Join us as we dive into the world of data breaches and cybersecurity, as well as the alarming rise of phishing attacks using generative AI. Don't miss out on this informative and eye-opening conversation.
Guest: Tonia Dudley, Board Member and Strategic Adviser
On LinkedIn | https://www.linkedin.com/in/cybertonia
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
This Episode’s Sponsors
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
________________________________
Episode Description
In this episode of the Soulful CXO, Dr. Rebecca Wynn welcomes Tonia Dudley, an active board member and strategic adviser consultant, in managing incident response, security awareness, and IT compliance for large global organizations. She discusses the challenges in incident response, recent breaches, as well as her involvement in promoting information security best practices and education through organizations such as the National Cybersecurity Alliance and Women in Cybersecurity (WiCys).
________________________________
Resources
Women in Cybersecurity (WiCys): https://www.wicys.org/
National Cybersecurity Alliance: https://staysafeonline.org/
________________________________
Support:
Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo
________________________________
For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast
ITSPMagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
Letting Go and Trusting Your Team | A Conversation with Tonia Dudley | The Soulful CXO Podcast with Dr. Rebecca Wynn
Dr. Rebecca Wynn (00:01)
Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Tonia Dudley. Tonia is an active board member and strategic advisor consultant. Her prior roles include being VP, Chief Information Security Officer for Cofense and holding leadership positions, managing incident response, security awareness, IT compliance for large global organizations such as Honeywell and Charles Schwab.
She has served as executive committee member for the National Cybersecurity Alliance, where she worked closely with organizations such as the Department of Homeland Security and Cybersecurity and Infrastructure Security Agency, promoting information security best practices and education to organizations worldwide. She's co-president of Women in Cybersecurity, WiCyS, here in Phoenix. Tonia, it's great to see you again. Welcome to the show.
Tonia Dudley (00:56)
Thanks Rebecca, thanks for having me on your show. I really appreciate it.
Dr. Rebecca Wynn (01:01)
You have a very diverse background and you've been in many different sectors of our field, but how did you even get started to be in the cybersecurity field? How did that journey, what did it look like?
Tonia Dudley (01:14)
So I have a very interesting career journey where I started the first 12 years of my career in finance and always was very tech savvy in those finance roles and then had an opportunity to get onto a PeopleSoft project which helped me better make my way into IT.
And did probably another 10 or so years in IT. And then the last five years of IT, I was in IT compliance. So it was a great mix because it was when Sarbanes-Oxley had started up, you know, this nice SEC regulation, right? Sarbanes-Oxley that we all love to hate at this point. But with my finance and IT, it was a great mix for me to be able to blend both of those aspects of my experience and knowledge together.
And then, you know, doing IT compliance for five years, I'm like, okay, what's next? And that's when InfoSec was really starting to kind of pick up and be of interest. And then we had an opening when I was at Honeywell in the policies and standards group, and it was a lateral move. And I'm like, oh, this will be a good way for me to kind of figure out all the different aspects of InfoSec. I really didn't know much about it at that point.
And so I took that role and really did learn a lot because the policy standards group also kind of managed the exception process. So I worked closely with the security architects that sat right near me. And it was a few of them that said, why are you over there? You're technical. You should be over here on our side. But that was a little bit of a journey because then we had this incident that happened and I was able to help out with the remediation side. But then I got to see that incident firsthand and it was very eye-opening. And then I was tapped to do security awareness. And then I found a passion for security awareness. And because of my business background and all of the things that I've been able to see, it really did help me kind of take that tech speak and put it into terms that the business and the non-technical users could understand.
