Security Unfiltered
From Mathematics to Cybersecurity: Fayon Atkinson's Unexpected Career Journey
What if your career path took an unexpected turn into the fast-paced world of cybersecurity? Join us for an insightful conversation with Fayon, a senior cybersecurity advisor, who pivots from mathematics and mechanical engineering to become a cornerstone of breach response and risk advisory. Hear how her role as a breach assistant at an insurance company became the gateway to a successful cybersecurity career, and discover the unique challenges and rewards of navigating this dynamic field.
We bring you personal stories of career transitions, from fields as diverse as mathematics and criminal justice, to the evolving landscape of cybersecurity. Fayon shares her experiences working in both reactive breach response and proactive risk advisory, shedding light on the importance of continuous learning and adaptability. This episode also tackles misconceptions about introversion in the professional world and highlights the perpetual need to stay ahead in the ever-changing cybersecurity industry.
Dive into the unique challenges faced by Black women in cybersecurity as Fayon candidly discusses her experiences with imposter syndrome and the lack of representation. We also delve into the critical role of cybersecurity insurance, comparing it to auto insurance claims management, and emphasize why even small businesses need comprehensive security measures. From conducting incident response plan reviews to leveraging threat intelligence, this episode is packed with valuable insights for anyone interested in the intricate world of cybersecurity.
Speaker 1:How's it going, Fayon? It's really great to finally get you on the podcast. I think that we've been probably working towards this thing since probably the end of 2023 is when I got the email initially, but I'm glad that we're finally able to get together.
Speaker 2:Yeah, thanks. Thanks for having me, Jay. I'm happy to be here, happy to be here.
Speaker 1:Yeah, absolutely, you know, I start everyone off with telling their background. The reason why I do that, you know, is because there's a portion of my audience that are trying to get into cybersecurity or they're trying to get into IT, and maybe they even went to college in something that wasn't IT related and they're in a career path that they don't like right now, you know, and they're trying to make a switch Right. And I have found that it was always very helpful for me, when I was trying to make that jump into it and into security myself, to hear someone with a similar experience or a similar background, um, you know, and and they were able to pull it off. And so then it's kind of like in your subconscious, like, well, if they can do it, maybe I can do it Right. So, you know, how did you? How did you get into IT? How did you get into security? You know, was there something earlier on in your life that kind of sparked that interest?
Speaker 2:Yes, I think, like most people that I know, I got into the cybersecurity space. A very I kind of just fell into it, I would say. So my background is I have my undergraduate in mathematics. In undergrad I do a dual degree program, so it's a 3.3, well, at the time it was a 3.2. So I had to have a bachelor's in math and then I transferred to a partner school to get engineering degree. I thought I was going to be a mechanical engineer, so that's the second major I did. I went into mechanical engineer.
Speaker 2:It turns out I didn't like it. My dad was pushing me to do electrical engineering. I was like I don't want to be like you, because my dad's also, he's a computer scientist, a computer engineer. I was like I don't want to be like you, I want to create my own path.
Speaker 2:And so, while I was going to school, my sorority sister, she's like hey, do you want to work at this company? And so I applied and I got a position to be a breach assistant and in that role I worked with a breach team. So this is that insurance company, and I work with attorneys or individuals with attorney background, legal background, so they, you know they're coming from the cyber data privacy space and I also work with the technical folks, um so with like their cisp and stuff, and I was just a breach assistant at the time.
Speaker 2:So I get to see a different lens of it. Where at that time I didn't know much about cybersecurity, I would say I thought it was, you know, a stereotype like a guy behind a computer hacking people every day. So it was a different exposure. It was insurance. It was more on the reactive side, so it was the breach response team. So when an organization would be impacted by a cyber incident, the team they would be sort of like an on-demand breach consultants, so they would get on a call with them and sort of they're dealing with a crisis, so they would potentially just help them walk through what that would look like, so getting all the necessary vendors they need to sort of mitigate that. So that was my first time in that space and I've been there ever since. That was 2017, six years.
Speaker 1:Okay.
