
June 12, 2024 78 mins

Patrice Drake, Senior Manager at Deloitte, sits down with Ryan to walk through her career, discuss her experience in cybersecurity, and to talk about her thoughts on hiring and being hired.

Connect with Patrice on LinkedIn: https://www.linkedin.com/in/patricedrake/


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Good Fit Careers podcast where we explore perspectives on work that fits.
I'm Ryan Dickerson, your host.
Today's guest is Patrice Drake.
Patrice is a senior manager focused on cybersecurity with Deloitte.
Deloitte employs 457,000 people, generates $65 billion in annual revenue, and is ranked

(00:26):
68 on the Fortune 500 list.
Patrice started her career as a NOC technical lead with Secure Mission Solutions, then worked
with Booz Allen Hamilton and Raytheon before joining Deloitte in 2019.
Patrice, thank you for being here.
Oh, a pleasure.
Thanks for having me.
Delighted to have you on.
So, to get us started and to kick this all off, would you tell us a little bit about

(00:49):
the work that you do today?
Aside from saving the world, I'd be happy to.
Yes.
No, so I work in cybersecurity, have for about 18 years, and in my day to day, I'm overseeing
multiple cybersecurity teams.
So that ends up being protecting organizations from adversary movement.

(01:11):
We say sometimes the bad guys are bad girls that are trying to get unauthorized access
into our companies.
How interesting.
Before we dive into the real depth of your work, can you give us a foundation?
Help us build our frame of reference.
What were you like as a kid?
Yes.
If I might, there's a great book that I love.

(01:34):
It's called "StrengthsFinder," something that's used by, I think it was Dr. Clifton, also used
by Gallup, but it really highlights how people have intrinsic traits, intrinsic habits.
And I tend to notice when I took my test against this that as a kid and as an adult, I was

(01:54):
a restorative type.
I loved taking things that were either dilapidated or broken and making them like new, bringing
them to their restorative state.
Fast forward to now, same thing.
I like going into complex problems, complex organizations, cyber lends itself to that, computer

(02:15):
science lends itself to that, and restoring it, bringing order to chaos.
But on the day to day, I got this way because of my father.
Love him.
Same bulldog, shout out to bulldog, who was a longtime chief in the US Navy.
He built computers in his lab.
So like daughter, kind of wanting to be near him.

(02:39):
I was in his lab tinkering, building, taking apart.
He really encouraged that.
And so that's where I got my start and that's how I was as a kid alongside him.
Right on.
Did you know that cybersecurity was going to be your path from way back when?
Of course not.
Cyber wasn't even.
It was somewhere in some military installation.

(03:01):
But at that time, it was very much still IT focused.
So look at the internet and how it's really skyrocketed.
This year we're seeing AI adoption like never before.
Same thing, tech goes through these waves.
And so in the beginning, having a personal computer was a huge deal.

(03:22):
I started on a Commodore 64.
So to those who may or may not know, that's one of the first iterations of personal computers
that you could have in your home.
No one was really thinking about breaking into those or protecting against those, not
if you were just the regular PC user.
So I've really seen this industry grow up.
I've really grown up with it, even though I myself have been here 18 years as an employment

(03:47):
prior to that.
I saw my father and others using it as just regular tech.
Sure.
How cool.
Would you tell us a little bit about your education, please?
Yeah.
It's a funny story too, Ryan, because I wish I could say that I came up on tech by happenstance.
But I actually had come out of a relationship where at the end of it, I was young, 18, hadn't

(04:13):
figured out where I wanted to do right after I finished high school.
And I remember at the end of that relationship, one of the conversations they had was, well,
what are you going to do with your life?
Stunned in the summer of I think 2000, if not 2020, yeah, 2000, 2001, I'm sitting there
thinking, well, what am I going to do with my life?

(04:33):
Coming back home, heard an advertisement for ECPI.
So ECPI is one of the, it's a technical school here in Virginia.
They've got several locations in Virginia, North Carolina.
And they really specialized in teaching IT.
So that's where I got my initial degree was from ECPI University, got it in associates,

(04:54):
went on to finish my bachelor's in business at St. Leo University.
And that was on purpose because I was very technically focused, recognized that although
I knew the tech, it was important for me to know the business and why leaders cared about
what they cared about and how they were making decisions that may not be aligned with tech.

(05:15):
Huge, huge recommendation I make to people these days, understand the entirety and the
mission that you're working for.
And then from there went on to, I'm wearing my Carnegie Mellon shirt today, went on to
a CISO program for Carnegie Mellon that I just finished last year.
Fantastic program.
And a CISO is a chief information security officer.
They are the top, they are the top officer for an organization when it comes to cyber.

(05:40):
So I did great there.
And so that's my educational path today.
Beautiful.
That makes a lot of sense.
And I love the approach on knowing that you are naturally inclined towards the technical
work and forcing yourself to go through the business side to get a more complete perspective.
Yeah, 100%.
You have to, especially in tech, people get a kind of myopic view of doing their thing,

(06:03):
programming this particular application, protecting this corner of the world.
But all of them, all of we all work for a business and if we're not enabling that business,
the revenue, the mission, then we're not aligned to some of the things that those leaders care
about.
So you completed your education.
You've gone through your various degrees and certification programs.

(06:26):
Would you tell us a little bit about how you landed your first full-time job?
I'd love to.
I'd love to.
Through my father, actually, right, I was not ashamed to network because even though
I had my associate's degree from a pretty reputable university in the Virginia Beach
area, by the way, that's where I went to the Virginia Beach campus in Virginia, I still

(06:48):
could not get a job.
I applied to multiple jobs, multiple entry-level jobs in tech and got very little, very little
back in the way of interest.
And it was very discerning to me, too, because I thought I was a great candidate for all
intents and purposes.

(07:09):
I graduated pretty well.
I think I was the second in my class for graduating.
I knew the tech.
Resume looked great.
Hitting all the key words I thought I should hit.
No nibbles.
And so talking with my father and my dad, he was in tech.
Like I said, he had a friend who had an opening at a company that was since bought by Hewlett

(07:31):
Packard, and that landed me the interview.
So getting to that interview was a struggle, right?
And when I got there, I knew that if I sat in front of somebody, I could nail it.
But up until that point, wow.
So his name is John.
Shout out to John.
Thank you so much for that, for giving me that head start.

(07:51):
That's all I needed because since then I've done very well, been able to understand and
navigate.
But yeah, that's originally how I got my start.
That's amazing how that first job is often the hardest one to even just get considered
for.
And it's so nice to hear that your network really came through for you there.
Yeah, yeah.
I will say something too.

(08:12):
We are seeing this in tech, these unrealistic expectations of what people consider entry.
I don't know if other industries are seeing this as well, but I've seen enough of people
like me, experts who are calling out these job descriptions that may not have realistic
qualifications on either education or experience or skill sets.

(08:34):
And then having us hiring managers go back and take a look and say, "Does this make sense?
Do you remember what it was like when you first got into the industry?"
Because clearly your JD or your job description isn't reflecting that.
The entry level job with 15 years of required experience, right?
Yeah, for tech that might have only been existing for three years, that's a common joke.

