Humanizing Cybersecurity: The Mission-Driven Mindset
Season Three · Episode 3


When personal trauma meets professional purpose, it can reshape an entire industry—just ask Dr. Kelley Misata. The conversation spans the dangers of digital assumptions, the importance of storytelling in awareness training, and how open source communities can be as critical to resilience as enterprise vendors.

Transcript

Dr. Kelley Misata  00:02

One of the common themes that I absolutely love that I've gained from this work, that just it seriously warms my heart, is that these organizations will always put mission first.

Raghu Nandakumara  00:16

So, welcome back to another episode of The Segment. I'm your host, Raghu Nandakumara, and continuing with our unofficial theme of season three of bringing you guests that provide essential but probably not often enough heard perspectives on cyber, it is our great pleasure to welcome to the podcast today Dr. Kelley Misata, PhD. She's the founder and CEO of Sightline Security, a nonprofit organization that helps other nonprofits integrate cybersecurity into their daily operations, and she comes with a wealth of knowledge and experience. So, Kelley, welcome to The Segment. It's wonderful to have you here.

Dr. Kelley Misata  01:01

It's lovely to be here. Thank you very much for inviting me.  

Raghu Nandakumara  01:06

Absolutely! So, on sort of just that general theme about the background, I do feel that particularly long-lasting careers in cyber require the individual to be very mission-driven. How would you describe your mission, and what motivates you in your career in cyber?

Dr. Kelley Misata  01:24

I really love that question! That's the first time it's been asked in that frame. It draws me to this, this conversation that I had with a dear friend of mine who's been in the security space for much, much longer than I am. And she said to me, she said, “Kelley, you just get so excited all the time about everything," and I said, “I do.” Like, I genuinely feel like we have an opportunity to make a difference in the world when it comes to helping organizations, individuals, groups of people, embrace cybersecurity with a lot more confidence, and taking down all those layers of mystery and flying unicorns and fairy dust. And I think that's what drives me every day, is that I see that possibility in all the different corners of my work. And I generally get up in the morning going, “Wow, what exciting thing is going to kind of come my way today.” Whether I learn something new, help someone think differently, engage on a work group that you know is trying to make the world a better place. It really is a journey every single morning.  

Raghu Nandakumara  02:28

Amazing. Because, and I've heard you mention this on other interviews and podcasts you've given, you really kind of challenge the way security is portrayed or represented within organizations, and I think your critique of it is that it's often seen as a siloed function, whereas really you want that to sort of actually permeate across the organization. Can you talk a bit more about this, and in your ideal state, how would security be organized?

Dr. Kelley Misata  02:59

Yeah, you know, we are interacting with this technology every single day and even more so, right? Like, think back, I remember the days of interoffice mail. Do you remember those days with the envelopes, right? And you would talk about PII. It's like, you cross off someone's name, it's like, oh, that just went to the president, then went to HR, who's getting fired, right? But, but, like, I think back a lot to how we have adopted technology with such abandonment around; how do we stay safe? And my dream state is that we are always thinking about, should I be doing this? What is the impact of my behavior? What is my impact of engaging with a new piece of software? What's my impact to my organization if I choose to take this direction in a product development model? My dream is that we're going to step back and we're going to say, “Huh, maybe we should think again about it.” So, it's almost taking that pause instead of it being like, oh gosh, we've got to go talk to the security team. And we really don't want to talk to the security team because they're going to get in the way of progress in our organization, right? Or they're going to scare us even worse. Having it just be muscle memory for organizations and individuals, to me, is the dream state. And I think we're moving there almost unconsciously, but it's taking a long time, and I think folks in the security space are impatient when it comes to that, and I hope that maybe I bring a little bit of patience to the conversation to say, “It's okay, we've made progress. Let's just keep going.”

Raghu Nandakumara  04:44

I absolutely love how you framed the security practitioners as impatient, and really, what we need is more patience, but we'll come on to that in a second. But I want to take a further step back to something about what you said about how every individual is encouraged to approach any decision as, “How does this contribute to the security of my data, my organization?” Then we're going to get a whole better security culture than we have today around security being very much the gatekeepers or the or the barriers to progress. So, do you think there's an opportunity to modify how we do security awareness training to incorporate more of this personal ownership?  

