EPISODE 199: Marketer of the Month Podcast with Wendy Nather

Hey there! Welcome to the Marketer Of The Month blog!

We recently interviewed Wendy Nather for our monthly podcast – ‘Marketer of the Month’! We had some amazing insightful conversations with Wendy and here’s what we discussed about –

1. Discussed the importance and challenges of incorporating threat intelligence in security strategies.

2. Preferred the FAIR model for conducting risk assessments and engaging business leaders.

3. Emphasized dialogue with non-technical stakeholders to align on risk probabilities and impacts.

4. Described complexities and creativity required in implementing Identity and Access Management solutions.

5. Highlighted automation of incident detection and freeing up SOC personnel for complex tasks.

6. Suggested creative and low-cost security measures for resource-limited organizations.

7. Emphasized managing AI risks with traditional software security practices and addressing AI model integrity.

About our host:

Dr. Saksham Sharda is the Chief Information Officer at Outgrow.co. He specializes in data collection, analysis, filtering, and transfer by means of widgets and applets. Interactive, cultural, and trending widgets designed by him have been featured on TrendHunter, Alibaba, ProductHunt, New York Marketing Association, FactoryBerlin, Digimarcon Silicon Valley, and at The European Affiliate Summit.

About our guest:

Wendy Nather is the Director of Strategic Engagements at Cisco, leveraging over 40 years of IT operations and security expertise. With experience in financial services and industry analysis, she excels in security program management, threat intelligence, risk analysis, and incident response.

Phish and Chips: Cisco’s Director of Strategic Engagements Wendy Nather on AI’s Role in the Future of Cyber Scams

The Intro!

Saksham Sharda: Hi, everyone. Welcome to another episode of Outgrow’s Marketer of the Month. I’m your host, Dr. Saksham Sharda, and I’m the creative director at Outgrow. co. And for this month we are going to interview Wendy Nather who is the Director of Strategic Engagements at Cisco.

Wendy Nather: Great to be here. Thank you.

Don’t have time to read? No problem, just watch the Podcast!

Challenge yourself with this trivia about the exciting topics Wendy Nather covered in the podcast.

Launch Interactive Quiz

Or you can just listen to it on Spotify!

The Rapid Fire Round!

Saksham Sharda: Alright, so let’s start with the rapid-fire round. The first one is, at what age do you want to retire?

Wendy Nather: Oh, I wish I could retire right now, but I can’t.

Saksham Sharda: How long does it take you to get ready in the mornings?

Wendy Nather: It depends on what I’m wearing. And if I’m going to sit in front of a video screen, then I just kind of roll out of bed. 

Saksham Sharda: Favorite color.

Wendy Nather: Rainbow.

Saksham Sharda: What time of day are you most inspired?

Wendy Nather: I’m usually most inspired at three in the morning when I’m trying to sleep.

Saksham Sharda: How many hours of sleep can you survive on?

Wendy Nather: Depends on how many of them were on a plane.

Saksham Sharda: Fill in the blank. An upcoming technology trend is ______.

Wendy Nather: An upcoming technology trend is whatever happens to be in the news. It doesn’t have to make sense.

Saksham Sharda: The city in which the best kiss of your life happened.

Wendy Nather: The best kiss of my life happened on a train with a French soldier outside of Paris in the 1980s.

Saksham Sharda: Pick one. Elon Musk or Mark Zuckerberg.

Wendy Nather: Mark Zuckerberg.

Saksham Sharda: The biggest mistake of your career?

Wendy Nather: The biggest mistake of my career was not going into the foreign service, which is what the aptitude test that I took in school told me I should have done.

Saksham Sharda: A habit of yours that you hate.

Wendy Nather: I hate my habit of being able to wake up right before my alarm, no matter what time it’s set for.

Saksham Sharda: How do you relax?

Wendy Nather: I relax by falling asleep pretty much anywhere I happen to be, including in a crowded place.

Saksham Sharda: How many cups of coffee do you drink per day?

