Afternoon Cyber Tea with Ann Johnson 1.9.24
Ep 88 | 1.9.24

Afternoon Cyber Tea x @CybersecurityGirl

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea" where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the frontlines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Caitlin is a leading influencer with a cybersecurity-focused social presence, primarily on TikTok and Instagram, where she provides insights on data protection, privacy, and cybersecurity. Previously, Caitlin was at the helm of TikTok's Global Cybersecurity Advocacy and Culture Team, overseeing both internal and external cybersecurity awareness and educational initiatives. Before her time at TikTok, Caitlin spent nearly a decade in cybersecurity consulting. Welcome to "Afternoon Cyber Tea," Caitlin!

Caitlin Sarian: Thanks so much, Ann, for having me. I cannot wait to be on this.

Ann Johnson: I was really, really excited to have you on the show because I've been watching your videos on social and, of course, they're very viral. You know, you have more than 400,000 followers on TikTok, more than 380,000 followers on Instagram. You post videos on YouTube and you run a community and also offer training courses on cybersecurity.net. So as we're thinking about the "Afternoon Cyber Tea" audience and allowing them to get to know you a little bit better, can we go all the way back before you started dedicating time on TikTok and Instagram? What first got you interested in cybersecurity, and why have you stuck with it?

Caitlin Sarian: Yeah. So I -- I love this story because it was a very random way of how I got in, and I think that's similar to a lot of people that have been in the cybersecurity field for a -- a bit of time. Cybersecurity wasn't a real, you know, major in college when I was going to university, so I did aerospace mechanical engineering which is completely different. And, actually, I had taken coding classes and they were the worst classes I had ever taken. I barely, barely passed both of the classes that I was, like, forced to take in -- in my engineering degree. And I was applying after my master's degree to do tech consulting because I really did not know what I wanted to do. And when I was going through the application process and the interview process, I actually had met someone from Ernst & Young which is where I had started my cybersecurity career, and she had said, you know, we're really -- we're starting our cybersecurity program. Would you be interested in trying it? I'm a problem solver. I love learning. And so I didn't want to tell her that I was really bad at coding, but in my head I was, like, whoa, she doesn't know how bad at coding I am but, like, sure. Like, I'll -- I'll give it a go. And she goes, you know, you don't have to stay in it, but we can train you and then see if you want to stay in it or go a different tech route. And so that's kind of how it started. It was very random and I honestly have very similar thoughts to what the majority of the public think about cybersecurity which is hacking and coding. And what I found when I got in was it was -- it was very different than that. There was so many other areas of cybersecurity that you can get into and that you can learn that has nothing to do with hacking or coding. So that -- that's how I got in and I -- I've thanked the Lord every day that that happened because I have -- it's changed my life.

Ann Johnson: That's phenomenal. You know, I also came to cybersecurity accidentally. I'm a bit older than you, but I have been in cyber for a long time. But it wasn't my, you know, career choice, nor was there really a cybersecurity career. A lot of us who came in -- I had a network architecture background and did a few other things, and we came in accidentally. Right? Suddenly we're now cybersecurity people because we understand, you know, the infrastructure. So it's great to hear that we're still bringing people into the industry from really unique backgrounds because I think it's needed if we're going to have a robust security ecosystem. Yeah. So tell me -- what was the genesis for the @cybersecuritygirl channels, and what has your experience been so far? You -- you do this phenomenal work. I actually was watching some of your Instagram videos just to, you know, prepare for this episode, and I was really impressed with the way that you take difficult concepts, and probably concepts that me and others who have been in cyber too long have made really difficult. And you take them and you break them down in a way that folk -- the average person who isn't a cybersecurity professional could understand. What type of feedback are you getting from your audience? What's your experience been? How are you enjoying it?