Dr. Kelley Misata  05:30

Oh, absolutely. I think it has to go down into the cultural level. And that's hard, right? Because one of the most difficult things in security are the people. We're the messiest, most complicated element. So, when we talk about security awareness training, we're not saying awareness training on the systems, we're saying the people. So, you're automatically talking about the most complicated pain in the neck kind of thing you have to deal with in security. So, you've got to take it maybe outside of that special box of let's do a training, and make it well, let's just talk about how we're using these systems and these devices. Let's talk about the what-ifs and the impacts on our organization. I mean, a really interesting case in point that I think about, and you know, my perspective is a little bit unique, I think, is that I think about, even if I post something on my personal social media, I think about the impact of that to the people who might be receiving it, or if I take a photograph, you know, I'm very, very protective of people's images, because I don't know what they have going on in their lives. So, I don't want to just be like, “hey, here's me and a bunch of strangers behind me.” So, it's about thinking deeper to that, but it's also that consideration of, I'm using this technology. I have people around me. I have systems around me. What's the risk not just to me, but to all the tentacles that are connected to me? And it sounds overwhelming, but if it just sort of becomes part of muscle memory, because we're already doing it in some cases. I mean, you probably remember, like I do, your first password. Ridiculous! Like, I don't even want to say what it was, but everybody can guess. But now, if you were to say that even to my 82-year-old mother, and she loves that I say her age on the podcast, because I'm like, you're 82. But even she doesn't do that anymore. And she didn't do any cybersecurity awareness training.
She was just caught up in the culture of her life and the systems that she's using to force her to behave differently. To me, that's the sweet spot. But again, it takes patience. It takes future thinking. It takes patience. It takes stepping back and saying, “Ah, didn't get that right. Let's pivot over to this way of doing it.”

Raghu Nandakumara  08:04

And I think that that example you gave of your mother, and thank you to her, right, of being able to, and it's something about being able to connect the action you're taking to sort of something you're able to relate to in real life, right? Which makes the association, makes the reason behind it again, like the motivation, the mission behind it so much more powerful, and I agree, right? I think that there's, there's probably a significant opportunity to reframe how we do security awareness training with that approach. At its center is about how do you make it as easily relatable as possible, versus sort of the abstraction. But let's come on to the patience comment because you mentioned it again here. So, you and I, we work with security practitioners. We're in the industry. Why are we impatient?

Dr. Kelley Misata  08:53

Oh, it's because we're constantly thinking about where are the bad guys. Where's the threat? Where's the next terrible thing that's going to hit someone? I think about it all the time, and I've watched people early in my journey of the security space. I was watching people fatiguing out back then, and I kept thinking about why. And it wasn't until I was in it for a bit longer, as well as my own journey into security, that I realized that the more you're thinking about what bad thing is going to happen next, the more exhausted you will feel mentally and physically. And I think that's where the impatience comes from. And I also think security folks see the world through a different lens. You know, we are conditioned and trained to look at these devices and these systems through a different lens, and so for us, it's natural. Like I remember when I was at the Tor Project, and I would watch developers interacting with journalists in compromised parts of the world, and they would really start to lose their minds. They're like, “Why don't they just get it?” And I kept saying to them, “They can't see it.” Yeah, it's all a mystery, so if we can help them see it. So, I built a training using, do you remember those black lights, those pens that you used to have as a kid, and you'd give your best friend, right? So, I bought a bunch of those, and I brought into this training these envelopes, and I had people in the audience volunteer to be the nodes, and I took the message, and I wrote it in the black light, right? Because that's a little bit like PGP. It's like, okay, I'm going to encrypt this, put it in the three envelopes, pop it around, and they literally, in a physical way, experience how Tor operated. And at the end of that, that was the first time that a group of people, well, that I saw, stepped back and said, “Ah, now I know why Tor is slow.” I'm like, yes, yes, because it's making all of these hops around.
But it really was for them that, oh, now I see where the bad guys are. Now I see where the systems are. Now I see how this works. You can't do that with everything in security, but we can do better. We can stop sort of presenting everything as magical.

Raghu Nandakumara  11:19

Yes, yes, absolutely. And I'm so glad you talked through the Tor example with the envelopes because I was reading a transcript of a, I think, on IBM Security Intelligence. You did a recording with them a while ago, and I read this, and I thought, for some reason, I couldn't actually access the audio, I'm not really sure how she sort of manifested that envelope example. But now, now I absolutely get it. So, thank you. Thank you for that. Yes. And I think yes, we do again, right? Again, sort of, it's tied to that previous piece we were talking about regarding awareness, which is how, as security practitioners, I think we need to make it sound less magical, right? It's like really being able to put it into the context of, and there's, there's a lot of talk today about security principles in the context of business outcomes, and I think that there's a lot to do there. But also, I think it is definitely demystifying cyber in general, because there's so much around it. It's like you get so many brilliant engineers, brilliant folks who work in IT and risk, etc., but I don't get cyber. So, there's a, there's a huge, huge opportunity there. I agree, connecting this now to some of the work that you're doing today, right? And I'd love for you to just quickly, because I'm sure the audience are probably not overly familiar with what Sightline does and what your role there is. So, before we delve into that, which is a fascinating area, give us a quick sort of overview of Sightline.

