hi everyone and welcome to the handson cesa podcast my name is AD and today we're going to be talking to Sebastian

gibles Sebastian is an accomplished senior it and Security executive with extensive experience in global it

systems risk management and cyber security as ciso and CIO at coin flip he

oversees key it and security initiatives including vulnerability management and

international expansion efforts his career is marked by significant achievements such as the creation of

strategic security road maps successful launches of financial platforms and the implementation of comprehensive Security

Programs Sebastian has also held leadership positions at Northern Trust

next Capital group and the Federal Reserve Bank of Chicago he held several certifications and is well versed in

various technical skills and security tools Sebastian so excited to have you here today how are you doing

thank you doing great today amazing for sure so first things first

things first how did you even get into cyber security it's a long story but uh this

the short version of it is that thanks to my dad who had a fascination with technology um he introduced me at an

early age uh to uh computers and it was when I received uh commodor 64 at the

age of like 10 that uh I I started uh playing around with it I started

experimenting and uh um at the beginning it was like simplistic programs I would

write um it would help me with my school quizzing myself uh but then as time

progressed I also had a lot of good friends living around me who were interested in computers we started

building our own network we started putting our computers together and um so

it I had a Fascination from the start with uh with computers and um in college

I I was very lucky to get in into a group um of friends that were all

fascinated and pushed each other to do more and and and and to ex explore new

areas and uh so this was all before Google and Amazon um were like this big

that they are today um we had a project that in our last year of college where

that um we had to pick a subject a topic that we would automate and so we

everybody else in the time of like blogbuster and video stores were picking

something easy we actually decided with our group to automate the school system

um which would have like you could look up your your classes the books that you

could buy you could exchange information with other students it it had like a whole ecosystem that we uh we designed

and developed and this is where I started to go into cyber security um I

wrote my first manual on how to secure a web server and and how to run our

project in a secure manner that people could log in and uh would would be able

to order books look up their classes and things like that um and then so after

college I rolled into PWC I had some great mentors at PWC that

have helped me follow my passion with cyber security uh some people like that

uh Markell Luke Hendrick Philip Deno they all were a lot Tech very technical

uh but I also had uh some other people around me like Benjamin alen dim Henri and Kelly McMillan um people that I I

looked up to that inspired me and they help me with the the more softer side of

uh cyber security um so I I think and I personally believe in that uh you you

need not only to understand the the technical side but also the soft side to

be able to uh uh grow and and have a career path that I had so I've been very

lucky with mentors that I had aroundme amazing and what would you say are

the the key soft skills versus hard skills that you had to learn to really

understand the field to really get to where you are from the soft skills side it's um

Tech on the technical side it's it's always easy to understand how that technology works it's it's kind of like

binary ones and zeros it works or it doesn't work um you can stop something

or you let something through in your security solution um but from the

sofware side it's understanding what matters for the business how much risk is is associated uh with uh allowing

more flexibility uh what is the cost associated with what you're implementing

and not only the cost of like the technology solution but also the cost of um the delay that somebody might have

logging into a system there is also a missed opportunity uh for the business

and understanding all these components um it's not always easy um

and I think it's really important to have like conversations and links with

with your business partners uh the Departments the other departments in the company and um and and have those open

conversations to understand like what matters to them and how can you find

find a blend a balance between uh full security which you can never achieve and

security that works for a company interesting how do you keep up

with like everything that's happening and security the field is changing so fast like every other day you have some

either a new technology or some breach or like something is happening that you need to be aware of like how do you do

that while staying so in tune with both both the business andactually keeping the company secure um I I think it's um it's it's a

couple of things that actually help me um one is I I like to read a lot about

new technology new uh Innovations and uh but at the same time

I also like to experiment and and I have that from like the early age like setting up a new network of finding ways

to to solve a problem um I don't often stick with just a theoretical I also

like to experiment set up my own um Network at home or set up um a new

install a new technology at home and or in or in a lab and and play around

experiment that's how I learn but also with the teams that I have um we have

some really excellent people on my team uh um would like to experiment and also

discover new Solutions uh they often bring up new Solutions or um new ways of

addressing a problem to me and by sitting next to them or listening to

them I it's almost like a puzzle um nobody has all the answers by but by

putting like puzzle pieces together you often see like what the big picture is and what the final uh solution to the

