How do major financial institutions manage their enterprise security strategies and innovation in 2021? We talk with Dr. Alissa Abdullah, Mastercard's Deputy Chief Security Officer, to learn about cybersecurity strategy, emerging threats such as spear phishing, and the adversary of the future. She also explores issues around talent management and building partnerships for the security ecosystem.

As Mastercard's deputy chief security officer, Dr. Abdullah leads the Emerging Corporate Security Solutions team and is responsible for protecting Mastercard’s information assets as well as driving the future of security. She is also the host of the Mastering Cyber podcast.

Prior to Mastercard, Dr. Abdullah was the chief information security officer of Xerox where she established and led a corporate-wide information risk management program. Dr. Abdullah also served as the deputy chief information officer of the White House where she helped modernize the Executive Office of the President's IT systems with cloud services and virtualization.

Transcript

This transcript was edited for length and clarity.

Introduction

Michael Krigsman: We're speaking with Alissa Abdullah. She's Deputy Chief Security Officer of Mastercard.

Dr. Alissa Abdullah: It has been so long. Feel free to call me Dr. Jay. I still go by Dr. Jay.

Michael Krigsman: Dr. Jay, the last time we spoke, you were the deputy CIO of the White House.

Dr. Alissa Abdullah: Yes. That was under President Obama, so it's been a few years and I was, I think, early on in my career at that time with the White House. At that time, I was responsible for modernizing White House technology, Camp David, and Air Force One. There was a lot to do to modernize the infrastructure and I was there, right there on the ground ready to do it.

Michael Krigsman: Now, a quick thank you to Productiv, a SaaS management platform that unlocks the power hidden in your SaaS applications to bring you higher ROI, better team collaboration, and lower license costs.

What is the Deputy Chief Security Officer Role?

Let's catch up to today. You're Deputy Chief Security Officer at Mastercard. I think we all know what Mastercard does but tell us about your role.

Dr. Alissa Abdullah: I share, kind of tag team, with our chief security officer Ron Green. I am his deputy, and so what I am focused on is really emerging, the emerging side. I'm really looking at what do we want to do to fight the adversary of the future.

I think the adversary is going to show itself in a lot of different ways. We all are already looking at cloud, but I think the new side of the future is not really new, but how are we attacking identities when you have identities as part of the metadata? I'm not going to get too granular into this, but when you have identities attached with metadata, it creates a lot of intelligence, a lot of intelligent data.

I'm really looking at identities and how can we make our identities easier. How can we build passwordless? How can we implement zero trust? All of those things are things that we want to do and how do we do them in the right way so that we are being very, very proactive?

Adversaries of the future

Michael Krigsman: It's interesting that you talk about the adversary of the future as opposed to stopping security threats today. Maybe make that distinction for us.

Dr. Alissa Abdullah: Just like you have a technology innovation, forward-looking component of your company, you have to have the same thing within security. Our adversary today, we know what they're looking for. We have an idea. We know the spear-phishing scams and emails. We know what we want to look for. We know the level of sophistication.

The adversary of the future is going to infuse more AI. The adversary of the future is going to infuse a lot of different things that we may not be tracking right now from an everyday perspective. While we have teams right there on the ground looking at what's going on now, preventing, protecting, detecting kind of what's going on now, there's got to be a team that looks at what's happening in the future.

The adversary of the future, what is that person going to look like? What is that group going to look like? Are they going to use quantum computing? Are they going to use user behavior analytics as we do? Are they going to use our user behavior analytics and our data links that we've created?

Michael Krigsman: That's a core part of your focus, looking to the very broadest range of security threats going forward, essentially.

Dr. Alissa Abdullah: Yes. Yes, and how do we put ourselves and create an infrastructure and platforms that will be agile? I hate using that word, agile, because it's so overly used at this point, but it really describes what I'm saying. It really describes the fluidity that I want and an infrastructure or some type of architecture so that, as things happen, we can pivot.

We're right now in a great example of that. The great example is COVID. Were your networks agile enough, had you infused enough resiliency so that when something happened you were able to pivot and pivot quickly? If you were thinking of the future and thinking in terms of resiliency, we would all be in better positions or would be prepared, which a lot of companies and a lot of organizations, definitely Mastercard, were.

It kind of gives you some perspective. When I say the adversary of the future, it may not necessarily be the adversary. It may be the catastrophe of the future. It comes in a lot of different ways.

Security skill sets and talent

Michael Krigsman: What are the kind of skill sets, because it sounds like this is broader than the narrow definition of security or cybersecurity that we think of? What are the skill sets that come into play here?

Dr. Alissa Abdullah: We need skillsets from all around. We have, right now—and I think I'm tracking the right number—in 2020, 507,000 unfilled U.S. cybersecurity positions. Five hundred and seven thousand, that is a lot and that's just in the U.S. Of course, the global numbers are much, much more. I'm that leader that says, really, to fight the adversary, you need a creative mind, just like you need a technical mind, just like you need a scientific mind because all of those things give you a different perspective.