Dr. Kelley Misata  12:51

Yeah, so Sightline Security is a nonprofit based here in the United States that I built out of my dissertation research. I have to give credit to Becky Bace, who was one of my mentors back in the, in that time period. It was built because I started a PhD program after being stalked for many years, decided to go and earn the PhD as a way of understanding how my attacker could do what he was doing, and when I got to dissertation, which, by the way, I thought they were kicking me out at every single semester. I was like, oh, that was fun. I'll wait to see when they're going to say, “Thank you very much, see you later.” So, I got to dissertation, I was like, “What do I do?” Like, it was such a daunting thing. And I stepped back into that space of, oh, I used to do TQM back in the day, I was a Baldrige Award assessor for a little bit, so I knew how to do assessments, and so I did my dissertation on a gap analysis of looking at cybersecurity preparedness with organizations working with victims of violence. I wanted the whole nonprofit space and my PhD committee said, yeah, get the PhD first, then go save the world. But the long and short of it is that the thing that that experience illuminated for me was that nonprofits were given all this free stuff from different places, but nobody was helping them step back and say, “What do I need, and why do I need it, and what's the value to my business?” And so that's where Sightline came to be. Because unbelievably, I was sitting preparing for my defense, for my dissertation. Becky came into the room, surprised me, drove from Mobile, Alabama to West Lafayette to surprise me, and at the end of my defense, she said, “You have to do something with this way of thinking that you've built around this research,” and that has become Sightline. So, our lane really is to help nonprofits figure out where they are.
For us, it's about taking the controls that exist in the security space, CSF, CIS controls, and repurposing them into nonprofit language. But the only way to do that is to spend a lot of time listening to these organizations. And so it's really sitting on the fence between the security space and the nonprofit space, so that we can help those nonprofits figure out where they're at.

Raghu Nandakumara  15:24

Fascinating. And you spoke about, sort of the background, about how the personal experience that essentially motivated you to explore this area in your PhD, would you mind talking a bit about that experience? If you don't mind sharing.  

Dr. Kelley Misata  15:41

Yeah, it, you know, I think for me, it frames even today, where I see security and sort of how I see this whole space. You know, I started my career very much like most people do, just taking the first job, but I elevated to doing a lot of business development. I have an MBA in marketing, which is also really weird, because I have a PhD in cybersecurity and MBA in marketing.

Raghu Nandakumara  16:07

It’s the right way around. That's the right way around.  

Dr. Kelley Misata  16:11

Exactly, but I was working for a large company, and one of my work colleagues kind of barnacled himself to me in a way that was not friendly and not good, and it went on for the better part of seven years. And I really, I got to security, because I just kept reaching out for help, because I kept thinking, like, how can it be that this one person 3,000 miles away could not only disrupt my life, but he kept reaching out to people connected to me. And so I was getting like bee stings, because I'd get all these emails from people in my life. You know, lots of relationships completely obliterated by this situation and lots of fears. So, I was experiencing this heightened level of fear, but so were family members of mine and others. And I remember going to the Tor Project because he was using Tor, and I remember calling Andrew Lewman and saying, you've got to help me because the FBI and other law enforcement agencies said, “We can't help you, he's using Tor.” And it baffled me how a piece of technology could protect the bad guys and leave the burden of evidence on the good guys, right? So, at all these different junctures, I was like, how is it that that's winning? And it was a little bit of him winning, but it was more the technology was winning. And I kept thinking, this can't be the way security works. It just can't be. So, I luckily met Dr. Eugene Spafford, and, you know, kind of a tribute into saving me in the direction of my life. And he said to me, “Hey, why don't you apply to this PhD program at Purdue.” I'm like, “Yeah, right. You want a single mom living in Boston in her 40s with an MBA in marketing to join a PhD program in cybersecurity. You've got to be out of your mind.” So, yeah, I did it. I wrote the application on Amelia Earhart. I went into it thinking I just wanted to grab as much information as I could, to be able to understand how he could do what he was doing and how others, you know, couldn't help me along the way.
And so that has completely framed how I approach security, because of that beginner's mind that I lived in for all those years. I mean, I remember calling a friend of mine back in the day, Marcus Ranum. And I called Marcus, we had gotten introduced by some other mutual friends, and I said, “Help me understand how a firewall works. You're literally like one of the pioneers in this technology.” And he was like, “I don't have time for that.” In typical Marcus fashion, right? Like, that was, that's his personality, good-hearted guy, but that was his personality, and that was part of my entree into the security space of, wow, there's all these smart people who, I don't want to say unwillingly, but didn't have that patience to step in and say, let me break it down for you so that you can understand how this connects to what you're experiencing. So, that's what I carry with me everywhere I go.

Raghu Nandakumara  19:32

Thank you so much for sharing it, and I think that tying it back to what we were talking about right at the beginning, it's very easy to understand your mission, and how that experience now ties to what you've done and what you are doing today. So, thank you so much for sharing that. So, let's talk about Sightline, and let's talk about nonprofits. And as you were covering that, sort of just the intro on Sightline, what you spoke about was it's helping nonprofits understand what they need to do in cyber. And you spoke about sort of mapping to things like CSF, etc. and other frameworks, and translating that into requirements that represent them. So, help us understand that a bit more. Because if I look at CSF, I see kind of requirements that are relevant to everyone. I don't see a lens of private sector versus public sector versus nonprofit when I read it, right? But clearly there is a difference. So, I'd love to understand that.

