract with this company. And we agree to destroy the data, like your data is all sitting there that because the way you have your database structure, you can’t expire it off Houston, you have a promo. So that’s one thing, I’m always about that security by design, enterprise risk management, by design, privacy, by design, we can build this in nicely. You can also go ahead and then you can anonymize the data, great. If someone wants to go ahead and use anonymize data, they can’t get back to you. But for a greater good, there’ll be no fear then for it to be done that way. And that’s always been my philosophy. And then when I met Anne, I was like, Oh, my God, you know, she is the queen. You know, I think ADA countries or something like that base all of their privacy regulations, all stuff on her now GDPR. And all that kind of stuff is based on her. But that’s why am I It makes sense. And we can do it. So that’s where I come from on that. So they answer your question holistically.

Patrick Spencer 41:20 

Did you do, we would argue that you want to cascade that down so that it’s the access to that data as well. You’re expiring those privileges and controlling them. And that’s where the shameless plug kite works comes into play. Because you can control all that using GRC practices, NIST, cybersecurity framework and so forth. So

Rebecca Wynn 41:40 

absolutely, they all go hand in hand, I think, if you think about data solely as $1 cost point short term, until we get away from that holistically, worldwide, it’s always going to be a problem. Playing the short game, I’ve yet to see ever wins long term. What you and I are talking about is how to holistically make this world work. privileges, things along those lines. So then you always will have longevity in the one thing I’ll go back on both of us, right? I come from a trust officer perspective, you guys come from trust. If we can help you go ahead and do this very mindfully that people can trust you that you’re good to your word? And if not, if the bad guys actually go ahead and nail you. And it’s a matter of when not if, can you go ahead and mitigate the damage as quickly as possible? Can you track how that damages? Can you track it back to your contracts? And how things are going effect? Can you go ahead and put a management action plan corrective action plan of action milestone, it’s the exact same thing just depends what industry you’re in? How we’re going to do that mindfully and track that. So you can trust us as customers and consumers, then it’s a win for everybody, that transparency is what you guys do is what I do. And I think that’s what the world really wants.

Patrick Spencer 42:59 

No, I think that trust is critical. So we’re unfortunately out of time, we’re going to have to do this again, when your book comes out. We need to have a whole additional podcast interview with you on all the great insights that you’ll have in that book. So we look forward to having that follow up conversation with you. So for our audience members who want to check out the Soulful CXO podcasts, where can they find it?

Rebecca Wynn 43:20 

It’s on all platforms. So Apple podcast, Amazon, Google, Spotify, it’s on every single podcast. New episode is every Tuesday 10 o’clock. Pacific time is really Mountain Standard Time because I’m in Arizona. I do sometimes release a special one on Thursday, but definitely every Tuesday. You can go ahead and catch that. And again, people like we’ve already talked about who’s Peyton and kabuki and Jim Ross Terragraph. Steen all those type people were on the show. And then if you’d like to be on the show, and you’re from a heart and soul type person, then CXO reach out to me at Rebecca at soulful CXO.com

Patrick Spencer 43:56 

No, that’s great. Great. Well, we appreciate your time today. Wish you the very best for our audience members who want to check out other kite cast episodes, go to kiteworks.com/kitecast. Appreciate your time. Look forward to having you on our next podcast. Thank you for listening to another tight cash Show. Check out other Kitecast shows at kiteworks.com/kitecast.

Rate. Comment Subscribe and listen. Wherever you get your podcasts

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.

Lancez-vous.

Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Share
Tweet
Share
Explore Kiteworks