The adversary does not necessarily have a degree in cybersecurity. Okay? Let's all be honest and be real about that. The adversary comes up in different shapes and forms. It has a lot of creativity in how they are attacking us.

There's a lot of synergy around a lot of the different tools and platforms and things that we are thinking and the type of brainpower that you need. I really encourage creative minds, technology folks, and scientific folks, if you have a passion for figuring things out and undoing things. We figure things out and undo things in a lot of different ways, but we need all of those different ways included in our organizations.

Michael Krigsman: The challenges that you face in your role, thinking about these various present and future actors and what they're going to do, and maybe they're kids, and maybe they have engineering degrees, or maybe they don't.

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: How do you start to approach all of this?

Dr. Alissa Abdullah: I don't think my past is any different from my present is any different from my future in terms of what I've seen. I think that's the connective tissue that I bring and that I talk to organizations about. The things that I saw happening on the networks at the White House are the same things that I've seen happening on the networks of Fortune 500 companies.

The threats may look a little different. The tools may look so slightly different. But really, the methods and the thought processes that the adversary is using are all the same. That's why a lot of times I say we need to have strong partnerships and entertainment, you know.

I was really good friends with the CISO at Sony. I was really good friends with the CISO at Stryker. I'm really good friends with CISOs everywhere, as I think of all of us in this bigger community, as big as the world is, as small as it is. We have to have all of these partnerships.

You find the synergies in the pockets of really what's going on and you realize the similarities and the things that you've seen before. True cybersecurity experts know what to look for and sometimes it is a needle in a haystack, but you have to keep hunting and you have to keep looking.

You have to keep looking for, as I like to say, the moonwalking bear. You've got to look for the thing that everyone else is not looking for because the thing that everyone is looking for is the thing that the adversary might have put there to distract you from what you really need to be looking at.

Michael Krigsman: It's this kind of cat and mouse chess game of intellects between you and the adversary.

Dr. Alissa Abdullah: It is, but my goal – you never say that it's 100%. You never say, "Oh, this place is going to be 100% secure and I guarantee there's not going to be a breach."

My goal is always to make it so difficult, if you think about it in time as money. We use that phrase all the time, "Time is money." If I make it take so much time it's not worth the money, he moves on to a competitor or someone else, then I'm good to go. We should all be thinking of how much can we put, what are the defenses we can put in place so it just takes so much time and so much effort, "You know what? Forget it. I'll move on to someone else."

Cybersecurity challenges

Michael Krigsman: What would you say are the largest challenges in this very kind of diverse set of problems that you're facing?

Dr. Alissa Abdullah: The technology tends to not be the biggest challenge. We tend to be the biggest challenge. People tend to be the biggest challenge. People tend to be the biggest challenge because they have big hearts and the adversary knows how to pull on our heartstrings.

I remember years ago. Unfortunately, sometimes, these spear-phishing attempts or now vishing attempts are still relevant. But I remember years ago, the adversary would say, "Oh, you know, this is your best friend and I'm lost in Africa," or "I'm lost in some other country. Please send millions of dollars." It would pull on our heartstrings because that was the first time that we'd seen it, not because we actually believed or thought it through enough, but the adversary knows how to pull on our heartstrings, and our heartstrings, I think, are our weakest link.

The technology, we have so many tools in place. We have so much that we have done, we as in Mastercard, we as in cybersecurity professionals and organizations. There are so many different defenses that we've put in place and depths of defense that we've put in place. Inevitably, it only takes one person to click on a spear-phishing email, something that tugs on your heartstrings.

You probably have gotten these emails with angels flying and, "Please click on this link," and it's some chain letter or whatever. Who knew back then that those were a type of spear phishing or spam emails? But that's how it kind of really all started.

How to fight spear phishing

Michael Krigsman: Very briefly for folks who don't know, what is spear phishing?

Dr. Alissa Abdullah: If you think of it in terms of the sport, spearfishing, you take a spear, you throw it. Let me say, I'm not a spearfisher. I'm not an expert fisherman, so please do not tweet that I said something crazy about spearfishing, the sport. In its basic, basic form, you take a spear and you throw it in the water. You hope for the best that you get a fish and you won your prize.

You referred to it earlier as a cat and mouse game, but a lot of times it's really a Trojan horse game. The adversary is sitting and waiting and will wait until the right moment.

Michael Krigsman: Explain that, the Trojan horse game.

Dr. Alissa Abdullah: When you say cat and mouse, I think very active. A cat is always reaching, reaching, reaching for the mouse. When I say a Trojan horse game, they sit. If you think of the original, the Greek mythology, the story of how the Trojan horse came in, the Trojan horse game is, I'm going to come. I'm going to sit and, at the right moment that I prescribe as the right moment, I'm going to show myself and do mass destruction.

That's kind of what we're seeing now in how cybersecurity or the adversary has really evolved. The adversary comes into our networks, sits, waits, observes, learns, gathers. Maybe he doesn't do anything at all until they don't agree with something that you've done and then, all of a sudden, kaboom, your whole network is encrypted or something like that. That is really the Trojan horse game.

