March 15, 2023 • 34 mins
This episode dives into the crucial topic of Cybersecurity as Eveline Oehrlich and Dr. Nikki Robinson provide key insights about what we should be aware of in this ever-evolving digital world.
Dr. Nikki Robinson is an experienced Security Architect with a demonstrated history of working in the IT and Cyber fields. Skilled in Statistical Data Analysis, Windows Server, Team Leadership, Penetration Testing, and Risk Management. Strong IT professional with a Doctorate of Science focused in Cybersecurity from Capitol Technology University. Recently completed a PhD in Human Factors to help bridge the gaps between users, technology, and security.
Enjoy the Humans of DevOps Podcast? We’re incredibly grateful to be voted one of the Best 25 DevOps Podcasts by Feedspot.
Want access to more DevOps-focused content and learning? When you join SKILup IT Learning you gain the tools, resources and knowledge to help your organization adapt and respond to the challenges of today.
Have questions, feedback or just want to chat about the podcast? Send us an email at podcast@devopsinstitute.com
Dr. Nikki Robinson is an experienced Security Architect with a demonstrated history of working in the IT and Cyber fields. Skilled in Statistical Data Analysis, Windows Server, Team Leadership, Penetration Testing, and Risk Management. Strong IT professional with a Doctorate of Science focused in Cybersecurity from Capitol Technology University. Recently completed a PhD in Human Factors to help bridge the gaps between users, technology, and security.
Enjoy the Humans of DevOps Podcast? We’re incredibly grateful to be voted one of the Best 25 DevOps Podcasts by Feedspot.
Want access to more DevOps-focused content and learning? When you join SKILup IT Learning you gain the tools, resources and knowledge to help your organization adapt and respond to the challenges of today.
Have questions, feedback or just want to chat about the podcast? Send us an email at podcast@devopsinstitute.com
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:02):
You're listening to the Humans of DevOps Podcast, a
podcast focused on advancing thehumans of DevOps through skills,
knowledge, ideas and learning,or the SKIL framework.
Dr. Nikki Robinson (00:17):
You know, it can be it was almost there was
this friction between IT andsecurity. And then when I got
really interested inspecifically vulnerability
management and sort of made thehop over to security, I started
seeing those same patterns butfrom the security side.
Eveline Oehrlich (00:33):
Welcome to Humans of DevOps Podcast. I'm
Eveline Oehrilch, Chief ResearchOfficer at DevOps Institute. Our
topic today is focused onCybersecurity: What You Should
Know. Today we have with us Dr.Nikki Robinson. Let me give you
a little bit about Nikki and herbackground. I of course, did
(00:57):
some digging into what she hasdone and give me some time. So
Dr. Robinson, earned a Doctor ofScience in cybersecurity has
several industry certificationsand is a security architect at
IBM right now and also anadjunct professor. She has more
than 10 years of experience inIT Ops. So Nikki that we have in
(01:19):
common before moving into thesecurity field about three years
ago. She studied vulnerabilitychaining concepts and completed
her PhD in human factors tocombine psychological and
technical aspects to improvesecurity programs. She has a
passion for teaching, obviously,yes, she's an adjunct and
(01:41):
mentoring others on riskmanagement, network defense
strategies, and digitalforensics and incident response.
As I said, she's a securityarchitect and has technical
experience and continuousmonitoring, risk management,
digital forensics and incidentresponse. She is a speaker at
many conferences on a variety oftopics from human factor
(02:04):
security, engineering, maliciouswebsite, Grant, graphing and Dev
SecOps. She's also the co hostof a podcast titled Resilient
Cyber Podcast with the goal todiscuss variety of cybersecurity
and it with many, many subjectexperts, and many of you might
have listened to her podcast.Finally, one more important
(02:25):
thing. She is a volunteerspeaking for InfraGard also
Women in Cyber Chapters, whichis why size I think Information
Systems Security Association,which is ISSA, and Cyber Jitsu
Organization, welcome to ourpodcast. Nikki,
Dr. Nikki Robinson (02:45):
Thank you so much for having me today.
Eveline Oehrlich (02:47):
Very excited that you're here. Now, the first
thing you have to talk about isCyber Jutsu. Can you help me on
that one?
Dr. Nikki Robinson (02:57):
Sure. Yeah, this is actually a this is a
great organization that theytheir focus is really a to focus
on getting women into thecybersecurity field. So they're
working to close the gender gap.They're trying to help mentor
young women to get intocybersecurity. And they host all
(03:17):
kinds of events, they dowebinars, they do workshops on
everything from PythonProgramming, and then they do
cyber competitions and capturethe flags or CTFs. So they do a
lot of different events to sortof help help encourage young
women to get into cybersecurity.And and they host a lot of
conferences as well.
Eveline Oehrlich (03:39):
Are they global? Or are they are also
regional events?
Dr. Nikki Robinson (03:43):
I think I believe both. I know that they
do a lot of regional because Ithink they have different
chapters, sort of like women incyber or Rhesus. But But yeah,
so they do have a lot ofregional events.
Eveline Oehrlich (03:55):
Okay, worth checking into. Super. Thank
you.. So as you can imagine,when I did research on your, on
your background, and what youdo, and all, all the wonderful
things you have been through andhave been studying, and there
was a lot of things I was like,Oh, I would love to talk to you
about that. I would love to talkto you about that. But, of
(04:17):
course, we cannot cover theseall. So there are two key things
we want to cover today. First, Iwant to dive a little bit into
your book minds, the tech, thetech gap, addressing the
conflicts between IT andsecurity. And then second, of
course, because I am a woman andI know we have some women on the
(04:38):
on the show. I want to I wantyou to share your experience as
women in technology. So thoseare the two things we're honing
in. I hope you are ready forthat. I know you are ready for
that. Thank you. So let's get tothe book first. I think that's
the most important one because Ithink it was published in
October of 22. So not that far,and not that long ago. As I
(05:00):
said, the book was called, or iscalled Mind the tech gap,
addressing the conflicts betweenIT and security. So first of
all, congratulations to theapplication. Fantastic. I think
I'm going to order it becausethat topic is something which is
also I have something I'veresearched in my career over the
(05:21):
years. Now in the book, youaddress, and I quote from the
book from a book review, you'resaying, or it says, the long
standing challenges between itand cybersecurity teams, and
you're exploring the differentjob functions, goals,
relationships, and other factorsthat might impact how it and
cyber security teams interact.Give us a little bit of an
(05:45):
overview of the book, because Ithink there are some powerful
things in there, which I wouldlike people to kind of listen
to. So enticing them to actuallybuy a book, and I'm not trying
to sell your book, I think thisis an important piece. Most
folks have not even thoughtabout, and I want you to do a
(06:05):
little bit of a review.
Dr. Nikki Robinson (06:07):
Yeah, thank you,, it's funny, because I'd
had this idea for this book forat least five years now, even
before I got into cybersecurity.So when I was on the IT side of
the house, you know, and workingwith sort of my security
counterparts on assessments oraudits, and literally sitting
through four or five hour longmeetings on, you know, security
(06:30):
controls and configurations. Andso I was sort of getting this
idea of you it can be it wasalmost there was this friction
between IT and security, becauseit was like, Oh, we're having
another audit, or oh, we haveanother assessment or this or
that, or all security does thisor security does that. And then
when I got really interested inspecifically vulnerability
management, and sort of made thehop over to security, I started
(06:53):
seeing those same patterns. Butfrom the security side, you
know, seeing sort of thefrustration, and the, it won't
do this, or I'm trying to workwith development, and we're
trying to get this done. Andit's difficult, or it's
challenging. And so that wasreally what sort of even having
that idea but coming intosecurity and saying, Oh, I'm
seeing this, you know, sort ofthis frustration and this
(07:16):
friction from both sides. Youknow, we're both having
challenges working with eachother. And it's not because, you
know, we both have importantmissions, we both have important
goals, but most of the time,those are somewhat conflicting.
