A secure world is a better world!
In a world where technology is advancing at lightning speed, security can sometimes seem to be lagging behind. This is especially so if you are not an IT guru who understands cybersecurity concepts very well.
This is a gap that can be filled by caring people sharing trustworthy information and experiences to help others.
Today I’m joined by Chris Kubecka, the founder and CEO of HypaSec and Distinguished Chair at the Middle East Institute Cyber Program at the Middle East Institute.
I’m delighted we have an expert and industry leader sharing her experiences with us and shedding more light on how empathy plays an essential role in cybersecurity.
In this episode, you’ll get some simple tips that can help secure your data and digital assets. You’ll also get to hear about how Chris uses empathy when dealing with complex, high-impact cybersecurity problems. Lastly, you’ll learn about some of the challenges in the personal cybersecurity arena as well as the progress made in the past few years, plus a piece of advice in practicing self-empathy.
In this episode, you will learn:
How cybersecurity impacts other aspects beyond our interactions with technology (05:41)
How to get people to be empathetic and to think beyond their immediate reactions while in a crisis (07:35)
Aspects of cybersecurity that have become easier in the past few years (14:32)
How to choose and use the right networks to get trustworthy cybersecurity advice (17:10)
Distinguished Chair at Middle East Institute Cyber Program at Middle East Institute. Founder and CEO of HypaSec. USAF veteran of multiple humanitarian and combat missions. Advisor and subject matter expert to several governments and industries on cyber security and incident response for cyber warfare.
[01:30] Andra Zaharia: My guest for this episode is one of the people who I most appreciate in the cybersecurity space and beyond. Chris Kubecka is an absolutely incredible, experienced, committed, and energetic cybersecurity specialist whose, let’s say, reach, whose just simple expertise, kindness, and generosity have always impressed me. She is consistently the type of person who shows up for the community and for the people she works with in a very generous, very honest, very empathetic way. So, to talk to her for the Cyber Empathy podcast is one of the best things that I could have ever dreamt of. To give you a bit of insight into Chris’ work, she has been involved with computers from a very early age. She had a role in the United States Air Force Space Command, she was a Disaster Recovery Consultant. She even interned as a Vascular Surgery Technician before she became a Senior Network Operation Analyst. She was the one who detected and helped stop a second wave of cyberattacks against South Korea in 2009. Plus, in 2012, she pulled off one of the greatest cybersecurity operations of all time, helping Saudi Aramco, which produces 25% of the world’s oil, secure its network of over 35,000 computers and servers that were taken offline by a targeted attack.
[03:09] Andra Zaharia: Her work is the stuff that James Bond movies are made of. And I hope that at some point, we get to see a movie that’s made about her life, simply because it is absolutely mind-blowing. And not just that - so, beyond her technical expertise, beyond her incredible talks that she gives at conferences worldwide, she is just a wonderful human. She is just so present, so warm, and such a welcoming person to talk to. This is my opportunity to say thank you to Chris for agreeing to do this small interview for the Cyber Empathy podcast. And I hope that you discover - along with me - how fantastic she is and what an important role people like her play in moving cybersecurity in the right way forward with the right principles, and getting people to understand these complex connections in the world that make cybersecurity topics and that make empathy key for us to be able to live in a better, healthier, and hopefully more serene world. So, everyone, please meet Chris Kubecka. I am absolutely thrilled to introduce this conversation to you. Thanks for listening.
[04:47] Andra Zaharia: So, Chris, such an honor, so much excitement behind this microphone right now, simply because talking to you always is an incredible opportunity. You are just one of the kindest, most open, and most positive and constructive voices in the cybersecurity industry and far beyond it. You have done some amazing things with your work. And I don’t mean just on the technical side, but so far beyond it. And you’ve influenced a lot of my work as well. And I know that I don’t speak just for myself. So, thank you for being here to share your perspective on how we can use and build more empathy into what we’re doing here - everyone, each of us, in their own role.
[05:35] Chris Kubecka: Well, thank you so much for having me. It’s always a pleasure. I’m always available for you.
[05:41] Andra Zaharia: Thank you, that is obviously ever so generous of you. So, let’s get right into it. You work on some very high level, very complicated, very complex things, generally. So, I’m trying to make this simple for the non-cybersecurity people who are listening. Your work involves some very strategic stuff that plays into technology and geopolitics and a lot of decision-making. So, there are many complex things that come together. How do you use empathy to get all of these people with all of their priorities and interests to work together for something that is, let’s say, very important for the greater good of not just companies, but obviously, all of the people that they serve?