Michael Krigsman: It sounds like a lot of this is psychological. There's this psychological dimension between you and the adversaries that you're facing.

Dr. Alissa Abdullah: It is. I think it is, which is why I go back to saying the technology is not the difficulty. The adversary knows how to pull on our heartstrings, how to psychologically convince us that this email really came from our CEO and we're all going to be part of this secret acquisition. Please click on this email and transfer all this bitcoin.

We all have this urge to do the right thing and to do the right thing for our companies, and so that's why it's easy to say, "Oh, wow. The CEO wants me to do this and we want me to be a part of this. Let me find out more. Let me investigate it a little bit more. Let me click." That's the psychology around it. It really comes to us all wanting to have – us foundationally having good intentions.

Michael Krigsman: It's interesting, Dr. Jay, that you say that technology is really table stakes.

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: It's just the basics. That kind of surprises me a little bit because we think about security as being very technology-driven.

Dr. Alissa Abdullah: You don't really hear me saying we have a technology shortage in cybersecurity. We have a personnel shortage in cybersecurity. I keep saying, I believe—and I think I speak for most of my CSO peers—that we have budgets, constraints, goals, and things like that.

We get what we need, for the most part, to get done. I say for the most part because I'm speaking for all CISOs, what we think and how we think. We get what we need to get done.

A lot of times, just depending on your organization, you get more than what you need or you get an abundance of what you need. It depends on how you present that in that budget.

You never hear us saying, "Oh, my goodness. We have a shortage in technology to fight cybercrime." No, we don't. We have a shortage in talent to fight cybercrime and there are a lot of initiatives that we have put in place and partnered with other companies to put in place to help with that.

That's why it's really more of a personnel, psychological, and talent issue, and pretty much a marketing issue as well, because there are a lot of people who think it's really technology-oriented when you can use your creative mind. But that's why we've kind of put all of these different initiatives in place to help us move forward with talent and grow our talent in different areas.

Assigning responsibility for security and data breaches

Michael Krigsman: We have a question from Arsalan Khan. He says, "Security is important, highly important. Should companies be held criminally liable for data breaches when it's found that, for example, they didn't apply patches?" He's asking where do you point responsibility when something happens.

Dr. Alissa Abdullah: I don't think there's any company that has the intent of doing wrong. I don't think of us as big companies or Fortune 500 companies or small and medium-sized businesses. Everyone in this cybersecurity game puts their best foot forward.

I think we look at risk, we look at risk consumption, and we look at risk tolerance in all different ways. There are so many different layers to that, it's hard to say, "No, you should be criminally responsible." You can't make that type of blanket statement. I think you have to take risks into consideration and what the risk tolerance of each company is or what each group or each organization is.

There are always opportunities within the company and within the year to say, "Oh, it's time to throttle what our risk tolerance is." That's something that I think all companies went through with the onset of COVID. Everyone was working remotely. Now we have to take a look at our risk. What type of risk do we want to take now with everyone working remotely? Is our tolerance greater? Is our tolerance lower? Do we move our standard or now is the right time to bang-bang-bang on spear-phishing and making sure people know you're going to be targeted even more? Things like that.

I think you have to put the risk component in. You can't just answer that question yes or no. It's not really black or white. You have to add the risk component in as well.

Michael Krigsman: Certainly, different companies manage this better. Some companies seem to have a greater propensity for breaches and other types of security incidents than others.

Dr. Alissa Abdullah: I think that's an easy perspective to have on the outside looking in. On the inside looking out, there are initiatives in play. I think what I will say is, I think we as technologists, in general, tend to run towards the shiny object. We tend to want to implement the newest widget and there have to be people in your organization that say, "No. Wait a minute. We've got foundational things that have to be done. We've got password resets."

Unfortunately, there are organizations that still have passwords or have not moved to a passwordless environment. We're doing a lot of different things. We've set up a lot of different ways. If you have passwords in your environment, you have to reset your passwords and have a good, strong password policy.

You have to turn off ports that aren't being utilized. You have to use robust authentication and think about how you verify that an employee is where they are and who they are and doing what they're supposed to be doing.

There are a lot of checks and balances that have to be done internally, and so you can't lose sight of the basics while you're trying to kind of catch what's the newest AI thing that's happening, what's the newest shiny widget. I feel strongly that it's not an issue of, "You are responsible. You should be held responsible."

Cybersecurity, I'm not going to make it sound like it's easy. It's not. It's hard. It's harder in some places than it is in other places. It's harder at some companies than it is at other companies. It's harder based on whether you're regulated than if you're not regulated. It's so many different layers that you can't shoot the spear and say everyone should be doing blah-blah-blah and it should be just this way. There are just so many different components.

Michael Krigsman: The table stakes aspect of the technology or, could we say, the operational excellence aspect of security is having your firewall in place, the right ports. There is a whole litany of things.

Dr. Alissa Abdullah: Absolutely. If you look at the past breaches in the past six, seven months, or maybe three years, what was missing—and I'm not going to dig deep into this—a lot of times we miss the basics. A lot of times we miss just basic things that needed to be done and make sure that you have the bowtie very tight before you move onto the next thing.

