The Security Circle

EP 091 Danyetta Fleming CEO, 'Simple Cyber'

Danyetta Fleming Season 1 Episode 91


BIO

Danyetta Fleming Magana is a Certified Information Systems Security Professional (CISSP) and Fellow with the Institute of Strategic Risk Management (ISRM), who founded Covenant Security Solutions in 2003. Her goal is to push the envelope regarding how we think about our information and find new and innovative ways to secure our digital way of life. Mrs. Magana is a Certified Information Systems Security Professional (CISSP), a globally recognized certification in the information security arena. She has been published in the Defense Information Systems Agency IA Newsletter and interviewed as an expert on Federal News Radio's "Mark Amtower Show." In 2001, Ms. Magana received the Black Engineer of the Year Award for the "Most Promising Engineer in Government." She is an advisory board member for the TINYg – Global Terrorism Information Network and the Armed Forces Communications and Electronics Association (AFCEA), International Technology Committee. Mrs. Magana also previously served as a Fellow with the Institute for Critical Infrastructure Technology (ICIT), a Washington DC-based think tank that briefs Congress, Senate, and the Senior Executives of the U.S. Federal government on matters related to Cybersecurity and Critical Infrastructure. Also, Mrs. Magana was a recipient of the Army's Achievement Medal for Civilian Service. Her company was recognized by Diversity Business for 2014, 2012, and 2011 as one of the "Top 500 African American Owned Business in the U.S." In addition, her company was honored in the Inc. 5000, as one of America's Fastest-Growing Companies for 2014. Lastly, her company most recently was recognized by CIO Review Magazine as one of the "20 Most Promising Enterprise Security Companies in 2015". Mrs. Magana is a graduate of the University of Illinois Urbana-Champaign with a B.S. in Engineering.


Social Media Handles:


LinkedIn: https://www.linkedin.com/in/covsec4u/

Twitter: @fleming_magana



Security Circle ⭕️  is an IFPOD production for IFPO the International Foundation of Protection Officers

If you enjoy the Security Circle podcast, please like, share and comment or, even better, leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The Security Circle every Thursday. We love Thursdays.

Yoyo

Hi, this is Yolanda. Welcome. Welcome to the Security Circle podcast. IFPO is the International Foundation for Protection Officers, and we are dedicated to providing meaningful education and certification for all levels of security personnel, and make a positive difference where we can to our members' mental health and well-being. Our listeners are global. They are the decision makers of tomorrow and today. And we want to thank you wherever you are for being a part of the Security Circle journey. Well, I have with me today a very special person. If you don't know this lady and you haven't met this lady, I guarantee you're going to know her and recognize her name. Danyetta Fleming is known as the CEO of Covenant Security Solutions. We're going to find out all about that. Her goal is to push the envelope regarding how we think about our information and find new and innovative ways to secure our digital way of life. Danyetta, welcome to the Security Circle Podcast. How are you doing?

Danyetta

I'm doing wonderful. Thank you so much for having me. I'm excited to be here.

Yoyo

Well, contain yourself. Uh, you might not be saying that in 15 minutes time. Uh oh. Let me just hit you straight off with a hard one. What is good cyber?

Danyetta

You know that I like that you hit me with that question because I'm going to answer it a little bit different from the technical aspects. I'm going to say good cyber is when an organization understands how the information that they manage, collect and handle impacts the individuals that are part of that organization or that are reliant on that organization's services. So it's really broad to say it that way. But at the end of the day, I think sometimes you get so bogged down into trying to define cyber through a lens of technical checklist. And, do you have the server lockdown or what are using OWASP? Are you using this? And we forget to tie it back to what matters the most. If my grandmother's social security number is gone and now she can't get her checks. She's upset, right? The family's upset. If my kids is, um, their private Instagram chat is being, um, siphoned by, um, a hacker or a pedophile, that, that has an impact on my life. And it has an impact on the life of, of the people around it. Bank accounts go missing. So I think if we broaden it a little bit. That's how I look at good cyber. It's when we can have a good level of risk management as it relates to individuals in their lives.

Yoyo

And let's face it, cyber, like you said, affects people. It even affects you and I, but in a slightly different way. We're watching banks go down, hospitals go down, because I'm just using the general language now. We're watching casinos go down. Hotels go down. I don't know. We had a big conveyancing agency here, where all of the legal firms for properties in escrow were all literally using, this business went down so nobody could exchange on their properties. We won't look to CrowdStrike right now, but let's face it, people hear of systems going down, it massively affects them. And we're learning actually that companies aren't necessarily being harmed in the long term around reputational damage.

