E174 - Joyce Hunter, Executive Director, ICIT (Institute for Critical Infrastructure Technology)

33:42

SUMMARY KEYWORDS

people, cybersecurity, technology, women, organization, debbie, access, privacy, house, standards, risk based approach, call, systems, agriculture, work, relationship, absolutely, security, hacked, secure

SPEAKERS

Joyce Hunter, Debbie Reynolds

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.

Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show, Joyce Hunter. She is the Executive Director of The Institute For Critical Infrastructure Technology. Welcome.

Joyce Hunter  00:40

Thank you, Debbie. Appreciate the opportunity to be on your data diva show.

Debbie Reynolds  00:46

Yeah, well, you caught my attention; you caught my eye on LinkedIn, and I thought, oh, my goodness, I should reach out. You work a lot with Women In Cybersecurity. And I've done a couple of events with them internationally. So it's always of interest to me when I see women, especially women of color in this area, definitely having a strong voice in technology. I would love for you to introduce yourself. Tell me about your role, your journey in cybersecurity, and some of the things that you work on at the ICIT.

Joyce Hunter  01:21

ICIT is a nonprofit 501(c)(3) think tank. We focus primarily on cybersecurity, national security, and critical infrastructure, particularly those that are people-focused, and we have a people-focused mission. And those areas are food and agriculture, health care, water, and finance. And we have been a think tank for about 10 years; we're going into our 10th year if you can believe that. We survived COVID and everything else, and we are coming back out stronger. We typically have our major fundraiser benefit for the year, which is the gala, which is the most sought-after ticket in the DC area; we have probably somewhere around the neighborhood of 75,000 to 80,000 people in our database, and we have a digital library that is free to everyone who is a member of ICIT. So we have 10 years of research and development. So, if you're a college student who is a nonprofit or anybody else who is interested in what we do and some of the speakers that we have had, please feel free to go to our website and take a look at our research. There's lots of information, everything from software bill of materials, all the way through workforce in cybersecurity. So we are really excited about what we do and serving the American people.

Debbie Reynolds  02:54

That's tremendous. That's tremendous. How did you get into this field? What motivated you to move into this technology area?

Joyce Hunter  03:03

I'm an accidental tourist. I don't have a technical background at all. My undergraduate degree is in sociology, which does help if you're in this business, to be able to understand and study people and marketing; my MBA is in marketing. I thought for sure when I graduated from Wharton, that I was going to be a marketer. I always say man plans, God laughs, and I started out as a market research person for Hallmark Cards. Yes, me. I was a card designer and developer, and you got to have a sense of humor when you do those. So I had my first card series was Halloween. How much more fun can you get than that?

Debbie Reynolds  03:51

That's true.

Joyce Hunter  03:52

So back then we didn't have the Internet. And we didn't have laptops. And we used to have to go to each of the card stores and count the cards that were left after and then put it into a system and it would give us these nice little punch cards that you hope you never dropped. And then it would spit out all of the best of the past versus the past, though. That's what I thought I was going to be doing. But as luck would have it, I was transferred to who I was married to at the time in technology. We were transferred to Colorado Springs, Colorado, and I was looking for a job and happened to see a job for a business development trainee. And that's how I got my start.

Debbie Reynolds  04:35

That's amazing. That's amazing. I know you work with Women In Cybersecurity. Tell me about your work there. Your interest there. I really like the organization. I've done quite a few things. So I actually get called a lot from Women In Cybersecurity in other countries so I've done Saudi Arabia, I've done Canada, different places, but tell me about your role in women's cybersecurity.

Joyce Hunter  05:02

I am one of the mentors in Women In Cybersecurity. So, for a certain period of time back in the fall, I had a cohort of women where we would meet every three weeks or so. And they would give us an agenda that we could walk through with them. So by the end of the course, itself, which was about six weeks, then each of the women should have given me the opportunity to review their elevator pitch, to help them refine it, and to help them work on their resumes. Amazing still that a lot of people believe that they can have one resume for every single opportunity that they go after. And that doing a resume is a lot of work. And that you have to customize it for the job that you are pursuing. Because after you've been around as long as I've been around, then you have a lot of different facets to your career that may fit in one particular area and may fit in others. So you do have to have that. And I'm still working with some of them. Some of them actually call and I've tried your suggestions, and this didn't work or that didn't work. We will sit down and go over together. So, I build relationships. I don't build just transactional; I build long-term relationships where I stay in contact with people. I was with Lotus Development Corporation way back in the day. I used to work with Ray Ozzie, and I helped in the development and implementation of Lotus Notes with Ernst and Young International. And I still stay in touch with those people; most of them had become partners and now have gone off, you know, retired, and I'm still in touch with them. And I build long term resilient, stable, fun relationships. And that's what I do with women in cybersecurity.