Caitlin Sarian: Yeah. That's a great question. So I started Cybersecurity Girl because I really -- I knew that if I was creating a TikTok account back in the day -- and, by the way, I didn't create it until I saw that they were moving over to the U.S. platforms and databases and they'd partnered with Oracle. And that -- at that point I was, like, you know, I really want a platform for good. And so I was thinking about, you know, what would little kid Caitlin want to see? What value can I provide her I could hopefully provide for the next generation? And that's why -- that's actually why I love TikTok because it's really reaching a completely different demographic than any other platform. And so when I was thinking about, you know, how can I make a difference for the next generation, I went through, okay, well, I was an engineer and there weren't very many engineers, and especially mechanical -- I think it's still at 5%. So maybe I'll deal with mechanical engineering -- one. And then I realized I always get asked about my degree. No one really knows what it is, and I would absolutely love to bring more people into cyber. So I started it with, you know, a few main goals. One is to get more diverse backgrounds in STEM. And the other is just to train people to -- like, help them understand and see themselves in cybersecurity. So help them understand what cybersecurity is and then teach them how they can get in, and so they can also, yeah, see themselves in this field because we have so many open job -- open job listings and there's just -- I think there's a lot of people that are scared to even make the jump into cyber because they think it's this, like, big, scary monster. And so that's how it started. And it continued to go in the direction of just educating the general public on what cybersecurity is and how they can be safe online as well, mostly because of my mom and my grandparents because they'd always ask me questions. 
I'm sure you get that all the time, Ann, of, you know, when people find out that you're in cyber, they ask pretty much any technical question, even to "can you fix my printer," which I get a lot, surprisingly. But it was more just educating people so I wouldn't have to do it every single time when I got home. So any question my mom asked or my parents asked me, I honestly turned it into a video, and those were the ones that actually went really viral. And I've gotten incredible feedback. Like you said, I -- I absolutely love bringing, you know, our cybersecurity lingo, like our -- I feel like we're in our own little club and a lot of us feel, you know, really cool to be in this club 'cause no one else understands what we're talking about. But I actually feel the opposite. I just want to bring more people into the club because it's changed and impacted my life so much and, honestly, if we continue with this stigma of, like, only certain people can get in, you know, the -- the U.S. is going to be behind many other countries if we don't have, you know, all of the different, diverse backgrounds coming into this field, the cybersecurity field. So I've gotten surprisingly very good feedback from a lot of people. At the beginning it was a little rough. Sometimes I'd get some negative feedback because there's the super techy coders that wanted to keep their safe space their safe space and they didn't like me coming and saying that you didn't need to know how to code to get into cyber. But, besides that, it's been -- I mean, it's been incredible. It's a community that's been built and it's taken off more than I could ever imagine. And the way -- way I do this is honestly I, again, wasn't ever really that technical. Like, I just like problem solving. And so every time I create a video, I just think, okay, how -- how did I learn how to do this because this is not, like, normal for me. Like, I have to break it down for myself. 
And the way I break it down myself is the same way I break it down for everyone else. That's the way I understand. So it's been really cool to see that process and continue to -- to grow and -- and learn.

Ann Johnson: That's fantastic. And, by the way, I agree with you. We've been talking for -- for years about the need to have diversity of talent. And that doesn't necessarily mean, you know, man versus woman. Right? Diversity of talent in cyber means we need people from a lot of different backgrounds, educational backgrounds, experiences, work experiences because we have really hard problems in the industry and if we all look at them and try to solve them the same way, we're not going to solve them. Like, you get this group think. So I love the fact that you're challenging the paradigm and opening up the industry, and we're not talking in that vernacular that can be -- you called it a scary monster. It's right. When we talk about things like detonation chambers and sandboxes, it turns people off because they're, like, wow! That sounds really militaristic and I don't know if I want to do that for a living, when it's really pretty basic. Right? And the fact that you can break it down to those basics is so meaningful. So I want to talk about some of those basics that you talk about. In your opinion, what does it mean to actually be cyber- and privacy-aware?

Caitlin Sarian: Yeah. So the way I'm taking this question is for the general public. And for me it -- it just means for people to understand that anytime they're online, anytime they download an app or a software, anytime they, you know, are inputting information into a product or service, data is being collected on them. It's being used, it's being sold, they're being tracked. And I just don't think people are aware because there was such a boom in technology in the last, you know, ten, fifteen years that we're just trying to keep up and we want to take advantage of all these cool new -- cool new things. And what we don't realize is that when we're taking advantage of all these things, they're also taking advantage of us in some way, shape, or form. So I think, for me, it's just educating the public to let them know that it's all fine and dandy if they want to use these apps. It's all fine and dandy if they want to, you know, use IOG or whatever it is, but know that they're giving up some of their freedom. Not really freedom -- I guess their data -- and that it's being used in other ways that they might not realize. And so it's just -- it's just that awareness for them because -- and then also teaching them what to do with it after that. But, in general, it's just overall understanding and awareness that every -- everything they do online is pretty much tracked.