[06:28] Chris Kubecka: Well, one of the things I try to make them understand and remember, and remember myself, is the fact that a politician or a minister or someone like that, at the end of the day, they’re human beings, and they’re making decisions for human beings. So, if they decide not to go forward with or unsure of, say, a cybersecurity policy when it comes to their water infrastructure, then it’s a good idea to remind them or explain some of the effects to human beings that can occur from those failures. I mean, not having clean water, for example, not only affects business from the inability to produce things because water has to be of a certain quality, but also a drain on the healthcare system, the amount of illness due to lack of clean water if somebody were to attack a system, etc. So, it actually pushes up costs overall quite a bit more. But again, at the end of the day, these decisions are being made that can affect actual people, everyday people, and that needs to be stressed.
[07:34] Andra Zaharia: Absolutely. I think that that gap between, let’s say, the cause and effect, that is one of the most difficult things to see and relate emotionally to in cybersecurity. And that’s why we don’t see a lot of proactive actions still, simply because it’s difficult to emotionally, let’s say, metabolize those things and make them something they’re close to you and part of your life and not just something that’s someone else’s problem and not our own. How does this work when people are in a state of crisis? Because you worked on a lot of major potential crises that would affect the entire world, literally, quite literally. How do you get people to be empathetic and to think beyond their immediate reactions? Because I can only imagine how heated things can get in a situation of that sort.
[08:24] Chris Kubecka: I try to get them to understand what the effects are going to be immediately on them. If there’s a supply chain issue, where it cuts down on logistics, how much are they going to spend at the grocery store next week? Because supplies are not there. Whether it’d be almost everybody’s favorite drink - coffee - to other goods. Another one that I stress is, we might be in this state of chaos, but we need to get certain things up and running, because how are you going to get paid next month? They’re like, “Oh, yeah, I won’t get paid if our business systems aren’t up.” Also, explaining it isn’t just your paycheck, it’s also going to be… what if the company that they’re working for can’t do their contractual obligations, and then they get sued, and then jobs are lost, and it could be your job - and it has a knock-on effect from when not just employees don’t get paid, but other organizations don’t, and they can fall by the wayside. I know in the Middle East, it’s very important to think about maintaining people’s jobs and incomes. And so, I also tried to know the culture when I’m speaking to a person about that. In the United States, it would be more litigious; they’d be afraid of all the lawsuits that they would get if they couldn’t meet their contractual obligations. So, I try to play to that. Fortunately, the Americans love to sue people.
[09:48] Chris Kubecka: But what is the effect on you personally, and that human effect, the small company that provides all of the coffee that they deliver or lunches - might be a lovely Mom and Pop type of place. And they’re not going to be able to do that and stay in business because your organization might be the only contract that they have. And you love their sandwiches, so you know, you have to make sure that these things are done. So, I try to look at it from that point of view. Because, at the end of the day, many of us like to think that in the digital world, it’s just machines, and ones and zeros, and how does that apply to the human being. But the internet and computers, and decisions, and algorithms are made automatically about our everyday lives. And we have to remember that there are human beings who are coding, human beings that are trying to keep us safe, make decisions. And we can all either benefit or fall or do something in between. And I think, in some ways, the pandemic has kind of helped with that; allowing especially people in the IT industry to see how much technology affects our everyday life and how important it is.
[11:05] Andra Zaharia: And how it plays into literally everything that we do at this point, even for people who are not working in technology or aren’t, let’s say, as dependent, but we all are up to a point. And thank you for highlighting that. I think that this is actually the entire essence of why I’m very passionate about this topic, and why I’m very thankful to be able to have these conversations; to show people outside the cybersecurity industry, even people outside the tech industry, this human value — because humans drive technology forward in a good way, or in a less-than-great way — we’re the only ones who can enact change, enforce it, and cultivate it in a way that is healthier for us. Because at this point, society is shaped by technology, and our future will be inherently influenced so very deeply of, you know, what technology does, its capabilities, and how it supports either our good traits as humans or our lesser good ones. Have you found that throughout the experiences that you’ve seen people go through, and hopefully these moments of realization, and then connection to these far off effects, have you seen that that reaction lasts, that it sticks once that, let’s say, a switch is turned on in their brains?
