Jeffrey Dobin: Good morning and welcome to the 16th episode of the Data Democratization Podcast. I’m Jeffrey Dobin. I’m joined by my tag team partner, Alexandra Ebert. We are super excited about today’s value-packed episode. Alexandra, awesome to be back with you again. Why am I so pumped about today’s guest? Who did you speak with?
Alexandra Ebert: Hi, everyone. Hi, Jeff. Sure. Today we will be talking with Claudette McGowan, Global Executive Officer responsible for Cyber Experience at TD Bank. Claudette is a passionate champion of cybersecurity. She has decades of experience in educating people about this increasingly important topic. The episode today is fully packed of actionable advice.
Jeffrey: Absolutely. We go a long way back with Claudette. She has been an evangelist and champion in the cybersecurity and data privacy space. Today, you will learn some actionable takeaways and perspective from a true boss in the cybersecurity space. Alexandra, are we ready?
Alexandra: We sure are. Let’s get started.
Alexandra: Claudette, it’s such a pleasure to have you on the show, I was really looking forward to this conversation. Before we get started to talk about all things cyber security, you were recently recognized as one of Canada’s top woman in cyber security. Could you briefly introduce yourself to our listeners and also share a bit about how you ended up as a cyber security champion?
Claudette McGowan: Thank you so much for having me. I’m thrilled to be here. Anytime you get recognized, you ask yourself, “How did I get nominated? How does this process come together?” I’m honored to be recognized for something I’m very passionate about and that’s protecting people. That’s really what cybersecurity is about. It’s protecting people protecting assets, protecting the things that we treasure from threat actors.
I’ve been in technology for over 20 years and throughout my time, there’s always been an element of protection. Whether I had all the endpoints in one organization, which was over 100,000 different endpoints, or whether we were managing and protecting IDs and identity and authentication, but there’s always been this element of protect. I come from a parent who was a nurse, and I grew up watching my mother and just saw her caring for people and how rewarding it was.
I almost remember sometimes thinking, “Wow, she’s got so much capacity to give to others.” Now, of course, you fast forward and I feel like I’m walking in her footsteps, but instead of in the white outfit at the hospital, I get to wear more colors and do things in a very different and digital way.
I’ve been in this industry for some time, in tech in general, and really double-clicked on cyber security because I saw the problem just growing. Whether it’s personally where you’re getting those phishing emails or every day you’re reading about a ransomware attack. They talk about where the moment meets the things that matter the most. I think right now, this is the moment for cybersecurity professionals to step up and really help everybody else along the journey.
Alexandra: Yes, absolutely. I really like this analogy you made with your mother and that you just brought caring for people in the digital space because the thing cyber security, of course, is super important for organizations, but it’s always also about protecting people. You’re also the host of a great podcast about cybersecurity. What’s the title of your podcast and where can our listeners find it?
Claudette: The long name is the Cyber Suite, but to be cool, we call it the C Suite. Essentially, it’s on Spotify, it’s on Apple Podcast. This is about everyday people and the things that happen with everyday people. It’s about raising awareness. There’s almost five billion of us connected online and our thought is that it’s wonderful to be connected, but it’s just as amazing to be protected, so we’re driving that connected and protected message globally.
I’m really happy to say, I believe we’re at 40,000 listeners who tune in to get tips on whether we’re talking about phishing, or scareware, or SIM jacking, or skimming, things that you would not know about unless you or somebody in your life who was confronted with it personally. I’d like to get people to the left of the boom. Like things blow up and then you have to figure it out, well, imagine if you were educated about what could potentially happen and prevent the thing from blowing up. That’s really what the C Suite is all about.
Alexandra: That’s, of course, a benefit. I also listen in to a few episodes and I really liked it. It gives this actionable advice for every listener on how they could improve their cybersecurity. How did cybersecurity change now that we had to prevent the pandemic and this increase in home office? What was different due to Corona?
Claudette: Yes, absolutely, just the number of people connecting from, I’ll call them non-traditional spaces to do their jobs. We have millions of people working from home. As a result, the threat landscape just got a lot bigger because there’s so many new attack vectors and people, you have the controls within the four walls that perhaps you don’t have, maybe you run an antivirus program, maybe you anti-malware, but it’s a maybe.
