ITSPmagazine Podcast Network

Embrace the Goldmine of Your Unique Skills | A Conversation with Jo Peterson | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this episode, you will learn about finding your value, belonging, and insights on the unique skill sets you bring to the table and how to overcome imposter syndrome in the workplace. Additionally, learn about AI ransomware attacks, cybersecurity, and cloud services proactive solutions. Subscribe and never miss an episode!

Episode Notes

Guest: Jo Peterson, VP of Cloud and Security Services for Clarify360 [@Clarify360]

On LinkedIn | https://www.linkedin.com/in/jopeterson1
 

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

In this episode of the Soulful CXO, Dr. Rebecca Wynn welcomes Jo Peterson, the VP of Cloud and Security Services for Clarify360. She shares her journey of becoming a female engineer and how her military experience helped her gain college credits. She talks about her early computer classes, handling imposter syndrome, being a female in technology, following your passion, and transitioning into the telco industry as a network engineer. We delve into the topic of AI's potential to deceive and manipulate recruitment systems, allowing candidates to appear more qualified than they truly are. Additionally, we discuss incident response, the rapid growth of AI ransomware attacks, and how to better protect the business using incident response wrappers for funding recovery.

________________________________

Resources

Cloud Girls: https://cloudgirls.org/

Informing an Artificial Intelligence risk aware culture with the NIST AI Risk Management Framework: https://www.nist.gov/publications/informing-artificial-intelligence-risk-aware-culture-nist-ai-risk-management-framework

________________________________


For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast


Episode Transcription

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Jo Peterson. Jo is the award-winning VP of Cloud and Security Services for Clarify360, the founding co-chair for Cloud Girls, a not-for-profit community of female technology advocates, a U.S. Air Force veteran, and serves on numerous advisory boards.

She is recognized as an industry thought leader and influencer being named one of Oracle's top 15 people to follow in cybersecurity and one of Onalytica's top cloud influencers. Additionally, she speaks regularly at industry conferences, contributes to industry publications, and hosts webinars for BrightTalk.

Jo, my friend, it's so great to see you again. 

Jo Peterson: Thank you so much. I think the only thing that you forgot, Dr. Rebecca, is I post cat videos on cybersecurity on the regular.

Dr. Rebecca Wynn: That is true. I'm a dog [00:01:00] person, but I like those cat cartoons as well too. 

Jo Peterson: How's your day today? 

Dr. Rebecca Wynn: It's going great. It's going great.

Hey, how did you even get started in this crazy field of cybersecurity? Did you always want to be in cybersecurity, even like when you went to college and things along those lines? 

Jo Peterson: So mine was more of a journey. I'm of a certain age, and there weren't a lot of female engineers, honestly, for me to take a look at.

And so I went in the military and I had the opportunity to work on electronic equipment. And part of, if you know anything about the military, they're wonderful about getting you college credits for things. So I was able to parlay my military time and the learning that I had there, the tech school that I went to, into [00:02:00] college credits at the University of Maryland.

And I was able to take some very early computer classes, when networks were really flat and dinosaurs walked the earth; I think it was the same sort of time. And so when I got out of the military, I was lucky enough to get a job at a telco as an engineer. I came up the network side of the house.

And then in 2009, after I had a number of different roles over the years, I really took a liking to cloud computing. I got in super early and I was doing architecture work for cloud. And what I realized in really short order was folks weren't preparing their cloud environment to include security. And so I would go back to them and I'd be like, okay, so [00:03:00] I'm not a security person, but how are you going to secure this?

And they would be like, the same way we secure the on-premises. It was early days. It was very Wild Westy, right? And people were like, we're going to secure it the same way we do the on-premises environment, or I'd get an answer, oh, the cloud provider takes care of all that for us, and I'd be like, no. And so I got super familiar with the shared responsibility model, even before it was known as the shared responsibility model. And so I felt like it was my imperative to go to my client and go, gee, so they're going to take care of this, but they expect you to take care of that thing over there.

Basically your data is yours. And it's yours to secure, and they'd be like, it was like news to them. I really got interested in learning about [00:04:00] what I could do from the perspective of helping clients think through these architectures and these environments, and when one set of security controls just stopped working for you, because it was in a completely different plane, as it were.

So that's what happened to me over time. I feel really blessed because of the fact that I do have a really good foundational understanding of the plumbing of the environment. And I think now we're starting to see that as we come into the time of AI, cloud is a foundational vehicle.

So if you don't have cloud, you're not going to oftentimes be able to take advantage of AI and all the wonderful benefits of AI. So, that's probably a really windy answer, but that's what happened to me. 