Danyetta

They aren't, and I think part of that is because people, it's a long list so let me back up a little bit and say it this way. I've been in cyber 20 years and I think one of the hardest parts about cyber is that it's difficult for the average everyday person to understand what does it mean to me, right? You're impacted by it. But if, for example, your information is stolen they here in the States and I think in as well in the UK they just tell you go get a credit report, monitor your credit report, change your passwords, and you move on. And so there's this culture that's built up around, well, that's pretty easy after a while. I can just change some passwords. And long as I'm checking my credit report, then everything is okay. It's not till you get into digging a little bit deeper that you hear the horror stories of people who have lost homes, who have lost livelihoods, who have gone to jail. You have the retirement, people that have lost their entire retirement, as a result. So you don't hear those stories on a day to day basis. And because you don't hear those stories on a day to day basis, what happens is that, the companies then don't get the reverberation. Right, because everyone says well that's a one off right that happened to, Mr and Mrs sales right but it didn't happen to me. And ultimately they get to write off of that but I think that we're entering a period. You know, talking, we avoided the CrowdStrike for a second here. But, when you, all of a sudden, now you can't get on a plane or you have flights delayed. If you're trying to make it to, a birthday, a funeral, a wedding, you know, something important. And now the airport is saying we can't move because of cyber. They had the big casino hack last year and people are standing outside and they can't get in their rooms because of cyber. So now it's getting out of this realm of, let's just correct our, identity fraud issues and cover it up to now this is having real world impact.
So I think you're going to start to see that change. It's just taken a while to get here because it's not until recently that companies have been kind of forced to say that, hey, we've had an incident. And now that we're getting to the scope of incidents, those are so huge now that now we're kind of questioning identity is now becoming an issue. How do I know that this information belongs to this person? It's been stolen 15 times, you know, anyone could have made off and, made edits to that information in that period of time. I think we're getting there where now the companies are going to have to start to answer and people are, um, saying no, there's some real significant costs of this. You know, in the early days you could also write it off, right? I remember the time believe it or not when you could get a cyber policy and you didn't have to say you had security, you could just say, I want a cyber policy and they were right. So

Yoyo

you coming, not

Danyetta

now, right? Not now. They won't write you a policy, even with full security audits. You can have,

Yoyo

you can imagine them laughing down here to going this one. What's the cyber policy. Right, exactly.

Danyetta

They

Yoyo

were

Danyetta

laughing. Like, are you serious?

Yoyo

We'll take your money. Whereas now they're like. They're like, what? Cyber what? What? No, we don't do that.

Danyetta

Right. Right. They're, they're running the other way. But I remember that, you know, it was just like a little rider. They would just come. Oh, you want one? Okay, sure. Take, take it. Let's take your money and, and we'll never have to worry about it. Yeah. Full coverage. No question. What do you want? 5 million, 10 million, 30 million, please. We'll give you a cyber policy. Yeah. Yeah, but can you imagine less than 20 years now? It's you, we literally deal with businesses that are like, I need a pen test. I need this because I can't get a policy and it's like, well, you know, so that, that makes a difference. It's, it's perspective.

Yoyo

There are checks and balances, but we know that they are sometimes, you know, we have this right across the security industry, accreditations and legislations are met, but it's just ticking boxes. Is the practice really being followed diligently? And we know that audits are another way of testing an organization's resilience. But even then, that's just one side of it. And it's not, audits don't cover behavioral issues. They don't cover internal threats. They don't cover apathy, quiet quitting, what I'm finding more often, the more companies I have exposure to is that every time somebody leaves the business, we seem to lose critical data, critical information, procedural information. It could be, you know, a certificate, that's got an expiry date. There you go. A zero day. I don't know yet that the businesses have got a plan to try and prevent this loss of really good qualitative information.

