Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 4 (00:11):
Welcome to Coding
Conversations, produced by the
STEM Educational Institute.
I'm Nikisha Alcindor, president and founder of the STEM
Educational Institute, where we provide free programming in
financial literacy, STEM, and mental health.
We work with high school students, they go through a
one-year program.
At the end, they earn a college scholarship.
(00:31):
Coding Conversations are ways to bring exciting voices to you,
the viewer, about things in the areas of STEM, financial
literacy and mental health.
And today we have an exciting topic as well as an exciting
guest.
We're going to be talking about cybersecurity, particularly
cybersecurity and health.
And to help us with that conversation is Omar Sangurima.
(00:51):
Welcome, Omar.
Speaker (00:52):
Thanks for having me.
Excited to be here.
Speaker 4 (00:54):
We're so happy to
have you.
So Omar is the head of cyber program management and
third-party risk management at Memorial Sloan Kettering Cancer
Center.
You can think of Omar's job as being the digital bodyguard for
the hospital.
And Omar's goal is to build strategies that stop hackers
from stealing information from disrupting the technology that
(01:16):
doctors use to save lives.
And he teaches, he treats his work as like a high-stakes chess
game, if you will.
And what he does is he has to predict what bad folks might do
and find the weak spots in MSK defenses and fix them before
anyone can attack.
And so if you love solving puzzles or beating tough bosses
(01:38):
in games, cybersecurity is the career for you.
And when not protecting hostile data, he's usually strategizing
in other ways, whether it be obsessing over fantasy football
lineups or tackling difficult challenges in single-player RPG
video games.
Omar is always trying to do things that are innovative and
(01:59):
high risk, right?
And so welcome, Omar.
We're so glad to have you here today.
Speaker (02:04):
Thank you.
Thanks for having me.
Speaker 4 (02:06):
So it's not a
conspiracy, but Omar, like
myself, for you the those of you who watch the show is from
Queens, right?
Is it just you know something in the water?
Something in the water.
We just we just keep going, right?
And so, Omar, you got your degree, you got your MBA from
Marist College in Piskix in Poughkeepsie, and then you went
(02:26):
on to get your doctorate.
Yes.
So obviously those are very difficult things to obtain and
agrees, degrees to obtain.
But before that, take us back to your origin.
Where did you grow up and how did you start to realize
cybersecurity was your l field of interest?
Speaker (02:43):
So as you said, uh grew
up in Queens till I was around
nine, moved up to Massachusetts, followed my sister.
She got a residency up there, Bay State Medical Center.
So uh she grabbed me and and our mother, we went up to to
right outside of Springfield Mass.
Um there again, the the overriding goal, right?
(03:06):
The the first generation in this country, it's uh
education's a silver bullet.
It's uh keep at getting educated, look at your sister,
look at what she's done.
So I just kept my head in the books, uh, kept kept uh chipping
away.
High school, college, undergrad.
Even then, it was it was odd.
Cyber wasn't exactly I wasn't born with a computer in my hand.
(03:28):
There's some people that I work with, you can tell, uh, they're
amazing.
Uh, but that it wasn't that wasn't the origin story.
I I I'm a career switcher.
Um so about 12 years ago, 12, 13 years ago, decided to switch
over from financial advising and tried to get into a field that
you know I thought was gonna be, you know, innovative, uh
(03:51):
challenging, constantly different, different things to
to focus on.
And it's been that, thankfully.
So, you know, it's it's been always interesting and never
never a dull day in the field, I'll say that.
I love that.
I love when you know going from financial services industry to
cybersecurity.
Can you talk about kind of what was it or what are what are
(04:15):
some of the courses or things that you did to prepare you or
you think prepared you to go into cybersecurity?
So I remember this is funny because the there's one
certification that I said, let me give this a try, kind of a
test run before I went full bore into say a degree in cyber.
Uh the the CompTIA Security+.
(04:35):
Uh I remember I I chuckle now because w when I'm, you know,
when anybody's asking me about, you know, how do I break in,
what certs to start with, I say, you know, I studied for that
thing for nine months.
I usually pause for laughter at that point because that was a
long time, like one cert, but I was just so I had to I was
taking a leap.
It was something that I wasn't, you know, of course,
(04:57):
classically trained in uh for school.
So studied for nine months there, thankfully passed.
Um, you know, my my origin story would be completely
different, I think, if I had stumbled, if I had stumbled
then.
But, you know, did that, then started taking a couple courses
for an MIS.
Right.
That was my first kind of teaser.
I didn't know.
And tell us what MIS on Masters of Information Systems.
(05:19):
Yep.
So uh to uh started doing that even while I was still kind of
you know one foot in the financial field, but definitely
looking uh to to move out.
The cert and beating being getting that beating, but
getting that certification, I think then I was hooked.
Like I I just loved the idea of being able to take a look at a
(05:43):
certain level of challenges, right?
It's always, you know, my my wife has heard this many times,
is another it's another windmill to tilt at.
I just love, you know, seeing seeing something on the horizon
and saying, you know what, maybe I could figure that out.
And the industry, cybersecurity especially, at that point was
still more heavily focused on certification.
(06:03):
So once I started really kind of chaining those together, I
started to convince myself that maybe I could do this.
And then from there, you know, uh networked a little bit.
I I got my first job through someone I knew.
It wasn't necessarily it was just, you know, surreptitiously
mentioning it to a a buddy of mine at at Jiu Jitsu.
(06:24):
We were it was an open mat, right, in Brazilian jujitsu on a
Saturday, and he, you know, he's like, Hey, I hear you're in
this cyber thing, you keep talking about it.
Right.
Speaker 4 (06:32):
Okay, first of all,
you can't just throw in while I
was doing jujitsu.
There has to be an explanation for that.
So we got it.
So are you is that kind of one of the other things that you
still practice?
Speaker (06:45):
I I mean, sort of now.
