In this episode, you will be fascinated as our guest shares his journey from studying political science to becoming a leader in securing critical infrastructure against digital threats. You will also learn the importance of understanding human behavior in cybersecurity, the impact of AI on the workforce, and how to effectively use AI to boost your work-life balance.
Guest: Dr. Dustin Sachs, Chief Technologist and Senior Director of Programs, CyberRisk Alliance [https://twitter.com/cyberriskall]
Website: https://https://www.cyberriskalliance.com/
LinkedIn: https://www.linkedin.com/in/dustinsachs
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
This Episode’s Sponsors
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
________________________________
Episode Description
In this episode of the Soulful CXO, host Dr. Rebecca Wynn welcomes Dr. Dustin Sachs, the CyberRisk Alliance, Chief Technologist, and Senior Director of Programs. Dustin shares his journey from studying political science to becoming a leader in securing critical infrastructure against digital threats. We dive into the importance of understanding human behavior in cybersecurity, the impact of AI on the workforce, work-life balance, and the critical issue of neurodiversity in the workplace.
________________________________
Resources
Balancing Critical Thinking with Professionalism: A Guide to Constructive Feedback
https://medium.com/@soulfulcxo/balancing-critical-thinking-with-professionalism-a-guide-to-constructive-feedback-8888542a507f
Enhancing Professional Communication: Strategies for Effective Feedback and Collaboration
https://medium.com/@soulfulcxo/enhancing-professional-communication-strategies-for-effective-feedback-and-collaboration-2f3f3b5f9c38
Effective Feedback in Action: Fuel Growth, Collaboration, and Excellence
https://medium.com/@soulfulcxo/effective-feedback-in-action-fuel-growth-collaboration-and-excellence-5b32dad788a7
________________________________
Support:
Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo
________________________________
For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast
ITSPMagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
Using AI to Boost Your Work-Life Balance | A Conversation with Dustin Sachs | The Soulful CXO Podcast with Dr. Rebecca Wynn
[00:00:00] Dr. Rebecca Wynn: Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. Please take a moment and like, subscribe, and share the show. We are so pleased to have us today, Dr. Dustin Sachs. Dustin is the Chief Technologist and Senior Director of Programs at Cyber Risk Alliance. His passion for knowledge drives his leadership in securing critical infrastructure against digital threats.
He focuses on strategic foresight and meticulously attention to detail to ensure proactive risk mitigation and defense strengthening. Previously, Dustin held leadership roles at World Connect, Performance Food Group, and Centerpoint Energy. A frequent speaker at major industrial events and is an adjunct professor at Lone Star College.
Dustin, my friend, it's so great seeing you again. Welcome to the show.
[00:00:49] Dr. Dustin Sachs: Yeah, it's great to be here. Thank you for having me.
[00:00:53] Dr. Rebecca Wynn: You have an interesting background. One, I believe you started in forensics and then you became a chief technologist and [00:01:00] people might not even know what a chief technologist is. So can you explain to us that journey and how you got into this fabulous world?
[00:01:05] Dr. Dustin Sachs: Yeah, absolutely. And, and it's, it even goes further back from that. I started out, I actually got my undergraduate degree in political science and did a year of law school. Um, I, I got through the first year of law school in the early 2000s and said, you know, what, when you get to the end of the first year, they start asking you, what do you want to specialize in?
What do you want to do? And I was really interested in computers and law and how they intersect. And, you know, I kind of said, well, What are my options? I can go work for the ACLU. I can go work as a government lawyer. And I'm like, but I really want to have money and, you know, like actually be able to like move out of my parents house.
So that's probably not going to work. Um, and it was, it was really interesting was my dad. Who's, uh, who was a forensic accountant at the time had just interviewed somebody who was talking about this field of [00:02:00] computer forensics. And this was. Pre iPhone. So it was really desktops and laptops and servers were, that was it.
So I was like, this sounds really interesting.