Danyetta

That's absolutely right. And it gets back to the initial question that you asked me, what do I consider to be good cyber security is it gets back to the information and it gets back to how that is handled. And, and then even that gets into the governance structure of an organization. And so what we found over the years is to your point, a lot of people want a checklist. I got, I did everything NIST said, I did everything ISO said, but that's not really cyber security to its fullest extent. It's giving you based off of general perspectives of what we've seen as threats. How can you best mitigate that, but that's not necessarily giving you the solution. specifics about how do you mitigate threats, but then your organization. And oftentimes what we've failed to do too is really look at the human aspect of it. And then also adjust how organizations run to the reality of cyber. Right. I might have a customer service agent and, you know, just, I'm going to give you dollars because we're here from the U S I. So, you know, you pay them 12 to 20 an hour. And then, you know, you're used to them being able to collect information, put that information to the database and, and then you're off. Well, I mean, we're in a world where, you know, you don't know who's calling it. And we see these little clips all the time online where someone is calling into the help desk. I mean, going back to the, you know, it's a, Hey, I'm employee ABC that happens to be off today, but there isn't that structure built into the governance of the organization to validate. One, do we even have employee ABC? B, do we know if employee ABC is off today? And if they're off today, why are they calling into the help desk? You know, like, those are things.
That could be stopped right at the, but the procedures, the processes, how we're governing information in 2024 is not, is, you know, and I, it's gonna sound a little crazy to say this, but I think a lot of organizations built their technology, but they kept their processes from 1984. Oh, some of them go back even further. So we're trying to have excellent customer service, but is that the right way to think about it? You know, if that's the primary way they're coming into organizations now. It's not that they're breaking down your firewall, that stopped probably about 10, 15 years ago, you know. Um, they're not breaking your firewall. They're not coming through your, your intrusion detection system. They're calling your help desk. They're calling your CSR reps. They're looking at the email and the home addresses in the Facebook. So, so when you look at it, it's more a human issue. It's more governance issue. And yet we still haven't fixed that from a cyber perspective. And that gets back to really understanding data, how data moves in your organization, and how do you manage that movement throughout the organization from beginning to end.

Yoyo

Now, you see, I'm really glad you said that. And when people say, I say I work in cyber security, but really, I say, look, all cyber security is, is protecting data. That's all we do. I tell you what I saw that was really impressive one day. It was about a year and a half ago and I was doing an audit on a business, as their consultant and in order for them to satisfy this particular component of the audit, they needed to let me have visibility of some documents. And so we set up a shared folder under NDA, everything that's all very secure. And as they were downloading the documents and bearing in mind, they worked in GRC, governance, risk, and compliance, great segue into cyber security folk. If you want to governance, risk, and compliance is an awesome way to get into cyber. We'll talk about that in a minute. But he said he got a warning come through from his governance risk and compliance department because he downloaded documents that were seen to be sensitive and in such a high quantity that it flagged up. And I'm like, I'm the auditor. It was just hilarious. And I'm like this, like the cat in front of the keyboard, busy day. I'm like this excellent processes, triggers in place, red flags. It's just, it was really cool. What have you seen that businesses are doing that is impressing you right now? Or what are you offering businesses that impresses them?

Danyetta

That is one of the areas I think that people are now starting to look at trying to get automated tools to help flag and help look at those governance structures and start to make that but I do want to say something in terms of that was interesting. I have an old video up on our Covenant YouTube channel, and it might hopefully still there but it's from Kevin Mitnick, who was a big hacker back, I think in the late 80s, early 90s, he went to jail for, he, he got code from Motorola. And the interesting thing was that they had the same, software in the system that you were just talking about, but due to customer service, he said he needed this file right away, and so he was able to actually convince the person to ignore the flags that were coming up and to send him the file anyway. So he went ahead. So he actually ended up getting the code, I think, for the different, various models of the Motorola phone at that time. But, that's to say that I do like the fact that organizations are starting to put more in place from an automation standpoint to at least flag it and give that pause for the individual to say, you know what, maybe I, maybe I need to think about this before I, you know, continue down this path. Um, the other piece that I think is starting to come up is availability, um, a lot more organizations and it's probably because of all the incidents that are happening, but we're starting to see more people take into consideration, um, actually doing tabletop exercises, taking the time to understand what happens when it all goes wrong, um, and realizing that it can all go wrong, and it does go wrong, and you need to have a very, very solid plan, um, to be able to identify that. The other piece that we're doing is working with, I would say medium and small size businesses, around actually getting them to look at risk. And start managing their risk on a day in and day out basis.
I think sometimes it gets to be overwhelming, especially for small organizations to look at that. And so that's one of the things that I've been very excited about is that we have a cyber risk portal, that we've been offering out to organizations and, and with that also getting to look at the supply chain. I think that's been a long overlooked area, where people say, Oh, you know, I've got my stuff together, but we're an ecosystem. And, understanding that you're only as strong as your weakest link.

Yoyo

You took the words out of my mouth. I was just going to say that because genuinely, third parties, vendors, contractors are being used to enter in through the pearly gates of the business, aren't they?

