Episode details:
NetSPI Field CISO and host of Agent of Influence podcast, Nabil Hannan, sat down with Dawn Armstrong, Vice President Information Technology Operations at HumanGood to talk about the prevalence of third-party risk management, why IT hygiene is so important, how to use it to build a culture of security, and tactical ways to counter subtle gender bias in cybersecurity through involvement with organizations such as Women in CyberSecurity (WiCyS).
Show notes:
- 01:36 – Cybersecurity focuses in nonprofit
- 04:20 – Avoiding a false sense of security
- 06:08 – The prevalence of third-party risk
- 09:40 – Getting IT hygiene up to par
- 11:37 – Building a culture of security
- 13:54 – How to better educate everyone about online safety
- 18:09 – Getting involved with WiCyS
Transcript between Nabil and Dawn
Third-party risk management, IT hygiene, creating a culture of security, and advocating for gender equality
This transcript has been edited for clarity and readability.
Nabil Hannan: Hi everyone, I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today we’re with Dawn Armstrong, who joins us to talk about third-party risk management and the importance of overall IT hygiene. So Dawn, really excited to have you with us today.
Dawn Armstrong: Thanks, Nabil. It’s great to be here.
Nabil: Dawn, maybe we can start off by telling us a little bit about yourself and where you are professionally today.
Dawn: Sure, I’m currently the Vice President of IT Operations at HumanGood, meaning I cover cybersecurity, of course, community and corporate IT, and infrastructure.
Before that, I was at Virgin Hyperloop, for about four and a half years. That was a really exciting part of my career, because being at a startup, you have to be on top of change. You have to want change and be able to embrace it. And I think, frankly, that prepared me for what we’re seeing now in the world of AI, and how fast we’re moving now.
01:36: How is the focus on cybersecurity different in nonprofit?
Nabil: So we’ve talked on multiple episodes around truly the business context and the business profile that often impacts how security decisions are made. Would love to understand from you, how is cybersecurity and the focus on cybersecurity different for the nonprofit sector versus other sectors?
Dawn: Well, I can only speak for HumanGood, and what I’ve seen from a variety of acquisitions and mergers, but what I typically see is large tech debt. In senior living, you are more focused on caregiving, and your residents, and healthcare. There are such thin profit margins there, or maybe it’s a nonprofit, so you’re kind of scraping by with every dime, that cybersecurity is not really a consideration, right?
I think the industry has never thought they were an interesting target. But I think now we see that everything is an interesting target.
Everything is a target, generally speaking.
So obviously, the unique challenges are, you know, a lack of technological maturity, I would say, as well as financial availability. I’m really, really lucky, though, because I work for an organization where the CEO, John Cochrane, is all about innovation in that industry.
And I think as the global population and the American population ages, those people who are going into affordable housing, communities and retirement homes, they expect more because they’re streaming at home. They have their Facebook accounts. They have iPads and smartphones, and they expect all of the things that they had at their home. So they don’t want to lose any of that technological ability that they had, right?
And then we’re also seeing that adding that tech, generally speaking, to the senior living industry allows for better profit margins. Especially after COVID, it’s very difficult to get healthcare workers, so when you struggle with that, you pay more for contractors, so you’re further putting pressure from a financial perspective.
04:20: Do organizations have a false sense of security if they think they don’t have sensitive information to protect?
Nabil: Going back to what you mentioned around that the nonprofit sector may have felt that they were not meaningful targets because they are nonprofit, and there may not be money there, I often wonder if that’s a false sense of security that these organizations have fallen into because they may not have as much money, but because they’re not focusing as much on security, they’re easier targets to get – even if it might be less from a value perspective, they’re easier to go after.
Dawn: 100 percent.
Nabil: So is that a false sense of security that they have because they don’t think they would be targeted, or is it just that there isn’t enough from a funding and budgeting perspective, to actually be able to focus on this?
Dawn: Well, there’s always money somewhere, right? I mean, let’s face it, there’s always money somewhere. So I think that they thought that they had that type of immunity, but that immunity doesn’t exist anymore. We have seen ransomware attacks on nonprofit hospitals. Well, they were able to get their EHRs up and running again by paying the ransom.
You know, what are you going to do from a retirement community, if you have residents in your care? You have memory care, you have assisted living, you have skilled nursing, you have the entire range of caregiving. And you need technology to make that happen. We have alerting, fall detection, and all of that. And so if that’s not available, then you’re putting your residents at risk.
06:08: What role does third-party risk play in your world today?