Wendy Nather: Zero. I do not drink coffee.

Saksham Sharda: The most valuable skill you’ve learned in life?

Wendy Nather: The most valuable skill I’ve learned in life has been to talk to other people and find out where they’re coming from so that I can match the level that they’re, they want to speak on

Saksham Sharda: Your favorite Netflix show.

Wendy Nather: My favorite Netflix show is American Gods by Neil Gaiman.

Saksham Sharda: One-word description of your leadership style.

Wendy Nather: Flexible.

Saksham Sharda: A top priority in your daily schedule.

Wendy Nather: A top priority in my daily schedule is getting as much sleep as I possibly can.

Saksham Sharda: An ideal vacation spot for relaxation.

Wendy Nather: My favorite ideal vacation spot was on Great Exuma in The Bahamas on a beach where nobody else was around.

Saksham Sharda: A key factor for maintaining a work-life balance.

Wendy Nather: I don’t have a work-life balance. I just kind of ricochet from one area to another without a lot of structure.

The Big Questions!

Saksham Sharda: Alright, well that’s the end of the rapid fire. Now we can go on to the longer questions, which you can answer as much ease and time as you like. Okay. The first one is, you had a fascinating career planning over four decades in IT and security. What initially drew you to this field?

Wendy Nather: What drew me to this field in tech was when I was 12 years old, my father, who was teaching at Tel Aviv University taught me how to program in basic on the department computer. And because I told him I was bored. And ever since then, that has launched me into my career in tech, even though I didn’t know it at the time.

Saksham Sharda: How have your roles across financial services and as an industry analyst shaped your perspective on cybersecurity?

Wendy Nather: A lot of what’s shaped my view on cybersecurity is trying to make what we think of as conventional wisdom says that we should be doing security, trying to make that work in the real world. And doing it in so many different verticals and so many geographies, I’ve learned a lot about what’s just not practical.

Saksham Sharda: And how does one integrate, for instance, threat intelligence into an organization’s overall security strategy?

Wendy Nather: Well, we find that threat intelligence is really important, but the interesting thing is we did some research on what works for CISOs and the outcomes that they want in security. We discovered that when you start to use threat intelligence, your confidence in your security program goes down at first because you discover all the things that you didn’t know about. So it starts in a curve that goes down, but then it starts to get better as you get better at using that threat intelligence, and then you get much more confidence in your program. So I would say, the trick is to be able to put in processes that allow you to take action on the threat intelligence that you’re getting. Until you have that, you’re going to feel very nervous about what you’re discovering.

Saksham Sharda: So then what are the biggest challenges of gathering and analyzing threat intelligence?

Wendy Nather: One of the big challenges is deciding how much you trust the source of your threat intelligence. I’ve worked with a lot of organizations including in retail, and I found that some organizations tend to have good layers of trust with each other and they say, fine, if I get threat intel from this company, I’m going to trust it. But there are others, very large companies that say, we’re not going to automate anything based on the threat intelligence that we get. We’re going to check it out ourselves first before we decide to make any movements.

Saksham Sharda: And so risk analysis in general is quite complex. What methodologies do you prefer for conducting thorough risk assessments?

Wendy Nather: My favorite model and methodology is called the factored Analysis of information risk. It’s called fair. And the great thing about it is if you are into quantitative risk analysis, you can go very deep into the model and you can create Monte Carlo simulations and things like that. Banks like to do that. But if you don’t want to do that, it’s still very useful at the top layer. I would take the very top layer of the model to talk to my business leaders and say, let’s go through this together. What do you think is going to happen? And the trick is that if they give you the answers, they’re more likely to believe them than if you give them the answers. So having that dialogue using the fair model as a structure is my favorite way of analyzing risk.

Saksham Sharda: So then when it comes to dialogue, how do you communicate risk findings to non-technical stakeholders in a way that prompts actions?