And was very fortunate. I was living in Miami at the time, and there were at the time four universities that had university level, graduate level programs. And one of them happened to be in Orlando at the university of central Florida. So I went, went through the program, you know, found that this was really my calling and started out doing e discovery and digital forensics, really kind of got into it, mid to mid 2000s. And was fortunate that we had the economic downturn in 2008 and we had a bunch of people who were leaving companies or being let go from companies that took data with them because they had been there for 20, 30 years.
And, you know, they walked out with data. So I got to learn [00:03:00] how to investigate internal theft or trade secrets, got to end up. You know, becoming a testifying expert, testify at state, federal, local levels, um, in courtrooms. And then kind of as that started to happen, you know, we shifted towards this idea of incident response and cybersecurity becoming a real big thing and got to, you know, work worked for a couple of consulting firms that had large incident response teams.
Um, And was able to work on some very big incident response matters and really found that I enjoyed that. I enjoyed solving puzzles. I enjoyed the investigative side of things. After doing that for a while, really kind of started to realize that I could have a whole lot more impact if I actually worked at a company and could help them internally.
Build their cybersecurity or digital forensics and really strengthen themselves from the inside. So [00:04:00] went and worked for center point energy, started out working in their cybersecurity operations center, then moved over to the GRC team, uh, the governance, risk and compliance team.
And really the security got a knowledge of the security management side of things. And then moved on to other organizations where I was. Yeah. Charged with really getting to build from the ground or mature an existing, uh, program security management program. And that led to, several years of really working hand in hand with chief information security officers.
And then, was approached to come work at Cyber Risk Alliance and really help Impact and educate and create resources for CISOs and senior security leaders to do their job better.
[00:04:49] Dr. Rebecca Wynn: I'm always like, how are you getting around the systems? How are you doing from a social engineering perspective? How are you getting information very easily out of the company?[00:05:00]
I tell people I find behavioral science, social sciences, and cybersecurity really aligned very well in that we should be better educated in those three together.
[00:05:09] Dr. Dustin Sachs: Yeah, absolutely. One of my first managers would regularly tell me when I was doing a forensic investigation, he'd ask, how would you do it? If you were going to do it, how would you do it? And then go look and see if the evidence is there.
It's always to me, I've always been fascinated with psychology and the way in which the human brain works and how we as humans do this, why we do the things we do, how we make the decisions we make. Um, and I found very much that as I've. Progressed in my cybersecurity career. It's always been about understanding how, why the human is doing what they're doing, why the person is acting the way they do.
Why do they click the link? Why are they, why are they trying to take the data? What is their motivation? And then, really looking at how do we make the decisions that we make about Risk [00:06:00] and how do we assess risk as individuals?
Because everything we're made, every decision we make in cybersecurity, everything we're looking at is always, what is the risk to my organization? Or what is the risk? Of that, that could come from this event happening, uh, you know, what's the threat and unders I feel like if we try to understand it in a vacuum and we try to look at it as a very binary thing, we're missing some of the key elements and we're missing some of the best ways to protect people.
, for As long as I've been in the industry, we've talked repeatedly about don't write down your passwords, make sure your passwords are secure. But what NIST , the National Institute of Standards and Technology and other kind of.
Industry guidance finally got caught up to was this idea that we make people change their [00:07:00] passwords all the time is really dumb because the fact that if I'm Force you to change your password. Every 90 days, you're going to rotate the password a little bit. You're going to add a character. Or you're going to make it something else that's easy to remember.
So, you know. Approach it from how can I make my policy work for the individual, as opposed to how do you make the individual follow your policy?
, I've created a policy based on understanding how you're going to act and what's going to motivate you or what's going to deter you instead of trying to make you follow my rules.
[00:07:39] Dr. Rebecca Wynn: That's where I think that the disservice has been from policies and procedures. I have companies who ping out to me very quickly and they're saying, Hey, we're trying to get the 60 million deal. And we don't have, AI acceptable use and how we're going to train it.
Can you write one up real quick? I'm like, of course I can write one up real quick. But that's not going to be worth the piece of paper that it's on. [00:08:00] What are you trying to accomplish? Are you trying to accomplish that you want this piece of paper solely to get that deal? How are you going to mitigate that risk when you do have an issue because of that?