My body's a little busted up, so I I'm I kind of you know, I'm
I'll make appearances at Open Mats uh here here and there.
But I started started Brazilian jujitsu, it was after so I was
on the national team for taekwondo, uh, under the under
seven the under-18 team.
Okay.
Went to North Korea.
That was the first uh world championships, the second world
(07:06):
championships were thankfully in Puerto Rico, right?
So definitely much nicer than North Korea, I'll say that.
Um five days in North Korea as a 15-year-old.
Uh wild wild times.
Wild times.
I'm sure.
Yeah, yeah.
Um yeah, did that, uh, wrestled in high school, and then you
know, I didn't want to continue doing the the you know on the
(07:27):
adult team for for taekwondo.
I was too too grindy.
So um I I got into Brazilian Jiu-Jitsu.
There was a school near Hartford, Connecticut, where I
went to undergrad.
It was uh West Hartford, Connecticut.
And back then it was a it was a huge deal to have like a purple
belt teach the class.
Sure.
It was you know, because there was not a lot of black belts uh
in the United States at the time.
(07:48):
And uh I got hooked.
I uh you know, and I've been grappling since 99, 2000.
Um yeah, like I said, right?
You know, if I if I shake someone's hand or if I put my
hand down, like you can see like the gnarled fingers here and
there a little bit, right?
Or if I had if I stretch out, I can remember times when I
should have tapped and I didn't.
(08:09):
Uh but uh you know, still love it.
Um but yeah, it was again got into never would have thought
that that would have led to you know a career.
Speaker 4 (08:18):
So what I love about
that is that your physicality
actually is translating to your ability, your s your mental
strength in terms of what you do and your critical thinking.
And we often see that with with athletes being able to
transition kind of their work and their physicality into
(08:39):
difficult fields.
Because I remember the term cybersecurity coming out of when
people were starting to get hacked or identity theft.
Do you remember this?
Like identity theft came out, and then everyone would you
would go to the police and they'd be like, Can't help you,
ma'am.
Right?
Do you remember that?
Like it's like so someone stole my identity, and it was like
(08:59):
the best, the best way to prevent that is to have all
these different alerts and all these things.
And so that was in my mind, that was the scope.
I'd love to see to to get your thoughts on where that scope has
has trended towards because back then it was just okay
(09:20):
individual information getting stolen, but now we're talking
about ransom, like people taking data from companies and data's
having you know, companies having to pay for that.
So talk to me a little bit about what you've how you've
seen the idea of cybersecurity, like that definition
transforming over the years.
(09:41):
So it's really amazing that that you kind of pinpoint it
that way, because I see it as kind of a Venn diagram or uh a
sine wave, right?
Like down, up, down.
It started with individual identity protection, as you
said.
It was kind of very much scoped towards you you're you're gonna
get your own your own Social Security number taken, or
(10:01):
somebody's gonna start taking, you know, writing checks in your
name or taking out loans in your name.
And then I think as business, as enterprise got more
interconnected just by virtue of technology advancing, then I
think uh cybersecurity took on a bit more of an enterprise uh
(10:22):
scope, as you said.
It went then, you know, then business data could get stolen,
then intellectual property could get stolen, then not only that
of the of the business themselves, but then what about
the business's customers, right?
So then you have you start having, wait a second, the the
scope starts expanding.
Now what I've been seeing lately is kind of a return
(10:45):
towards first principles where, you know, it's still data
governance is taking up privacy is I think privacy now, the the
concept of privacy and privacy engineering is having kind of
the same renaissance that cybersecurity did maybe 10 years
ago, 10, 11 years ago, kind of when I started.
And it's you know, the and and to think that they're not
(11:08):
distinct fields is is uh is a fallacy.
I think there's there's there's overlap, but there's v fine,
fine professionals in privacy engineering that sing a
different tune, dance a different dance than the ones in
cyber, kind of cousins.
We kind of, you know, we definitely reinforce each other,
but it's it's the the days where it's it's the same, you
(11:31):
know, are are kind of are kind of gone.
Same as I'd imagined, and this would this would be a little bit
before my time, but I've done some some studying in the
history of the field that I'm in, is kind of where the the
break happened between like information security and
cybersecurity, right?
Where it was like, you know, we're making sure that you know
physical records are you know uh uh thrown out when they need to
(11:52):
be, making sure that folks only have access to you know the
hard copies of papers.
Th there it kind of broke away, and then you had the
cybersecurity, information security.
Folks still kind of they don't disambiguate the terms, you
know, but now I think that's a bit more distinct.
And I think the same thing's kind of happening now with with
privacy and cybersecurity.
(12:12):
Fields that are very connected but not anywhere the same and
demand different skill sets.
Okay, so you we you
brought up the term Venn
diagram, right?
And so when I think about kind of privacy settings settings,
everyone gets those pop-ups that say, do you want to load
cookies?
Most people don't read them, they'll say accept, manage, or
(12:34):
reject all, depending on what your options are.
And then you have this kind of cybersecurity malware hacking
things.
But then to me, there's like a in the middle, there's some sort
of ethical, maybe it's not called ethics, but who gets to
decide what goes into what bucket and I guess consumer
awareness?
Like who who is like how is that being dished out or
(12:56):
divided?
Speaker (12:56):
So it's I think for me,
the the way I'd split those uh
uh it's a matter of outcomes.
So in where where I work, it's usually, well, okay, privacy is
gonna sit there and tell us what we need to lock down, uh why to
how long for how long, to what extent, you know, makes the that
privacy and more data governance says, listen, this is
(13:20):
this is important, this is why it's important, whether it's
like uh laws, regulations, whether it's intellectual
property, right, it's it's uh proprietary to uh to the
organization.
Then okay, we've sussed all that out.
Now cyber, come over here and make sure that what we want to
have happen with this data, with this information, for these
(13:40):
purposes, which is where the privacy comes in for the doctors
or for the patients.
Make sure you lock it down.
