The Security Circle
An IFPOD production for IFPO: the very first security podcast, called Security Circle. IFPO is the International Foundation for Protection Officers, an international security membership body that supports front-line security professionals with learning and development, mental health and wellbeing initiatives.
EP 171 “When AI Learns You Better Than You Know Yourself” with Eva Benn Principal Microsoft Security, TEDx Speaker, Multi-Award Winning Cybersecurity Leader
Get in Touch! Eva’s Socials:
https://www.linkedin.com/in/evabenn/
https://www.youtube.com/@evabennofficial
https://www.instagram.com/evabennofficial/
https://www.tiktok.com/@evabennofficial
Bio:
Eva Benn is a Principal Security Program Manager for the Microsoft Security and Response center. Eva has spent more of her security in red teaming and penetration testing, both as a people leader and hands-on practitioner. Before joining Microsoft, she worked in Big 4 cybersecurity consulting, leading global penetration testing and cybersecurity initiatives across various industries. She is a globally recognized security leader, holding an extensive list of industry certifications, including CISSP, CEH, CCSP, Security+, GSEC, GCIH, GSTRT, GPEN, GWAPT, GRTP, etc. As an international keynote speaker, Eva is known for her disruptive thinking, unconventional storytelling, and high-energy stage presence. She has a unique ability to break down complex security challenges into captivating, actionable insights that inspire audiences worldwide. She frequently speaks on topics such as red teaming, cyber threat simulation, adversarial tactics, and the future of cyber defense. Eva’s presentations challenge conventional wisdom, offering fresh approaches on how to outpace attackers and rethink security in an AI-driven world. Beyond her work at Microsoft, Eva is deeply involved in the security community, having served/serving on the leadership boards of the OWASP for LLM Project, OWASP Seattle Chapter, WiCyS Western Washing
Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers
If you enjoy the Security Circle podcast, please like, share and comment or, even better, leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The Security Circle every Thursday. We love Thursdays.
Speaker 2: Hi, I'm Yolanda, and welcome to the Security Circle Podcast, produced in association with IFPO, the International Foundation for Protection Officers. This podcast is all about connection, bringing you closer to the greatest minds, boldest thinkers, trailblazers, and change makers across the security industry. Whether you are here to grow your network, spark new ideas, or simply feel more connected to the world of protection and risk, you are in the right place wherever you are listening from. Thank you for being a part of the Security Circle journey.
Yoyo: I have with me Eva Benn, Microsoft Security, a keynote speaker. She sounds awesome, by the way. She's also the top 20 cybersecurity women of the world for 2024 stroke 2025. Wow. She's in the top 20. Most inspiring women in Cyber 2025. This is super current guys, the Hacking Games. You are on advisory boards and you have lots of letters after your name. Eva Benn, it's so great to see you. Welcome to the Security Circle podcast.
Eva: Thank you for having me. And by the way, that interest, makes me sound way important. That, more important than I am. I'm just a normal person. I'm trying to figure out life. Like all of you.
Yoyo: Listen, I have a few things after my name on LinkedIn, but yours is like, wow, like top 20 cybersecurity women of the world. Like I'm nowhere near that yet. So how did you, first of all, how did you, how did you get that?
Eva: How did I get that? Well, I think my journey into cybersecurity started from, from nothing. I came into the United States with nothing, $50 in my pocket. I barely spoke English and I built myself to where I am, really, with grit and growth mindset and embracing obstacles as puzzles to solve instead of dead ends. I think that I've, through the years in cybersecurity, I've contributed a lot to the community, the security community in many ways through leadership, through research. And I've also held, um, some pretty challenging positions that require me to stretch my thinking. Um, I think the reason why I like to use my story to lead in conversation with people, especially when they're getting started, is because my story is a proof that it really doesn't matter where you start. You have to always start somewhere. And, ethical hacking or hacking in general, the starting position is what is considered your attack position. Everybody starts somewhere. There is your attack position only determines your attack path to get into your goal. It doesn't determine your end goal and the opportunity,
Yoyo: Oh, oh, oh, oh. We have to di, we have to just pick that apart. Your attack position determines the approach you take, doesn't actually determine your end goal. Take us through a bit more of that.
Eva: Exactly. So I think that sometimes not having resources when you're getting started, it's actually your advantage. And I'll give you a mindset shift. Without money or without connections, you are forced to learn how to bootstrap, how to be resourceful, how to find free resources, and to make opportunities where none exist. And guess what? That actually makes you more resilient and it gives you more skills, and it gives you a lot, I would say, a competitive advantage against the people who actually start off with attack position that is further ahead of you. So, um, if we translate this into cybersecurity, right, um, sometimes, uh, attack position could be outside of an organization or a system that's considerably like from, for, from a traditional standpoint, that would be considered harder to get to your attack vector, or you could have an attack position started from the inside, right? Translating to life, that would mean maybe you start with more money. Maybe you start with connections. This does not determine who is going to get to the end goal faster because the person starting with attack position from the outside, they might make the most of their resources, um, and they, uh, actually may be able to get to the same goal faster. So the analogy here that I use is that we can borrow a lot from cybersecurity and translate it and apply it to our life to be successful.