Dr. Kelley Misata  20:31

Yeah, it's, it's been such an interesting journey, and it's actually continuing, which is really fun as we continue our work at Sightline, is that there's, there's never this moment where I'm like, “Oh, that's it,” and we got it. So, a really interesting case in point is that the verbiage in the NIST CSF is as logical as it seems to most people. If you take that and you put it into a mission-based organization, they're going to immediately go into it with the mindset of, “Oh, it's cybersecurity. It's complicated,” so you got to break down that whole barrier. The other thing is the language. The first time I asked a nonprofit to have an inventory of your hardware and software, they came back and said, “What do you mean by inventory?” For anybody, you're like, “Well, do you have a list?” Yeah, I know. Do you have a list? But again, it was that moment where it's like, okay, so they're thinking it's something like some system or some application that they have to have to be able to grab things. And then, as soon as I started talking about assets, that was a whole kettle of fish, like, way off in the corner. This didn't even go down into the bowels of these control families that talk about detection, response, you know, firewalls, intrusion detection, like all of the logs. A nonprofit is not going to understand what a log is, okay. So, it was stepping out of the security space and stepping into their world to say, “What is it that I can do to help them see where security connects to their mission?” And the first thing that I started doing when I was setting up Sightline was that I would do these onboarding calls with our members, and I said to them, “Cybersecurity is a marketing term. Let's not talk about it.” And they're like, “Okay, your whole website says cybersecurity all over,” I said, “but let me help you break it down.” Information security is securing of information, like a phone number, photograph, name, whatever, right? You can put your hands on that.
And they're like, “yes, cybersecurity securing of a space, we can't control that, that's the domain.” But if you focus on the what then they stepped in, they're like, “Oh, well, we've got, you know, donor database sitting over here.” Yeah, we should probably think about, you know, securing that. That's the moment that these organizations are stepping in and saying, Ah, okay, the second shift was taking away all the scary stuff because they're already scared. They read the new advancements in technology like AI and machine learning, and they're like, “Oh God, the robots are going to take over the world?” The moment I was able to sort of step back and say, “Hey, did you know that if you do some simple things and you can tell stories around it, your donors might actually see that you care about the information that they're sharing with you to help your mission.” Won't that be a lovely story to say to them, and they immediately like, “oh yeah, let's tell some stories around that.” Then it's a different frame of thinking about how to present the business. And all of these combined were really about us going in and saying, I don't know your business. I might know cybersecurity, and I know the control families inside and out. I don't know your business. So, at Sightline, my dream is to not just have cybersecurity for nonprofits. I want to understand security by mission. I want to understand what's the difference between a human trafficking organization versus a food bank, yeah, versus the Red Cross versus my local pet shelter, here in my town, like there's all these layers. So, at Sightline, it's very much my mission to stop saying, hey, two-point whatever million nonprofits in the U.S. alone, you're all the same, so we're going to give you all the same help, and we're going to assume that you have all the same problems. I want to break all of that down and say, we could do better.

Raghu Nandakumara  24:53

I love that because I think storytelling is so important now in cyber, right, to really get progress. And I think this applies to organizations of any size, of any complexity, being able to tell effective stories about why cyber is important to almost each individual part of an organization is essential to get buy-in. And I think that applies even more so going back to sort of something that you said right at the beginning, where there's potentially a very large distance between the individuals who are sort of carrying out the organization's mission and their IT or cybersecurity function. So, I think that's really important. I think this is kind of where, sort of the reason it puts you in the best place, marketing MBA, cybersecurity PhD, right? Sort of really coming together in that perfect storm. But yes, I sort of completely written. I think there's something else that you have said in the past about the nonprofit sector, but a common misconception is, is that we look at nonprofit, meaning, “Oh, right, they're just dependent on hand-me-downs,” right? And they don't have resources, they don't have expertise, they don't have money. But what you've expressed is that, no, the problem often is that, particularly if you look at some of the more, the larger nonprofits, is that, in fact, they're quite well resourced, and they're quite well funded, and they've got access to everything. But they don't necessarily know how to stitch it all together, and that's where they need help.

Dr. Kelley Misata  26:33

Correct. And there's that context of, why does this matter? You know, if you ask anybody, I can't wait for RSA, because I'm going to, I usually walk around the exhibit floor outside the talks, and I'll meet up with friends or colleagues. I'll be like, “So, hey, what's your thought on the nonprofit space right now?” And I get the like, the usual stuff: they're poor, they don't know cybersecurity, you know, the laundry list.  I'm like, yep, nope, yeah. Let me tell you, they have money! They have to, they have to explain how they use that money differently, because if you look at the business structure, right, it's different than enterprise. So, again, it's taking us as security professionals out of “oh, I just have to figure out how to get them to meet the controls within the CSF” and more of, “Gosh, I wonder how they make decisions about money.” Once you understand that, then you can approach the security investment question differently. So, it's about not going in and saying, “Oh yeah, you know, you guys are all kind of hosed here, and you're all the same” because they're not. And honestly, one of the common themes that I absolutely love, that I've gained from this work, that just it seriously warms my heart, is that these organizations will always put mission first, always. Whether it is a domestic violence shelter that I spoke to, I remember early in my research for my PhD, and this dear friend of mine was sitting on my porch, and I said, “Hey, I said, I'm going to be doing this thing, and what do you think? And I have a survey, and it's great.” And she's like, “Kelley, I have 100,000 hits on my website every day from all parts of the world. I can't think about that because I've got a family that needs a place to sleep tonight.” She's like, that's all that matters to me. So, again, going back to sort of how security professionals really want to help, want to bring that urgency into the organizations. 
The more that we can just step back and say, “Oh, I didn't think of it that way. What can I do to help?” Just even be like, you know, put my finger in the dam to make sure that you don't like collapse kind of thing?  