So having teams that haveconflicting goals and missions,
makes it really challenging to,you know, sort of get together
(07:37):
and make these things happen.And so that was really what
spurred the the idea of thebook, and I wanted to dive into
sort of, from a historicalcontext to what traditional job
roles look like, you know, 20years ago, and how we built, you
know, IT teams and how they looknow, and how that sort of plays
into why relationships cansometimes be fractured between
(08:00):
the teams, and ultimately, thatthat leads to concerns with
risk, you know, and riskmanagement and how do you how do
you manage risk with the peoplethat you know, need to work
together? So that's really sortof the spirit of the book, and,
you know, hoping to shed somelight on why these challenges
exist. And then, you know, atthe end of the book, I provide
(08:20):
sort of a roadmap for Hey, theseare the questions you need to
start asking yourself and yourteams, depending on the type of
job role that you have.
Eveline Oehrlich (08:29):
I love that last part, you said, I think
that is essential for folkslistening in having a roadmap to
understand what what can theyactually do that actionable
advice, because sometimes, youknow, there are books out there,
and I'm done with it. And I putit aside and I'm thinking, Okay,
now what? Yeah, right. It'slike, okay, I'm not really sure
(08:52):
I understand, but I don't knowwhat so that is beautiful. Now,
one thing you were under, in thebook review, which talks about
that also, of course, you arehoning into into something
called empathy, and emotionalintelligence. And that is
something which I have keeninterest in, as I've done
research for the DevOpsInstitute on upskilling for the
(09:14):
past five years. And you wouldnot be surprised that I tell you
that the human skills, are theresignificant gaps there within
it, and they don't go away theseand they're particularly around,
you know, having that empathy,having these inter interpersonal
skills and really working anddeveloping collaboration and
(09:36):
coordination with others. Sothat is quite interesting.
Interesting. And of course,there is action, which means
people should upskill and humanskills and we've been kinda like
a preacher pin saying that, butwhy is it so hard? Why is it so
hard for a reverse it people I'man IT person, I think I have
(09:57):
human skills plenty. And my kidswould tell AMI you do, ma'am.
But why is it so hard sometimesfor folks in either on the
security side or on the IT side,no matter what role to think
about that human skill and andadding or working on them? What
are your thoughts on that?
Dr. Nikki Robinson (10:17):
Yeah, I think it's such an important
question to ask because and it'sa question I started asking
myself too, because I, you know,working in it, and security for
almost 15 years now, it's one ofthose things I haven't seen as
part of it programs, traditionalIT, whether it's academic or
certification programs, andinsecurity as well, I know that
(10:40):
there are some universities outthere that teach emotional
intelligence in their ITprograms, but I think that's a
newer thing. And I just haven'tseen as many programs that tout,
you know, emotion, emotionalintelligence, empathy,
relationship, building, all ofthose pieces that we need to
sort of operate in these bigteams and in these big
(11:01):
organizations. So I think thefirst piece of it is sort of the
education component, in thatit's not really taught to us,
you know, we're taught Python,and we're taught Pope
programming, and we're taught,you know, SQL and all these
other things, but we're notreally taught well, what does
that mean to somebody else? Youknow, if I'm on the IT side, or
if I'm a developer, what doesthat mean to security? And I
(11:22):
think it's really important onthe security side, to have that
understanding, and that empathyfor what other teams are working
on. Because if I can't speak toa developer and understand, you
know, what they're goingthrough, or what they need to
do, you know, what theirdeadlines or requirements are,
it's going to be reallydifficult to work together. So I
think that's part of thechallenges is we don't really
(11:43):
have this educational component,it's, it's not a part of any
certifications that I've atleast seen, you know, this sort
of emotional intelligence piece.And I've really, especially when
I was doing research for thebook really came across a lot of
leadership and management booksthat talk about emotional
intelligence. I had a reallyhard time finding anything out
(12:03):
there, whether it was a book, oranything like that, that could
be used as a textbook or used,you know, sort of as a guide
that talks about emotionalintelligence, really, for
practitioners. You know, there'sthere's some stuff out there,
but there really isn't a lot.And I think that that's, that's,
you know, one of the biggestchallenges is we encourage our
technical people to go forcertifications to go for
(12:25):
technical certifications, youknow, that that's a great thing.
But we don't encourage them toapply empathy to what they're
doing. And so I think that's,that's probably where that that
gap came from.
Eveline Oehrlich (12:36):
Here, here, here, I'm hoping that my co
partner is listening into thispodcast. If not, I will point
her for that, because we havebeen saying that we need to
start figuring out how can weactually help our community
members to expand on theirexisting human skills or build
upon the ones they have? Orstart working on if they don't
(12:58):
think they have any? I think theother thing I was just speaking
to Gallup CEO, he was talkingabout the engagement of
individuals in the in a jobwell, today has been really,
really low. But one of hispoints was that as we are
lacking, or as we are notdeveloping these human skills,
(13:20):
work becomes less fun, not justbecause of its in cybersecurity,
or its insecurity or in theDevOps, or wherever. But because
it's so difficult to bridgeacross in, we can only talk
tech, and we could talkprocesses, but we really don't
have that connectabilityanymore. Mostly, maybe it's
gotten worse, because of thepandemic. He was saying that
(13:43):
they're doing a lot of work atthe Gallup as well to start
assessing and developing that.So it is a great opportunity for
us. Thank you for that. Allright, let's shift gears a
little bit. The clock is alwaysticking when we have great
conversation. So I want toswitch a little bit towards the
topic of cybersecurity. Andparticularly, where do you think
(14:04):
it stands today, in terms of itspriority from what you've seen?
And from who you've beenvisiting with? Where does it
stand in terms of priority inexecutives, leaders, investors
and individual contributors?Because I think there is, at
least from the research I'vedone, there might be a shift and
(14:25):
which is good. But I was curiouswhat your thoughts are on that.
Dr. Nikki Robinson (14:29):
Yeah, I would absolutely agree that
there's been a shift and Ithink, a shift really in the
last year. You know, I thinkthis it all really sort of
started with solar winds. Youknow, that? I think because it
had so much media attention, youknow, it wasn't just Oh, random
data breach here or random cyberattack here. Solar Winds
affected lots of different typesof organizations, lots of
(14:53):
different domains, and it becamea business risk. You know, it
wasn't just a cyber risk anymoreor an incident It was, Oh, my
business is in trouble. And notjust from a security
perspective, but a lot of thepeople that consumed and use
SolarWinds were IT operationsgroups. And so it that of not
(15:13):
having that tool in place, youknow, having to find an
alternative or not havingvisibility to your systems or,
you know, the potential of anincident, and then you can, you
know, it becomes a snowballeffect to the business. And I
think that was really what sortof, at least opened people's
eyes to, oh, there's, there'ssort of this cascading effect
when there is an incident thatsort of, I think, started to
(15:35):
change people's minds. And thenI think blog for J was another
big one, partially because itgot so much media attention, but
also because it opened people'seyes to open source software,
how do how are we actuallydeveloping? And how can we
support developers, while stillmaking sure that we understand
the risk. So I think it was sortof an eye opener for both
(15:58):
developers and for securityprofessionals to say, oh, we
need to really understand howthis is going to work, and how
we can support open sourcesoftware, but by you know,
understanding what that means toour risk. So I think, as far as
what those things sort ofstarted to change people's
minds, I do think a lot moreleadership boards, they're much
(16:20):
more interested in in havingsort of cybersecurity expertise,
at least available asconsultants or advisors. So I
would say there's definitely ashift in the industry as far as
leadership goes. And I thinkthey see the benefit of
cybersecurity, not just being,you know, a security assessment,
or an audit or an inhibitor, butmore of a, hey, if we work
(16:42):
together with the cyber team,with our developers, with our T
with our leadership, we can helpprovide strategic, you know, we
can help with those five yearplans, we can help make sure
that five years out 10 years outthat the business is healthy,
thriving and resilient,especially towards cyber
attacks. Because if if anorganization isn't resilient,
(17:03):
let's say for example,ransomware, I think that's
another really big one that'shit organizations and the amount
of cost associated withransomware. Plenty businesses
have shut down because they'vebeen hit by ransomware. And it
was so costly that they couldn'trecover. So I think I think
those kinds of situations havereally changed how people feel
and now they're starting to seekout security advisors and not
(17:27):
just from a, Hey, what is oursecure configuration look like?