Debbie Reynolds  06:49

That's a tremendous work. So, I really applaud you for your mentorship. And I can tell you're really amazing at it. What are your thoughts about just women in tech? So I've had this debate a lot. I like to do these types of programs, because I always hear people say, well, why don't we need a women in group? Anything? And so a lot of times, I can sit down and schoolroom as to why that is important. But what are your thoughts about why it's important to have some of these women in groups like women in cybersecurity?

Joyce Hunter  07:22

We need to see ourselves in these areas. In these positions, a lot of times we go to the meetings, and it's usually one of us either ethnic or relationship instances. In a lot of cases, we kind of sit in the corner, and we're not heard, we're not given a voice. We're talked over, talked under, talked through. When we have these women in organizations, then we can talk about some of the challenges that we are facing in those organizations, whether it's women in agriculture, whether it's women in cybersecurity, so we have a forum and a venue so that we can actually support each other and give each other advice and recommendations on how we might be able to overcome some of those challenges.

Debbie Reynolds  08:12

What are some of the things that are concerning you, when you talk to people, women who are trying to break into cyber or privacy or technology fields, I have a thought too I could tell you.

Joyce Hunter  08:27

What I do is I tell them that first of all, they need to go to some of these industry meetings, any of them. It doesn't matter which one it is, so that they can get educated and become knowledgeable, and that they can meet people half the time. And I think COVID did us a big disservice where we could not get out in front of people and actually get to know like I said, building those sustainable relationships, that is extremely important. Because you have to show yourself as knowledgeable. If you're on the phone, sometimes it's very hard to get a word in edgewise, particularly if you have a very strong personality that consumes all of the air on a virtual call. And so when you are in front of a person, or if you publish things out on LinkedIn, put things out in other mediums, like for instance, ICIT, we have a group of fellows that contribute to our digital library, and I write, I write to an organization called my rural America because I used to be the deputy CIO and then the acting CIO at the Department of Agriculture. So, people have come to know me over the years because of where I was and what I did in the past. And I like to encourage women who are coming behind me to do the same thing. I will take them by the hand and say, okay, we're going to this meeting, and you have a thought or an idea, you put your hand up and sometimes a lot of it is because you don't get that opportunity for exposure, you are kept in the back room in the back office, or else you're afraid to say something because you think you might sound stupid. I hate that word. But that's what we have been taught to think. Be quiet and only speak when you're spoken to. That doesn't work in this world. If you don't speak up, you're not going to get noticed; you're not going to get your thoughts out. Don't leave a meeting, saying I should have said, well, you should have, and have your argument set up, somebody is going to disagree with you. Don't be afraid of it; lean into it. And make your points.

Debbie Reynolds  10:41

That's amazing advice that I think anyone can use. One thing that I tell women and technology is that, just like you say, you have to speak up; no one's going to speak up for you. No one can tell your story like you can. And I think some people feel like, oh, I work so hard, I do these things. And then people are going to notice, and they're going to present me forward somehow to other people. We know that's not the way it goes. So being able to really be able to tell your story. Now, it's easier than it's ever been. So I remember back in the day, way back in the day, we want to publish something, you have to have a relationship with an editor or publisher. Now, everyone, you can have your own forum, your own voice posts, your own stuff on LinkedIn, and put your own thought leadership out there. That's really vital.

Joyce Hunter  11:32

Absolutely, nobody's going to do it for you. You have to speak up for yourself. Because everybody has good ideas, there is no such thing as a bad idea. There are some ideas that need to be kept up a little bit longer. But that doesn't mean it's a bad idea. That means that you put it out in the universe, and somebody will come along and aid you in getting that solution or that idea fully baked.

Debbie Reynolds  12:00

Absolutely. I want your thoughts on cybersecurity and privacy. So cybersecurity and privacy are different as we know, but cybersecurity and privacy have a symbiotic relationship, but tell me your thoughts about either comparing or contrast or the differences you see there.

Joyce Hunter  12:24

I think privacy is where you have the ability to keep things particularly data and particular types of data. Out of the eyes and ears of the general public, whether it is health care, or whether it's educational, or other things like that. So there are certain data points, that should always be private, your Social Security number, your Medicare number, those are the things that are private. For the other one, you said privacy and data?

Debbie Reynolds  12:59

Cyber security.