[12:28] Chris Kubecka: I do. Once that switch can be turned on. A good example is when I’ve heard the argument, “Oh, those users or general people, they don’t know how to keep their own stuff safe. It causes all this crime. Don’t you know you aren’t supposed to click that link? Why don’t they have antivirus? Blah, blah, blah.” I like to remind people that security is expensive, both for organizations big and small, but also for the general public. And the general public and most people within organizations are not cybersecurity experts, and we can’t expect them to be. If you want to have a couple of computers in your house, that’s already a few thousand. You want a newer type of WiFi router that isn’t known to have any vulnerabilities that’s going to cost you. You have to figure out how to update it. You have to make sure that you’re updating your own stuff. Then antivirus, that’s about $60 a year, plus any other type of security layer. And these things can be very expensive. And we have to understand that not everybody has the money or understands that they would need the money to do these types of things and understand exactly what to do. I don’t think security is made easy for a reason; there’s too much money in the market. But it should actually really be much easier for everyday people to understand and implement very easy security, at least to a certain extent. So, when people see that, “Oh, yeah, it does cost me X amount per year to be able to run all of the things that they suggest people run at home.” And in some cases, this is something else that the pandemic has kind of taught us; not everybody has a system that can do things like remote employment or remote education because they might not be able to afford it. And when they’re given these things, they can’t always afford all of the additional layers of security that some in the IT industry and cybersecurity industry might be able to afford - we forget about that.
[14:32] Andra Zaharia: It is so easy to forget also about the costs of time and energy that people have to put in. And when you’re taking care of family members, whether they’re children or parents or other relatives, if you have health issues - all of that adds up in taking, carving out that time to read about things, to make sense of things, to educate yourself, to look for answers online. I think that that’s a hidden cost that very few people who are in the industry, whether tech or cybersecurity, realize. And then something that’s very real and important to people, and we should totally take that into consideration. It is definitely clear that when you start to think about these things, and maybe talk to people outside your normal circle bubble, I think that you can get a lot of the stronger sense into the reality of things and what people care about truly. And obviously, ease of use and making these things simple is paramount. Can you share some examples of things that have become easier in the past years in terms of security, because I think that we need those positive examples to show us that there is progress — not enough and not as fast as we wanted, but there is progress and there are more alternatives than we used to have, let’s say, five or six years ago?
[15:49] Chris Kubecka: Some examples can include, if a person can afford an iPhone, nowadays, Apple has tried to lock down some of the privacy settings so that it makes it easier for your private data not to just go everywhere. No matter how much or how little money you have, we are the product, no matter if it’s free or not in the digital marketing world, which is a bit of a shame because privacy issues can lead to security issues. And I do most of the time appreciate that when I run a Windows system, it’s automatically updating - I just don’t appreciate it when it does it during something that’s open where I don’t see the message. So, things are starting to get there. There’s certain types of security measures that are now being put into internet browsers to warn you. There are search engines that go, “Hey, this looks like a phishing site, so don’t click on this when you do an internet search.” It doesn’t get everything but it tries to. Spam engines - they’ve been quite helpful, and they’re getting better and better. Because things can look very realistic and appeal to you. So, things are getting better; it’s just in my opinion, not quite fast enough. But I think that’s what happens in the world - the things you want to be positive don’t seem to come fast enough, and the negative seems to come way too fast.
[17:10] Andra Zaharia: That is true. And I think that there’s this strong parallel between health and cybersecurity because they can both require for us to be proactive about doing things that are healthy for us in the long run. I think that it’s never been more obvious than it is now. That parallel is so clear now. And with all, the pandemic has obviously heightened our awareness around our health and how things in our bodies connect to each other, how things in our economy are connected in ways that people never thought of simply because everything worked before. It’s just when you get sick, you realize that things you took for granted that were working before, no longer do. And it’s the same in cybersecurity; when you fall for a phishing scam or your bank locks your account because someone tried to defraud you, you only realize that something’s wrong because up to that point, things just ran by default. And I think this heightened awareness is hopefully something that just gets us to pause, at least, to give ourselves that time to think about what we’re doing and the choices that we’re making, whether they’re for ourselves and for others. Because one of the things that I wanted to ask you about and something that I’ve noticed is that people need someone to trust in terms of technology and cybersecurity. When they feel inadequate, when they feel they don’t have enough information, when they just feel overwhelmed - they need someone to turn to. How would you suggest or recommend that they go about this? Because obviously, not everyone has someone in their close circle or family who is good at technology. So, when you’re trying to figure stuff out, what do you do? There’s so much out there, where do you even start?
[19:03] Chris Kubecka: One of the ways that I would start is if you happen to have a network, but you mentioned that not everybody might have a network of people to go to, but take a look where you can on where people have a track record of posting things that are positive. As in, not only a positive attitude, but also positive of, “Hey, this is how you do this.” “Hey, this worked. It was great.” “Hey, fantastic!” One thing I have noticed is there is a pretty nice percentage of the cybersecurity population that seems very willing to help people out. It’s not all, but it’s a pretty good percentage. So, if you ask a question and they don’t know the answer, they’ll be like, “Hey, but I think that so and so would know the answer. Because I just don’t know that topic, so let me put you in touch with so and so.” And it gets that conversation going. It’s very interesting how I’ve got a good amount of followers. I’m not an influencer, but I don’t want to be. If people ask me questions and I can answer them, then I try to. Because even though we might not be friends in real life, hey, you never know if someone that you’ve made friends with online can come in handy when you want or need information that they might know, and trying to foster that. Because especially during times when we might be a bit more isolated, it’s very helpful. Even if we can’t meet in real life, we still have that need to talk to other people and be socially interactive. Don’t go for the people who are a bit too egotistical and come off as toxic. Most of the people I’ve met in real life who come off as that actually don’t know that much, and they’re trying to use that negative personality to offset. So, go for the people that seem to have positive messages and appear to know what they’re doing.