puzz list um and then uh going to

conferences um going to uh attending webinars um meet meetups there are so

many uh different opportunities to talk to others in the field uh and and

hearing about uh what goes on in their world they're often struggling with the same problems that you have and and just

listening um and taking in information helps you also understand and avoid

tunnel vision for me it's also avoiding tunnel vision uh by just sitting in the

office and uh working with the team that we have uh sometimes you get uh that

that one track mind uh and it's beneficial to just meet up uh with other

people in the same field struggling with the same problems amazing what would you tell

cisos that feel like maybe they don't have enough peers they can really talk

to about the subject or ask questions to because what I've noticed is that some

cesos sometimes feel like they they would want to be more part of that conversation but

maybe they live in an area that is less you know not a big Hub or something like

that like what would you recommend um I believe that there are

multiple ways to uh even if you're not living in a big Hub um the the area I'm

I'm not living in Chicago in the center of Chicago um it takes me about like an

hour on a good day get to get into the the city um but like I live further away

um and so even even like around the town where I live there are meetup groups

there are opportunities to to meet other people um Discord is also an area or a

solution that you can use to get in touch with cyber security people um

there is a big online community that um you can just the the the barrier to get

into is low um and you can ask anything um I belong also I'm part of a Google uh

group uh that the cesos in the Chicago land area started and and it's meant to

uh exchange information exchange questions but also help each other um

and and it's not filtered it's it's it's not moderated um and uh whether you're now

like a first year ciso or you're like uh your 20 years into it um everybody is

very helpful and and open uh so I would I would encourage uh to reach out and

and explore the online uh communities that are out there

great did you see um different ways security was approached within the years

and different roles you've had in the security

field if there are different approaches um I do think that there are different

approaches and it often is linked to the stage that a company is in or uh how

mature a company is uh often they describe cesos also as like three types

of cesos um you have you have the ceso that comes in uh with a young company a new

company that uh needs um some guidance to start a program uh there is not a lot

of funding there is uh uh so you need to be Hands-On you need to be in the trenches and help and work with the

business and it it's often just you running by yourself or one or two two

additional people that you work with it's it's very time consuming it

can be stressful and uh um as but as the company grows uh your program also grows

with it um you have the cesos that come in after a data breach and um so I I

almost call them the um the the Warriors that go in to save the day um because

the the is a fire burning and somebody needs to come in needs to understand what what the the problem is needs to be

able to do a root cause analysis and needs to be able to address um that that

problem of the day uh that caused the the disaster or the the breach and then

as fast as possible uh plug the holes to forensics and um put the put the company

or the program back on the rails it's a very different profile it's uh uh also

demands like a different skill set and then you have the C that come into like

typically the more the bigger organizations or the more mature organizations where that there is a uh

controls understanding there is a they're often also regulated and uh um

the there is already an established team um and it becomes more about metrics um

how to measure your program um and how to evolve with the business uh through

time um and and that means also taking technology that is in place um when new

products are being launched with the company uh how to migrate and and incorporate not only Legacy but also

newer technology and um it's it's a very different uh uh tool set or of like

technical skills and soft skills that would demand um I've been primarily uh

in the I I've been primarily if you look at my career in the handson the the

growth of uh smaller organizations helping fintech uh

building a team and bringing in people um people process and technology and uh

making uh sure that companies are very successful as they grow uh um but I've

also uh overseen a supervisory work with the Federal Reserve with organizations

that are bigger um as as I was part of Northern Trust we we also um as part of

internal not in the cisu RO but uh we measured how successful or where that

the pain points and gaps were with the cyber security program and then we would report out to to to the three lines of