Joyce Hunter  13:00

Cyber security. Okay, so security could be physical, or it could be logical. So the physical security is if you are securing the football stadium, say Lincoln Field in Philadelphia, I'm an Eagles fan, I'll put it out there. So you can secure a facility, you can secure an individual, as far as Secret Service, that's physical security, then there's the logical security, which is, again, going back to data. Going back to keeping that data out of the eyes, ears, and fingers of other people. Ransomware can do a lot of harm. That is the security piece of it. And it's also privacy. So you can have your privacy and your security interrupted because somebody took liberties with the physical security of software or hardware. So I think that there is a big difference. There's the people part of it, which could be the physical security. And there is the logical part, which is physical and logical.

Debbie Reynolds  14:14

Very good. I agree with that.

Joyce Hunter  14:17

Interestingly enough, I'm going to add this one to it. This is what the SEC is trying to get public organizations to understand is, yeah, you can be hacked, but your stakeholders need to know. And what they said is, you have four days, you have four days to report this so that people can make the appropriate protections so that their information is not floating out there in the ether. And all of a sudden they get a call from somebody who has gotten hold of their information and sounds like a real person, but it's not anymore. So I think that you can't run and you can't hide from it. You have to report in four days now. Something I thought was Hilarious two weeks ago, was a company was hacked by ransomware. They took too long to give the attackers the answer. So, the bad guys went to the SEC and reported the victim. I mean, how weird is that? So now you have the bad guys reporting the victims, if you don't respond in time, and a lot of people think, oh, it's not going to happen to me, it's not a matter of if, it's a matter of when. Because you will be attacked, period, plain and simple. That's just life these days.

Debbie Reynolds  15:36

That's so true. Right? And I think the companies that have the hardest time are the ones who think that they cannot be hacked or it can't happen to them. So yes, yes, yes. My thing is, let's say if someone broke into your establishment, once they got in, how much damage could they actually do? Right? That's a lot around people's internal processes and controls and who has access?

Joyce Hunter  16:05

Yes, I call it cyber-physical. So that's a combination of both; you can get the integration of physical and digital systems, which can allow for real-time monitoring and control, especially in agriculture processes; you need to be able to protect things from the dirt to the table. And all of that revolves around both physical and digital systems being protected.

Debbie Reynolds  16:34

I want your thoughts on risk-based approaches to cybersecurity; we hear those terms a lot. But I tell people risk is about activity over time. So you're taking a risk-based approach, you need to be able to show your maturity; what are you doing over time to be able to mitigate or ask for those risks? If you are, let's say you had a breach in the US, you have to report to the SEC, a lot of what they're going to be asking about is what did you do before this? What did you have in place before? So, what are your thoughts there?

Joyce Hunter  17:11

That's right. That's right. It's like when a child gets into trouble, right? The parent or the teacher asks, so what did you do to precipitate this kind of action? The same thing with risk based approach? There's no such thing as taking a test once a year, and this makes you cyber ready? Or cyber secure, the tabletop exercises, there are the interactive tests. I mean, very seldom do you see CBTs anymore, for people to just go through and check off and say, okay, you know, I have taken the test for this year; I’ve got to wait until next year to take the test. And it doesn't work that way. There are a lot of scenario-based exercises that you can take because everybody learns differently. And I think if a risk-based approach, you need to cover everything. For those who learn by doing kinetic learning and those who learn by hearing, you can have them study a scenario and then repeat it back to you with a solution, a team-based approach where you're hearing, learning, and doing where you give them a problem. Then of course, there's a right answer. But then there are various ways in which you can overcome. There's the I always call it the lockout.

Debbie Reynolds  18:26

Almost like the escape room?

Joyce Hunter  18:28

Thank you. That's the word, the escape room. Those are a lot of fun. The first time I did one with my grandson, I think he was probably about 10 or 12 years old; he'd beat all of us. I mean, so you have to have a variety of different ways to meet that risk based approach. One way is not going to do it every single year because people get used to it. And they pretty much figured out what the answer should be on a multiple-choice test without even reading the materials or internalizing it.

Debbie Reynolds  19:01

I agree with that. I agree. I want your thoughts about what's happening in the world right now that's concerning you about either cyber privacy or what's coming up, and you say, oh, wow, I don't know about this one.

Joyce Hunter  19:15

Gosh, I think it is the systems that affect people the most. A couple of weeks ago when we had that breach on the water systems in Pennsylvania and Texas, goes back to also agriculture goes back to health care, anything that touches a person, telehealth, if somebody could get in not giving anybody any ideas, but if anybody could get in and adjust the chemical compound or somebody who was receiving medical care at home, if somebody can go in and adjust the chemical makeup of water that we are drinking on a daily basis. If somebody can go in and adjust the chemical compounds, it's going into the dirt that's growing potatoes, tomatoes, corn, soybeans; that's a concern to me. That people would be mean and evil enough to even think about harming their fellow man is really concerning; the whole geopolitical scenario makes for very, very scary situations.