Then they found out that you falsified on the contract and then you're going to deal with those repercussions. Or do you want to go ahead and say, the reason we want this in place is we want our people to be able to To think about what they're doing, why are they're doing it? Is there another way to go ahead and get it accomplished?
That's one of the things that I see is we want this solely to get this and not why is the underlying reasons that we're doing things
[00:08:31] Dr. Dustin Sachs: When you talk about the, you know, AI, that's a really great one because my first question is, well, how are your users, what are your users using AI for? For it, because if you're, if you're writing an AI policy, but everybody in your organization is just using the AI to generate a, more coherent email or to automate their processes or for infer like to understand a topic, you know, one of the greatest things that, for, that I've found for [00:09:00] AI, for example, is to say, Explain to me this concept.
I'm like, , I wonder how I would explain the OSI model, the model of technology to somebody who's in kindergarten. And I. Put that into AI and said, Hey, explain this to me. Like I'm five.
And it came back with this really great example of, Hey, you want to make a cake with different layers and each layer needs to is flavored differently, but you want the cake to taste really good at the end. So, and. It was great. It was like, I could, I could turn to my 12 year old son and give this to him and he'd understand generally the concept of what we were talking about.
That's a great use, you know? And if your people are doing that, why do you want to stop them from doing that? If they're doing their job more efficiently. efficiently, do you really want to be so prescriptive that you stop them from doing that?
Everybody fears AI and says, Oh my God, I don't want AI [00:10:00] making decisions for me. However, when I pose the question of, do you want your doctor determining what disease or, or, or looking at your symptoms that you come in with and saying, I'm only going to make my judgment on what you might have based on my own knowledge, my own education, and what I can research, or do you want to go to an AI and say, Hey, look at the.
Whole breadth of medical information that's out there. And in a few minutes, here are my symptoms. What are the most likely things and have your doctor then making some strategic decisions that way. And most people go, yeah, you know what, that, that, that makes sense. The one that was mind boggling to me is there was a research done, I think it was a year or two ago where they were able to take.
X-rays of lung cancer victims up in the Massachusetts, Boston area. And they, they [00:11:00] put the x rays through AI and AI was able to identify with, with like 85 to 90 percent accuracy, um, Instances of lung cancer, six or seven years prior to when the doctor identified it. And now you're talking about saving lives by using AI instead of the doctor or the radiologist having to kind of use their judgment.
So there are really good uses for AI. And I feel like we've taken at times this idea of the policy has to be black and white, you know, one way or the other. And that's a very dangerous thing. That's why looking at it from a, that human element and how does it impact humans is a really important thing.
[00:11:47] Dr. Rebecca Wynn: It's interesting. Cause when we talk about technology, I mean, AI has been around since 1950 and machine learning has been around since 1960. We've been correlating data for a very long time. We can do a lot more efficiently now. And the one thing I do like about. I'll [00:12:00] call it AI 2. 0 for lack of a better term right now, next gen AI is the correlation of data.
And I think the workflow analysis and process improvement is something that has been lacking in technology. At least, I mean, maybe you would say that development might've had that with all the scrums and stuff like that they've had, but generally speaking, from a cybersecurity perspective, we haven't had that as much.
And that's the one thing that I see that we might say, here's this workflow and it's hicking-up for some reason. Can you give me some reasons that you might see that could be hicking it up. You still have to do the mental analysis. I think people who go ahead and say, it just said this, therefore I'm going to run with it and not taking the human critical thinking.
That's always the danger point, but we can be using it a lot more respectfully, I think in cybersecurity.
[00:12:50] Dr. Dustin Sachs: I mean, we saw, we saw what happens when you blindly take what the results come, come from, uh, an AI in New York with the lawyer who filed the [00:13:00] legal brief and basically said, create, you know, file the legal brief or write a legal brief and give me all the citations.
And the AI did what it was supposed to, , it gave a citation. It did not, it was not programmed to give an accurate citation. To give a citation, it made it up. It did what it needed to do. So we'd achieved its mission, but it was false. And the guy sends it in and you know, the other attorneys go, this is crap.
