Host Tanya Janca learns what it's like to be a PhD, S-CISO, CISSP, AND the Head of Cyber Risk Consulting at Marsh Singapore! She's also a leader for WoSEC Singapore, has run many security events such as CTFs for girls and women, and so, so much more. Join us to listen in! https://twitter.com/m49D4ch3lly
Thank you to our sponsor ThreadFix!
Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security.
Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field.
Tanya: Welcome to the We Hack Purple podcast, where each week we meet a new and extremely interesting guest who is a member of the information security industry. This week we have Magda Chelly, my friend of many years and also a PhD, CISO and the Head of Cyber Risk Consulting at Marsh Singapore. This week something exciting also happened: our sponsor for this episode, ThreadFix, which is powered by Denim Group, got acquired. Oh my gosh, congratulations to all of our friends at ThreadFix and Denim Group. We are so happy for you; here at We Hack Purple we had a little happy dance for you, and I mean it from the bottom of my heart, you deserve every success you have. But without further ado, I want to talk to Magda, don't you? Let's bring her out. Hello!

Magda: Hi.

Tanya: Welcome. Good morning, good afternoon. It's morning for me, but it's afternoon for you.

Magda: Tanya, I'm so excited to be here.

Tanya: It's fantastic. I'm really happy to have you here. I haven't gotten to see your gorgeous smiling face in months. It has been maybe even over a year; we haven't had a Zoom call in a really long time, since maybe this winter. And you look fantastic.

Magda: Thank you very much, Tanya. Well, I can't even say when it was, because in Singapore the weather is the same most of the time, so I don't even know if it's winter, summer or spring. It all looks the same.

Tanya: Oh my gosh, the weather in Singapore. For people listening who haven't been to Singapore: basically, Magda gets to live in paradise. It's amazing, it's beautiful. The last time I was there she took me to this restaurant, and we had the most amazing food with all these amazing women. It was incredible. So she gets to live in paradise, and I live in Canada's version of paradise, Vancouver Island. We still have to have winter, though, because it's Canada.

Magda: Yes, that's true. I was about to say the weather is for sure slightly different. What do you get, minus 30 degrees Celsius in winter, something like that?

Tanya: We are way different than the rest of Canada, but we do still get some snow. We don't get super cold like Ottawa, where I'm from, but we still get snow. So it's nothing like Singapore, but we can aspire. But I'm not supposed to talk about the weather, and I'm not supposed to talk about how you live in paradise. I was wondering if you could... oh yeah, I also forgot: I'm Tanya Janca, I'm your host. Apparently I keep forgetting to introduce myself. I'm the host, no one cares, everyone wants to know the guest. But could you please introduce yourself and tell us a little bit about you and about your amazing long title?

Magda: Sure, thank you so much, Tanya. So I am Magda Chelly. I'm based in Singapore, currently leading the cyber advisory for Marsh Asia, the whole region. From my background, and I think very quickly I would like to bring that up, I come from a very diverse background. I have origins from Poland and origins from North Africa, Tunisia in particular. I lived in five different countries before settling in Singapore, which is like my home now and a lovely place to be, like Tanya said, paradise. So I'm really happy to have had this opportunity. In terms of education, I have a PhD in telecommunication engineering that I obtained a long time ago, and this was followed afterwards by specializing in cyber security. I have had all types of roles and jobs across Tunisia, France, Qatar and other countries, and landed here in Singapore, as I mentioned. So it has been a very varied journey, a very interesting one. I had to learn a lot and also evolve as a professional and as a person in general during my journey. So this is a quick overview, Tanya, of my profile and what I have done.

Tanya: Seriously, I know you did way more than that, but anyway. [Laughter] So you're an S-CISO. Could you explain what an S-CISO is, and then after maybe explain what the... let's start with S-CISO. What does that stand for?

Magda: Well, first
of all, just to clarify on the certifications and my specialization in cyber security: I started, as I mentioned, with telecommunication engineering, and telecommunication engineering basically includes as well everything that is programming and general information security. So it was really a fascinating journey around migrating to and adopting cyber security in my career. Now, when it comes to the S-CISO in particular, it's a certification that is not very... it's actually a Certified Information Security Officer that comes from the SECO Institute, and it basically is more of an information security management certification that helps to achieve a little bit more business and risk focus, rather than just technical cyber security.

Tanya: I think I was thinking of vCISO, virtual CISO, because you have done that role, right?