Yoyo: Do you know, I, I can imagine a lot of people listening, 'cause I know some of you quite well and some more than most, some way too much. No, I'm just kidding. I'm just thinking. I think a lot of us are reflecting, listening to you thinking, actually, I did start from this place and I didn't have very much. And I think we can all kind of take this moment to pat ourselves on the back and say, look, this is what I've achieved and I think we should remind ourselves of, of that. I remember when I first started digging around in cybersecurity, I just found that I just loved GDPR, Eva. Right.
Eva: Wow, that's unique.
Yoyo: Well, some people say I am rather unique, but not in a very nice way. But no, I'm thinking. GDPR was about, it was, it's just the most beautiful framework for protecting our sovereignty over our data. Alright? And nothing before has ever really empowered us as much as GDPR. Um, uh, and the Data Protection Act didn't really cover it in much depth, but was the beginning of a journey. But GDPR gives us sovereignty, gives us the right to refuse. It gives us the right to erasure, it just gives us rights that no one's ever given us before. So I think I, I'm always trying to encourage security professionals to slide over into cybersecurity, 'cause I find that a lot of them have got a, the majority of the skillset of like having a risk mindset, having curiosity and wanting to problem solve and understanding incident management and investigations and all those sorts of things. So did you know you are gonna end up in cyber or was it kind of
Eva: Absolutely.
Yoyo: How did,
Eva: Oh my gosh. Absolutely not. In fact, this is another, I guess, opportunity to share some inspiration from my journey is I was so stuck that I wanted to have a career in marketing and I wanted to have a career in sales. Out of all places, I kept interviewing at Amazon. I wanted, that was my dream. I wanted to work in a marketing and sense in Microsoft about being at Amazon, and I just kept getting rejected, but this was it. It was almost like that fly that keeps hitting the window where the door is just like to the left, but then the fly just keeps winding that one wind window because it's not open to other opportunities. Then I ended up stumbling into cybersecurity, uh, quite frankly on accident where I was very technical, even though I was, uh, at business school and I was building apps. I was volunteering and doing a lot of consulting work, um, for nonprofits, and the person who hired me at the time who was a leader, um, at one of the big four consulting firms, saw my skillset and actually helped me see what I couldn't see at the time in myself. So I would say a lot of the times we take our skills for granted and our talents for granted, and it's okay for us to zoom out a little bit and be open-minded to the opportunities that may not be, you know, within our immediate purview. I think cybersecurity is a skill that could, uh, that is very broad, right? Everybody from people from all walks of life can find something to contribute to this field.
Yoyo: I think it's a lovely story to say that, and I think, I think a lot of people see cybersecurity now as a really good career opportunity. It's definitely at the forefront, isn't it, of innovation, technology. Uh, in fact, I've just had a, I'm gonna, I'm gonna sort of spring something on you here. I've just had a really good conversation with a guy who used to work with the NSA. He is going to be on the, uh, podcast in cyber. He was NSA in cyber, uh, and he basically said that to, to go and do a computer science, uh, to, to create computers and understand computer science, you don't necessarily have to have the degree of qualifications that you would have to have if you were going to be an electrical engineer or if you're gonna be an architect and design bridges, for example, and those very old disciplines, uh, are built on understanding failure. You know, you have to build a bridge that's going to withstand the capacity for, uh, x number of payload and, and more, uh, and know that that bridge is going to always stay standing. And so that design is built on years and years of understanding how bridges don't work. We don't have that same discipline of designing, you know, with, with failure in mind, with computer sciences doing.
Eva: Yeah. Um, I mean, I think that a lot more cybersecurity education and degrees are emerging. Clearly they didn't exist when we were preparing for this. Um, I think one of the beliefs that I stand by is, and I think this is very aligned to what you just said, that I think that, um, cybersecurity truly is a mindset. Uh, the technology changes, it evolves over time. The underlying mindset is to embrace curiosity and to challenge the traditional way we've always done things. I think, um, I also challenge a kind of the path to cybersecurity, the traditional path. And as you know, I share so many resources, uh, for free, how to get into cybersecurity for free. I am a firm believer that the industry already has all the resources and the support to get people into cybersecurity for free, and that's why I evangelize these. I don't believe that there should be any kind of artificially introduced roadblocks for people to get into the field. No matter where you come from, I guarantee you, you have a path into cybersecurity. The resources are available. You just need to start.
