Cyber Crime Junkies

Crossing The Line. Behind Insider Threats.

August 10, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 70

Top Security Insider Threat Leader, Stacey Champagne, joins us to discuss leadership and women in security handling insider threats.

Topics: learning insider threat protection as a career, best ways to limit cyber attack liability, how women can break into security careers, careers in insider threats, effective communication for security internally in business, how we can spot fraud in business, how to start a career in cybersecurity today, how to choose the right bootcamps, how to have effective communication internally in business, how to transition from the military into cybersecurity today, how red team exercises help you stay protected.

VIDEO of Full Episode: https://youtu.be/mobUk1ZSdC4

 


Connect with us.

DAVID MAURO LinkedIn: https://www.linkedin.com/in/daviddmauro/
Cyber Crime Junkies LinkedIn: https://www.linkedin.com/in/cybercrimejunkies/
Cyber Crime Junkies Instagram: https://www.instagram.com/cybercrimejunkies/
Cyber Crime Junkies Facebook: https://www.facebook.com/CyberCrimeJunkies
Podcast Cyber Crime Junkies: https://cybercrimejunkies.buzzsprout.com
Site, Research and Marketplace: https://cybercrimejunkies.com

Thanks for Listening and watching! -David, Mark, Kylie and Team @CCJ

Music Credits: Two Guitars by Admiral Bob (c) copyright 2012, licensed under a Creative Commons Attribution (3.0) license.


Stacey Champagne Exclusive Leader Chat-Women In Security Handling Insider Threats

[00:00:00] It's always in the news: cyber criminals attacking great organizations, wreaking havoc on the trust of their brand. We socialize cybersecurity for you to raise awareness, interviewing leaders who built and protect great brands. We help talented people enter into this incredible field, and we share our research and blockbuster true cybercrime stories.

This is Cybercrime Junkies and now the show.

All right, well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro, and in the studio today is Stacey Champagne, an insider threat professional with a long history. We're gonna get into that. [00:01:00] She's also the founder and CEO of Hacker and Heels, as well as another kind of startup that she has as well.

So, Stacey, welcome. Thank you so much for joining. Absolutely. Thank you so much for having me. So, insider threat, and why don't we start, let's explain to the ladies and gentlemen kind of what your current role is, who you're with, kind of just general, anything. Nothing confidential, obviously.

Just generally introduce yourself and let us know kind of what you're currently doing in your day job. And then let's get into some of those other kind of advocacy things that you're doing, which are really interesting, and ways to help, you know, women break into cyber and things like that.

And then I want to, you know, back up and kind of share with everybody kind of how you... Sure. Yeah. So today I am a senior manager. I oversee an insider threat investigations program, a global program for a data [00:02:00] insights company, really focused on building trust between consumers and businesses and whatnot for a variety of different, you know, business needs.

And so as you can imagine, data insights, we have a lot of data. We have a lot of information on people that needs to be protected. Right? Right. And so my job as the lead of our investigations function is to be able to properly conduct, you know, investigations on people who are internal to the company.

So normally, you know, when you think of cyber attacks, you think of someone outside of the company who's trying to break in, steal data, you know, wreak havoc on machines, whatever it might be, you know, espionage, you know, hacktivism, whatnot. But there's a whole bit of it of, you know, having people within your company who you are trusting and you're giving lots of access, which, you know, rightfully so, you need the access to be able to do [00:03:00] the work, to build the relationships, to build the systems and all the things that enable the business, right?

It's almost like, with great power comes great responsibility. And, you know, oftentimes we're gonna do our best to try to help people do the right thing, make a good decision, use their access appropriately. But sometimes over the course of someone's work experience, it could be something that happens inside the company to them.

It could be something that happens externally. It could be... we call these things stressors, right? And so we know, you know, over the course of people's just life experience, they will encounter different stressors from time to time. They might, you know, end up having some financial stress.

They might end up having some interpersonal stress. It could be between them and their manager. It could be with someone, you know, unrelated, right. But, you know, with how much we work and how much we bring to work, you know, it's inevitable that those things are gonna affect our decisions and our actions within a company, right?

And so our job, investigations-wise, [00:04:00] is, you know, when those things happen, how do we properly assess and pull together the facts of, you know, what happened? Why did it happen? What could have caused this? You know, what is our impact? What are our options in regards to remediation?

And really trying to bring it to a conclusion of understanding that isn't out to get anybody, right. We're not, you know, trying to play the gotcha police or, you know, the policy police, as I like to say sometimes. You know, you're really first looking for root cause, right?

Yeah. That's what it seems like, we wanna understand and mitigate the damage. Yep. We wanna understand that. We wanna really focus on the facts. And that can be really hard when these are people who sit next to you, right? Mm-hmm. Like these are, mm-hmm, these are your coworkers.