Debbie Reynolds  20:22

I think especially one of the things you just pointed out about devices. So, Internet-connected devices, IoT devices, for example, let's say someone has a CPAP machine that helps them breathe at night. Those are set by a doctor or physician based on the diagnosis of the person; if someone were to manipulate that, that can actually cause harm to an individual. So the more connected devices we have, the more we need to really think about that security, not only of security of keeping people out of those devices that are supposed to be in but then also making sure people who have access are the proper people who need access. What do you think?

Joyce Hunter  21:06

Absolutely. What was it, Thanksgiving weekend, when we had all those healthcare facilities that were breached? There were so many people that actually died, and people aren't talking about that. They're not talking about that aspect. They're only talking about, okay, you know, we got the systems back up and running. And I don't remember the exact number; I'll have to go look it up. But there were a number of people who actually died because their machines were cut off. They did not get the services that they were supposed to have dispatched going out for the ambulances, the EMTs, that had to go out and actually get people to bring them back into the hospital and get serviced. They communicate with the hospital and healthcare providers on their way in that was cut off. So I think it's horrible that you have to have these, but unfortunately, healthcare and agriculture are two laggards, if you will, in the technology world. I understand that you make money with an MRI machine, and it's paying to secure your cybersecurity infrastructure does not sound as appealing. I don't know whether you remember Debbie. But remember Y2K? Oh, yeah. I was working for Lawson Software at the time. Okay. And we were preparing all these healthcare facilities. Oh, people were telling me, oh, well, where am I going to get my ROI? Your ROI is going to come when you do the system stay up and running. Hello? Right? I would get complaints afterward. Y2K? Well, nothing happened. Yeah, right. That is the same thing right now. Invest in your cybersecurity, and ensure that your people are trained. I can't tell who it is. But there is a head of a major organization.
I mean, people would be absolutely astounded that this person, the CEO of this organization, actually participates in the tabletop exercises of his company because he says that if he doesn't do it, how can he ensure that the people at the rank and file are actually going to do it, he wants to show how serious this is by him participating? That's what we have to get to.

Debbie Reynolds  23:34

I agree with that. And I think there's a gap in cybersecurity training. So part of the gap that you talked about is trying to do this paint-by-numbers training that's very boring, and it's probably out of date because cyber criminals, they're like big four accounting firms, they have call centers, they have promotions, they're very organized. So they have training, too, and they try to figure out what's the best way to counteract that. So we definitely have to be up on that. But there's also one blind spot that a lot of organizations have. And I'm glad that you said the CEO of this company does these tabletop exercises but tends to be executive. So executives tend to likely move up, and in a company, they tend to get additional access and don't get previous access taken away from them. They may have assistants helping them, they tend to be when companies get hacked, a lot of times they go for an executive, because the easier so executive may have more access to maybe a lower level person. But a lot of times when I see some of these trainings, they want like, okay, we want the lower level people to go to all these trainings if they don't even have access to have any more harm, do anything harmful, right? It's the people who don't want to go to training which are these executives, they have all this access. They're not really as close to these technologies. They have access control to systems that they shouldn't we have access to and they're just sitting targets? What are your thoughts?

Joyce Hunter  25:06

Absolutely. I have so many examples, Debbie. So, there is a top-rated college, HBCU. I went in and talked to them extensively about how they needed to cybersecure their organization. I was laughed at. Two weeks after my presentation, they were hacked. When you think about it, and I know people said HBCU, they weren't after the students. They weren't after the money. Think about colleges and what they do. The Federal government invests a lot of money in research, re search, the latest COVID drugs, the latest malaria drugs, the latest diabetes protocols. They invest a lot in not only HBCU, but all kinds of institutions of higher learning. For research. The bad guys want the research. They want to be able to best us or duplicate our drugs and sell it out on the black market. So yeah, I have a lot of feeling about that. Because I think we're sitting ducks, the institutions of higher learning are not taking this as serious as they should. They think that they're after the student’s money, and this particular school was shut down for two weeks. I have godsons that go to that school, they called me because they could not use their student cards anywhere on campus. They couldn't eat. They couldn't access any of their coursework, nothing. I had to get up out of my bed at midnight and drive down. Wherever I drove, let them say, wherever I drove, give them cash, withdraw cash out of my account, drive it down, give them cash, so that they could go off campus and eat. I had to take them because there was nothing around the campus they could access.

