Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Cybersecurity Today on the weekend, and our show, the Secret CISO.
The show is where John Pinard and I invite people in the CISO or similar role for a conversation about their work, the industry, but most of all about them.
And if you're looking for interviews and questions, this isn't the show for you.
(00:21):
This is a conversation that we have to get to know people and talk about things in a relaxed atmosphere.
So we'll start with our introductions.
Now, this is a bit like a party at my house.
Everybody out there already knows me, but we'll start by getting the guest's introduction.
John, why don't you start?
Sure.
My name is John Pinard.
I'm VP IT operations, infrastructure and cybersecurity for a
(00:43):
financial institution in Toronto.
I've been in IT for longer than I'd like to admit, but, yeah, that's me.
Priya, great to meet you.
Why don't you introduce yourself?
Sure.
Thank you for having me, Jim and John.
Pleasure to be here.
Yeah, so I'm, you didn't tell me how long it should take, so I'm gonna take as long as you want.
(01:03):
I know this marvelous editor, so you can take as long as you want to introduce yourself, take the whole show.
We'll have coffee.
No.
I wanna hear about the great things you all do as well.
Yeah.
I'm Priya Ali.
I'm the CISO at Sheridan College, here in Ontario.
Very much in Ontario, Canada.
So I'm, I cover all aspects, information security, privacy, resiliency, compliance,
(01:25):
managed pockets of IoT security as well.
I work very closely with my peers, not only in IT, but risk management, campus security, research, and other departments at the institution as well, including faculty.
I do have a part-time role as well, serving as a key strategic advisory council member, as we call it, to my CEO and to the board.
(01:45):
And I'm part of the pan-institutional Policy Review Committee as well.
And it helps me to understand all the policies the institution makes and then see where's the best fit, right?
Like to be able to talk about technology and information security.
So, just before I moved to Sheridan.
I have, in total, I have about 20 years of experience in the space of cybersecurity, privacy, risk management, compliance, resiliency, and I will say data.
(02:09):
And today, certainly AI governance.
We'll talk about AI.
And just in terms of my path into cybersecurity, it was not linear.
I graduated with an engineering degree.
I started my career as a software developer.
Did that for about four years.
And then two things I wanted to do.
I did not wanna do coding and testing for the rest of my life.
But I did wanna use my grounding in technology, so to speak,
(02:32):
to do two things, right?
One is to understand the intersection of technology with business.
And the second was, since I am a person that's motivated by challenges, I did wanna challenge myself to become a subject matter professional in another area of technology that was up and coming.
And at that time, this was back in 2010, back in India where cybersecurity
(02:52):
was just being spoken about.
So that's how I got my start.
After my software development experience, I went on to do my MBA and after that I landed roles with the big four consulting firms, something with three of the big four, starting with Deloitte.
Where again, initially I focused on enterprise risk management and then moved into technology risk and cybersecurity.
(03:15):
But then before I moved to Canada, I spent close to a decade in the United States, advising technology giants in the Bay Area.
So the likes of the very large, known technology giants in the Bay Area, I won't name the names.
After that I spent about six years in New York where I was supporting some of the most prominent and well-known names on Wall Street.
(03:36):
Besides that, I've lived and worked in six countries outside of the US and Canada.
So some of them being the UK, China, India, and Spain.
And my journey has taken me from both working with operational teams to build cybersecurity programs from the ground up and working with the senior leadership and the boards of organizations to be able to build
(03:56):
robust and agile cyber risk and really resiliency strategies.
I'm very fortunate that I've had a lot of global exposure and this global exposure has helped me to work in a multicultural environment by having a global mindset and really being able to work with people from different backgrounds, thinking styles, and being able to communicate to them in
(04:20):
their language. It also does help with being empathetic and adaptable as well.
So that's that. Fun facts about me outside of work.
I write poems.
So that's my stress buster.
I think we may all need a stress buster.
I have about 35 poems that I've written in English, published globally. I am a wildlife nerd.
What can I say?
Especially with respect to predators.
(04:41):
Besides that, I do love to travel.
So I've traveled to over 20 countries and I do intend to increase the count.
That's that.
By the way, in preparation for this, I did, I do have my mom visiting from India, and I was asking her like, how do you describe me?
Like a few words.
And so she was saying there, there's a few things outside of her knowing me
(05:02):
as very ambitious and career oriented.
I am someone who's motivated by challenges.
I will say persistence is my middle name.
It's important to be able to embrace failures, learn from them, but learn from them and pivot your approach every time.
So I will say persistence is my middle name and I strive for excellence and try to achieve perfection in everything I do.
(05:23):
Wow.
Yes, so that's me.
Another thing I will add is outside of what I do at work, and where I met Mosen and John, and now you, Jim, is that I keep myself very active in the industry in terms of networking, in terms of being actively speaking at conferences, panels, just sharing thoughts, brainstorming on ideas and all of that.
So I do keep myself active in the industry there, not only on cyber, data and AI
(05:45):
topics, but DEI is close to my heart as well, especially when it comes to women empowerment because, I'll say this, I've made a lot of mistakes in my life.