Yoyo: I interviewed a very young, talented woman once in one of my former jobs as a security analyst, and she, um, she told me that, um, she realized she had a talent when she was playing a computer game and she was frustrated that, uh, it was impossible to win. And so she redesigned the game so she could win. Love story. And then she realized, what, what can I do? Like now most girls, right? Don't think like that, but I just, I thought she was so refreshing and so unique. You've spent a lot of time with ethical hacking and red teaming, and I'd love to know how that background in your early career has kind of influenced the way you see today's AI-driven threat landscape.
Eva: Wow. Great question. Um, uh, before I answer, I just have to say my, um, what got me into cybersecurity was actually a very similar story. I had developed an app to solve a problem that I had. Uh, so I, I really think that these are the stories that people need to, need to hear. Um, so back to your question, I believe that, um, my experience in ethical hacking and teaming over the years has really shaped my thinking from thinking about new technology and the way we view the world from, you know, things that enable us and make us productive, to think of it, think of it as challenging these new technologies and, and changes in how we operate into what are the new attack opportunities, what is the impact in terms of, um, you know, security impact and weaknesses. I challenge absolutely everything, to be very honest with you. I view even my personal life through a, a hacking lens. I always think of, you know, what are these new vulnerabilities that are introduced by, by AI and how can we as people shape our thinking in a new way to adapt to this new threat landscape? Um, because AI is bringing a new attack surface. And to be very honest, while I'm very, very excited about the productivity and the opportunities that are introduced by AI, I can't help but also, uh, think about how is that redefining what we do as security professionals and humans?
Yoyo: Yeah, and I, you talked about the attack surface, and I'm thinking AI has completely redefined the attack surface. What sort of, and, and look, this is going into your skillset as a, a predictor of the future, Eva, but what new vulnerabilities do you think are emerging that security leaders aren't kind of thinking about yet?
Eva: Wow. This is, totally, honestly, my, my favorite topic. I've been talking about this as a security professional for so long, and I contribute to the security community by doing research in that area. So AI is redefining the attack surface in two uber ways, right? It's redefining the existing attack surface, but it's also introducing new attack surface. When we think about the existing attack surface, I'd say there are three main ways that AI is redefining it, and that's scale, speed and quality. When we think about scale, there's so many reports, industry reputable reports out there that are just showing us the volume of attacks is skyrocketed. With AI, what used to be isolated incidents is now millions of automated attacks. What does this mean? This also means more targets. Also the speed of attack. When we talk about that, attacks that once took days or weeks to plan and launch can now be generated in seconds. And the third one, when I talk about quality, I mean anybody from the world, right? No matter their skillset level, now have the resources at very low cost to craft flawless, personalized spear phishing emails, to do clone voices, deepfake videos and so forth. Right? So these are, I think, the three main ways that AI is redefining the existing attack surface. Now, the caveat is that we are also looking at new attack surface areas, which include new types of attacks that require new security strategies. And in fact, I delivered a keynote back in like early 2023 talking about this, and it's funny how this is still relevant, but when we, uh, used to just protect traditional software, we used to have, I mean, we've gotten pretty good at security when we talk about security software, but now attacks are carried out to the models, to the data and new technologies also that connect AI models to external tools such as the model context protocol or MCP, which is an emerging new attack surface that we need to rethink how we protect.
There's new types of attacks like we think about prompt injections, jailbreaking, deepfakes, data poisoning. These all require new approaches and, uh, luckily for us, I think the security community has come together. There's so many research projects happenings on the MITRE ATLAS, for instance, uh, plane. There is also the OWASP for LLM, which I'm also contributing to. And we are coming together to really help security leaders and security professionals to, uh, to rethink traditional security approaches. Traditional security still applies. Security fundamentals still applies. We still have to protect the underlying software, the underlying infrastructure. This does not go away. Mm-hmm. We just now have to think about these new layers of security. And this is the last thing I'm going to say on this topic. You've strike, uh, strikes, uh, very like interesting topic to me. But I think that one thing security leaders need to think about, and perhaps they're not thinking about enough, is that, focus, we are focusing on, on security of our systems and our organizations, but we're overlooking a new attack surface, which is the human layer, the human plane, the impact. So AI has the ability to interact with humans the same way as other humans do, which brings the opportunity of human manipulation at scale.
Yoyo: So I've got a question for you around humans, um, or humans, H-O-O-M-A-N-S. Um, but I've got to tell you this, I was on a course earlier this week and there was a presenter there who's going to join the Security Circle podcast in the future, and he talked about the five generations of warfare. The first one is identified as Napoleonic. Quite obvious it was to do with, you know, the, the walls across the seas and the oceans and the claim for land. Mm-hmm. The second generation of warfare was World War I, and this was the industrial warfare, you know, the emergence of guns and bombs and firepower. The third one, and I'm probably not even selling it as well as he said it, but he's gonna come on and talk about it. The third one is called maneuver warfare, and this is around World War II. And we can quite clearly understand the maneuver there and what that means. The fourth generation is the war on terror, and he's identified the fifth generation of warfare is where we are now. Mm-hmm. And the frontline is the mind, uh, of every citizen, the mind occupied territory. Off record, I saw him and chatted to him and said, look, you're great. You've gotta come onto the Security Circle podcast. I could even say it, but what's the sixth? What do you think he said?