So that's kind of where I made my journey. And then because I had used PhishMe and Cofense products for so long, then when I was getting ready to make a move, they're like, hey, why don't you come work for us? And so that's where I spent the last five and a half years of just helping customers with their programs, whether it's their security awareness or incident response. And then the last year of that being able to take on the CISO role was great because then I got to take all of my experience, right? And then now turn around and help build out their InfoSec program. So I know that was a long, windy road and I think many of us have those kind of windy roads, right, because there's never, even when I was in finance, I only stayed in a role for a couple of years and then I would kind of excel at it and then be bored. And as a high performer, you're constantly moving throughout your career, right, into different things and just being open to what is next, right, allowed me to then go into treasury or accounts payable or financial planning and analysis, right? So just learning all the different aspects of a business. And I think all of us can benefit from just starting at that ground level, right? And kind of inching our way forward.
Dr. Rebecca Wynn (04:44)
I agree with you. I've been in several different sectors myself. I intertwine quite a bit in government services, technology, healthcare, financial services. And there are certain people out there who don't get it. They think you need to be in one vertical. But when you go ahead and so many companies are combining with other companies that having people who are more, I would say hybrid in their career, that they've had several different verticals experience, I think it helps them. And then we all have something in common. We're analysts at heart.
Tonia Dudley (04:51)
Yeah.
Dr. Rebecca Wynn (05:14)
and we pick up new information very quickly. So when people are only fearful of a new regulation, they don't need to be, because the analytical skills that we bring to the table and the communication that we bring really makes it more worthwhile for them to go in and hire people like us to do that.
Tonia Dudley (05:27)
Yeah.
Right, because it's our skills that we learn, right? You bring your experiences and we can always learn a new skill, right? Whether it's a new program language or writing an SQL query, right? Those things are teachable, you know; learning how to get along with people and being flexible and collaborating. Those are the things that are harder to teach.
Dr. Rebecca Wynn (05:55)
You have a big background in incident response. And one of the things that you hear all the time is, humans are the weakest link in incident response as well as phishing, right? That's a type of incident response. But I've heard you speak before in a lot of your writings, you don't necessarily agree with that, that the humans are the weakest link in the chain. Can you explain to us your point of view and how we should probably think about that differently if we do believe that the human is always the weakest link?
Tonia Dudley (06:22)
Yeah, so I'll just start with one of the things that I always used to tell the SOC analysts who would get, who would say that, you know, okay, that user, and I would remind them, you have your job, but you also don't know how to do their job. You don't know how to write a journal entry or write a legal agreement or write a job description, right? So we need to remind ourselves that our business users have their day-to-day job.
And we're kind of trying to force them to also pay attention to the security aspect of it. When oftentimes when you look at a lot of the incidents, right, there is usually a technology aspect of it along with the human, right? And so, yeah, sometimes it's a behavior thing and just getting people to understand now that we're in this day of, you know, everything is technically focused, right? To just, yeah, there's some things that we still need to do, right? But then it's also embracing what it is that they do and then also finding ways to come alongside their process to help guide them in the path to do it right. One of the things that I did early on when I was doing awareness was we had blocked, or not necessarily blocked, but our firewalls had an uncategorized, you know, way to put a banner up that says the site is uncategorized, you know, do you really need to go here?
It was basically the acceptable use policy that was on that page. And then down at the bottom was a little button that says, go ahead and click here if you really need to go there. So I had the SOC team pull some stats around how many times people are clicking through that. You know, what do the stats look like, the metrics? I wanted to have like a baseline of how many people are clicking through. I redesigned that page to have a learning moment on there, a little video about what happens when you go to those, you know, uncategorized websites that are new, because that's what threat actors do, stand up those sites, right? And then a way for them to go and register that site with our site categorization vendor that we were using. And then tell them to wait: once you get that email back and it's categorized, then you can proceed. But if you have a business critical reason that you need to get to that page now because maybe a conference site just got stood up and there's a small window that you need to register, right?
Go ahead and click there, but then come back and still register the site. When we did that, then we saw a dramatic drop in people actually clicking through to that. Because oftentimes those links in that phishing email are taking you to a phishing site, right? So if they're clicking that link because they don't know, we can't say hover anymore because of our wrappers that try and isolate the page.
then we saw a huge drop in people's behavior. So I like to use that example because there's a lot of times that we can look to see, how can I disrupt the user's process to do it the right way? Or maybe there's just, you know, understanding what it is their business requirements are, right, as a security architect meeting with the business to see how can we make this technology secure or some configuration that we can do, or what do we need to do to help the user so it shouldn't be on them to always look for, am I doing this securely?