These are people that you otherwise have tried to build trust in relationships with. And you know, a lot of times, and we know with insider threats, it's not intentional, right? It's someone [00:05:00] who was trying to do something for a legitimate purpose. They were tasked to, you know, create a document, to send an email or whatnot, and for whatever reason, some sort of cybersecurity control oftentimes gets in the way of that, right?

So they do something that, when you're standing on the outside, or if you're standing as a security professional, you're like, oh no. Like, that's risky. They can't be doing that. Right? But when you're that person in their shoes, in the moment, you know, and you're trying to make a decision, and you think you're making a decision on behalf of the business, and you don't actually know what the impact is of your decision and your actions. We have to take that into account when we're properly adjudicating what happened. So we are really focused on understanding that intent and then providing the information to legal, to HR, to any of, you know, the proper... I was just gonna say, it seems like this, the, yeah.

So, mm-hmm. Let me ask you this. So you and your team, or what's common in this industry? This group that you [00:06:00] head up, whether it's at your specific company or others, where do they sit? Are you part of the cybersecurity group? Are you part of HR? Are you part of legal? Or are you the quarterbacks for all of them?

I mean, I imagine it's almost like a RACI document where lots of different people need to be consulted. They're accountable, they have to do certain actions. Can you walk us through that? Yeah, sure. So I'm gonna keep it broader. Right. You know, that's what I meant, 'cause I didn't want to get into your specific group.

Yeah, absolutely. So I'm gonna keep it broader and just kind of touch upon it in general, and every, you know, comment that I make here today and what I share is more of the general insider threat expertise. Yeah. Not necessarily specific. I don't represent my company or anything like that.

Right. I represent my company, but not this other company. Right, exactly. So in general, what we're seeing in the industry is insider threat being stuck with [00:07:00] your cybersecurity team. And there's a lot of good reasons why, right? Like, it makes sense because our cybersecurity teams often have a lot of the data that we need to be able to conduct holistic investigations.

Now, the downside of that is that you see a bias toward a single lens, right? So when you're on cyber, you're really focused on data loss prevention. You know, you kind of solve everything with a log and an alert and, you know, things that are happening on the system. But in turn, you leave out a lot of the human aspects, a lot of the relationship aspects, interpersonal, the conversations that aren't happening on computers, they aren't going through the keyboard.

You know, they're on phone calls, you know, they're in other systems, especially with insider threats. Yeah. Especially with insider threats, right. Because those can tend to be non-technical in nature, at least the actions. Right? Yeah. So it sounds like you guys are doing a lot of [00:08:00] investigation into, like, the behavioral...

Right? Mm-hmm. So is there, like, an element there? I mean, it was really interesting to me when you said we look at, like, a trigger, like an intervening life event, because it otherwise makes good people that have long, storied careers kind of do things that are aberrant, like it's an anomaly in their life because of a divorce.

Somebody's got cancer, there's medical bills, like something happened unforeseen, and then all of a sudden you see them, like, starting to commingle money or whatever it might be, right? Mm-hmm. Well, like, what's the approach there? Is there, you know, a specific methodology that's employed in insider threat management?

Yeah. So there's a lot of really good research out there. What we typically refer to is a publication called The Critical Path to Insider Risk. [00:09:00] Yep. And so it kind of walks you down from the furthest point, you know, far out, like what are some of the loose kind of predispositions that someone might have that would set them up to potentially take action in the future.

And then it walks you all the way down to, like, what are the things that typically happen right before someone does something, causes harm to an organization. And a lot of those items that are closer, go ahead. Oh, I'm sorry. No, what I was asking is, are those kind of codified in a way? How, like, there's the NIST standards, there's CIS, there's, you know, there's ITIL for MSPs.

Is the standard that you just mentioned codified, or is it a behavioral practice? Is it something that's common in the... It is common knowledge for those in the industry. Whether or not there's an actual, like, framework or standard around it, aside from the publication around those factors, I [00:10:00] I'm not aware of, but I do believe there might have been some work.

So a leader on the insider threat research, MITRE, does a lot of work around it. Right. And if I recall correctly, they have been working towards something similar to all the frameworks that you have mentioned around, you know, vulnerability scoring and whatnot. What would it look like for insider threat?

Okay, that's what I was asking. Yeah, because you sit within the cybersecurity umbrella, essentially, right? Obviously there's the MITRE ATT&CK framework, which is really kind of the standards and the framework in which threats are measured, evaluated, remediated, et cetera. And then there's, you know, standards for organizations like NIST and things like that.