I do wanna give back to the community. I strongly believe in paying it forward.
So I wanna see younger people accelerate their career.
So that's why I take the time to do it.
When do you sleep?
(06:06):
Okay.
I'll be honest, I get asked that a lot.
So no, I do sleep.
It's all about time management and prioritization, right?
It's not about, you need to be comfortable with the fact that some things can wait for tomorrow.
And so how I do it is you are constantly thinking, you're constantly on your toes and prioritizing, right?
What is it that I absolutely need to get done today versus the things
(06:29):
that come ready for tomorrow?
Otherwise, you're not gonna, you're gonna end up with no.
Wow.
Mosen.
How many countries have you been to?
I feel like I haven't traveled enough.
I've been to a few too.
I've been to a few, but, no.
This is exciting.
Good morning everybody.
Maybe I'll talk a little bit about myself.
Like John, I'm also in the financial sector.
(06:50):
So I'm a director of cyber defense.
And over the past many years, I would say probably 25, I've been in the IT industry, going from one role to another.
Just prior to my current role, I was with Walmart Canada, traveling to many areas.
And prior to that, I was in the entertainment and consulting sector.
(07:13):
And I had the opportunity to work, to also travel to Europe, US and the Far East as well.
One thing that I can say is that, over the course of many years, being in a leadership position and going from IT to IT security, I've learned so many things, and most of that relates to how you collaborate and
(07:35):
communicate with your community.
Same as John, yourself and Priya, I'm also participating in software community events.
So some companies such as cyber X, Ivana, Gartner.
And so those are some of the forums that I tried to participate in.
Back in the days when I started, the inception of digital, I was
(07:58):
part of the entertainment industry and basically creating the first standard for MPAA, which is the Motion Picture Association of America.
Since then, done quite a few in the movement of digitization of the organization as well as protecting and using the knowledge that I have to help
(08:20):
others to also elevate themselves as well.
Cool.
Absolutely.
So we've got a fair bit of experience here.
This is good.
I'm gonna learn a lot.
Let's talk about, I want to dip into a couple things and, Priya, I wanna go briefly into this, but I do wanna ask the question because I've been a big proponent of women in IT.
I've taught in engineering schools, and I knew.
(08:44):
Years ago, there are more women in engineering roles now.
Thank heaven.
You must have been pretty early in the game. India's a pretty straight ahead country, pretty rigid in some of its aspects of this.
What was it like when you told your mom and dad that you wanted to go into engineering?
Did you get big support?
Okay.
Yeah, I appreciate the question, Jim.
I will say yes, I did get support.
(09:08):
My parents were very forward looking, so they were like, you own your career, whatever you wanna do, right?
Whatever you are passionate about, and also be realistic because at the end of the day, you have bills to pay.
Let's be realistic, right?
Have a real job.
This is what they said.
With respect to engineering, I'll also say this about myself, I did not initially start as a very academically oriented student.
(09:31):
But I think things changed.
There's a few things that happened while I was growing up.
There were some financial scenarios that we had to deal with that got me thinking.
And then early on, like high school, about the time where I was like, okay, so I do need a good job.
A good job means a high paying job, so let's work my way backward.
What does that mean?
(09:51):
I need my scores high, right?
Okay.
So let's focus on my academics, right?
So that's what happened, right?
It's because of some things that we went through while growing up.
So that's one.
Now with respect to answering your question on the engineering, no, like I said, my parents were like, whatever you are passionate about.
And actually why I chose, Jim, was, I don't know if I should say this, but while I
(10:14):
knew I wanted to become an engineer, with respect to honing in on which specialty?
No.
At that time I didn't know better.
Right there, there was not really Google at the time.
There was certainly no ChatGPT at the time.
I based it on, okay, so if I do this, this will be the potential career path.
And then, so it's just about talking to people.
And at the end how I picked it, I was like, okay, so between computer science
(10:37):
and electronics and communications engineering, there's a maximum number of people going for this.
And I picked ECE, which was electronics and communications engineering, because that's where most of my peers were headed.
Yeah, my dad, when I told him I wanted to be an entertainer, and I actually was for quite a while.
I still play music and things like that.
But my dad said, gave me the great encouragement.
He said, follow your dream, but learn to type.
(11:03):
That's sound advice.
And in the first computer rooms, the guys who could type were people who were desirable to have, you could do keypunch, you could do testing, and you could be fast at doing that stuff.
Sometimes our parents give us the best advice, which is have a plan B, yeah.
How about you?
You had an interesting career.
So you've gone through the entertainment industry and all this sort of thing.
(11:26):
How did you drift into cybersecurity?
I have to say, I come from a technical background.
I have an engineering degree.
When it all started for me, I always had the passion for everything tech.
I have this lab in my place that I built electronics.
I built garage door openers.
I build CB radios and all kinds of things, everything electronics.
(11:49):
I try to build and use them.
So it was natural for me to gradually get into the tech sector.
It all started with the IT operation for me and then.
When I started with Deluxe Media Corporation, which is the entertainment sector back then, they were at the juncture of moving from the analog world to digital cinema.
(12:10):
So I had a part during that migration to go from the analog format to the digital format.