Ann Johnson: I think that's great. And I don't think people realize that. Right? I -- I think that this generation -- and I have a daughter who's, you know, early twenties. Right? They are much less concerned about privacy. They put everything online, and I don't think they realize that the internet is forever and everything they're doing online is tracked. And, you know, twenty years from now this could come back to you. So just so -- you -- you can still make those choices. Right? You can still make the choice to put all of those things online, but understand the impact of that choice. So I appreciate what you're doing.

Caitlin Sarian: Yeah. Exactly. Thank you. I appreciate it.

Ann Johnson: Let's pull that thread just a little bit more. Let's say someone's at the very start of their journey to better understanding cybersecurity and data protection, and we can apply this to the general public because, believe it or not, employees of a lot of companies are the general public. There aren't -- you know, even in larger corporations there are a lot of folks who really don't understand security, other than what is being fed to them by the corporation. Right? So what are the top five critical tips or recommendations that you give folks who are just starting on the cyber awareness journey?

Caitlin Sarian: Oh, man. Okay. So -- that's a loaded question. We'll -- we'll walk through it. I think the first is understand, like, what accounts and who has your data. And the way I do this is kind of taking an inventory. So the first thing I do is look through my emails. I look through my emails to see what companies are emailing me. What I've done with those companies. And if it's companies that I've, like, never used or used one time, I go to their website and I request to delete the data. Ask them to delete my account, delete my data. A lot of people just press "unsubscribe," but they don't realize that pressing unsubscribe doesn't really do anything. It just opts you out of email lists, but this -- this company still has you. So take an inventory. Go through your Google or, like, your Gmail or anything like that, any of your emails, and see who has your data actively. And then what I would do is Google yourself because a lot of people -- I know it sounds -- self-indulging, but it's actually not. There's so -- that's a great way to see what information is out that the internet has on you. And for me it's -- you know, you can see tons of data brokers at least in the U.S. that have a ridiculous amount of information -- like, personal information on you. And start requesting to delete it. I think those are the two main things. It's just understanding who has your data and then also you can do this by -- by looking at your home screen, seeing what apps you have. If you downloaded an app a while ago and created an account, don't just delete that app. Go request -- have them delete your data. A lot of people just think, like, unsubscribing or deleting an app automatically deletes you from that system. It doesn't. You have to actively request to delete your data off of those apps and platforms and softwares. And then, moving forward, just signing up for as little as possible. 
Like, if you could continue as a guest, I would highly suggest continuing as a guest if it's something that you don't use that often. And then when you do continue as a guest, I would make an email that is really only for kind of one-off, random stuff so they don't have all your personal data. For example, if someone were to get into one of your emails, hopefully it's only your kind of junk email stuff. I always use a -- there's also a lot of services that actually offer the ability to generate emails and passwords and phone numbers and designate them to specific websites so you don't actually have to give your real email. So I would just, again, sign up for as little as possible. You want to try to minimize your digital footprint as much as possible. And then also, again, start deleting your data off of the data brokers' websites. That -- that's really big in the U.S. I mean, the issue is any time you do anything, basically, every few months it ends up being back on data brokers. So I actually partner with a company called DeleteMe because I don't have the time to go through hundreds and thousands of data brokers to delete my data every couple of months when it pops up. And then when it comes to permission, give as little permission as possible. So, like, say for example if you're going on a website and it asks you for cookies, it's -- don't press "Allow All." Usually there's a button that says "Manage Cookies," and I only allow, like, functional cookies. Or if an app asks for permission to get your photos or push notifications or anything like that, I literally minimize the permissions as much as possible. I am trying to give the least amount of privilege while still being able to use them. And so those are kind of my top five is, one, understand the accounts you have. Take an inventory of your emails. Two is, kind of, Google yourself. See what's out there. And then moving forward, it's try to sign up for as little as possible. 
Delete your data from the data brokers, and then, again, this -- this is give as little information as possible and don't allow permission for everything.