A lot of times, these things are iterative too. We have to constantly look at how are we handling passwords? How are we handling vulnerabilities? Are you closing all of your critical, high, medium vulnerabilities? Do you have a plan for the low vulnerabilities? Those are things there; that's an iterative process that can't be rocked.

I talked to you about this at the very beginning. I look at the future and what the adversary is going to be doing for the future, but there's a large part of our organization that looks at what we're doing right now and make sure there's no hole in our iterative processes that have to be continuously done and put in place.

Operational excellence and security

Michael Krigsman: I love it when we get questions from Twitter and we can have this dialog. The questions that come from Twitter tend to be great. Arsalan follows up and he says, "Where is the security boundary of an organization since a breach at the ISP can affect you? Vendors who use your intranet can compromise you? Nowadays with employees working at home, we've heard the phrase a thousand points of light. Now we have a thousand endpoints that are insecure."

Dr. Alissa Abdullah: That's right. This is an end-to-end conversation. When I say end-to-end, there is no end. The end starts inside of the organization. The other end keeps going and going and going. At one point, we thought we'd have this nice little cute, little network perimeter and we can control everything and keep everything inside. That is gone. Those days are gone.

Arsalan is right. In the cloud with the ISP, they are on home networks. Really, it is not. I keep saying this. It is not an endpoint; let's find the endpoint and secure the endpoint. It really should be a data security strategy. Let's secure the data. Let's figure out how to put the right wrappers around the data and, I think I mentioned this earlier, make it less intelligible.

You've got identities attached with data and it's moving all through the network. You've got intelligent pieces put together. Once you start stripping away those different pieces of the metadata from the data, now you have unintelligible and it's encrypted. Now you have an unintelligible glob of goobly-goop. [Laughter]

Michael Krigsman: That's a technical term, I assume.

Dr. Alissa Abdullah: A technical term. I coined it, goobly-goop. [Laughter]

Michael Krigsman: You've got your firewalls configured properly. You have the operational aspects managed. Why is this primarily a human problem and a cultural set of issues and how do we deal with that?

Dr. Alissa Abdullah: A couple of different things. There are two sides. There's the human problem and I'm talking human in terms of talent. We don't have enough talent. Then the cultural problem. The talent that we have, we all need to make sure we have a cyber aware culture. There are certain things that we do and we've gone a step further when we talk about a cyber aware culture.

Aside from spear-phishing email campaigns that we do that I love, the escape room, we have an escape room. This is pre-COVID. We had an escape room set up where you lock people into a room. They have to solve the puzzles. They're racing. It's a race of the clock of how you get out of the room. It was based on phishing and some cybersecurity terms and thoughts that we think our culture should be taking into consideration. That's just like the human culture side.

On the talent side, I mentioned earlier, we have 507,000 unfilled U.S. positions. We have the cyber talent initiative, which I think is amazing. We just kicked off the first cohort. We have nine cybersecurity leaders, graduates from various colleges, and what happens is they are spending two years at a government organization. We have a lot of partnerships with this. This is CIA. This is FBI. This is DOD. This is Department of Energy, Department of Homeland Security.

They spend two years. I know I'm leaving out a whole host of other federal organizations, too. I don't want to, but the list is long. They spend two years at those government agencies. Then they're invited to participate and work with the initiative's partners, which are Microsoft, Mastercard, and Workday – great companies to be at. We're inviting other companies to join us in that initiative as well.

After they do those two things, after they're invited to work for those companies, $75,000 of their student loans are paid off. I wish! [Laughter] I wish something was like that when I was young, in my youth, and looking for how I was going to pay off my student loans and things like that. Seventy-five thousand dollars of student loans being paid off after two years in government. You're bringing in government service. Now, you're bringing in your private sector service. You have a resume built for success and less debt.

There are things that other companies, just like us, are doing to make sure that we have the talent side in place. It's two sides. There's a talent side and there's the culture side.

Partnerships and the talent ecosystem

Michael Krigsman: You've got partnerships and you think about talent in terms of an ecosystem.

Dr. Alissa Abdullah: Absolutely. We re-emerge as different beings or we will resharpen our pencil and go through each of these different organizations, right? We have careers. There are plenty of people who have longstanding careers at a company and there are plenty of people where you grab from one company. Someone moves to another company, but we all kind of move around. That's just how technology is.

We believe the richness of it is in those experiences where we are helping people to expand their depth and breadth. I think, by giving them government experience and I listed some very good and very hefty organizations, along with a long list of others, as well as our partnerships, our initiative partnerships, I think just sets you up for success in whatever you want to do and however you want to play this moving forward.

Let me just go ahead and do a quick plug. Anyone who is interested, whether it's a government agency, whether it's a corporate partner, or whether it is someone else who wants to be a part of the next cohort, go to cybertalentinitiative.org. I think we're taking applications now in our next cohort. The applications are due November the 13th.

Michael Krigsman: The other part of the human equation, as you were talking, is developing—I think you said—a cybersecurity culture.

Dr. Alissa Abdullah: Cyber aware culture. Let me just go a step further because now I'm on your podcast. I'm going to plug my podcast.