Or how do we pass this audit?But hey, how do we, how do we
plan our strategic it anddevelopment vision with a
cybersecurity, you know,professional there to help us?
Narrator (17:42):
Do you want to advance your career and organization, we
can help you do that DevOpsInstitute offers a wide range of
educational experiences for youto begin your upskilling
journey. Whether you're lookingfor a defined path to
certification, exploring thelatest in DevOps, or connecting
with the large community, we canhelp you develop the specialized
(18:04):
skills needed for the future ofIT. And it won't just be good
for your career. It will alsomake you indispensable at work
with our lineup of industryrecognized DevOps
certifications, digital learningopportunities, and engaging
events, you can connect with ournetwork of experts and expand
your potential today, visitDevOpsI nstitute.com and join
(18:25):
our community now.
Eveline Oehrlich (18:27):
So as a summary, I would say it is fair
to say that cybersecurity is astrategic line item for all of
those particular executives and leaders.
Dr. Nikki Robinson (18:38):
I guess that is my hope I
Eveline Oehrlich (18:43):
Lets frame it as a hope I love that. Yes,
Dr. Nikki Robinson (18:45):
I hope so. Because I think there is there's
so much positivity, it's one ofthe reasons why I wanted to get
into cybersecurity, because it'sit's not just cybersecurity, it
really is it and a function oftechnology. And so I think if we
can start to change that ideaof, you know, I joke with
people, you know, I'm a securityarchitect, but I really joke,
(19:07):
I'm really just aninfrastructure architect. It's
security is, you know, securityby design. But really what I'm
doing is helping to buildenvironments that are secure.
And, and that's still in it acomponent of it. So I think, I
think it's starting to change.But yes, it's a lot of hope
there.
Eveline Oehrlich (19:25):
Yep. You know, this is, this reminds me of
philosophical discussion we havehad when I was at Forrester,
where we had a security and riskteam and an infrastructure and
operations team. And of course,you know, enterprise architects,
application developers, CIOs.And I remember the folks from
the security and risk team, notwanting to do at the time, this
(19:47):
is 2018 When I left but at thattime, they were doing their own
research. Of course, we alwayswanted to collaborate because
infrastructure and operations wehave to have our heads out and
get stuck sometimes was in, inthe nasty fixing the mess. And
we always had the conversationand and said, why do you why are
(20:09):
you in a separate group? Why arewe not bringing us together into
a research? team so we can dothings together? I don't think
that has happened. But But Ithink having the risk, sometimes
it takes, it just takeschallenges which are so
overwhelming that people areenough pain that people are
(20:32):
changing. And I think one of theother factors and I'm curious
what your thoughts or is there ametric which executives should
have relative to that? I thinkit's some companies, a CEO
already has the resilience andsustainability. We're seeing ESG
as a topic come up quite a bit.But in your, in your mind,
should there be metrics for allof those folks around this
(20:54):
topic? Because it impacts likeyou said the business
significantly?
Dr. Nikki Robinson (20:59):
Yes, absolutely. There's definitely
been a big push in the last two,three, maybe four years for
quantifying cyber risk, youknow, really making it much
easier, I think, to digest,because it's interesting, I
think, when people talk aboutqualitative versus quantitative,
but this idea that if we canhelp quantify some of that risk,
make it easier to digest andhelp to, to help to show what
(21:23):
we're talking about, tell thatstory a little bit better. And
metrics, I think, when it comesto, you know, here's my, here's
my bias here, because I lovevulnerability management, but,
you know, anything highlyexploitable vulnerabilities, if
I'm using threat intelligence,what do I need to be concerned?
What are the top three concernsthat I have? You know, so I
think breaking it down intosmaller chunks. And, you know,
(21:46):
my, the bane of my existence arelike 300 Page vulnerability
reports. And I think that's, youknow, one of those big
challenges is don't send those300 page, you know,
vulnerability reports. Let'slet's break this down into
metrics that makes sense forleadership. That's, it's, it's
absolutely imperative, I think,to not just the cybersecurity
(22:06):
mission, but to the businessmission, you know, to help break
those things down and make iteasier to digest.
Eveline Oehrlich (22:12):
Yep, absolutely. All right. Now, I
came across a fantastic shortpiece by Stefan Napo, who is the
VP cybersecurity director andglobal CFO, I group, SCB, that's
a French company, that doing alot of small appliances, and
it's actually the world'slargest manufacturer of
cookware, and I'm a cook so Ilove their products, but not
(22:36):
talking about the cookware butreally talking about what Stefan
said he talked about the swarmcybersecurity or swarm
cybersecurity. And, of course,in DevOps and development, we
talk about swarming. Have youheard this term? I'm sure you
have any? If you haven't, andlet's move on. But I am sure you
have your thoughts on that. Tellme tell me what you think when
(22:59):
that comes to your mind when Isay swarm or cybersecurity.
Dr. Nikki Robinson (23:03):
Yeah, so for, for me, swarming. I also
think about in a very itcontext, because, you know,
typically you have this tieredmodel, and that's sort of an
older model right of it. But ifyou let's say you have your
helpdesk, and then your systemsadministrators, and then your
senior sis admins or maybeengineering above that, but
instead of having these sort ofsiloed, tears, you have this
(23:26):
giving this power to, you know,in IT systems administrator that
can sort of help to resolvethese things without taking up
the chain, because, you know,you don't learn anything that
way. So it's this morecollaborative effort of, hey, I
think I know how to fix this,I'm going to do this. And then
if they need help, they canalways ask for help, and the
team can work together, but itbecomes more of this group
(23:49):
effort, instead of you know,hey, I've got this thing, I'm
gonna pass it to you, they'llpass the ticket to you, and then
to you and then to you. Soinstead of this becoming this
endless chain of, you know, whathappened to my issue, you know,
becomes this more of acollaborative and teamwork type
effort. And so applying that tocybersecurity, I think about the
(24:10):
cyber color wheel, if you'refamiliar with that, this idea of
you know, you have red teams andblue teams, and then you start
talking about threat intel, andyou have yellow teams and orange
teams and purple teams that arered and blue teams combined into
purple teams. And so you'rebuilding this more of a
collaborative effort, instead ofsaying, you know, I'm on the red
(24:31):
team, and I have a pen test. AndI'm going to lob it over to the
blue team. And they're justgoing to have to figure it out
and becomes a collaborativeeffort. And the blue team can go
back to the red team and say,Hey, actually, we found these
additional things. Can youverify that for us? Can you
check to make sure that this isfixed? And so it becomes this
more of an open type of teaminstead of you know, just the
silos? Well, I'm on the redteam, or I'm on the blue team.