Nabil: Now I know you’re very passionate about third-party risk. I’m very curious to understand what role does third-party risk play in your world today when it comes to cybersecurity?
Dawn: Well, it’s not that I’m passionate about it, I think it’s more terrified about it.
Nabil: That’s one way of putting it.
Dawn: The only breaches that I have had in my entire career, knock on wood, are third-party breaches. And some of them have been kind of ancillary breaches where they only really affect maybe our entire population of users, and so they have to be notified.
But in other cases, those third-party breaches may be where a very small company that’s maybe providing physical therapy to one community has not secured their server, their computer that basically runs their whole business, and that allows that virus to get into our systems.
So depending on the third parties that you’re using, your risk could be this much or that much. So this year, I was able to flesh out our security stack, and I added a third-party risk company so that we could analyze as we bring in new contractors, as we bring in new companies, what is our risk?
And to be perfectly honest with you, I’m not really seeing a whole big benefit to that, because a lot of the companies that we deal with are either government related or very small. We’re pretty small, so they’re not in there, and we also get a lot of pressure from a security auditing perspective, because you want to do security audits on everybody that’s coming onboard. But when you have 125 communities, there’s obviously that pressure that I don’t have time for your audit. I need to bring these people onboard right away. And it’s challenging. So am I passionate and terrified about third-party risk? Absolutely. I don’t think that there’s much that you can do about it except be super vigilant.
Nabil: Are you changing the approach, or have you drastically changed your approach over time on how to manage third-party risk better?
Dawn: One of the ways that I’m managing it in-house is from a marketing and sales perspective. So in IT, I have to be marketing and sales a lot, I have to get out there and inform and help out the understanding of why that security audit is important. Why is it important for you to tell me that you’re bringing on this vendor? And that education is an important first step, because they just think they’re solving their problem, which they are, but you’re bringing a problem to me instead.
I’m making sure that my house is in order, so that I can only worry about the third-party risk without worrying too much about my house. So as long as we’re secure, and we have a great stack and great IT hygiene, then I can at least focus more on that third-party risk.
09:40: What are some benefits you get from making sure your IT hygiene is up to par?
Nabil: So IT hygiene, we understand, is a problem across the industry today because of how challenging it is as a whole. Would love to understand from you, how do you determine where to focus your effort when it comes to IT hygiene? And of course, you touched on it a little bit, that if you can at least have good IT hygiene yourself, you can focus somewhere else.
But what are some other benefits that you get from making sure that you’re doing the basics and that your IT hygiene is up to par with what you’re expecting it to be?
Dawn: It’s all about setting expectations with my team. So, they have to be trained and educated, that this is why IT hygiene is important. So that is all the way from documentation to best practices, securing your servers, hardening, labeling things, asset management, all of those nitty gritty details are important.
I’ve been at HumanGood for just over two years, and about a year ago, we were having a meeting with a bunch of the IT guys, and one of them said, “Yes, well, we need to do better IT hygiene.” And I was so excited that they’re actually using my words! So I knew we turned a corner there.
Nabil: I mean, I think it’s fun and also exciting to see the cultural change happen, especially when they adopt not only a proper thought process, but also the same language that you’re speaking about the same concept.
Dawn: That’s when I knew that they got it.
11:37: How do you bring greater awareness to cybersecurity?
Nabil: Which directly leads to what I want to talk to you more about around culture for cybersecurity as well. I think if you don’t have the right culture, you can only do so much from a technology perspective, automation perspective, and testing perspective, etc. But without the right culture, you’re not really going to have a successful cybersecurity program. So with things coming up like Cybersecurity Awareness Month in October, what are some things you’re doing to bring awareness around cybersecurity within your organization?
Dawn: I always say to the Board and leadership that Cybersecurity Awareness Month is my favorite holiday. We do a big thing for our team members, but we also do a big rollout for our residents as well. So for our team members during the year, we do our traditional IT things. We do phishing tests, we do training videos. So inundating them with more of that during Cybersecurity Awareness Month is not really going to interest them, right?
So what I’ve done over the years is I make sure I bring in one or two three-letter agencies to do a talk. Everybody wants to hear from the FBI or whoever I can get in the door. And I also try to gamify a lot of things. Everybody wants a $5 Starbucks gift card.
The more you talk about it, the more awareness you raise, the more that they start to talk about it within their communities, and frankly, within their entire lives, right? Because everybody needs to have that education, because it affects all of us all the time.
So that’s pretty much what we do from a team member perspective. You know, we do some internet articles and things like that. But it’s really the gamification and the fun talks that we do during that time – keeping it real and funny.