So that's where you know we we saddle up.
Um where I think then, at least that's that's what happens in
the organization.
I think you bring up a great question in terms of who's doing
that writ large.
Speaker 2 (13:59):
Yes.
Speaker (14:00):
I don't know.
That's w you know, uh th this is one of the things that I
always harp on when it when you when I get on my soapbox here
is, you know, the United States doesn't have a national privacy
law.
Speaker 3 (14:10):
Right?
Speaker (14:11):
Europe has kind of
figured it out.
Yes.
Um they're at the forefront with the EU AI Act as well,
which is, you know, in add in addition to the GDPR.
But you y we have a patchwork in the United States, which I'll
tell you what, makes um locking data down fun when when
depending on on the scope of the enterprise that that you're
that you're working working with.
So I think that, you know, right now it's anyone's guess in
(14:35):
terms of who you you have an ethical folks in the industry do
have a compass.
We do kind of know listen, and and you have a compass and you
also try to balance it out with, okay, for what purposes are we
doing this for?
Speaker 2 (14:48):
Yeah.
Speaker (14:49):
So, you know, because w
what my boss says, I I love the
man, right?
Um, you know, the the most secure system is the one that's
not connected to the internet and it's at the bottom of the
ocean, but how useful is it?
So you have to kind of balance that out.
But many folks in the field in privacy and data governance as
well as cybersecurity, we have that true north where we're
like, listen, we're we're trying to lock this down.
(15:11):
We want to make you we we treat it like as if it was our own
family's kind of data.
And we understand like w would I want my data out there, would
I want my family's.
Uh in in the hospital for sure, it's it's not hard to make the
connection towards patient harm.
Yeah, sure.
And and privacy, especially with the the type of care that
we provide.
Sure.
And so, but in terms of writ large, that's a really good
(15:32):
question.
Well, you know, it's something that I think about often,
particularly for when I I I do a lot in in artificial
intelligence.
A lot of my research is in artificial intelligence, and I
start when I'm building models, I start with the ethical
questions.
Like what is the worst that can happen?
Right?
And when I think about there are pros and cons to having your
(15:57):
data taken from you when it comes to privacy.
Because frankly, you know, I like getting coupons at the
store based on my buying habits.
Absolutely, right?
Speaker 3 (16:06):
Absolutely, yeah.
Speaker 4 (16:06):
I like that.
But I don't like my insurance premiums being determined by
information that I might have given up voluntarily without
knowing or without knowing.
Right?
And so I'm wondering when you think about kind of
cybersecurity and healthcare, what are some myths and what's
the kind of reality?
(16:27):
Like what what is actually what does that actually mean in the
context of healthcare?
Speaker (16:31):
So one of the things
that I think, and it was an aha
moment for me, and and and I'll be the first to admit, I it
wasn't even I think I was maybe one or two years into working at
the hospital at at MSK at Sloan, where it really dawned on
me, hey, it's a data breach here is a horse of a different
color because uh medical data is immutable.
(16:53):
You can change your social security number, it's a pain,
but you can do it.
You can change your name, it's also a pain, but you can do it.
You can't go back and rewrite your medical record, your
medical history.
So in terms of the myth that I would think I think permeates is
that it's just like any other data breach.
(17:16):
I think, you know, at the risk of sounding biased uh because
it's the field I work in, those types of breaches can be so
harmful because you can't y what if there's diagnoses on there
that you don't want public?
Sure.
And once it's out there, I can almost guarantee you, once it's
out there, and if it's unencrypted, if it's an actual
(17:38):
breach, if you know all all those bad steps happen, it's out
there but who knows what it's getting used for, who knows how
it's being monetized.
So I think the myth is that it's just like any other data
breach.
Um it's not a myth that practitioners share, I'll tell
you that, because the folks in the field understand that this
(18:00):
is, you know, there's very small room for error when it comes to
allowing that.
There's you could do credit monitoring, you could do this,
you could do that, but what are you gonna do for someone's uh
medical information once it gets out there?
Yeah, you're absolutely right.
And I kind of feel like that is when HIPAA came out in the
early 2000s, and it was like this whole thing, and patients
(18:23):
were trying to figure out what it is.
It the hope of HIPAA was to prevent kind of data
transferring, right?
Right.
And patient information being out there without the knowledge
of patients and just kind of securitizing that.
Now, where HIPAA is, I don't really know how far it's come
along, but I kind of feel like it's a joke.
(18:44):
You walk into your doctor's office and they're like, sign
this, and you're like, well, what am I signing?
It's like, oh, you're signing that we gave you the HIPAA
booklet.
It's like, well, what is that?
What does that mean?
Does the HIPAA booklet say that?
Like, you're gonna take my genome secrets?
Like, what does the HIPAA booklet, like what does it say?
And I bring that up because you're absolutely right when it
(19:04):
comes to these sorts of data breaches, even sharing
information between hospitals, right?
When you think about there's like the whole medical records
thing, right?
What is the um what are the what are the consequences or
what are the potential things that could happen when you're
sharing medical records, right?
And so I'm wondering for you, what what are things well I
(19:29):
don't want to ask you because then people might use it.
But when you think of those types of things, how do you kind
of align yourself and your team to start thinking about like
what are your internal meetings about?
Like how do you guys say, hey, um these are things that we're
thinking about?
Is there a like what's your process?
Sure, sure.
And I I it's you bring up a just even as a meta point,
(19:52):
right?
Taking a step back.
Thinking about what why we're locking this down.
I think is is one thing that makes us better at the job, but
then also I think it makes us better partners in an
organization.
What I like to always say is, you know, nobody says, hey, I
have to go to MSK because I heard they have a phenomenal
(20:12):
cybersecurity department.
As much as I'd love to.
Yes, yes.
So what are we doing it for?
And I think that a lot of our internal meetings, I'll be, you
know, I I like being the one in the room that kind of brings us
back to that question, if we drift, because I think it guides
us if we're, you know, are we locking down a medical trial?
