Afternoon Cyber Tea Season 3 Recap

Examining the forces shaping the cyber landscape with the experts leading the industry’s transformation

This month we wrapped season three of Afternoon Cyber Tea with Ann Johnson, just days before the US presidential election. Sandra Joyce, a threat intelligence expert, joined me for this concluding episode to talk about election security and protecting ourselves against misinformation. Our discussion was incredibly illuminating, and it is perfect example of the ground we covered in this season’s podcast series.

Each episode has surfaced perspectives on how our collective approach to cybersecurity ties directly to some of society’s most pressing issues, including the need for more diverse voices in the industry, the impact of a global health emergency, and the urgent need to reframe how we think about security.

Some of my favorite moments from this season included:

The pressing need for more diverse voices in cybersecurity

I’m grateful for the chance to talk with guests of unique backgrounds and experiences to hear what inspires them and how they’re shaking up the largely white, male-dominated cybersecurity industry. It became clear that promoting diverse voices goes beyond tapping into a cultural moment—it’s about strengthening the entire industry.

Camille Stewart, head of security policy and election integrity for Android and Google Play, may have put it best when she said, “Racism is inherently a cybersecurity issue because people are at the core of how security controls are adopted and how technology is used. If we don’t address issues of systemic racism, the processes and institutions that we are building security into are inherently vulnerable.”

In other words, diversity is threat mitigation, in and of itself.

That’s why Camille’s collaboration with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, is so compelling. Together, they launched the #ShareTheMicInCyber campaign to amplify diverse, expert voices in cybersecurity and share insights to help organizations identify blind spots.

It’s an important reminder that the cybersecurity industry is a community and that our ability to protect against threats is only as strong as our ability to identify them—together. And that brings me to the next major theme of the season: resilience.

The impact of a pandemic on global operations

In this season's first episode, I spoke with James Turner, an industry analyst who works to support CISOs and strengthen the resilience of the economies of Australia and New Zealand. He said it’s important to remember that cybersecurity is everyone’s business, using the banking industry to emphasize collaboration between organizations on matters of security, even if those organizations are competitors: “The security operating centers at large banks are on speed dial with each other all the time because the attack against Company A hits Company B the next day.” 

Even during a global pandemic—which James has seen as a tremendous catalyst for information-sharing amid budget cuts and workforce impact—he says simply reaching out to peers remains critical to understanding and preventing threats.

For Microsoft’s Chief Information Security Officer, Bret Arsenault, the pandemic also has reinforced the importance of planning and testing emergency scenarios to combat bad actors who attempt to exploit human vulnerabilities and new realities of life and work online. 

“We’ve seen a really big increase in ransomware and a lot of activity against Remote Desktop Protocol because so many people are remoting in. When you see broad usage, you’ll see broad bad actor campaigns against those things,” he said.

So as companies advance their digital transformation, the best way to enable a productive workforce is secure it with a solid strategy to mitigate opportunism. And while a little digital empathy goes a long way, getting employees to think responsibly about their own security also can help remote workforces avoid risk, too.

Reframing cybersecurity as a business imperative

The human side of cybersecurity remains one of the trickiest but most critical areas to tackle in the industry. Many guests said it’s integral to how they advise organizations on threat prevention and mitigation.

Jules Okafor, CEO and founder of RevolutionCyber, built her entire company on the premise of transforming institutional cyber mindset to drive behavior change among employees after seeing too many organizations focused on selling security products instead of solving problems.

“That’s not a cyber mindset. It’s more about how do you surround people with cybersecurity in a way that helps them understand it will make them do their jobs better? Cybersecurity has to be better at aligning with the way people think,” she says.

And I think all of my guests would agree cybersecurity should be prioritized throughout all levels and departments of an organization. Some companies are innovating how they do just that.

“Honestly, some of the most successful cybersecurity internal departments I’ve seen have reported out of risk or finance, not technology,” said security researcher and Fulbright Scholar Tarah Wheeler.

Defining cybersecurity as one of the pillars of business, Tarah says, demonstrates that it’s critical to your success and more than just an afterthought.

This prioritization reflects a level of understanding that Sandra, my most recent guest, said has become paramount in today’s threat landscape.

As the head of Mandiant Intelligence at FireEye, Sandra discourages a prevention-only mindset. Instead, she advises organizations to assume attacks will happen and to conduct threat profiles that help them strategize how to mitigate the damage when breaches occur.

“If you can understand where you sit in the ecosystem, you can prioritize more and, at the very least, get more efficient,” she says. “Don’t just look at the initial intrusion. Don’t let the first day of an attack be the day you determine how to manage it.”

But these steps aren’t limited to organizations. Theresa Payton, CEO of Fortalice Solutions and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, also offered individuals advice on how to guard against the influence of misinformation campaigns. Our conversation touched on the personal data collected by our devices, too, and what we trade for convenience and insights about the patterns of our lives.

“That ubiquitous nature of technology in our lives right now really does have an implication on both privacy but also the risk-versus-reward tradeoff when that data could be really helpful,” she said.

While AI-enabled voice assistants, intelligent appliances, and more can benefit users—think, for example, of discovering an underlying health condition revealed by data collected by your smartwatch—Theresa cautioned against the innumerable unknowns about how that data could be used. And she called on organizations and governing bodies to build security into design and guardrails that prevent helpful technology from hurting us.

This is something I’ve so valued this season. The diversity of expertise, experiences, and backgrounds reflected in these episodes is, on a grander scale, helping to shape and improve our collective understanding of cybersecurity. I hope you’ll find useful takeaways from these leaders who are at the fore of securing and strengthening our industry.

Thank you to all who listened to season 3 of Afternoon Cyber Tea! All episodes are available to stream and download on PodcastOne, Spotify, and Apple Podcasts.