13:54: What are some approaches you’ve used to better educate seniors and everyone about online safety?
Nabil: A common challenge – and I shared one of my stories with you about my mom, who had an incident with her accounts getting hacked and scammers reaching out to her contacts on Facebook, etc. When it comes to the residents at these senior living facilities, what are some approaches you’ve seen that tend to be the most effective, and are there certain things we’re not thinking about that we should be thinking about, not just to better educate the senior but also better educate everybody, the general population, across the board?
Dawn: We have 23 IT admins across the country that service all of our communities, and we do monthly workshops for the residents, and there’s always a cybersecurity component to that. We try not to make it overwhelming. So those workshops are really for them to bring in their devices, ask questions. Maybe they need the device updated. Or whatever needs to be done. We try to help them out with that. But also, we also try to impart one piece of information for the month. Here’s the tip of the month.
As we roll through to October, we do something very similar with them. So my two security engineers and I will all go out to the communities. We’ll do talks. We also try to bring in the three-letter agencies for them. The residents always like to hear from them, tell them some war stories, right? And frankly, if you listen to what they’re telling you, then everybody in that room is hearing their story and learning from that story. So I think that outreach, that education, and normalizing it is very important.
I think the FBI statistics show, and I might get some of these numbers wrong, but it’s something like 80% of all elder fraud is reported if it was not successful. So it’s basically, “I didn’t fall for it, so I’m going to tell you about it.”
But on the other hand, they don’t tell you about it if it was successful. Often, they won’t tell anyone about it for months and months and months. They don’t want to be seen as not being able to handle their own affairs. They don’t want to be seen as in cognitive decline or be embarrassed, frankly. I think everybody in this room, everybody out there listening to this probably has at least one story from a family member that we can all relate to. It’s really all about education and talking about it all the time. We have to talk about it all the time.
Nabil: There is a real stigma. You know, people feel like they’re vulnerable, and sharing the story of when they got taken advantage of makes them feel more vulnerable, versus them thinking that, hey, maybe I can save someone from falling for the same issue that I did. And it’s fascinating how creative these scams and attacks are getting today to truly compromise, especially, the elderly.
Dawn: Oh, definitely. And, you know, I always start off my talks when I’m giving them to the residents with a vulnerable story. I mean, that’s a very good point, Nabil, is that I put out there something that happened to me, and then that immediately puts them at ease, that I’m not going to judge them.
Nabil: Lets the guard down a little bit.
Dawn: Exactly, yeah. The elder fraud statistics are absolutely insane. I think in 2022 it was something like $3 billion estimated, and a large percentage of that is from the US.
Nabil: Yeah, I mean, it’s also understandable, because the elderly in the US probably have more access to technology than other countries.
Dawn: Zelle, and Venmo, and money apps, yep.
18:09: Can you share more about your involvement with Women in CyberSecurity?
Nabil: Absolutely. Would love to talk more about understanding your involvement with Women in CyberSecurity. Can you share with us what you do there today?
Dawn: Oh, absolutely, so the organization you’re speaking of is WiCyS and that’s a nonprofit organization that started about 11 years ago. Its focus is on moving women forward, whether that’s from an entry level position in cybersecurity or middle management, all the way to leadership. They have mentorship programs for all levels of leadership. They have scholarship programs for SANS and ISC2.
It’s really a great organization for women to get involved in all types of different programs. At their conference in Tennessee earlier this year, I actually did a talk on gender bias, and did a talk that involved how to gender wash your resume, because bias is out there, whether that bias in hiring is conscious or unconscious. How do you make your resume not look like you’re a female? The fact that we have to do that is a shame, but it’s a fact.
In my research that I was doing for this talk, I found out that most candidate automation platforms use a program called BERT. It basically sifts through the candidates and goes off of keywords and things like that. And there was a study done, and that study showed that BERT was 61.8% more likely to choose a male resume, even if the resumes were exact. That’s crazy!
Nabil: I think that goes to some of the discussions we’re having today around systems that get trained on data, so the system could potentially be using machine learning or AI to help make decisions, and that’s when you also have the problem where just because it’s automation doesn’t mean it’s not biased, because the training data often leads to output behavior in these types of systems, and that causes problems.
Dawn: Exactly. We were having some conversations earlier with a couple CISOs, and we were talking about how these LLMs are basically trained on Reddit, and who participates in Reddit? Mostly 19-year-old, straight white guys. So that’s what we’re going off of.