Eva: Uh, well, I am right there with you on the fifth. This is my area. I, I have no idea. I'm curious. I have no idea. I wanna listen to his podcast.
Yoyo: It's, uh, it's AI. It's gonna be AI.
Eva: Oh, okay. So when, when you said the fifth, in fact is where, this is where I, this is where I'm operating right now. Mm-hmm. And I think that I'm blending the fifth and the sixth. So I'm actually writing a book, and I haven't announced this yet, so this is, I'm hot off the press on your podcast. So the book is all about, um, AI, AI's impact on the human plane. And that's, to me, that is absolutely the bridge between that fifth and, uh, sixth plane of warfare that he was talking about. And I'm completely aligned with that. So I think that where I'm fascinated here is that the attack surface extends to human psychology and what I call the human operating system. If there is anything that I have learned in my years of experience, and I, I'm sure that you would agree with that, is that when we think about security, no matter how many secure apps or defenses you are built on top, if your human, if your operating system, right, is vulnerable, it doesn't matter, right? So I think that the, that human operating system, we need to think about it a little bit more deeply. Humans continue to be the primary attack, uh, initial attack vector for attacks. We see that in.
Yoyo: But why, why is it, you know, we're the smart ones, right? We created all the tech. We went to study. We, we know. Why is it word of vulnerability? I mean, I know, I wanna hear what you say.
Eva: So, uh, so this is actually, it's not lack of training. I just wanna put that out there. The training and awareness market is worth billions and it's accelerating. I think now that we talk, when we talked about AI, it's accelerating the impact on the human, uh, cognition, and we are the weakest link. And hackers know this, right? Uh, bad actors know this because we are inherently vulnerable. Our human operating system is designed for survival and no PowerPoint or phishing simulation can override, uh, millions of years of human evolution. And the unique thing that AI brings to the table in my view, is that it can interact with our cognitive biases and our human cognition in ways that traditional software cannot. So one example, actually just made a video on this, um, that I think I'm gonna, I think I just published yesterday, but essentially, um, AI is now making people fall in love. Like there's a, there was a woman, a news article that recently got published where she married an AI system, or I don't know if it was an app, and the AI picked the ring. They're in love. Okay. There are many cases like this that are emerging where people have relationships with AI. And so while on the surface this seems funny and we can make fun of it, I think that when we put our cybersecurity hats on, if AI can make a human fall in love with it, think of what else they can do. Right? It's, it's essentially, it can be turned into a very powerful weapon. And to me, the impact can be manifested in the human plane where we could see humans, health impact, humans not, you know, making the bad decisions because of manipulation that can carry out attacks in the human plane. It's no longer about systems and money, right? Obviously that doesn't go away. But now we've got, just think about, uh, one thing I'm just gonna say on this topic is shortly after Sora 2 was released, the number one search tool online was a free watermark removal.
And that's, that tells you everything you need to know.
Yoyo: Yeah, that's actually pretty shocking. Look, uh, you mentioned you're gonna come out with a book, um, when you've got the pre-release, uh, date, let me know. We'll record something to talk about and promote your book. We do this an awful lot on the Security Circle podcast, so make sure that you let me know and then provide me the link as well to some of these videos. Then we can encourage our listener to follow you and check out your content. But look, um. Let's, let's look at humans a little bit more. I mean, this story you've told is exposing a huge amount of weakness, isn't it, in terms of how humans are kind of engineered to survive in 2025. And, and, and I was like, it's a good job that I was mouthing my WTF when you said that a woman married her AI. I'm thinking, come on, this, this doesn't bode well for us as a human race to have longevity and live for another a hundred thousand years, does it?
Eva: Yes. Um, so. I'm gonna break down just a little bit. I'm gonna break down this example a little bit because, um, I think that why I say the human operating system is vulnerable is because we all have our inherent triggers that define us, and they're very unique. If somebody comes here and tells you, this is the recipe of how you can stay secure. This is BBSI, I'm sorry. Everybody has their unique attack surface and AI enables, um, bad guys or malicious actors to perform reconnaissance on who we are and what our triggers very precisely, right? For instance, if I get a call, I'm a mother. If I get a call from my son, guess what? If I've just had a security training, don't freak out. My inherent, like, underlying system is, is triggered. Therefore emotion and survival takes over. At that point, I'm not thinking out of my rational mind, I'm thinking about like motherhood and human instinct, and this is what I talk about, human operating system. This woman, right, just to pick on poor woman, but she wasn't stupid. She wasn't a bad person. She was found in a situation where she was vulnerable and perhaps craving human connection. So at that point, her human instinct overrode her rational, you know, decision making, and I think that this is where people often miss that, that layer, the underlying layer of what makes us vulnerable. We don't click on bad links because we're stupid, or because we're malicious, because we're bad people. We click on these links because we, our emotion overrides decision making.