Michael Krigsman: [Laughter]

Dr. Alissa Abdullah: I have a podcast called Mastering Cyber and it's 60 seconds of cybersecurity, 60 seconds of cybersecurity tips, terms, and topics. It's really easy stuff like the best way to not get scammed at a gas station is to use contactless payment. I tell you what to do in 60 seconds and you're done. You moved on to now Michael's CXOTalk and can listen to his podcast. [Laughter]

Michael Krigsman: [Laughter]

Dr. Alissa Abdullah: Listen to what's going on there. But when I talk about cyber aware culture, there are things that we have to do in our businesses that are just basic foundational things that we, as a culture, as people, now, just as we know to lock our front door, just as we set our alarms when we're leaving the house, there are things that we should be doing at home to help protect ourselves because, in actuality, as we help protect ourselves, we think about it in our companies, whether we're in a cybersecurity job or not. If we're in finance, if we're in human resources, it'll be top of mind.

How to build a cyber-aware culture?

Michael Krigsman: How do we create this cyber aware culture and mindset?

Dr. Alissa Abdullah: We have monthly spear-phishing emails and everyone can throttle. I've been in organizations where it's done quarterly. We do it every month because that message comes from the top down. We have to have a cyber aware culture.

Our spear-phishing campaigns have become very, very unique and they have become competitions across the company where different leads or different parts of the organization kind of brag, "Hey, I didn't have as many that clicked," or "My click rate is better than yours," or "My report rate that I've reported a spear-phishing email is better than yours." We've added a gaming and competitive aspect to it, which generates the camaraderie within the organization but, actually, increases the learning and engagement. Right?

I think when you take it away and strip it away and say, "Hey, here's your annual cybersecurity training," that kind of waters down. In some ways, it can water down the message and just become click-click-click to the end of the training. When you infuse engagement, when you infuse that camaraderie and that discussion and have it as a regular discussion in all-hands meetings and in different casts whether it's a podcast or whether it is a webcast and have it as a topic of conversation, now you're infusing a security-aware culture.

Another thing that I know companies are doing is having security champions implanted within the organization; another great way of having a security-aware culture. When you have these security champions planted within the organization, everyone is not waiting to come to security, right?

You should not be waiting to come to security. Security should be right there in the midst on the ground with the knowledge and the expertise in your dev organizations ready to help you make decisions so that you are really developing security at the speed of innovation. I think that's kind of the message that we always put.

Let's develop security at the speed of innovation. Let's do security by design and security by default. Let's infuse that in the organization. There are other ways that you really have now just some ideas to throw out there to have a cyber aware culture.

Michael Krigsman: Does it work? Do these efforts pay dividends?

Dr. Alissa Abdullah: Absolutely. Absolutely. Absolutely. We've been doing these types of things at Mastercard for a while. We just kicked off our security champions program, which is the infusion across the dev organizations.

It absolutely works because you know what? Here I go back again to the talent shortage. Now, I'm expecting a lot of other technology experts to really learn. If you're going to learn development, you should learn development securely. You should learn to secure by design and secure by default. That now takes a lot of the burden away from the corporate security organization and infuses it right there at infantry. The infantry, the command, those who are on the front lines. It infuses it right there to those who are really doing the touching of the computer, the nuts and bolts of all the development.

Michael Krigsman: We have another question from Twitter, another interesting one. This is from @CXOTalk. Lizbeth Shaw, it's a great question. She says, "Earlier, you mentioned resilience. What do you mean by resilience and what kind of resilience are you looking to achieve?"

Dr. Alissa Abdullah: I'm going to take it from the perspective of our bodies. Our bodies are very resilient. We fall down. We bleed a little bit. A scab will form and you heal.

When I'm looking at resilience, what have you put in place to either make your organization resilient to things that are going to happen, make your architecture and infrastructure resilient to any type of penetration, not that penetration is not going to happen? Penetration is going to happen but your organization is resilient to it or your infrastructure is resilient to it and can push it out.

We get these immunizations when we're infants. The flu. Flu season is coming up. Everyone is going to get the flu vaccine and we're hoping that it infuses the antibodies into our systems, into our bodies so that if we get attacked by the flu, it will push out and we won't get sick.

I look at resilience in the same way. We put all of these controls in place. We have done the right things in terms of risk. We know, when I say in terms of risk, we know if it gets cold outside and we don't put a coat on, we may get sick. Okay?

In our networks, we know that there's a certain amount of risk that we want to take and a certain amount that we don't. We've done enough to put the controls in place so that if something were to happen, we've got the antibodies already included in our networks that will push everything out, that will not allow the adversary to penetrate.

I don't want to speak of the adversary as if it's some spooky Halloween thing. It can be even, I will just say, someone from the inside who mistakenly clicks on something or, "Oh, my goodness. I didn't know I had access to this file," right? We put the right security controls in place so that we're resilient against things happening whether they're on purpose or whether they're by mistake.

Michael Krigsman: Are these controls technology-based? Are they human-based? Give us a concrete sense of it.