Defense the operational side the risk management side and internal audit of uh

how well uh security was uh managed at the

organization and what does your day-to-day look like nowadays um that's a good question um in

my current role I I have a dual Ro so I have the ciso and the CIO and so um it makes my my day always

interesting because uh it's not just looking at it from the security lens

it's also looking at it from the implementation and the business s um as

new products are being implemented what is the right technology to implement and how to help the

business and additionally like how do you ensure that security uh is not an

afterthought um that means that um my day often starts early um I I I get up

at 6 um on my I get I hop on my train around 7 and I'm in the office around

7:45 uh but uh during that time frame I catch up by reading news uh on the train

um I get in touch with some some people that are on the East Coast um and I

start um reading through like what are the priorities of the day of the week

and I start planning out um the rest of my day uh for me like the start of the

day is making sure that I have a plan uh to make everything as smooth as possible

now with security you cannot plan out or you cannot predict uh what's going to happen um but that's also what makes it

exciting uh there are always two or three curve balls uh things that at hwk

Tech comes up come up that we all have to deal with um but uh i' like to plan

out and have a little bit couple of Pockets throughout the day that um I can use for um focus time learning catching

up but also walking around the office uh catching up with everybody else in the

office and and seeing what's going on in their side of theworld amazing so you have these two separate like a

hats that kind of work together as CIO and ciso what are the differences of

like what you do under this hat and under this hat and yeah let's start with

that so A CIO um and this is a role that I got

after being like with the company for about five months um I inherited the

traditional it site with um making sure that the laptops making sure that

endpoint Computing like the office access to office Office 365 or Google or

all the applications um are are working um and and so that if somebody has an

issue that they can go to a Service Des and that they're being helped as quickly as possible it's more about keeping

things running and making sure that if there is a problem um with access with

up time Etc that we have an answer as soon as possible but it's also helping

with implementation of new Solutions the the Cil s um there is some

overlap because like if when we are giving access when we providing access

we want to make sure that it's happening in a secure manner that we have multiactor authentication enabled that

we have um the the right permissions assigned to the person um and so that's

where that it and and Security will work together to understand like who has what

access um and if something happens if there is a problem with a system uh or

somebody cannot log into an application or the application is no longer

available um it's down there might be a security reason

for that as well so with that information sharing communication is really key and uh that's where that the

two uh get closer to each other and work together

amazing as the ciso I'm sure you you have to make a lot of decisions about

what can be done and what can't be done do you ever have a bad cop feeling like

telling people they can't do something um I I would be lying if I

would say like I never have the feeling like that I want to be the bad cop um

but I I wouldn't call it being a bad cop it's uh um it there are moments that feel like

frustration or like a moment that we know what the right answer is or that

the the item that would help protect the company best and um we we try to find a

balance by providing training and explaining why we do certain things with

security um but we have a wide variety of people coming into the company some

people have worked um at at let's say a different type of company um let's say a

pharmaceutical company or they've worked at u a non-financial company we're in

the financial space and and we regulate it so there are certain expectations uh of security being in

place or you have people come just coming from college and this might be their first job so um it's it's really

understanding when something happens let's say somebody plugs in a USB drive

and they copy over some some documents it's often with good intentions um

people do something because they want to make something happen they want to uh finish a report or a document that they

have to deliver to their supervisor and um often it's it's really

key to take a step back look at the information that's available and and

talk to the person or talk to the supervisor gather context what is

happening and and um it's by having that understanding that there is often no

need to be a bad cup um I the moments that we have to be a bad cup is when

something really is happening that was malicious and and luckily those are

Rarities those those items don't happen have you ever been in a company where

there was a serious security incident and if so what how did you deal with

like the chaos um i' I've been in a couple of

companies and and I think that every company nowadays um should ask the

question like if you hadn't had a security incident uh it's more a

question uh are you ready for it because it's typically just a question about like when is it

going to happen um and in the the especially with AI now we've seen like

an increase of attacks happening um we've seen the complexity Rise um but

I've I've been exposed to or been involved with plenty of security events

um the uh the one that I will bring up is uh where that I was secondhand

involved um and and so we um asas in we with the Federal Reserve we also supervised a lot ofInstitutions and in and in institutions financial

institutions uh you can also have small companies where that there might be one or two it people you have big

organizations now the pro problem with security incidents is that malicious c s

often don't pay attention to whether you're like a company with only one it individual or if you have