Debbie Reynolds  27:11

Isn't that amazing? That story illustrates a huge shift, in my view, about technology dating myself. But back in the day, once I started working on this before, people had emails, computers, and stuff like that technology was taught as an aid to you and your work. Now, it is vital. Absolutely. I had gone to a restaurant like a fast food restaurant, and their computers were down. They realize we can't sell you anything. We can't make anything. We can't do anything without these computers. Right. So I think we need to have more respect and more awareness about how critical our reliance on technology is and be really serious. I think a lot of times in the media, maybe in movies, maybe we get to some movies where it's like Tom Cruise hanging from the ceiling and all that stuff. Right. So I think people sometimes think about those more farfetched threats.

Joyce Hunter  28:13

Yes.

Debbie Reynolds  28:14

As opposed to someone left Fortnite's door open. Someone just walked right through. What do you think?

Joyce Hunter  28:23

Espionage is huge. It is huge. I mean, all we have to do is look at our own experiences. Remember, a couple of years ago, maybe three years ago, we didn't have chicken. We didn't get chicken JBL the right, we could not get chicken because the supply chain was interrupted. We could not get fuel when the Colonial Pipeline was hacked. So it is everything is either IT or OT. Everything is becoming more consolidated. Can you imagine somebody who could get a hold of the energy grid and all of the new houses that are now being built? I mean, everything is connected together? Right? Coffee pot goes in the morning and can't get into your house. My son put one of those electronic locks when my parent's house in Philadelphia, and I'm thinking to myself, where's the key? You know, I'm thinking, where's the key if he's telling me all about, there's no key you just do this? I said, and if the electricity goes off, there is a key I can still have a key to get in the house. And he was mystified. He was like looking at me like, why would you need a key? We are so reliant on technology these days. If you ever ever, ever had the opportunity to go down to the AWS facility, in what is that Pentagon City, they will show you the house of the future. It scares me because nothing will work. Maybe I'm old school. I just want to be able to get to my creature comforts without having to worry about whether I'm going to be able to get into my house, whether the clock is going to work any of that. So yeah, it's of great concern.

Debbie Reynolds  30:06

I'm also concerned about that. So I like technology, and I'm going to take advantage of this. But I'm not a fan of everything that people try to use in a technological way. I'm totally with you on a lot. I recently had a choice; I had to replace some locks somewhere. And I chose the old school; they were the same things like what about the power?

Joyce Hunter  30:30

See, see. Exactly, exactly. I do appreciate being able to auto-start my car on a cold morning from my house, I do appreciate that. But as far as getting into my house, I have to have a physical key or some way of being able to access something just in case.

Debbie Reynolds  30:52

That's very smart, very smart. So, if it were the world, according to you, Joyce, and we did everything you said, what would be your wish for either privacy or cybersecurity anywhere in the world, whether it be regulation, human behavior, or technology?

Joyce Hunter  31:10

Standards. Standards and governance. I was the queen of governance over at Agriculture. Whenever you say governance, people run, Debbie, they do because that makes them accountable. Right. Governance makes people accountable. And people don't want to be accountable. They want to do whatever they want, whenever they want, by always arguing with scientists who say that an electronic microscope is not IT. And I said if it plugs into my network, it's IT. So governance and standards. Right now, it's the wild west as far as AI. And I've read it, I can't remember where, but the states themselves, Debbie, are making up their own standards. That's crazy. That means that there's going to be no communication. I know that the listening audience thinks we're ancient. But back in the day, healthcare was in the same plight; IT systems didn't communicate, and you couldn't go across State lines. And you couldn't do this. There were no standards; there was no regulation until we had the HITS, the Health Information Technology Standards Panel. We're going to have to get to that point with AI. Because right now, everybody's running around doing their own thing, developing their own programs. Nobody knows if there are any real ethical rules for AI development. We talked about it. But is there something that standard that everybody has to subscribe to? No, there isn't. If I were to save the world, according to Joyce, I get on that standard and figure it out really, really quickly, or else you're going to have a mess.

Debbie Reynolds  32:57

I agree with that completely. Well, thank you so much for being here. It's such a treat, though. Thank you for imparting all your wise words. I totally agree.

Joyce Hunter  33:09

Thank you for the invitation, Debbie, and I hope you get the opportunity to do it again. Absolutely.

Debbie Reynolds  33:13

Absolutely. Anytime I'd be happy to collaborate with you.

Joyce Hunter  33:19

And since I'm a Trekkie, live long and prosper.

Debbie Reynolds  33:25

Live long and prosper. Bye bye.