So does MITRE, and I apologize for not knowing this, I should know this, but I don't do a lot of insider threat, so does MITRE have certain elements of the framework that you guys look to? Clearly when somebody's violating the law, all of that is codified. Mm-hmm. There's case [00:11:00] law, there's federal, state, et cetera.

Right. So how do those rules and regulations come into play? Yeah. So there's two parts to this. So one is the obvious, like the legal side of things, and things that we usually have to work with are, you know, employment law. You know, in the US we have our, you know, computer laws as well, computer abuse and whatnot.

We have to also take into mind even our, you know, GDPR and our CCPA, and, you know, understanding that while that is often geared, when we think of it, we think of it as consumers, but there's also, you know, employee aspects about it as well. So those are all kinds of factors that we look at from the legal and the regulatory side. On the other side of things of, you know, all the different types of, you know, indicators and whatnot.

And where do we kind of get that inspiration and whatnot from? There's a couple of resources. Yes, MITRE does a lot of [00:12:00] research. There's also the National Insider Threat Task Force that provides publications. CISA has created a guide on how to build insider threat programs. Very comprehensive, very holistic.

Carnegie Mellon University, their CERT organization, has a repository of, I believe, over 3000 insider threat cases, both public and private, that they refer to whenever they're publishing research and information. So that's a great, you know, place to go as well. And then you can even get into the different information groups, like an FS-ISAC or whatnot; all have their organizations. And so we really do try to, you know, there's a lot of great information out there. And then in real time too, all of us as insider threat practitioners, I would like to say we have a pretty strong community working with each other and working across the public and private lines.

Because the reality is, like, while it seems like insider threat is new, a newer discipline, in the private [00:13:00] sector, this is something that the government has been doing and, you know, learned all the lessons for, mm-hmm, you know, for quite a while now, and it would behoove us to figure out what makes sense to bring in to the private sector, so.

Excellent, excellent. So before this role, right, you've obviously, you began a career in either IT or business, and then did you have a mentor that kind of got you involved in insider threat? Yeah, so I was a graphic designer before cyber, that is, cybersecurity. I was a visual information specialist for the government.

And so that our listeners understand, because we get this every single day. Somebody's reaching out to me on LinkedIn or by email or on our website, and it's always the people that we have on that are in cybersecurity and that are in leadership roles like you are.

They came from marketing, they came from [00:14:00] sales, they came from graphic design. They're like, it's not like... that's why I love this practice of cybersecurity, because so long as you have that common belief in protection, right? Protecting others, protecting an organization's brand, and you let that vision kind of drive you, there's gonna be a role here for you.

So it is pretty cool. Didn't mean to cut you off. I just wanted some context there for you. So you were in graphic design, and then what happened? Like, how did that lead to this? Yeah, so I wanted to further my career a little bit more in the government. And the way to do that, I thought, would be to branch out into a different field.

And growing up, I'd always been part of what is called the FIRST Robotics program. It was a program that was put together by Dean Kamen. He invented the Segway. These competition programs that I was in for, you know, 5, 6, 7 years. I watched my brother do it. And I think that enabled me a lot to...

[00:15:00] even hesitate when it came to, like, oh, what else could I do to provide more cool opportunities here in the government? Oh, well, I could go do cybersecurity. There was no doubt in my mind of, like, you're a woman, you're not capable of doing it. You know, thankfully, because I have been brought up in such an environment where I was seeing women do incredible things with science and technology and math and everything every single day.

Right. And so it was almost like a seamless transition of, like, okay, I'm just gonna go get my master's. I'm gonna focus on cyber policy and I'm gonna do this thing. Right. But once I got into cybersecurity, I actually didn't know what I wanted to do. It was one of those where you have the epiphany moment of, like, okay, it's not just enough to be in cybersecurity.

Like, what do you... the field is so wide, right. Are you gonna be red team? Like, did you buy a Flipper when it came out and you're practicing hacking and things like that, or are you involved in, you know, blue teaming, and you understand SIEM tools and, [00:16:00] you know, all those aspects, or is it more like policy, the GRC role, you know, the insider threat role, things like that.

So those are a thousand different jobs, right? Mm-hmm. There's so many different sub-variants there. And so fortunately I started with what I knew. What I knew was how to effectively communicate information. It was something I had to do day in, day out for various stakeholders of all levels in the government.

And so what I did was translate that into a position where I helped different cybersecurity teams document their procedures. Right? So a little bit of technical writing, a little bit of visualization and mapping out, whether it was vulnerability management or how we're, you know, following our PCI guidance, and, you know, helping out different teams. And it was honestly just happenstance. It was pure luck. And I know this does happen more often than not, but it was pure luck that I happened to be in a meeting. They had just hired the director to build out an insider threat program at one of [00:17:00] my first workplaces, and I thought, that sounds interesting.