Raghu Nandakumara  29:02

I think that that's such a powerful image to have in the mind. Because, again, tying it back to sort of this, what seems to be a bit of a theme in our conversation today, is about that mission-driven, right. And about aligning it to the mission, and drawing probably a crude parallel to, let's say, the for-profit sector, to the private sector, where, like I often say, everyone cares about security till you cause an outage on the key revenue-generating application. At which point, no one cares about security. And it's all about, when is this thing going to be back online? Because every second it's offline, I am losing X thousand dollars or whatever it may be. And in the nonprofit sector, the impact of that is often a human impact, right? And as you just described, and we have to be mindful of the matter, how do we, how do we better secure this without in any way compromising the mission?

Dr. Kelley Misata  29:57

Absolutely, I mean, I've seen examples of members in our community that were hit by a ransomware attack. I won't name the attack. It was pretty famous. That prevented them from being able to provide lunches to children for like weeks, not just a couple of days. But you're talking about families and children that rely on that support to get through their weeks. And it's not, it's not always about like, just these, I don't want to say sad stories, but the thing about nonprofits is that they're there when everything goes sideways. Whether it be fires in LA or a blood drive because someone locally needs a transfusion, or someone's having a really, really tough time, and they call a suicide hotline. These nonprofits, they are there when we need them. And yet we're sort of putting them off to the side and saying, “Well, they're not the money, they're not our go to market,” or they're, yeah, they don't have any money, or they're not going to get it, or it's going to take me a lot of time, that it's, it's hard for a lot of security professionals, I think, to step in. And I think where they over-rotate, and I've seen this too, and it kind of drives me a little crazy on something. They're like, “Hey, I've got cybersecurity in my blood. I'm going to go volunteer and go, like, help them.” And my immediate reaction, so he's like, “please, don't, please, please don't go,” like, in like a superhero and be like, I'm going to sit on the board. I'm going to, like, help you do everything. I just want them to step back and say, “Wow, so how do you operate?” Like, what's this? Like, go in with a lot of humility, and you can make a lot more progress, because I think also these organizations look at our field as this space of superheroes. And if one of them knocks on the door, of course, they're going to be like, “Come on in. Fix us. Because we're scared. We're busy, we're scared. You are superheroes, so you're going to come in and fix us.” That is a super dangerous combination.

Raghu Nandakumara  32:10

Absolutely, and again, just trying to draw some parallels with what I've seen is, is that often, I think, whether it's as security professionals or as vendors, we're very, very quick to jump in with, “here's all the amazing things we do,” or “here's all the, here's, here's my set of super skills,” right? And we never first think, we never think, actually, the first question I should ask is, “What do you do? What do you care about? Tell me, like, what are your problems?” And almost reframing the conversation in that way would make for such a more powerful engagement. Is that what you find?

Dr. Kelley Misata  32:45

Exactly, for me, when I'm working with these organizations, and actually most things in security, I still feel like I'm that PhD student in the first semester, you know, at Purdue, and going all right, like, what's cryptography? Like? What are elliptic curves? By the way, they made me cry. And I remember I did a key, I did a keynote, and Martin Hellman of the Diffie-Hellman exchange was a keynote in the morning. We met each other in the green room, and I went up to him. I said, “Hello, I'm Kelley Misata.” And he knows staff, and I just kind of did a little this on his arm. He's like, “What's that for?” I'm like, “Your stuff makes me cry.” Just going to tell you, but it really is like we're making these things so, so complicated. And so when you can go into something, whether it's your area of expertise or not, if you go into it with that beginner's mind, and you don't have to, I hate the sort of term dumbing things down. It's not dumbing things down. It's being curious. Yes, it is saying, hey, I've never done that before. I have no idea what it takes to run an animal shelter. Not even a little bit. Tell me about how you do that. That's huge. And then if you have those conversations using their words, knowing their business, it's hugely powerful. I have a story, you want to hear it? Yes, please. Okay, so this is one of those humbling stories. I was working with one of our members. They just finished their kick-start, which is our way to get them kind of started on their security journey. And I do a lot of research on the outside. I look at all their websites and their social media. And so this organization helps survivors of suicide. And they have a forum, and the forum is widely popular, and I remember going on and going, oh, like the security person in me just was, like, screaming, going, oh my god, oh my god. Like, I remember, I remember going and going, oh geez Louise, what are we going to, like?
I really and I remember, like, finding myself kind of going down that route. And going “Okay, shoot, I'm going to have to talk to these people," right? And I resisted the urge of calling them immediately, waited for their outcomes presentation. I'm sitting there, I'm like, “Oh," I get to the presentation around this particular platform, and I said, I have some concerns, like, I said, just like that. And the woman who founded the organization stopped me my tracks, and she said, “Kelley, I think I know what you're going to say, but let me talk to you. Let me share with you why our platform is open.” She said, “People who have had someone in their lives commit suicide are in a head space that is wrought with questions and grief and stress and uncertainty and trust issues, and all this stuff is going on.” She said, “These people need a space where they can just sit and watch and kind of get a feel for what's going on and a feel for the conversations and this. And she's like, and sometimes they hang out there for a while, and when they're comfortable, they come in. But not until they're comfortable.” And she said, “This is what our community needs.” And it was such a like I should have known, like I should have thought about it, but because I don't live in that world day in and day out, how would I understand how those people that they serve are navigating sort of this space to reach out for help? And so I said, “Oh my gosh, let's think about some creative ways that maybe we can do a little bit more without shifting the essence and the need for this platform to operate this way.” So, and she got that, she was like, “yeah, if you have suggestions, we get it, we understand it, but we're putting mission first.” But it was hugely humbling. And I love her for it. I love that she felt comfortable saying that to me.  