(24:53):
Yep. You know, it's much morecollaborative. And so I think
that's 100% the way forwardthere's a fantastic Stick. She's
on LinkedIn. Her name is marrowVernon, she talks a lot about
purple teaming. And when I cameacross her and some of the
things that she's written aboutpurple teaming, that's really
what started getting me thinkingabout swarming. Right. It's it's
(25:14):
a similar notion, right ofcollaboration and bringing
people together. But I thinkit's a big benefit to teams,
because one, it empowers youremployee or your cyber
professional, or your developer.But it also improves their
skills. It allows them to learnsomething new, it improves
teamwork. And I think there's abig reduction in how long it
(25:37):
takes to identify and resolvespecifically, you know, in a Red
Team Blue Team context, versusHey, I have this 200 Page pen
test report, here you go, goahead and figure it out, you
know, it becomes more of this,like, hey, we found this
vulnerability across 100systems, can you guys work on
this, and we can see if we canget this fixed, and then we can
(25:57):
come back and retest. So So forme, it's all about
collaboration,
Eveline Oehrlich (26:02):
super, we, I that reminded me of something I
did with again, a formercolleague of mine, where we
looked at MTTR. And we foundthat not necessarily to
security, but we found that thelargest amount of time, I think
it was 70% of time was found inthe meantime to detect. And and
(26:23):
that was because everybody waslooking down their own their own
pipe, right and their own data.So I think that's an additional
benefit, in terms of Meantime,detect at the pre at the
predecessor of swarming, but asyou said, MTTR overall, because
we are bringing people togetheris an incredible impact has an
incredible impact reducing that.And that, again, reduces
(26:45):
business impact. So super. Allright, let's shift a little bit,
we have about five minutes or soI want to cover two topics, one
the skill, and then I want toreally get into your thinking on
the women in it, or women intech. So the first one, let's
say I want to be successful incybersecurity. And actually, I
did lose an analyst in my formerrole to the security and risk
(27:09):
team. And I was very sad loser,but she is a great analyst in
this space. But if I wanted togo into cybersecurity, and maybe
there's a focus on here who arewanting to switch, what do you
think are the necessary skill,maybe one or two to be
successful? Besides what wealready talked about in terms
of, Hey, you gotta be havingempathy. And so EQ, but what
(27:30):
else do you think are essential?
Dr. Nikki Robinson (27:33):
Yeah, I would say a lot of the skills
that I brought with me from itto cybersecurity, and you don't
have to have an IT background,to necessarily go into
cybersecurity, but I can say forme, it helped a lot. Because I
understand technology very well.Now, I would say troubleshooting
is a really, really big skill.And that's, you know,
troubleshooting, problemsolving, being able to sort of
(27:55):
understand enough that you canfigure out what's going on,
because that's, that's one ofthe big, big parts of
cybersecurity is typicallyyou're handed, you know, a piece
of information, and you've gotto go digging, and try to figure
out what's going on. And so Ithink that problems, problem
solving, troubleshooting, andnatural curiosity, all three of
those sort of go hand in handtogether this sort of, okay, let
(28:19):
me dig and try to figure outwhat this is. So I would say
that's the first and I know Isaid, three skills really, and
one that was sort of I wastrying, it's kind of a cop out.
But that's sort of that. That'ssort of how I would describe
that right problem solving asthat big component there. I
would say the other reallyimportant skill, you know,
besides sort of thatrelationship building, and what
(28:39):
we call soft skills, wouldreally be how, how do what was I
gonna say, how do how do weunderstand data. So data science
is a really important componentof cybersecurity. And I've met a
lot of really great datascientists that have crossed
into cybersecurity and they area huge asset, because they're
(29:03):
able to parse through all ofthis information that we've been
collecting in security with oursims for years and years and
years. And now we have datascientists to really help us.
One make that pipeline of data,easier to digest, easier to
bring in. But they also help uspull out the really important
information. They're helping usto leverage AI, machine learning
(29:26):
models and different techniquesthat we may not have had the
skills I say we, I may not havehad the skills in before in data
science, but that's something inthe last two years, I've learned
how important it is to sort ofhave those data science
principles in cybersecurity. SoI would say you don't have to
know Python or machine learningin any sort of depth. But having
some of that understanding isreally important. Can I give
(29:50):
three skills? Can I give onemore? Of course you can. Okay,
one more I would say you know,since we're talking about
DevOps, right is the ability tocommunicate and work really well
with developers to be able tospeak the language, if you have
some programming background,it's super helpful. Again, you
don't have to be a developer,but to be able to understand
enough that you can talk to adeveloper, when they're saying,
(30:12):
Hey, we have this requirement,we have to do this this way.
Let's figure out a new solution.So I think that sort of being
able to speak the language isreally important.
Eveline Oehrlich (30:21):
Excellent. Fantastic. All right, our last
question, and then I have a funquestion for you. But this one
is around women and technology,both of us have been in
technology, I have my ownchallenges. But this is not
about me. This is about you.What would you would love to
hear? What was the biggestchallenge for you you faced? And
(30:41):
of course, how did you overcomeit? If you're willing to share?
Dr. Nikki Robinson (30:45):
Absolutely, yeah, I would say the biggest
challenge I had, it was funnygetting into it. You know,
starting on helpdesk, and sortof working my way up, I
actually, I had some reallygreat mentors along the way, and
sort of, you know, working myway up in it. I think the
biggest challenge I honestly hadwas when I wanted to break into
cybersecurity, and I got so muchpushback from my it friends on,
(31:09):
you know, why would you want togo into Security, you're never
going to be able to come back toit or, you know, you're just
going to be in security. And itwas such, it was such an
interesting, I guess, sort ofperspective that I had this sort
of, you know, you're not goingto succeed in security, and
you're never going to be able tocome back, you're you can never
cross the lines again, you know,it was this, like making it sort
(31:31):
of this like, well, you can't doboth sort of a thing. That was a
big challenge, because I had toessentially go back and say,
Well, I can do this. And what Ifound was going on the
cybersecurity side, I actuallyam far more technical than I was
before I understand way moreoperating systems, I understand
development way better than Iused to. And so I guess sort of
(31:53):
pushing through that barrier ofa lot of people saying no, like,
No, you can't do this, No, youaren't going to be good at this.
No, you don't have the skill todo this. And really being given
a chance to show that I do thatthat was sort of tough that it
took me a couple of years tomake that transition from it to
cybersecurity. And, you know, Ihad one very great mentor of
(32:14):
mine, Philip Culp, who gave memy first shot. And so, you know,
and then I was able to sort ofgo from there. But so I would
say that was the biggestchallenge. But the biggest thing
that helped me was finding agreat mentor and someone who was
willing to take a chance on meand for me to you know, show
them my skill. But yeah, thatwas that was pretty tough.
Eveline Oehrlich (32:35):
Wow. Fantastic. Well, thanks to your
mentor for supporting you, andthanks to you for sticking it
through. That's quiteimpressive. So I have one more
question. I know you are verybusy, and you do a lot of
things, but you must have somefun. What do you do for fun?
Dr. Nikki Robinson (32:52):
Oh, yeah, I'd love this question. Yeah, I
actually, I I'm very big intofitness. Like I love all things,
outdoor activities, hiking andbiking and running. So I love
I'm actually signed up for acouple triathlons. So I love
running and biking and swimming.And, and that's what I do for
fun.
Eveline Oehrlich (33:11):
Wow. Wow, this has been a great conversation.
You and I could go on. I wouldlove to stay connected. I think
there are some things maybe wewant to do together.
Dr. Nikki Robinson (33:21):
That would be great.
Eveline Oehrlich (33:22):
Thank you so much for being on our podcast. I
really appreciate it. You are awonderful, wonderful individual.
So thanks again. We have beentalking to Dr. Nikki Robinson,
security architect, adjunctprofessor, volunteer and book
author, and many many otherthings again, Dr. Robinson or
Nikki, thank you so much forjoining me today on Humans of
(33:45):
DevOps Podcast. For those whoare listening. Yes. And for
those listening in make sure youcheck out the book Mind to Tech
Gap Addressing the ConflictsBetween IT and Security Teams.