Speaker 2:So I've been there since. I have since left that company and I'm now with Corvus where I do, instead of the reactive, I do a bit more proactive work. So, with the risk advisory team and our team is, it will provide resources to our policyholders to prevent the severity and likelihood of a cyber incident. So, being that, I've seen like, okay, what it's like on the back end of you know, a big organization after they've been impacted by a cyber incident. Now I'm like, okay, let's figure out how to avoid that from happening. So we offer a ton of services. So I've been there since. That's how it started.
Speaker 2:I honestly thought I was going to be a mechanical engineer, but now I'm a cybersecurity advisor. I've been with Corvus since 2022. I'm now a senior cybersecurity advisor. So I've definitely advanced in my role over the time and even at my prior company, I started as a breach assistant, I expressed interest in like this is kind of cool, I want to learn more. And so, you know, on that team when there was a position open, that was my opportunity to step into more of the breach response role to help these organizations when they have a cyber incident. Yeah, so.
Speaker 1:So it sounded like you kind of just dove into the deep end, right, and I'm sure, sure, along with that comes a lot of anxiety, right, and like imposter syndrome and things like that, right, like you know, I've been in cybersecurity for probably 10 years and when I get a new role, I still have imposter syndrome to some degree. I'm like I hired the wrong guy. Obviously they didn't think that I would be like this or anything like that. You know, any day now they're going to tell me I'm gone. Did you experience any of that and, if so, how did you overcome it? Because I'm sure that that's actually pretty. That's a pretty unique situation, right. Like, not everyone jumps into the deep end in cybersecurity. I don't even recommend it, right. When people are asking me how to get into security, I tell them to go a different path than that. So how did you overcome that?
Speaker 2:Yeah, I still suffer from imposter syndrome today, but I think a large number of it is for me. To help me overcome this with the leadership on my team at my prior company. Training was really really good and I thought I couldn't do it because I'm not technical enough. I mean, I know a bit of coding because you know some of my background and I was an innovationist. But I started to do my master's while I was doing that role in computer science, but the focus would be on cybersecurity and so I have some knowledge of what to expect. But I'm a very visual, hands-on learner so I needed that. But I would say most of my peers they were really good with helping me and training me and I ask a ton of questions. I'm very inquisitive, so that definitely helps, but I would say that the key to it is leadership on my team.
Speaker 2:But I still, to this day, struggle with imposter syndrome. I'm like, okay, do I know it? I get on calls with organization or policy holders to talk through gaps that they could potentially have in their security posture. It's like, okay, I have to brace myself. It depends on who's on this call. Sometimes you're getting the very, very technical folks and sometimes you're getting someone from like risk management. So it really depends on who you're getting, what that conversation, how that conversation could could end. I think most of them are pretty positive, but I still struggle with with that today. Um, therapy, it's like definitely a working process for me.
Speaker 1:Yeah, definitely. You know what's interesting just being in the cyber security realm the the amount of people and the different kinds of people with different backgrounds that you're encountering on a day-to-day basis. It's always very important to understand who's on the call and what their background is, what their role is, what they're working on. There's been numerous times where I didn't understand that earlier on in my career and I approached a problem from a completely incorrect angle and, you know, almost like burned a bridge before, like even putting it up. It's um, it's a.
Speaker 1:It's an interesting balance, though, because you know security tends to touch every department in the company, like we don't just work with developers or other it people. We have to work with the legal team and say, no, it needs to be this way because of this. And you know we need to work with procurement people and people that are doing audits and everything under the sun. It's um, it's an interesting, you know place to be, because you know not only is security growing and changing every single day, you know you also need to really be on top of your communication skills, and I think that that's like a like an undervalued skill that, as technical people, we don't always put that emphasis on.
Speaker 2:Yeah, yeah, I agree, I would say like, even with security I didn't say it's a pretty diverse industry, right? Like you mentioned, we need to touch on every topic across every organization. Organization, like every department, gets to see some things that security related, and I would say that again, back to that stereotype of who you would imagine to be in cyber security, not as someone that looks like me with my background, where, you know, then you think of someone who's technical, you don't think that that, um, soft skill is. They're mostly like computer coding or hacking or doing something like that, but that's all still. But a communication piece is definitely something that I think helped me in in my role. Uh, categorize myself as an introvert. I don't know that most people see me as that. I think. With that, though, I still try to think through like, okay, how do I communicate with the different people speaking that language? You know, trying to translate something that's very technical to a very non-technical, depending on my audience.