Raghu Nandakumara  36:57

Yeah, absolutely. There is so much to take from what you just described. Because, again, as you said, it's that humbling thing: when you spend that time to understand why someone or an organization is operating in a particular way, it gives you that context that you didn't have. Otherwise, it's your expertise trying to lead the way, like, oh, I know how to fix this, right? Versus, there's probably a good reason why you did this, so tell me about it. Before we move on to the next thing, just the last thing about not just the organizations you support, but also who they serve. You described various scenarios where these are the organizations that are in a crisis. They are the first port of call. But also, I think a part of your work that probably doesn't go ignored is that often, those victims are also the ones that the attackers are trying to target at that very time, because they know they're the most vulnerable. So, you yourself, and the organizations you work with, are probably juggling all of these challenges.

Dr. Kelley Misata  38:11

Yeah, and it's interesting, that's where understanding the mission of the organization really comes into play, because it helps you step into it again, not telling them what to do, but listening for different things. So, when I was working on my dissertation, I was working with organizations supporting victims of human trafficking. That's a very different security mindset to have, because not only are those victims targets, but the organizations supporting them are also targets. And one of them was doing this, like, hackathon. I won't give you the details, because it scared the Jesus out of me, but they were doing a hackathon, and I said to them, “So, what are you guys doing to harden your systems?” And they're like, “What?” Like the big eyes. I'm like, “Well, you're promoting this hackathon.” And they're like, “Yeah, all over Facebook and Twitter and everything.” I'm like, “Oh, the bad guys read that stuff too.” And they were like, immediately, “What? Oh, shoot.” But it is. It's stepping in and really understanding, like, who would want to come after them? Like, I've worked with nonprofits that are, you know, from a political side. You know, their mission is very controversial. I've worked with organizations that, because they're using numerous third-party tools, some of them so legacy that it's kind of ridiculous that they still exist, that you're like, oh gosh, what are you doing? We've got to harden you. And they're like, “Yeah, but who's going to come get us?” And that's the part of the mindset that we also try and shift them out of. I had one executive director on the call, and she's like, “Come on.” She's like, “Bad guys, I know you're listening anyway, you can come get us.” And I'm like, “Don't do that!” Not that that's going to happen, but just her mindset, like, we don't have anything, you won't get anything out of us. I was like, well, yeah, okay, great. 
But again, I think that's one of the challenges that Sightline has always faced since I started it, is that, you know, someone told me we're very white glove and we're very nuanced, and yet the information that I've gathered over these years is just incredible, and it's helped me to see security in such a different way, because it's not… There are some things we can do that will blanket a lot of people. I mean, MFA, hello. Thank you very much. Great. But there are so many things in the security space that don't fit everybody at the same level, so we should think about where those opportunities exist.

Raghu Nandakumara  40:57

I think the white glove analogy is absolutely spot on. And I think in cyber, as much as we want to generalize, we need to remember that ultimately, the only way we'll be successful is taking that white glove approach to every problem that we try and solve. So, moving on. In this last part, you talked about their use of third-party software, etc., right? So, your other area of expertise, and passion, is open source. And open source, I think, is now getting a huge amount of focus from a cyber perspective, particularly because third-party risk, supply chain attacks, etc., are so much the term of the day at the moment. So, let's start with open-source security, big picture. What are the challenges? What are we looking to address? What are the priorities?

Dr. Kelley Misata  41:55

Yeah, it's a great question. And it's probably a whole other segment.  

Raghu Nandakumara  41:59

I know! I'm thinking about how we squeeze as much as possible into this, something that could probably fill an entire season on its own. So, yeah!