(20:33):
Are we locking down a collaboration between a couple
of different institutions?
Uh so who are we working with?
Are we working with researchers?
Are we working with clinicians?
Are we working with people that are wearing both hats?
Are we talking about patient data?
Are we work you know working on a system that's patient-facing?
Is it internal to us in terms of you know understanding the
(20:53):
guts of the network, which is something, of course, we don't
want out there?
Sure, absolutely.
Thinking about exactly what we're trying to lock down then
shapes and why shapes the how.
So and it shapes, like you like you were alluding to, the
ethical question of okay, where on the spectrum of available and
(21:13):
locked down are we gonna land?
And where are we gonna feel okay sleeping at night that yes,
this is this is the right tightrope to walk, where it's
available, but it's encrypted, it's locked down, etc.
I think there, that's really one of the guiding principles
that I like to bring forward because it can devolve into,
(21:35):
well, we know that this is the best encryption, this is what we
have to do, we're gonna lock it down six ways.
But then, you know, to your point, HIPAA, you know, the
recent updates to HIPAA have been all about interoperability.
You want to allow that patient to more ownership over their
medical record so that they can go and make go to where they
(21:57):
wanna be seen.
And it shouldn't be an issue of well, you you know, I'd go to
this other provider, but that other provider can't read my
medical record because of the way the the my initial provider
encrypted it or the system that it's in.
I love that concept, and so it's forced my field to be a bit
more agile, be a bit more, you know, on its on its toes in
(22:18):
terms of, okay, listen, we have to make it available, but we
still have to lock it down.
That was I remember when the interoperability rules really
came into effect.
Sure.
It was a big it was a big wait a second, hold on.
Right.
Um but I think it was a a great moment for the industry to
understand, hey, there's, you know, yes, folks want their
stuff locked down, but the information is there to
(22:40):
facilitate care.
We have to figure out a way to suss out this issue.
How can we make it safe, but how can we make it secure and
available?
So, you know, I think that in a lot of those meetings, that's
really bringing that back, bringing that question back in
has has been, I think, uh probably one of the contributors
to you know the type of team that that we have.
(23:02):
I don't care.
Speaker 4 (23:03):
Yeah, and I love that
because especially in the
elderly, right?
So we have baby boomers that are now retiring, they're older.
A lot of them may or may not have a caretaker that can go to
them to the doctor.
And giving they don't they don't remember their medical
history.
And so it's it's a huge deal for doctors to see that,
(23:26):
pharmacies to see what's what's going on in terms of that, to
flag medication and to say, hey, this may or may not be good for
you.
So it's completely it's a something that's super
important.
And as as I hear you talk about the different facets of
cybersecurity, what are some skills I can already kind of put
(23:46):
make a checklist based on what we've talked about?
But if you were to say there is a skill that every
cybersecurity person or someone who wants to go into
cybersecurity, what would you say it would be?
Speaker (23:57):
I can identify and I
can find, you know how you can
say I can find my people in the room?
Sure.
You you have to you have to want to tinker.
You have to.
And and one of the things I remember I said it, it just came
came to mind.
I said, once you start tinkering, you're you're
starting to hack.
Yeah.
That's the thing.
You w you you sometimes if I'm interviewing folks, if I can
(24:21):
tell that they will have physical discomfort if they
can't figure something out, even if they don't have, you know,
the type of the system on their resume that we use or the
specific set of skills, I want that person on my team.
We can we can teach them the MSK way of cyber you know,
(24:44):
that's on us.
But if I can tell that someone is gonna it's gonna bother them,
it's gonna burn their mind when they can't figure out why
something didn't work or why they couldn't get into something
or why they couldn't come up with that technical solution to
a problem that's gonna help people, that's a person I'm on
on the team.
And I think that if you if you present that, that's what I say
(25:04):
to a lot of folks that ask me, like, hey, how do I prepare for
an interview?
I just had this on actually on on Friday, uh you know, which is
what yesterday, right?
Um how do I prepare?
I said, listen, let that come through.
I can tell you're curious.
I can tell you like to tinker, I can tell you like to break
things down and build them up, and maybe they don't work again.
And then that's going to drive you to you know, learn the
(25:27):
system even even more so.
Um let that shine through.
That's a person that I want on the team.
What I love about that is so close to being a coder and
writing computer code because the the thing that always
bothers me, there is like a meme of someone um sleeping and the
code is in the you're trying to figure out what is it, and now
(25:50):
of course code assistants can help you with that, but you
still are kind of, why isn't this working and your head is
bothering you, right?
And so I I really love that.
And the the other thing that's interesting, and you probably
have better statistics than I see and I have seen, but I've
seen in the past, like there are dashboards that companies have
(26:10):
that literally show the amount of attacks that are happening in
seconds that are coming from all over the world.
And I believe you have one.
Can you give us a sense of maybe a statistic, maybe like
how many happen like an hour?
Like how many attempts are do you you guys monitor that?
I'm sure that you mire that.
I'll say I'll say we
get millions a month.
(26:30):
It's always it's you know I I liken it to you have and now of
course, obviously with AI systems, that's even that's I
think that's going to skyrocket.
That's only going to go because you can automate what what it
what I liken it to is you know, you're checking you're checking
the doors and the windows.
Right.
If you if you've you know grown up in Queens, it happens,
(26:53):
right?
You you you you keep an eye out if anyone's kind of near your
car.
Sure, sure.
Why are they hanging out by the car?
It's not you know, it's uh it's a Chevy Cavalier, it's old.
What are you doing?
Like if it's not yeah, what are you checking for?
Right?
And I think that that is constantly now that's
automatable.
And it's just all the time.
And if anything and as even as, say, you know, I talk to uh
(27:16):
some folks that are you know front-end web developers.
And uh one of the things that they you have to set up, right,
when you're setting up any internet presence is you have to
set up some sort of filtering to be able to distinguish like
what's real interest, right?