We can't find these. And, you know, to your point as well, I mean, the, the efficiencies I've had numerous CISOs, including the CISO I worked for at world connect, who would say, you know, whenever they were asked the question, is AI going to take my job?
The answer was always, AI is not going to take your job. Somebody who knows how to use AI is going to take your job. And I think that's the, that's the, the, the value of it. And what you were saying, you know, the workflows, if you can make yourself 10 percent [00:14:00] more efficient or even 1 percent more efficient.
You know, I think of Andy Ellis's book, 1 percent leadership, you know, if you, or nudge theory, if you can make yourself 1 percent more efficient each day using AI. You're going to make yourself really efficient in a year. And now all of a sudden you're, you're able to do the things that are otherwise mundane and not that creative and not that fun.
And you can now focus on the fun stuff.
[00:14:30] Dr. Rebecca Wynn: . I think another part, just because we're talking about CISOs, CISO burnout is big. And I'll be honest, I've been massively burned out before. Yeah, but the 1 thing is, is that when you go ahead and we can look at some of these efficiencies, sometimes we can go ahead and we can see, you know, how can I stack those activities to take less time?
And I think 1 of the things that we have to be careful about, let's say we were working a 60 hour work week and we use some of these tools and AI's to allow us to be able [00:15:00] to work a 45 hour work week efficiently. Fight tooth and nail. That those other 15 hours don't get eaten up again by work. Instead, they need to be, I think, really eaten up by work life balance.
And I think that it helps people then, how can I have a better work culture? How can I have gratitude? That I work for the place that I work for and how can they have gratitude for me because they're getting my best self to allow me to be able to flow better. Is that what you see too? I think that's the critical part of without AI to help us become super efficient and then we're still just doubling our hours.
That's the one thing that worries me.
[00:15:38] Dr. Dustin Sachs: I think it goes beyond AI. I mean, you and I are talking to each other, you know, post COVID and,
I haven't stepped foot full time in an office since then. I live just west of Houston. It is a 30 mile drive to downtown Houston, which is where I worked for five and a half years. I would spend on average each way to work two hours in [00:16:00] the car each way. So four hours of my day alone was spent in the car on a good day.
More on other days. I mean, my wife and I joke, we got our, we got an audible account because of this, because I was just in the car so much that time that I've gotten back since COVID. The fact that I don't, that I don't drive two hours in the car. That's. I mean, that's massive.
That to me is. Vital. And I think what we've found is that not only in COVID, but then you add an AI is exactly the problem that you're running into. You hear people who say, well, but I work more now than I did before COVID because I'm at home and I can work till six 30 and it's no big deal because I'm just going to get up and go eat dinner.
I think we've got to be very careful. That's that is the danger. Of working remote, but it's all, so it's a blessing and a curse. And I think in [00:17:00] order for us to really combat burnout, we've got to understand that even though maybe the paradigm of, the line between work life. Maybe has blurred a bit more over the last couple of years, we've still got to keep that really very distinct line of like, I've put in my time and I'm walking away.
And as cybersecurity professionals, we've got to be better about that because. Everyone knows if you're in an operational role, you might be working weekends and holidays. And, you know, after the CrowdStrike incident, where You know, it happened on a Friday, you know, people had to work over the weekend, but you also know that you would also hope that those organizations recognize that and say, Hey, you know what, take Monday, Tuesday, Wednesday, and you know, don't come in like no big deal.
Like take, take a longer weekend, take a couple days or, Hey, you want to leave a little early today, you know, sign off, go do it. [00:18:00] You know, um, I don't think we see enough of that and I think we need to see more of it. We need to continue to foster that because it's so vital.
[00:18:11] Dr. Rebecca Wynn: Yeah. I've had an issue always with HR is like, because they don't always understand that from a technology perspective. I think they're better now post COVID or like, you know, you've got to work your 40 hours. I would call them wink, wink days. So, Oh, you know, was Dustin there? Yeah. Wink, wink. Yeah. Just was there.