I wanna know more about it. Sounds cool. Right? Yeah. It's like being an investigator. It's like, well, you know, I've always wanted to work for the FBI. This seems kind of cool, right? So, yeah. So, okay. And you approached her, him, and what happened after that? Yeah, so I asked her if we could just have coffee on a cadence, and so I could just kind of learn a little bit more about what this insider threat thing was, and the skills that you needed to be successful, and what you could expect, and all that kind of stuff.

So you were brave enough to take that step. Yeah. So you were brave enough to take that step and ask the person to be a mentor, which takes a lot, because a lot of people are nervous about being rejected and doing that. But I'll tell you, on the other end of it, it's very, very flattering, right?

Because I'm sure she's like, really, me? Like, I would love to help somebody, you know, younger in their career, like, learn some of the roles and [00:18:00] break in, because that's how, you know, as you get older, that's how we kind of measure our success: by the people that we've helped also achieve.

So, yeah. And that's really exciting. That's interesting. So that took bravery, and then she was receptive, so she was cool. Right. So you guys started having coffee and then she kind of explained the role. Yeah. And I just wanna say it's interesting that you called it asking her to be my mentor, because there was no, like, hi, my name is Stacey.

Would you be willing to be my mentor? Be my mentor, please? Yeah, of course not. It was just, and I think what made the relationship successful is that I was very clear about the outcome, right? Was that I was trying to decide whether or not I wanted to pursue this path or not. And I think the problem that we see with other people, or just the general advice of, like, go find yourself a mentor, is that people are reaching out and asking people to be their mentor without any clear [00:19:00] goal in mind.

Right. It's like, I just want you to help tell me how to be successful. And it's like, how can I? I couldn't, being on the other side, what do I do? I couldn't agree more. Yeah. I couldn't agree more. And especially, I mean, people are like, well, I've decided I'm gonna go into cybersecurity. I'm like, okay.

That's like saying I decided to go into business. Like, what does that mean? Like, are you gonna open up a cake shop? Like, what does that mean? Like that, are you gonna go work on Wall Street? Like, those are two different roles and they're both business, so it's like, what does that mean that you're gonna go into cybersecurity?

So, narrowing down, like, I'm interested in insider threat, in maybe investigating it or maybe, like, interviewing it, or creating policies on it. And then you can meet somebody that does that and see what they do on a day-to-day, weekly basis. What's a day in the life look like? And then decide, would you be happy doing that?

Right. So yeah, it's a lot less [00:20:00] overwhelming on the mentor side of things to be approached with very specific asks as opposed to a general, like, help me be successful. Because honestly, we do all want you to be successful, but with everything else that we are also managing in our own jobs, we don't have the time to put together a curriculum for you.

So we need very specific guidance as to what exactly, you know, you're looking to excel in, and we can help you in those targeted things for sure. Absolutely. So we have a good picture of where that's led you. Yeah. Tell us about the... you have two other kind of aspects that you've developed.

One is the Hacker and Heels, which is the one bringing females into the cybersecurity industry. And what is the other one? And I think I deleted it from my notes, so I apologize. Oh, Trade Secrets Network. Mm-hmm. Yeah. So what is that? Walk us through that. What is Trade Secrets? So the Trade Secrets Network, it started [00:21:00] as two relatively new colleagues.

I had just moved to New York City and I was trying to get connected with others in the insider threat community. And this individual I met at an event. And, you know, they were leading an insider threat program at another company, and I thought it would be helpful to get some perspective from, you know, another insider threat program manager, right.

So, oh yeah, I asked if we could go out and grab a drink. And when we were doing it, we had such a blast. We were like, we should invite more people. And so it just kind of grew from there, and it grew into this network of, you know, at the time, and this was pre-COVID, we would gather people together, invite other insider threat practitioners, and we would have the conversations that just weren't happening in the more formal, like, working groups, you know, other more institutionalized, you know, FS-ISAC or other gatherings, right?

Where you have a variety of different, a lot of different points in their program, and oftentimes the basic questions get asked over and over [00:22:00] again, and some people are kind of a little bit nervous to go for more of the hard-hitting questions of, like, what do I do if HR is not cooperating with me?

What do I do? Right? If I'm not able to get the indicators I need to conduct a full, thorough investigation, like, let's talk about that. We don't need to talk about which DLP solution we should be implementing. Like, we're already past that. We've already decided on that. We're already, you know, going on there, but like, these are the harder things that truly stall out our programs.