Dr. Kelley Misata  42:09

Well, I think, you know, not to plug my RSA talk, but I'm going to be talking about this at RSA. I think, you know, there's still, kind of like nonprofits, there's still a lot of mystery around it, right? In the nonprofit space, everybody assumes things; in the open-source space, it's the same kind of mindset. People think about it as a bunch of, typically, guys in their black hoodies sitting in the basement someplace on GitHub, like, doing stuff, right? They don't think about the big picture of what the open-source space has been, and I've been lucky to be serving as president of the Open Information Security Foundation for 12 years. And Suricata is, you know, a huge part of the network security space. And we have Suricatas in places you can't even imagine around the world. But the reason why OISF and Suricata, sort of that model of open source, works is because we're looking at it from a multi-dimensional perspective. So, you know, it's not just a bunch of people who like each other hanging out. It's actually a business model. And if you step into looking at open source as a third-party vendor the way you would an enterprise vendor, then all of a sudden, the adoption and the use of it in these larger organizations shifts. Because then you have to think about, oh, what happens if that project implodes? Or what happens if the roadmap stops innovating? What about the governance? Where are they getting their money? Are they paying anybody? Who are the contributors? It starts to open up all those complexities. And that's what I love about the open-source space, right now and into the future, is that it's not going to get simpler. It's going to get more complex, but we have this sweet opportunity to step back and say, “How do we reframe our thinking about what open source is?” Does it still have all those community aspects? Absolutely. My favorite thing, and the thing I hate the most, is our conference, SuriCon. We run SuriCon every year. 
I hate building conferences. Sorry, everybody who's listening. It's not my lane. But the second I get on stage and I see the faces of these community members that I've seen for 10 years still showing up, still contributing… that's what propels me and propels my team to continue on, is that we know that it has a place in the world. Not all projects have that. So, making those key decisions from a supply chain perspective, when you're using open source, you've got to open your eyes. You've got to look at it from all these different dimensions. You have to think about it around supply chain risk, just like you would anything else. And stop thinking about it as this, like, oh, we're going to be sitting around the campfire, singing songs on our laptops. And trust me, in my early days in Tor, I'll never forget, the Tor developers were in Boston for a meeting, and I invited everybody over for lasagna dinner, because that's what I do. And I remember, like, a whole bunch of them just kind of squatted in the living room. And my daughters, who were in middle school at the time, were like, “Mom, I don't think they're leaving. They're all getting really comfortable here in the living room.” And I said, “That's okay. I'll just tell them to leave when it's time.”

Raghu Nandakumara  45:42

That's really funny. Well, I hope whenever I get a chance to visit Boston, you'll treat me to a vegetarian lasagna. You said treating the open-source project as a third-party vendor, right? And I am simplifying a lot here as well, because I acknowledge my understanding of the space is limited, but okay, you say, treat them as a third-party vendor. But if I'm doing some compliance checklist, right, and if it's a third-party vendor with whom I have a contract, I can send them their part of the checklist, and I say, fill it out and send it back to me, and I'll assess it. How do you do that with an open-source project? Like, who answers the questionnaire? Isn't that the challenge that organizations think about? I don't really know how to manage this risk, how to manage this exposure.

Dr. Kelley Misata  46:32

Well, that's where it comes from. The first decision of who in your organization is making the choice to use that software, right? It's that pause that we talked about at the beginning of the program. You know, I've seen users a lot of times will start using Suricata, as an example, and say, “Oh, maybe we need to start thinking about licenses, and maybe we need to start thinking about these things, compliance.” And it's not until after those moments that they come knocking on our door. But for a lot of projects, they don't have that infrastructure. They don't have those channels to be able to ask those questions. Whether it's open-source software that is tied to a commercial company, or whether that is an open-source project that maybe has dissolved a bit or doesn't have those key contributors anymore. And it's hard because that's, I think, for some of the die-hards in the open-source space, the beauty is just to go in and play with something and check it out and see if it works, right. Great. Don't stop that. But once you are in your environment and you decide to, like, use it more in depth, put it into a product roadmap, whatever it is, that's when you really should step back and take a hard pause and say, “Hmm, now we need to think about this thing a little bit differently.” And those are the conversations that I have with consortium members all the time at OISF. I think that's why we've been so successful, is that we're not a barrier to their progress. But what we want to do is make sure that Suricata stays around to serve them longer. And if you can't have that conversation with a project because it doesn't exist or you can't find it, then just recognize the risk that you're taking.

Raghu Nandakumara  48:21

Yeah, absolutely. And I think the other, maybe perceived, challenge is, how far down the rabbit hole do you go? Okay, there is your own direct consumption of open-source software for something you're building. But then, if you are licensing something from a third-party vendor, there's their use of open source, and if they're licensing something else. So how far down that path do you go to get to, I guess, that sort of undividable quanta that everything sits on top of?

Dr. Kelley Misata  48:55

That's the challenge, and that's why, well, my family's kind of squashed this idea, but I was like, oh, I want to go get a law degree, because I want to understand the legal components to all this, because it would be super fascinating to be able to answer that question. I think where we are today is that we don't know a lot of what we don't know yet. And for projects that have, again, some structure and some organization around them, we think about it, but even at OISF, our consortium members are coming to us with some of these complex down-the-line questions around licensing, and we're scratching our heads, saying, “How is that going to work? Is that an us problem, or is that your problem?” So, it's really, really challenging, but it also makes it kind of exciting.