Dr. Rebecca Wynn: We want to thank you for your service. I appreciate you serving in the Air Force.

Jo Peterson: Yeah, it was a good, it was a good [00:05:00] experience. And I think that, you and I were chatting about this a little bit. If you can hire somebody from a military background, you're going to, I'm going to give a little plug to the vets out there. They're someone that transfers a lot of the ethics and a lot of the discipline that they learn being part of a team to your team.

So the military's already started to train them as a person that has to be part of a team and respond as part of a team and show up on time and follow a chain of command and all the wonderful things that the military teaches them. And so hire a vet. That's my plug.

Dr. Rebecca Wynn: I agree with you.

I think one of the things too, is being agile, fluid, being able to take on multiple different tasks, being able to switch tasks very quickly. So the project management [00:06:00] standpoint, understanding that policies and procedures and checklists are there for a reason. If they're in cybersecurity, being a vet as well too, or networking, they're used to using this checklist as well as different security technical implementation guides; that part you don't have to explain to them.

They're used to also dealing with incidents, business continuity, and they're trained along those lines. So they're also good team leaders, thought leaders along those lines. And so I tell people always pay attention when you have a vet and really look at those resumes. I always do, and look and see if there's any of those cross skills.

That even if they can't be used directly in your team, there's probably more likely going to be another team in your organization that they'll line up very well, and then be a good business partner with you over on cybersecurity. 

Jo Peterson: Yeah, that's a good point. The military teaches these young men and women coming in leadership skills because they want to groom them for positions of leadership.

And [00:07:00] unlike maybe someone else who is their chronological age and maybe didn't have all the responsibility that this young person has in the military, just if they're going to college, and they just haven't had all that responsibility, all that life seasoning yet there's an acceleration that occurs in terms of maturity and leadership skills for these young vets that are coming out of service.

Dr. Rebecca Wynn: I think it's really challenging today, where we do have a lot of technology people who were laid off last year and the year before. And don't forget that there were small, medium sized companies that had layoffs as well as the big companies that got all the press and what people find when they're trying to get into a new role, a lot of times companies say I only want somebody who was in healthcare and you were in a different sector. Maybe you're in technology, maybe we're in financial services, maybe we're in pharma. And so I won't look at you. I think people are missing out on a lot of great pockets out there, great talent because they're being too [00:08:00] narrow in their mindset.

Jo Peterson: I hadn't thought about it in exactly those terms. I guess the thing that I think about is, I am so encouraged by the coming together of disciplines. I've been doing this a long time. I know you've been doing this a long time. You're a seasoned technology person as I am. And for the longest time, we saw silos, and I feel like some of the silos are breaking down. If you were on the network team, you never talked to the security guys. If you were a security guy, you never talked to the network team, right? But now we have, you know, network security people, which is wonderful. If you were on the dev team, you didn't cross over with the security guys.

Now we have DevSecOps, right? So we have these coming together of functional units. And a lot of times in the bigger organizations, if they've got the personnel, because they have deeper benches, they'll have somebody [00:09:00] that's the liaison between the two teams, which is awesome because they make decisions as a team.

So they consider what are the needs of the business overarchingly? But what are the needs of the network? I have this going on with a large chemical client right now. What are the needs of the security team? How can we put those together and make it work for everybody? So that's been a really cool thing that's happened.

And so if that's a great way I tell people, okay, maybe there's not a job open on the security team, but maybe put yourself be forward, and put yourself up and say, Hey, do we need a liaison? Do we need somebody from the network team to be a liaison for the security team? Get to know those people get to know what their challenges are.

Volunteer. They tell you the military never volunteer, but it's probably not a bad thing for someone who's looking to cross over [00:10:00] because at the end of the day, and this, Dr. Rebecca, team leaders are people, and they hire people that they like. They have to have the skill set, but it has to be somebody that they feel like would fit in with the rest of the team that they that's tough.

Yeah. That they feel like the person would be a fit. If you make an effort, you might stand a better chance of getting yourself, maybe it's a lateral move, but maybe it's into security, an area that you haven't been in before, which is important.

Dr. Rebecca Wynn: I think that's also a challenge, right?

I tell people to be very cautious about hiring people in a team solely for team fit, because people flip out of a job pretty quickly anymore. In today's world, leadership changes. So look at those skill sets a little bit more at times than just if I like them as a person. And the one way I see that comes in on females is there's a lot of teams out there that, let's face it, [00:11:00] the majority of them, vast majority, are male. And so at times they may think and see things a little differently. And by hiring women onto the team, you will see a different perspective. What do you find that as a challenge too? I know that you mentor a lot of women out there and a lot of young women and women trying to get into the field.