It is on my list order. Iactually already pushed a button
on my Amazon. So this is great.Humans of DevOps podcast is
produced by DevOps Institute.Our audio production team
(34:08):
includes my good friend Julia,Pap, and our hardworking Brendan
Lay, thank you to both of those.I'm humans of DevOps podcast
executive producer EvelineOehrlich. If you would like to
join us on a podcast, pleasecontact us at this is a very
long name, but I'll read it outHumans of DevOps Podcast at
DevOpsInstitute.com. I'm EvelineOehrlich, I'll talk to you soon.
Narrator (34:35):
Thanks for listening to this episode of the Humans of
DevOps Podcast. Don't forget tojoin our global community to get
access to even more greatresources like this. Until next
time, remember, you are part ofsomething bigger than yourself.
You belong
You're listening to the Humans of DevOps Podcast, a
podcast focused on advancing thehumans of DevOps through skills,
knowledge, ideas and learning,or the SKIL framework.
Dr. Nikki Robinson (00:17):
You know, it can be it was almost there was
this friction between IT andsecurity. And then when I got
really interested inspecifically vulnerability
management and sort of made thehop over to security, I started
seeing those same patterns butfrom the security side.
Eveline Oehrlich (00:33):
Welcome to Humans of DevOps Podcast. I'm
Eveline Oehrilch, Chief ResearchOfficer at DevOps Institute. Our
topic today is focused onCybersecurity: What You Should
Know. Today we have with us Dr.Nikki Robinson. Let me give you
a little bit about Nikki and herbackground. I of course, did
(00:57):
some digging into what she hasdone and give me some time. So
Dr. Robinson, earned a Doctor ofScience in cybersecurity has
several industry certificationsand is a security architect at
IBM right now and also anadjunct professor. She has more
than 10 years of experience inIT Ops. So Nikki that we have in
(01:19):
common before moving into thesecurity field about three years
ago. She studied vulnerabilitychaining concepts and completed
her PhD in human factors tocombine psychological and
technical aspects to improvesecurity programs. She has a
passion for teaching, obviously,yes, she's an adjunct and
(01:41):
mentoring others on riskmanagement, network defense
strategies, and digitalforensics and incident response.
As I said, she's a securityarchitect and has technical
experience and continuousmonitoring, risk management,
digital forensics and incidentresponse. She is a speaker at
many conferences on a variety oftopics from human factor
(02:04):
security, engineering, maliciouswebsite, Grant, graphing and Dev
SecOps. She's also the co hostof a podcast titled Resilient
Cyber Podcast with the goal todiscuss variety of cybersecurity
and it with many, many subjectexperts, and many of you might
have listened to her podcast.Finally, one more important
(02:25):
thing. She is a volunteerspeaking for InfraGard also
Women in Cyber Chapters, whichis why size I think Information
Systems Security Association,which is ISSA, and Cyber Jitsu
Organization, welcome to ourpodcast. Nikki,
Dr. Nikki Robinson (02:45):
Thank you so much for having me today.
Eveline Oehrlich (02:47):
Very excited that you're here. Now, the first
thing you have to talk about isCyber Jutsu. Can you help me on
that one?
Dr. Nikki Robinson (02:57):
Sure. Yeah, this is actually a this is a
great organization that theytheir focus is really a to focus
on getting women into thecybersecurity field. So they're
working to close the gender gap.They're trying to help mentor
young women to get intocybersecurity. And they host all
(03:17):
kinds of events, they dowebinars, they do workshops on
everything from PythonProgramming, and then they do
cyber competitions and capturethe flags or CTFs. So they do a
lot of different events to sortof help help encourage young
women to get into cybersecurity.And and they host a lot of
conferences as well.
Eveline Oehrlich (03:39):
Are they global? Or are they are also
regional events?
Dr. Nikki Robinson (03:43):
I think I believe both. I know that they
do a lot of regional because Ithink they have different
chapters, sort of like women incyber or Rhesus. But But yeah,
so they do have a lot ofregional events.
Eveline Oehrlich (03:55):
Okay, worth checking into. Super. Thank
you.. So as you can imagine,when I did research on your, on
your background, and what youdo, and all, all the wonderful
things you have been through andhave been studying, and there
was a lot of things I was like,Oh, I would love to talk to you
about that. I would love to talkto you about that. But, of
(04:17):
course, we cannot cover theseall. So there are two key things
we want to cover today. First, Iwant to dive a little bit into
your book minds, the tech, thetech gap, addressing the
conflicts between IT andsecurity. And then second, of
course, because I am a woman andI know we have some women on the
(04:38):
on the show. I want to I wantyou to share your experience as
women in technology. So thoseare the two things we're honing
in. I hope you are ready forthat. I know you are ready for
that. Thank you. So let's get tothe book first. I think that's
the most important one because Ithink it was published in
October of 22. So not that far,and not that long ago. As I
(05:00):
said, the book was called, or iscalled Mind the tech gap,
addressing the conflicts betweenIT and security. So first of
all, congratulations to theapplication. Fantastic. I think
I'm going to order it becausethat topic is something which is
also I have something I'veresearched in my career over the
(05:21):
years. Now in the book, youaddress, and I quote from the
book from a book review, you'resaying, or it says, the long
standing challenges between itand cybersecurity teams, and
you're exploring the differentjob functions, goals,
relationships, and other factorsthat might impact how it and
cyber security teams interact.Give us a little bit of an
(05:45):
overview of the book, because Ithink there are some powerful
things in there, which I wouldlike people to kind of listen
to. So enticing them to actuallybuy a book, and I'm not trying
to sell your book, I think thisis an important piece. Most
folks have not even thoughtabout, and I want you to do a
(06:05):
little bit of a review.
Dr. Nikki Robinson (06:07):
Yeah, thank you,, it's funny, because I'd
had this idea for this book forat least five years now, even
before I got into cybersecurity.So when I was on the IT side of
the house, you know, and workingwith sort of my security
counterparts on assessments oraudits, and literally sitting
through four or five hour longmeetings on, you know, security
(06:30):
controls and configurations. Andso I was sort of getting this
idea of you it can be it wasalmost there was this friction
between IT and security, becauseit was like, Oh, we're having
another audit, or oh, we haveanother assessment or this or
that, or all security does thisor security does that. And then
when I got really interested inspecifically vulnerability
management, and sort of made thehop over to security, I started
(06:53):
seeing those same patterns. Butfrom the security side, you
know, seeing sort of thefrustration, and the, it won't
do this, or I'm trying to workwith development, and we're
trying to get this done. Andit's difficult, or it's
challenging. And so that wasreally what sort of even having
that idea but coming intosecurity and saying, Oh, I'm
seeing this, you know, sort ofthis frustration and this
(07:16):
friction from both sides. Youknow, we're both having
challenges working with eachother. And it's not because, you
know, we both have importantmissions, we both have important
goals, but most of the time,those are somewhat conflicting.
So having teams that haveconflicting goals and missions,
makes it really challenging to,you know, sort of get together
(07:37):
and make these things happen.And so that was really what
spurred the the idea of thebook, and I wanted to dive into
sort of, from a historicalcontext to what traditional job
roles look like, you know, 20years ago, and how we built, you
know, IT teams and how they looknow, and how that sort of plays
into why relationships cansometimes be fractured between
(08:00):
the teams, and ultimately, thatthat leads to concerns with
risk, you know, and riskmanagement and how do you how do
you manage risk with the peoplethat you know, need to work
together? So that's really sortof the spirit of the book, and,
you know, hoping to shed somelight on why these challenges
exist. And then, you know, atthe end of the book, I provide
(08:20):
sort of a roadmap for Hey, theseare the questions you need to
start asking yourself and yourteams, depending on the type of
job role that you have.