(08:58):
We want you to have 15 years experience with ChatGPT.
Sure.
Got it.
I invented it.
So tell me a little bit about what that first job was actually like.
Well, luckily, ECPI had me do an internship.
So I spent the summer prior to the first job working with people already in my field.

(09:24):
Huge advantage.
I currently recommend internships and apprenticeships.
I am a part of Deloitte's interns and apprenticeship program currently because of that.
I strongly believe that and have my entire life.
So having the experience of working with and knowing how techs work, my first job was
on a help desk.
It was customer oriented.

(09:48):
Users called in password resets.
"Hey, my computer doesn't turn on.
Man, is it plugged in?"
Thank you so much.
It wasn't.
It was along those lines.
Troubleshooting without the actual computer in front of you and users do this today still
really helped that understand.

(10:08):
It gave me the highest level of empathy with my users today.
But it was very remedial, very low level, but we cut out low level, very entry level
type stuff.
And yeah, that was the bulk of Patrice's career first job.
This computer job, by the way, yeah.
Is it true that just restarting your computer tends to resolve almost all the problems?

(10:32):
100%.
When a tech asks you to reboot, some part of it is a script, but some part it is the
programs.
You just may have too many running.
You may be taking advantage of some of the things there.
A clean reboot, I can't even imagine.
I can't even express how accurate that is.

(10:53):
Right.
So from that first job to today, is there anything that you carry with you from that first job?
It sounds like the empathy for the end user is a key piece.
What else did you bring with you from that first experience?
Oh, several relationships that I still have today.
First manager I had, his name was Jack Pearson.

(11:15):
He interviewed me during the role.
I often see him, in fact, coming Labor Day weekend.
I'll be staying with him down in the Virginia Beach area and several other coworkers that
I worked with as well.
Right.
So from a skill set, I can get into that.
But if I can just tell you, having and keeping and maintaining your relationships, networking

(11:39):
with people, the industry feels big, but then it gets small.
As you notice, people stay with you.
Key.
Super key.
I'm going to throw a book out there as well too.
There's a book called Captivate.
I think it's the art and science of networking.
Something that's been hugely beneficial to me, even though I'm an extrovert and I love
people, I've noticed some of the people I've worked with are introverts.

(12:01):
And that's been helpful for them.
Other skill sets or other things I've taken with me since that first job, empathy, 100%.
As a, I'll say it's a full spectrum, starting as a tech on the help desk, but now leading
multiple teams inside of Deloitte.
I don't know if we got into that, but I'll work for Deloitte.

(12:23):
I'm often facilitating and advocating.
My job is making sure that if there's something that comes my way, I've got leaders, multiple
leaders that I need to advocate for, enable, make sure that they get what they need.
And I clear that path using empathy, understanding some of the pain points that my customers

(12:46):
have, my peers have, other leaders have, and collaborating also been fantastic.
There are other hard skill sets too that you build upon.
So in tech, if you learn something and make it, make it something that you repeatedly use,
it'll follow your whole life, the knowing how to reboot a machine, right?

(13:09):
Install operating systems, protect against certain attacks.
You don't forget these things, you build upon them and they stay with me as well too.
It was a great question.
It was a great, great question.
Makes a lot of sense.
And it's amazing how our foundations really show through in the years and decades that
follow.
Decades, oh, that hit me hard, but yes, you're right.

(13:30):
I am decades with an S.
Thanks for having me.
Yeah, it's a plural now.
In terms of your inflection point, you had been technically inclined as a younger person.
Your training was both business and on the technical side.
The first role in tech kind of focused on supporting the end customer and making sure

(13:50):
that they were in a good place from a cybersecurity standpoint.
Was there a moment when you realized that that was the work that you really wanted to
do?
2013, I remember it like it was yesterday.
Up to that point, tech had this abstract concept of what we thought the adversary was

(14:11):
or who we thought the adversary was.
We knew that there were bad people out there trying to gain unauthorized access.
Like I said, what we do on a day to day, but a company called Mandiant that now was bought
by Google, this part of Google, had published a report called the advanced and persistent

(14:32):
threat, AAPT.
I'm going to say that acronym, APT.
So the advanced persistent threat, one.
And in this report still exists today, public, they had pictures of people that were on teams
hacking for a nation.

(14:53):
They had detailed reports of where they worked, what they were targeting.
We had never seen anything like that.
We'd never seen a report that tied back to a group of individuals acting together on
behalf of a nation to accomplish a cyber mission.

(15:14):
Now when I say that, I'm saying as the public, I'm sure military personnel had.
I'm sure three letter agencies had, right?
But wow, we were able to leaf through this.
And from that point, it went from being an abstract concept to me to being a real intrinsic

(15:34):
and internal thing that I was able to latch onto.
I couldn't get enough of it.
At the time I was at a consulting company called Booz Allen, and I've spent the majority
of my career in consulting companies.
And still in tech, but I found myself pivoting over to cyber projects and cyber clients,

(15:55):
right?
I went to my leadership actually saying, hey, I'm passionate about this.
I wanted to fend against this.
I got my first big break and we were responding to a high profile client who had just been
breached, a retail client, and they needed response.
They needed us to help shore up and augment their cyber teams.

(16:18):
So it actually materialized pretty quickly for me, like being able to be an offensive,
a defensive role, acting on behalf of an organization, looking for the adversary, kicking
the adversary out, talking about it as opposed to before when it was more conceptual or me
kind of doing what's called auditing against adversary movements.

(16:39):
I was able to be a defender and not just a policy maker or an auditor.
Wow.
2013, man.
That's awesome.
Most people don't have a single moment or a date.
It's like, oh, I kind of fell into it.
It's so exciting to see that there was just like that instant, that report that really
got you there.
Yeah, I should tell Kev.

(17:00):
So his name is Kevin Mandia.
He runs that company.
I've met him once in a job sense.
And I didn't get a chance because I was starstruck to tell him that, hey, what you did probably
set course for dozens, if not hundreds of cyber defenders today.

(17:22):
Mm-hmm.
What a beautiful thing.
When you're thinking through what you had to master and what you had to learn your way
into being technically inclined, but not yet into cybersecurity to the depth that you
are today, what did you have to really work at to get good at in the cybersecurity field?
Yeah.
So back to some of those intrinsic traits that I had pointed to in StrengthsFinder.

(17:47):
I don't remember the exact category, but I do tend to kind of self-test and notice where
I have gaps and address those gaps, not just from a professional standpoint, same from
a personal standpoint too.
And I did recognize that there were a few areas, not just the business.

(18:09):
I think I also had issues with like writing policies and understanding by policies that
mean legal.
So countries come up with legal policies that affect cyber.
One that Biden is talking about now.
So if you listen to this, President Biden, one that he's talking about now is putting
regulations around AI, right, and artificial intelligence.