So one thing I always do on this episode is I always ask people to pause and explain some of the acronyms, right? So you said a DLP solution. So can you just explain for the listeners, because sometimes we have people that have engaged and reach out, and they are business owners of a manufacturing company and they're concerned about insider threats or something like that, and they might not even know what a DLP solution is. So can you just elaborate on what that is? Yeah. And DLP is a great one to kind of elaborate on [00:23:00] because, mm-hmm.

It is often seen as a stand-in for an insider threat program. So DLP stands for data loss prevention. And it's usually a tool or a collection of tools that help with how data is, you know, usually leaving your company, right? Where a lot of times it's focused on that egress. And so whether it is emails that are going out, whether it is, you know, files that are being uploaded to places like a Dropbox or, you know, a Google Drive or whatnot that may not be owned by the company. These are the tools that are helping to filter that traffic and figure out, is this for a legitimate, business-approved purpose, or is this something where someone is trying to send something of ours to a place that we don't agree with where it should go, or did it accidentally, right? Mm-hmm.

Okay, great. So, like, there's a lot of remote workers today, right? And they're working from home and they go to save some work document. They're working on a proposal for [00:24:00] something, it's a Word document. They go and save it, they save it on their own iCloud or their own Google Drive or something personal, 'cause they think, well, I might look at it on my iPad later tonight. Or something like that. That could catch that, right? Mm-hmm. A DLP monitoring for those anomalies would either block it, prohibit it, or at least alert on it. Right? Because I think that's, and some managed SIEM programs will also catch that.

I think some of those anomalies, if it's a certain size or whatever, but that DLP aspect is really key because that helps business owners or leaders protect against shadow IT, right? That whole user's not even knowing that they're jeopardizing their company, not intending to jeopardize their company, but they're just doing it out of convenience and they're saving things where they shouldn't be saving, not in a company-authorized drive or something like that.

Is that fair? Is that a correct [00:25:00] understanding? Okay. Cool. Yeah. All right. Yeah, I mean, the whole point of this podcast is for me to learn more. So this is helpful. Okay, good. And then what's the other... so you built up this network of these insider threat people that are in the industry.

You guys share stories, share insight, connections, things like that. And then has that evolved, or how did that become the other kind of passion project that you've... Yeah, so it definitely just evolved. You know, we had the events in person; when we reached COVID, we moved them to more of a virtual presence.

And then, you know, started to do a little bit of thought leadership too. There was a moment, though, where I kind of put it on ice for a bit because I myself was trying to figure out where I wanted to go with my career. Did I wanna continue to, you know, build that expertise in insider risk management, or did I wanna try to go for something different, broader, like a CISO role?

[00:26:00] Right? And so, you know, as we've been kind of picking it back up, the direction that I do wanna go with the Trade Secrets Network is to produce more thought leadership, to, you know, really kind of bring in all of these experts that I know are out there that have fantastic things to say, who could really provide a lot of information to business owners, our stakeholders in all the different roles.

Because it's not enough to communicate with our CISO. We have to be able to properly articulate the risks and the threats to HR, to legal, even working with our physical security, corporate security partners as well. And when you have to, you know, kind of get the message across to that many stakeholders, it benefits so much to have a diversity of thought leadership and bring in and communicate out, like, what's working and what isn't.

For that particular field, because right now with insider threat and insider risk especially, what we're noticing is we're [00:27:00] struggling, right? And we're struggling kind of back to the beginning question that you asked of where does insider threat sit? Right? Where does insider risk sit?

It's often sitting in cyber, and when you get in cyber, there's a bias against the practitioners. You are not capable and qualified to do employee interviews, to understand legal ramifications, because you are a cybersecurity person, and it's like, you're not part of the legal team, you're not part of the HR team. But a good insider threat team, an insider risk management program, will have a, you know, a diverse skillset.

You will have your forensic investigators, you will also have your counterintelligence people, you will have people versed in HR. And ideally you have a hub model. You know, you don't necessarily need, you know, these individuals to solely be insider threat practitioners. You'll need some of 'em to make the operations go.

But you should [00:28:00] have a designated person who is an expert on the HR side but understands the insider risk aspect of it to be part of those investigations. Same with legal and so on. And so it's just so important to educate. Yeah, absolutely. So where does, like, privileged access management come into insider threat?

Because I would think, you know, when, when we look at some of the, just some top of mind breaches that have occurred and we see 'em all over the news and, and they happen and they, they gain authorization, you know externally coming. They compromise somebody's access internally, but all of a sudden from that one designer or that one programmer, all of a sudden they're able to get to like source code or they're able to get to the financials and all of the, the, it's like inside the organizations aren't configured with any blocks at all.

Hmm. Where, where people don't have privilege, like, [00:29:00] you know, there should always be layers where, you know, you, you don't get to see these documents cuz you're not in this department. But why does this person over in that department able to full, have full access once they get in? Because if they use poor password management or whatever it is, and.