Eveline Oehrlich (08:29):
I love that last part, you said, I think
that is essential for folkslistening in having a roadmap to
understand what what can theyactually do that actionable
advice, because sometimes, youknow, there are books out there,
and I'm done with it. And I putit aside and I'm thinking, Okay,
now what? Yeah, right. It'slike, okay, I'm not really sure
(08:52):
I understand, but I don't knowwhat so that is beautiful. Now,
one thing you were under, in thebook review, which talks about
that also, of course, you arehoning into into something
called empathy, and emotionalintelligence. And that is
something which I have keeninterest in, as I've done
research for the DevOpsInstitute on upskilling for the
(09:14):
past five years. And you wouldnot be surprised that I tell you
that the human skills, are theresignificant gaps there within
it, and they don't go away theseand they're particularly around,
you know, having that empathy,having these inter interpersonal
skills and really working anddeveloping collaboration and
(09:36):
coordination with others. Sothat is quite interesting.
Interesting. And of course,there is action, which means
people should upskill and humanskills and we've been kinda like
a preacher pin saying that, butwhy is it so hard? Why is it so
hard for a reverse it people I'man IT person, I think I have
(09:57):
human skills plenty. And my kidswould tell AMI you do, ma'am.
But why is it so hard sometimesfor folks in either on the
security side or on the IT side,no matter what role to think
about that human skill and andadding or working on them? What
are your thoughts on that?
Dr. Nikki Robinson (10:17):
Yeah, I think it's such an important
question to ask because and it'sa question I started asking
myself too, because I, you know,working in it, and security for
almost 15 years now, it's one ofthose things I haven't seen as
part of it programs, traditionalIT, whether it's academic or
certification programs, andinsecurity as well, I know that
(10:40):
there are some universities outthere that teach emotional
intelligence in their ITprograms, but I think that's a
newer thing. And I just haven'tseen as many programs that tout,
you know, emotion, emotionalintelligence, empathy,
relationship, building, all ofthose pieces that we need to
sort of operate in these bigteams and in these big
(11:01):
organizations. So I think thefirst piece of it is sort of the
education component, in thatit's not really taught to us,
you know, we're taught Python,and we're taught Pope
programming, and we're taught,you know, SQL and all these
other things, but we're notreally taught well, what does
that mean to somebody else? Youknow, if I'm on the IT side, or
if I'm a developer, what doesthat mean to security? And I
(11:22):
think it's really important onthe security side, to have that
understanding, and that empathyfor what other teams are working
on. Because if I can't speak toa developer and understand, you
know, what they're goingthrough, or what they need to
do, you know, what theirdeadlines or requirements are,
it's going to be reallydifficult to work together. So I
think that's part of thechallenges is we don't really
(11:43):
have this educational component,it's, it's not a part of any
certifications that I've atleast seen, you know, this sort
of emotional intelligence piece.And I've really, especially when
I was doing research for thebook really came across a lot of
leadership and management booksthat talk about emotional
intelligence. I had a reallyhard time finding anything out
(12:03):
there, whether it was a book, oranything like that, that could
be used as a textbook or used,you know, sort of as a guide
that talks about emotionalintelligence, really, for
practitioners. You know, there'sthere's some stuff out there,
but there really isn't a lot.And I think that that's, that's,
you know, one of the biggestchallenges is we encourage our
technical people to go forcertifications to go for
(12:25):
technical certifications, youknow, that that's a great thing.
But we don't encourage them toapply empathy to what they're
doing. And so I think that's,that's probably where that that
gap came from.
Eveline Oehrlich (12:36):
Here, here, here, I'm hoping that my co
partner is listening into thispodcast. If not, I will point
her for that, because we havebeen saying that we need to
start figuring out how can weactually help our community
members to expand on theirexisting human skills or build
upon the ones they have? Orstart working on if they don't
(12:58):
think they have any? I think theother thing I was just speaking
to Gallup CEO, he was talkingabout the engagement of
individuals in the in a jobwell, today has been really,
really low. But one of hispoints was that as we are
lacking, or as we are notdeveloping these human skills,
(13:20):
work becomes less fun, not justbecause of its in cybersecurity,
or its insecurity or in theDevOps, or wherever. But because
it's so difficult to bridgeacross in, we can only talk
tech, and we could talkprocesses, but we really don't
have that connectabilityanymore. Mostly, maybe it's
gotten worse, because of thepandemic. He was saying that
(13:43):
they're doing a lot of work atthe Gallup as well to start
assessing and developing that.So it is a great opportunity for
us. Thank you for that. Allright, let's shift gears a
little bit. The clock is alwaysticking when we have great
conversation. So I want toswitch a little bit towards the
topic of cybersecurity. Andparticularly, where do you think
(14:04):
it stands today, in terms of itspriority from what you've seen?
And from who you've beenvisiting with? Where does it
stand in terms of priority inexecutives, leaders, investors
and individual contributors?Because I think there is, at
least from the research I'vedone, there might be a shift and
(14:25):
which is good. But I was curiouswhat your thoughts are on that.
Dr. Nikki Robinson (14:29):
Yeah, I would absolutely agree that
there's been a shift and Ithink, a shift really in the
last year. You know, I thinkthis it all really sort of
started with solar winds. Youknow, that? I think because it
had so much media attention, youknow, it wasn't just Oh, random
data breach here or random cyberattack here. Solar Winds
affected lots of different typesof organizations, lots of
(14:53):
different domains, and it becamea business risk. You know, it
wasn't just a cyber risk anymoreor an incident It was, Oh, my
business is in trouble. And notjust from a security
perspective, but a lot of thepeople that consumed and use
SolarWinds were IT operationsgroups. And so it that of not
(15:13):
having that tool in place, youknow, having to find an
alternative or not havingvisibility to your systems or,
you know, the potential of anincident, and then you can, you
know, it becomes a snowballeffect to the business. And I
think that was really what sortof, at least opened people's
eyes to, oh, there's, there'ssort of this cascading effect
when there is an incident thatsort of, I think, started to
(15:35):
change people's minds. And thenI think blog for J was another
big one, partially because itgot so much media attention, but
also because it opened people'seyes to open source software,
how do how are we actuallydeveloping? And how can we
support developers, while stillmaking sure that we understand
the risk. So I think it was sortof an eye opener for both
(15:58):
developers and for securityprofessionals to say, oh, we
need to really understand howthis is going to work, and how
we can support open sourcesoftware, but by you know,
understanding what that means toour risk. So I think, as far as
what those things sort ofstarted to change people's
minds, I do think a lot moreleadership boards, they're much
(16:20):
more interested in in havingsort of cybersecurity expertise,
at least available asconsultants or advisors. So I
would say there's definitely ashift in the industry as far as
leadership goes. And I thinkthey see the benefit of
cybersecurity, not just being,you know, a security assessment,
or an audit or an inhibitor, butmore of a, hey, if we work
(16:42):
together with the cyber team,with our developers, with our T
with our leadership, we can helpprovide strategic, you know, we
can help with those five yearplans, we can help make sure
that five years out 10 years outthat the business is healthy,
thriving and resilient,especially towards cyber
attacks. Because if if anorganization isn't resilient,
(17:03):
let's say for example,ransomware, I think that's
another really big one that'shit organizations and the amount
of cost associated withransomware. Plenty businesses
have shut down because they'vebeen hit by ransomware. And it
was so costly that they couldn'trecover. So I think I think
those kinds of situations havereally changed how people feel
and now they're starting to seekout security advisors and not
(17:27):
just from a, Hey, what is oursecure configuration look like?