Yoyo: So look, I, I get it. I do think it's a worrying dynamic because I think even as humans, we need to recognize if we have vulnerabilities and we need to be aware, maybe there's an evolvement there in some more self-development and training that needs to happen because we're seeing it in children, we're seeing it in, in men, and we still have a very high suicide rate for men. And a lot of it's due to disconnection. And, and so there's an awful lot of problems in society that we could probably link to being, being feeling lonely and, and, and away from, from, from community and society. But look, um. I'm going to ask you, um, in terms of limiting beliefs, it's my thing this week. I went on this course and we talked about self-limiting beliefs. Uh, self-limiting beliefs are those narratives that you tell yourself that tell you why you shouldn't do something. So for example, I have a young female, uh, professional who's very talented and she won't go and, uh, apply for other jobs because she doesn't feel she's good enough. She's got a self-limiting belief. No, they're not gonna hire me. It's just gonna be rejection, blah, blah, blah. And so that's a classic example that we see in mentoring of self-limiting beliefs. What would you say to someone who doesn't feel maybe technical enough for cybersecurity or AI roles? And, and look, I, I advise people to always go and do cybersecurity essentials. I think you learn very quickly doing those courses, what parts of cyber and security you love and what. Are you.
Eva: Yeah, that's, I think, first I'm going to say you need to understand there is always going to be someone smarter than you, someone who knows more than you, someone who's further ahead than you. And I think that we often fall in the trap of comparison. It's human nature, and so we feel like we're behind, especially in today's AI-dominated world where there's new things coming up every day, where everybody's moving faster. I think that it's, the world is almost designed to make us feel impostor. So what you have to remember, and I tell this to my mentees, I also create this in my content, is that you need to turn your, I would say in parenthesis, disadvantage, um, in quotes, quotation marks, disadvantage into advantage. Right? If you are just starting out, what unique perspective do you bring to the table? Remember, cybersecurity is not a one person show. It's a team sport and your unique value, your unique perspective is actually what is the missing piece. There are some people who are extremely technical and fabulous in one deep domain expertise, right? There are others who are deeply technical in others, but they may lack some skills that you may bring to the table, whether they're technical, whether they're non-technical. Um, I think that what is important is, and limiting belief by the way, is something that, it's such a good topic, and I think we all struggle with this. We all have limiting beliefs. There's no matter how confident, like when someone looks on the outside, just trust me, they do have limiting beliefs or you're not alone. Um, but I think it's important for you to take a deep look at yourself and think about what makes me uniquely me. What do I bring to the table that others don't? And own that. That's the only way to build confidence. You cannot go and compare yourself to somebody else. I used to fall into that trap. By the way, Yoyo, early in my career, oh my gosh, oh my gosh.
I would always compare and try to compete with other men and just like think I'm falling behind. And then I realize that my skillset and what I bring to the table is just different. And once I started embracing who I truly were, was, and leading with authenticity, then I started actually seeing my value. And I think that also helps with the limiting belief.
Yoyo: You know, I think for me personally, in my journey, I think sometimes, you know, at work, in terms of our cybersecurity challenges, it can sometimes feel like it's too big to fix. It can feel like it's, it's a never ending cycle of fixing stuff. And don't get me wrong, oh yeah. We're in, we're in the business to fix stuff. So it's not like we know, I mean, we know we don't get to the end of the day. It's like a nurse. A nurse does not get to the end of the day and say, right, I'm hoping my ward's going to be empty, uh, for a new day tomorrow. No, there's always gonna be people sick overnight. And we pretty much have that same principle. We know the job is never done. It's always a rolling roll in, roll off, uh, kind of roll on, roll off. Um, but look. I think limiting beliefs has come along at a good time for me because there are points where sometimes you feel like it's too big to fix, and so knowing your limiting beliefs, knowing that actually no, it, it, it feels like a bit of an energy boost for me. Do you know what I mean? In the sense of no, don't, don't let those limiting beliefs seep into what I do day to day. We have to be aware of them, know that they're present, hear them, and then ignore them.