Magda: Absolutely, I have done that, and I think one passion of mine is to help businesses understand their cyber risk, and because of the different roles that I have had in my career I found myself really good at that. Of course I ended up being a virtual CISO for various companies and advising them on their cyber security strategy and roadmap, how to address it in an efficient and cost-effective manner, because obviously we can't imagine a company reaching 100% security. And a lot of the time that was as well a topic that was very interesting: how to ensure that the company understands that, but at the same time builds the right capabilities. So my vCISO experience was in my previous life; now I'm actually just advising more the CISOs or the business stakeholders in the companies. It has been very valuable for me, because that experience in particular helped me to see so many different maturities, so many different ways of deploying cyber security, working through it, understanding it, or even addressing cyber risk as a whole.

Tanya: Oh my gosh, okay. So I actually really want to talk about cyber risk, because we've had 40... I think you're episode number 40, which is kind of awesome, and we haven't had anyone that's talked about risk yet. So could you tell our audience, or tell me, what cyber risk is, and then maybe why it matters?

Magda: Yeah, Tanya, it's a great topic. When you discuss with the company, and when you discuss the topic of cyber security with business stakeholders, if you start bringing terms that are technical jargon, or rather bringing risk as a threat... so for example, you won't go to a CTO or CEO of a company and tell them, "Oh, ransomware is your risk," because they don't understand what the consequences are, and what the danger or harm to the company is if that happens and materializes. So basically, by addressing cyber risk, every time you need to link it to the matters of the company, to what really is important for the company, to the business risks, and then you define how this cyber risk can materialize. Within our community in particular, very often there is this real focus on the technical aspect of cyber security. Well, not everyone is a cyber security professional, right? And not everyone understands technical jargon or even cyber threats. So it's really, really important to simplify that, have a message that is clear, and never assume that someone else knows even basic, fundamental concepts. I'm diverting a little bit from cyber risk, but just to give an example: when we run a lot of cyber awareness, commonly you use and say "phishing," but I actually realized that a lot of people don't even know what phishing means, even today, and this applies in different regions. So, coming back to cyber risk: it's extremely important when discussing with business stakeholders not to focus on the technical jargon, but to simplify and link it to the business and the business risks as such. The other aspect that is also extremely interesting, and I think this is really a passion of mine, like I've gone full research into the topic, and
it's something that is very, very interesting, is cyber risk quantification. We do cyber risk assessment, and everyone talks about it in a traditional way: you define your risk as high, medium or low, or with certain colors. But that doesn't allow an objective visibility or understanding of the financial losses following a cyber attack for a company. So quantification will help to calculate the financial losses following a cyber attack, and that will include costs like the business's loss of profitability, loss of market share, employee overtime. It's fascinating how many methods there are, and one of the very well known frameworks in cyber risk quantification is FAIR. But FAIR is still complex, and it hasn't been used so often within organizations. So I definitely encourage anyone who is listening to us today to read about it and try to understand how beneficial it is to quantify the cyber risk. And I want to also mention that this is extremely helpful for information security professionals, because they can basically get the additional budget that they're searching for. It's a great way to go to the board and tell them: look, if this cyber attack happens, this is how much we're going to lose, and therefore I need my budget to implement my security initiatives.

Tanya: Oh wow, okay, there's so much. Okay, so I'm going to come back and dive into those, because I want to know more about cyber risk, and like I said before, it wasn't covered on the podcast before. But also I feel like, when I first started in security, I remember I had a meeting and I was trying to explain to upper management, basically I was like, "The sky is falling, why aren't you listening?" And they're just like, "What the hell's wrong with her?" And then a bunch of them left, and my manager said to me: "Tanya, you can't say the sky is falling. You have to say this risk exists; here's the potential business impact; here's the likelihood of it happening; here's how much it will cost to fix; and therefore our return on investment is blah, or the risk is reduced by this." He's like, if they're not listening to you, it really, really is important, because you're not communicating clearly. And so from then on I came prepared, I practiced, I was ready. Do you feel like this is a thing that... well, you're probably really awesome at this, right? But do you agree that sometimes it's just because infosec people aren't able to communicate clearly what risk is to business people?