(18:32):
So those things affect cybersecurity too, especially when ransomware came out and ransomware is
the attack where the adversary breaks in, gets something of value, holds that ransom,
and threatens to release the knowledge that they have something important with the

(18:54):
intent of damaging your brand, damaging your reputation, in hopes that you'll pay them,
right?
So they're ransoming that.
It can affect client relationships.
Colonial Pipeline was a huge ransomware issue where it shut down operations.
And so rather than have that happen, companies tend to pay.

(19:18):
But back to me and recognizing that companies, or excuse me, countries put policies around
that.
I didn't have that type of skill set.
I didn't have the business understanding the mission, didn't have the policy understanding
regulations around it, and then some other nuances around cyber.
So I internally, and working with some mentors who recognize my gaps, found systematically

(19:44):
going through and seeking out resources, seeking out relationships, seeking out projects in
my company when I had the opportunity to that shore those gaps up was beneficial.
It does take a while, right?
I mean, there is a lot that you don't know.
Like is huge, every industry is huge, but prioritizing what's most impactful for your

(20:06):
career, setting a strategic path, which is what I did, like working strategically.
That really helped narrow my focus.
So I didn't, well, as they say, I don't know if they're still saying it as boil the ocean
because you can't do everything.
You need to be strategic and focus about how you approach it.
Right on.
It makes a lot of sense.

(20:26):
So purely out of my own curiosity, let's say that we're in a ransomware scenario and I
pay the people who are holding whatever I have, ransom.
Do they tend to be good actors at that point and follow through on the agreement?
This introduces something called double extortion, where if you do pay, we see an uptick of threat

(20:48):
actors coming back and asking again.
So going back to my policy statement, we worked with the United States.
I was a part of a ransomware task force where we published something right at the start
of Biden's administration and presented it to him.
Concerns we had around the threat of ransomware and also targeting these payments to these

(21:15):
bad actors.
But yeah, you do see they will try through something called social engineering, pretending
to be Ryan, talking to Patrice and asking for a thing.
We're simply taking advantage of an opening that you have.
We call those vulnerabilities to get inside and then get access to a thing and then ask

(21:36):
for an amount.
So yes, some people do pay at the threat of getting their operations back on track.
They've got revenue that's being affected.
But those victims or targets do tend to be retargeted.
We caution about paying that.
And so does the FBI and several agencies caution against paying and giving these threat actors

(22:01):
what they want.
Great question.
I'm going to attacks and will or I want to walk you through kind of an adversary, a
day in the life of an adversary because I'm giving you days in the life of a defender
myself.
But that's an interesting what we saw in the industry.
We hadn't seen the type of push from organizations like we did with ransomware.

(22:26):
Breaches have always been a thing.
We've seen break-ins and then you've seen passwords.
I'm sure you've seen where I think who was it recently AT&T had a large number of those
passwords leaked.
So that has been a concern, but not nearly as much of as ransomware has been recently.

(22:50):
And AT&T paid me a whopping $5 for the inconvenience of having my password and personal information
shared.
It's everything's better now.
Sounds like you've been made whole to me.
So before we dive into a day in the life of a defender and the day in the life of an adversary,
let's talk about where you fit within Deloitte.

(23:10):
So help me understand, roughly this is an enormous company, hundreds of thousands of
employees.
What's the structure look like for you?
Deloitte's interesting in that it's a private company.
I think I was speaking with somebody recently and they were like, "You're so huge.
I forget that you're private."
And yeah, it's a series of partnerships.
So they're essentially LLPs and they are grouped.

(23:32):
If you can imagine almost like a franchise, right?
Places are grouped by country.
So there's a Deloitte US, a Deloitte Spain, Australia, fill in the blank.
We are almost in every country and in multiple cities in every country.
Our bread and butter is tax and audit.
So we're primarily known for our tax and auditing services.

(23:57):
And as ancillary, there is other supporting functions too because we're consulting.
I am in the cyber division.
And how does that look?
So even though there are multiple countries and multiple Deloittes, each of those countries
has consultants that are working alongside clients.
I used to do that.

(24:17):
So I used to provide cyber services for the Deloitte US practice and clients in the US
before eventually I was asked to do so for my own company.
I love it.
Deloitte stood up a cyber practice and asked their cyber professionals to help them build
it and advise on it.
And eventually I took over running roles.

(24:38):
So I'm corporate.
I'm now corporate cyber.
I protect what I think now is roughly 420,000 employees that are performing those services
worldwide.
Man, is that a challenge.
That is one of the most challenging things I've done in my career.
Because you're talking about and across different time zones, different cultures, different adversaries,

(25:01):
different industries and verticals.
Yeah, it's probably one of the most challenging environments I've ever been in as opposed
to right before this when I was on Capitol Hill protecting the US House of Representatives.
That was also a very, very different and challenging environment as well.
So that's what that looks like.
My protection against and my protection for, you know, those hundreds of thousands of employees

(25:27):
spread across, I don't know, I think we're at least in 100 countries, if not, roughly.
Wow.
And tell me a little bit about your team, the people that you lead and the work for you.
Yeah.
So you have to understand tech a little bit.
I'm often on LinkedIn, shout out to LinkedIn, doing collaborative articles and answering

(25:49):
questions around, well, what does certain tech look like?
What does certain cyber look like?
One of the questions I get most often is Patrice, if I'm in traditional IT, so tech is an umbrella
term, but really it starts off with information technology.
If I'm in information technology, how do I transition over to cybersecurity?

(26:10):
And that's a fantastic question.
I tell them it's two sides of the same coin.
You need to understand the underlying tech in order to defend that tech.
So if you came from, like me, configuring, we say layer three, you have to understand
there's different layers in IT.

(26:31):
If you came from the layer three, which is traditionally routers, if you have Wi-Fi at
your home, you have a router, I configure those in large scale and organizations.
So if you have routers, switches, firewalls, then defending those is what I do now.
That's called the intrusion detection and prevention.

(26:52):
So I run teams that are network security and network security based and thwart attacks
against and in those domains.
That is high level, what I do, and I do it in lots of countries at the same time, right?
And with a team that's spread across three different regions.

(27:17):
So we do break the world up into three.
This is very common for organizations our size and we have teams in the Americas region.
So we break it up in Americas and Europe and Mediterranean and then Asia Pacific.
Right on.
And what does a good year look like for you and your team?
What a fantastic question.

(27:38):
Constant, yeah, so I'm going to answer this in two ways.
First at the tactical level, at the cyber level.
We see attacks constantly just from the footprint of Deloitte.
So a good year for me is when I can take a Christmas break in its entirety.

(28:01):
Adversaries are smart, right?
They know that when teams go on vacation, the likelihood of responding quickly to an
attack goes down.
And when you have defensive measures in place, when your policies are working well, then

(28:22):
absolutely that's a great year for me.
Taking a full vacation.
Any CISO will tell you the same like that, there's some statistics around milestones
missed because of attacks.
But at a professional level, right, as a leader, a good year for me is when we are operating

(28:43):
at a higher maturity than we were last year.
So when I look at how my teams perform, I love there's a saying about not having the
same problem you've had previously.
I'm butchering the summarization of that.
But I agree.
If you run into a problem as a leader and your teams and organizations are facing a problem

(29:05):
and you're facing that same problem next year with the same level of lack of resiliency,
lack of readiness, then that to me is not a good year, right?
We haven't done due diligence.
I'm not saying you won't see that problem again, but the response around it, right?
That's not where it needs to be.
We didn't have a good year, friend.