So that was a big change at the time in the industry.
A lot of things that used to happen, that movies get pirated and they are on people's computers before they actually get on the screen.
We were tasked to make sure that does not happen, and that's where
(12:32):
we actually started forming a consortium and building the first cybersecurity standard in that environment.
Going to cybersecurity, I always thought that I can probably use my knowledge and have a little bit more impact.
Also being a father and appreciating the world that they're coming to with the young generation, I always thought that I can make more impact, helping
(12:56):
the people around me and people that I care about, community that I care about, everybody that I care about to actually have a better life and protect the most valuable assets that they have, which is their personal and organizational data.
Cool.
And John, this is always weird with you because some of the audience coming here knows you because they've either seen you on Project Synapse or one of the
(13:19):
shows that you've actually hosted here.
Just a little bit of background on you, to orient people.
Yeah, I guess at a high level, I started out as a programmer and have worked in a number of different industries, a number of different companies.
I was joking with somebody the other day that I have never worked in the same industry twice throughout my almost 40 year career.
(13:42):
It's been interesting.
I've worked in pharmaceutical, I've worked in healthcare, I've worked in non-profit, I've worked as a consultant.
I think it was on the last show we talked about how did you get to be in cybersecurity.
For me, when I started out as a programmer and probably until the mid eighties, the consulting company I worked at, we didn't even have internet.
(14:05):
So cybersecurity wasn't really an issue when you don't have internet.
And things have changed dramatically since then.
There were no cybersecurity certifications or anything at the time.
And so for me it's all been self-taught.
It's actually self lived because there is no better teacher about cybersecurity
(14:27):
than getting hit with ransomware when you're working for a large conglomerate that takes your entire organization down.
I've lived through that too.
I'm so old that I remember when we put passwords in.
And then we still do, I, we still do, I was heading up.
No, but we didn't have passwords on any of our computers.
(14:47):
They, when we first started, we had, we ran a DEC mini, and that was the whole thing.
And there were no passwords.
Matter of fact, we had a program called wipe.
And usually you went onto the programs and you waited to get to, okay.
And you click okay.
If you want the program to go.
There's a program called Wipe.
And one of the guys, one of the managers there on his last day wondered what it did, and you'd wait for the program conversation.
(15:09):
You typed in wipe and hit return and it had no okay on it.
Like we learned a lot by, oh.
The stuff happened in financial services in the early days, you would just, you would laugh.
But so I, yeah.
The I and I, because I was supposed to, I wanted to get some mainframe experience.
'Cause I was, if you were on a mini, you didn't make as much, like if that was,
(15:31):
you wanted to get to the mainframe world.
So I got a job working for National Trust at the time and they had a fairly big trust system and all this sort of stuff.
And then somebody came up to me, said, that lady over there, she works for you.
What'd she do?
Security.
Oh, okay.
We had great training in those days.
She worked for you, anyway.
Yes.
(15:51):
So we've all come to this in a different way and we've come to this world where we are bringing all that experience.
What I'd like to do is just to focus a bit on the current world and what the challenges that you see with all, and they don't have to be the classical ones that everybody talks about, but what are the big challenges that you see in the world of cybersecurity and IT
(16:13):
today, Mosen, do you wanna start?
Yeah, sure.
So as everybody mentioned, we do participate in events and conferences.
So one of the conferences that is really dear to me, try to attend whenever I can, is the RSA conference.
So this year I had the opportunity to actually be there with more than 45,000 other people, leaders from around the world.
(16:36):
Some of the key messages that I heard, that I think it still makes sense for many other organizations, is the challenges that we today have to using AI, AI both being a threat and also a friendly tool.
So that, that's a big challenge that is in front of us.
Like any other time that there is a sort of an evolution or a
(16:59):
change in the tech sector and more noticeably now with what is happening in the AI world, there are two aspects of it.
One is the good side of it, one is the bad side of it.
So how you deal with that, I think it's the top of a lot of the conversation today.
One other thing that I also noticed that was at the top of the agenda was how
(17:19):
this fatigue with many aspects of the SOC operation is actually kicking in.
So there is a lot of burnouts.
There is a bit of a shortage of the talents and the companies get inundated by various types of alerts, events, and they have to start making sense of it and how they protect their organization.
So that's also
(17:40):
a big challenge at this point.
The last thing that I mention, as part of the top three, is basically a platform consolidation.
Many of us, through the work that we have done, put many tools and platforms and try to stitch them together.
This is becoming a bit of a challenge for everybody, including myself,
(18:01):
to actually start making sense and have these platforms talk to each other and consolidate them.
Because at the end of the day it is the speed and agility of the response that really is important when something potentially goes wrong.
Yeah, we'll come back to that one because I think it is part of the, it fits into burnout as well, is just the number of things that we have to master.
(18:24):
Priya, what do you, what are your top three?
Sure.
Yeah, I'd say first of all, completely agree with all the points that Mosen mentioned.
So three things.
Number one, starting with, outside of the Gen AI part, we continue to live in a hyperconnected world, right?
And when I say hyperconnected world, it's not only organizations using multiple cloud partners.