Nabil: And that’s a big challenge we’re dealing with and trying to address. And obviously it’s not going to happen or get solved overnight, but it’s a work in progress. So to elaborate a little bit on the Women in CyberSecurity piece, what advice do you have for people who want to get involved, and what do you recommend they do?
Dawn: If you’re a corporation and you want to sponsor, you could just go to the WiCyS site and sign up as allies as well. For mentors it’s great. I’ve been a mentor there for several years. Frankly, I usually learn just as much as when I’m part of it so that’s awesome.
What I thought was really fascinating about this last WiCyS, I spent a lot of time in the business booth area, and the amount of hiring that was being done by companies, I thought was a fantastic idea for a company that’s trying to hire. Cybersecurity people are hard to find, and what an amazing opportunity for them to be able to hire bright young women.
Nabil: I do want to go back, because it really piqued my interest. Your talk that you did there about the types of things to do, to stand out during the recruiting process or not get set aside during the recruiting process just because you’re a woman in cyber, were there any other key takeaways or themes during that presentation that you found really resonated with the audience, and would you mind sharing a little bit about what those were?
Dawn: Sure. Well, if you’re having trouble getting hired, one of the things that a lot of women are doing is taking their photo off of LinkedIn and changing – if you have a name that’s Chris, that’s okay, that could go either way, but if your name is Crystal, you might want to just put a K there. So that’s one way to gender wash, so that they can’t really tell if you’re male or female. Also from a language perspective, men tend to use more agentic language, so very strong, confident words, like “I,” more active in nature. And women will use more communal language, like “we” and “I’m part of a team.” So changing your resume to be more agentic is also very important, and those are two of the big takeaways.
To be honest, even though I did that presentation, I was still shocked at the amount of women who have been a victim of terrible bias in all areas of their careers. I mean, I’ve had it happen to me, but I’m not 21 anymore, and to see like 20-year-olds having these problems happen, I was just shocked that we haven’t come as far as I thought we did in the recruiting front too.
Nabil: I think there’s a huge problem today around how job descriptions are made as well, because I find often job descriptions have requirements that may be unattainable or are maybe not quite required for you to be successful in that particular role. But what often happens, I think, is women, when they see a requirement that they don’t meet all the criteria, they don’t apply for certain roles, whereas men often don’t look for that 100% completeness from a requirements perspective before applying.
Dawn: And that’s one of the slides that was in my presentation, and that’s pretty much the first thing I tell women is that a man will apply if they hit 10% of the requirements. A woman won’t apply unless she hits 85-90%. Just apply. Because, frankly, I’ve been a hiring manager for a very long time, and HR makes me write those job descriptions, and I’m usually just copy pasting.
Nabil: I’m also wondering the different mindset between men and women when it comes to whether they meet certain criteria. Do you think there are some other cultural or childhood behavior that kind of predispose us to those biases on making a decision on whether we apply for something or not?
Dawn: Well, that’s a deep question. I have absolutely no doubt. I mean, women go to home ec class, guys go to shop. You know, I think that’s different now, or at least I hope that’s different now in schools, but I had to take home ec. I really wanted to be in that shop class, but I couldn’t take it. I wasn’t allowed, and I was forced to take home ec. Why do I want to take home ec? Come on. I mean, women and STEM, you know, you’re talking about science, technology, engineering and math. I think women, young girls tend to be a little bit discouraged. Maybe they’re not as fast learners as the boys are. Yeah, I just... it’s there.
Nabil: I also think, from a childhood perspective, boys are encouraged to do things that are a little bit more inherently risky than girls are. You know, if a young boy goes and plays outside and nicks his knee and comes home and cries about it, it’s like, oh, he’s a boy. He’s just doing something like that.
Whereas girls are encouraged not to go around and be rough and cut themselves and get in trouble. That’s often still, I think the majority of the population kind of treats it that way.
And same, you know, your home ec class and shop class kind of made me think about that too, because if you think about in a way, the boys then got pre-exposed to tools and things they were doing in that class that were inherently a lot more risky than home ec class, and that right away kind of builds a divide between the mindset of the two genders.
Dawn: Yeah, definitely. I guess I really wish we had come farther, but I don’t think we have.
Nabil: I didn’t mean to get too deep, but I think it’s a real and reasonable discussion. And I loved your perspective, so that’s really helpful. But Dawn, thank you so much for being here. This was truly a pleasure and great learning from you, and look forward to many more.
Dawn: Thanks Nabil, it was great to be here. Thank you very much.
Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please reach out to us at podcast@netspi.com.