Or how do we pass this audit?But hey, how do we, how do we
plan our strategic it anddevelopment vision with a
cybersecurity, you know,professional there to help us?
Narrator (17:42):
Do you want to advance your career and organization, we
can help you do that DevOpsInstitute offers a wide range of
educational experiences for youto begin your upskilling
journey. Whether you're lookingfor a defined path to
certification, exploring thelatest in DevOps, or connecting
with the large community, we canhelp you develop the specialized
(18:04):
skills needed for the future ofIT. And it won't just be good
for your career. It will alsomake you indispensable at work
with our lineup of industryrecognized DevOps
certifications, digital learningopportunities, and engaging
events, you can connect with ournetwork of experts and expand
your potential today, visitDevOpsI nstitute.com and join
(18:25):
our community now.
Eveline Oehrlich (18:27):
So as a summary, I would say it is fair
to say that cybersecurity is astrategic line item for all of
those particular executives and leaders.
Dr. Nikki Robinson (18:38):
I guess that is my hope I
Eveline Oehrlich (18:43):
Lets frame it as a hope I love that. Yes,
Dr. Nikki Robinson (18:45):
I hope so. Because I think there is there's
so much positivity, it's one ofthe reasons why I wanted to get
into cybersecurity, because it'sit's not just cybersecurity, it
really is it and a function oftechnology. And so I think if we
can start to change that ideaof, you know, I joke with
people, you know, I'm a securityarchitect, but I really joke,
(19:07):
I'm really just aninfrastructure architect. It's
security is, you know, securityby design. But really what I'm
doing is helping to buildenvironments that are secure.
And, and that's still in it acomponent of it. So I think, I
think it's starting to change.But yes, it's a lot of hope
there.
Eveline Oehrlich (19:25):
Yep. You know, this is, this reminds me of
philosophical discussion we havehad when I was at Forrester,
where we had a security and riskteam and an infrastructure and
operations team. And of course,you know, enterprise architects,
application developers, CIOs.And I remember the folks from
the security and risk team, notwanting to do at the time, this
(19:47):
is 2018 When I left but at thattime, they were doing their own
research. Of course, we alwayswanted to collaborate because
infrastructure and operations wehave to have our heads out and
get stuck sometimes was in, inthe nasty fixing the mess. And
we always had the conversationand and said, why do you why are
(20:09):
you in a separate group? Why arewe not bringing us together into
a research? team so we can dothings together? I don't think
that has happened. But But Ithink having the risk, sometimes
it takes, it just takeschallenges which are so
overwhelming that people areenough pain that people are
(20:32):
changing. And I think one of theother factors and I'm curious
what your thoughts or is there ametric which executives should
have relative to that? I thinkit's some companies, a CEO
already has the resilience andsustainability. We're seeing ESG
as a topic come up quite a bit.But in your, in your mind,
should there be metrics for allof those folks around this
(20:54):
topic? Because it impacts likeyou said the business
significantly?
Dr. Nikki Robinson (20:59):
Yes, absolutely. There's definitely
been a big push in the last two,three, maybe four years for
quantifying cyber risk, youknow, really making it much
easier, I think, to digest,because it's interesting, I
think, when people talk aboutqualitative versus quantitative,
but this idea that if we canhelp quantify some of that risk,
make it easier to digest andhelp to, to help to show what
(21:23):
we're talking about, tell thatstory a little bit better. And
metrics, I think, when it comesto, you know, here's my, here's
my bias here, because I lovevulnerability management, but,
you know, anything highlyexploitable vulnerabilities, if
I'm using threat intelligence,what do I need to be concerned?
What are the top three concernsthat I have? You know, so I
think breaking it down intosmaller chunks. And, you know,
(21:46):
my, the bane of my existence arelike 300 Page vulnerability
reports. And I think that's, youknow, one of those big
challenges is don't send those300 page, you know,
vulnerability reports. Let'slet's break this down into
metrics that makes sense forleadership. That's, it's, it's
absolutely imperative, I think,to not just the cybersecurity
(22:06):
mission, but to the businessmission, you know, to help break
those things down and make iteasier to digest.
Eveline Oehrlich (22:12):
Yep, absolutely. All right. Now, I
came across a fantastic shortpiece by Stefan Napo, who is the
VP cybersecurity director andglobal CFO, I group, SCB, that's
a French company, that doing alot of small appliances, and
it's actually the world'slargest manufacturer of
cookware, and I'm a cook so Ilove their products, but not
(22:36):
talking about the cookware butreally talking about what Stefan
said he talked about the swarmcybersecurity or swarm
cybersecurity. And, of course,in DevOps and development, we
talk about swarming. Have youheard this term? I'm sure you
have any? If you haven't, andlet's move on. But I am sure you
have your thoughts on that. Tellme tell me what you think when
(22:59):
that comes to your mind when Isay swarm or cybersecurity.
Dr. Nikki Robinson (23:03):
Yeah, so for, for me, swarming. I also
think about in a very itcontext, because, you know,
typically you have this tieredmodel, and that's sort of an
older model right of it. But ifyou let's say you have your
helpdesk, and then your systemsadministrators, and then your
senior sis admins or maybeengineering above that, but
instead of having these sort ofsiloed, tears, you have this
(23:26):
giving this power to, you know,in IT systems administrator that
can sort of help to resolvethese things without taking up
the chain, because, you know,you don't learn anything that
way. So it's this morecollaborative effort of, hey, I
think I know how to fix this,I'm going to do this. And then
if they need help, they canalways ask for help, and the
team can work together, but itbecomes more of this group
(23:49):
effort, instead of you know,hey, I've got this thing, I'm
gonna pass it to you, they'llpass the ticket to you, and then
to you and then to you. Soinstead of this becoming this
endless chain of, you know, whathappened to my issue, you know,
becomes this more of acollaborative and teamwork type
effort. And so applying that tocybersecurity, I think about the
(24:10):
cyber color wheel, if you'refamiliar with that, this idea of
you know, you have red teams andblue teams, and then you start
talking about threat intel, andyou have yellow teams and orange
teams and purple teams that arered and blue teams combined into
purple teams. And so you'rebuilding this more of a
collaborative effort, instead ofsaying, you know, I'm on the red
(24:31):
team, and I have a pen test. AndI'm going to lob it over to the
blue team. And they're justgoing to have to figure it out
and becomes a collaborativeeffort. And the blue team can go
back to the red team and say,Hey, actually, we found these
additional things. Can youverify that for us? Can you
check to make sure that this isfixed? And so it becomes this
more of an open type of teaminstead of you know, just the
silos? Well, I'm on the redteam, or I'm on the blue team.
(24:53):
Yep. You know, it's much morecollaborative. And so I think
that's 100% the way forwardthere's a fantastic Stick. She's
on LinkedIn. Her name is marrowVernon, she talks a lot about
purple teaming. And when I cameacross her and some of the
things that she's written aboutpurple teaming, that's really
what started getting me thinkingabout swarming. Right. It's it's
(25:14):
a similar notion, right ofcollaboration and bringing
people together. But I thinkit's a big benefit to teams,
because one, it empowers youremployee or your cyber
professional, or your developer.But it also improves their
skills. It allows them to learnsomething new, it improves
teamwork. And I think there's abig reduction in how long it
(25:37):
takes to identify and resolvespecifically, you know, in a Red
Team Blue Team context, versusHey, I have this 200 Page pen
test report, here you go, goahead and figure it out, you
know, it becomes more of this,like, hey, we found this
vulnerability across 100systems, can you guys work on
this, and we can see if we canget this fixed, and then we can
(25:57):
come back and retest. So So forme, it's all about
collaboration,
Eveline Oehrlich (26:02):
super, we, I that reminded me of something I
did with again, a formercolleague of mine, where we
looked at MTTR. And we foundthat not necessarily to
security, but we found that thelargest amount of time, I think
it was 70% of time was found inthe meantime to detect. And and
(26:23):
that was because everybody waslooking down their own their own
pipe, right and their own data.So I think that's an additional
benefit, in terms of Meantime,detect at the pre at the
predecessor of swarming, but asyou said, MTTR overall, because
we are bringing people togetheris an incredible impact has an
incredible impact reducing that.And that, again, reduces
(26:45):
business impact. So super. Allright, let's shift a little bit,
we have about five minutes or soI want to cover two topics, one
the skill, and then I want toreally get into your thinking on
the women in it, or women intech. So the first one, let's
say I want to be successful incybersecurity. And actually, I
did lose an analyst in my formerrole to the security and risk
(27:09):
team. And I was very sad loser,but she is a great analyst in
this space. But if I wanted togo into cybersecurity, and maybe
there's a focus on here who arewanting to switch, what do you
think are the necessary skill,maybe one or two to be
successful? Besides what wealready talked about in terms
of, Hey, you gotta be havingempathy. And so EQ, but what
(27:30):
else do you think are essential?