[00:18:26] Dr. Dustin Sachs: And how many organizations, once it hits lunchtime, Friday are kind of like the wink, wink, like you say, where it's like, if you can convince people not to schedule meetings for you on Friday afternoon, you kind of, start your weekend a little early.
I mean, everybody kind of does it. And it was always one of those, like everyone did it, but no one talked about it and it's still very much, everyone does it, but nobody talks about it. But I think it should be less of a stigma behind it and more of a, if you're coming in and doing your work and putting in your effort and delivering, [00:19:00] and you can do that in 30 hours, guess what?
You get 10 free hours of paid time off because you got what you needed done in the week done. You're meeting your deadlines. And if you can do it in 30 hours, what normally takes It takes 40. You're just being efficient and we should reward that efficiency.
[00:19:22] Dr. Rebecca Wynn: Exactly. Don't, don't penalize me or they want to pay me less that, Oh, you know, you need to only work 30 hours a week instead.
So we will pay you less. I'm like, there's a premium efficiency that I think that is missing, um, in the market.
[00:19:35] Dr. Dustin Sachs: Organization won't hesitate to say, well, we 50 hours, but we're going to pay you the same amount. They're not going to pay you more for working a 60 hour a week. But the, but, but the minute you say, oh, well, I was able to get done in, in 30 hours, what took 40 hours, they go, well, okay, well, we're not going to pay you for a full, full 40 hours.
Like we, we don't need to pay you the same. You can't have it [00:20:00] one way and not have it the other way. If I'm more, if I'm efficient, you know, and, and there's not a need. Cool. Like the, this idea that you have to work 80 hours every two weeks and that it's gotta be eight, eight, eight, eight, eight, eight, eight every day.
It isn't the reality of cyber security. If you work a 12 hour day, one day you work a six hour day the next day. And that's okay.
[00:20:28] Dr. Rebecca Wynn: Or you're in wasteful meeting for eight hours a day and then you got four hours after that to try and get your work done.
[00:20:33] Dr. Dustin Sachs: Yeah. I mean, so, so the reality is I think there needs to be a real, the way that we're going to combat a lot of this burnout, not only in just at the CISO level, but at all levels is trusting people, remembering that we're not talking about children in elementary school. We're all grown adults and if you've high, if you're hiring practices, it are to hire people who are less than reliable.
Look at your [00:21:00] hiring practices, not at the people that are in the organization. You know, that's the, your policies are the problem, not the people that you're hiring. They're just doing what they're, you know, programmed to do. But if you, but on the same side, if you've got, if you're hiring good people that you trust and you truly trust them.
Then let them, let them manage their schedules because they're going to be more happy and they're, we've seen over and over psychologically, a worker is going to be more willing to do, put in the effort and do the work when they know , they're being treated with a level of respect and trust that.
That they want. So if you give your people the freedom, you'll actually find that they'll be more willing to do the work because they will, and they'll be more loyal to you because they know that they're getting treated really, really well. They're getting a sweet deal and they don't want to abuse that because they don't want to risk [00:22:00] losing that.
[00:22:01] Dr. Rebecca Wynn: Isn't part of the problem is that we're not doing a very good job of embracing neurodiversity in the workplace, especially cybersecurity.
[00:22:08] Dr. Dustin Sachs: Absolutely. As somebody who, who has struggled with neurodiversity issues for, for years and for my entire life, I think it's interesting because I've had this discussion as well.
I'm on the local board here in Houston of autism speaks, um, autism's in a, uh, a neurodiversity that is very personal to me. And , it's interesting because. If you asked hiring, cybersecurity, hiring managers, CISOs and senior leaders, what are the characteristics you're looking for in a, your ideal worker, attention to detail, ability to spot patterns, a drive and a focus on the industry you're in a willingness to learn all of the things that you would go.
Man, if you've got all those, you're a unicorn. That's what [00:23:00] neurodiverse people typically have. Those are the characteristics of those people. Some of the people that I know in the industry, there are some of the best. And some of the people who every one of us looks up to. Are neurodiverse. It's an area.