Dr. Alissa Abdullah: Yes. Yes, these controls that I'm talking about would be technology controlled. But of course, on the human base, that's the cybersecurity aware culture. That's the human side of it.

You have technology controls in place. You have access management rules in place where, hey, if I have a folder that popped up on my desktop, well, maybe I wasn't supposed to have access to that folder. If I double-click it, oh, I didn't have access even though it showed up. Those are those technical, hard things that we have to make sure we put in place. I say hard things to put in place only because, as the network grows and grows and grows, and as your capabilities grow and grow and grow, you have to put your arms around the entire thing.

That's the challenge of cybersecurity. You have to put your arms around the entire thing.

Michael Krigsman: Another question from Twitter. Very, very quickly, where do you see the links between security architecture and enterprise architecture?

Dr. Alissa Abdullah: I think it links like this. It's got to be one hand clasping the other. Not one hand watching the other. Not one hand holding the other. It's one hand clasping the other.

We are deeply embedded within our enterprise architecture because there is nothing that can be done from an enterprise architecture perspective that you say at the last minute, "Okay, now that we have an enterprise architecture in place, let's include security." No, it just doesn't work like that unless you want to redo your enterprise architecture. [laughter]

The path of least resistance is to be included, is to have this inclusive environment where we're all in there syncing together, design thinking together. You have your enterprise architects thinking from an enterprise perspective. You have your IT architects thinking from one perspective. Then you have your cybersecurity architects adding the security by design, security by default. You have all of that infused together.

Michael Krigsman: As we finish up, can you give us two, three pieces of security advice based on your very broad experience?

Dr. Alissa Abdullah: I keep saying the technology is not the hard part. It isn't. The people are the hard part. Number one, let's make sure we all have a cyber aware culture.

When I say a cyber aware culture, we're feeding them the right things. We can overdo it; we can overdo it, people, and no one is listening. Based on your organization and your culture, you give them the right amount of information at the right pace and they will suck it in, consume it, and help your organization be resilient.

Then from the technology side, we can't forget the basics. We can't forget the basic things that have to get done. We can't forget the compliance checks that have to be done while we're trying to innovate because then it undoes, it just really unravels innovation when your basic things are not done.

I think there are just really two big things. There's the technology piece and the talent piece or your organization, people perspective that you have to put in place.

Michael Krigsman: Any advice for individuals to not get caught in a spear-phishing campaign?

Dr. Alissa Abdullah: Sure. Don't click. Don't call. Don't. I don't even answer my phone. If you want to reach me and call me, call and leave a voicemail. I will call you back. [Laughter] I will decide whether I'm going to call you back. I don't answer unknown numbers just like I don't respond to unknown emails.

You can't take things at face value. You've got to look at the email. Did Michael Krigsman actually send me this email or does it look like it came from him? Was this his email address? You know what? If I'm still not sure, guess what? I can call you, Mike. I can call you and say, "Hey, did you send me that email?"

We've lost that. We've lost the aspect of, I can actually pick up the phone and call my friend and say, "Hey, did you actually send this to me?" We can't lose that aspect.

Michael Krigsman: It is pretty extraordinary, these days, how authentic some of these fake emails get.

Dr. Alissa Abdullah: Oh, they're absolutely authentic, which makes them more sophisticated, right? They're easy to fool us. We see emails at the beginning of the year that say, "Hey, it's time to renew your laptop. It's time to refresh your laptop. Send me your laptop," and gives the address.

I see emails that say, "Hey, it's time for benefits enrollment. Click on this email and put in your name and social security number to renew your benefits."

They know the business rhythms of your company. They know the things that you know and love. They know the things that you want to buy off the Internet. [Laughter] These spear-phishing emails come in from a lot of different levels of sophistication.

Michael Krigsman: I'll just tell you very quickly one that I received – actually, a letter. We have a copyright, I'm sorry, trademark for CXOTalk. You need to renew it, I think, between the fifth and sixth year. I received a letter that looked authentic, 100% complete, except it was a year early.

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: And the address was different.

Dr. Alissa Abdullah: Right.

Michael Krigsman: The only way that I knew – and who knows, like five years later, after you've registered a trademark? Who knows?

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: You don't remember when the exact date was. The only way that I knew is I just had a funny feeling about it, so I went to the U.S. Patent and Trademark Office and looked it up and I discovered this. But I mean I was astounded.

Dr. Alissa Abdullah: Yeah, and you know what? It really causes us to be more protective of our data or really know. You know what I mean? Before, I would say, years ago, I didn't have notifications on my bank account. I was like, you know, I'll check my bank account. I will budget. I'll look in every now and then when I get the receipt from the ATM and it says this is how much I have. Well, that's pretty much it.

Now, I have notifications turned on. I know where every single penny comes out. My husband will make a withdrawal and I'm like, "What are you doing?!" [Laughter] You know? It's like, okay, I know every single thing that comes out because now we have to be responsible for our data. We have to be responsible for what we have and what we know.

Just like you, you knew, "Wait a minute. Something sounds off about this date. Let me look into this." You've got to know. You've got to be more aware now.