Somebody from the outside gains it, then all of a sudden without some privileged access management in place, they have keys to the whole castle that they really shouldn't have. I would think that same concern applies directly with insider threats. Absolutely. Absolutely. The distinction I would make is that your insider threat team, you know, while we investigate those incidents when they happen.

When it comes to the types of controls and policies and other mitigating type factors that you would wanna have in place to help you know, prevent or at least slow down, maybe something like that. That's w. We don't have a [00:30:00] say in that. Right. The best that we can do is try to implement You're involved in the own.

Yeah. Right. You're involved in investigating it, right? Mm-hmm. And saying, oh, they get access here. And then they were able, from that person's access the way it was configured, they were able to do this, and then you guys can make recommendations. That should probably be changed, right? Go look at something or some, you know, like reconfigure that, or you guys deal with that from a technical perspective.

Yeah, and we, you know, oftentimes we see too, it's, it's a case of they had controls in place, but at some point it either, you know, wasn't updated or stopped working or, you know, there was a, there was a gap in that validation of your tools. And if there's one thing that I would just want everyone to take away that I, like, I would put on a, you know, neon sign behind me.

It's validate your, Oftentimes it's, it's, we think we have a control in place. We think we have a safeguard, and lo and behold, something happens to where we realize, oh, that wasn't working like we thought it was. [00:31:00] Oh, yeah, absolutely. Yeah. I mean, I, I, I just, we were just speaking with a CISO who was involved in a breach and they had really good in outstanding MDR program and EDR program, but they had the configurations.

Wrong. Like they hadn't, they had made it like literally it was a button that hadn't been pushed. And it could have not only alerted them, but alerted in, remediated them like the issue, but instead they just hadn't done that. And that's exactly right. They hadn't validated the configurations. And a lot of times the teams aren't set up.

To be able to go back and do that work, right? Like, we're always concerned, we're always chasing the next threat, the next big thing. We're being pushed to go faster, further with less resources. And so validating your tools, going back and checking to make sure the door is locked six months later, who's got time for that, right?

Yeah. Who's got time for that, right? Mm-hmm. Exactly. It's not on somebody's radar. Mm-hmm. Yeah, that's, that's really [00:32:00] interesting. So insider threat, when we think of all of the. The threats to an organization's brand insider threat has hasn't, like the percentage of risk has been a lower one in my understanding, but it's growing in a great deal, and I don't know if that's from a lot more remote workers.

A lot of the job hopping that's been going on in the last year or so. I know there've been a lot of layoffs lately, but I mean overall, like are you seeing. What, what does the data, the, the macro view look like to you? Yeah. So even before the pandemic, we knew historically that, and, and the, the percentages fluctuate depending on which report you read, right?

Mm-hmm. But somewhere in the sixties to seventies, even as high as eighties you know, that that percentage of people would take something, something of, of a work product when they depart an organization. Mm. That [00:33:00] that was happening before the pandemic. You know, now in the, in, in the times that we're in now where we're seeing a lot of you know, strife and instability around job markets and people's employment and what you know, I think we're, we're potentially seeing and feeling an application of that one.

You know, because, because people are, you know, people are moving around so much, they are getting laid off and whatnot. And two I think that it's become a, a popular media talking point, right? So it's not necessarily that it wasn't happening before, it's just that I think we've picked up on a narrative as a society of this employee versus employer.

Narrative story going on right now, and as such, they're hooking onto you know, these cases as they're coming up. But it's always been there. It's always been happening and, but I do agree. And believe that we are gonna continue to trend, to see a shift of, you know, the inadvertent to the [00:34:00] intentional malicious insider, the more that we as a society you know, struggle to figure out what is you know, the best ethical relationship between you know, people in their workplaces.

Yeah. Yep. So I would take it then that culture plays a very strong role in insider. A huge role. I mean, I always re attribute it to like my goal as an insider threat PR practitioner, professional leading teams, whatnot. My goal is vigilance and loyalty. So the vigilance of being able to recognize.

Whether they themselves are experiencing stressors, whether someone is trying to influence them, trying to phish them, you know, trying to get them to act in some way that could be harmful to the organization, and then the loyalty that when those moments come up, They choose the be, you know, to not take that [00:35:00] action, right?

To go and, you know, report it to their security person, to, you know, not accept the USB device from the person meeting you at the casino in Las Vegas, which I'm referring to the Tesla employee a couple years ago to, to do the right thing, right. And again, it's, it's getting harder to do the right thing by employees with the way as we're seeing things going down recently.