(18:45):
It's also remote work.
It's a lot of usage of IoT devices across the board and a lot of third party, fourth party, fifth party, whatever, integrations, right?
So it's the extended, I will say, vendor slash business partner ecosystem, as a result of which, as cyber defenders, our attack surface just exploded.
So that is one top challenge.
(19:08):
And then the second point that comes to mind is just unpacking recent cybersecurity incidents and also paying attention to what's happening in the global scenario. At this stage there's a lot of geopolitical scenarios and tensions emerging.
Hackers are continuously evolving their game where it's not just the data or affecting one institution. The motive can be to look at an economy
(19:33):
as a whole, multiple economies as a whole, right?
And attacking the weakest point to be able to cripple, right, us.
So again, I don't mean to sound like a doomsday person, but again, like we need to build our immunity, right?
Like it's not a matter of if, but when, so my focus is around cyber resiliency.
It's not just cybersecurity risk anymore.
(19:54):
It's around resiliency, being able to bounce back within your times and keep your business operating.
The third part I will say is, we are in an inherently digital environment today, right?
For everything.
It's a phone, it's a button click away on the laptop or on the phone.
And we live in a globally connected system.
So I would call ourselves, the cybersecurity teams,
(20:17):
we are not just insurance for the business anymore, right?
Like we are the business enablers.
And so to this effect, what I have done internally, I know we're talking about challenges, but I'll also give you a window into what I've been doing here at Sheridan, is that, just in the Canadian higher education sector, it's not as heavily regulated as financial services.
I spent the longest time in financial services.
(20:38):
So I miss regulations, I'll say, if I can be honest.
But that said, I've had to come in and pivot my approach, where I focus on building relationships not only within IT, within HR, finance, but also across the business lines, because you do want them to see you as a business enabler.
And I focus on building relationships with them through my credibility and
(21:00):
not being the naysayer all the time.
Hear them out, understand their use case.
And there can absolutely be a middle ground that can be arrived at.
So being able to build those relationships through credibility and also showing that you can speak their language, right?
Speaking the business speak.
Yeah.
Good.
John, what's your reaction to all this?
(21:23):
I agree with everything that Mosen and Priya have said, especially the Gen AI.
Based on our other podcast, I love AI.
I think it's an amazing tool, but it can very easily be used against you and it is being used against you.
It's escalating the intensity and the speed of cyber incidents.
(21:45):
So to me it is definitely a big one.
One of the things that I wanted to add too, though, is people like, and I'm not talking about hackers, I'm not talking about external people, I'm talking about internal within your organizations, and it's not intentional, but it's just the lack of thought, right?
(22:06):
Just in the sense that they get an email, they see a link, they automatically click on it, click first, think later kind of thing.
That is, that's what comes back to really bite you, is that people don't think enough.
And we've spent an awful lot of time with training and education in general to our
(22:29):
staff on, think about what it is when you get an email that's got a link or it's got a QR code or it's got something, think about it before you touch it.
It was actually very relieving because we ran a phishing campaign a couple of days ago, and I had three people that normally would click first and think later actually
(22:54):
come up to me and say, I got this email.
It looks odd to me.
What should I do?
Ooh.
So that was, I have to, it's such a small thing, but I have to tell you, it was the highlight of my week.
Yeah.
Don't you wish when people ask that question, you had someplace in your drawer where you could reach in, pull out $200 and say, take your family to dinner and
(23:18):
celebrate the fact that you're great.
Yes.
That's a piece.
Let's start with that.
I promise you, we won't let AI get away from us. Let's start with that, because my perception is right now that a lot of us had a technical background and I had those corners broken off me by a great woman coach that I had partway through my career.
(23:38):
'Cause I thought of the world as the army when I started out in business.
It was the army.
We did things in IT.
You did them, you were told, you just did them.
Then we met all these people in the business and they didn't actually listen to us.
That was a big revelation for me.
Somebody gave me a book called Power and Persuasion and said, Jim, they're two different things.
(23:59):
But we have to deal with the humanity in that, the burnout and things like that.
How have you adapted to this new need to be either an organizational psychologist or whatever you want to describe that?
How has that changed how you think about your job and how have you adapted to that?
Mosen, do you wanna start?
Sure.
So this is an area that is becoming top of mind more and more, as we go through
(24:24):
our hiring practices, through evaluating who actually can do the work for us.
I think there is merit to the fact that we need to hire problem solvers rather than technical people.
There are certain disciplines that you do need that huge technical background to actually do the work.
But a lot of other things in the cybersecurity world is you
(24:48):
actually need those bright minds.
You need those people that they can actually maneuver through many areas of the organization.
They are willing to participate in business mission and drive that business mission forward.
They are willing to participate as a team.
They're prepared to take your security agenda to the highest level of the
(25:11):
organization and basically be a voice for things that you would like to do.
So I think there is a lot of merit in the fact that those people with people skills and those people that they can actually talk and solve problems play a big role in cybersecurity practice today.
(25:32):
And in a world where there's a shortage of those people, that presents a real challenge.
Priya, how do you deal with that?
So is your question around burnout or around managing people?
I think you came out of big five firms.