SEO, yeah, oh I'm I'm getting so many hits.
I'm getting so much interest.
Wait a second, is it just the fact that you have bots checking
(27:37):
out if if there's something that's vulnerable, a door or a
window that's open?
Sure.
And you know, I what's the quote, right?
Like, why do you rob banks?
That's where the money is.
Well, of course.
You put any sort of medical presence out on the open
internet, it's gonna get constantly you know, just
tap-tap, check, is this open?
(27:57):
Is this open?
Is that there?
Day and night.
Speaker 4 (28:00):
Day and night.
And it's like bots, you know, that are going to be.
You know, it's interesting when you talk about kind of the
amount of attacks and the skills that you need, right?
Um it seemed just by meeting you and knowing you, not only do
you have to have like a um intellectual knowledge, but you
also have to have common sense, right?
(28:22):
A sense of common sense and uh be able to kind of question,
question the things.
And I'm wondering, um uh earlier today, you to you talked
to our students and you get you guys can take a look here, um,
some some film of Omar talking to our students.
And one of the things that came up was the how do you get in
(28:42):
like the entry-level positions and how these positions are
being posted and they'll say entry level, but then when you
read it, it's like you have to have all these certifications
and two to three years experience.
And then you have this great um saying that tech is kind of
cannibalizing or its pipeline.
Tell tell us more about that.
Yeah, it's it's cannibalizing the pipeline.
(29:03):
It's eating its own tail.
I uh it there's I the math just absolutely doesn't math.
You you brought up the certifications.
I I I that that was a keen point.
I did I didn't mention that, but you have some of these
entry-level positions where it's asking for certain certs that
the industry knows, oh, you need five years in the field to have
(29:23):
that cert.
If you see an entry-level position and it's asking for the
CISSP, like either a bot put that up or you know, some
unbeknownst, you know, not not knocking my friends in HR, but
somebody put the someone signed off on a job spec that asked for
a five-year cert on an entry-level position.
(29:44):
And even then it the the comedy gets worse, or the tragedy,
which one would you want to say?
But it gets worse when then the experience only says two to
three years.
Wait a second, you're asking for a five-year cert.
You want two to three years experience in the field.
You know, some some folks, uh maybe the comment section or
whatnot will say, hey, you know, you can you can take some of
that experience requirement off.
(30:06):
I get that, right?
With a degree you can maybe lop lop it down to about three
years.
But even then, then we're talking about a three-year cert,
two to three years of experience for, again, what I
say is an entry-level position.
Yeah.
It doesn't jive.
It doesn't make any sense.
And what gets me is that not only is that obviously that's
(30:27):
gatekeeping, that's keeping amazing folks in.
I always say this, like I I liken it to when, you know, my
my my oldest niece graduated a couple years ago.
My youngest niece is about to graduate this year.
When they were getting into school, right?
When they were getting into undergrad, I said, I I I would
never I would have never gotten in with the type of barriers and
(30:50):
things that they have to do.
Or then I thought back to my undergrad.
Would I would I get into Trinity College now?
I don't think so.
I don't know.
So I look back now, there's no way I'd get in as a career
switcher now with with the types of of barriers that are there.
There's there's that gatekeeping aspect.
Then the other thing that's a bit more down the road but is
(31:10):
worrisome to me, is where do the mid and senior level people
come from in a field normally?
The juniors that stuck it out and got the salt on them and
stayed in and and graduated to higher levels of proficiency.
Where are we getting those folks now?
The ether?
(31:31):
Like I if if we're making all these hoops and and and
honestly, like in they there's no congruency to the things that
we're asking folks to do to get into the field.
Not even to mention that you see those jobs and they're still
trying to pay junior level money.
(31:52):
So I I just don't understand what we're we're setting
ourselves up for a tsunami of we don't have people to fill the
roles that we need.
And and another thing that really just irks me.
Yeah, you can tell this whole the whole subject does, but the
thing that does irk me is the cyber field in particular goes,
oh, there's no good people out there.
(32:13):
Wait a second.
Yes, there are tons of folks that I know would be phenomenal,
but we don't let them in.
We don't have pipelines, we don't have bridges, we don't go
out into communities that potentially like mine, right?
Like uh my origin story, I didn't mention tech till many
years later.
You uh we don't go out into communities and say, hey,
(32:35):
there's you know, tech could work.
Yes.
This is a path.
This is a way to, you know, to improve improve your uh your
situation.
It's it's it's maddening.
Well, you know, one of the problems that I find is that the
people who are putting those positions don't even understand
them.
So a lot of times they'll go to a ChatGPT or some AI source
(32:56):
and ask it to write a job description and they'll post it,
and then the person or whomever will get into the interview and
they'll either ask about, you know, the bullet points, the 500
bullet points, and then the person interviewing be like, oh,
we just put that in there.
Have you ever that I that I've had that experience, and I'm
(33:17):
sure a lot of people have had that experience.
And so, well, we'll well, just you putting that in there has
turned away so many applicants.
I'm sure if you've ever been on LinkedIn, and you always know
if a job is actually a legitimate job based on the, you
know, how they put the number of how many people apply.
Like if it's over a hundred, it's probably not a real job.
(33:38):
But if it's honestly if it's like 30 people apply, it's like
it's probably a real job.
Maybe, yeah.
Yeah, it might maybe a real job.
Speaker (33:46):
The chances are better,
right?
You're still playing roulette.
Speaker 4 (33:49):
Yeah, because it's
like, okay, a hundred people
apply.
Why are you telling it's just like why am I gonna apply?
It does it's like nonsensical, right?
No.
And you had this beautiful saying kind of out of your
Genesis story.
Um, your it starts with your mom saying, Mijo, I want you to
talk about that and like how that really got you having a
firm um foundation.
Speaker (34:09):
So it was, you know,
again, you know, I I did school,
went to business school, did the financial advising, and my
and my and my undergrad wasn't a financial advising degree,
right?