Dr. Rebecca Wynn (09:47)
One of the things I hear quite a bit, especially even with my consulting is our GRC department is not listening to what we need to do from an engineering standpoint, networking standpoint. One, to go ahead and meet business needs for what we have to produce, so that affects marketing and all that stuff too. But also, why you keep asking us all these requirements without any context.
Tonia Dudley (09:55)
Mm.
Yeah.
Dr. Rebecca Wynn (10:15)
How do you get around that communication? I know for me, part of it is really have to educate the GRC people, what does it really mean to run within the business? But how do you suggest people do that? Because that goes into the human communication. Once they go down, one side is going to do whatever they want and obviously GRC is going to be very frustrated in their processing.
Tonia Dudley (10:39)
One of the things that I always like to start with is just meeting with people, right? Coming alongside them and understanding their process, what's their pain points. And actually when I took on the CISO role, one of the things that I looked at was, okay, we get all these third party questionnaires that come into us, right? As being a vendor.
What are the top things that we see that people are asking us to do? And it was disabling USB drives. So then it was meeting with the team to say, okay, how can we do this and not impede the business? So we set up a process, let people know that we're going to let the leadership know that we're going to disable them. 'Cause if you just tell everybody, then they're going to freak out, right? 'Cause everybody needs to have everything. And we only had two things that came in, and one was the only legitimate business reason; the other one was they were doing something that they shouldn't have been doing. So I think when it comes to the GRC team, really coming alongside them, and I met with my compliance team regularly to understand, okay, what are some of the pain points that you're dealing with, whether it's the regulations, GDPR, or the risk assessments, or the frameworks that you're following. So what are the things that we need to really pay attention to?
And then risk rate those, right? What are the high priority things that we really do need to address? Or what can we figure out? Is there a compensating control that we can put in place to help with that? So we still meet the control that's required, and not have to totally strangle the business from doing the thing that they actually need to do to make the revenue, right?
Dr. Rebecca Wynn (12:20)
How do you deal with business where you're saying, oh, we'll just throw it on the risk register and then I'm like, you just have this huge risk register and nothing's ever being addressed. I'm sure that's happened to you before. How do you advise people to handle a risk register more responsibly?
Tonia Dudley (12:34)
So we always had a mandate that when we had our security exceptions, they weren't forever. They were, you know, you had a year to figure out how to fix that exception. Right. So you have to put some time bounds around that and then making sure that you have a routine to regularly review those things and understand, okay, we're never going to fix this thing because it would cost us too much and you just have to document that. But you still have to come back to it routinely, right? Like quarterly, semi-annually, annually, to say, has anything changed in the technology landscape that we could mitigate that, or do we still just need to recognize that this is a risk, but the business is the one that needs to understand that they are the ones that own that piece. Right. The security team doesn't own it. The IT team doesn't own it. The business is the one who champions why they need that functionality. Right.
Dr. Rebecca Wynn (13:29)
I know one of the things that I've done is always tied into an enterprise risk management COSO or framework or something similar like that. And then when you look at the risk register, a lot of times it's just a listing, but really using those categories to list where they are. And if you're doing global, where they are globally as well too. And then that should be part of your regular reporting and your KPI into your compliance meetings or something similar like that. Do you recommend that too? And if so, do you have a different type of metric you might keep that people might be able to go ahead and do that. I know that's what I did. I did it by location. I did it by what type of services application and then to get the bigger bang for the buck, tie that into the contract and how that can put a potential contract or an existing contract revenue in jeopardy because you're not resolving that. Tying it into the business.