At least you knew when you were at work, there was a lot of things that were put into defense-in-depth, multiple layers of protection for you. I think that’s changed. I also think the threat actors have changed and they’re taking advantage of things like the remote infrastructure. They’re taking advantage of hitting you at certain times of day that traditionally, maybe they would be during the commute now. It’s a great time for people who are putting those extra hours in.
I just read something this morning where one threat actor or one group took advantage of the long weekend, thinking, “Okay, everybody’s going to be resting on their laurels, this is the opportune time to strike.” As much as we’re being innovative and creative, we also know that there’s a whole contingent of criminals who are being just as innovative and just as creative.
Alexandra: Yes, so you always have to be on top of your game to be able to protect people. What do you think are currently the biggest challenges and threats in the cybersecurity space? Is there anything that you really see a focus on currently?
Claudette: I absolutely have to highlight ransomware. Like I said, there’s not a day, there’s not a sector that has been immune, and that is something that many fundamental things in technology, like having backups, making sure that you’ve tested the backups. Making sure that people know what to do and you have an incident response plan. I spoke to several leaders in many big organizations and they don’t know what the incident response plan is or if they even have one.
I think it’s really critical that when you see something happening across the pond or in some other part of the world, you have to take those tactics and techniques and indicators of compromise that happened elsewhere and say, “Would I be ready for something like that to happen in my home, in my company, in my community? We have to learn from what’s happening anywhere in the world?”
Alexandra: Absolutely. Is there any story that comes to your mind of a cybersecurity attack that was particularly bad and that would be a great opportunity for people to really think, “Hey, are we up to face with a challenge if this happens to our organizations?” Because with the Data Democratization Podcast, we are always super interested in these front-line stories, and therefore, if you could share a story about cybersecurity, our listeners would really love that.
Claudette: There’s two things that come to mind for me, and one was a small business owner who was trying to close the books. It’s the end of the fiscal year, they’re trying to close the books and then they were under some form of attack. The first person they called was their tech support person, but they called that person after they had already sent the money.
It was heartbreaking because you know that it’s a small business person and you know that this type of crime could completely put them out of business, impact their lives personally and professionally. That was really tough. Then I have a bigger example of a government agency that was attacked through ransomware. In this case, this government agency, they shared that they didn’t even know, they didn’t even find the ransom note because people weren’t checking the logs.
I bring it back to hygiene. We have to have really good discipline and hygiene around how we run our business, how we run our operations. In every case, whether it’s a small business, or whether it’s a larger organization, knowing what to do, being prepared, making sure that you’ve got that list or those groups set up so that you can bring everybody together to really mobilize and solve the problem. It’s the same type of attack, two very different organizations, but in both cases, neither were prepared.
Alexandra: Yes, sounds like that. What would you say are the pillars of a successful cybersecurity program? What should every organization have in place?
Claudette: Without a doubt, you have to go back to that triad, confidentiality, integrity, availability. You really have to make sure that you’re protecting your crown jewels. You understand what is valuable, you understand the value of your data, and why it’s so attractive to threat actors. Making sure that what you have is on spec and you can tell if there’s been any modification to it, and then lastly, from availability perspective, is it there when you need it?
In many cases, when I talked about the backup, you asked folks and they’ll say, “We have a backup. Oh, yes, we do incrementals, we do differentials.” Then when they try to recover, they can’t recover and so they hadn’t tested the recovery. Again, it’s not enough to have a backup if you’re not actually testing that when you need it the backups going to be available, and ready for you, so having access to the data when you need it, with the speed that you needed that is very critical.
Alexandra: I can absolutely see that. We also notice from many of our clients that testing the systems is of utmost importance and there our synthetic data sometimes comes into play. One other thing that I was curious about, in one of your talks you mentioned, “that the days when cyber security was about protecting parameters are gone and that companies should really think about what’s on the inside in terms of security.” What did you mean by that and what would you advise companies to do?
Claudette: Again, it was all about protecting the safe inside from the very vicious outside at times. We have to be mindful of the fact that inside your organization, you could have internal threat actors. You could have people who present insider risk, and sometimes it’s malicious and sometimes it’s not. It’s human error, it’s negligence, it’s not keeping your eye on the thing that matters the most when you need to be focused on it.
I think it’s important for us to recognize that if somebody drops a USB key in the washroom, for humans, most of us are going to be curious, “I wonder what’s on that USB key,” and then you find out that you plug it in and you’ve infected systems. Those are different ways that you have to just be thoughtful of, “Are we making sure that internally we have things like segmentation that you apply that least privilege?” Like you only gets access to the things you need to get access to, or you only know what you need to know to do your job effectively.