Eva: So I'm gonna use this opportunity to measure. So I've actually, um, I've developed a framework, so I told you, I, I convert everything into some sort of a hacker challenge in my life. So my value proposition, I think, for defending the human mind in today's world is to embrace a hacker mindset. And I've actually used the cyber kill chain to create a framework for human mind, um, resilience, for building your resilience from the inside out. And the first step of any, you know, of any, uh, hack, for lack of a better word, is reconnaissance. Right? When a hacker goes after a target, they need to understand everything they were, they need about the started. Think of it like stalking your ex on social media, but on steroids. Okay. So when we talk about human resilience, I think that, uh, really aligns with what you just said. You need to notice what are your triggers. These are your security vulnerabilities. What are the things that make you stressed? What are the things that make you anxious? What keeps you up at night? Um, to me these are very different for different people and they also vary throughout the day, throughout the year, depending on what you're going through. Uh, somebody who is going through a challenging personal time are a prime target. This same person next month when they get a little bit more sleep and when they're more balanced, they will be a tougher target. But you know what I mean? So I think that it's important for us to recognize our vulnerabilities and, um, build micro habits to address these vulnerabilities. Like for instance, if you find yourself that you are very rushed, responding to triggering emails during like certain hour of the day, try pausing for three seconds before you respond. Take a deep breath. I think that the key to changing and building resilience is not by changing yourself fundamentally and who you are. I think it's about embracing small, tiny habits to address your weaknesses and doing them consistently.
Otherwise, it's not sustainable.
Yoyo: Those small, tiny habits, they can be something as simple as setting one day a month that you do a housekeeping check of all of your passwords. They could be that one day a month, another day, where you just make sure that all of your, your browser history is deleted and you'll, you clear your cache on your, on your, on your browsers. It could be that you decide that one day is where you're just gonna do review of your notification settings in your mobile phone. So stuff isn't following you, tracking you, you know, you're not giving away your location to apps that have no business knowing your location, and you're turning off the notification setting. So you are making strong decisions about when you wanna go into an app. It's not telling you when to do it. Just, just little things, little steps like that we can take, yeah, to have more control. Right?
Eva: I completely agree. I also have one thing that I call the one minute, um, daily check-in. So find a time during the day where, you know, you're probably like the most stressed or frustrated. For me, that's usually in the afternoon where the day has bombarded me already and I'm starting to act out of, maybe, autopilot, and I think it's important for you to set this one, like, alarm. It has to be on your phone, not a calendar block, anything like this. And just check in. Just check in. Are your actions aligned with your objectives? Rate your stress level. If it's anything above three, like from one to five, just take a, take a glass of water. Take a little walk. Right. I think that these are important things. We don't think about human regulation and nervous system regulation as a security vulnerability, but that to me is the biggest cybersecurity vulnerability because that's when we make mistakes. That's where we misconfigure and miss security settings. That's, that's when we are distracted, perhaps respond or click on things. And, um, I think it's important for us to stay aligned with our intentions frequently.
Yoyo: Yeah. And even going into winter months, you know, with the clocks going back and the hours of darkness becoming longer, you know, they advocate strongly for just going out and getting 10 minutes of natural daylight, for example, for people that work from home. And a lot of people in cybersecurity work from home. A lot of people in security work from home. Um, but look, um, proud, uh, your brand visibility, Eva, it was what attracted me to your profile. You have used LinkedIn incredibly well, and it's been a very powerful platform for you. So why do you believe that building a visible sort of personal brand in cybersecurity is just no longer an option? It's something you have to do.
Eva: Believe it or not, first of all, thank you, Yoyo. Um, I definitely feel the same way about you. Um, I have to say LinkedIn has been the scariest platform for me for, for forever. Um, I, I've really struggled showing up there because I have all of my coworkers there and I've always been in pretty technical teams where visibility is not necessarily celebrated because it can be viewed as a security risk, but I think, uh, it's a trade-off because I also, I went through a time where I didn't show up online because I was just really busy with work and, you know, I, I, I was silent. I have to say, I started getting pings from other women and people who have inspired and they, I realized how many people I'm impacting through my work and through showing up with authenticity because I am essentially showing people and making, giving them permission, if you will, to start doing the same. I think the more people that show up authentically, especially in cybersecurity, redefines what the field could look like, and it's important for us to show up with who we are because, guess what? The next generation of women and cybersecurity professionals in general is watching and they're looking at us. They're looking at us as what's possible for them. And I think that's why I always, my LinkedIn is just me. I engage with every single person there with authenticity when I'm responding to a comment or if I'm interacting with somebody via DM. They are the only person that mattered to me at that time, and I think that this is, I'm using the platform truly as a social connection platform versus just the megaphone.
Yoyo: Oh, wow, that's awesome. So a lot of people come to me as well, and they say, you know, what's the, what can I do to have better visibility? Sometimes the young folk that I'm mentoring, you know, they'll want to be more visible. And, and I, and I, I, and I remember someone saying to me like a long time ago, and I said this before, you know, someone said, oh yeah, yeah, you should do, you should definitely speak in front of people or do something. You know, 'cause the way you talk about stuff, you know, blah, blah, blah. And I said, yeah, but I really dunno what to say. Um, and then someone said to me quite powerfully, you know, you'll find your narrative. And I did. And, and I say that to young people as well. I say, you know, what is it you wanna talk about? Because you can't be authentic if it's not something you're deeply passionate about. What's the sort of one practical thing as an expert that you are, that someone can do this week to elevate their voice online?