Danyetta

Yes,

Yoyo

yes,

Danyetta

If they're, if they can't get through your help desk, they're coming through your contractors who you're giving access to. The other piece I like is that there's a little bit more interest in actually doing security architecting and engineering, looking at how you lay out the infrastructure so that those sorts of. You know, for the whole big word that came up after Target was segmentation, but that should have been the word the whole time. Everybody can't be on the exact same network. It's still, I was listening to one of the, your prior speakers and you were talking about, a fish tank, someone using a fish tank to get into a casino,

Yoyo

if you know, sorry. And it's called the casino fish tank hack.

Danyetta

Right, right. And it just makes you wonder, like, why do you have your fish tank or any of your IoT devices on the same network with what people, you know, why?

Yoyo

I'll tell you in that fish tank. There are probably think of a James Bond movie. There's one of those fish tanks. It's probably got fish in there worth 20,000. And if anything happens to the temperature, the fish can die. If the temperature variance is low or above certain number. And so they've got them on sensors, which are then into the IoT of things, the mobile phone, if you will. Do to have alarms in case the temperature or the water isn't clean enough and so that's why it needs to have remote access so you but it does not need to be it needs to be behind a fire or with other things but so in fact when I talk to um, people who come to me and say, you know, Yoyo, I'm really interested in a career in cybersecurity. The first thing I ask them is, you know, what, what is it that scares you about cybersecurity? And the responses I get, Danyetta, are that it's all like, I can't code or coding scares me, you know, hacking. It's a bit complex, isn't it? Um, you know, I don't really like to wear a hoodie and be in my room 24 hours a day, uh, in a dark room. Um, and also I don't have qualifications. I don't have, I haven't got a computer science degree. It's not about that now, is it? The cyber security industry has a huge thirst. I mean, let's face it. They took me. Um, they must have a huge thirst for non technical people. Uh, why is this Danyetta? Take us through.

Danyetta

I, you know, I, I, I'm going to go back in the day again. I know I sound like that grandmother like back in the day, you know, but, um, you know, we really, um, the ecosystem of cyber professionals ended up gravitating to the item that really brought in the most money, which ended up being those people that had very strong technical backgrounds. And also technology was really easy to code and create your firewalls, your IDS systems, all of these tools that you see out here and they've got a plethora of them across the space. So, that's where the money went and that's where people went. Um, and it's unfortunate because, in my mind, and this is, of course, Danyetta's view, when we talk about the triad of people, process, and technology, most of the work is with people and process.

Yoyo

Yes, hell to the no. It's not

Danyetta

really with the technology. Nope, because there's people for that. It right. And so when you look at that, you know, that's part of the issues that we're seeing in cyber. People say it's hard, but it's not hard. It's detailed work, and it requires skill sets that go beyond being able to code. Like the coding part in some ways becomes the easier part, right? You definitely need technical skills to be able to translate what I call the people in the process. So when we were talking earlier about governance, you know, I, I need people now. And I'm making that plea to the audience of those physical and folks that are saying it's too technical. No, no, we need you in this field. Because we have so many technical people and some of the ways that they think about things are not the way that we need to be thinking about them. Well, we, you know. Case in point, we've talked about this example about 10 times. See, a physical person would say, gee, why are you calling in? You've never called into this help desk before and asked for your password to get reset. I can look here and see in the logs. So let me ask a few more questions as to why this is happening. And they would have thought about systems and processes to have looked at things from that perspective. That's not always the case because we have people who tend to look at things from a bits and bytes perspective. And so they get really caught in the checklist. So I finished A, and I finished B and I finished C. So therefore I must be secure. And cybersecurity is not that clean. It's not that neat. And, you know, and that's the reason we're seeing these breaches at the level they are. You know, um, one of the ones that, um, recently happened was, I think it was a data. I can't think of the name of the company off the top of my head, but it was a data breach in which almost every social security number, um, was breached by this private company, um, that does investigations in Florida.
And the interesting thing I saw when I was reading is they said, you know, their information was not encrypted. Right. So these are things that, that you're sitting back and you're saying, you know, what, where are the people who sit down and have this conversation to say, you know, let's think about this from end to end. And what does security look like when you're involving people in process, not just the technology, right? The technology is there to have had that happen. But the people on the upper end of that chain who can sit down and say, Hey, you know what? I can spot, um, you know, something fishy a mile away, like we don't have a lot of those people in cyber, and that, that is unfortunate because it's, it's turning into where we don't necessarily have security programs and structures being built in a way to best protect those organizations.

Yoyo

Do you know where those awesome people are, because I do.