Ann Johnson: I think that's phenomenal. And we are really aligned. And I'm glad to hear you say it. I'm going to make my family listen to this because every time I give them this advice, much like many of us, they just kind of -- I get the eye roll and the, okay, you're paranoid. And so it's great to hear that validation, and it's really good advice. And I -- I captured the note on DeleteMe because I'm not familiar with them and, much like you, I don't always have the time to go through and see where I am. So that's fabulous.

Caitlin Sarian: Yeah. They're -- they're a lifesaver. I -- I used to literally -- I mean, some of my first viral videos were showing how people can delete their data off of, like, specific data brokers. But there's literally hundreds of them and it -- they pop up, like -- like every couple months because it's -- I don't -- I don't know where they're getting all this. I mean, I have an understanding of where they're getting this information, but it's -- I don't want that. And I sort of -- I gifted that to my family, too, because it's, like, I don't want my family to be tied back to me. Like, I don't want -- they just -- they just need to delete everything.

Ann Johnson: That's great. Well, let's keep going. Some of your videos are drawn from current events and the headlines. And we're at the beginning of 2024 right now. So are there any current trends you are seeing as you're doing your research? And what do you recommend your -- you know, the folks that watch your videos, the listeners of our podcast, what should they be looking out for right now?

Caitlin Sarian: Yeah. So there's a lot of current trends, and I think I'll stick with two. One is social engineering. It continues to just be ridiculous. And that's really -- that gives us, like, the key to the castle. Right? We're the ones that they're trying to trick, so that's why I love being able to do awareness pieces on this so people can understand that they have the power to prevent stuff like this from happening, whether that's in your company or in your own home. Social engineering continues to -- and that's, for people that don't know what social engineering, that's like phishing emails or, you know, spam calls that are trying to trick you into getting data about you. And they're just -- with AI specifically, and we'll talk about that also 'cause that's kind of the future as well -- but AI is also just making it a lot harder to tell what's real and what's a scam. So as an individual, I just say really watch out for things. If it looks like there's urgency, if it's -- something looks a little off or there's a gut feeling that you have, I would just stop, like, take a deep breath, and then try to figure it out. So one way I do this is, like, let's say a bank emailed me some ridiculous email and asked me to, you know, confirm or send my identity. I would immediately stop, take a deep breath, and then call the bank separately. Don't use the number on the -- the email that they give. Call them. Like, Google them and say, like, okay. This is my bank branch. I'm going to call this phone number instead, and then see if it's actually them. So I think social engineering is going to continue to grow, especially with AI. I think AI is going to make it a lot more hard -- like, a lot harder for people to recognize phishing emails and even the AI voice cloning. That's going to be crazy, too. But -- so it's phishing and then combined with AI. I think AI will be used to really up the game when it comes to hacking. 
But that also means that we need to use AI to up the game when it comes to protecting as well. So those are kind of the two trends. And then also -- actually, may I say one more? Third party management is absolutely huge. We can see that from SolarWinds, and we can see that from MOVEit, which was a file transfer system. So large third-party management company -- large third-party companies that get hacked, it ends up, you know, doing a massive ripple effect and -- and then also we can see that with Citrix data bleed which -- they weren't hacked, but they had an issue. It has a ripple effect and it impacts a lot of organizations. And so if you're not doing your third party due diligence correctly and/or not kind of coming up with the correct contract, I think we're going to see a huge issue with third party management and it's -- it's going to continue to grow. So those are the kind of three -- three things that I think are going to be on the horizon slash or are already here.

Ann Johnson: Yeah. Look, I agree. Phishing is forever. And I want to talk to you a little bit about -- more about AI voice cloning. Also you've talked about things like safety breaches on baby monitors. With these type of, you know, security breaches or online safety issues, we talked a lot about what you think are threats. What -- you know, is there anything else right now that's making you sit up, or any particular event that's making you sit up and take note. And particularly not just in the U.S., but globally we're going into a very large election year. There's a lot of different, you know, elections that are taking place around the world. Do you ever think about how, you know, AI voice cloning and deep fakes and those type of things are going to impact that type of environment?

