The Black Hat Files

How Diverse Thinking Can Drive Security Innovation with Trina Ford

Black Hat Middle East & Africa Season 1 Episode 3

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 26:05

In the third episode of The Black Hat Files, Phillip Wylie sits down with Trina Ford, Senior Vice President & Chief Information Security Officer at iHeartMedia to unpack an idea often overlooked in cybersecurity: how diverse thinking can strengthen security.

Cybersecurity is built on problem-solving. But what happens when everyone approaches problems the same way?

From leadership and decision-making to building stronger teams, Ford explores why different perspectives matter, how varied lived experiences can improve resilience and what organisations miss when security becomes too one-dimensional.

The conversation looks at the human side of cyber, where innovation comes from challenging assumptions, thinking differently and creating environments where better questions get asked.

Because stronger security is not only about better technology. Sometimes, it starts with better thinking.

SPEAKER_01

Diversity works very well when you're trying to be creative. And when it comes to women in cyber, women have a unique and different way of looking at problems, approaching conflict, coming up with ways to get it done. Good managers and good leaders, they take the ideas and they allow their people to go run with it. So if someone brings an idea to you and it aligns to your strategy, go off and do great things. AI is new for all of us, but it's really no different. And I think when we start to recognize that, we'll become more aware of it and appreciative of it.

SPEAKER_02

I'm your host, Philip Wiley. Every month we bring you an exclusive interview recorded live at Black Hat MEA. From the heart of the industry, these stories are worth telling. Let's crack open today's file, How diverse thinking can drive security innovation. Our guest is Trina Ford, CISO at iHeartMedia. Welcome, Trina.

SPEAKER_01

Thank you. Thank you for having me.

SPEAKER_02

Good to have you. So how was your how was your trip over?

SPEAKER_01

It was long, but definitely restful. I really enjoyed it. And I've been enjoying my time here as well.

SPEAKER_02

That's good. Fortunately for me, the jet lag hasn't been as bad this time. I don't know what happened this time, but I usually don't sleep on planes. My first nine-hour flight, I didn't sleep at all. The last four hours I slept a little bit. So unfortunately, no jet lag yet. I'm waiting for it to hit.

SPEAKER_01

Oh, well, good luck with that one. I intentionally made sure to sleep, but for some reason, once I got here, I was too excited. I couldn't go to sleep.

SPEAKER_02

Okay.

SPEAKER_01

So this is on three hours of sleep. All right. So we're good.

SPEAKER_02

Well, I would have never guessed it. Uh you seem to be doing well. Uh so before we get started, why don't you share with our listeners a little bit about your background?

SPEAKER_01

Let's see. I have I have a pretty diverse background. I've been in many different industries. I've held many different roles. I started out in IT. I wanted to be a CIO. Of course, uh, when security became the thing, I then wanted to be a CISO, so dreams do come true. I actually started out as a programmer. And actually, let me go back further. It helped desk in sleeping on data center floors. And then I moved into programming, and I just kind of took off with um project management, which is pretty much the true foundation of why I feel like I'm as successful as I am today, because it teaches you to um build relationships, and that because that's what it takes to be successful. You have to build relationships, know how to build teams, keep pulse checks. So that's my background in a nutshell. I've held many different titles, but always doing more than the title suggests. And I'm very passionate about people and what I do. So I I love cyber because it's a different way of protecting and helping, and that's innate for some of us.

SPEAKER_02

Well, that's that's great for your staff that they got someone that's interested in people. That's yeah, you don't always get that manager.

SPEAKER_01

No, you do not. But I care about my people. I care about those that work for me. I am a true people manager, but I also know how to separate. And that's gonna that's very important for a leader to be able to separate.

SPEAKER_02

Yeah, that's good because there's too many times people want to be your friend or whatever.

SPEAKER_01

Exactly.

SPEAKER_02

Yeah, and you can't be manipulated through that or have any bad outcomes of yeah.

SPEAKER_01

Very true.

SPEAKER_02

So, yeah, so what what topics are you speaking on?

SPEAKER_01

One I'm very excited about is uh the women in cyber, which is going from uh surviving to really thriving as a woman and contributing in the cyber field. I'm also excited about the um agentic AI talk, which is controlling agents. So that's going to be interesting. I think a lot of people may be tired of hearing about it, but there's a different side to AI that I'm gonna talk about, and it's that more human side of things or the human interaction side of AI.

SPEAKER_02

And kind of to be in line with topic, diverse thought resonates different with different people. That's one of the things like teaching or podcasting or any of that. There may be something, and you know, I've seen so many people said I would like to create content on how to do this. Yeah, but I don't know, there's so much out there, but voices from everyone are different. They explain things different. Some people understand it better. So why don't we kind of dive into your your uh talk about women and diversity?

SPEAKER_01

Would you like to know?