I would tell them even seasoned people like me, 99.99% of the time when I've lost out on a CSO role has not been to another female.

Jo Peterson: Oh yeah, for sure. I can count the number of female CISOs that I know on my hand today, and they're all awesome, by the way. And what I love about them is that they hire women underneath them. They give women a chance. Not that the guys don't, because, and I'm going to say this, my best bosses have been guys. So let me just put that out there. I've been lucky enough [00:12:00] to have bosses that advocated for me and believed in me and gave me a chance, and those happen to be men. So there's great male leaders out there that encourage females, right?

But I don't know what the latest number is. I saw something last year that said, maybe 12 to 15 percent of the cyber workforce is female. Am I tracking right with my stat there? Yeah, you are. Okay. So if you think about that's a really low number. So I know that some of the, even the guy CISOs that I've had conversations with, they want to get women onto their teams, but they say to me, look, the talent's just not out there.

And I don't know what the answer is. What do you think the answer is?

Dr. Rebecca Wynn: I think one of the way you're trying to go in the proper front door to get these positions, you see a job that's posting, [00:13:00] you put a resume out there, it has to go through ATS and it has to go through someone in HR and things along those lines.

I think with all the AI reading through the resumes, they had, they're dropping a lot of the great resumes. We can talk about it's best to know people in the organization saying, put your name up. But the one thing I know that when I'm hiring roles, I ask them, I go, I want to see all the ones you rejected.

I would take consistently in the rejection pile is where I find the people who I want to hire for my team, or I say, they'd be great fit for operations over here. We're looking for this, or they'll be a great person over here on the DevOpsSec team over here. And so I tell people that's where AI and ATS systems have failed. And then the other thing you have just warning people out there is you have people who are using platforms out there that will help you tweak your resume to meet exact job description. And if the people aren't using that, these other people look like [00:14:00] they are your top candidates, maybe, for that position, when they're not.

They're the people who knew how to fool the system. And I won't get into is that good? Is that bad? And all that kind of stuff. But I tell people, so if you're going to do that, you really should maybe think about, am I going to spend more time to have people like looking out at LinkedIn and some of these other platforms to see who are being the thought leaders who are talking about a lot of things and then reach out to them saying, Hey, are you potentially open?

That's one thing, I think that AI has done a disservice is because you can fool AI. You can make them look like you have experience where you don't, so you can get in the door and it can be used to drop great candidates. That's one thing I see that's going on consistently. 

Jo Peterson: Yeah, and you're sparking something as you're chatting with me, something that comes to mind.

Shout out to my friend and tech leader, Janet Shines. She taught me a lesson. Janet is a very successful business person now. She used to be the vice president for Verizon Wireless. [00:15:00] And she said to me, Jo, you've got to encourage young women to apply. And I said, what do you mean? What's the problem?

And she said, the problem is they disinclude themselves. They, young women, unlike young men, and you probably know this, but I want someone to hear this. I'm hoping some young woman out there hears this. They look at a job description, and a woman thinks unless she has everything listed in that job description, she doesn't apply. And a young man will look at the job description and think a completely different way. He'll be like, ah, I got 50 percent of it. I can learn the rest on the job. Completely different mindset. We as females disinclude ourselves. We don't even apply for jobs that we don't have everything perfectly that they're asking for.

And who knows who wrote that job description? [00:16:00] Maybe it's pie in the sky to begin with. Maybe a junior security person would never have all those certs that they're asking for, for example, right? But somebody in HR said, Oh, that sounds good. Let's include that because that'd be a bonus if they have it. But do they really need it today to do the job?

No, probably not. But that kind of stuff happens all the time. So if a young woman is out there listening to this, I want to encourage her to take a chance and apply. And I loved your idea about reaching out to other women on LinkedIn that you think are just cool. I'll send a female CISO an invite.

I apologize, female CISOs in advance, but I think you're cool. And I send you invites sometimes because I think you're cool. So there's really nothing wrong with being like, hashtag nerd, and fangirl them because [00:17:00] they're, like, to me, they're, if they've made it that high up in a they're just, they're amazing.

So I want to know them. 

Dr. Rebecca Wynn: The one thing I always say is, I always tell my HR, I said, if there is any woman's resume that comes in for the position now, watch me next time. I have 10,000 of them and I said, I want to see them.

And then a lot of times, even though they don't fit the position I've asked, I said, can you set up a 25 or 30 minute conversation with them, just say you're not a right position for right person for this role. But Rebecca is willing to go ahead and speak with you for a half hour, 45 minutes, just to go ahead and, to see what you're looking for and see, she might be able to help you get to that best opportunity.