20000 um and they often find the lowest

the pth with the lowest resistance and in this case um they found a system that

was unpatched um and what they found an easy one way into the

network um and and this is how that a lot of uh incidents happen um to me it

comes down to uh really security hygiene foundational aspects that we all have to

tackle um with this vulnerability management having regular scans on all

of your Sy well first of all understanding what assets do you have

how what are you doing to understand what what the risks are to that uh asset

and then thirdly uh understanding like if something goes wrong can you detect

it can you identify the incident of that it's happening a lot of organizations still

don't have that detection uh to be able to respond in a timely manner and uh in

this case it it actually translated to um cards uh being copied um account

takeover and um it it translate into millions of dollars of loss for the

organization um so um and it it was only one one system that was unpatched um so

it it can be like one item in your security program that fails um but it it

can have a casting effect wowum that's crazy how do you sort of build theculture after that in the company to be more security

minded yeah that that's a really good question because I I think it's uh it

may start with security um identifying um information or tools that

can help with building uh security awareness or security culture but at the end of the day everybody plays a role

and uh it it starts with somebody joining an organization uh coming from college coming from a

different company and um introducing during that first stouch

during the onboarding that typically HR uh organizes bringing uh some initial

thoughts about like what matters to the company from a security perspective but

also getting to know each other at that point when you have that first touch Point creating a link with with the

individual with the group of people that join uh is a way of like extending a

hand and and like offering them to um also provide feedback to you and I think

it's important because like true time um my team has been has been wonderful i' I

have a great team of it professionals and security people but we also get a lot of information back from the

business from from individuals working for those business teams about about

what matters to them and and that's why the first touch Point matters the ongoing touch points also matter um I I

make uh I make a case to uh have regular meetings touch points with all the leaders that we have to understand what

are the projects that they have going on um what if there is anything from

security that they have concerns about and how can we have like that ongoing

flow of information um and with that uh we we introduceseveral other items we we have introduced um security awareness

training that we do on an annual basis it's typically online brief like 15 to

30 minutes online with a brief quiz at the end to see if everybody understood

the material um second is like fishing campaigns which we do on like a monthly

basis uh again to see if everybody can spot uh the fishing emails and for us

it's it's one of the biggest risks uh to the crypto industry fishing uh we get a

lot of fishing emails but also fishing through SMS text messaging um and what we've also lately

seen a lot of like uh video uh deep fakes where that um um leaders or uh

other people that um have a level of trust or embody certain level of trust

are being used to to target employees or customers um and it's all about like

making our internal people aware of this um and then last but not least we we

also have introduced the it demo day um and with the it demo day is like every

other Friday we spend an hour no present no deck no slide deck but we make it

like show and tell Interactive that we talk about technology that we talk about

security and um our upcoming one is about vender management um which is a

collaboration between legal uh procurement and cyber security to talk

about the process but also why we certain things we want to have certain things reviewed from a cyber security

perspective and how everybody can help so if somebody is looking for a new

solution are there certain questions that they can already ask themselves um

when they look at the application the online application or um and then they

can come to us and provide already information to us uh but we see it as like a collaborative effort and

everybody is in the boat rowing together

amazing what do you think that is something that people outside of security don't necessarily understand

and that you look at um that's that's not a good questionum it's I I think it's um often a challenge where

that um there are expectations in the business or um others outside security

um and I'm I'm taking this also from my personal uh experience where that there

is an expectation that we want to run as fast as we can and we want to introduce

new products as fast as we can um and

there is like a risk associated with that um if we if we don't have like ask

specific questions about um who gets access to the system

what level of access does the person get where is the data being stored how is

the data being protected um do we have like a backup

mechanism there are key questions that help us understand the risk of a new

project or risk of a new application and um often it's it's uh

taken as well we know that so and so already uses this application as a

company so it must be okay to also use this

application um that might be the case if like large organizations already use the

the application can be used as a reference but often we still need to configure um security mechanisms like