Tonia Dudley (14:16)
Yeah, no, I totally agree with that concept. And then just making sure that you have routine meetings with senior leadership, right? They need to understand the impact because maybe it's not bubbling up to them that this is a problem, right? Maybe the teams are trying to deal with it on their own without actually getting the support of management to back that, whether it's from the business side or the technology side, right? So those are always not contentious discussions, right? They're not always easy to have, but, I mean, what we're seeing right now with SEC and all the things that are bubbling up with when do we report, how do you define material, all those things, right? So it's really getting everyone on board with understanding that language. Yeah, we could go on about that.
Dr. Rebecca Wynn (15:04)
You know, today a lot of CISOs are spinning out a job, getting a new job. It's one of those things where it used to be, ah, you're staying 18 months, two years, whatever. And a lot of times people are spending out nine months and 12 months, maybe because they're like, this is not the culture for me. Sometimes it's because there is downsizing. And for some reason, our departments seem to take the hit immediately versus other departments. But what do you see out there in the market when you talk to other CISOs as well too?
I know that a lot of people are frustrated right now that it seems like we're becoming CISO light squared. So it's, you know, we were like trying to get onto the executive boards where they could take us seriously. And it seems like to me that we're shifting majorly to left and it seems like almost every day it gets more than that. Maybe not Fortune 500, maybe not Fortune 1000 companies, but a lot of the startup smaller growth companies, it seems like we're not taken as seriously anymore. What are your viewpoints or what do you see?
Tonia Dudley (16:00)
I would agree. I feel like the CISOs that have been around for a while, that are more seasoned, right? They've been doing this for a while. I think they are getting to the point of burnout because of those same politics that, you know, not being able to get the things done that they need to be able to get done, not having the budget, you know, being scrutinized for the same, you know, everybody needs to cut their budget 10%, but we just added these things, right? But these things keep us secure. So it's always having to justify why you need those additional expenses. Where that CISO role reports, we're starting to see that shift a little bit too, which can also help with those conversations. So moving out from IT into some other, either legal, I've even seen it in finance, right, where we start to get a little bit more visibility into the real risk to be able to have a conversation that's not buried in the technology stack. And I think that, yeah, we were making good progress with having, you know, smaller companies start to add that CISO role and now with all of the dynamics shifting as far as, you know, what we saw in the last six months of last year with all the cuts in technology, everyone's, you know, really trying to scale back, transformation is happening. It's really impacting the security budget overall. I think there's a lot of just frustration in the community right now.
Dr. Rebecca Wynn (17:35)
Yeah, I think one of the reasons for that too is there's several businesses out there that like almost it appears where it's growth at all costs. And when they talk to us as consultants, they're like, you know, how can we work you into the cost model? And you're like, wait a minute, we're really more on revenue retention and revenue acquisition. That's where I see myself as more of that trust officer role instead. Because if you only talk about growth and you want to do growth at a very, very fast
Tonia Dudley (17:44)
Yeah.
Dr. Rebecca Wynn (18:04)
A lot of times we're not built in to be able to do all the checks and balances that we need to do to be responsible to make sure that we're meeting regulatory requirements, legal requirements. And also then when people are trying to acquire new business that we can go ahead and we can, they always ask us as CISOs, you know, what is the security posture and are you willing to sign off on it? And you're like, not if they're deploying everything every night without telling me, it's hard for me to go ahead and sign off or we have to sign off on a hundred percent secure at all points in time.
where you might be deploying that's 85% or whatever, 90% baked, knowing that you're gonna go ahead and do a reiteration in three days. How do you suggest people deal with that or is that the frustration you also see out there?
Tonia Dudley (18:33)
Yeah.
I think that's some of the frustration. And then we just, if you look at a lot of the major breaches that we had last year, right, with MOVEit and Okta, like those, you know, producers are going after those technology stacks now, right, because they're trying to still make their way in. And so you have to also remind the business that it's a brand reputation as well when it comes to a breach, you know.
We used to always talk about that and we kind of lost our way with kind of bringing it back to what's the impact of the brand. And I think when you look at even the IBM cost of a data breach, right, there's lots of great content in there to show that impact of what happens with a breach. MOVEit was pretty disruptive last year, right? That was impacting a lot of businesses and I think then Okta came along and then that was impacting some and we saw the MGM and others that also were dealing with that same breach.