SPEAKER_02

Sure, yeah. Like what are what are some of your tips as a manager to leverage diversity to help women and even other upper other underrepresented groups? It's very important.

SPEAKER_01

No, I agree. I think the first part of a manager affecting change as it relates to diversity is they have to be able to truly understand what it is. Um many think that it's black or white, um, or it's male or female, and that's that's not diversity. Um, diversity can come from the way you think, your experiences, um, how you approach things. And what I found is that whether you are a you know a woman or or a man, it's really going to be about your passion. And diversity of thought is very key, especially in today's climate and what we have going on with today's threats, the way we used to do things, if we all see it the same way, that's not going to work in our favor or for our benefit. We have to be open to hearing how others may see it or they think about it or they like to approach it, because none of us have all the answers. And when it comes to let's say women in cyber, women have a unique and different way of looking at problems, approaching conflict, uh, coming up with ways to get it done. And it works well when you have different thought processes going on, whether it's from an age, a gender, a race, or where you know the country you're from. Uh diversity works very well when you're trying to be creative and come up with um different approaches, or if you're trying to figure out find a solution to an age-old problem. You have to get away from the way you used to do it and be open to understanding and hearing other thoughts on it.

SPEAKER_02

Yeah, I think that's great. And I like granular as you go, because some people are just male or female, you know, black or white, like you said. It's good that you mentioned, you know, people from being from different countries and even just different jobs. You may take someone that worked in construction for so much time or whatever, and there's things they understand like physical security, if you're needing to secure a facility, and they understand how doors are attached, door frames, they understand how they could be breached and just all sorts of industry knowledge. I mean, you take someone if uh you worked for a bank and you found someone that maybe they were just a teller and they got a degree from a university in cybersecurity, then they do have some industry experience. So I like the way that you are looking at that into depth. So at times people don't go that far in depth. For uh women or other diverse groups, are there any recommendations for you that you would give on uh networking opportunities, different groups that could be valuable to them?

SPEAKER_01

Before I answer that, I was going to also use the example of HR.

SPEAKER_00

Okay.

SPEAKER_01

Um I found that when in today's climate, as we're trying to build programs and diverse teams, it's um there's certain disciplines or fields that are very valuable to security now because they deal with people every day. And transparently, since COVID, it's been about the people. It's not about the technology or the process. It's about making sure that we have a pulse check on our people, that we allow them to be creative, that we somehow help them to find that balance because COVID changed the way we look at things. And we as leaders have to do that as well. So I was just thinking about the fact that at one point I brought someone in from HR, I brought someone in from the business who was in sales, had no idea about security, but they brought this uniqueness to the program, and now they're excelling at other companies. Now, what was your other question?

SPEAKER_02

So I was saying what some of your recommendations is maybe some groups that they can uh be a member of to help them out.

SPEAKER_01

Well, you know, I I like Millennium Alliance, I love uh Innovate. These are different groups where um or companies that bring security practitioners and leaders together. And see, I shouldn't have now now someone's gonna be upset that I didn't mention them. Um let me I then I'd have to go down the line. So I'm gonna start that one over. There are a few uh different organizations that I would recommend. Um, some of them focus on uh leaders at the executive level, some of them focus on more the practitioners. I think if someone is interested in getting into security or dibling and dabbing, um I would probably start with Black Hat or start with um, you know, one of the other big uh conferences, you know, RSA, I think it's okay to say that because they'll get a real feel for the different tracks. They'll get a feel for what the vendors bring to the table, and then they'll get a better feel for what security is all about. Many people think it's just about fighting bad guys, but there's so much more to security. There's the risk aspect, there's the compliance aspect, there is the the monitoring piece of it, there's the alerting, um, there's uh the partnerships that we build with the vendors and the trust that has to be um learned and and built into our muscle because as security practitioners we are um I'll say aware, not paranoid by nature. So we're not always, we did not used to be always open to um partnerships or networking or you know, conferences, but now we found that that's built in, that's part of our the way of life now with for security.

SPEAKER_02

Yeah, one of the things that's kind of good to see too is that women are starting to be more welcome to conferences because I've got some good friends of mine that said the only good thing about going to a security conference is the lines for the bathrooms weren't long. And so it's good to see that there's been kind of a culture change I've noticed in the US, that it's being more inclusive and accepting, which is good to see that. And then you see some groups that cater to different uh women and in different women groups. One of my favorites is women's cyberjutsu is a good group, they're very supportive. There's also women in tech.

SPEAKER_01

Um and the um uh Nicole was part of this one. Is it Cyber Girls? I can't remember, but there's there's a there's many, many different groups. What I would encourage young women or women in different professions who want to move into cyber, troll LinkedIn. There's so many of us on LinkedIn. I've had a few women reach out and say, hey, I just want to talk to you about cyber. And and I connected and we talked. We did tea. So to me, um before I you know tout any firm or organization, I would say reach out, and we will always help someone network. If I know what type of industry they want to be in, I'll use my network to also help out.