Speaker 1:Yeah, I mean, I tried to consider myself an introvert as well, but then here I have this podcast, so I don't think I can make that claim anymore.
Speaker 2:Yeah, people tell me I don't think you're an introvert. I was like I think I am.
Speaker 1:Just to backpedal just a little bit. You know, you got your degree in mathematics, started to go down the mechanical engineering route. You know what was that like? To do the mental gymnastics to make the pivot in IT, right, because I'm sure that there must have been something where it's like, well, that's not really what I've wanted to do, right, that's not what I set out my goal to be at the end of this thing. You know, how did you kind of reconcile that? I guess you know within yourself. And the reason why I ask is because it actually took me a long time to do that myself.
Speaker 1:I got my bachelor's in criminal justice, fully expected to go into federal law enforcement. I thought this IT thing would be a very temporary thing, just something to pay the bills until I get into an agency somewhere, you know, because they take like one to two years to get you in and I can't be without an income for one to two years when I have student loans and like it took me a long time. I mean, like I was in it, I was in security and I was still, you know, trying to angle myself and get into federal law enforcement. Right, that was, that was everything to me. That was my dream and now, looking back on it, I'm I'm actually thankful that it didn't work out right, because I I don't have to put my life on the line every day. I'm, I'm not worried about you know these, these random, you know life or death situations. Um, I get to you know, sit safely in in my house and not go outside for a week if I don't want to.
Speaker 2:Yeah, yeah, I would say it's just, this is the same same same thing for me. Like I said, I was working part-time while going to school full-time, and I worked at the bank and I hated working at the bank because I had to sell and I was like that's not my personality at all and so when this opportunity opened up, it was just like, okay, I'll continue to go to school while I try to make some money to pay bills. But it just became very interesting and I didn't. I wouldn't consider myself very technical, so from my, my approach to it was more of like my gosh, there's this other side of the world that I don't like to see every day or hear about all the time. You're hearing about companies that's getting hacked. What is ransomware? At the time, ransomware was like it wasn't as big as it is today, but you hear about all these things. Or like in the healthcare space especially, I didn't understand the different policies and regulations that they have to abide by, but seeing those like it was to me it was not boring at all. So it was like there's never a boring day. This is so interesting. You learn something new all the time and then you get to talk to like people who are experts in the space.
Speaker 2:Because, uh, I started off as like a breach assistant before I became like a breach manager. I got to sit on the back, sit in the background and listen to, uh, my colleagues on calls or talk to like forensic vendors or law firms about what's going on, to understand the, the cyber landscape. I was like, okay, this is actually kind of cool and I'm helping people. Oh, I don't mind doing this. And so that's when I made the switch, because I was like, okay, I could switch and study something else, because, at this time, like, okay, I will get to learn more of the theoretical piece while I'm getting the more real life experience of it. That's that so similar to you. I was just trying to pick the L's and then here I am, almost seven years later.
Speaker 1:Yeah, yeah, it's a fascinating field. One of the first people I mentored, right, he was trying to get into cybersecurity from being in the networking. You know, in my opinion, networking is probably like the worst part of IT. You know, it's the most boring topic in the world. I tried to, you know, get my network plus early on in my career and the only thing that book did for me was put me to sleep at the at night, you know like, or even at work, like that was the most embarrassing thing.
Speaker 1:It I, I hate networking. I just hate thinking about it, right, which is weird for a security professional to to say. But it's like I don't, I truly do not care what protocol you know you're using. Is it encrypted? If not, we need to talk about it, right, like, that's the extent that I care about it. Um, I was talking with him and I was describing what it's like in cyber security. He was, he was mostly on board until I got to the point where I said but you know, you have to be comfortable with always learning, always something changing and you needing to learn something new and adapt. That was the part that you know, really like, stopped it right there, for it was like, well, I don't think that this is it because I want to. I kind of want to just like, get my CCNA and stop there. You know, I'll be good for the rest of my career. I don't need to go to school or get certs or anything else like that and like, well, you know, you're going to stagnate, right?