Dr. Rebecca Wynn (19:45)
Not everybody in our audience is in technology. They listen to this because we have leadership in core values and resiliency and health and wellness. Can you explain a little bit about those breaches and why it's so important for not only companies to understand, but people at large to understand how really not making really great security and governance risk compliance decisions actually affects you as a consumer.
Tonia Dudley (19:48)
Okay, so the MOVEit breach. So MOVEit is a platform that organizations use to securely move files back and forth between organizations. I was at a couple different companies that used it, so I was very familiar when I started to see it pop up. What the threat actors were able to do was leverage a vulnerability, so they were able to get access to anyone who used that platform and be able to then take out copies of their data and hold that for ransom. So they started with going after a few companies saying, hey, we have your data. And then it took a little bit of time before they realized, oh, they've breached MOVEit. And so then MOVEit came out and said they had a patch and then I think a couple more patches. But in the meantime, the threat actors had already stolen a lot of data that they were just, you know, trickling out a little bit at a time and then, you know, every couple of days it'd be a new company that would be...
And what else, where are we going to go with that? So that was a really big impact. So when I first took on the role at Cofense, one of my, you know, the top things that we always talk about is identity access management. How do you manage that? How do you manage onboarding, offboarding, identities, whether it's users or service accounts or any type of account to access your environment, because that's what threat actors...
Dr. Rebecca Wynn (21:12)
Um...
Tonia Dudley (21:37)
like to get a hold of and be able to reach, right? To be able to get some of these credentials, now they can move around as a normal individual user without being detected. And then vulnerability management. So patching, having a regular patch cycle. I was in an environment that would take 60 days before patches would get rolled out, which, that's a long time, right? When we see threat actors, they're usually, those vulnerabilities usually bubble up because somebody, either a researcher found it or a product was leveraging a vulnerability within the software or a product. And then asset management, so knowing all of your assets. So those are usually the top three things that are most forefront on anybody's security program. If they can start to whittle those things down, then maybe we can make some progress.
It's always the threat actors are usually going after credentials, which they do that. When I was at Cofense, 60% of the phishing emails that we saw were credential, right? They want to be able to get those credentials because now they can log into the system, but they also deploy malware that then leverages those vulnerabilities to be able to execute some type of code to be able to make their way in. So maybe they don't need to have a credential, but maybe they can install some malware that can leverage a vulnerability, like MOVEit, right, to be able to get access into your systems, to be able to take that data out. So those are typically what we see when it comes to vulnerability. And so when those happen, especially the MOVEit one, it becomes very noisy because the threat actors want everyone to know like, hey, I hacked this company, I'm holding them ransom to make them pay. So the noisier they are with that attack, then the more likely that the organization, in their mind, is going to pay those millions of dollars to be able to get them to not expose their data. So when you see those, then that's where it really becomes, you gotta have your PR and your comms team really involved with that crisis management and incident management to be able to, when do you tell people who, what, when, and there's regulations that say, well, you have to notify people in X number of days, depending on what state or country or region that you're in.
Dr. Rebecca Wynn (24:04)
And that goes back to really business continuity and people forget that incident response really has to go on business continuity. Because one thing is about your contracts, your contracts also tell you the order that you have to report and how you need to report things, right? You might have FBI and things like that as well. And it's amazing how many companies I talked to and I said, you know, where's the analysis of your contracts where each of the contracts really says, this is who we have to contact, here's the order to contact. And they're like, what are you talking about? I'm like, you expect somebody to go read 3000 contracts because now you have a potential data leak or data breach. Data leak is internal where you might have internal people who see the information they shouldn't, which can be reportable at certain times; data breach issues, at least that it's gone outside the network. But those are both types of incidents as well too. So that is interesting when we talk about that. So the other thing is people are probably gonna see in the news, if they haven't already looked at it, is when people are like, hey, I'm trying all these phishing for you guys and now with generative AI, even though I can write it to seem a lot more like your people because now the spelling mistakes are gone, if I can't do it that way, people do announce that I have a brand new job or there's other websites who grab it, you have a new job, that now you're working for this company, here's your email, let me do cross checks on that with all these data brokers, let me grab where I know where you live, let me grab your phone number, and now let me go ahead and send you the text messages to try and get you to do something, impersonation, or if that doesn't work, how about I threaten your family to go ahead and give me your passwords? We're seeing that quite a bit now too.