for example getting logs into our monitoring system um and understanding

how do we do that with the new Solution that's being brought in is is something

that um we often have to spend some time on and um I think that that's often

overlooked that there is a process Beyond just buying a new solution or

size application uh there are some ancillary things that also need to be done to ensure that we have the

visibility and we can respond to security issues okay

interesting what would you say is your biggest issue happening right now like

in terms of uh challenges in the cyber security world uh I think it's it's that balance

between um having a small team and

um limited limited budget um and trying to go as fast as possible uh so each day

it's it's finding a balance of like what is the highest priority um for the team for me as an

individual but also for the company and um keeping the business going as fast as

they want to run while protecting the organization uh and that often involves

um having those conversations to understand the context of the changes

that we're going through and how can we find the cheapest solution possible to

to make uh us still uh maintain the same security

posture would you say working at a like essentially a fintech company

different than working in something that has data that is may be less

sensitive absolutely um and for me data has alwaysbeen um the main item uh for me

security is always around data and uh data and the business processes one you

can impact a company um if a business process is

impacted and a business process can be if I'm not able to log in and purchase a

soccer ball for my son uh because the website is not available um and and it's because there

was a denial of service attack on that web website that impacts the business uh

it's not necessarily data that's impacted in this case or sensitive data

um but it's the availability of the service and so understanding like how long can the company in this case be uh

without a website that you can do online transactions or online purchases is is

also key besides uh data sensitivity now in the world in the financial world that

we are in um we have to deal with a lot of sensitive information pertaining to

customers if you want to become a customer you have to go through several steps to uh establish your identity that

we know that who that we're dealing with is truly for example Sebastian and where that this person

lives where that date of birth uh we collect a series of information that

will compliance people collect and verify to ensure that we have a low risk

of like um um identity Taft or um

account takeovers or uh M uh money laundering happening um but at the once

they're in the system we have legitimate people doing transactions with us and

that data the social security numbers Etc need to be protected um we have

Regulators that look at what we do and how that we protect that information and

we have um obligations to uh respond and Report anything that goes wrong with

that sensitive information to uh our Regulators so yes it's um in a regulated

environment the expectations are a lot higher and uh there there is a little

bit of stress that goes with one with thatinteresting what do you think is like

the how do I phrase this how much of your focus goes on actual security

implementation team like the security team versus handling the business side so

management so understanding how things work together like how would you say that

works um I think it's 40% team um oriented uh

making sure that the teams um have the support that they need and then 60% is

the the business side um it might be depending on the week it might be a

little bit different um but I I'll like I said I have I have some excellentteams with it with devops with with my Security Group

and uh each one has a manager that has had plenty of experience and um

typically it ends up us discussing what are the priorities of the week uh and

that's uh it started all with like understanding the business side uh so on

the business side I have meetings with uh discussing our road map um discussing

the priorities for the next quarter two quarters out and then um I take that

information back I look at well how does that translate to what we need to do and

I have weekly uh meetings with my manager group where that we go through

uh well U we have these priorities coming up these are the deadlines and um

are we working on it are there any blockers are there any is there anything that we need to talk through and then we

talk through it as a group um if if needed we pull and other staff members

but often the managers just go to to their teams and they execute and they

deliver the work that needs to be done and we stay within our

timelines perfect is there any decision you remember making that obviously you

thought was right at the time but ended up harming the it's linked to uh the

question that you had earlier about uh what is what makes it what makes the the

position so difficult um as at the fintech organization a smaller

organization we we tend to work with less resources and we want to go fast uh

so to support a quick deployment of a new business solution uh I supported the

idea of adopting a new technology which was a lot cheaper um unfortunately uh

staff and Engineers did not have the necessary uh experience and we leaned a lot on the

vendor providing our support um but as we progressed and we implemented the

solution we ran into some issues uh that we could not uh

resolve um and so we we we tried to work through it and uh but it ended up um

that we had to replace the solution with a with a different solution um this time

we did spend more time um and we did a side by side comparison of

the different solutions that were out there and not just the price uh the

price was a big component but also at the technical aspects and whether people

could support it or not um I think that that's really

critical uh from a due diligence perspective whether you're adopting a security solution it solution or a