It was it was philosophy.
So my mother at this stage of life is going, okay, Mijo, you
know, plantate con lo pie firmamente debajo.
(34:30):
Like put your feet firmly underneath you.
If you're gonna make this change, make sure you're going
in eyes open, you're doing your research.
She was the best career coach at that point in time to make
sure that, hey, I wasn't just gonna, you know, try this for a
year or two and then say, oh, this is not for me.
Um, because she had she had seen that obviously with
(34:51):
undergrad and then the financial advising.
Um but even then, what what kills me now is that somebody
can do that, can do the research.
I have tons of folks that reach out on LinkedIn, I'll sit with
them, I'll, you know, I have a saying with my my CISOs, I'll
talk to them all.
Speaker 3 (35:08):
Right?
Speaker (35:08):
If they reach out, I'll
make a half hour, let's how can
I help you?
How can I be a service?
I like starting the conversation that way.
And they'll tell me, hey, I have it, I have it planned out
this way, this is what I'm getting into.
They'll tell me, they'll tell me some deep part of
cybersecurity, and they'll have a roadmap all the way to get
there, right?
And and it warms my heart, but then it also makes me sad
(35:31):
because like they're not gonna get the chance in a lot of cases
to get there.
They've they have a better roadmap than I did when I
started.
They have their feet f more firmly underneath them than even
I did, right, according to my mom.
And it's still the the pipeline's just just not there.
Speaker 4 (35:48):
You know what's
interesting because I I think a
lot of similar to artificial intelligence, a lot of CEOs and
a lot of um a lot of business owners, everyone's like, we
gotta get this AI thing, right?
Most of them don't even know what AI is.
Oh no.
They think it means ChatGPT, and it does not.
And so I I feel like the same thing is happening when it comes
(36:08):
to cybersecurity.
Like no one realizes that artificial intelligence,
generative AI is a subdomain, and that there are all these
different pieces of artificial intelligence.
It's been around for a very long time.
And I'm wondering how do you get leaders to one understand
cybersecurity and without giving without using fear tactics.
(36:31):
Like how what does that look like?
Speaker (36:33):
I think the the best
advice I ever got and that I
hold to mind is I'm a business problem solver whose tool is
cybersecurity.
Speaker 1 (36:45):
Oh, I like that.
Speaker (36:46):
Since turning that
perspective around, and again,
shout out to my director as well as my CISO.
I'm blessed with a great leadership team.
Um love working for those two.
If you're then able to say, hey, what are the business
problems that you're facing, I might be able to help you.
Here's how I can help you in my lane, you start then going,
(37:11):
wait a second.
The person you're talking to starts going, wait, they're not
just trying to beat me over the head with cyber, they're not
just trying to wave around IT terms, or they're not just
trying to, you know, throw IT at me and then just just trust me,
right?
Sources trust me, bro.
No, that's not that's that can't happen.
But if you sit there and listen, and and it's funny
(37:31):
because it goes recursively, obviously, back to like my sales
background.
That's how you know you sit there and try to qualify the
customer, understand like what is the problem that they're
coming to you for to solve.
Speak to the benefits, speak to the outcomes, speak to what new
(37:52):
future your solution can offer versus I'm just gonna lock this
down and you know, you you can tell.
And sometimes it even happens to me.
Like I I try to practice this a lot, but you can tell folks'
eyes will glaze over.
Yeah if you start going off in the cyber world.
Cool, you're showing off that you know some terms.
Yes.
Amazing.
Yes.
But they're coming into you to solve a problem.
(38:12):
So go back to that and and and talk to that.
Then I think, and you don't have to bring up the fear.
You you know, that that's kind of understood a little bit,
where it's like, hey, listen, if you don't do this, then it's
out in the open and that's all she wrote.
But you don't have to harp on that.
How can I help you?
What am I solving for you?
What pain point am I getting rid of?
Cool, I have a cyber tool that can help that.
(38:34):
Right.
And if I don't, be honest.
Speaker 4 (38:36):
Now let me ask you,
you provided our students with
kind of some tips and safety tips about cybersecurity.
Do you ever use things like um you can give us some examples of
you know some of the things that but do you ever use
analogies to for people in kind of higher positions, executives,
for their personal life so that they can kind of better
(38:57):
understand so that you don't get those those gay glazing over.
Speaker (39:04):
Absolutely.
I I always I like to bring it back to one one of the the the
things that I jumped on in terms of getting into IT really to
begin with was one time my my mom, you know, she's from Puerto
Rico and she said, Omar, I want to learn about this email.
(39:27):
Help me with this email, right?
She had never sent an email.
Not you know, it wasn't it wasn't part of her her skill set
there, right?
But she knew that it was a way to maybe potentially talk to the
folks back home.
Right.
And I just remember walking her through, it was the simplest
thing for me, but just patiently answering her questions and and
(39:48):
walking her through, setting up her Gmail account, and seeing
just like her eyes lit up with this is magic.
Wait a second.
I can s you know, I I'm reconnecting back to my home
country.
Like, you know, yeah, she has the phone, of course, and that
but like being able to, you know, have that asynchronous
(40:09):
communication.
And then obviously that were was the training wheels to then
getting her like more on the internet.
Sure.
Right?
Then then the whole world opened up for.
And it's just it just I always remember that in terms of then
coming back to, hey, what what are you trying to do here?
Right.
The analogies that I that I bring up, I usually just bring
(40:31):
them back to whatever the per the a person will tell you, I
always say like, they'll tell you like what their pain points
are and what their hopes and aspirations are.
They'll hint at it in the first like five to ten minutes of
talking to you.
Mm-hmm.
If you're listening.
Sure.
If you're focused on I'm smart and I'm just trying to tell you
something, you'll miss the signs.
(40:52):
But if you sit there and you just take a beat and you they'll
folks will tell you.
Folks will tell you what's important to them.