It's what makes us good in technology. It's what makes us good in cybersecurity. So why aren't we embracing that? Why aren't we embracing the fact that you don't have to be the company man or woman? Was the, you know, picture in Mad Men and, the 1950s and 60s, like there are reasons why that those mentalities have long fallen away and why we look at that and go, , that's an era that we don't want to go back to, I think.
Anytime you're excluding people who have a passion for things you're missing out and to sit there and go, well, you don't interact with the world the same way, or your [00:24:00] people skills aren't, I mean, there are plenty of roles that you can have in cybersecurity where quite honestly, and you know, and unfortunately, crudely, you don't need to have people skills, a SOC (Security Operations Center) analyst.
Doesn't necessarily need to have people skills. You need to be able to look at patterns. You need to be able to analyze, you need to be able to run down rabbit holes, all of that. Certainly people's skills are going to differentiate you, but , if you don't want to interact with the world, there are jobs that that's okay,
You're going to be amazing you know, not everyone's got to be the one who wants to get on a podcast or be a speaker or, you know, get up and present. Some of us enjoy doing that. Some of us like educating others about it. Some of us interact with the world in a way that we're able to turn it on when it comes to cybersecurity.
I am the biggest introvert. Of all, when the camera is off and the end of the day comes when it, when I'm [00:25:00] inside in my role in cybersecurity, I'm game on. You would never know that I'm an introvert because that's because I'm in a comfort zone and because I'm able to pursue my passion and be around people who are.
Equally passionate, but I think it's also about authenticity and owning your narrative and not being ashamed of it.
[00:25:22] Dr. Rebecca Wynn: When you encourage people to be their authentic self, being able to follow their flow, you can help teach them some emotional intelligence skills because a lot of people who are highly intelligent, we just see things. And think of things differently. But if you lead with an emotional intelligence and that's the only thing you're looking for in an interview, I think you miss out on some really top candidates, um, over and over again.
[00:25:47] Dr. Dustin Sachs: Some of the best leaders are that I've experienced in my career are those who.
By all outward accounts, lacked emotional intelligence. [00:26:00] Because of the persona that we expect from a leader, you know, even when you look at some of the top leaders out there, the people who everyone turns to and, and, and puts as a leader, if you really look at them, they're people who are.
Who don't fit the mold of the, you know, the perfect leader, Steve jobs, by all accounts, was a horribly harsh person to the people he worked with. Elon Musk, by all accounts is a horrible person to the people that they work with, but we look at them and we go, that's a leader because they've got this skill, this ability , to motivate us to do things.
I mean, you look at those people and you go, you know what, yeah, you might not have people skills, but you're a leader because. You've got this characteristic that nobody else does. [00:27:00] For all their flaws, they're outside the box thinkers. I think back to the.
Apple commercial, the think differently commercial. If you remember that commercial, it was, you know, those, it was the, the quote from, I believe it's, it's, uh, I think it's Picasso who made the, who did the original quote, which was those who are, who are crazy, crazy enough to think they can change the world are usually the ones that do.
And that, that quote to me, that think differently concept really embodies What we look for when we look for leaders, we're looking for somebody who's going to look at the world differently and go, I'm willing to do what people don't think is possible. One of, by all accounts, the most motivational presidents of all time, John F.
Kennedy stood up in 1961 and said, we're going to go to the moon before the end of this decade at a point when we knew zero, literally zero about how we were going to do it. Um, Everybody said, Oh my God, you're crazy. We're never [00:28:00] going to be able to pull that off. And we did. Um, and it's because people said, you know what, if he's crazy enough to think we can do it, maybe we can do it.
[00:28:11] Dr. Rebecca Wynn: Unfortunately, our time is totally flown by. I want to thank everybody for joining us on this episode. Please make sure if you haven't already like subscribe and share the show. Please go ahead and subscribe to the Soulful CXO Insights newsletter that's available on LinkedIn. Dustin, thank you so much for sharing your insights and being on the show is awesome having you here today.
[00:28:33] Dr. Dustin Sachs: Absolutely. It was great to be here and I would encourage everybody to go listen to Dr. Wynn's, previous, episodes. For my name to be in that same category of people now who have been guests here, that's just amazing to me.