business solution that uh there is time taken to evaluate key requirements for

the business from the technology side um because like it often takes more effort

to rip something out and replace it with something else interesting do you think there is a

certain area that like cesos have a blind spot and they don't really pay attention to it and you think they

should uh blind spot um I often I often still see like with uh

with some of my colleagues still spending more time on the technical side and um I think it's thanks to like one

of my mentors that I had throughout my career Lawson Kelly he showed me a couple of tricks to get more buyin from

the business um by by crowdsourcing a solution um and so we at the time we

were looking at we needed a security monitoring solution but at the time it

was pretty expensive and we had to convince finance that it was it was the

right solution to implement and um similar to that we had we had a similar

situation over here where that we were looking at all the Technology Solutions

that we have and and finance wanted to uh get a better understanding where do

we spend the money who is using or applications and and often with security

we have so many tools that give us visibility of like who does what and

when but it's like bringing that information together that you can also

use it to your benefit for finance for example we um we had a casby solution a

cloud monitoring solution that saw like for example in the marketing department

we have like we had like 15 people uh they had licenses for certain

applications and then our security solution saw over the last 90 days what the usage was for those applications we

could Dr we actually were able to drastically reduce the license cost

because we had applications where access was given but certain people were never

using it so um I think it's like finding those moments and it's again like

working with the business working with the different departments often it's not

only um stopping some a bad guy from coming into the company but also like

sharing the information that we have with security with other departments to help them in their

world amazingand do you think that doing cyber security in a company ishow do I word this people who are going to cybersecurity do you see it as people of a certain type or is it more manydifferent people doing different

things can you explain that one a little bit Yeah like the people who end up

doing security roles um either see or people who are you know getting

started Midway is it people who tend to be quite similar like a similar crowd or

is it very diverse and people with different interests I'm a big supporter

of diversity and um and the reason being that for me it's a mindset it's it's not

necessarily always uh because you're technical being technical helps but it's

a mindset and um I worked with an

extremely smart guy um in the past long time ago he had a PhD in nuclear physics

um but and he is he's still working at one of the biggest Financial organizations in the world in cyber

security um he he had a mindset of like you can do anything and and that's a

mantra that um I I follow is like as long as you have the mindset you can

achieve and do anything um I also um the one person that still

impressed me Sandy she uh um was working at a pat hospital and I hired her as a

security analyst um she had no cyber security or technical background but uh because her

fiance was a penetration tester she saw uh what was happening at home she

started experimenting and started um with with hack the box and

she was trying to explore uh a bit herself she had a really interest and

she really wanted to get into cyber security um and it was through what she

mentioned on her resume that stood out um not that she was at a pat hospital

but the contradiction between like what she was doing and that where that she was wanted to go that people my interest

and um I I took a chance on her and it was probably one of the best decisions I

ever made uh so I personally think diversity helps us um because again to

an earlier point that I had uh we we all otherwise end up with tunnel vision and

uh Technical Solutions are not always the answer uh often you need a broader

context to solve a problem perfect what do you think changed about

cyber security in the past few years versus what do you think it's going to

look like in the next few years um I think that there were three changes

that have helped but also impacted cyber security in my view one the pace the

pace of changes has dramatically increased uh with the introduction of AI machine learning uh um and that helps us

but it also helps the malicious actors so it helps us to um with AI to address

like the mundane the the trivial things that we we have to deal with in a

day-to-day uh collecting information uh putting pieces together um and and

writing reports um it's it's tedious it's time consuming but with AI it will

help us and will help us then also focus on more complex items um un unfortunately it will also

be an adversary uh adversary that we all have to deal with um the other the

second part is the remote work when we had to deal with Co um a lot of

companies were stuck in Legacy uh they had to deal with Legacy vpns they had to

deal with people working from the office it really transformed the workforce and

how that we looked at cyber security uh instead of like the mo around the castle

uh we went from um in and protecting the office or the data center it really

became like around what is now important to what a user is doing um

with the device or the asset that they have and the access that they have to the app