[21:05] Andra Zaharia: That is a beautiful way of putting things. And one of the things that I love most about working in this industry is that I get to learn from a lot of generous people who somehow find the time and energy in their day to help others, to talk about topics, to surface topics that are incredibly important to give examples. And they just put so much of themselves out there into helping the community, whether it’s helping people find jobs or mentoring them, or just answering questions, being in interviews, doing podcasts, and having conversations like the one that we’re having now. And I’m very, very thankful for that. They definitely help raise entire generations of people who will step in their path and contribute the best that they can. In terms of being on the receiving end of empathetic experiences, who really showed the human quality in cybersecurity, could you share any story that made you feel what a difference it makes to have someone be empathetic towards you when you need it the most? Because it is a very complex job that takes not just a mental capacity but also a lot of emotional labor at the end of the day.
[22:25] Chris Kubecka: Let’s say about three years ago, I was very ill. And I had like a four-year-long illness, maybe going on for years now. You always forget, when you’re no longer sick, you have this way that your mind wipes it out. But when you’re ill or something is going wrong in life, many times it affects your confidence, and it can make you seem like you were kind of drowning in the world. There was a particular person who unbeknownst to me had been following me and some of my work. And when we had gotten a chance to meet in real life, he was able to very much lift me up and was one of the people in a line of people that was able to make me think that I wasn’t drowning. I might need a bit of a life preserver every now and then like all of us need to. But he also started introducing me to his network and was a real confidence-builder during that time, because at the time I really thought I didn’t do anything very important. And sometimes you need positive people in your life, not just flattery or something like that, but positive people to not only tell you “Yes, you are a human being, you’re doing great. And let me make sure you do even better.” So that was a very positive experience for me.
[23:46] Andra Zaharia: And one that I hope we all get to have when we most need it. It is, to me, what I see a lot in the people such as yourself who do so much and put so much of yourselves into your work and into your contribution to the community is that sometimes it may be draining, sometimes it may be overwhelming and it may be too much. We often forget to be empathetic towards ourselves. I think that we’re sometimes very unskilled at practicing self-empathy and realizing when we need to take more time for ourselves and help ourselves before we help others. So, do you have any, let’s say, thoughts or recommendations for people to pay a bit more attention to that specific area of their lives?
[24:37] Chris Kubecka: Well, I hope this doesn’t come across vain. But about a year and a half ago, I decided I was going to try to force myself to relax. Now, I’m not very good at meditation or mindfulness - and I’d like to be - but I ended up getting - this is going to sound weird - facial sheet masks so that every day for 20 minutes I have to sit there, and you can’t do all that much. So I would then catch up on just things I wanted to read or look at something funny while trying not to move too much with this thing that looked like human skin on my face. It kind of forced me for 20 minutes a day to take stock in myself, to think a bit more about me, and to have that time set aside to do things that I wanted that weren’t work-related that could make me smile. So, of all things, facial sheet mask helped me learn how to relax a bit more. And men can use them too.
[25:39] Andra Zaharia: Yes, and that is excellent advice. I’m totally going to try that. Especially because I find it difficult as well. I need to force myself to sit still, it does not come natural. And I think that for many of us it doesn’t. And just setting ourselves up for the least amount that we can put into this, that is an absolutely excellent idea. I will totally, totally try this myself. Thank you for this.
[26:04] Chris Kubecka: We’re going to have to take facial mask selfies and post them on Twitter, start a trend.
[26:09] Andra Zaharia: Yes. I definitely will. I think that I’ve become comfortable enough with myself to do that and not feel like anything else. Thank you so much, Chris. You are absolutely incredible. Thank you so much for sharing this kind of time and space with us, and for just giving us all of these nuggets that we can go on down all of these, let’s say, tiny rabbit holes that lead to good things, and good people, and good experiences. I’m just very thankful for this. Thank you again.
[26:45] Chris Kubecka: Well, thank you. Any time, any place, you are an inspiration for me. I don’t want you to forget that. You’re wonderful.
[26:55] Andra Zaharia: Thank you so much.