Speaker 1:I later on in my career I met people that had been in that same exact situation where they they chose to no longer, you know, longer learn the new stuff. They chose to no longer learn the new technologies or the different protocols or reasonings, best practices. They chose to stop doing all that stuff. And later on, actually fairly recently, they were laid off and now they're having trouble finding work because they don't have those skills. The skills that they had were for that one company and that one company.
Speaker 1:His manager really liked him because he was a funny guy. So the manager always did a good job of making sure that they had that, that role, that kind of workflow for him, so that he could say to management like, hey, this is the only guy that does it, he's the only guy that knows how to do it. Um, you know, god forbid. The day came when you know someone said, well, can't we do it another way? Right, and he didn't have anything to back it up. And immediately my friend is now, you know, on the job market. Um, which is? It's an interesting time to be on the job market, especially when you're trying to, like, rebuild your skills. I, I would not want to be in that situation, that's for sure.
Speaker 2:Yeah, yeah, it's, it's interesting. I like well one, I like his honesty, like knowing, like you know who he is like. Yeah, I don't think I want to learn anything else, so that is interesting. But yeah, the job market it's, it's pretty rough right now. I know a few people that are trying to get into the, the cyberspace, and they ask about, like, what should they do? And you know similar background to to mine, I, you know, I explained them. I think most of it is networking. I think, with cybersecurity, a lot of the roles, sometimes mostly the non-technical ones. It's very transferable skills from what you're doing, if you can, if you're a fast learner, that's one, and if you're able to communicate well, like we just talked about, that's also key, and just being curious and willing to expand your knowledge. But yeah, it is an interesting time to be unemployed.
Speaker 1:Yeah, I feel like one of those key skills that are often overlooked for security professionals is that communication effect. I remember when I was on help desk and maybe it was just the company that I was at in the business that we were in, right, but we were dealing with like 911 software that directs calls, you know, and provides exact location information to the, to the first responders, and I mean I would get calls sometimes that were just like hairs on fire. This thing isn't working, like. I got to get the whole team on here to figure it out, right.
Speaker 1:So I was used to being in like high stress situations and calming people down, talking them through it, and I, I, I dealt with like the, the military, the federal government, right, right, so like they can't do a screen share, they can't send you logs, right, like you, literally, and they intentionally do this. They intentionally put someone that literally doesn't know how to spell linux on the other end of the call for you to work with them and that that's not an insult to them in any way. Right, they, they, actually, they are extremely intelligent and smart in the one thing that they do for that agency and it is very intentional for the agency to do that, and it is also very intentional for them to put them on the phone with you because they want no liability if something goes wrong. They want it to be like well, this vendor doesn't know. You know that's literally the situation.
Speaker 1:I mean you're getting on the on the call with these guys that you can't, you can't see anything, you can't get sent anything and you have to walk them through. You know exactly what to type on the keyboard. That sort of skill is is now that I'm looking back on it. It's an extremely valuable skill Like that's. That's why I tell everyone you know, start in help desk, because if you get through a stressful environment and help desk, that's all the communication stuff out of the way, right there.
Speaker 2:Yeah, yeah, that is. That is super key. I would say, like even in my last role at my the prior come to Nail the Sweat, where I was that on-demand breach consultant you're getting a call from someone who's like or entire system is down or company's losing money, what do I do? So they're in full crisis mode and sometimes they're not happy in them having to call their insurance carrier and talk to someone and like answering all these questions, especially if it's someone who's not technical right, they want you to figure it out or you know they're upset.
Speaker 2:I've had a lot of interesting interactions with you know, C-suites who are experiencing like a ransomware and how to handle that. And you have to be really calm and patient with most of these people, because one you have to understand that if you're dealing with something, they probably never have to experience the fact that their company is losing a lot of money. But if someone's saying, hey, you got to pay me millions to get yourself back, so yeah, it definitely, definitely a unique skill set, to say the least.