(29:27):
Mm hmm.
That makes a lot of sense.
In a little bit more of a philosophical sense, can you tell us a little bit about what your
work means to you?
Mm.
I struggled with this for a while because tech moved so quickly, cyber moved so quickly.

(29:48):
And it, it, at some point, it felt like I wasn't making an impact.
I wasn't doing and being enough.
I didn't know enough.
So I found that the reason, or at least I think the reason that was, is because I wasn't
spending up time at the human level.
I wasn't connecting with some of the, the people I was working with.

(30:11):
Well, we're sending the ladder back down, which I do now.
Like I'm very heavily invested into answering questions and making sure that apprentices,
interns, people that are coming into the industry, understand those collaborative articles I
talk about on LinkedIn, I answer that simply because of the same thing.

(30:31):
I have knowledge.
I want to go ahead and give it out.
Additionally, there are affinity groups inside of Deloitte that I'm a part of that are cyber
related.
So Women in Cyber, Women in Tech, also a part of Lesbians Who Tech, right?
So just trying to be present.
There's a National Society of Black Engineers that I'm a part of, too.
I mean, Ryan, you hit the nail on the head here because the job used to mean ones and

(30:57):
zeros, we say in tech, right?
It's very binary thing.
Until I literally immersed myself in the industry itself and the work means so much more now.
It means showing up, definitely doing and performing the role, but the life of a defender
is that you're defending with others, right?

(31:18):
You're raising others up.
You're pouring into others.
And I found that that has been way more beneficial than simply sitting and configuring or deploying,
which is what you can do day in and day out, depending on what your role is.
That's beautiful.

(31:38):
I hope that answered your question.
I know that that was a little bit around the way, but yeah, it's something else when
you get in there.
Get beyond that.
Should I even be here imposter syndrome that we see in tech?
Get beyond the, hey, I don't know enough.
Tech's huge, tech's moving, tech's this.
Am I making a difference to you?

(32:00):
You're never going to know everything.
Embrace that.
Embrace that.
Tech's always changing.
Cyber is always changing.
It's exciting, right?
And what doesn't change is the human, the human, your others that you're working with,
even on the other side, the defenders are also human too.
They've got their own limitations.
That's a beautiful way to answer the question.

(32:20):
We'll get back to the conversation shortly, but I wanted to tell you about how I can help
you find your fit.
I offer one-on-one career coaching services for experienced professionals who are preparing
to find and land their next role.
If you're a director, vice president, or a C-suite executive and you're ready to explore
new opportunities, please go to goodfitcareers.com to apply for a free consultation.

(32:44):
I also occasionally send a newsletter which includes stories from professionals who have
found their fit, strategies, and insights that might be helpful in your job search,
and content that I found particularly useful or interesting.
If you'd like to learn more, check out goodfitcareers.com and follow me on LinkedIn.
Now back to the conversation.
In terms of the work that you're personally most proud of, what does that look like?

(33:08):
Mmm.
A real pause here.
A real pause.
Ah, this is going to sound so corny coming through a podcast, but every time I have the
best time at the House of Representatives, I am the most proud to work there.
That team is under constant fire of the adversary.

(33:34):
Starting in public spaces and shout out to them because when the riots happened on January
6th, there was a screenshot of someone getting to Nancy Pelosi's computer.

(33:56):
The team behind that are the tech teams and the cyber teams and defending against having
the public have access to public figures.
Now they shouldn't have access to computer systems like that, but that was such an interesting,
hard, but great experience.

(34:18):
I am the most proud of that section of my career.
It's not a tangible product that I can point to.
I do have a few of those.
It's not a concrete thing.
It's an experience.
It's those people that are still working alongside there.
What made that great is that they were and continue to be very skilled.

(34:43):
They are such kind people.
They recognize, I think when you're in those spaces, you loosen up a bit.
You see a lot.
The things that you tend to maybe get petty over in an organization, that goes away because
you all are commonly joined against this real goal and mission here.

(35:09):
That's what I can attribute it to, but they're just awesome folks.
That's where I also met Kevin Mandia.
That's where right after the DNC hacks, at the Democratic National Convention, I started
with that team and although they weren't hacked as a result of that, it was the same victims
that were in the DNC had computers in that network.

(35:34):
There was very much a real focus and defense in that time.
How cool you get to watch history play out in the moment, right there.
That's amazing.
Yeah.
You don't know it's history until you look back.
You can feel like this is significant, but you don't know.

(35:57):
No.
I feel like maybe at that time we did.
Yeah.
I was like, at that time we did.
I will be honest, I was not working for the house at that time.
I had already started working for Deloitte, but you better believe I reached out to my
colleagues there and offered my condolences, which is something we do in tech when we see
a real breach or a noticeable thing.

(36:20):
The longer you're in tech, those are your friends that are defending or your colleagues
that are defending, and you've defended too.
There's a real high level of empathy when they're like, "Hey, Patrice, I know you're
going through it right now.
I hope everything's okay.
Make sure you're taking care of yourself."
I'm giving them a hard time.
I know you're out there, but when you see those attacks, I don't think people realize

(36:45):
that on the other side are defenders that are doing the best they can to thwart those
adversaries.
Yeah.
That's awesome.
So Patrice, I would love for you to teach us a little bit of something about your field.
We had talked a little bit about the anatomy of a cyber attack.
I love to.

(37:06):
I love this portion of it.
There are many ways, many ways an adversary can break in, but we tend to find there's
a commonality in the sequence and how they break in.
There's something called the cyber kill chain.
There were three smart individuals who worked for Lockheed Martin that had come up with this

(37:31):
concept that they borrowed from the military.
The thought is, if you break any of the sequence of events, you will thwart attacks downstream.
So the sequence is seven.
It's seven stages or seven sequences that an adversary must go through or tends to go
through to be successful.
Let's walk through it and I'll give you a scenario.

(37:55):
This is one that I usually teach to incoming students or people that are new to the field.
And it's very, very, very well done.
So we're going to start with reconnaissance.
So recon is the concept that in order to know and attack my target, I need to figure

(38:17):
out a little bit more about them.
In spy movies, you'll see people staking out.
They'll sit outside of a person's work.
They'll watch them come in and out.
They may follow them on the street.
If you imagine them walking down the street kind of tailing them or trailing them or staking
out, well, adversaries do this too.
They'll either pull you up on Google, either you, the company or who works for you.