You know what I'm talking about.
We did what we were told.
And now there's a whole new world out there that we have to persuade, including our own staff.
(25:52):
Holding onto good people is not a matter of what it used to be, that people applied for a job and they stayed with you for a long time and you gave 'em their annual review and all that sort of. We have to motivate them.
We have to deal with burnout, we have to deal with persuading and educating, as John pointed out, the user community.
I was a prof and taught a number of places and the politics of
(26:12):
education have defeated many people.
They're complex organizations where everybody's smarter than you.
That's, everybody I dealt with when I was doing a university aspect was really smart.
So it wasn't, you have challenges of persuading people in those environments.
So how do you deal with the people issues, and a reason I separate that out is because we started in technology.
(26:34):
I mean that we learned technology, we spent our time in tech, and suddenly we have to become real experts at people and behaviors.
Yeah, that's the longest question in the world.
But no, it's not the longest, but it is loaded.
So I'll say with respect to people management, yeah, you are exactly. Ha, you're exactly right.
Now, with respect to the job market and with respect to
(26:55):
all the other perks, right?
Outside of salary, like hybrid work and things like that, like the individual's preferences too have changed, right?
For example, if an organization does not offer any hybrid work, even if they pay me a million dollars, say, yeah, I'm not gonna take it.
So I guess with respect to people management, my style is that, and again, I don't mean to throw the book at you, but then there, there is a
(27:15):
philosophy of servant leadership, right, where you are, where I do my best to be a servant leader, right?
Where it's, I am there to serve the team and be that enabler, right?
Where I trust my team, I make them feel empowered, but at the same time, I am accommodating in the sense that typically I do get an understanding of
(27:38):
the things they wanna work on versus not, the tasks they wanna work on, the projects they wanna work on, their work preferences, hybrid versus onsite, of course, making sure you meet the company policy, and the communication preferences and styles. So I typically, before I start working with my immediate team, directly reporting to me, or my extended team, I typically have a
(27:59):
one-on-one conversation with everyone.
So I understand the person as a human being, right?
More than what they bring to the organization, just to understand what makes them tick, right?
What's their life like?
Like for example, do they have a family here?
Did they grow up here?
And things like that, right?
Because at the end of the day, my philosophy, Jim, is that if
(28:20):
at all anyone has a question or problem or challenge, work related or not, I want them to be able to be comfortable enough to be able to pick up the phone and call Priya, right?
So that's how I build the relationships.
I will say it is not at all easy, right?
It's never a one and done.
You've got to keep the relationship alive.
(28:40):
You've got to keep it going, right?
And you've got to be accommodating as well and help them.
Like for example, today, what's happening in the higher education space here is, yes, outside of the super smart people in the room, there's international student quota restrictions, right?
As a result of which there's a lot of Canadian colleges, Sheridan included, where we're quite tight financially, where we're really needing to take
(29:03):
a hard look at our finances, right?
And one of the quickest ways that finance reductions can be met is headcount reductions.
That's just, truth being told.
So there is a lot of anxiety and uneasiness in the environment, not only within my team, but also outside, but being able to be there for them and being able to hear them out and support them and offer them advice, like not
(29:27):
only as their performance manager, but as their true, outside of work even, career coach and mentor has worked well.
So I'll say at the end of, in summary, just be a real human being with a good heart.
John, you work in an environment that you try to keep quite personal, but the question I keep coming back to, because I
(29:48):
totally appreciate servant leadership.
I totally appreciate understanding people, but the reality is there's the nuts and bolts that we've gotta do.
There are rooms where people watch and they get alerts, and they have to make sure they track them down.
And they may not find personal fulfillment in that, but it's the work that's gotta get done.
How do we keep our own staff motivated and avoid pressure and burnout?
(30:12):
Yeah.
That's a tough one.
I have dealt with that for the last three years where I am now, that organizations are looking at tightening the purse strings, which means either letting people go or not hiring additional people.
It means doing more with less, and that's a difficult task when you
(30:37):
have a finite number of resources and you have to juggle getting the work done and preventing burnout.
I'm extremely lucky in the sense that I have 13 people that work for me, and I would say that every single one of them is extremely dedicated to their job, to the point where I don't have to ask anybody to put in extra time to do a job.
(31:03):
In actual fact, I have a few of them that I actually call on the weekends when I see them online and tell them to get off, that they need to have their own time that's outside of work.
It's tough.
One of the things Mosen had said was, when you're hiring people, is hiring strategic thinkers.
(31:23):
And I would agree completely that you can teach.
From an IT perspective, you can teach somebody how to program in a certain language or how to manage portions of a network.
It's very difficult or impossible to teach someone how to be a strategic thinker.
(31:44):
You either have it or you don't.
So you know it, when I'm recruiting, one of the things that I do is it's not only do they have the skills to do the job, it's are they a good character fit?
Are they gonna fit in well with the people that are already in my team and at the organization?
(32:04):
And can they think on their feet?
Do they have that ability to be a strategic thinker, that it's not just, oh, I'm doing this because of this, it's also I'm doing this because of this, but if I do that, what impact is it going to have?