Caitlin Sarian: Yeah. I start going down that rabbit hole and then I freak myself out and then I, like, pull myself back because there's so many rabbit holes you can go down, and there's so many threats. I think, for me, what -- what scares me, at least right now, is the infrastructure -- hacking of infrastructure. So actually there was a news article that said some water facility was hacked because their password was 1-1-1-1. And it's, like, we're not even teaching general cybersecurity awareness and how important it is to people that have -- have a lot of control with the infrastructure that runs our country. And so my concern is more, again -- and this no -- not surprising at all because I'm in the education and awareness space, but -- is how are we going to continue to educate the people in the field that are -- you know, are pushing the buttons and are responsible for infrastructure that supports this -- this entire country? That was hacked, I think, by, like, an Iranian company. So it just -- for me, personally, it's the infrastructure and also just general training, like, that we need to start focusing on. Obviously, the AI voice cloning -- who knows what's going to happen with the elections. I -- I -- yeah, I can't even understand. I mean, my mind just continues to get crazy ideas about all this stuff that can be done, especially during elections and I don't like going down that rabbit hole. I'm not going to lie to you, Ann. It scares me a bit. But, yeah, for me, personally, it's more of, like, the infrastructure, like, that runs our country that I'm -- I'm more concerned with. I'm not sure. What -- what are your thoughts?

Ann Johnson: No, I love the way you brought that back. Look, cyber people love to have, like, the spooky thing. What's the next spooky thing? And I -- I've actually written and spoken many times -- that's cyber hygiene, which is what you were just talking about, is the thing that actually causes most breaches and most events. It's not the most sophisticated, spooky, new-age thing. It's the fact that you don't have strong passwords, or you're not using multi-factor authentication, or you haven't encrypted the right data, or you have too much privilege which is, you know, sort of that concept of giving too many cookies. Right?

Caitlin Sarian: Yeah.

Ann Johnson: So I love that you brought it back there because that is right, in my mind. Right? In -- in the opinion of Ann Johnson, the right things we still need to be focused on are basic cyber hygiene. And if we don't focus on basic cyber hygiene, including our supply chain which you talked about, it doesn't -- these other threats don't matter because people are just going to use basic attacks. Why would they spend the money on sophisticated attacks if they can use basic attacks to get into your environment?

Caitlin Sarian: Yup. Exactly.

Ann Johnson: Let's pivot a bit. I want to talk about career. You talk a lot about this on your channels and I know that we have a common point of view that, to be in the cybersecurity industry, you don't have to be super technical. You don't have to have every professional certificate or acronym in your headline. You don't have to be a coder. Much like you, I took a -- "a" coding class because I was required to take it. I passed it and I moved on and said that was one of the hardest things I've ever done. So kudos to all the coders out there 'cause it is really hard. Can you expand on how you think about career, and -- and really how you think about career for folks that are trying to break into the cybersecurity industry?