(38:42):
They'll take note of what technology you have or don't have, what partnerships you are undergoing
or not.
They'll see if they can figure out and build a dossier or some type of sheet on you for
reconnaissance.
They tend to do this passively, Ryan, because if they do it actively, then it'll show up

(39:04):
in someone's tool.
So they'll do as much as they can without touching your environment or any of the environments
around you.
Recon is a very effective way, but it's one that we never see.
So if there's some way that you can thwart that and we do recommend keeping as little
information as possible, right, don't accept requests from people you don't know, making

(39:31):
sure that if you are hiring for a certain thing in your job descriptions like I am, that you're
mindful of how much information you're giving, because yes, you want to have a good candidate,
but you also don't want to make yourself a target.
Okay.
So that's one of the things that we're going to do is we're going to do a little bit of

(39:52):
reconnaissance, right?
This is, we start there.
The second stage is weaponization.
I found out about you, Patrice.
I know you work at Deloitte.
I know you work on firewalls.
Maybe I even know what type of firewall that you work on.
So I am going to try to craft some type of exploit or maybe make some software that will
allow me to break in to this technology that I now know about, right?

(40:17):
I'm going to build something unbeknownst to you that I will then try to launch against
you later.
So the second stage is weaponization.
Also a pretty difficult place to defend against, but it's not as secret as recon, right?
We either see adversaries downloading what's called proof of concepts or exploits, trying

(40:42):
to craft something together.
You may see a little bit of people on forums asking questions, maybe buying ransomware,
right?
There are underground markets where we do that.
So weaponization is that one too.
Intelligence teams, other defensive teams are how we recommend thwarting against that.
I'm going to give you the defender as well as the adversary.

(41:05):
Okay, so I know about you.
I've made a tool.
Next thing is I need to deliver it, right?
So we see the next stage is the delivery, right?
Where I'm going to send it to you or I'm going to call you.
I'm going to try to get you to essentially take this tool that I have this weapon and

(41:28):
it in your environment, give me a foothold.
I'm going to try to get in there.
You don't know what I'm trying to get, but I will get in there.
So we see this as the delivery, right?
This delivery stage.
Phishing is the most common way adversaries get inside of an organization that they're
not already in.
They'll send you a link, a gift card, a "Hey, I delivered a package."

(41:49):
Just click this link and you'll get your whatever it is you want, right?
The other way to defend against that is email, right?
Email system, email security systems, user awareness, right?
We do a lot of that.
So recon, weaponized, delivery.
Now we're in.

(42:09):
Now we're exploitation.
I love this because I'm like, "Oh no, now we're actually in.
We're going to exploit you."
Right?
Now I'm on the fourth stage here where I definitely am putting something malicious on your computer
and now we're exploitation and this means that I have successfully gotten past whatever

(42:30):
defenses you tried to throw at me.
I am now on the system or machine and I will be running my code, right?
It may not be the same code that got me past your firewall, but it is something that's
malicious.
We are talking about like, "I'm about to execute something inside."
This is where we see an ask for organizations to put something local to your machine.

(42:56):
So you'll see things like Symantec, right?
Used to be very big, Bitdefender.
This is where we ask for firewalls on the actual laptop itself and you're seeing the
machine itself do defenses at this point, exploitation.
Okay.
Well, your firewall wasn't up or it wasn't up to date because I was able to run my code

(43:18):
successfully as an adversary.
I'm now going to install something.
I want to stay.
I'm past your defenses.
I have code here, but it's not big enough.
Adversaries typically don't send enough of malicious code in the first go round to really
do what they need to do.
So in step five, they install something.

(43:40):
They'll pull down a downloader or other things to make themselves more robust on the machine.
We see this as malware.
So there's probably malware that most likely happened before, but there's definitely malware
that's being installed and malware is short for malicious software.
A bunch of families out there, so we categorize malware in different families and different

(44:01):
categories depending on what they do.
Ransomware being one type of malware.
And this is where you would see ransomware now installed and active on your machine.
But other things like Trojans, so Trojans is another type of malware.
Maybe I want to stay on your machine silently and get access to it later or a backdoor info

(44:24):
stealers.
Maybe I just want to stay on the adversary.
I just want to steal information.
So every time you type on a keyboard, I'm sending that information back to step six command
and control.
So the malware is local, but I can't stay on your machine, Ryan.
I actually have headquarters back in my house, my station, my country, and we call this C2.

(44:50):
So command and control is where I'm able to talk to and from this node, the server back
and forth just to make sure that I have a direct connection to you.
And I stay there.
And then lastly, lastly, seven is now I'm here and I'm going to get what I came for,
which is actions on objectives, right?

(45:13):
Up to this point, I just tried to get to you, but maybe I want that secret formula.
Maybe I want the blueprints.
Maybe I'm corporate espionage.
This is where the adversary is revealing their intentions by either going after a particular
set of data inside a particular victim inside, but we see the motive at this point or the

(45:35):
action that led to this whole attack in step seven.
So this cyber kill chain, these steps, the recon, the weaponization, delivering, exploiting,
installing, C2.
And then later, lastly, actions on objective, the thought is if you defend and break at
any point in time, then you should be able to successfully stop the attack upstream.

(46:00):
And in these last ones, it's the hardest. Seven and one are the hardest to defend; really,
two through five or two through six is where we do the bulk of our protections.
So hopefully that helped a little bit with understanding how adversaries work and have
the linear progression that they'll go through.

(46:20):
And I can actually overlay any real attack.
If you look at a breach of some sort, you'll have imagined that they most likely went
through those seven steps before they got AT&T's data, right?
Or before they got the before they installed the ransomware and held the company for ransom,
they most likely had to have gone through those steps in order to be successful.

(46:41):
Wow.
That is absolutely fascinating.
I feel like I hear about corporate espionage in like movies or, you know, this ethereal
sense, but how real is that?
It's not so much from one competitor, I was going to be one competitor spying on another
competitor via cyber means.

(47:03):
It's for cyber espionage.
I misspoke a little bit where you're seeing one nation interested in the policies or decisions
or votes or elections in another country and using the espionage and the way of espionage
to understand.

(47:24):
We see this and there's a malware called Pegasus and we see and we have seen countries using
this malware specifically to target journalists.
They want to know, what do they know? This malware is designed to sit in and on mobile devices.
And we have seen victims be prominent journalists with the intention of espionage, right?

(47:48):
Like figuring out what is it that they know?
What is it that they are researching?
What do they know about me and so that I can take and understand a little bit more?
Not so much in the corporate sense in that instance, but it is understanding like there's
that that traditional like, you know, when you think about spies and things like that,

(48:08):
that espionage there.
So it's common.
It's very common with APTs, like I mentioned before. Right now,
I think we're up to 45 if not 47 APTs that have been identified through the world.
Then starting in 2013, but now in 2024, I would say we're probably up to 47 or 48.

(48:29):
Each of these APTs are collections of highly skilled, highly motivated, high resourced individuals
and groups of individuals usually backed by a country of some sort.
And this is where I would most align those espionage activities.
Wow.
How fascinating.
What a cool perspective.
It is, it's you can that's why I go back to the House of Representatives, right?

(48:56):
Man, of course you would want to know what your local, you know, fill in the blank is working
on what is interesting to the United States.
And if you're an adversary and you can simply get a foothold through those seven steps into
an organization and find out.
Yeah, you'll see that as well.