Eva: So first of all, do not post content just for the sake of posting content. You have to be intentional. The other practical thing is you just have to do it, okay? You don't learn how to swim on the shore. You are going to have to be ready to be embarrassed. It's uncomfortable being seen, especially initially. You are going to have to be okay with your posts not getting all of the applause. Just come with good intention. One thing I learned when I started creating content, short form content, right? I have to say like I was hiding. I, at first, I didn't even share my real name. I wanted to help people, but I also just kind of felt like, oh, I don't know. I don't wanna, I'm a serious security professional. I wasn't sure. And what I learned from this, by the way, through the journey, is what I don't like doing and what's not my voice. So I think that you need to start showing up online and you need to, and you will find your voice just by doing. 'Cause initially, you're gonna have to try different things and not everything will work for you. So for instance, I found that I don't want to be like the everything person. I don't wanna be reflecting the news. I want to focus very, very specifically to the things that I am researching and I'm working on, which is how AI is transforming the threat landscape. And I wanna translate cybersecurity complex topics into plain English, and that's what gives me energy. But guess what? I didn't just wake up and knew, right? I had to try different things. So today everybody who is listening, I challenge you. Think about just one post something. And you know what? Ping it to me. I will engage. I will like, I will follow you. Just, just find me on LinkedIn and I'll be there, the first one cheering you on.
Yoyo: That is super smashing great. 'Cause you have a huge following on LinkedIn. In fact, I remember the third podcast, the third Security Circle podcast I recorded. I interviewed someone called Chuck Andrews. He's a huge, probably the most well-known security influencer on the physical space, but he's also in cyber. Uh, a lot of people don't know he's in cyber. He keeps that quite quiet and I kind of said to him, Hey, look, you know, you know, you are an influencer, like what's that like? You know, and how naive was I? Because he said it's a huge responsibility. It's a huge burden, you know, because you have to be not only authentic and you shouldn't have to think about being authentic, but you have to deliver authentic narrative in the sense of it's got to be relevant, it's got to be accurate. We are seeing now, influencers, you know, gaining notoriety in really bad ways by, yeah, deliberately posting fake content to gain. And I'm thinking, crikey, where'd you go from there? Do you know what I mean? Like, where'd you go from there? Mm-hmm. Yeah. So, um, I think it's important to be truthful and to double check your facts and to sense check everything you do, because ultimately you lose that credibility and it's, I think it's hard to recover.
Eva: Uh, I a hundred percent agree. I think that there is a lot of misinformation out there. Um, and I think especially, uh, you know, for, for me, the victims of that fall prey are people that are genuinely trying to get into cybersecurity and to learn, and they're getting steered in the wrong direction. And this is what I'm here to fight against. Uh, quite frankly, that's why I'm doing this. It's a lot of work to be honest, but I've received a lot of feedback from people whose lives I've impacted in a very positive way. So I think that, um, it's important as a cybersecurity professional to be factual, but also be entertaining. And this is extremely hard. Um, I'm still navigating, well. I'm naturally
Yoyo: funny, Eva, so it's okay.
Eva: It's, it's finding, you know, finding people where they are, meeting them in the way that, you know, you are also respecting their attention. To me, when somebody's, you know, interacting with my content or viewing my content, I want to ensure that their attention is, is really wor, you know, it's, um, I'm valuing their attention because at any given point of time, everybody has limit op, limitless options of where to spend their time and attention. So I'm grateful where people give me their attention and I don't take it lightly. That's why I ensure that things are always factual, that are valuable. I try to provide as much free resources as I can, and I think that, uh, when you look at it from that perspective, when you take the spotlight off of you and like, oh, look at me, but like think how can you help others? I think then also that pressure comes off of you and you don't feel like, oh my gosh, like I'm in the spotlight. So it's a mindset shift mindset.
Yoyo: I was going to ask you, you know, fast forward five years, but I just think I need to ask you, what is 2026 gonna show us?
Eva: Uh, well, it's, it's quite, um, you know, it's, I think that we are moving very fast. Uh, we're moving fast, we're going, we're embracing, um, agentic world where AI systems don't just answer questions, but they take actions, connecting the tools, the data, and external systems. And that creates enormous opportunity for defenders, but also introduces new risks that we need to manage carefully as security professionals. And for me, the battleground is not just the raw capability anymore. It's about speed, about, uh, it's about adaptability, it's about control. And I think that organizations can think about safely integrating AI into their workflows. Um, but we also need to be mindful of keeping humans in the loop. I believe that the security flywheels is just going to accelerate from here, um, quite significantly as we embrace the new AI agent future. And this is just my opinion based on what I'm observing in the world. Um, but only time will show.