Not only within IT, but also on other areas of the business?
(32:29):
Yeah.
So can I just add one?
Absolutely.
Point to that.
Yeah.
John.
I completely agree with what you and Mosen said, especially on the strategic thinking aspect of it.
Yeah.
Like when I hire for the team as well, yes, I do look for some foundational technology, foundational cybersecurity knowledge, but then that's not all, right?
So it's really around strategic thinking.
(32:51):
But then some of the things I try to gauge in an interview process are someone being a self-starter, someone being open to learning, because, let's be honest, we are all learning as we go.
And it would never stop.
So someone being very open to learning and learning quickly, and exactly like you pointed out, being able to gel with the team.
Because the last thing you wanna have happen is you have a tight, cohesive
(33:14):
team working well, on autopilot mode, and then you have a new person coming in and being disruptive.
So being able to gel with the team.
Absolutely.
Being a self-starter and being open to having the intellectual curiosity to learn and get the job done.
Okay.
And Mosen, I'm gonna give you the last word 'cause you obviously have, you're just rolling in dough.
(33:34):
You have no problem with resources.
You just hire anybody you want, right?
How do you cope with this situation of scarcity, burnout, motivation, and the hiring that we talked about?
So when I think about the burnout and the fact that everybody has to do so much every day, I usually think about life's ups and downs.
There are so many ups and downs in life.
(33:55):
There are so many stress factors in our own lives that, when things happen and things go a little bit haywire, I try to approach it from that point of view.
So say, this is just another aspect of the way of life.
So I have to be able to manage it.
Same as what Priya mentioned about writing poetry.
You have a mechanism to actually cope with that kind of stress.
(34:18):
You participate in sports.
I do a lot of playing instruments, more specifically guitar, lately.
Priya can be the lyricist.
We can do a jam night.
Will be, yeah.
We can do a jam night, jam.
Alright.
Yeah.
So I think music saved me.
I was very driven, I was very worried for most of my career because of the pressures
(34:39):
that I would have, I always felt like a bit of an imposter through my whole career because I was always advancing.
And I'd get there and I'd go, how do we, from, I can do this from, yeah.
But if I bring it a little bit closer to home, like from a point of view of looking at the organization and the team, I try not to, one thing that I really try hard is not to add to the stress level that is already there.
(35:01):
So I try to be helpful.
I try to create process not to do the same mistake twice.
So if I can do all that and not have to be extra stressed, that everybody is experiencing, I think I'm a little bit ahead of the game.
It took me a long time to learn that, and I'm just being honest about it.
(35:23):
You have to choose who you're going to be under pressure and, if you're driven, you might not respond in the ways that leaders should behave.
And that took me a long time to learn.
But I think, as I said, music, poetry, John, you're an outdoors guy.
I know that, and you do a lot of stuff as well, but getting away is something you have to, not just phoning the people out, telling 'em to get away on the weekend.
(35:43):
You have to phone yourself sometimes.
Yep.
I wanna flip this a little bit and talk about, because I think there's a new role for CISOs and I think we're all adapting to it, and that's of the organizational psychologist, and somebody put this together, and I got the greatest insight into this when we were thinking about this and said, we want people to behave in a certain way so that we can combat social engineering.
(36:06):
But in reality we're social engineers, we're trying to get people to behave in a proper way.
How have you reacted to that?
How have you understood that?
What is that?
John, do you wanna start?
Yeah, I think, I have never really thought about it that way, but yes, you're right.
We are social engineers in the sense that we are telling people
(36:27):
what they can and can't do and how they're supposed to do things.
I think we have to, though, that, in an environment where we are, my staff or other employees at our organization, I can make suggestions as to things that they should or shouldn't do on their personal computers and in their personal lives to protect their own data.
(36:48):
But at the end of the day, they can go do whatever the hell they want, but when they walk through the door or when they turn on the company computer, we have to dictate what is acceptable and what isn't.
To keep our data safe.
And in our case, because we're a financial institution, keep our members' data safe.
(37:13):
Priya's gotta look after the students and the faculty. Mosen's in the same boat as I am, that we have, we look after people's money.
I think one of the things that we try to do where I am is not only educate people about why you have to do things a certain way at Duca, but also
(37:37):
why you should be doing it, period.
In other words, why do I need to protect my data?
Why do I need to not click on things?
Because we're trying to educate them about safe and effective use of computers in general.
So that they will go home and do the same thing and, hopefully,
(37:59):
share it with their family.
I did this for years with my father, that I would call him up and go, Dad, you're gonna get an email from somebody that says to do this, or somebody's gonna call you.
Don't fall for it.
So I think it's trying to educate our staff, but not only for work purposes,
(38:22):
it's to try to make things better for them across the board from an IT perspective.
I get financial advice from people that I work with that are on the financial side of the business.
They're doing that to help me on a personal note.
So why shouldn't I do the same thing for them from an IT perspective?
(38:46):
Priya talked earlier about giving back. To me, this is one way to give back: give back to the people you work with, give back to your friends, to help to educate people on the things that we have learned throughout time within our IT slash cyber world.
(39:08):
Oh yeah.
Awesome.