If you think about firewalls, does it admit everything or to deny everything that doesn’t fit this criteria. Making sure that you think about the internal threats, in addition to the external threats. Also, again, as we have people working at home, what does that mean to connect from home, what type of device, what type of tunnel, what type of secure virtual private network.
These are the things that I think everybody now has to consider that the attack surface is not the same, and also that we can’t trust everyone and so you hear a lot about zero trust, which means basically, everything has to be authenticated and verified. I think that’s the way the world is going, and I think it’s a smart direction.
Alexandra: This definitely makes sense. Since you mentioned, people should only have access to things that are absolutely necessary for them to do their job. Especially with the concept of data democratization, some organizations really tried to figure out ways how more people could get access to data to facilitate innovation. Where’s the right balance in your point of view on protecting data versus making it more broadly available to internal and also external people to innovate with it?
Claudette: I always go back to what’s the value. At the end of the day, there’s a business value and having the data to use for insight doesn’t mean that you have to have access to all the data. Do you have to view all the data? Is there any way to anonymize the data? Is there any way to do things in a synthetic fashion where you could still get the right outcome, but without sacrificing privacy? I think about digital literacy and access to data, it’s absolutely a human right to know what’s out there about you, but do you have the right to know what’s out there about everybody else? My personal view is no.
Alexandra: Yes, makes sense. I’ve also heard that very often when it comes to data breaches, that it happens within the organization. At this point when data is shared with vendors or with collaboration partners, and especially in banking we know that there’s increasing need to collaborate with vendors and also with startups in open banking, and so on, and so forth. Would it help with just sharing anonymized or synthetic data to reduce the attack surface that not so much could happen to the data or isn’t it in general that big of a threat from a cybersecurity perspective when data is shared with external partners?
Claudette: My personal view is that some form of masking is necessary. Also I take a step back from that and say, “Who are you doing business with and where is your data residing?” Making sure that when you have third parties and fourth parties, you understand everything about them. Just like you wouldn’t open up your home to anyone and everyone without doing any kind of validation or verification, I think it’s the same way we should be treating our data and just understanding, who we’re sharing with it, how we’re sharing it, and also that, again, we’re protecting privacy.
Alexandra: Absolutely. Especially with banking, we know that it’s an industry that’s heavily based on trust. There’s also lots of research that came to the conclusion that consumer trust in banking actually reached an all-time high in 2020. Why do you think that is the case and how should banks leverage this trust?
Claudette: As an individual, I can say that 2020, was such a year for unprecedented change and there’s very few things we could count on to look and be the stabilizer for us. I look at our banking system in Canada as one of those things that gave people the stability, whether it was support from governments or organizations, but I certainly think in a year where there was so much tumultuousness, you can look at the banking systems and say, they delivered on stability. The business is trust. It is about trust.
I know, a lot of people think it’s dollars and cents, but ultimately, it’s about your livelihood. It’s about your dreams and your aspirations, and who do you trust, to make sure that you can realize those goals and those vision. I think, in my personal opinion and standpoint, the reason why the trust went up is because you could count on your financial institution to be that steady rock for you, during a time when it was very, very difficult.
Alexandra: Yes, I see that and I think this is also one of the reasons why especially banking and those insurance industries would be sure to put a lot of emphasis on the cybersecurity practices to really be in the place to uphold this trust. How do you think will banking change in the next 5 to 10 years and also how will cybersecurity in banking change in the future?
Claudette: My personal view is that more people will be educated, like again, back to the C Suite and be educated when the time is now, not to be educated after something has gone horribly wrong. I think that’s a big piece that because you own so much of the trust landscape that more can be done in helping people along that journey. I think from a banking standpoint and I certainly think we’re embracing digital in ways you’ve never seen.
I look to people in my own family, who only user their phones to communicate, whether it’s on social media, well, now they’re doing everything, through their phone, through their tablet or through their laptop. It’s necessity and that’s why I go back and say, like this literacy in the digital space is truly a human right. There’s many companies right now that if you don’t deal with them digitally, you can’t deal with them.