Yoyo: Yeah. Well I, I look at agentic AI and we've all seen those programs, haven't we? Where the professional dog trainer comes in and trains the pet that's just lost all control 'cause it hasn't been trained properly. Agentic AI, basically, it will do what you ask it to do, but you need to train it really well. My biggest concern going into 2026 is we've got a lot of people out there who haven't trained their dogs, but the fact that one house in the middle of one country hasn't trained its dog properly to poop in the right place, agentic AI has got the ability to kind of poop on a lot of people's carpets. So that's where, that's where I'm.
Eva: Yeah. Um, I mean it's, as I said, I do think it creates opportunities as well as introduces significant new risk. In fact, um, the, there is, OWASP will be releasing soon the new agentic, um, the new, uh, top 10 for agentic risks. Um, so stay tuned for that. I think that this is definitely gonna be a helpful new tool for security professionals. We, we can't, here's the deal, like, the AI agentic future is here, right? We cannot turn our back. We, we either have to get on that ride and learn how to drive or freaking, you know, go on the ride and don't know what happens to us. So I think that if we can't turn our back to this, it is important for us to think about and a lot of what's happening in the world right now, we've experienced before when we've, you know, gone through major technological advancements that have transformed how we operate and how we live our lives, right? From moving to mainframes, into PCs, to embracing the web, to embracing smartphones. All of these technologies, right? They've transformed the way we live and they've eliminated jobs. They've, uh, created jobs. I think we're going through another one of these transformations. It's, I would say it's larger, uh, than anything we've seen before, but we have to embrace it with growth mindset and just know that it's gonna be okay. We've been through, you know, big transformations before. We are going to, we, it is just a matter of adaptation and we are a very adaptable, uh, species.
Yoyo: I applaud your positivity. Wrapping up then, what's the one message you want every listener, especially women and career transitioners, to take away from your journey?
Eva: So, I just, if there's one thing to take away, I want you to just challenge yourself and just do it. Fail fast, whatever. Be honest with what your dreams are and go after them. Um, a lot of times, especially women, I think we shy away to, to really look and see what is it that we really want from life? Instead of borrowing the dreams that are forced upon you by society, by, you know, having a certain job by whatever your parents or your boyfriend or whatever want. The, this is both for men and women. It's not just for women. Just own what your story is, what your dreams are, and just go for them. I think that the only difference that makes, um, that that stands between people who achieve a lot and who don't is just taking action. That's it. They don't, they're not smarter. They're not more capable. They just take action and they're not afraid of failure. So this week I challenge you tactically. Go ahead and just think of what's that one thing that you can do to take action towards your goals, whether that's your cybersecurity career journey, or whatever else it is.
Yoyo: You are right. I love this idea of are you allowing the choices to be made for you or, or are you making the choices? And I am, I have to say, if I was to be super critical, I can quite often allow choices to be made for me, and I need to start thinking differently. I mean, I do make choices, but I've allowed some very big choices to happen, and I've been very, very lucky and unlucky. My intent going forward is to make really intent, make choices with intent, and that's my sort of going to be my New Year's relu re resolution. And I went into a bit of Sean Connery there. Um, do you have a Cyber New Year re New Year's Resolution for 2026?
Eva: I don't believe in resolutions. Um, I, this is one of my life mottos because I make resolutions throughout the entire year.
Yoyo: Love it.
Eva: I mean, to me it's like I don't wait for, for the first, I've never been like this. I think one of the resolutions that I am recently, I guess, realizations, resolutions of what I'm trying to do is to really stay more aligned to what makes me happy. Um, I honestly spent way too many years of my career pursuing exactly the cookie-cutter career and ladder and what I thought would make me happy, what society told me would make me happy. And I think now I try to be more mindful and just embrace who I am, what makes me happy. And part of it is inspiring people, giving them the tools to be successful, connecting people. As you know, I've been celebrating a lot of women's impact in security this month, just doing something different that nobody else is doing. So just, just try that. I, I, I hope that this conversation inspires you to really do a little bit of introspection.
Yoyo: Okay, well that's it. What we're gonna do is we're gonna provide all the links to some of your content. You are gonna let me know when your book is finished and ready for pre-release. Uh, we'll have you back onto the Security Circle. Tag me in also, Eva, to the, top, uh, ten, uh, AI risks. And I would say folk not only tag in Eva to your content. If you are trying out some new stuff, tag me in too. We wanna be huge advocates of getting you started. That's how, that's how it begins right there. Eva Benn, thank you so much for joining us on the Security Circle.
Eva: Thank you, Yoyo. I appreciate you.