applications um so endpoint security uh more action driven uh security become

became a lot more uh important and then the third uh elementI think the availability of solutions uh I I I typically attend like big

conferences like blackhead and Defcon and uh what you see is like there are so

many so many new uh vendors and solutions that come to the market

and um with pressure on budgets I do think um and it's also echoing something

that I hear with other cesu peers is that the point Solutions are not always

helpful um because like you have to then go to three four five six fendors to

have your security program addressed and if you have to go six times to finance

for approval that each time time that you have to purchase something the sixth

time they might not say yes to that request uh it's easier if you have like

one vendor or two vendors that you can go for a request um so I do think that

that will lead to some consolidation in the security Market with some some mergers Etc um similar to what I've been

doing is like we we are also consolidating tool sets where we can and to get like the most out of the tools

that we have um so yeah those are the challenges that

but also opportunities that I've seen amazing and how do you think it's

going to like go from here if we look at AI if we look at the different things

that are coming up I I think like to to my previous

point I think that AI but also and this is me being in the crypto uh atmosphere

the uh audience environment uh I do think that Ai and blockchain will be two

elements of technology that will greatly help address security um and I've said said this

before like um with AI we can help make things that are trivial that take are

very time consuming like writing a a report and so on uh there are better uses of time that we have um the um with

blockchain and and the concept behind it that you have a decentralized oversight

of transactions that are happening if we can get to a decentralized overview of

security that is being validated by the network it will also help us um validate

identities validate uh if actions are allowed and

my my view is that uh over time time security firms should embrace blockchain

and build it into their Solutions so that we have like an integrated um

validation of what what is actually allowed to happen in each of our environments okay so my next question is

what gets you excited about cyber security ver says what keeps you up in excited every day is a new day in uh

or a new bright day in paradise um because I see it as like you never know

what's going to happen um it's it's always evolving changing um there's new

technology there are new Solutions out there um new opportunities to learn when

I started college um and the first day in college uh the teacher said welcome

to um a lifetime of learning um and it was be what you've entered the field of

it and not will be the the same uh tomorrow so you will have to learn

continuously learn and that has always got me excited gotten me excited um

because like there's always a surprise or there is always and I like good surprises and there's always a surprise

or like something to um what keeps me up at night um

surprises um or like not knowing um not knowing if something is happening in

your environment and that's why for me transparent transparency of what's happening in the environment um at any

point is is really important to me uh so potentially not knowing that a malicious

actor is in your environment um and discovering it too late after that the

damage has been done um is is something that sometimes keeps me up now how to

deal with that is I make it a case to reevaluate of controls on a regular

basis uh ask questions verify what's in place and and um never get complacent uh

make sure that you challenge yourself and the people around you and and make sure that the people around you are also

challenging themselves uh because again to the first point we are learning

something new every day perfect okay so one final question

and before that thank you so much this has been super interesting and like I can really tell that you've thought

about all these like different things and it comes from a perspective of

someone who's seen a lot of cyber security um so it's really cool to hear

um my last question would be what would be your most unusual advice to someone

who's either getting into cyber security or looking to advance within what would you say well and that's why I liked one

of your previous questions um certifications are a marketing tool to

me and I know that I have a good amount of certifications um but it's not always a

demonstration of your skill set um for me it's like a way to show on your

resume that you you have you were able to learn you you passed an exam and um

if you have a list of certific ation that it's a way to differentiate uh yourself from other

candidates what I will say is like there are other ways to differentiate yourself as well on your resume but also

throughout your career um again like if if you uh want to have that step up or

look for a couple of entry level certifications on your resume uh but more importantly focus on other items

that make you stick out uh for example um start doing heck the Box get an

achievement there volunteer or teach a stem at a stem program summer program

for kids uh a program that you develop yourself and that you can talk passionately about during your

interviews um coaching even like coaching a basketball team nothing related to cyber security um shows that

you're a team player that you you can not just individually solve something

but you like working with a team um I I think that all those examples show that

you um are driven that you're passionate about something and again linking it to

like the having the mindsets um I think with the right mindset you can achieve

anything perfect thank you very much was a pleasure thank you for having

me