(49:16):
Man, that's awesome.
You had talked about sending the ladder back down and helping to bring the people around
you up and develop the up and coming folks.
We talked a little bit before we started recording about the Deloitte Technology Pathways
program.
So this is like apprenticeships and internships.
Can you tell us a little bit about what it is and what you do with them?

(49:38):
Yeah, I'm on my third or fourth year, I think three years going into four and Deloitte recognized
that we are underemployed in cybersecurity.
I think at one point we were at a negative employment.
We did not and I think still do not have enough people to fill the demand that the industry

(50:00):
needs.
We're not the only ones.
There's several other companies if you look out there that saw this gap and Deloitte specifically
decided one of the ways that we could address it is by teaching on campus and in selective
partnerships early in career professionals.

(50:23):
So the Deloitte Technology Pathways program is a pathway to the technology teams and working
for the technology teams inside of Deloitte.
We originally targeted sophomores and juniors because at that time we could see where they
had declared a major and that they were pretty confident staying in their major around tech

(50:44):
and cyber or excuse me and computer science and cyber.
I think that's since expanded so we're looking at other avenues to maybe in some technical
conferences and things like that.
What I did was I wrote the curriculum for that, which was cybersecurity, largely using anatomy
of a cyber attack, a day in the life of a defender and adversary, as well as other technical modules.

(51:09):
Again, just making sure that we are bridging that gap by going to accredited schools and
locations targeting individuals that are interested in cyber in technology in AI, teaching a little
bit about it, blending the company and then offering an internship and apprenticeship
program, even a mentorship program as well too because of this real need.

(51:33):
That's awesome.
When we're thinking about perceptions and perhaps misconceptions here, how do you believe
the world sees your job?
I made a joke and still do largely around Mission Impossible.
Tom Cruise has a character that rappels down from the sky in order to get that thing and

(51:59):
then you'll cut to the person in the van who is behind a computer enabling all the locks
or disabling all the locks, thwarting a lot of these defensive.
I think for a long time when people saw me in tech, saw me in cyber doing, I used to be
an ethical hacker, doing these ethical hacking, they envision that's largely what we did.

(52:25):
We were in a corner just able to overcome any obstacle in cyber to get to the thing that
we wanted to get to, knew all the things.
Some of that's true.
I will say with enough time, you can from a digital standpoint really have more information
than you should, but we have limitations.

(52:47):
So does the adversary.
The misconception I think people walk away with is that we're able to do almost anything
in tech.
We're able to solve all problems in tech.
I made a joke about solving the world earlier in the podcast, but that is true.
There's just some thought that we know everything.
We have specialties, specializations.

(53:09):
This misconception tends to lend itself I see to the imposter syndrome where people do think
they need to know everything because they are asked about so many things in tech.
So I would say that.
I would say that that's really the misconception that I see in my role.
As we're speaking to a broader audience, not necessarily just people who are already well

(53:31):
established in cybersecurity or have a depth of understanding, is there one thing that
you wished the broader population knew or perhaps behaved or did differently from a
cybersecurity standpoint?
Yes.
Cyber is like flossing.
Changing your password is hygiene.

(53:52):
Not writing them down, not reusing the same passwords.
It is a hygiene thing.
Most people understand flossing is healthy for you.
You should do with some consistency.
It's actually a good thing.
The amount of people that floss or keep up with their flossing is much less.
Much, much less.
And so for cyber, I wish that I could tell people something as simple as keeping better

(54:18):
hygiene around protecting yourself, about not sharing your passwords, just recognizing
that yes, you are interesting.
You can't determine whether the adversary thinks you're interesting or not.
I see so many people who are like, "But Patrice, I don't know anything.
I don't have access to anything.

(54:38):
Why me?"
Why not you?
Right?
You don't get to determine that.
They do.
So I do wish without sounding alarmist, more people understood that simple things, simple
hygiene is beneficial.
It'll keep you out of 99% of issues around attacks by just stepping that up.

(55:00):
And yeah, that's my soapbox.
I'm going to stand on.
Yeah, right on.
Thank you for that.
Floss, right.
[laughter]
Cybersecurity hygiene, people.
If you were to set expectations for someone who is excited about your field, perhaps similarly
technically inclined, want to start to get into this path and go down this road, what

(55:22):
sort of expectations would you set for them?
Yeah, it really depends on where you start your path is where I would give my answer.
So I'll give two broad ones.
I'm going to assume you're starting your path from entry level, right?
You're coming out of school, maybe you're early in your career, you're pivoting over

(55:43):
to something.
My recommendations there is that understanding tech, either by studying self-studying through
certifications, if you're trying to keep costs low, is a great place.
There are a lot of free or low cost resources out there.
Without a degree, I do recommend you going for something that is a certification base.

(56:09):
That doesn't mean that you have to spend a lot of money.
So at the time of this podcast, there's an organization called ISC squared that's offering
a Certified in Cybersecurity free of charge.
Google has and has made their academy pretty low cost.
There are a couple of free certifications you can get from them as well.

(56:31):
I highly recommend doing a certification because it shows your employer or your potential employer
that you have this body of knowledge that you have accomplished and you have the aptitude
to learn because this is something I hear often.
Do I need a certification?
Do I need a degree, Patrice?
What's going on?

(56:52):
Do I still hold true?
Degrees still are good for the same reason.
Outside of a startup, startups tend to really want to see the body of work.
I'll be honest.
So if you are doing some type of coding, some type of application, something tangible, make
that known.
Put that in a repository.
Let people see the work that you've done.

(57:13):
Could be in school, could not be in school.
So basically I would echo having some defensible or tangible artifact.
This is super high level, but it's true, is helpful, especially for companies that are
established, especially for those that the further you get away from your startups, the
more companies tend to want to lean on that.

(57:33):
If you're starting from there, if you are what we call an experienced professional, meaning
you've either been in the industry for a while, maybe doing something else, or you're pivoting,
or maybe you were in tech, but you want to continue into cyber: network, network, network.
Okay.
Oftentimes when you're early in career, you just don't have access to people that have

(57:55):
been in an industry for a long period of time, because you're younger.
No issues there.
You do have your professors, you do have your peers.
Keep those relationships there.
Help as you go through.
Show up to conferences and different organizations.
But I find the experience hires, because they've been in a career of some sort, tend to be

(58:17):
more assertive, right?
They do tend to be more proactive with reaching out either through LinkedIn or showing up on
webinars or showing up in spaces where they can make the kind of connections and ask outright,
"Hey, I'm interested in a thing and you happen to do that thing too.
Can I learn a little bit more?
Can I talk to you a little bit more?

(58:38):
Can I understand a little bit more?
I see you're hiring, Patrice.
What are you looking for?"
So for my experience hires, lean into that, lean into your experience as with what you
have them.
I think that's a fantastic way for pivoting over.
It's not that you don't need artifacts.
I will say too, Ryan, these people, experience hires might have a degree in geology.

(59:00):
They might have a degree in music.
They already have a degree and sometimes that's helpful too because we see them as
someone that has that aptitude who can learn and may or may not need to have the specific
electrical engineering or computer science or cybersecurity degree depending on whether
or not they have the plus-up of maybe certifications to help as well.