Speaker 1:Yeah, it's interesting. When I was on the help desk side of it, I think that my customers could tell that I was very young, very early on, still learning things. I mean, I'm still learning today, but I definitely know a lot more than I did then, and it was always interesting when you know you would get the more senior person more senior.
Speaker 1:I mean, this always happened with with guys. You know the more senior guy that knew significantly more you know than you about everything and you give them advice and it's like it doesn't land. It doesn't make sense to them because they don't know the intricacies of your system. I remember, for instance, I was working with a very large bank. If I named them, two-thirds of the world would know who they are and I was working with this person and I said okay, you know your, your database is out of memory. We have to increase the memory. It's not a server issue. You already have the the memory on the server. We just need to expand the database. Because it's not, it doesn't know to utilize it right, and so that's why we're running into all these issues.
Speaker 1:And it took probably four hours of convincing them to do it. And, like guys, I like, I literally like. This is what it is. My engineers have confirmed it. My developers have confirmed it. You know the people that literally created this application, confirm that that's what's going on. You know they got they got very vocal with me, very unprofessional, and that was frustrating for me. It was. It was definitely a learning experience, but like, at the same time, you know it was a situation where it's like, hey, like this is what it is. I don't know how else to explain it to you. Did you run into situations like that where you know people kind of like almost give like a second?
Speaker 2:Yeah, all the time, and I'm a woman, uh, so that's just like an immediate, you know, um, like it moves me down in terms of like them, you know, assuming my, my expertise. And then the next thing would be like I'm a Black woman. We don't see a lot of Black women um, in this space. Uh, in my current role, I'm definitely getting getting on video calls with these organizations and most times you're seeing male right, especially if it's the technical side of the organization that's hopping on these calls to talk about any recommendations that I could have. And that's where my imposter syndrome would kick in, right, it's like, okay, I'm a woman, I'm a Black woman, and then I have an accent, uh, from Jamaica, I was born in Jamaica. Sometimes we can hear it come out. It's like, oh, my gosh, all right, now I have to, you know, present myself in in a very stern way to make sure, like what I'm saying it holds some, some value. You know, we don't see a lot of um women, let alone like minority women in or women of color in, in the cyber space. I mean, I think it's changing now. Like you know, from when I first graduated undergrad they said it was about 10 percent, uh, women in cybersecurity. Now we're at about 25% of women in cybersecurity, but only 9% of that is women of color. So I'm not getting on calls and I'm not seeing people that look like me all the time.
Speaker 2:So definitely experience that I would say quite a bit, especially with someone who's very technical, and I'm making a recommendation of like, hey, you probably need to do this because your, your attack surface is too large, let's shut this down, let's, you know, move away from this and implement this control, and that I get quite a bit of pushback often. But you know I have to stay diligent. I have to stay, you know, like, be firm in these calls and you know, sometimes it's like I don't know what else I can do, but I'll still offer you the recommendation and I hope, I hope, I hope you take my recommendation and because it's really me, it's for you and your organization, or, essentially, save money at the end of the day.
Speaker 1:Yeah, it's you know, I, I don't, I don't understand how people can be like that. To be completely honest with you, you know I've led teams before and I mean I, I led one team where I mean, I think probably 10 out of 12 on the team were women, and I encountered stuff like that all the time. Because we would be so strapped for time I wouldn't be able to attend every single meeting, you know, to make sure that our projects are on time and acting with the developer community and you know whoever you know needed to be on the call right, and so I would send obviously one of my 12 people to to this meeting and we would go over the topic of the call. What, what you need to address? Here's the most common questions you're probably going to get. This is how I would want it, you know, to be answered, because you know most of the people on the team yeah, probably almost all of the people on the team were fresh out of college learning, just like I was at one point in time, and so I try to make it as less stressful as possible. I try to eliminate a lot of the unknowns that they may have in their head to make them feel more comfortable in the call, you know, like they're prepared going into it.
Speaker 1:You know, there was so many times where they would just be discounted right For for saying the exact right thing. And they are younger women, you know, and people are just like, completely just not accepting their opinion. Right, and there's been countless times when, when I would have to meet with this person, you know, the, do that, uh, you know, and like, after a couple times of doing that, the I think most of the teams you know opened up a little bit more to the, to the realization that, like this critical, you know, application is run by a team that's mostly women, right, right, but they're led by someone that knows what they're doing. Like, I feel like they had to, like, understand the situation just a little bit better and get used to it, which still it's really dumb.