Michael Krigsman: All right. Well, Dr. Jay, thank you for spending so much time with us today and sharing your knowledge with us.

Dr. Alissa Abdullah: Absolutely. It's been fun. It's been so much fun catching up with you.

Michael Krigsman: Everybody, we have been speaking with Dr. Jay. She is Deputy Chief Security Officer of Mastercard.

Before you go, please, please subscribe to our YouTube channel and hit the subscribe button at the top of our website. We look forward to seeing you again next time. We have great shows coming up. Next week, we're speaking with the chief operating officer of Dropbox. Take care, everybody. See you then.


Our spear-phishing campaigns have become very, very unique and they have become competitions across the company where different leads or different parts of the organization kind of brag, "Hey, I didn't have as many that clicked," or "My click rate is better than yours," or "My report rate that I've reported a spear-phishing email is better than yours." We've added a gaming and competitive aspect to it, which generates the camaraderie within the organization but, actually, increases the learning and engagement. Right?

I think when you take it away and strip it away and say, "Hey, here's your annual cybersecurity training," that kind of waters down. In some ways, it can water down the message and just become click-click-click to the end of the training. When you infuse engagement, when you infuse that camaraderie and that discussion and have it as a regular discussion in all-hands meetings and in different casts whether it's a podcast or whether it is a webcast and have it as a topic of conversation, now you're infusing a security-aware culture.

Another thing that I know companies are doing is having security champions implanted within the organization; another great way of having a security-aware culture. When you have these security champions planted within the organization, everyone is not waiting to come to security, right?

You should not be waiting to come to security. Security should be right there in the midst on the ground with the knowledge and the expertise in your dev organizations ready to help you make decisions so that you are really developing security at the speed of innovation. I think that's kind of the message that we always put.

Let's develop security at the speed of innovation. Let's do security by design and security by default. Let's infuse that in the organization. There are other ways that you really have now just some ideas to throw out there to have a cyber aware culture.

Michael Krigsman: Does it work? Do these efforts pay dividends?

Dr. Alissa Abdullah: Absolutely. Absolutely. Absolutely. We've been doing these types of things at Mastercard for a while. We just kicked off our security champions program, which is the infusion across the dev organizations.

It absolutely works because you know what? Here I go back again to the talent shortage. Now, I'm expecting a lot of other technology experts to really learn. If you're going to learn development, you should learn development securely. You should learn to secure by design and secure by default. That now takes a lot of the burden away from the corporate security organization and infuses it right there at infantry. The infantry, the command, those who are on the front lines. It infuses it right there to those who are really doing the touching of the computer, the nuts and bolts of all the development.

Michael Krigsman: We have another question from Twitter, another interesting one. This is from @CXOTalk. Lizbeth Shaw, it's a great question. She says, "Earlier, you mentioned resilience. What do you mean by resilience and what kind of resilience are you looking to achieve?"

Dr. Alissa Abdullah: I'm going to take it from the perspective of our bodies. Our bodies are very resilient. We fall down. We bleed a little bit. A scab will form and you heal.

When I'm looking at resilience, what have you put in place to either make your organization resilient to things that are going to happen, make your architecture and infrastructure resilient to any type of penetration, not that penetration is not going to happen? Penetration is going to happen but your organization is resilient to it or your infrastructure is resilient to it and can push it out.

We get these immunizations when we're infants. The flu. Flu season is coming up. Everyone is going to get the flu vaccine and we're hoping that it infuses the antibodies into our systems, into our bodies so that if we get attacked by the flu, it will push out and we won't get sick.

I look at resilience in the same way. We put all of these controls in place. We have done the right things in terms of risk. We know, when I say in terms of risk, we know if it gets cold outside and we don't put a coat on, we may get sick. Okay?

In our networks, we know that there's a certain amount of risk that we want to take and a certain amount that we don't. We've done enough to put the controls in place so that if something were to happen, we've got the antibodies already included in our networks that will push everything out, that will not allow the adversary to penetrate.

I don't want to speak of the adversary as if it's some spooky Halloween thing. It can be even, I will just say, someone from the inside who mistakenly clicks on something or, "Oh, my goodness. I didn't know I had access to this file," right? We put the right security controls in place so that we're resilient against things happening whether they're on purpose or whether they're by mistake.

Michael Krigsman: Are these controls technology-based? Are they human-based? Give us a concrete sense of it.

Dr. Alissa Abdullah: Yes. Yes, these controls that I'm talking about would be technology controlled. But of course, on the human base, that's the cybersecurity aware culture. That's the human side of it.

You have technology controls in place. You have access management rules in place where, hey, if I have a folder that popped up on my desktop, well, maybe I wasn't supposed to have access to that folder. If I double-click it, oh, I didn't have access even though it showed up. Those are those technical, hard things that we have to make sure we put in place. I say hard things to put in place only because, as the network grows and grows and grows, and as your capabilities grow and grow and grow, you have to put your arms around the entire thing.

That's the challenge of cybersecurity. You have to put your arms around the entire thing.