Right. And so we need to, we need to try to, we need to recognize that, like, if we truly wanna get ahead of the insider threat we have. Be an organization that someone wouldn't want to do harm to, and that's really hard. Rather than, yeah. Kick left. Mm-hmm. Yeah. So in it gets to the heart of building a.

Security culture, right? Like a culture that is a positive culture and one that people care about the organization's brand that they serve, but also one that [00:36:00] has security interwoven into the fabric of that culture, right? Because we care, because we care about the brand. Security's interwoven into the fabric.

Yeah, because you know, you care about, Then I'm gonna care about you. It's the employee symbiotic relationship. Yeah. Mm-hmm. So let me ask you this the FBI recently released, well, recently in July or June released a warning about deepfake and about deepfake you know companies. They're seeing a drastic spike in organizations being fooled.

They're hiring a lot of remote workers. They're using DFA technologies to take these remote jobs. And then you don't have to hack the company, right? You just hired them and then they're inside and you're giving 'em access and they go in and while they're doing their job, they're also funneling data to someone else.

Are you got, are you in, in your roles or in your industry with your colleagues in insider threat? Are you seeing that? [00:37:00] Yeah, it's certainly a concern. And, you know, I think it, it comes down to two, two things. One is getting to know your mom. And, and it's, it's because there's been plenty of investigations where I'll ask for some context around an individual, like, how are they doing?

You know, how's their family? Mm-hmm. You know, can you tell me anything about this person and the manager can. They have right. Not made any attempt to try to understand who this individual is. So when you think of, you know, trying to, what do they like to do? Do they like boating? Do they like soccer? Do they go on trips with their family?

Are they outdoorsy? Do they have a crafting thing going on? Like, what do they do in, there's a disconnect between managers and employee. So trying to build that rapport could be a great you know, I'm not saying it's gonna prevent someone from being able to pull [00:38:00] something over someone, but it's a good way to kind of get a beat and get a feel about whether or not this is someone who is truly engaged and interested here, or perhaps has you know, a, a another goal in mind.

Right. So there's, that's one aspect of. The other aspect of it is something that has been talked about and in fact we had National Insider Threat Month back in September recently. Mm-hmm. And the, the theme of it was really around helping people develop critical thinking skills. Who, who would've thought, right?

Like, okay, we're gonna do an entire month on insider threat, and you think we're gonna talk about tools? Learning and monitoring, and instead we're actually gonna talk about why it's really important to help people you know, understand where they get their news from and how to properly vet a source and how to, you know, be able to tell whether or not they are being fed some sort of misinformation, disinformation, and whatnot.

Right? And so that is becoming you know, an even more prevalent part of our. [00:39:00] Evolving conversations around insider threat that, you know, a couple years ago we were very focused on the bad person thing and we've. Realize, like, okay, we can't take that approach. It's not healthy for anybody. We need to start figuring out how do we help people?

Like it's not, you know, when they do something, a lot of times it's because they've been pushed into a corner, right? And just for humanity's sake, you know, let's, let's be mindful of that and let's do the right thing by them, right? And, and try to, you know, help them out the best that we can. And now even further, we're recognizing.

It's not because again, they, they, they think they're doing right. They think that what they see, what they believe is true. Right? And so how do you help people better identify truth? And it's, it's a tall order, right? And then, then there's, there's a debate that maybe businesses have a responsibility in that.

And so it'll be, I'll be curious to see how that continues to. Absolutely. So before we be, before we wrap [00:40:00] up share with the listeners and viewers about your your initiative on with hackers and heels and, and getting females to enter the cybersecurity field, which still today, even though there's a lot of people trying to drive that is still predominantly.

Yeah, so Hacker and Heels, we help women launch and grow their six figure cybersecurity careers. Cybersecurity is a lucrative business. There is a lot of opportunity, there's a lot of need for talent, and especially a need for diverse talent that can bring in you know, and can represent the, the very types of people who you know, use.

Systems who Yes. You know, who are the hackers? Our hackers are just as diverse. You know, our cyber criminals are just as diverse as we all are. But also the people who use the tools on a day-to-day basis and are, you know, trying to secure our society or trying to use digital technology, we need those perspectives to be able to properly.

You know, implement security [00:41:00] strategies and capabilities that will land, right. That people will use, that people won't just you know, try to circumvent a control by sending it to their personal email or something. Right? By taking all those factors into account, that only comes when you you know, have people who have different lived experiences, right?

So I focus on women with hacker and heels and, and, and another important part of my mission is to help people along the entire. I don't wanna just show them the door to cybersecurity because the door is just the beginning. Just getting into the building. It, you're, you're still at the very start. And unfortunately there are a lot of barriers and landmines that will come up throughout a women's technology, technology career, cybersecurity career.