Yeah.
I can relate to that.
Definitely, in a world that is so fast paced and the way that we are expected to perform at work, we don't pay a lot of attention to that chemistry between people.
So a lot of times we are simply dropped into certain tasks or projects and we
(39:32):
wanna see it from start to finish.
But there are a lot of nuances in between, how you can actually get a more productive environment in place, how you can actually have people talk better to each other.
A lot of what we do, we bring many things from home to work.
We bring many things from work to home, so that area of separation between
(39:55):
the two is becoming thinner and thinner.
So I think that there is definitely a reason that organizations such as ourselves, we are actually paying attention and we are hiring psychologists to actually come in.
I have to give you an example that happened to us not too long ago, maybe a couple of months ago, that there was this chemistry between a couple of teams
(40:16):
that wasn't really quite working, and there was a bit of friction, and we actually had to sit in the room and we had to put everything on the table and we had to be a little bit candid about each other and the way that we want to put certain guiding principles in place.
So I think all that has a place in this fast paced environment that we live in today.
(40:39):
Interesting.
Yeah.
Hard to do that over Zoom or Teams, eh? Very hard.
Yeah.
Priya, what do you... Yeah, sure.
So I don't know if I can, I think Mosen and John have covered it all, yeah.
A couple more things I'll say in terms of influencing behavior.
I will say, yeah, culture, that was mentioned.
(41:00):
I think John was alluding to that.
So with respect to culture, some of the things we do are certainly training, phishing awareness trainings and phishing awareness campaigns, and also the information security trainings that we do.
And it's not only to staff, it's also to students, and staff of course.
(41:20):
Yeah.
We speak to them in their language, right?
And in fact, for students, like we have dedicated, as opposed to sending them a link, we do awareness sessions for them.
And we did quite a bunch of them very recently, where it's to talk about, because their lives are very different with respect to what we do, right?
So there it was to really double click and talk about these are the different types of social engineering attacks.
(41:42):
Extortion is a thing, right?
So that's one.
And then we also spoke about deepfake scams.
Be careful about what you post, about what pictures you have on there, right?
Because, again, we all know based on CrowdStrike's most recent report, social engineering scams are on the rise, with vishing-related scams enabled
(42:02):
by deepfake going up by 400%, right?
So we bring that back and say, deepfake, watch out.
Be careful about what you post.
Stay vigilant, stay suspicious. Stay vigilant in terms of, like, when you look at an email that looks weird, right, from an unknown sender and it's too good to be true.
For example, click this link to win a million dollars.
(42:23):
It's too good to be true.
So exercise the caution to be able to do that, right?
So I would say that works, right?
Like from a culture perspective.
So again, like we tailor that to different levels of the audience, right?
Again, like we have it for faculty, for students, and for the executive teams.
Tabletop exercises work very well in terms of being able to.
(42:44):
But then that is great in terms of bringing awareness that it's not a matter of if, but when, so let's just make sure we build the muscle memory today so that when we know if something were to go awry down the line, everyone knows what exactly to do.
So that's like from a culture standpoint, I will say, in terms of influencing behavior, back to your point, I think that's why we have policies, right?
(43:05):
And I think John alluded to this, so the acceptable use policy, and we have an information security policy as well, in terms of talking about appropriate use of the network, of your devices, of the data, how you access sites, what you need to be careful about.
So that's the second thing.
And then the third thing I would say, similar to what I mentioned earlier, and I think both John and Mosen alluded to this, is around
(43:28):
being a business enabler, right?
When in doubt they want to reach out to you, right?
When in doubt they wanna reach out to you.
And when they're looking at a new solution, for example, because you are not seen as a sledgehammer, they're not gonna go around you, they're gonna consult you.
So that is what I wish for that to continue.
But again, I think that's where, those are some of the things that we can
(43:51):
do from a behavioral aspect in terms of influencing behavior and telling them why it matters in their language.
So this has been a fascinating conversation.
I'm cognizant we've only booked you for about an hour, so I wanna make sure we get through, can I invite you back to talk about AI?
Because I think if we started talking about AI right now, you wouldn't be able to get back to work for the rest of the day.
(44:13):
Can we do part two?
Yeah.
Sure.
I can probably, in a different conversation, give you a few examples of some of the things that I've been involved with and some of the learning that I've experienced over the past year or so.
That'd be great.
So we'll pick that up.
But I want to do one thing before our hour is up, and that's, it's a lightning round, because we talked about it, and this has been a fascination to me.
(44:34):
I once saw a picture of all of the tools that are available for cybersecurity, and it was a huge poster.
Everything was so small I couldn't read it.
There are tons of tools, and how do you cope with the constant barrage of new tools, of all of that, especially, there's just all kinds of pressures.
(44:56):
How do you guys cope with that?
I, do you want me to go first?
Sure.
Yeah.
Yes.
So I alluded to the fact that, and if you have the answer, we can all go home.
No, I don't think I have the answer, but I can probably guide myself in the right direction.
Yes, this is a challenge.
I think I mentioned at the top of the call that it actually being
(45:17):
brought up at the highest forums and all the conferences, that this is starting to become a challenge.