Danyetta

They're all

Yoyo

working in physical security, Danyetta.

Danyetta

They are!

Yoyo

Yeah, because they're already risk them over here! They already know about, so they're already doing risk assessments. They already do, disaster recovery, incident management, all of those things. They, they do gap analysis. We're looking to find those security professionals. Who are deeply curious. Like, there's more to my job than what I'm currently doing. I think my job's a bit dull. Do I feel like I'm being stretched? Could I be lured over into the cyber security realm? If only I could find a way to do it that doesn't put me massively out of my comfort zone. And that's when I go, Okay, get used to being out of your comfort zone in cyber security. And I think in security, security professionals are genuinely used to being out of their comfort zone. I genuinely feel like I'm out of my comfort zone several times a day. And then. One day I had this drive on it.

Danyetta

Actually, if you're going to survive in cyber, you thrive on it. I mean, when I started, we were talking about physical servers, Windows NT. I don't want to date myself too much, but I mean, you know, can you imagine that to AI? That's a huge, you're always learning, but that's the fun part to me.

Yoyo

What was it like in the olden days? Danyetta. Well, sunny, no

Danyetta

de I'm sorry. Well de de It's alright. I shaved this morning

Yoyo

and we're back in the room. Bunny back in the day. Yeah, But like if we, if we look at the years of your. Uh, taking Phoebe's words out of Friends, uh, for cyber security and for the internet. What was it like? Remind us how, how, Challenging it was and how unchallenging it was.

Danyetta

It was, it was, you know, it's, it's interesting. I think it was challenging in the sense that no one had thought about, everyone was big on putting everything online, right? You're watching Cisco double half their stock is just going through the roof. Um, everyone couldn't wait to figure out how could they get their own routers, their own servers. Um, you're just watching this happen. And then you're realizing like you don't quite understand the risk level you're taking on. And the conversations were very interesting at that time, because people really all they knew is that they wanted to be online in that, you know, look at all the cool things that could happen. And I think it's important, you know, I'm all for innovation. But I think it was interesting back then that that thought process about, you know, what does this mean once this is all here. That was few and far between. We had people who understood it and were saying it, but they really weren't being listened to because there was so much to be, so much to be done, so much to innovate, so much money to be made. And so when you're sitting there saying, you know what, I'm not sure social media is such a great idea. You know, and everyone's looking at you like, what are you talking about? Like, this is the best thing since sliced bread and you're like, you know,

Yoyo

um,

Danyetta

you

Yoyo

But then you look at the human. You look at the human race and you think, well, we can't really be that smart really because we're treating the internet in its, uh, in its early conception, like we're all running into a race car, taking it for a drive without checking the brakes actually work. Right? Uh, and then all of a sudden we're doing the same thing with social media. We know it needs to be secure. We know it needs to be safer, but no one does anything about it. Everybody just ignores the glaringly obvious. Are we just not that bright as never? Are we going to evolve, Danyetta? This is a big question. Are we going to evolve into the 22nd though, the 22nd century? Crikey.

Danyetta

You know, I, I think we're going to get there if we can get out of, I look at it sometimes, it all boils down to money. A lot of the conversations in cybersecurity over the years, it's all boiled down to, well, I want this and it's an impediment to me being able to do what I want. And so I'm going to go ahead and do it anyway. And here you're going to get the bare minimum that I'm willing to invest. Um, and then we're just going to keep moving and those decisions pile up over the years. Right. So now we're looking at company after company, government after government, person after person, um, like you said, going down. And now we're sitting here having to have some really serious questions, um, about, well, yeah, I can do what I want, but what does that mean? So I almost feel like we're kind of at that teenage years where you finally are starting to ask questions like, I want to do whatever I want, but oh, darn those consequences, you know, and, and that's where I feel like we are with cyber. We're, we're at this point where everyone said, oh, we just, you can't stop. Typhoon innovation. We've got to get this out here. Everybody wants to bank online and it's meant absolutely great things for our, for our world, for our economy. There's no doubt about it, but what does it mean in a world of AI when I can't tell that you're Yoyo and I'm Danyetta, right?

Yoyo

Do you think one day someone might con me and I'm not talking to them at all? I'm talking to their AI.

Danyetta

Ah, that's, that's happening now.

Yoyo

Boy. That's happening now

Danyetta

in some corners, corners of the internet. I mean.

Yoyo

I pity the fool who tries that on me.

Danyetta

No, I'm already looking at having fun with that. I'm going to have different voices.

Yoyo

Are you? What, something like Britney Spears or more Beyonce?