Speaker 4 (40:59):
Well you know what I
love about that, and especially
the the example of your mother,is that the older generation,
they I feel like they are being targeted so hard right now.
Um and it's it's just so interesting because the naivete
that happens and it's it's sad because they are not able to
(41:23):
distinguish if someone's lying to them and selling something
and it always comes on a phone call.
How, you know, for our audiences, a growing audience,
how would how would you recommend they protect
themselves or their caretakers help them navigate like
difficult like, you know, um calls and all the stuff that
floods their inboxes?
(41:44):
I always say, and this is this is still for all the tech
solutions that we've come up with, one of the main ways that
an enterprise gets compromised is still social engineering.
So it's a great, it's a great topic that that you're pivoting
to.
Now with AI, the old school ways of saying, well, the
(42:06):
grammar's bad, that's out the window.
Uh even non-native English speakers can use an LLM to craft
an amazingly worded uh targeting message to an audience
that they don't speak the native language of.
So that's out the window.
So grammar, um, you know, you can spoof email addresses, all
(42:26):
the technical things are still they're they're increasingly
less of a checklist that you can go to.
But still the main thing that I try to instill in in any
security awareness training that I I support take a beat.
If there's if there's a sense of urgency that's coming from
(42:48):
the other side of that communication, take two beats.
It very it doesn't it's not fail-safe.
Could very well be, you know, you might get that panicked
phone call from a family member.
It happens, life happens.
But nine times out of ten, if they're going, you have to do
this now, uh, wait a second, your your your stuff is
(43:08):
compromised, click here, or calling you, hey, I need this, I
need your information, we're doing an investigation.
Or uh this is the help desk.
You know.
If there's a sense of urgency being foisted on you, that
should ring alarm bells.
Sure.
Do a little bit more due diligence there.
Take a step, right?
(43:29):
Not to mention why would a help desk be calling you if you
didn't call them to get help, etc.
But that's a little bit more, I feel it's it's not like that
one rule I can say.
But if someone's trying to get you to do something quickly, you
the hairs on the back of your neck should come up and then
take a couple steps and really examine.
(43:49):
Then you can start understanding.
Okay, then uh the other tips might start to show themselves.
Like why are they calling me?
Where is this coming from?
Is there an extra letter?
In the address that you wouldn't have noticed if you
didn't take that step.
But that social engineering is always keyed in.
And again, sadly, like you say, it's targeting those
(44:09):
populations.
But if it's urgent, double check it.
Absolutely.
And you know, it's interesting because when I I think also
avoidance, for lack of a better term, is like putting on there
are blockers you can put on home phones so that they the caller
has to talk and explain themselves.
With text messaging, now they text you for anyone who's out
(44:34):
there when someone's texting you about a job.
I actually have one person who keeps calling the spammer back.
Those are fun.
Those are fughts.
There are vulnerabilities in some of their some of the way
(45:00):
they communicate to each other.
What are some tips that you can give parents when it comes to
to that if you if you were like a kid?
I feel like sometimes a kid with a cell phone is not too
much of a good idea.
It's uh it's one of those things and it's something I'm
facing now, right?
I I have a two-year-old and I know that conversation is
coming.
Uh she's already very keen on what's mom or dad doing on the
(45:24):
laptop, what's mom or dad doing on the phone, right?
She notices that a lot.
And one of the things that I've I've seen, and because this is
a question I've been asking myself to my peers, what what
are you doing, what's going on?
I think you have to take sadly, not sadly, but uh it's an extra
step.
You have to take an active role in what they're doing with
(45:45):
those devices.
Um does the person need to have communication capabilities if
they're playing Roblox.
What why?
Yeah.
Who's on the front?
Having the conversations appropriately at whatever age
they're at and saying, listen, this is not just the character
(46:06):
that you're talking to on this Discord server or in in this uh
chat room before you you know you drop in and play a couple
rounds of of Battlefield or whatnot.
It's these are other people.
Yes.
Right?
And and there's very little that they need to know about you
in order to play, right?
You don't want to be the no fun folks, because then what's
(46:26):
gonna happen?
They're just gonna work around you.
Sure.
So you know, engage and understand that, yeah, yeah,
there's there's need for this.
But I'll tell you what, personally for me, that that
cell phone conversation is gonna be is gonna be a difficult one
because I just, you know, now we're seeing it's kind of a
recursive loop, right?
A sine wave.
You're seeing schools go, you don't need it all day.
No.
(46:47):
Deposit it.
So, you know, I get the tug of you want to be able to
communicate, but at what cost?
You're seeing countries now determine that under 16 you
don't need social media.
No.
More of those, and I'm I'm kind of in favor of that.
No, I agree.
I mean, I I I I observed my my son actually, he was playing
(47:09):
chess and some way the setting was on like a he was playing the
computer, but the computer was actually another person.
And the person had a name, and I was like, whoa, whoa, whoa,
who is this?
And then I had to go to a setting, it was like buried to
like turn it off.
And so all these things, because you know, who doesn't
want their kid to play chess?
(47:29):
Of course.
But then you have some you don't know who this person is
playing chess with it with the you know, a kid.
And so it just becomes um, you know, really, really tricky.
Yes.
Um and I love that you f you picked up the idea that schools
are turning away from technology.
You know, and in my my opinion is that as a parent, you have to
(47:52):
be involved.
I mean, there are there are no perfect parents, you can't be
everywhere with your kids.
But I feel like, just like I feel with SEI, our goal is to
empower our kids.
Obviously, when they're younger, you have to intervene
and play an active role.
But at the end of the day, we're sending them out,
especially high school students, we're sending them out into the
world.
We're not gonna be there, you're not gonna be there,
right?
(48:12):
And so you want them to have be like, mm, I remember Omar was
on Coding Conversations and he said, he said I should not do
this.
So that we kind of, you know, we're teaching them, right?
Um I love that.