Wendy Nather: First of all, I like to ask them for their estimation of the risk. The problem that I see a lot is that a business leader may agree with you on the impact. Yes, if this happens, we might lose $11 billion in funding, but I don’t think that’s gonna happen. So they won’t agree on the probability with you. So it’s important to have that discussion and say, how likely do you think this is gonna happen? And would it make any difference if I tell you that one of our peers just experienced this? And so I have a dialogue with them and we end up agreeing more or less on the probability and we start working from there.

Saksham Sharda: Do you have any story around an incident response that you’d like to share today?

Wendy Nather: One of the things that I like to talk about is the difference between details and context. Everybody says context a lot, and they don’t always mean that. So when I was at CISCO one day we discovered that one of our servers was talking to a server in Romania. Now that’s a detail, but that’s not the context. The context was that we were a Texas state agency and we don’t do business with Romania. So I went, oh my goodness. And I declared an incident and I sent out for pizza, and we worked on the problem. And then we discovered that the security software that we’d bought on a state contract was supported by a vendor in Romania. So we were downloading security updates from a server in Romania, and it was legitimate. We were doing business with Romania. So I said, okay, finish the pizza, let’s go home. It’s not an accident. So context is the thing that you as an organization have to determine yourself. A vendor can’t do that for you. You have to do your part in figuring out whether it’s an incident or not.

Saksham Sharda: So IAM is a critical component in security. What are the biggest challenges you faced in implementing IAM Solutions?

Wendy Nather: Identity and access management is the main interface by which the business interfaces with it. And so it is as complicated as the business itself. One time I had to migrate, and identity and access management, a single sign-on portal that was custom-written over to commercial off-the-shelf software. And I had to reverse-engineer all of the requirements. I had to look at the way we’d implemented it and derive the rules so that I could move those rules over to the other product. And you can imagine how tangled they were and how complicated and you could allow this access, but not when this happened or not. By the time you got to the top of leadership, there was nobody to approve the top leadership access. So where do you put it? That sort of discussion requires a lot of creativity and that’s often the hardest part of IAM.

Saksham Sharda: So besides the entanglement and everything about IAM, if you were to keep that aside, what innovations in IAM excite you the most and why?

Wendy Nather: Probably the most exciting innovation in IAM today is the fact that we no longer have to use the poetry-generating custard inside of our heads as a store for credentials. We don’t have to remember passwords anymore. With the passwordless technology that we’ve rolled out, you can simply use other factors including biometrics. As I get older, it’s harder for me to remember 200, 300, and 400 passwords. So I’m very happy that we’ve developed that technology.

Saksham Sharda: And what is the speed of this rollout, do you think?

Wendy Nather: The speed of the rollout is going to be years because there are a lot of legacy systems out there that are not immediately set up. They’re not web-based, for example, and that’s what’s getting rolled out first. And the expense of retrofitting those legacy systems is difficult to do. So for most of the user-facing systems that can benefit from passwordless, I would say it’s gonna take about three to five years to be able to roll that out. But then you’re going to see a very long tail of legacy systems where they might just have a layer put in front of them instead of fixing those legacy systems to use the same mechanisms.

Saksham Sharda: So let’s talk a bit about the hallmarks of an effective security operation center. In your opinion, what are these hallmarks?

Wendy Nather: Some of the hallmarks of the soc include? Well, first of all, it is very hard for an organization to get eyeballs 24 by seven. Almost nobody wants to work the late shift or the overnight shift. I used to do it, and I didn’t like it that much, except I could talk to Europe a lot from the States. But one of the tricks that I have seen at a very large successful organization is that they took all of the recent incidents and headlines and said, what would these look like in our environment? And once they figured that out, they said, can we detect it? And once they figured out how to detect the signs of those incidents, they automated that detection. So they automated everything they could in little pieces so that their sock personnel didn’t have to do it by hand anymore. That freed up the SOC people to be able to work on the next set of difficult detection problems.

Saksham Sharda: Do you have an example of a major security incident and the key lessons learned from handling it besides the Romanian? What I guess was different.