(59:23):
The thing that I'm taking away that I find so interesting is that often, at least on just
a pure business side of things, maybe 20 or 30 years ago, getting an MBA or better yet
getting a degree from a prestigious university was a golden ticket over the last 10 or 20
years.
Now, it's almost irrelevant.
What I'm hearing you say is that from a cybersecurity standpoint, there are not enough people to

(59:47):
fill all the roles, to fill the demand and then getting a certification and having a little
bit of a portfolio of your accomplishments there actually makes a difference and can
make it easier for you to actually get a job in that space.
Yeah, and it's surprising too to people.
I have seen a little bit of disbelief around that.
Now, keep in mind, depending on the company that you're trying to target, never hurts

(01:00:12):
to network.
By the time a resume gets to me, if I have an idea who the candidate is, either through
word of mouth, a reference, or just meeting you, that always goes a long way.
But if I'm looking at two candidates and one has shown a clear demonstration in the thing
I'm hiring for through certification, through experience, but not necessarily through an

(01:00:37):
MBA or a BBA or a full bachelor's, if my client isn't requiring it, so some contracts
do want a certain level of knowledge because contractually, that's just how that client
and contract is, then largely in cyber, because of the changing nature, we are looking for

(01:00:59):
demonstrated experience and we do tend to find through certification and stuff that
those can be satisfied.
If I could say one more thing, think of what we're looking at now.
How many people are certified in AI?
How many people are certified in large language models?

(01:01:19):
This is common in tech where there is a demand for skill sets and I bet companies that see
people that are learning either data science or certified in some discipline aligned to
that are more likely to talk to you and entertain hiring you as opposed to saying, do you have

(01:01:40):
a full four year degree in this discipline?
And I want to encourage people for that.
Cyber is in that same realm.
It's a relatively new field when we look at tech overall.
It's constantly evolving and changing.
It's constantly expanding in disciplines.
So really leaning into the application, learning at home, certifying, becoming more involved

(01:02:06):
goes a long way.
It's not the same as passing the bar in legal where you have to have a very strict and rigorous
selection process and testing process to be considered.
No, no, tech is understaffed, my friend.
Tech needs people.
Cyber needs people.
Yeah, tech is hiring.

(01:02:29):
And Patrice, I think this is a great segue into talking about hiring.
Can you tell us a little bit about your approach to hiring, perhaps your philosophy on hiring
for your own team?
Yeah, I'd love to talk about what, when I'm a candidate looking for from an organization,
and then as a hiring manager, what I'm looking for from the candidates, right?

(01:02:51):
Before I even apply to a role, and this is relevant to those out there, again, if I'm
earlier in my career, I have a larger set of requirements that I'm willing to entertain,
right?
And I suspect and hope your listeners do as well, right?
When you apply to a tech company, maybe you're just looking for a job.

(01:03:15):
Like, maybe you're just looking for a job.
And that's okay, right?
That's okay to start and get your foot in the door.
But if it's an internship and you need to be paid, then look for a paid internship, right?
So you do come with a set of requirements that I do think starts to, you'll add more
and more as you go along.

(01:03:35):
Same thing.
I have an idea of what I'm looking for for an organization, what kind of company and
dynamic I'm looking for, and does this fit with my overall trajectory and career goal?
I do want to be a CISO, we talked about that.
So I do look for roles that are executive type roles now, that have leadership type roles,
even inside of Deloitte.

(01:03:57):
And so I would recommend that to have an idea of the long-term goals that you're looking
for and whether or not this company fits, right?
Is it the kind of company that you'll be happy at?
Is it the kind of brand that you'll be happy at?
I tend to really like outgoing commercial companies or companies that are quite large.
Okay.
When it comes to my candidates, too, or when I'm hiring against, what am I looking for?

(01:04:22):
Right?
I'm looking for that you understand the company that you're applying to.
So many candidates, what I asked them about.
Well, tell me why you decided Deloitte, right?
What do you know about the company?
I get a lot of people who don't understand, right?
Who don't understand the company they're applying for and what it is they do day in, day

(01:04:42):
out.
I have a little bit of more understanding there.
For the role itself and for some of the things that I see, I see lots of resumes, right?
I do work with my Human Resources Department.
And so we're looking for applicable skill sets, applicable experience, right?
Have you done the thing that I'm looking for you to fill the role in?

(01:05:03):
Are you familiar with the technology, either directly or comparably, that I need in this
role?
Can you demonstrate that when I talk to you?
Right?
I'll take an aside here, Ryan, and say that we're seeing an uptick of AI being used to

(01:05:23):
answer questions in interviews.
And so we thwart against that too.
So I need, when I say, do you know it, I'll be testing against your knowledge, things
that maybe an AI or an AI engine would not be able to do, right?
And then I'm also looking for regular, so some regular what we call table stakes or baseline

(01:05:48):
requirements, like good communication.
Are you able to tell me reasonably your ideas and convey them to me in a way that I can
trust that you'll be able to do the same when you're on my team and working with others?
Is your grammar, I mean, little thing is the grammar, okay, did you pay enough attention
to detail in the deliverable you gave me and the Word document PDF, whatever you sent to

(01:06:14):
say, okay, yep, this looks correct or did you miss like large things?
I'm not going to penalize you for a missed period.
But I do see times where candidates just aren't paying enough attention to the presentation
of their resume and it can be a disqualifier.
It might not even make it to me depending on how human resources looks at it.

(01:06:34):
I'm also looking for passion and enthusiasm.
Do you want the role, right?
Are you passionate about it?
Talk to me about, you know, why, why tech, why cyber and what are you doing even outside
of our interview or your application to my team in the way of the industry?
So show me you, you care.

(01:06:55):
It could be you're participating in a Reddit forum, LinkedIn groups, webinars, you understand
a little bit more about the industry.
I love seeing that.
I love seeing that from a candidate that's definitely going to separate you from some
of the others and it will showcase too when I sit in front of you and talk to you.
So see, there's some of the things that I look for in a candidate applying to roles.

(01:07:17):
I have roles that are open now and I'm constantly like sourcing people again, going back to
that under employment in the industry.
And these are what make candidates successful, you know, when applying against others.
So Patrice, let's say that there is someone out there who's trying to switch into the field
of cybersecurity and they don't have a ton of technical experience.

(01:07:40):
They don't have the certifications or training quite yet.
They're working their way towards it.
What are the other things that you might encourage folks to do as they're moving into
the field that might give you the reason to take a chance on them?
About four years ago, I had this very situation where I was looking for the most qualified

(01:08:01):
candidate and put a role out for managers and had a bunch of candidates that whittled
down to my top five.
Believe it or not, the one who came out in front runner was a journalist.
He had a journalistic background, worked for, I think, a newspaper in Baltimore.
I didn't have any strong technical acumen really.