Magda: Tanya, I think you brought up a very, very important topic. Communication is extremely important. But as well, again, when you are in information security you know much more about the topic than other stakeholders, and therefore, again, you cannot assume that the business stakeholders will understand you. And of course, in the cyber security space we would like and love to bring the security of the company up as much as possible, but we need to be realistic as well. A business is a business; the main objective is to generate revenue, not to deploy all possible cyber security controls. So they need to balance their budget and their priorities with the section of the business in a manner that makes sense. And one aspect that you brought up, Tanya, about having that visibility of the business impact and likelihood, and then defining the cost, allows understanding as well what measures to implement within what cost range, to ensure that it actually makes sense to the business. Common sense, again, but if it's not presented properly or in an adequate way, then we are unable actually to bring our message to business stakeholders, and they will not be focused on implementing it.

Tanya: Do you feel like... I don't know if you've ever had to do it the other way, where you've had to explain to the infosec people, "Listen, we're not going to spend a hundred thousand dollars to protect something that costs fifty thousand dollars." Do you have to reverse that sometimes?

Magda: This is really a great topic,
Tanya, and a question. In my experience I haven't had that particular exact example. What I have seen often is basically a roadmap including a lot of security controls and a lot of services that are not aligned with the financial aspect of the controls' implementation. Yes, it's very nice to have tools and controls across people, technology and process, but what about the associated cost? You can't just go again and ask the company to implement everything within the next few months. They might not have the resources, they might not have the budget, they might have other constraints that will interrupt the business activities, and therefore they cannot do it. So the responsibility of the information security professional as well is to guide the company in a manner that makes sense, again, to the business, that helps them to minimize and mitigate the risks accordingly over a period of time, and not just try to deploy everything at once, because that's not possible. So how I do it very often is: there are particular quick wins that need to be implemented in a short time. As well, those are the non-negotiables, for example, where the company just cannot operate like that; if not, that will lead to the materialization of a cyber risk that they cannot afford, and I'm very clear, they cannot afford. And then that is followed up by the other initiatives, which are, again, separated in a roadmap into short, medium and long term, allowing the company to have a pragmatic approach and a realistic implementation.

Tanya: Nice. Seriously, when I started in infosec no one explained to me before what risk management was. I would be like, those are the people that ask me a lot of questions and usually tell me how I'm doing stuff wrong. That was my experience as a dev, and so then I moved over to security and I was like, well, I don't want to be those people. My entire experience was just "you're doing it wrong." So I like your definition, I like it. I think you...

Magda: Sorry, just to add on to that. I think there is a lot of perception that risk assessment, and especially in the traditional way, is very compliance-focused and only lists certain ways of doing it that, again, are perhaps lacking some link with the business, or are just not realistic, bringing that practical approach to the business. So I would say the best is to combine different approaches and really try to understand how that business organization operates: what are their priorities, what are their main liabilities, what are their main exposures, what are the main costs that might occur following a cyber attack. And that's not only within the technical environment. A very simple example that I like to bring as well: in risk management, very often we use the single loss expectancy and annualized rate of occurrence, and then you have the examples online that if a building catches fire, then you lose, for example, the value of that building in a percentage. Now, if we look at cyber risk in general and in a more holistic approach, the loss for a business won't be just the building. It will be the building, the data inside, the loss of business because the business might not have a hot site where everyone can go and work immediately. So there are a lot of very interesting aspects to consider when defining the impact for the business that, again, often inside security is not that holistic. We look at it from an IT, information technology, from a cyber security perspective and lens, while we should look at the holistic view and discuss a little bit further with the CFO, with the business stakeholders, and understand where all the costs are involved.

Tanya: Oh wow. I want to ask the people who are listening and watching: if you have questions for Magda, you can ask them in the chat. So we have a couple of people, and Kellen's been really awesome, saying "that's cool" and "awesome idea," and he has a new message that he just put up... oh no, that's Nancy. So: I see a
lot of organizations moving to the FAIR methodology. Do you have a specific methodology that you like the best? Or do you like the FAIR one? I don't know a lot about risk management, so please excuse me not knowing all the terms.