And I encourage other women out there to do that. And even if you are not a woman, you're a man and you're looking for a position, I encourage you just for the greater good, randomly go ahead and pick maybe five people out of the pool who [00:18:00] were rejected because they didn't meet the requirements and go ahead and meet with them. I try to do that all the time. You can't do it 24/7 because you do have to earn a living, but I encourage people out there that as people are applying for jobs, they're doing so for reasons they want to make some sort of core change in their life.

And if you can pay it forward and look at the pool that did not make the cut. And even if it's just a random draw, see if you can go and meet with a couple of people and help them out on a mentorship because I mentor, I know you mentor as well. And I think it's important going forward that we consistently do that in the world, not just our profession, but in the world.

Jo Peterson: That's a lovely thought. It's a little chunk of time, of your time, and I always think about the fact that somebody held their hand out for me and gave me a chance, right? Because I was unlike the other candidates in the pool. I was telling my friend the other day, I have a picture of myself [00:19:00] in an early engineering role.

And at the time, I'm going to date myself here, but all the guys wore white and/or blue long-sleeve shirts to work, so you can figure out what year it was. But that was the time, and I forgot we were having a picture. So all the engineers had gathered and I had worn a bright pink top, and because I was the only female they stuck me in the center of the picture, and I literally, Dr. Rebecca, looked like a sore thumb.

I was literally and figuratively the sore thumb, and I think about that sometimes because nobody else looked like me, right? I'm just saying there were, I know there were other female engineers, but it was way before social media. And we were lucky to have email addresses at that time, and I didn't know anybody else like me, then.

Dr. Rebecca Wynn: Well, it's still a bit that way, and [00:20:00] one thing I encourage everybody to remember is each and every one of us is a unique being, and so really go ahead and sit down and what are the unique skill sets that you bring?

So when you go ahead and get into these positions, it's easy at times to feel like you're an imposter. Should you belong? You should belong. And if they don't make you feel like you belong and you have value, shame on them. I always tell people they're probably not going to change and I know this is contrary to HR, but if they're really not going to change, and that environment's not good for you, go ahead and see what lessons that you've learned, appreciate the lessons you learned, and then move forward to a company that can appreciate you.

Today, when we look at cloud, one of the things it seems like we're having a data breach every nanosecond.

What do you think is going on there? It seems like security governance, we're behind the curve. We keep being behind, but I keep telling them if we don't make sure the [00:21:00] cloud is secure, the rest doesn't matter as much.

But what do you see? What do you think about what's happening right now with security in the cloud? 

Jo Peterson: Let me tell you that I think that people have become, teams have become more aware. IT leadership has become more aware. Folks are doing a good job trying to secure their environments. But it's hard, and part of the hard is that the tools are disparate, so if you want to look at one function, you have to log into one tool and then if you want to look at another function in terms of monitoring, sometimes you have to look into another tool and then you're expected as an analyst to correlate the data between the two tools and understand.

So there's that problem. There's the problem of false positives. [00:22:00] So I'd read a study and I'm going to get the percentage wrong here, but it was high of based upon that. The gist of it was based upon the number of alerts that a SOC analyst gets, he or she doesn't have time to look at them all. So they just ignore some of them.

And the percentage again was pretty high, right? So if you're ignoring alerts, is there one in there that's a problem that you've ignored? The third thing is, expectation. So we've shifted all these workloads to the cloud and we have multiple clouds and we expect one human being to be able to know how to secure all the different environments that we as a company have decided to procure.

I want people to understand that every flavor of cloud product, whether it be SaaS, IaaS, PaaS, and every [00:23:00] provider hyperscaler has different nuances about all these products. My feeling is, free up more of the security budget to help these people do their jobs, right? If you look, depending upon the vertical, as a percentage of revenue, an IT team might get 10 percent, 6 to 10 percent of the annual revenue of the organization, totally, for all IT projects.

Of that 6 to 10%, again, depending upon the vertical and regulatory constraints, the security team gets somewhere between 8 and 12%. So let's make it, let's make it in English. If you have a 100 million dollar revenue company, then you're going to get 10%, maybe, if you're lucky, 6 to 10 percent for all of your IT of that total revenue, [00:24:00] and then you're only going to get this tiny portion for security, but yet everything is in more and more, your brand depends on your security.

People don't want to do business. Consumers don't want to do business with somebody that has a bad reputation. They don't, it's starting to matter, right?

Everything security is mattering more and more in organizations. So give these folks a little bit more money to do their job. That's, that's, what I'm going to put my, my hand on the table and pound, right? Is like these, IT folks are doing the best that they can. Why do you think we turn CISOs so often?