Danyetta

I don't know. I don't know. I'm thinking I might just. Just flip it up. I might do like a Maya Angelou or you know, I love her. Good choice. Yeah, choice.

Yoyo

Gosh. I was working for Yellow Pages in 1999. And, I remember my, my boss, I think he was a director at the time or a manager, and he'd gone away on the Yellow Pages were considered in the day to be at the forefront owned by BT, a British telecom. So they were at the forefront of anything that was technologically advantageous. And he came back and it's 1999. He came back and he said, Oh gosh, I've just seen the future. And we're like, really, what's that look like? Then he said, you know, they just said, basically, when you get a mobile phone, you're going to have like this mobile device and you're going to be able to walk down the street and order your shopping and then choose what music you want. On, on your, on your mobile device, you can play music cause it's going to come from the cloud. And we were like, the what?

Danyetta

You were like, I've seen rain come from the cloud.

Yoyo

It's, it's, it's our boss been out for way too many ciders at lunchtime and he's kind of come back and thought, I've got to tell him something. Um, but, but they were so on point, you know, they were absolutely right. They were. They were, we were getting these little teasers of the future and what was going to happen. And we were like, my God, why would I want to walk down a street and choose what I'm listening to from the cloud? Right. And we all got conned, Danyetta, didn't we? Into this situation we're in now, where we're now dependent, what we do now, every

Danyetta

day.

Yoyo

Every day. Like, I can adjust my shopping order for my groceries while I'm in a meeting. Right. Exactly. Like, right, like I bought a cowboy hat for Texas Night. I know you're not going, but I bought it online at 11:55 PM last night because I thought, right, I've got no other distractions. Uh, the TV's not on, whatever, blah, blah, blah, the cat, the cat sitting on my lap is a harmonious thing. You can picture it now. The dog's not barking, the neighbors are quiet, you know, and I'm like, I've got to get that cowboy hat for GSX like this. So I did. And that's what I'm doing. I mean, and yet years ago, it would have been unbelievable to think that, do you think some businesses are quite scared about automation and AI when you think. There's so much information out there. How do they take good advice and how do they follow good advice, Danyetta?

Danyetta

It's, it's, it's a difficult, um, issue because, this gets back to our triad, right? We talk confidentiality, integrity, and availability. So now we're going to talk about integrity. And the biggest issue we have right now is integrity of data. So, um, can you trust the information? That it is reaping results from. And that's going to be the biggest issue for organizations. I don't think you can get away from being able to use AI, um, in automation. It's going to be necessary. Um, matter of fact, there's probably an additional podcast just on AI and cyber, right? Um, because it's coming into cyber and such, um, great force and veracity. And it has to, right? The adversaries, the threat actors, they're using artificial intelligence and moving at this beyond the speed of light right now. And if you don't have AI, there's no way you can keep up. You're not keeping up with people, right? So there is that technical aspect that you have to be there. So I think the hard part for organizations is you really have to start to define your truth today. Understand what you have, understand what your organization ought to look like, understand what checks and balances you're putting in your data so that you can know that in fact that this information can be trusted and utilized and not just assuming that everything that's within the four walls of our organization is valid. Um, I think this is the first time where we're having to really look at that eye and say it's something bigger than having a hash that says that it hasn't changed from one moment to the next. It's saying, can it be used? And, um, we're in this age of what we call disinformation, misinformation, and I'll add another one called manipulation. For organizations, that's something you have to start planning for today, while there's still symbolism of the past and the future is emerging.

Yoyo

And it helps, it helps, doesn't it, if customers, clients, potential clients can trust whom they're working with for that advice, right? Which I'm seeing in this melee of craziness. I'm seeing that source of truth is coming through with reliable. This is why influencership has become so important now because there's such a lot out there. I have people that I follow. Let's not mention any of those sinful names. No, I'm just kidding. But I have people that I follow the sources of truth. You know, what do you think about this? Sounding, sounding up. So you can imagine why it's more important as well in business. And I find as well, when I do professional podcasting for businesses, they've understood that podcasting is a really good way for them to reach clients and potential clients because they can understand more about them than they would in a security expo or on a stand. And, in a sales call, even where someone's designed to come across a certain way. And then even then, who are they, where are they from? So yeah, it's authenticity work