Speaker 1:Right For me from a from an engineering perspective, right, if someone, if someone says something that I don't understand on a call or makes a recommendation that I don't understand, as, as an engineer, I'm working backwards, I'm trying to say, okay, well, how did they come to that conclusion? How does it make sense? Does it make sense Is? Am I the dumb one here and I'm not seeing something you know and I'll ask questions. But like, like hey, what were you thinking when you, when you recommended that, when you said that you said that right, because? Because I don't know. I think, as an engineer, it's really important for us to always have that open mind, because as soon as we no longer have that open mind, we really hold ourselves back.
Speaker 2:Yeah, yeah, definitely have to be unbiased and I really like that. Um, you advocate for your team. I think that's super important, especially for, like, women in the industry. Like I think, just IT itself is, like you know, the majority is super male dominated and then we don't see a lot of women, even though that's changing now. But I always say, for me, my experience was a little different. In both my roles in the space I've had women as leaders and these were like super strong women. So that was really good for me, for my experience. I know that everyone experienced um is is the same.
Speaker 2:The other thing is they advocate for me, right. So my leaders now they, they try to make sure I get the visibility as a thought leader like I, I know my stuff. Like I said, I'm a nature person I tend to shy to the background, but for them they're like yeah, you're smart, you know your stuff, people need to know that you know your stuff. And as a woman of color also, people need to see that there's representation across the board. So they definitely advocate for me. So I really appreciate you doing that for your team because that is super important, like advancing that women of color and women in the space and also like sort of bridging that gap.
Speaker 1:Yeah, so sometimes I feel like I'm I'm like uh, too defensive. It's just like how I was like, brought up, like, like I will, you know, be very blunt with people, and a lot of people don't don't appreciate that. But, you know, at the end of the day it's like I'm sorry, I just don't care. Like you, you were wrong in doing this. I'm going to, I'm going to go to bat for my team because, you know, I've been in situations where, like, my leads didn't do that for me, you know, and like I was in the right and I just needed someone that was more senior than me to say like, hey, he was right. And, you know, for whatever reason, for whatever selfish, you know, self-promoting reasons, they, they decided not to do that. And so I, like, I've experienced the other end of it, obviously not as a, not as a woman or anything like that, right, I'm, I'm a white male. Like I can't experience, you know, two thirds of what the issues that you, just, you know, mentioned, right, Just, you know, I, I've seen the other end of it and I wish more people would, would, you know, take ownership like that.
Speaker 1:Right, because I, I read, I read a Jocko Willink's extreme ownership book and I think that it's a really good book for anyone to really learn how to be a leader. You know, if anything fails on my team, if anything goes right or wrong, it's all because of me. And guess what, when it goes right and I'm not the one that actually did it, the credit doesn't go to me. It should be directed towards that person. Even if I'm in the room and my boss's boss gives me the credit, it's like no, it goes to this person over here, Like they handled it through and through, you know. And it's just, it's interesting to see those principles you know at work, because when I read something, I really try to consume it and understand it and impact from there. Is that also true, potentially, with you? Like? Have you read different books that have impacted, like how you address different situations in the workplace?
Speaker 2:So I would say, books. I am more of a podcaster, so I love to listen to podcasts. Most of my podcasts with different speakers or different guests, on these different shows that talk about, you know, like diversity, equity and inclusion, and what is for women talking about, like how to handle microaggression. Um, so those are the. Those are that's what helped me like, okay, let me see, okay, how do I handle certain situations? And then, um, I lean heavily on, like mentors to help me with offer, like guidance on how to approach different situations.
Speaker 1:So to, I guess, to maybe circle back to an extent, right, let's talk about what a breach analyst is, because I've actually never heard you know that, that title, that position or anything like that, right, I don't know the entire insurance side of the company while it was breached and I never had to make any of those calls. So, like what, what is that like?