Dr. Nikki Robinson (27:33):
Yeah, I would say a lot of the skills
that I brought with me from itto cybersecurity, and you don't
have to have an IT background,to necessarily go into
cybersecurity, but I can say forme, it helped a lot. Because I
understand technology very well.Now, I would say troubleshooting
is a really, really big skill.And that's, you know,
troubleshooting, problemsolving, being able to sort of
(27:55):
understand enough that you canfigure out what's going on,
because that's, that's one ofthe big, big parts of
cybersecurity is typicallyyou're handed, you know, a piece
of information, and you've gotto go digging, and try to figure
out what's going on. And so Ithink that problems, problem
solving, troubleshooting, andnatural curiosity, all three of
those sort of go hand in handtogether this sort of, okay, let
(28:19):
me dig and try to figure outwhat this is. So I would say
that's the first and I know Isaid, three skills really, and
one that was sort of I wastrying, it's kind of a cop out.
But that's sort of that. That'ssort of how I would describe
that right problem solving asthat big component there. I
would say the other reallyimportant skill, you know,
besides sort of thatrelationship building, and what
(28:39):
we call soft skills, wouldreally be how, how do what was I
gonna say, how do how do weunderstand data. So data science
is a really important componentof cybersecurity. And I've met a
lot of really great datascientists that have crossed
into cybersecurity and they area huge asset, because they're
(29:03):
able to parse through all ofthis information that we've been
collecting in security with oursims for years and years and
years. And now we have datascientists to really help us.
One make that pipeline of data,easier to digest, easier to
bring in. But they also help uspull out the really important
information. They're helping usto leverage AI, machine learning
(29:26):
models and different techniquesthat we may not have had the
skills I say we, I may not havehad the skills in before in data
science, but that's something inthe last two years, I've learned
how important it is to sort ofhave those data science
principles in cybersecurity. SoI would say you don't have to
know Python or machine learningin any sort of depth. But having
some of that understanding isreally important. Can I give
(29:50):
three skills? Can I give onemore? Of course you can. Okay,
one more I would say you know,since we're talking about
DevOps, right is the ability tocommunicate and work really well
with developers to be able tospeak the language, if you have
some programming background,it's super helpful. Again, you
don't have to be a developer,but to be able to understand
enough that you can talk to adeveloper, when they're saying,
(30:12):
Hey, we have this requirement,we have to do this this way.
Let's figure out a new solution.So I think that sort of being
able to speak the language isreally important.
Eveline Oehrlich (30:21):
Excellent. Fantastic. All right, our last
question, and then I have a funquestion for you. But this one
is around women and technology,both of us have been in
technology, I have my ownchallenges. But this is not
about me. This is about you.What would you would love to
hear? What was the biggestchallenge for you you faced? And
(30:41):
of course, how did you overcomeit? If you're willing to share?
Dr. Nikki Robinson (30:45):
Absolutely, yeah, I would say the biggest
challenge I had, it was funnygetting into it. You know,
starting on helpdesk, and sortof working my way up, I
actually, I had some reallygreat mentors along the way, and
sort of, you know, working myway up in it. I think the
biggest challenge I honestly hadwas when I wanted to break into
cybersecurity, and I got so muchpushback from my it friends on,
(31:09):
you know, why would you want togo into Security, you're never
going to be able to come back toit or, you know, you're just
going to be in security. And itwas such, it was such an
interesting, I guess, sort ofperspective that I had this sort
of, you know, you're not goingto succeed in security, and
you're never going to be able tocome back, you're you can never
cross the lines again, you know,it was this, like making it sort
(31:31):
of this like, well, you can't doboth sort of a thing. That was a
big challenge, because I had toessentially go back and say,
Well, I can do this. And what Ifound was going on the
cybersecurity side, I actuallyam far more technical than I was
before I understand way moreoperating systems, I understand
development way better than Iused to. And so I guess sort of
(31:53):
pushing through that barrier ofa lot of people saying no, like,
No, you can't do this, No, youaren't going to be good at this.
No, you don't have the skill todo this. And really being given
a chance to show that I do thatthat was sort of tough that it
took me a couple of years tomake that transition from it to
cybersecurity. And, you know, Ihad one very great mentor of
(32:14):
mine, Philip Culp, who gave memy first shot. And so, you know,
and then I was able to sort ofgo from there. But so I would
say that was the biggestchallenge. But the biggest thing
that helped me was finding agreat mentor and someone who was
willing to take a chance on meand for me to you know, show
them my skill. But yeah, thatwas that was pretty tough.
Eveline Oehrlich (32:35):
Wow. Fantastic. Well, thanks to your
mentor for supporting you, andthanks to you for sticking it
through. That's quiteimpressive. So I have one more
question. I know you are verybusy, and you do a lot of
things, but you must have somefun. What do you do for fun?
Dr. Nikki Robinson (32:52):
Oh, yeah, I'd love this question. Yeah, I
actually, I I'm very big intofitness. Like I love all things,
outdoor activities, hiking andbiking and running. So I love
I'm actually signed up for acouple triathlons. So I love
running and biking and swimming.And, and that's what I do for
fun.
Eveline Oehrlich (33:11):
Wow. Wow, this has been a great conversation.
You and I could go on. I wouldlove to stay connected. I think
there are some things maybe wewant to do together.
Dr. Nikki Robinson (33:21):
That would be great.
Eveline Oehrlich (33:22):
Thank you so much for being on our podcast. I
really appreciate it. You are awonderful, wonderful individual.
So thanks again. We have beentalking to Dr. Nikki Robinson,
security architect, adjunctprofessor, volunteer and book
author, and many many otherthings again, Dr. Robinson or
Nikki, thank you so much forjoining me today on Humans of
(33:45):
DevOps Podcast. For those whoare listening. Yes. And for
those listening in make sure youcheck out the book Mind to Tech
Gap Addressing the ConflictsBetween IT and Security Teams.
It is on my list order. Iactually already pushed a button
on my Amazon. So this is great.Humans of DevOps podcast is
produced by DevOps Institute.Our audio production team
(34:08):
includes my good friend Julia,Pap, and our hardworking Brendan
Lay, thank you to both of those.I'm humans of DevOps podcast
executive producer EvelineOehrlich. If you would like to
join us on a podcast, pleasecontact us at this is a very
long name, but I'll read it outHumans of DevOps Podcast at
DevOpsInstitute.com. I'm EvelineOehrlich, I'll talk to you soon.
Narrator (34:35):
Thanks for listening to this episode of the Humans of
DevOps Podcast. Don't forget tojoin our global community to get
access to even more greatresources like this. Until next
time, remember, you are part ofsomething bigger than yourself.
You belong
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.