It's too hard. It is what we expect from that one human being. They get burned out. We don't give them the tools that they need. We don't give them the budgets [00:25:00] that they need. In some states, they can be criminally prosecuted for not doing their job as it should be. And sometimes it's out of their hands.

They cannot affect change. Maybe the CISO reports to the CFO and the CFO says, you know what, we don't really need that thing that you told me we need, whatever the thing is. So you've just effectively tied this person's hands, but they're on the hook from a legal perspective. I just, it just gets me a little fired up, honestly.

Dr. Rebecca Wynn: I've walked away from either consulting gigs or I've walked away from positions before in the past where it's like, there was no way for me to win. There was no way for me to be able to do the job that I was hired to do with all the handcuffs and shackles. I was being put upon me, but I had 100 percent the liability and I was not going to be in a 6 by 8 cell, if [00:26:00] it's that big, for numerous years, because I wasn't able to do the job I was capable of doing, but not getting the support that I was needed to be able to do the job effectively.

Jo Peterson: That's, they don't get a seat. They don't, it's getting better, but they don't get a seat at the table with the board.

So they don't get to articulate what they really need, which is problematic. So I think that all, and we've not seen the formal reports come out yet, but the increase in AI related ransomware attacks is through the roof. What we are seeing is tech firms, security firms in particular, reporting on the percentage growth that has occurred from 22 to 23, and some of it's double digits.

And it's in those sweet spots of phishing. Where we're seeing AI generate attacks. I'd read the other day that [00:27:00] AI can crack an average password in 7 seconds. 7 seconds. Crazy. I forget what the rest of the stat was, but just an average password in 7 seconds. And then we look at sort of advanced threats, which are coming, which we've, we're starting to see, but we haven't seen yet like vishing.

Okay. Vishing the old days somebody would target an executive and right now they can copy their voice. Full stop. They can copy their voice. So all of a sudden you get a phone call and it says I'm John Jones. This is John Jones the CEO and I need you to do this. I need you to reset my password.

I've heard him speak. It sounds like him.

This is the kind of territory that we're getting into for all the digital media that we believe to be true. Like, I saw a picture, or [00:28:00] I heard a voice, right, is being altered. It's next level stuff that we're going to start seeing happen. So that's pretty scary.

Dr. Rebecca Wynn: I tell companies out there, what you do, you need to have another way for them to be able to validate that is not necessarily on a known personal system or a known system.

We need another way to go ahead and make those communications. And that goes into your business continuity, incident response, really things along those lines as well too. And just because we talked about that, the other thing is what do you do when we see like the MGM, when we go ahead and we see that, Hey, I'm going to go ahead and harm your family.

If you don't go ahead and give up this credential or something along those lines. Are you handling that as a company as part of your tabletops and things along those lines, how to handle it is to go ahead and say this event just happened at MGM, could that have happened to us? And if it would have happened to [00:29:00] us, how we would have handled it. So you can take those real life examples that seem to be happening almost on a weekly basis. And are we prepared and then go ahead and be able to make sure your team knows how you could handle that safely.

Jo Peterson: That's a really good point.

And let me offer, share a tip if I can with your audience, because I encountered this. Unfortunately, with a client, but they were savvy enough. So what they did is they did a series of tabletops, different client than the one we just talked about. 

They wrapped them in an IR blanket. And the reason that they wrapped them in an IR blanket, meaning the commercial vehicle, was then if something occurred, they could utilize the funds that were sitting in there for the tabletop that had been designated for an incident response. And unfortunately it happened to them, they got hit, and because they had the funds in there, they could [00:30:00] initiate a SWAT team to come in and help them right away.

They didn't have to worry about getting funds and getting one of the executives to approve the funds. It was great. If you're able to wrap an IR blanket around a tabletop, or whatever other, a pen test, whatever other security, normal security vehicle that you do, I would encourage you to do it just so that you have that sort of the commercial side of it done.

And then you can get the help you need right away. Doesn't matter who you choose, right? But just have it done for yourself, and that gives you a little peace of mind.

Dr. Rebecca Wynn: Oh, that's great. Unfortunately, our time has totally flown by. I want to encourage everybody to read through the descriptions.

You'll find all of Jo's contact information. We'll have some additional resources in the resource section as well, too. Please go ahead and make sure you subscribe to the [00:31:00] Soulful CXO Insights newsletter. You can do that on LinkedIn. Always like, subscribe, and share the show with other people and leave me comments or reach out to me on LinkedIn on other guests or topics you'd like to listen to.

Jo, thank you so much for being on the show. You're an inspiration. Thank you for sharing all your wisdom and your great tips. 

Jo Peterson: Thanks for having me. I had fun today.