I certainly believe that banking will become more digital. Your veterinarian will be more digital, how you get your food, they will be more digital, the hospitals. Back to the story about my mother as a nurse, her entire hospital went completely digital and that wasn’t her space. That wasn’t her domain, so that was a decision that had to be made of, “How do you change this manual way of doing things to completely automated when it’s not the way you were trained and not the way you learned?”
Alexandra: Absolutely, and how to educate people to cope with this new environment. One other thing that I would love to talk about with you is diversity in cybersecurity. You’re an advocate for increasing diversity. Why is it so important especially in cybersecurity to have a more diverse workforce?
Claudette: Yes, first of all, I think the number one reason is simple math. There are four million unfilled jobs in cybersecurity. I want to cast the widest net possible to get as many people interested in being on the right side of history, and supporting the protecting of this world. You’ve heard in many cases and in the next couple of wars, they won’t be on a battlefield. It’s going to be done with bits and bytes. I really think the more people in this space the better, and that’s just fundamentally around the numbers.
You can’t discriminate and say, “Hey, I like this person, this height, that height, this weight, this size,” because it doesn’t make sense when the need is so great. Also, I know from personal experience, it’s a differentiator. To be into an industry where it’s growing and there’s need, it can transform lives and so people who are doing things today that they think, “Hey, perhaps it’s a little bit more for me, or I have aspirations to be in a different domain or to make a career pivot.
It’s a phenomenal opportunity and the doors are open. I am the Chair of something called the Coalition for Innovation Leaders Against Racism here in Canada, and we have almost 50 different organizations that are a part and they are all looking for diverse talent. They’re all looking to engage the hearts and minds of people from the black and people of color communities, LGBT. You name it, like it is really critical that we don’t close the door to anybody who wants to be here because we need as many people as possible.
Alexandra: Yes, it makes sense and I think one other benefit would also be, we’ve seen all this research coming out about companies that have more diverse boards and more diverse workforce just performing better. I think especially in a domain like cybersecurity where you’re just managing that, it’s always just keeping up with the criminals out there and the other side where it’s new ideas on how to infiltrate an organization that you really harness all these different perspectives that a more diverse group could bring. I think this would also be a pro and a benefit.
Claudette: Absolutely, and creating the solutions. You’re creating things and it’s five people in Silicon Valley creating it based on their experience but it’s for the world, chances are it might not hit the mark. You really want to get as much diverse minds on a problem as possible. Again, it makes good sense, I think economically for an organization, but it also makes great sense societally
Alexandra: Yes, absolutely. Maybe for the listeners who are not yet in cybersecurity, you seem like somebody who is really a fan of cybersecurity. For you, what are the most reward awarding points of working in the domain of cybersecurity?
Claudette: Yes, first I think prevention. I’ll tell you, I love to run toward the fire and put the fire out, and understand why the fire occurred, and how I can prevent it from happening. What I find even more exciting than the fire, is preventing the fire and getting there before. That’s where I see the value of analytics and machine learning helping us to move to a place where we’re predicting things before they happen.
Where we’re learning patterns, where we’re seeing behaviors, and we’re applying a new logic to help solve for things as close to real-time, if not even faster. I’m very excited about the future of where things are going to go, and again, applying cutting edge technology to the problem that has been around from the beginning of time, which is you’re going to have good and you’re going to have evil.
Alexandra: Yes. That really sounds like a few good points to consider moving your career towards cybersecurity. Before we come to an end, Claudette, it was a really pleasuret alking with you. Is there anything that you would wanted me to ask you that I didn’t ask? Or is there anything that you wanted to really remember or dissonance from this conversation?
Claudette: I just go back to the opportunity and it really is about protecting the world, protecting your community, protecting your family and so maybe you don’t want to work in cyber security but she want peace of mind at night. I would go on Udemy or I’d go on Eduonix, or I’d go on Cyber Re, but go and learn something. Take the courage to just educate yourself around your personal protection and tell a few friends.
I find that when I share stories to people, they say, “Wow, you have the coolest job and you do all this.” It’s not so much that it’s the coolest job, but it’s the job that I’m passionate about doing because of what it offers others. It goes back to that helping others and if you can help people and enrich lives, and that gets you excited, and it’s a great place to be. If you just want to sleep peacefully at night, that’s a great place to be as well.