That can be really difficult and can really knock them out of the game. And we see this because you know, we see this in women leaving usually by 35. If they were started in tech, they will have left tech by 35. You know, the why is that tenure of keeping women around. Why is that? [00:42:00] It's, there's a lot of factors, but a lot of it comes down to, you know, your pay inequity, your you know, level of stress and discrimination, the microaggressions.

And, and just a lack of respect for you know, incorporating different ways of doing things, right? So, especially like when we take risk, for example, You know, oftentimes, and, and we see this in, in a multitude of different professions, right? And I think we can equate it, especially with like the financial sector.

Usually women take a more conservative approach when it comes to risk, right? And, and to bring it to cybersecurity, there's actually a study done around women and men responding to a cybersecurity incident. This is in the book In Security by Jane Frankland. And the study found that on average when something happens, men will just continue to do as they've [00:43:00] always done.

Right? So, oh, an incident happens. Shocking. Oh. We probably shouldn't have left the door open, but then they continue to leave the door open. Yeah. Shocking. Yeah. Women instead, well institute be, you know, change their behavior, put in new controls mechanisms to not Oh, really? Continue to do that. Right.

Interesting. Yeah. And so interesting. And so it can be really frustrating when you're a woman and we're over here trying to say like, Hey, we need, so the behavior modification. Yeah. So the behavior modification. Yeah. It, it, it seems there seems to be some trending along genetic lines that you're seeing, right?

Or, or along gender lines that, that are like the behavior modification doesn't occur as much in men as, and why do and female. Why is that interesting? I, you know, I attribute it to the fact that like, we as women have to live our, our lives on guard. We, it just, it's unfortunate, but it's, it's the truth, right?

There's plenty of factors out there, plenty of studies and things we can, we can cite [00:44:00] to around violence, against women around harassment and discrimination and whatnot. And so, you know, when it comes to having to have that protective mindset, I mean, you know, it, it's unfortunate that we have the advantage there, but let's make something of it, right?

Let's put it towards good use. Let's put it towards cybersecurity. Right, absolutely. So we will have links to the show notes to Hacker and Heels as well as the Trade Secrets Network and your LinkedIn information. So I encourage a lot of people to reach out to you and learn more, especially women that are looking to break into cyber.

Before we go though, I had a question in discussing insider threat and, and women that want to get in. You, you were talking about compliance and we're talking about risk. What, how does, where does insider threat the practice of insider threat protection? Where does that sit? In terms of GRC, because one of the great paths, if you're, if you're not, if you don't know code, [00:45:00] right?

You, you're not a coder and you don't know, like the, the, the SIEM tools or the, or the red teaming hacker, you know, code aspects, right? You can still get into cybersecurity. There's sales, marketing, management, operations, and then there's also GRC, which is governance, risk, compliance, and there's a whole host of roles there.

To me, it would almost seem like insider threat would fit right under there. Is that, is it part of it? Is it part of that curriculum? I can't say I've seen it with a GRC function, but that's not to say that that wouldn't potentially be a really good and appropriate place for it. Right? Because, you know, you wanna be in a, in a position where you can't be biased or you know, in a, with insider risk.

When you're dealing with people with privileged access, as you were talking about, those often sit in cybersecurity. They sit in cybersecurity, they sit in tech. Right? And so if you could put it over with a GRC function, you've got a little bit more of you know, autonomy to protect against any [00:46:00] sort of bias there, right?

Yeah. But what I do actually see for insider threat programs, if they are sitting within cyber. I see them more closely sitting with your incident response team somewhere within the SOC, within the security operations center. Got it. Yeah. Okay. Interesting. So, and, and, okay, that makes, that makes more sense, right given the curriculum, cuz I've seen, I've gone through a lot of the curriculum on the GRC as well as the CISSP.

I can see how it, it usually is in the SOC piece, but I'm just always curious when, when we talk to people in involves an insider threat, I would think there would. Like, they're so in integrated, especially the governance piece, right? It seems so, so integrated with insider threat and GRC. So I'm just curious how that model was shaped.

So I, I, I didn't know. So thanks so much. This was really interesting. I encourage everybody to reach out to Stacey Champagne. Really good help that you [00:47:00] guys do with helping people get into cyber and not only once they're. Right. But helping them move along, helping them overcome some of those challenges, especially challenges that are unique to females.

And we appreciate all that you do. Thanks so much. We really appreciate it. Thank you so much, David. Okay, great. Thanks. Have a great night. Mm-hmm. You as well. Hey, well that's a wrap. Thank you for listening. Our next episode starts right. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts.

To support our show and get exclusive pre-release episodes and bonus content, please subscribe to Cyber Crime Junkies Prime. Link in the description and show notes, and thanks for being a Cyber Crime Junkie.[00:48:00]