Every time that you go to these vendor events or conferences, there are tons of vendors that are trying to sell a product or they wanna bring you in as part of the pilot group to test it and so on. So I think it's a big challenge for all
(45:37):
of us to make sense of this diverse number of tools that we have.
Yes, they do serve a purpose.
But is there a better way of handling and having them talk to each other?
Can I potentially combine two of them that each one does 20% of that work for
(46:00):
me and get a collective 50% from one?
So there are definitely a lot of synergies to be had.
And this is something that I'm really deeply looking at today in my portfolio to see how I can actually make sense, because there are a lot of these tools that have low utilization, like they
(46:20):
have so many features, but guess what?
We only use two of the 10 features that they have and the rest of it we just leave for who knows when we actually get to it, and we never do. So there is definitely merit in all that, to make sense of all these, the tool stack that we have, and consolidate the best we can.
(46:43):
That's an interesting observation.
If you just went through all the tools you had and found out the things you weren't using properly, and before you buy something new, or before you even look for something new, that'd be, that,
sorry that it's obvious, but it's something I think.
Yeah.
I challenge my team, say, rather than going after a new tool, see if that area that you're not utilizing in an existing tool can actually be utilized.
(47:08):
In the old days when we had software, it used to come in cases and things like that, we'd do inventories and I'd go back and find things, and we made, actually, as consultants, this was a great way to make a lot of money: go do a software inventory, find out the stuff they bought but aren't using, tell 'em to cancel it.
And the savings were astonishing because people buy tools all the
(47:28):
time and then they forget about them.
Yep.
Good stuff.
Priya, what do you think?
The shiny new toys, right?
Not be subject to that, but then really taking, so two things that I do is, certainly completely agree with what Mo said, making the best use of our existing in-house tools.
That's one.
And then let's just say if there's a new tool in the market, and I know
(47:51):
that, sorry, I'll just take a step back.
First thing is making use of the existing tools you have.
But the second thing is going back to first principles, right?
Like for example, understanding what your crown jewels are and knowing which controls need attention.
That's one angle I use.
Another angle I use is, are there any blind spots?
(48:11):
So if there's any vendor solution, like for example, DSPM is on the market, right?
Everything has an SSPM, it has an SPM in addition, right?
Data Security Posture Management, that seems to be the new acronym added to the cybersecurity alphabet soup.
We desperately needed another acronym.
I'm so glad the alphabet soup continues to grow in our world.
(48:31):
Are there any blind spots for us?
And there's a tool that can help us point attention to that and be able to enforce control there.
That's another area as well that I look at, right?
And for that, of course, you need to understand what your known control failures are.
You need to have visibility into your environment.
So I'd say that.
And then the third angle is,
(48:52):
this is again, making sure that you have a defense in depth approach, right?
It's not just passwords, make sure you have your PIN, your MFA and all of that.
With respect to looking at vendor tools as well, if there is a tool or solution that can give it all for me, sure, why not?
So those are the things I think about.
And this goes back to what Mosen said.
Sometimes the new acronym is the old tools renamed as well.
(49:15):
I think this is a real danger we run into. Somebody said this in one meeting, they were meeting with their management team, and then somebody looked at them and said, nothing that another $250,000 won't solve.
And we can't be seen as Dr. No anymore, we can't be seen as Dr. Watts Money.
You know what, Moneypenny, I think, was the other James Bond hero that we could try not to be.
(49:36):
John, how do you cope with all of the onslaught, the tsunami of tools?
Yeah.
I think for me, one of the things that I work with my team on is, don't get blinded by the shiny new tools that, there's every time you turn around, like I get probably 20 emails a day from vendors trying to sell me the
(49:59):
newest tool that's gonna save my day.
The fact is my day is spent maintaining what we have to ensure that our environment is safe and secure.
And if the tools we have are working, the old adage, if it ain't broke, don't fix it, somewhat applies. In an ideal world, you would have one tool that does everything.
(50:23):
But one of the things that I've found is that's like a silver bullet.
There are very few of these one-tool-fits-all things.
You have to have at least a few different tools.
And using the ones that work for you, right?
What we use may not work for Priya or may not work for Mosen, and they
(50:45):
need to go and find the tools that are best suited for their team.
But once you've got something, as long as you're making sure that it's keeping up with the new threats, to me that works.
That focus on making sure that you're secure rather than making sure that you've got the latest and greatest of all the new toys.
(51:10):
And on that note, that's our hour.
I wanna thank you, Mosen, Priya, John, I wanna thank you for joining us and for being so open on this.
And I hope I haven't put you on the spot, but I'm going to, with all the people listening, I really do wanna do a part two of this and we'll try and do it as soon as we can.
We can schedule it and we'll talk about AI.
'Cause I think that will, at least, that'll take a lot more time.
(51:33):
And all of you who've been listening out there, thank you so much for your time.
You had other things you could have done on your weekend, but you're listening to this and we're glad for that.
If you have comments or questions, you can send them to me.
You can reach me at editorial@technewsday.ca.
That's editorial@technewsday.ca.
I'm your host, Jim Love.
Thank you for listening.