Raghu Nandakumara  49:45

Yeah, I think it's really interesting when we look at it particularly now. So, as I'm sure you're aware, various regulatory bodies globally are starting to issue more and more regulations around operational resilience, and as part of this, they speak about managing that third-party risk and third-party service providers, often largely aimed at hyper-scalers and critical IT service providers. But you can see a scenario where, as an organization, you've built an application that is heavily dependent on an open-source project. And if whatever happens with that open-source project compromises the resiliency of this application, then how does that manifest itself in how you unwind it, and I guess ultimately it's about who you point the finger at?

Dr. Kelley Misata  50:41

Right, well, and that's if you can unwind it. But that's where better practices in that development cycle need to also play a part. And I think that's one of the challenges. We see it with Suricata, like, we want people to be using it. We want people to be testing it and putting it into different scenarios, but we recognize that if you are part of a large enterprise organization, you're going to have to ask, you can't just take it off into the corner and play around with it. So, I think for a lot of the users, they're really going to struggle with that, but that's where I'm trying to stay on the side of positivity, because I think some open source projects are really scared that we're going to lose the essence of community and innovation and freedom that is built into these projects and this software. I want to believe that we can get creative and that we're not going to lose that, that we can have a balance of both some way, but I don't think it's going to be easy. And again, we're going to have to work together to think through it. When the National Cyber Defense Office from the White House put out the call for information around securing open-source software, I went out of my comfort zone and I did a response to it, because I saw what they were thinking about. I'm like, you're missing all these other pieces, guys. How do we look at all the components of what open source is, instead of just securing the software? Absolutely, 200%, I agree with it. But that's not the only thing. So, we have to bring in expertise from all those different levels. 
Which brings me to one quick note. You know, I think often in the security space we have this divide of technical versus not technical, and if we can break down that divide, then we bring more people to the table to have better conversations around these problems, because if people say, “Oh yeah, you're not technical, because you're not working on development every single day, you're not as important,” or “you don't know as much,” we are doing ourselves a disservice, particularly around open source.

Raghu Nandakumara  53:00

Absolutely, and I'm glad you brought that up, because I'm going to add something to that. You spoke about needing a really diverse range of opinions and creativity to solve this problem, in addition to having both technical and non-technical individuals. And I think that cyber, I mean not just cyber, but we're talking about cyber here, really needs to rethink how it approaches making itself a much more diverse and inclusive profession, right? There are so many amazing individuals, but we're still very, very focused on a very particular profile that works in cyber. So, I agree, right? I think there's massive opportunity, a massive amount of skill sets and expertise that we need to bring in, and only by further pushing for diversity, equity, inclusion is that going to manifest itself.

Dr. Kelley Misata  53:53

Yeah, I remember early in my days in the security space, people would want to put definitions around privacy, right, similar to the technical versus non-technical, and I would push back in a respectful way, and I would say the way I view privacy is very different than you. I come from a different background, I have different experiences, and I don't think that I will ever be able to use technology the same way as I did before that event in my life. So, my definition of privacy is going to be different. It's the same thing when we're trying to define what is technical. I ask people, and again, it's not to be obnoxious, it's because I'm curious. Yeah, when someone says to me, “Well, you're not technical,” or “That person's technical,” I always ask, “What does that mean? Can you describe it for me?” And so for me, I'm curious about, how do we shift the conversation? But it comes first with saying I don't understand. Because I can calculate elliptic curves, but that's not what I'm ever going to do again. So, don't even ask. But I can. Will I? No. I can code. Will I? No. I mean, my team at OISF is dying for me to have a pull request on Suricata. I'm like, yeah, just wait, you guys. But my passion and my love is all this other stuff. Now I'm going to sit where it's fun for me. Yeah, that doesn't mean that I'm not a value to the conversation, and that's where I pull out the Dr. Misata.

Raghu Nandakumara  55:26

Absolutely, I think there you really wrapped up this entire conversation that we've been having today, which is very much around: we can only serve our customers, our clients, our partners best if we, and when I say we, I mean whether it's individually or the team that we have working with us, have the ability to understand what we're trying to solve for and why. And that can only happen by listening, but also by having those in our team who are able to relate to those experiences, which is why having a spectrum of backgrounds of individuals is so important for us to make progress in cyber.

Dr. Kelley Misata  56:20

I agree. I agree. And, you know, kind of going back full circle from my world. You know, people used to say to me, why don't you go after that individual? Like, go do that. Why did you go get a PhD? And I kept saying, I don't know if I can ever change that. You can't change people. I can't effect change on that, but I can effect change in the way I think and the way I understand how things work, in the way I can approach my use of these technologies, and how I can protect myself as a result of that knowledge. That's where control and change and impact happen, not in trying to change some awful situation over here. So, for me, it's like, how do we make things better by having those broader conversations and coming at it with, again, some humility.

Raghu Nandakumara  57:19

Absolutely. Dr. Misata, Kelley, I couldn't think of a better way to bring this conversation to an end. Sadly, I must add, I'd love to just carry on talking and talking, but I'm conscious of your time. So, with that, thank you so much for your wisdom, for your humility, for your experience and the perspective that you bring to the two very, very important problems that you've made your mission to help progress.

Dr. Kelley Misata  57:50

Thank you. Thank you for having me. It's been a lot of fun.  

Raghu Nandakumara  57:53

Likewise. Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.