SPEAKER_02

That's awesome. Yeah, and then one group I can't forget is uh also uh Black Girls Hacks. They put on SquadCon at DEF CON each year, which is a good conference. Yeah, so you can't forget them.

SPEAKER_01

No, no, you can't forget them. I do also want to go back to your bathroom comment with women.

SPEAKER_00

Yes.

SPEAKER_01

What's very interesting here is I was in the bathroom and it was so refreshing to see women who did not look like me, yeah, but were a lot like me. Yes. You know, they were having conversations, they were talking about uh talent. I think they actually spoke in one of the um panels. But it's interesting to hear that our challenges, no matter where you are, which walk of life, whether you're starting your career, towards the end of your career, in the middle of the career, um, we have all had our experiences. And hopefully those experiences, again, I was listening but not listening because they were speaking a different language too. Um, but I was listening but not listening, and you could hear that we all see that there have been some changes. We also all agree that more change needs to come.

SPEAKER_02

Yes, definitely.

SPEAKER_01

So it's nice to see women here, and I know that it is deliberate. I've been to a few organizations or conferences or summits where it's deliberate to bring women into the fold. I would love when we get to a point where it doesn't have to be so deliberate, but it's just you know part of your muscle memory, just like it is inviting a man or males to a conference.

SPEAKER_02

I think one of the things we really need is the awareness piece because sometimes young women aren't aware of these certain roles because people can be, you know, you know, kind of do the traditional roles for this gender or that, and and they kind of miss out on these opportunities. So when women get introduced to these opportunities, it's good that and a good way to get more people in. So, how can we as allies help women and other underrepresented groups? How can we help them to you know excel in their career, help them get a foothold in their career?

SPEAKER_01

I think we can start by helping them to understand that cyber is not about being technical. Many women will shy away because they feel like it's going to either take them down a path that they don't want to go, or they they believe that men have the hard skills, the technical skills, and they've been led to believe that, and women have the softer skills. That's not true. No, women have both. I started out technical. I chose to go down a different path because I've always wanted to be a people manager. I think to answer your question, we first have to bring awareness to what security, cybersecurity, information security, digital security, whatever you want to call it, really is. And we should also then help them understand that there's different domains within security. So again, whether you call it information or not, or cyber, there's different domains. And there are areas where it's really about your passion. Again, taking the person from HR, they do they did very well with awareness and training, and then they went on to do um vulnerability management. So it it again, they like dealing with and working with people. So it really is about what is your passion and helping them to understand which fields might be more inviting based on the passion that they're sharing. Another thing that we can do is start to, as women, bring other women along. Like this is great, and I love it. Um, what I've thought about is when others have said, hey, you can bring someone with you, bring one of the up-and-coming young professionals or junior professionals with me so that they can shadow and see what it's really about, or bring someone who's thinking about getting into this field so that they can really see what cyber is really about. So there's bringing awareness, there's making sure that we are we we are being vulnerable with them and sharing our experiences so that when they hit a hard road, they don't quit because that's what happens. We suffer in silence, we think that it's only happening to us, but it's happening to, it's happened and happening to others. So when you find out that you're not alone, when you see uh success, however you define it, when you see other women on the stage, when you hear another woman talking about um their role in cyber, how they built teams, the programs that they've established, talking about how they are looking at their technical architecture, that is in motivating and inspiring. So we need to do a little bit more of that as women.

SPEAKER_02

That's great advice. And just to kind of add my two cents for what I think people should be do that want to be an ally to help others, and we all should do this, is try to get to know people that aren't like you. Exactly. Because sometimes what happens, sometimes it's not intentional. Sometimes it's just like, you know, if you go somewhere, women hang out, guys hang out. They relate. So you need to learn to be inclusive. Yeah, be inclusive. Be inclusive people not like you, get to know them, because one of the biggest things you can do is just make them feel welcome.

SPEAKER_01

Yeah.

SPEAKER_02

You know, if they feel yeah.

SPEAKER_01

I think we're all, even I, I've become very aware of it and I'm breaking that, right? But many of us have our unconscious biases. So I'll see a black woman and I'll immediately go up to her when there's white males, white women, you know, Indian, everyone is there, but I will automatically go navigate to someone who looks like me. I've stopped doing that. Now I'll go invite myself into conversations and and I'm welcomed.

SPEAKER_00

Yeah.

SPEAKER_01

But we have to actually get out of our own way. Part of breaking the biases and the lows in diversity is um recognizing our own uh, let's see, our own misgivings or what have you, however you want to say that.