So, Omar, if you could leave a voice message for your younger
self um on uh day one in cybersecurity, what would you
(48:33):
say?
Speaker (48:33):
It's uh it's a phrase
that my my father used to say to
me, you know, he's not he's not with us now, and and it's
something that I hear uh and especially on days when
Barcelona soccer plays, right?
Which was today.
And they've they won threenothing big.
Speaker 4 (48:45):
Oh congratulations.
Speaker (48:47):
A banner day for me
today.
Um Tranquilo, mijo.
Like relax.
Relax.
It's you're not late, you're on time for where you need to be.
Speaker 1 (48:59):
Okay.
Speaker (49:00):
It'll work itself out.
Speaker 1 (49:02):
Okay.
Speaker (49:02):
Because I remember
again as a career switcher, I
felt like I was behind the eight-ball.
I felt like, wait a second, all these people uh have ten years
on me.
I'm just trying to break in, right?
I'm 30, what am I doing?
Oh no.
And just that's something I tell myself and it's it's funny.
Now it's advice I give, and I always preface it with, you
(49:23):
know, f if uh you know, if my wife were in the room, she'd
laugh because like there's definitely nothing tranquilo
about how I was trying to break in.
I was trying to make up for lost time.
But you know, you're you're running your own race.
You gotta be better than you were yesterday, and that's it.
Speaker 2 (49:38):
Yeah.
Speaker (49:39):
That's all.
That's that's really what I because I think I'd enjoy it
more.
Speaker 2 (49:42):
Yeah.
Speaker (49:43):
To start, right?
You know, I I'd I'd again my wife, you know, there's gonna be
a time when you're not an analyst and you're gonna look
back and remember those days fondly.
And I said, What are you talking about?
I want to get promoted, I want to continue, I want to hard
charge.
And she was a hundred percent correct.
Speaker 2 (49:57):
Yeah.
Speaker (49:57):
There's days I'm like,
oh, I remember when I was just a
risk contract analyst.
Those were amazing days.
I had so much, it was great.
Um you know, not that I don't like where I'm doing or where
I'm at now, but it was just it was a different time.
And I I think, you know, being more present, relaxing,
tranquilo, chill, it'll come.
Speaker 4 (50:17):
I love that.
I I feel like I just had that conversation in regards to being
an AI and building algorithms and was talking to a bunch of
people, uh, and I said, you know, do you ever feel like
you're going too slow?
And they were like, everyone feels that way.
Yeah.
Everyone in this room feels that way.
We all feel like we can't, we're developing too slow.
(50:38):
And uh it's just so I guess it's I think in God's time is
the way to look at it, right?
Absolutely.
And so we're rounding out our conversation here with Omar.
We have a lightning round.
Okay.
And so this is how it goes.
Now, a lot of guests try to say both, but you have to pick one.
Okay?
It's gonna pin you down.
All right, so I'm gonna give you two choices and you you
gotta pick one, okay?
(50:59):
Which one you prefer?
Okay, so let's kick it off with the most important one.
Coffee or tea?
Speaker (51:03):
Bustelo, coffee.
Speaker 4 (51:05):
All that.
All day.
Did you use the press?
Do you do the press?
Uh no, not that fancy.
Not that fancy.
No, no, no, no, no.
Uh control alt delete or stay on this page.
Speaker (51:14):
Three finger salute.
Control alt delete.
Absolutely.
Speaker 4 (51:16):
100%.
I love that.
Morning meetings or afternoon meetings?
Afternoon meetings.
Okay.
Oh, yeah.
Um, iPhone or Android.
iPhone.
Work from home or in the office?
Speaker (51:26):
Work from home.
Speaker 4 (51:27):
Slack messages or
email?
Speaker (51:29):
Am I in trouble?
Because I prefer like Slack messages, but I will be the
first one to email if I need a receipt.
Like if it's official, if it's some, if I you know, and and I
feel the same way.
I I definitely put that on people.
Yeah.
Right?
Why are you emailing me?
Like, are you trying to wait a second?
Speaker 4 (51:45):
Are you trying to
record?
Well, well, Slack I feel drives me a little crazy.
Speaker (51:50):
Oh no, the pings are
nuts.
Speaker 4 (51:51):
The pings are like,
you're like, what's going on?
And it's like a hundred percent.
And no one follows the rules.
No.
Speaker (51:57):
No one follows the
rules.
And that little message that says, oh, send it during hours.
No, they don't believe in their mothers.
It's like that.
Terrible.
Speaker 4 (52:06):
I I can't stand it.
Okay.
Dark mode or light mode.
Dark mode.
Okay.
Password manager or I'll remember it.
Speaker (52:13):
Oh, password manager.
Okay.
Oh, yeah.
There's no way.
I can't remember all that.
Yeah.
Speaker 4 (52:22):
Automation or manual
control?
Speaker (52:24):
Automation.
Speaker 4 (52:25):
Okay.
Biggest pet peeve, just click approve, or can we circle back
next quarter?
Speaker (52:30):
Oh, can we circle back
next quarter?
Speaker 3 (52:33):
No.
Speaker (52:34):
The best time to sort
something is yesterday, and the
second best time is today.
I don't like I'm no.
Don't call me, I'll call you.
Let's figure this out now.
Speaker 4 (52:41):
I love that because
then the to-do list becomes uh
it's never gonna happen.
100%.
Once we go into the to do to-do list, we're done.
It's not gonna happen.
Speaker (52:50):
It's a myth.
Speaker 4 (52:52):
I love that.
Well, thank you so much, Omar.
It was a pleasure to see you.
And where can we find you?
I think on LinkedIn.
Speaker (52:59):
Yep, LinkedIn, Dr.
Omar S.
Speaker 4 (53:01):
I love that.
Dr.
Omar S on LinkedIn.
Thank you so much.
Thank you for joining us on today's episode of Coding
Conversations.
Remember to like and subscribe and check out our swag.
Thank you again.