(01:08:26):
What ended up separating him, not on the onset, but throughout the interview process, was
that each time I asked him a question, actually the top two candidates, each time I asked him
a question.
If I came back to ask him that same question in a following interview, so companies such
as mine tend to have three rounds, at least three rounds of interviews, pretty tightly

(01:08:48):
done, that was no longer a knowledge gap they had.
They showed real passion.
They showed the ability in a quick time to learn, to go after that knowledge, come back
and shore up their knowledge.
I really appreciated that.
Really appreciated that.
Generally speaking, though, he had acumen.

(01:09:09):
He had aptitude.
He brought other skill sets and was able to communicate effectively how his experience
in journalism really helped prepare him for the role that was a technical role and technical
ability.
He cross-correlated those things in such a way that he did very well and is still doing

(01:09:31):
well here at the firm.
I love that.
That makes a lot of sense.
If we're thinking about leadership and performance management and accountability, can you teach
us a little bit about your approach to holding your team accountable and helping them perform
at a high level?
Some of it is the understanding the maturity of the team.

(01:09:51):
As a technical team, there are several benchmarks that a leader can use to see, are they performing
at a certain place and delivering at what's preferred in a cyber organization?
That helps.
Looking at your team's maturity, you can also look at the individual's maturity, meaning

(01:10:12):
from a professional standpoint, what gaps, what knowledge gaps might they have.
In holding, accountability is first setting an expectation of what did we agree upon?
What is the agreed-upon role, expectation, and outcome that I'm setting, that the company
is setting, and that I expect from you?

(01:10:34):
Then there's a deviation against that.
There is direct feedback, so that feedback is affirming.
So I need the listener to know that there's two types as affirming feedback.
"Hey, Ryan, that thing that you did?
Well done.
You enabled me and the team to move faster because you delivered on time.
Please keep it up."

(01:10:55):
Or it's corrective.
"Hey, Ryan, I noticed you got that in late.
In doing so, you actually caused the teammate of yours to be late with his deliverable.
Looking forward, how can we best navigate through that?"
We talk about it and then, "Okay, let's change that going forward."
In the moment, I hold my team accountable against the expectations that we set early on and

(01:11:16):
agreed upon feedback in the moment and then in performance snapshots that we have in the
company, but some delivery that we see in other companies as well as companies as well.
That makes a lot of sense.
As we shift our sights to the future, and I'd like to start with macro and then I'd like
to dive into what your field will specifically look like, but what are you excited about

(01:11:40):
for the future?
It's all throughout this interview, artificial intelligence.
I have not seen the level of adoption from what's essentially in the tech industry like
I do now.
Ten times when I started talking about ransomware, in fact, when I published the report on ransomware

(01:12:02):
with the Institute of Standards and Technology, I think that was about three, four years ago,
it was before the Colonial Pipeline hack and trying to tell people why ransomware was
important and why certain cyber things are important can be an uphill battle.
I go to talk about AI, ChatGPT, and some other platforms like Perplexity and people

(01:12:24):
that are not in the industry, they get it.
They can talk at length about it.
They can teach me how they're using it.
I'm excited for that.
I'm very excited for that and the possibilities around that.
Yeah.
Perplexity is such a cool way to approach search.
I love that tool.
Yes, I love Perplexity.
I love how they bill themselves as the answer engine.

(01:12:47):
You've got the search engine, they're the answer engine.
In the same way, that's impacting all industries.
It's made it a lot easier to attack companies.
AI has lowered the barrier of entry and knowledge and understanding.
We are seeing an uptick in either pretending to be somebody else through deepfake or finding

(01:13:10):
out vulnerabilities and holes in organizations and then attacks are crafted around that.
I see I'm excited about that and I'm also seeing that that's really the trend that we
see specifically in cyber.
It still feels like we're so early.
To give a shout out to one of the generative companies that doesn't get a lot of attention

(01:13:31):
Anthropic's Claude, they just came out with their first mobile app today.
It's May 1st.
Just to think that this is the very beginning is so exciting to me.
I'm excited.
I'm a tech geek.
I love playing with certain aspects of tech.
Normally, it's historically been through either releasing a new mobile device.

(01:13:56):
People were excited about the Cybertruck.
They like seeing iterations of tech.
Boy, am I excited about AI.
What do you think cybersecurity is going to be like six years from now?
Recording this in May of 2024, what do you think 2030 is going to be like for your work?
Oh, I hope I can time capsule this and see how accurate I was.

(01:14:17):
If I was making predictions, some of it's now, which is we see more and more use of AI,
not just by the adversary, but by the defender.
I'm not the one who coined it, but I heard someone say it's less likely that your job
will be immediately replaced by AI as much as it will be.

(01:14:37):
You will be replaced by someone using AI alongside you to do the same role that you're
doing.
I see a larger adoption of that.
I see there's also regulation around that.
There's talk about that too and competitiveness around it.
If I have thought about cyber too, I wonder if there's going to be a reduction in workforce

(01:14:58):
because of things being replaced.
I said it immediately, but long term with AI making things easier.
I also wonder if we're going to see a rise of other professionals and professional skill
sets that we've never seen before historically, like prompt engineering, but prompt engineering
in the cyber way.
The NSA just released guidance around securing large language models and other AI for guidance

(01:15:25):
for organizations.
I do see it heavily, heavily centered around that.
Tangentially, we do see other things too.
There is still an interest around cryptocurrency and smart contracts.
We might see some of the blockchain still be a thing.
Cloud is heavy.
These are things where people are using less of their own physical devices and someone

(01:15:50):
else is storing things outside of having to pay for it locally.
I see cyber adopting more of these tangential industry use cases that are affecting us.
How exciting.
Patrice, you've been so very generous with your time and your wisdom here.

(01:16:11):
Is there anything that you'd like to promote or anything that we skimmed over or closing
words for the audience?
Hmm.
I don't have anything specific that I'm working on between my family and growing.
It's another baby coming.
I've been so heavily focused on myself, but I do encourage your listeners to really,

(01:16:34):
really engage in the tech industry, whether it's in traditional cyber, traditional tech,
AI, get out there, learn, do, become a part of.
There's organizations, again, we'll be happy to share that with you, that I would highly
recommend them be a part of.
Ryan, thank you so much for having me.
I had a great time on today's podcast.

(01:16:56):
It was so great to have you on.
Thank you for joining me and thank you for sharing your perspective.
Absolutely.
Our next episode is with Matt Russell, CEO of Colossus.
It feels overwhelming to think about, "Oh, I might have that responsibility," where my
name is attached to all that stuff and I can't even imagine what that would be like.
And then you get closer and closer to it and then it just feels very natural as a transition

(01:17:20):
is made.
If you enjoyed this episode, make sure to subscribe for new episodes, leave a review and tell a
friend.
Good Fit Careers is hosted by me, Ryan Dickerson, and is produced and edited by Melo Vox Productions.
Marketing is by StoryAngled and our theme music is by Surftronica with additional music
from Andrew Espronceda.

(01:17:40):
I'd like to express my gratitude to all of our guests for sharing their time, stories,
and perspectives with us.
And finally, thank you to all of our listeners.
If you have any recommendations on future guests, questions, or comments, please send
us an email at hello@goodfitcareers.com.
[music]