Alexandra: Absolutely. It’s wonderful to see how passionate you are about this because then I can absolutely see why that’s the case. Thank you so much again for taking the time and to all of our listeners out there, do what Claudette said, educate yourself either on Udemy and the other platforms or check out the fabulous podcast that can really recommend it. Thanks again for tuning in and, Claudette, thank you so much for your time.
Claudette: Thank you. My pleasure to be here. Thanks for what you do as far as helping people understand data.
Alexandra: Thank you very much, Claudette.
Jeffery: Claudette makes cyber security fun, doesn’t she?
Alexandra: Yes, it’s such a cool topic, isn’t it? It comes with the added benefit of being on the right side of history and protecting people. I think also that Claudette’s podcast, The C Suite, is also a great resource. I’ll definitely continue to listen to that one, to pick up more cybersecurity knowledge.
Jeffery: Indeed, whether you’re a cybersecurity pro or just a lay person interested in best practices, I can personally recommend her podcast The C Suite, but what about today’s podcast? Should we pull together some takeaways for our listeners who are on the line right now?
Alexandra: Yes, let’s do that. I’ll start. We’ve got a really awesome definition of cybersecurity from Claudette. “You can think of cybersecurity as caring for people and their safety in the digital space. Cybersecurity became even more important recently due to the pandemic. People started working from home with less security and as a result, the threat landscape got bigger. The attackers targeting has also changed and they’re taking advantages of the peculiarities of remote work.”
Jeffery: “At the same time, ransomware has become a common threat in every sector. It’s important to learn from the attacks happening around the world. Companies should ask themselves, what would have been the outcome and damage if they were the targets?”
Alexandra: “Also know what to do if an attack happens to you. Be prepared to mobilize people and test your data backups.”
Jeffery: Yes. “Using data for insights doesn’t mean that you need to give access to all of your data. Companies can anonymize and leverage privacy enhancing technologies to pick and choose which data they make available and to who. Aim for the outcome you want to achieve without sacrificing privacy.”
Alexandra: Absolutely. Then we also heard that, “Collaborations need privacy safe data sharing. Third parties need to be validated for lead and companies need to understand how the data can be shared in a way that protects privacy.”
Jeffery: Claudette spoke about knowing the value of your data and why it’s so attractive to threat actors. “Now, many orgs back up their data and systems, but some of them fail to test them adequately for primetime. One of her key recommendations is to test your backups and the way I think of this is really like rehearsing for worst case scenarios. Be ready and be prepared so that way if you’re hit by an attack, you know where your backup data is, you know how to access it, and you should also be able to leverage it at the speed you need to keep your systems up and running smoothly.”
Alexandra: That’s definitely very valuable advice. Then we also heard that, “cybersecurity was used to be about protecting the inside from the outside, but we also need to be mindful of internal threats. Whether they are malicious or not, you need to segment internally and only give people the access that they really need. Today, we are moving towards a zero trust approach, which means that everything needs to be authenticated and verified.”
Jeffery: True that. “Data literacy must also improve. Banking will become more digital, and people need to be educated about and prepared for cybersecurity events.”
Alexandra: Absolutely. Claudette really recommends cybersecurity also as a career option for younger people who want to be on the right side of history. The industry can transform lives and organizations need an a currently also looking for diverse talents.
Jeffery: Absolutely. Another cybersecurity trend that was mentioned is really around analytics and machine learning, and that they’re becoming more increasingly important in predicting attacks, even before they begin.
Alexandra: That’s true. Claudette recommends learning about the field of cybersecurity. Even if you don’t want to work in it, great resources available at Udemy, Eduonix, and Cyber Re.
Jeffery: One of my favorite things about Claudette is her desire to help others. She spoke about her why and her mom serving others and how she uses cyber security as her own path to give back. Not all heroes wear capes, neither does Claudette, but she’s a hero in my mind and a true evangelist in the cybersecurity space, as well as empowering others through diversity. Claudette serves as a wonderful role model by being an awesome leader in this space. If you want to learn more about Claudette or cybersecurity in general, check out the C Suite Podcast on Spotify and Apple to learn about everyday people like you and me and how they’re protecting against cybersecurity attacks.
Alexandra: Absolutely. I hope you enjoyed listening to the show today. We will back with our next episode with another exciting story from the frontlines of data and privacy. In the meantime, please follow, download, and subscribe to the Data Democratization Podcast. If you have any questions, just send us an email or a voice recording to firstname.lastname@example.org. Thank you for tuning in today.