Caitlin Sarian: Yeah. So I think we're now in an age where people are recognizing that they want to get into cyber, but there's not enough education on the different areas of cybersecurity that they can get into. And, actually, I was just watching a video this morning and someone was, like, I can tell when people aren't actually in cybersecurity when they just say that they're in cybersecurity versus when people are and they say, oh no, I specialize in data protection and privacy, or I specialize in acts of management, or I specialize in network security. So what is -- for me, what I see -- what's happening is people are, like, oh, I need to get into cybersecurity and then they'll take, like, a general cybersecurity certification, which is great. Like, those are great. It shows that you love continued -- I love continued learning. It shows that you -- you're interested in cybersecurity and that you might have, like, the very, very standard high level overview of what cybersecurity is. But at this point, I think a lot of companies are needing a little bit more of a niche. And -- and that's what I -- I'm starting to realize is that you need to start figuring out what domain because everyone -- for me, personally, what I see is every -- everyone's first question is, "What certification do I need?" And I'm, like, there's so many other things that you need before certification to get, in my -- again, this is my opinion -- into -- into cybersecurity. For me, I think it's -- you need an understanding of what -- really, what domain you kind of want to start going into. And then, again, some certifications might be helpful, but it just -- to me, they -- they're like a college degree. Like, it shows that you have an education, a general background. But what matters the most is the skill that you can show and prove. And, like, how are you getting those skills? And a lot of people will probably say, well, I don't have a job so how can I show skills? 
But there's a lot of other ways that you can show skills. Like, for example, there's TryHackMe or Hack The Box where you can do exercises there and get -- like, little certificates that show that you did that. You can volunteer. Like, I have a few unpaid interns that have been helping me, you know, build an app. And there's -- there's a lot of places that you can, like, volunteer at. Or if you go to, like, a local coffee shop and help them with their data protection. Like, there's -- there's so many ways that you can show skills. And also it's networking which I hate to say, but I would much rather have someone spend -- let's say you spend fifteen hours studying for a certification. I would much rather have you spend fifteen hours or, you know, five hours studying, like, general cybersecurity -- that domain. Like, let's say you're going to go into data protection. Let's say five to ten hours of studying data protection, specifically. Understanding -- you know, getting involved in groups, starting to talk to people, and then an extra five hours, like, really, really networking with people that are already in that industry. Understanding what skills are going to be needed for that job, what group that you can join, the people that you need to meet, webinars that you can help. You can host -- you can host stuff. So, like, if you're involved in groups in that specific niche, you'll meet way more people. It's a lot better to get a job. I think there's just a lot of uncertainty around what cybersecurity is and how to get in. And it's -- it's not -- in my opinion, you need to figure out which lane, like which domain. And, actually, I've been working on a -- a comprehensive survey that people can take and it will tell them one out of the fourteen domains that would be a best fit for them and their skills. And then, from that domain, really start getting involved in different groups and networking and studying for specific certifications if -- if needed in that area.

Ann Johnson: I completely agree and I love the fact that you're going to help people understand because cyber is a huge field, to your point. People will come to me and say, oh, well, you're -- you know, you're a cyber expert. I say, well, no -- not really. I mean, there's nobody that's -- well, maybe there's a few people that are true end-to-end cyber experts, but I know a lot about a little bit, and a little bit about a lot. So --

Caitlin Sarian: Yeah.

Ann Johnson: -- it's, like, and that's the way cyber is. I know a lot about online fraud and I know a lot about identity. And the rest of the stuff I know a little bit about. Right? And I think that -- that's what people need to understand. And there's so many different careers in cyber. You can do anything. You can be a cyber sales person. You can be a marketing person. You can be a cyber lawyer.

Caitlin Sarian: Yup.

Ann Johnson: You don't actually have to be a cybersecurity practitioner, and I think people need to understand that also. So thank you for doing that hard work.

Caitlin Sarian: Yeah, of course.

Ann Johnson: As I said earlier, we're recording right after the New Year. So I am going to ask you to do something I never do. I always refuse to have predictions for 2024 for cyber or privacy or for the New Year for those things because, no matter what you say, it's probably going to come true. But I am curious of what you're thinking is going to -- going to be prominent beyond anything we might have talked about earlier.

Caitlin Sarian: Prominent, like, from a career perspective?

Ann Johnson: No, from an industry perspective. What do you -- where do you see the industry going in 2024?

Caitlin Sarian: It's actually hard to say. I could have told you that last year which I -- again, like you said, that we kind of -- kind of know where it's going. I feel like we're at this really weird crossroad where companies are saying they want entry-level, but then are requiring skills that, like, no entry-level can attain. And the entry-level folks are not really achieving the skills that are needed for specific jobs. Like, they're getting, like, a security plus certification and are thinking that that's all they need to get. And so there's going to need to be kind of a little bit more upscaling from the entry level. And when I say entry upscaling, I'm not saying, like, obviously, skills that you'd need for a full-time job. At least to show that you're -- what you've learned and put it into practice in a different way. And then I think the companies are actually going to need to start maybe having a little bit of a reality check and, Ann, I'd love to get your opinion on it because you're obviously at Microsoft. But I think companies are going to need to start really understanding and niching down. The other thing I would like to see, which I don't think we are going to but I'm -- I'm -- I'm working with a few organizations to help with this is, if there's a way that we can standardize what the different -- like, let's say we have ten area entry-level jobs, if we could standardize what each of those roles and responsibilities looks like across at least a big organization, it will allow a lot more people to start realizing and understanding the skills they need to obtain in order to get that job, because right now, like you said, there are a million and one ways of saying -- you know, of -- of different teams. Like, you can say network architecture, but then that could just be a SOC analyst. 
Like, there's just -- there's so many interchangeable things, and every single company has different teams and they're pretty much the same at the end of the day, but there are different names. And so it's very confusing for -- for entry-level people to -- to go into the field because there's just too many definitions. And so if there's a way that we can standardize entry-level roles so that people can have kind of a goal and know what -- where they're going, I think that would be extremely helpful, at least for, like, you know, the Fortune 100 companies that are hiring. Like, these are, on average, the ten roles that we need. These are the skills that are going to be needed, the roles that -- like, this is what the role would look like. I think that would be very helpful. What are you thinking?

