Today I have an interview with Kayne McGladrey. He is a vCISO / Spokesperson / Global Cybersecurity Thought Leader / Strategy and GRC Practice Lead whom I follow on Twitter and find extremely interesting.
He is a national cybersecurity expert, helping clients develop proactive programs to manage cyber-risk. He is the cybersecurity strategist at Ascent Solutions and has 20-plus years of experience, including 10 years in blending information technology and management acumen to cultivate and build cybersecurity best practices.
Kayne has a training course ‘Fundamentals of Professional Services Management’ and here he is talking about ‘Diversity in CyberSecurity’.
Here is the interview, enjoy.
You are classed as ‘vCISO / Spokesperson / Global Cybersecurity Thought Leader / Strategy and GRC Practice Lead’ on LinkedIn. What is it you mainly do, and what is it you really enjoy most about the field?
What I enjoy most is being part of a global community working towards a common set of goals to help people, businesses, and communities. When I am not working with Clients for advisory and strategy consulting, I spend my time on public advocacy and encouraging people from outside of our industry to consider careers in cybersecurity.
I see you are also a CISSP and actually have a video training course on the fundamentals of it available. Why did you decide on this certificate over others, and how important do you think certs are in cybersecurity?
The perspective that many HR organizations have taken towards certifications is creating several problems. Risk-averse hiring managers add certifications as requirements on even entry-level intern job postings, which has been shown statistically to cause otherwise qualified women to not apply if they do not hold those certifications. This requirement for certifications also creates the perception of scarcity in our field by hiring managers, who do not receive enough resumes of “qualified” candidates. And it is forcing substantial unwanted costs onto job applicants; in the case of some certifications, there are ongoing costs for re-certification and time spent studying outside of work for those re-certifications. This is no longer acceptable at a time where there are over 10 million Americans unemployed due to the pandemic and 4 million unfilled cybersecurity jobs projected in 2021.
Only recently have I been getting to grips (I think) appropriately with the spectrum in cybersecurity, like Red, Blue and Purple teams, management, etc. What do you think we could do to make it more understandable for people, so they know more about where to focus their efforts?
I have had the good fortune of serving alongside veterans over the past two decades and the language of red teams and blue teams stems primarily from their substantial contributions to our workforce. Unfortunately, we are not hearing from other voices from outside of our field, which can lead to confusion. A solution like the Hewlett Foundation’s 2019 Cybersecurity Visuals Challenge, which drew contributions from artists not in cybersecurity, could be a path forward for finding new terms and phrases. There is an educational responsibility as well – teachers and student advisors for high-school students should be able to help people see their inherent aptitudes and map those to red teaming, blue teams, and other roles in cybersecurity.
I was reading that you are a big advocate for diversity in cybersecurity and have spoken about it previously. How did this come about, and how do you think we can tackle it?
What we have been doing for over a decade is not working. We are now at $30b of investment into cybersecurity startups in the past ten years. Premier employers and startups canvass the same higher-education campuses annually and hire people with roughly the same life experiences and associated unearned privilege, yet the number of breaches has only grown in the past decade. This is the definition of insanity according to Alcoholics Anonymous. It is imperative for employers and educators to include other voices in our conversation and in our workforce by recruiting from other, less traditional sources. My own finding has been that those who have tackled adversity in their personal life experiences are well-suited for cybersecurity roles. The perspective gained in overcoming adversity in their personal lives helps them to understand that the challenges faced in cybersecurity can be overcome.
With so many people working from home now due to COVID, do you think this will affect cybersecurity, and more specifically, how will the threats change with many people being on their home networks?
Those households sharing devices with corporate access among multiple family members are unfortunately a higher risk to their employers, but it is not a risk that they consciously created. If a student clicks on a phishing link while connected to a company VPN it provides an easier pathway for a threat actor to move laterally onto a company network. This is a risk for families who have two laptops, two adults, two children, a need for those children to attend school remotely during daylight hours, and not enough devices to achieve that outcome. This means that parents now need to have “the talk” with their kids earlier, except it is now a talk about credential harvesting, phishing, and malware.
Did you always want to get into cybersecurity? I see you were a ‘Systems Engineer’ to start with. Was the goal always to get here, or was it seeing it in your role that made you want to learn more?
One of my first consulting jobs as that systems engineer was with a governmental agency handling retirement funds for individuals. What surprised me most was the expectation that everyone using the system that would determine an individual’s future retirement was acting with the best of intentions. As such, there were no passwords or user accounts required – it was assumed that if you had access to the system, you were allowed to use it – and there was a terminal in the waiting room of their facility. Fast forward fifteen years and I found the same attitude and scenario at a global financial institution. In both cases, the fundamental assumption that nothing bad could happen does not mesh with my experience of the world. I chose to help then, and I continue to help as best I can.
I have only just started to attend events regarding cybersecurity and ethical hacking, as they are virtual and due to circumstances I don’t have the opportunity to travel. Do you think the events and networking are an important part of cybersecurity, as the sheer number of events is pretty vast?
Networking is important because no single person can know everything there is to know about cybersecurity. The topic is too broad, and the knowledge is continually evolving, so there’s substantial value in being able to get a second opinion from a trusted contact. Events can provide value, though many of them are very product-marketing forward because of the funding requirements to run a large event. With the move to remote events the cost model changes, although the move to remote events also makes meeting new people more of a challenge.
A lot of cybersecurity people use LinkedIn and Twitter. I recently deleted all my social media apart from my Twitter; do you think I should create a new LinkedIn for professional purposes?
Absolutely. LinkedIn should be exclusively used for professional purposes. It’s the second place employers look after receiving a resume for an interesting candidate. LinkedIn should not, however, be a copy of a resume. Rather, it provides an opportunity to showcase accomplishments and endorsements that would otherwise not be seen on a resume.
How has COVID changed what you had planned for the year?
The most substantial professional change for me has been the transition from in-person Client meetings and speaking engagements to purely remote meetings. We’re all developing skills we hadn’t imagined at the start of this year. I’ve also changed the guidance I provide to Clients around IT asset management, software management, and patching; solutions that require a device to be connected to a corporate LAN no longer make sense with the substantial move to remote work due to COVID.
Lastly, what do the next 12 months have planned for you in the cybersecurity world?
Continuing to build the strategy, governance, risk, and compliance practice team at Ascent so that we can help Clients mitigate their threats and their risks proactively. I am also hoping to continue to speak to the media and the public about how our industry is about helping people.
Give him a follow:
- Twitter = https://twitter.com/kaynemcgladrey
- LinkedIn = http://www.linkedin.com/in/kaynemcgladrey