Wendy Nather: Yeah, that was not an incident. That was not a major incident. Some of the lessons that we’ve learned most recently are how the attackers get more and more creative in taking advantage of what we deploy as defenders. For example, if you use the push authentication method, which we do in Duo, that’s one of the very few factors that goes out and notifies the user on their phone that there’s an incoming authentication request. Now that push has been used by attackers to start annoying the user, triggering it over and over and over again so that the user will do anything to make it stop. It’s called push fatigue. And they found that if they annoyed the user enough, the user would say yes, just to make that stop. You don’t see that with any other kind of factor. It’s only with push fatigue that you’re seeing this. And so we had, as defenders, to develop a mechanism for avoiding that in the future. So there’s an arms race going on with the attackers. And, that’s, you know, one of the things that we’re always on the lookout for.

Saksham Sharda: So speaking of races and competition, as director of strategy engagements and head of advisory at Cisco, how do you bridge the gap between security and business objectives?

Wendy Nather: Bridging the gap between security and business objectives is an ongoing struggle because you have to be conscious of the fact as a cybersecurity practitioner, that you’re only a very small part of what the business worries about every day. You’re not front and center with them, so you have to fit yourself into the business risk analysis. You have to find out what’s most important to them. You have to have that dialogue with them and then say, here are some other fallout risks that apply to cybersecurity that you may not have thought of. So let’s try to integrate this into the whole portfolio of risk that you’re managing every day as a leader. So, that’s the trick.

Saksham Sharda: Back in 2011, you coined the term “security poverty line” to describe the struggles that many organizations have. What is it and how can we help those who are challenged by it?

Wendy Nather: So I coined the term security poverty line to describe the level under which an organization just can’t implement security enough to defend itself. And I coined it because I wanted to describe it as being every bit as complicated as regular poverty. There are dynamics in place that we have to work on as a society to make it possible for these organizations to have effective security. It’s not just a matter of throwing money at the problem. And it’s not just a matter of training people. It’s also whether there are constraints in the environment that keep you from being able to achieve security controls that we believe you ought to have. And it’s the amount of influence you can have as an organization, as someone working at Cisco. If we go to a supplier and say, we’re gonna need you to fix this, they’ll fix it right away. But when I was working for smaller organizations with less influence, the organization vendor would say to me, well, nobody else has complained about this, so we’re not going to fix it or we’ll fix it if you pay us to fix it. So all of those things coming together, the problem of budget, the problem of expertise, the problem of capabilities, and the problem of influence all come together to make this poverty that we need to address globally if we want to help organizations that are smaller than the Fortune 500s that can afford this.

Saksham Sharda: So what are some examples then of affordable security solutions that have been effective for organizations struggling with limited resources?

Wendy Nather: So when I started an at-one job at Cisco, I was the only security person. No people were reporting to me, and they said, we need your budget request by the end of the day. So I asked for $2,000 and I just wrote down that I wanted a logging server and a couple of books. And the person I was reporting to this was in the public sector, they scribbled it out and said, where do you think you are in the private sector? So I had zero budget and I had zero people when I started that job. So I did everything that I could. I bartered with vendors. I said I will be a reference customer for you if you give me discounts. I traded things with my peers. There are some things that you can do that are free. For example, there was one organization that found that there were only about 10% of their users who were being attacked by phishing, and who were being scammed with fake emails. So they changed their email addresses, the problem was solved, and they stopped getting phishing emails. So it worked for a very long time. So you have to be very creative about some of these solutions, but they don’t always require you to give, or put out a couple of million dollars. There are things that you can do with free software if you have the right expertise available to you.

Saksham Sharda: Since you mentioned the public and private sectors, how can public-private partnerships be restructured to provide meaningful support to organizations below this security poverty line?