Tonia Dudley (25:41)
You saw that with the Okta breach, right? Where MGM, I'm sorry, MGM, it was related to Okta, but what they did is the threat actors figured out who was in their help desk. They then were able to use social engineering to get their way in, right? So sometimes a breach isn't always technical.
And then you have to look at what's your processes. You know, does your help desk actually talk to somebody? Last week I was dealing with that same exact breach. And so I asked him, so what have you done to your help desk process, right? To adjust for now, what do I need to do to really authenticate somebody? And it was literally, they had to come into the office. Like that was their, okay, we got to figure this out, because, you know, we need to make sure we know who we're giving access to, especially if you're in critical infrastructure industry and you really need to protect your assets.
Dr. Rebecca Wynn (26:39)
Yeah, it's scary out there because a lot of times we're doing the same thing about, don't communicate with anybody. We can see your phone, we can see what you're doing. Don't communicate with anybody. So you do need another channel that the people can go ahead and communicate. This is what's happening. So if you're a company out there and your business continuity, when you're training people, what do they do when they go ahead and they get a text message or they get something else on their personal system that it seems to be that someone says,
Tonia Dudley (26:52)
Mm-hmm.
Dr. Rebecca Wynn (27:08)
hey, we're either blackmailing you, or something along those lines. What is another channel outside their phone to go ahead and contact you? Or if it's on their system, what is another way? Just think about that. A lot of people are mixing the two. You're using your home system. Maybe you're using it because you have a VDI or a phone that way. They're gonna need another way to communicate to you somehow that this is going on behind the scenes.
Tonia Dudley (27:27)
Mm-hmm.
Yeah, and those are things that you need to set up ahead of time, right? With doing your incident tabletops and even doing your practice, you know, practicing that whole process, right? To know that, okay, we need to have a different avenue, communication channel. Like you said, finding that third party that it's very minimal who even knows about it, because you also don't want the threat actor to know that you're also using that other mechanism.
Dr. Rebecca Wynn (28:04)
With all the stuff that is going on and all the different areas as a CISO or people who are in our leadership positions that we have to watch now, it's very easy to go ahead and basically even if theoretically we're not at work, we're still mentally 24-7, seems to be we have a hard time turning it off. What do you do for your resiliency to go ahead and keep some sort of balance so when you do have an incident, more likely than not, you're going to be on your A game?
Tonia Dudley (28:19)
Yeah.
You know, making sure that you're still taking downtime. I had someone ask me, how do you make sure that your team is still fresh? Right. So you have to make sure people are rotating, that they're taking their time off. I had a director who was in the UK, but I needed him to take that time off. Right. So making sure that your team is taking their PTO so that they're getting recharged because at the end of the day, if everyone's drained then you're not going to be productive as a team.
And then just making sure that, I think some of us get a little insecure, like, I got to do this, and learning to let go a little bit, that you have a team that can help you and that you help each other, and not trying to strong-arm all of it yourself, right? That you can lean on each other to help get through the moment instead of trying to just take it on.
Dr. Rebecca Wynn (29:25)
Well, our time has totally flown by. I wanna thank everybody for tuning into the show today. Please like, subscribe and share the channel. Be sure to go ahead and pick up the Soulful CXO Insights newsletter. And Tonia's information will also be in the description to scroll through that as well. Tonia, thank you so much for being on the show. We appreciate all of your inspiration, your insights and your wisdom.
Tonia Dudley (29:27)
Thanks, I appreciate it.