Michael Krigsman: Another question from Twitter. Very, very quickly, where do you see the links between security architecture and enterprise architecture?

Dr. Alissa Abdullah: I think it links like this. It's got to be one hand clasping the other. Not one hand watching the other. Not one hand holding the other. It's one hand clasping the other.

We are deeply embedded within our enterprise architecture because there is nothing that can be done from an enterprise architecture perspective that you say at the last minute, "Okay, now that we have an enterprise architecture in place, let's include security." No, it just doesn't work like that unless you want to redo your enterprise architecture. [Laughter]

The path of least resistance is to be included, is to have this inclusive environment where we're all in there syncing together, design thinking together. You have your enterprise architects thinking from an enterprise perspective. You have your IT architects thinking from one perspective. Then you have your cybersecurity architects adding the security by design, security by default. You have all of that infused together.

Michael Krigsman: As we finish up, can you give us two, three pieces of security advice based on your very broad experience?

Dr. Alissa Abdullah: I keep saying the technology is not the hard part. It isn't. The people are the hard part. Number one, let's make sure we all have a cyber aware culture.

When I say a cyber aware culture, we're feeding them the right things. We can overdo it; we can overdo it, people, and no one is listening. Based on your organization and your culture, you give them the right amount of information at the right pace and they will suck it in, consume it, and help your organization be resilient.

Then from the technology side, we can't forget the basics. We can't forget the basic things that have to get done. We can't forget the compliance checks that have to be done while we're trying to innovate because then it undoes, it just really unravels innovation when your basic things are not done.

I think there are just really two big things. There's the technology piece and the talent piece or your organization, people perspective that you have to put in place.

Michael Krigsman: Any advice for individuals to not get caught in a spear-phishing campaign?

Dr. Alissa Abdullah: Sure. Don't click. Don't call. Don't. I don't even answer my phone. If you want to reach me and call me, call and leave a voicemail. I will call you back. [Laughter] I will decide whether I'm going to call you back. I don't answer unknown numbers just like I don't respond to unknown emails.

You can't take things at face value. You've got to look at the email. Did Michael Krigsman actually send me this email or does it look like it came from him? Was this his email address? You know what? If I'm still not sure, guess what? I can call you, Mike. I can call you and say, "Hey, did you send me that email?"

We've lost that. We've lost the aspect of, I can actually pick up the phone and call my friend and say, "Hey, did you actually send this to me?" We can't lose that aspect.

Michael Krigsman: It is pretty extraordinary, these days, how authentic some of these fake emails get.

Dr. Alissa Abdullah: Oh, they're absolutely authentic, which makes them more sophisticated, right? They're easy to fool us. We see emails at the beginning of the year that say, "Hey, it's time to renew your laptop. It's time to refresh your laptop. Send me your laptop," and gives the address.

I see emails that say, "Hey, it's time for benefits enrollment. Click on this email and put in your name and social security number to renew your benefits."

They know the business rhythms of your company. They know the things that you know and love. They know the things that you want to buy off the Internet. [Laughter] These spear-phishing emails come in from a lot of different levels of sophistication.

Michael Krigsman: I'll just tell you very quickly one that I received – actually, a letter. We have a copyright, I'm sorry, trademark for CXOTalk. You need to renew it, I think, between the fifth and sixth year. I received a letter that looked authentic, 100% complete, except it was a year early.

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: And the address was different.

Dr. Alissa Abdullah: Right.

Michael Krigsman: The only way that I knew – and who knows, like five years later, after you've registered a trademark? Who knows?

Dr. Alissa Abdullah: Mm-hmm.

Michael Krigsman: You don't remember when the exact date was. The only way that I knew is I just had a funny feeling about it, so I went to the U.S. Patent and Trademark Office and looked it up and I discovered this. But I mean I was astounded.

Dr. Alissa Abdullah: Yeah, and you know what? It really causes us to be more protective of our data or really know. You know what I mean? Before, I would say, years ago, I didn't have notifications on my bank account. I was like, you know, I'll check my bank account. I will budget. I'll look in every now and then when I get the receipt from the ATM and it says this is how much I have. Well, that's pretty much it.

Now, I have notifications turned on. I know where every single penny comes out. My husband will make a withdrawal and I'm like, "What are you doing?!" [Laughter] You know? It's like, okay, I know every single thing that comes out because now we have to be responsible for our data. We have to be responsible for what we have and what we know.

Just like you, you knew, "Wait a minute. Something sounds off about this date. Let me look into this." You've got to know. You've got to be more aware now.

Michael Krigsman: All right. Well, Dr. Jay, thank you for spending so much time with us today and sharing your knowledge with us.

Dr. Alissa Abdullah: Absolutely. It's been fun. It's been so much fun catching up with you.

Michael Krigsman: Everybody, we have been speaking with Dr. Jay. She is Deputy Chief Security Officer of Mastercard.

Before you go, please, please subscribe to our YouTube channel and hit the subscribe button at the top of our website. We look forward to seeing you again next time. We have great shows coming up. Next week, we're speaking with the chief operating officer of Dropbox. Take care, everybody. See you then.