Danyetta

now, believe it or not. Right. We've got all these automation tools and technology, but the ability to tell a story in that story, not have an ounce of truth is so much more easier now than it was, you know, when I started my company, I remember people were like, why start a cyber company? No, one's going to need cyber as an independent, like, you know what? Right. Obviously I never listened to them, but I just remember people saying that. But, you know, I think you have to dig and you have to ask those questions as an organization and especially with when you're meeting with people I have, um, you know, I just recently actually had a client I was talking to and they were like, you know, um, it's refreshing to actually have someone who's not going to yes us today. You know, who's going to actually tell us I can, I can't. And those are the kinds of things you're going to have to look for in this day and age. You can't be taken in by what you see necessarily. You have to kind of dig deep. And I think that's also true when you talk about cyber tools. You've got to dig deep. Not everything that says AI is actually. You know, the algorithm is built to parse the information as they said, right? Yeah. There's, there's what they're telling you. And then unless you're taking the time to actually go and test out that algorithm, you have no idea. So you really have to sit down and start to question interview, um, do your own deep dives. Now that's the one thing that the internet does make a little bit easier and automation. You could do a little bit better in deep dives, but just having conversations. I had. The veracity.

Yoyo

I had, um, I sat in on an RFP once, uh, for a SOAR, you'll know what a SOAR is, but for those that don't, a SOAR is an automation product that basically means all of the logging data, um, for, through SIEM, uh, which is, how do you explain this to somebody who doesn't know anything about cyber? But basically when you're doing logging and monitoring all of that data, there's thousands and thousands per second, sometimes that could be going through, they're going in through a SIEM um, yeah. And what a SOAR does is it automates it. Although there is a truth to be said that if your SIEM aren't in good order and don't have a really good rule set, then the SOAR isn't going to make a magic, um, out of it. I'd never dealt with SOARs before, but basically all the data from all of the SIEM, if you're running several SIEM, they'll go through this SOAR and the SOAR will literally automate what it is you want to know and see and make it a priority. It's very good piece of equipment. And there are a number of really cool providers. I sat in on the RFP and I didn't know about SOAR. But it's really easy when you've got a number of different vendors who are all vying for your business to, to get the truth, because let's face it, you know, if they lie to you, the relationship is doomed and for those companies, for those companies that don't feel that brave. And know that they need to head into technical RFPs, and they don't understand what's going on, then hire a consultant to take him with you who does understand. Somebody who is totally independent, who will sit in those RFPs and say, right, okay, when he's talking about encrypting data, what he really means is

Danyetta

this. Exactly, exactly. You know, just, and I, you know, to your point, you know, um, you were just reminding me of our earlier conversation about the encrypting of data and, and actually it's, it's important for anyone who's going into any type of RFP type situation, I think to have a very good understanding of what that looks like for, and this is getting into sort of like the physical security person coming into cyber, for them, just to have that basic understanding, sort of like you were just explaining SOAR, you don't have to go deep, right? You don't have to understand exactly how they code it. So you just have to understand, okay, this is how it works. This is how it functions. How am I able to relate that to an individual's, um, threat protection and threat profile? And I think that is so, so critically important. So I'm sorry that that just came into my mind. I know you were going to another,

Yoyo

I have to tell you as well that I brought in two different people who were going to use that. So one was going to program it and the other one was going to use it as an operator analyst. And it was really important to me that they be a part of the RFP process and nobody had heard of that before. You know, especially bringing in someone so junior and I'm like, bringing in somebody who's incredibly good at what they do. And if they're going to use this piece of automation, I want them to love it. Instead of bringing in a piece of kit or piece of tech that I think is great, or it's a good price or whatever. And then all my whole team of analysts turn around and say, Oh my God, this is awful, that's not the outcome I wanted. Um, but look, I've got to ask you about TINYg, lady. How's it going? Of course. Tell me about your TINYg journey.

Danyetta

Oh gosh, how many years have I been in TINYg? I've been on TINYg journey, I'll say over a decade. And, um, I actually, um, enjoy being a part of that. Um, when I came in, they were like, and I love how David says this, it's with the British accent, with Sybil. I hope I said that right. Cyber. Well, you sound like you're from

Yoyo

the Bronx when you say cyber. Or Boston.