Ann Johnson: You know, I love that idea. If -- if Microsoft and -- you know, Microsoft and Google and Amazon and Foreboders -- whoever it is -- could get together and say an entry-level cybersecurity architect job is this. These are the responsibilities. These are the requirements. These are the skills we're looking for. It's certainly a worthwhile exercise and I'll -- I'll take that up. I'll talk to some of my peers across some of those companies and see if they're willing to have a -- a common naming scheme, kind of a common functionality. And maybe it's something we can drive through, like, a SANS organization. Right? So that people, when they go in to get training, they're going in and getting really targeted training for what that entry-level architect job looks like. But that's a great idea.

Caitlin Sarian: Yeah. Yeah. I'm working with the U.S. Department of Commerce and, like, NIST to try to figure stuff like this out. So we can definitely try to work together, too. But, yeah, SANS is also a great organization. I just feel like -- feel like if we're all coming together and, like, on a consistent page, it will make it a lot easier and less daunting. And I also think it would make it a lot easier from a training perspective because people that are trying to enter into the field, there's a bajillion trainings and there's also, you know, a lot of universities that are saying, oh, you know, get a cybersecurity degree. And it just -- they don't really -- no offense -- they don't really amount to anything. Like, I don't think a lot of people are getting what they need out of these because they're not mapped to, like, an end goal of, like, you're going to get this type of job and these are the skills that you need. So I think if we -- I mean, we have to come together on those. We're building a bridge to the center and building it back. But, yeah, I would -- I would love to talk to you offline about that, Ann. Maybe we can figure something out.

Ann Johnson: Yeah. And I think going through NIST is great because that's something you can easily land on SANS. Right? And -- and have organizational input because we all talk to NIST. So let's -- yeah, let's -- let's put that on the to-do list for a short -- for a very short-term follow up. So I want to thank you, Caitlin. This has been phenomenal. And I'm a cyber optimist. Right? Despite the rise in overall cyber crime, I always stay optimistic. The reason I get up every morning is because I believe we're fighting the good fight, and it's really, really mission-driven work. What are you optimistic about from a cyber standpoint?

Caitlin Sarian: Yeah. I'm honestly -- I'm a big optimist. Sometimes a little too much. I'm just optimistic about the future of -- of cyber in general. Like, just getting as many people in and -- and the -- the diverse backgrounds of people that are coming in. Like, I -- I get messages from every type of person. Like parents that have been a mechanic and are now starting -- wanting to get a new career. To, like, even high school students that are already prepping to get a job that they don't even want to go to college. So it's really, really cool to see all the different types of people that are interested in cybersecurity. And then I can't wait to see, like, how the world changes with these new people in it.

Ann Johnson: Me, too. People like you. People that are coming up behind you. People that are just career changing. Wherever folks are coming from, we need people. As you said, we have -- we have a shortage of folks that are actually trying to come into cybersecurity and we need folks to challenge the paradigms and bring different ideas. So thank you so much for making the time. I know you are extraordinarily busy, so I really appreciate you making the time to join today.

Caitlin Sarian: Of course. Thanks so much for having me. And I appreciate it. I know you're busy, too, so I appreciate you hosting this. It's so helpful for everyone. And, yeah, thank you again for having me.

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." I invited Caitlin Sarian to join "Afternoon Cyber Tea" because she has such a unique perspective. She's out there on TikTok and on Instagram educating both the general public and people trying to break into cybersecurity, and she does this thing that's really difficult to do. She takes really hard concepts and makes them simple. So she was an outstanding guest and I know you'll love the episode.