Wendy Nather: That’s a really good question, and it’s one that’s being discussed right now in policy circles. How can organizations work together? One aspect of the public and private partnership is that there are nonprofits out there that badly need our help. Nonprofits are kind of the other critical infrastructure. If they can’t operate, the homeless don’t get housed, people don’t get fed. Human trafficking victims don’t get rescued. All sorts of critical infrastructure depend on nonprofits. And I believe it is up to both the public and private sectors to come together to help support those organizations in particular. Now that’s different from small businesses, which we also need to work out. But in different countries where there are different relationships between the citizens and the public sector and different levels of trust, you can accomplish a lot. I mean, look at what Estonia has done with their citizenry. They’ve put in a digital infrastructure that works well to help boost cybersecurity, and we should be looking at models like that.

Saksham Sharda: So Warren Buffet recently said that he expects, with the rise of AI, phishing and all these scams would be the biggest industry to happen. So as AI continues to evolve, what cybersecurity controls should we be developing to manage the risks?

Wendy Nather: Well, if you kind of squint and you look at AI you kind of see when it’s unfocused that what it is is software. So there are a lot of the same risks with AI because it’s software as we’ve had traditionally with other software. It’s another layer on top of what we’re implementing. You have to be ready to deal with flaws in the software attacks on the inputs, be able to gauge the right outputs from the software, and be able to remediate anything that you find in there. And the ensuing complexity, because AI operates, at a level much closer to the business than we’ve had before with regular software. But a lot of the functions, the fundamentals don’t change. Can you manage to find flaws in what you’re using? Can you fix it? Can you remove it? Can you do without it? Can you implement business processes in case you have to stop using it? All of these things we have to be working on from a cybersecurity standpoint.

Saksham Sharda: So what are the current challenges in ensuring AI model integrity? 

Wendy Nather: Yeah, I have seen some really interesting work from university students on, first of all, how to poison an AI learning model and then also how to vaccinate it against that poisoning. So this type of work is underway and it is very similar to how we need to protect the inputs of our current software. It’s just at a higher level so we have to think more about the meaning of the inputs and the outputs. Not just the literal translation of the strings, but what does it mean? What sort of decisions are we going to make based on the output of this AI and how do we deal with attacks on the meaning?

Saksham Sharda: So the second last question is kind of a sum up. We’ve been trying to solve some of the basic problems in cybersecurity for decades. Why are we seeing them over and over again in the current future?

Wendy Nather: We are seeing these problems over and over again because when I started in cybersecurity when I started in tech over 40 years ago, it was a very small community. It was mostly people in the military, it was academics, it was some people at very large institutions. But that was it. And as we have evolved in tech, more and more people have come in to join the circle and they haven’t learned the lessons that we learned way back then. So we made certain mistakes in web software development, but when we came to mobile, different people came in to start developing mobile software. And so they made the same mistakes that we had done on the web. The same thing with IoT. It’s going to be the same thing with AI. It’s a different demographic joining us now. And as more and more people come in, they’re going to have to learn from these mistakes or they’re going to have to make them over again.

Saksham Sharda: What does your typical day at work look like? You wake up in the morning and then?

Wendy Nather: I wake up in the morning, I roll over, and reach for my laptop. No, I get up and have a cup of tea and then I start having meetings. And a lot of times I’m on the road as I am here, so I have to go find my cup of tea, and then I have to make my way to this enormous expo and, and find my way around. So, it varies a lot. Either I’m talking to startups or I’m talking to chief information security officers or engineers, or I’m here talking to journalists.

Saksham Sharda: So the last question then what would you be doing in your life, if not this?

Wendy Nather: Well, when I took an aptitude test for my school career they said I should go into the foreign service. And I didn’t do that. I went into tech completely by accident, but I was having dinner with a friend a little while ago and they said I should have gone into the foreign service. And she said, well, maybe that’s what you did because here I am in Paris talking about cybersecurity and making connections with people at many different levels. So maybe I am doing that.

Let’s Conclude!

Saksham Sharda: Thanks, everyone for joining us for this month’s episode of Outgrow’s Marketer of the Month. That was Wendy Nather who is the Director of Strategic Engagements at Cisco.

Wendy Nather: Pleasure. Thanks for having me.

Saksham Sharda: Check out the website for more details and we’ll see you once again next month with another marketer of the month.