Danyetta

Or Boston. Okay, so my British, I'm not even going to do British accent again. Cyber. Cyber. Cyber. Okay. Yes. That was it. Okay, I got it. I got it. So, um, you know, it was looking to bring that into the counterterrorism, right? The organization got started right after 9/11. And it was built around the idea that different communities needed to talk to each other. In particular, there were things that were obviously the Twin Towers came down in New York, but also there were pieces that were happening in the UK. Okay. And so, um, once that happened, it was very clear that some of the relationships that needed to have had been there, um, in order to respond, those needed to have a place to continue to foster and grow and people need to get information in advance. And so that's the genesis, um, of the organization. And so I've been very, um, honored to be a part of kind of bringing in what that looks like from a cyber. I think I said that right cyber perspective. And so, um, that's something I'm actually going to be briefing on for those of you that are going to be in the UK. Um, while you're at GSX, I'm going to be actually in the UK doing, um, a briefing around, um, cybersecurity and, um, the link with terrorism because we're seeing a lot more where it is cheaper. It is more effective. Unfortunately, to be able to sit at home or sit in a, um, uh, terror cell somewhere halfway across the world, and you can take out water systems, you can take out electrical systems, um, you can take down banks. So critical infrastructures are being hit have been hit. And that has continued to increase. And so we're going to continue to see that, especially with all of the events that are happening globally. We're going to continue to see cyber being a very critical aspect of how that happens. And can you imagine if you're without water and without heat in the dead of winter?

Yoyo

I mean, as you were saying that, yeah, we all know that they are clearly significant threats and we don't want anyone to take down water. But in the UK, we're having such a bad reputation with water companies and the amount of pollutants in the rivers and waters. They're taking themselves out at the moment, to be honest with you, because they're, you know, the shareholders are getting paid lots of money, but the rivers and the waters are full of toxins and unsafe to swim in. And look at what happened in Paris with the Olympics. They couldn't even swim in the Seine. Is it the Seine? Um, all the road to the Rhine, one of those, so we've got my, my, so, uh, so yeah, they can take themselves out at the moment and have a good word with themselves, but it's Mario's still on the board, by the way, I've got to tell you a story about Mario.

Danyetta

Oh, he's so awesome. I have, I

Yoyo

have such a professional crush on Mario because I do because years ago when I listened to my very first TINYg webinar. He was online and I saw him and I thought, what an impressive guy. And he was dynamic and passionate about what he was talking about. And of all the people that I've met, he's always the one that stands out always since then. So I guess what I'm trying to say is back then I wasn't an influencer. I didn't have a podcast. I was far, far lesser known. And yet it's the people you meet in the journey, are the people who leave the lasting impressions that are the most impactful. I think we'll have to make sure we tag him in.

Danyetta

We'll have to tag him in so he knows that that we, we included him.

Yoyo

He's, he's a little bit inspirational. Yeah, yeah,

Danyetta

he is. I actually, I enjoy this organization. I think one of the things that that people don't think about just about the security community as a whole as well as the TINYg organization is that people are very. They're very nice and they're very compassionate. And I think sometimes when you look at other professions, I don't see that sense of, um, honor that sense of duty. And that is something that you can, you know, I I've enjoyed over, over the years of being a part of TINYg, being a part of the security community as a whole, is that we have. Uh, you know, we get to be a superhero without a cape. Right. We get to be superhero without a cape. Maybe, maybe someday, you know, the, the security podcast and come up with the cape design. We can all get capes. But right. You know, We need, we need capes at some point, but, but, um, Imagine if we did. You probably couldn't get us in the building we'd all be running around trying to jump off. Do you remember

Yoyo

when you were a kid do you remember when it was windy and you'd open your coat out you try and like fly in the wind, we don't do that. Is anybody managing this actually. Says controlling reception. Nope. Security all pretending to fly. No security's outside with the Cape

Danyetta

The firewall went down like, oh my gosh, she's outside with that cape again.

Yoyo

Yeah. And all the women will be doing their Superman poses, which comes from Grey's Anatomy, apparently. Um, I know that, uh, yeah, Shonda, Shonda Rhimes series, Grey's Anatomy. If you watch it, you watch it. If you don't, you don't. If you're like, they, they use this analogy because they used to go into surgeries and build their confidence up before they go in, especially if it's maybe somebody they know. And so they, they just need this little confidence exercises. What you're supposed to do is a Superman pose, not the one with the hands in the air, um, but the one where you stand, literally your, your feet apart, your hands in a fist on your hips either side and you just look up and apparently you've only got to do that and take a couple of deep breaths and walk into any meeting and own that room.

Danyetta

There you go. We're gonna we're gonna call this Superman pose the security Superman pose. So that's another acronym for SSP.

Yoyo

That's a really good idea. We should paint it first. You heard it here first people. Yes. Danyetta Fleming, it's been an absolute pleasure to finally catch up with you. And thank you so much for joining us on the Security Circle Podcast.

Danyetta

Thank you so much for having me. Had a wonderful time. I'm going to get my SSP cape. Do it lady. Okay.