Magda: Yeah, Tanya, FAIR is pretty well known now. When we say a lot of organizations are moving towards FAIR, that is something that is relative, for example, to one region or one particular country. As well, it's important to understand that, for example, in Asia, if we go around and ask companies about implementing even risk quantification, we'll be very, very surprised by how low the number of companies is that are considering cyber risk quantification. So the implementation of FAIR is still growing. Now, as a methodology, and this is purely my own subjective opinion, I find the methodology really great; it brings all the important aspects when assessing or addressing cyber risk quantification. I do find that someone who is not familiar with those concepts will have real challenges to implement it, and they need to specifically study that framework in very big detail, and eventually look at a practical approach. What I think is a very good methodology, which I apply a lot, especially when starting the journey for companies, so before they get into a sophisticated cyber risk assessment and quantification, is to start with scenario building. Build the scenario that makes sense for a business, and I give an example: business interruption due to a cyber attack, for example ransomware. Then go into further detail, try to understand the impact and the factors, or cost factors, associated following that attack, and try to analyze the likelihood from the perspective of how it can happen. For example, in my case, I use a lot of data streams to understand the likelihood. That includes the incident history of the company; that might include as well other data streams from Marsh, because Marsh is an insurance, broking and risk management
industries we have legacy systems, and those legacy systems practically are very hard to, for example, update or patch. And there's absolutely no way that, for example, in some critical infrastructure the operations manager of that particular plant, for example a power plant, will say, "Oh, let's stop the operations for a while, we're doing an update." That will not happen. In an operational technology environment, safety and availability are the first, very important pillars, and therefore, again, when talking about cyber risk, when talking about mitigating cyber risk, it is really critical to understand the reality and practicality of things and how companies are operating in the real world. Because again, theoretically that's the best practice, but is it possible to apply it for a certain industry, for a certain company? That is another question.

Tanya: Okay, so first I want to thank our sponsor, because that's the thing I have to do, and then I have a question from the chat, and then I have a question. So I want to thank our sponsor ThreadFix. They got acquired this week. They've been a startup and have exploded in all these amazing ways, making this amazing vulnerability management system. But I just want to say, Dan, Sheridan, all of you: I am so happy for you. The whole We Hack Purple team is so happy for you, and thank you so much for always being so supportive of our company. No one deserves better news than you. Thank you. Okay, so I'm really happy for them anyway. Okay, so now there is a comment from Nancy: "I'm really looking forward to reading your paper, Magda." And then there's a question from Kellan: how often do you revise these models, or how often does industry revise these models? It seems like a big deal and a lot of work to revise a model.

Magda: It's a fantastic question indeed, and I think if we look at the reality of cyber risk quantification, my research actually showed that it's a pretty immature area. There are not many frameworks, and there's a limited amount of research as well done in this particular topic. So we are not even talking about updating the frameworks yet; we're just talking about actually bringing more ideas to the table around how best to quantify cyber risk. And again, I talked about likelihood, and one of the biggest challenges in cyber risk quantification is actually related to the likelihood of the cyber event happening, and that is as well an area of research that is not very much developed. Why? Because when we're talking about cyber risk quantification, we're talking about a mix, or basically a collaboration, between two industries: cyber security and economics. Now, how often do we see those two working together? Not very often, right? And therefore, again, when it comes to having more innovative, updated models in cyber risk quantification, I believe we are not yet there. But there is a lot of new research coming up, some of which I am really, really heavily trying to encourage, and a lot of companies as well, like my company, Marsh & McLennan, are focusing on cyber risk quantification, which actually helps advance the research, because there are, again, a lot of risk management concepts, a lot of economics and cyber security, that are combining, bringing a lot of added value and really great benefits to the end clients.

Tanya: Wow, okay. So this is a question that I ask everyone: what is a day in the life like in your job? What is a day in the life like managing risk? Because I used to work somewhere, when I was a dev, and I remember we had this director who did not know anything about risk management, just to be clear. He's like, "I'm going to manage that risk." And I'm like, "What does that mean, Phil?" He's like, "I'm going to manage it." And I'm like, "We all know that that means you're going to do nothing." And he'd be like, "I'm managing." I'm like, "You're not managing anything." So I have a feeling what you do is very different than what he did.