SPEAKER_02

So that's great. I'm I'm really glad that you're sharing, you know, on the topic of diversity is something that we know we still need to preach. It needs to hopefully things get better, you know, because like you said, things are improving. We still got a long ways to go. But I'd like to discuss your your second topic, the the one on AI agents. That sounds really interesting. I'm still still kind of learning AI myself.

SPEAKER_01

And so AI, uh, many mention AI like we used to encryption. Just throw it out there, or like we used to do with risk. And I'll say this falling back on the last thing. All of it is about education. So the whole diversity, you have to educate to understand it. With AI, you have to educate to understand it. Many of us are, some of us, I should say, we started just by utilizing solutions and tools that have AI at the core of it. Because we have to somehow it's in us that we have to become believers first. So the talk that um or the panel discussion is regarding how do we can kind of control our agents. I look at it from the human aspect all the time. It's the same way you would if you brought an intern in or a junior employee or someone who wants to come from another field to cyber. You don't just turn them loose, you you give them, you know, certain access, state at task, and you see what they can do in what we would call a test environment or an isolated environment. You don't just let them go. And you also make sure that they understand your policies, what your the standards around it, the inventory. So AI is new for all of us, but it's really no different. And I think when we start to recognize that the control that we're talking about, the risk that we're talking about, will become more, people will become more aware of it and appreciative of it. So that's kind of where that talk is going.

SPEAKER_02

Okay.

SPEAKER_01

Without giving too much advice.

SPEAKER_02

So do you you you leverage much AI in your your day job?

SPEAKER_01

Believe it or not, a lot of our tools have the you know AI built in, and the way that many of the vendors are, you know, staying relevant is to make sure that they're building it in. The same that most companies go through, uh, vendors are their technology as well. They're trying, it's about efficiency, automation, speed, streamlining. So making sure that you have the opportunity to build in AI for companies takes the the challenge and the strain off of the security leader or the IT leader or whomever that's trying to figure out the best route to go.

SPEAKER_02

So is that really something you really consider when you're looking at new products?

SPEAKER_01

Uh I'm gonna say so. I look at cost savings, efficiency, uh, streamlining. So yeah, if it's uh if it's built in and it's going to allow us some automation, absolutely. Look, we're not building Fort Knox and we're not hiring security resources. We don't get that type of budget or investments. So we have to be smart about our approach to protecting our companies. And much of that has to do with technology that will Allow us to leverage and position resources elsewhere while the technology kind of does the work for us.

SPEAKER_02

So one of the things I think would be a good topic to discuss, especially you being a people person and being a leader, what's your advice for managers to help retain employees?

SPEAKER_01

Ooh, that's a good one. We have to make decisions as managers. What type of manager do you want to be? I chose years ago to manage down side and up, but what's mo what was most important to me was managing down. And that actually has served me well in my career. So you have to keep a pulse check on your people, and you also have to allow change and you have to be receptive to other ideas. Many managers feel as though if it's not their idea, it looks like they're not effective or they shouldn't be in their roles. That's not how that works. Good managers and good leaders, they take the ideas and they allow their people to go run with it. So if someone brings an idea to you and it aligns to your strategy, go off and do great things. I think that's where managers may need to take a step back and look at their style. And they also have to determine what type of style, what do they want to be known for? I found that practitioners and resources like coming to work for me because when I ask them a question, it's not because I don't know, it's because I want them to tell me. I want to make sure they're engaged and it's inclusive. I also make sure that they understand how their contributions are helping the company. That's why you share your strategy. That's why you help them understand the mission of the company and show how their great works are protecting the company. So many managers could probably benefit from stepping back and remembering when they were and using that, what motivated them, what inspired them, and use those tools and techniques and tactics to do the same. I think that understanding that we're all human, that we have home lives, that there is a balance, that as leaders and managers, we must make sure that our people strike that balance. Your family is what will always be there for you. So recognize and kind of find that balance in between work, life, family, work, life, however you want to look at it.

SPEAKER_02

For someone that wanted to make the move from manager to CISO, what's your advice?

SPEAKER_01

Run run to it or run away from it? Run away. Run away. If you want to move uh to being a security leader or a CISO, what we need today are good leaders, people who know how to take a skill, hone in on it, um, help someone contribute, add value. Um good leaders and good managers know how to bring out the best in people. And they're they'll have those tough conversations, those hard conversations, but they'll watch that the they'll see that the conversation changes the person's approach and perspective. And nine times out of ten, they take it and they flourish. They they run with it. So if you really want to be a good manager or move into being a CISO, you have to understand that there's different facets to being a CISO. There's that risk hat, there's the you know, kind of babysitter hat, there's the partner hat. Um, that's both vendor and internal. There's the business hat. So you have to be ready to wear all of those hats because the role of a CISO has changed drastically in the last years.

SPEAKER_02

Very good. So that's a wrap. A big thank you to our guest, Trina Ford. Let's close this file into the next chapter. This is Philip Wiley signing off.