Magda: First of all, Tanya, as I'm leading the cyber advisory, I'm managing different clients, and that means
that of course my day, or every day, is different. However, one very important aspect that is continuously part of my professional career is educating the customers. There are a lot of calls, a lot of webinars, a lot of discussions trying to come back to the basics, to the fundamentals, trying to understand the business. So how does a day look? Basically, webinars: I can start the day, like today, with a webinar where I'm trying to discuss the topic with the general or public audience. Then separate client meetings where we discuss, for example, a writer, but particularly their requests, about what they understand by cyber risk assessment, because very often they don't have an idea. Then delivery, of course, which means not only having a list or an Excel file with the different risks; it actually means interviews with business stakeholders, or workshops where you actually collaborate with different business units, different business stakeholders. You bring in, you present, and you ask the right questions to try to understand the business further, and then raise your concerns in a way that is understood. One very good example here that is practical, and I think is very valid nowadays, is that a lot of companies are still missing around third-party risk when it comes to cyber security and the importance of it. So very recently, in the last few days and weeks, I've been really having a lot of conversations around that. So this is something that is part of my day. I basically have meetings as well where we not only deliver, but I need to raise the awareness of the clients, I need to educate them, and I need to speak with various stakeholders, and not only cyber security, not only IT. And then of course internal meetings, where we need to ensure that whoever we are working with, or I am working with, understands the offering, understands what we do when we talk about cyber risk assessment or cyber risk quantification, which is, again, something that is not commonly understood by everyone. So my calendar, or my day, is full of meetings, from morning, starting with webinars, for example, as I mentioned; client meetings where I'm just starting the journey with them, educating them; delivery, which as well includes discussing with the clients and the business stakeholders; and then even internal discussions with colleagues to make sure that everyone understands what certain concepts mean and what we are doing. So there are a lot of different angles and a lot of different stakeholders involved. That means very long days, very, very long days, and a lot of adaptability. You can't have the same discussion with different stakeholders; you need to adapt the way you bring your message. You need to be very flexible, you need to put yourself in the skin, or basically the life, of that person and understand how to approach what they see from their perspective, what their concern is, and how to bring your message in the most efficient or effective manner.

Tanya: Wow. Usually when we ask people that question they'll be like, "Oh, lots of meetings," or they'll be like, "I mostly code all day." I've never received such a thorough answer. This is so good, because a lot of the people that watch or listen to this podcast do so because they might want to get into this field someday, right? And you just gave a really good description. Okay, I have more questions, though. What types of personality traits or aptitudes do you think would make someone good at risk management? I feel like it's really obvious you have to be a good communicator, or you're not going to do well at this, but what else? What else could make someone good at this, or predispose them to potentially being good at it?

Magda: I think, again, it's a very, very important question. One aspect that is critical is being able to listen. Listening of course is related to communication, but communication is when you speak, you need to be
clear, but also you need to listen and understand your clients, and this is really critical. The other aspect as well is being pragmatic, and understanding that by being an advisor to clients you need to be very careful, in the sense that you might know your area of expertise, but as a professional you cannot know or understand everything. So have that, I would say, pragmatism, and make sure that you are always careful around what and how you perceive and advise clients on something. Operational technology is a great example. You cannot go, for example, to an operations manager in a plant and tell them, "We need to do an update now. How come you have legacy systems that are not yet updated?" That would not work. You need to actually manage your advice in a proper way that considers the overall risk for that particular plant, for example understanding why they're concerned about the updates, and then finding a way to do the right thing, making sure that you actually as well help the business operate, and in this particular case help the plant continue its operations. So I think, if I look at the various points: communication, as you mentioned, but being a good listener is extremely critical, and being pragmatic and always having the practical approach. It's not about knowing everything, because no one does, but being that advisor and the good person who's going to recommend the best suitable solution for the clients, in alignment with their risk appetite and with their business goals.

Tanya: A topic that has come up on this podcast over and over and over again is empathy, and I feel like a lot of what you're describing there, around being able to listen to the client, understand where they're coming from, and then help them get to a more secure place, I feel like it's you understanding where they're coming from a lot so that you can be good at your job. Do you agree?

Magda: Yeah, absolutely, Tanya. Again, not everyone understands cyber security, not everyone understands the threats and the consequences of a cyber attack, and therefore, if we do not take the time to educate the clients and understand them, we are unable to achieve our goal, which is making them evolve further in the cyber resilience journey, and that is something that is really critical for a good advisor. Now, when it comes to empathy, I want to just highlight as well an important point. While it's really important to listen to the clients, to understand them, sometimes you will find clients, or just business stakeholders, who are not ready to listen, who are not ready to actually implement anything even if you try your best. So know as well your sponsors within the organization that you're trying to advise, and try to find people who are eager to listen and communicate constructively with you, following your recommendations, following your questions. This is very, very important. Another aspect that I use sometimes is, as I speak five languages, I try actually to speak with the clients in their own language. I tried to learn Mandarin; that didn't work yet. I was even so proud that I said, "Oh, I speak a little bit of Mandarin," and then I didn't practice and I forgot everything. But what I noticed is that if you discuss with the clients in their own language, that as well helps a lot, because of course it's easier for people to communicate in their own mother tongue.

Tanya: Do you speak French?

Magda: I speak French, of course.

Tanya: Oh my gosh, more ways I could talk to Magda.

Magda: Yes, I spent seven years in Paris, Tanya, so I didn't have a choice, aside from speaking the French language very well.

Tanya: I spent two weeks in Paris and I have to say it was a delicious experience, to say the least. So let's say someone wants to work in risk management. How could they get into such a field? Because if you want to be an accountant, you study finance at university, and then you do accounting school, and you graduate, and then you're
an accountant and you can go out and account um but like if you want to learn cyber risk and you want to get a job in that someday do you have any thoughts on like maybe different job experience someone should try to get or maybe i am unaware that you can go to school for that like what what can people do there are certifications that help but let me take a step back i think what is the most important if you want to be really a great cyber risk advisor in general is to have the understanding of the business which means please take the time to go and have a one day or a few days of a life of a business owner why because that will give a very big different perspective towards cyber risk and what is actually the priority for a business owner it will help you to understand that while actually cyber risk might be for you perceive from a one angle it is also important to understand that there are different priorities for someone in business okay okay what about um so i don't like to advertise certifications or anything like i don't try to like push people towards that because it's an industry in itself like i was explaining to my significant other who said wait so you have to pay to take a test again and i said yes and you have to recertify and pay again and then you have to get these cpes so then my sweetheart was looking it up but you have to do live training to do the cpe so like you can't go to meetups or you can't do this or that and get cps i'm like well yes because then they make more money off you when they buy more training from you and my sweetheart was like what this is a racket and and so i and and then we have purple has a certification but you don't have to pay uh to take it you get it when you finish all of the courses in the entire program and you've passed all the tests and then you get it there's not like an extra fee and so um we have like a different approach on that and so i try really hard not to push certifications on people but that said what are 
some of the risk management courses or certifications that exist or just name ones that you like and just forget to name the ones you don't like well i would say tanya i i have a similar view i don't have a lot of certifications first of all because obviously certification means cost like you said and when i was on you know uh since my professional journey i focus on gaining practical experience rather than spending my time in books and passing the the exams because i felt it was much more relevant for my job and what the customers were expecting so i will not you know just mention one certification in particular but the certifications that i have for example help me as well to see from a management perspective and certain different aspects and areas but as well to understand some really good processes and fundamentals now if i look at you know the learning that i had from the books from what i have learned in the exams from what i read online in certain courses around risk management there is no one that will help you in mind you achieving the best outcome i think the best way to become someone who's good at that try to read and take different courses from different perspectives so you will be able to see how much even cyber risk assessment as a term cyber risk quantification as a term might differ from one course to another they are not completely standardized terms there's different research again there's different approaches so i would say take the opportunity to read about that take the opportunity to take different courses from different providers and see how for example and this is as well something that's very interesting some frameworks will call cyber risk quantification when they use and i mentioned that the simple loss expectancy the annualized rate of occurrence and this kind of terms and concepts but for me that is semi-quantitative because it doesn't look at the business holistically and coming back to my points before in my view and this is an 
opinion again the best if it is when you combine cyber security and economics now is there a course like that there out i haven't seen anything that is as holistic as i would like perhaps i missed it but i would say again focus on different courses and ensure that you actually as well understand that the best and optimal way is to combine economics and cyber security in order to be good to be as good as possible in cyber risk management okay so we started a little late so i'm going to ask a double question and then another question and then we're going to wrap up because i want to i just want to keep you on the phone all night but that apparently i've been told is not supposed to happen so so super tough question what do you like best and what do you like least about what you do like about risk management so it's a hard question and i don't mean like what do you like lise does and there's this guy named jerry and he's the worst [Music] you know when we look at the job and this this makes me this question makes me think about something that was really really fascinating for me i was on a webinar with more than a thousand people and i said i'm passionate about what i'm doing i love it it makes me happy and then there was a question from the audience what if the like the job that we are doing is not making us happy every day i'm like when you work in a job you cannot be happy every single second there are tasks that are the routine tasks administrative tasks their tasks that does do not actually align with your passion maybe but that's part of your job so if i look at what i really like the most i really like the most advising clients talking with people about their sample risk even building those scenarios around cyber risk because they need so much to understand there's different businesses the different clients how they operate you know their revenue their structures the organization so it's absolutely fascinating what i like the least is probably everything that 
relates to some administrative tasks what i need to do just because it needs to be done you know i think a lot of members or a lot of people in the audience will relate to that you know like it's like filling a lot of papers that you need you just need to answer forums it's not something that i think anyone would enjoy right perhaps i don't know i think so yes there are always parts of every job we don't like like i recorded an audio book last week and i have to tell you i did not like that i did not like it at all and then like i think i'm good at talking i think i'm good at reading nope turns out that's not true i have never made so many mistakes in my whole life but i'm so excited i'm going to have an audio book and so you do those parts that are really hard so that you can get the good thing yeah talking about audiobooks tanya i have actually i'm super excited because i'm now in the midst of having two books ready so one is about cyber risk uh in general for the stakeholders and i will not go into detail surprises fans and the second one is actually a book that isn't yet finalized but i started it already and it's a little bit different it brings cyber security you know a little bit further from as well some more interesting aspects that are not only about corporate not only about business but it's basically like a story so i'm super excited about those two and i'm looking forward to publish them and share them with the with everyone that is amazing i had no idea that you were writing a book not only one book but you're like oh whatever i'll just write two writing a book's really hard mate it is it is it is and very time consuming yes oh my gosh actually like honestly i found like the writing of the book part really good but all the technical edits and grammatical edits i was just like i i it took i swear like two-thirds of the time was all of the edits like it's it's hard and i like to think i have really good grammar but no and apparently i use a semicolon in 
a way where you should have a colon and vice versa and i felt very confident in my punctuation before i wrote the book exactly there are things that you don't see at all when you write a book and it's yeah it's fascinating how many mistakes you find out after it's proof or proofread and uh yeah i mean i had um i had friends helping me to read the book you know and proofread it and i had as well uh professionals to do that it's it's absolutely a challenging task and requires a lot of time again oh yeah so we met because you do awesome work that i admire and so you've done lots of work with women and girls to get them into cyber security like the first ctf for girls in singapore and the second one the third one the fourth one etc do you want to tell us a little bit about some because so basically like long story short i just saw cool stuff that this lady was doing on twitter and i was like wow she's awesome i'm gonna follow her and then i started messaging her and she totally tolerated me and then eventually i was going to singapore for work and i was like oh my god could we meet in person and and she said yes and so could you could you could you tell them a little bit about it yeah tanya this is really a topic that is very very important for me so when we look at the first ctf for girls which we basically was the catch catch the flag competition it was really fantastic we had literally young girls like 15 18 participating and having you know prices and winning and it was really really awesome so i think in terms of impact where i really thrive and i just realized i'm repeating the word really very often but whatever you know but it's what is really interesting is that and what i'm passionate about so giving them this opportunity when you take for example a girl that is 15 or 18 they not only need to be supported to in terms of you know have for example study group but also to have the possibility and the confidence that they can do that so we i have just launched a 
scholarship in singapore where we offer literally a certain hacking certification for the girls and we have we have 10 courses and 10 certifications that we will sponsor and and basically support those girls for and we the study group so they don't give up it's not that easy so they need that support as well you know around making it a success so this is something that i'm absolutely looking forward and with the support of the cyber security agency of singapore's i'm super excited and really happy about it and i hope i'm gonna you know see a lot of hikers there you know more and more you know like girls packing all the way like in singapore everywhere oh my gosh meg to kelly thank you so much for being on the we hack purple podcast i know that you have a hard stop and i've gone way past the time i supposed to thank you thank you so much for taking the time to be on the show and quite frankly thank you all the things you're doing for girls because i want to be old and gray and know there's lots of women in our field to take over from you and i someday thank you so much tanya for the invitation it was really a pleasure um i was very very happy to have this chat with you and i'm looking forward to seeing you in singapore oh yeah oh yeah i hope so oh yeah i have yep and thank you so much to our amazing guest this week meg to kelly who well i mean i feel like one hour just wasn't enough i would have talked to her all night um thank you again to threadfix our amazing sponsor thank you to my amazing sound engineer who makes us look and sound amazing on this podcast thank you to you for attending thank you for listening thank you for checking out our academy our community all the things we do our secure coding course is coming out in two or three weeks depending upon how tanya does on finishing the final exercises and assuming we pass our qa and we are so excited to have you our listener support us and just come back week after week thank you so much and with that i'm 
tanya jenka and our guest this week was meg to kelly and that was the we hack purple podcast [Music]