Speaker 2:Yeah. So, um, for my previous role as a breach, the title which title versus, like, what you do it in the basis is pretty interesting. But, um, it was a breach response manager and in that role we would insurance company. So we're, you know, fake. When you have a, like an auto claim, you call your auto insurance saying, hey, this is what happened, and they'll probably recommend I don't know like the auto truck or something. From the commercial side.
Speaker 2:It's someone is experiencing a cyber incident. Most times they don't know how to, you know, mitigate or remediate. They reach out to us. We'll hop on a call with them and say, okay, we ask a few questions, get to the degree of what they're experiencing. If we can't offer immediate recommendations, we will do that. But we will also recommend third-party services. So usually let's say ransomware is an example. If someone's experiencing a ransom, we will offer immediate recommendations. And then we'll say, hey, you need to get a forensic firm who, for those that's listening at this, not familiar with what a forensic vendor does, is their goal in like an incident like this is to determine how and what. So how did something happen and what did this bad actor get to? And then, for legal counsel, it would be for the legal side of it, making sure that the work is being done under attorney-client privilege, and then also assist with most of the communication for those highly heavily regulated industry, making sure that you're dotting your I's and crossing your T's. So that's our role and we will walk with them through the entire process. So that was the core of that role.
Speaker 2:With that comes other day-to-days and even today, with my current role, I talk to policyholders. Like in insurance, you have to do an application. With that application, you have to meet certain controls or requirements. Those requirements look like do you have like MFA for email? What's your backup strategy? Like um. So if you meet those requirements, you're essentially a decent risk or a good risk for this insurance company to run an underwrite.
Speaker 2:So my job is to one help the underwriters on the internal front analyze these responses from application. Is this sufficient enough for us? And from the external side, if it doesn't meet it, a company will say hey, I want to talk to a cybersecurity advisor. Myself or one of my colleagues to talk through where is the gap and how can we close that gap to make sure we have a pretty robust security posture. That's the core piece of my role today. But I do tabletop exercises, which I really enjoy doing those, um, and then we do like incident response plan reviews. We have like an in-house threat intel team and with our company we have a scan, um, so we scan the perimeter based on domain and we identify any potential risk that they could have. So it's really again risk prevention services. I would say that my current role falls in the bucket of my previous role. Breach response services would be like breach coaches. I think that's a more generic term.
Speaker 1:That's really interesting. You know, I never thought of that from like a, like a breach perspective, right, going to one singular person and them, you know, kind of directing everything, right. I mean, you know we have that with incident managers and whatnot, right at like larger, at larger firms, you know where. You know you, if you're the one that's leading the technical side of it, you just tell that instrument or whatever you want and it's their job to just deliver it. You know, which is, I mean it makes a lot of sense, right, because from a, from an executive perspective or, you know, an upper management perspective, I want to call one person and that one person, just, you know, handles the legal engagement, handles all this other stuff. It's like, just send me what I need to be, what I need to sign, and I'll sign it, you know um that makes a lot of sense.
Speaker 1:And then you know, from from the insurance side of it, more towards your, your current role, you know, I've I've heard recently that that companies are are kind of they're I guess they're weighing the insurance recommendations against, like the cost of deploying those controls versus the cost of the policy. You know, because now this is only from what I've heard, right like I haven't like read articles on or anything like that, but people were saying that the insurance premiums were going, you know, so like sky high that it doesn't make sense to deploy the security recommendations that require you to get the policy. Is that something that you've encountered or is that something that is like kind of made up?
Speaker 2:Yeah, I haven't encountered that, I will say in comparison to premium, with the cost of, like a claim significantly different, right? Um, because I think your threat actor is like there is there's no bias, right? If there's someone who they can target, they're going to target them, and insurance premiums vary based on a number of factors. So a small mom and pop shop could still get hit with a ransomware whose ransom demand is $1 million and they probably want $5,000 in premium. So the weight of that and in order to not get a $1 million ransom demand, is to have the appropriate controls that the insurance carrier is recommending.
Speaker 2:I think I would like for people to think of it like we're hoping that everyone wins. It's a win-win scenario. It's protecting you because it's not just the cost of paying a ransom demand, it's a lot more that goes into it. We have to hire people to do the work. That's legal forensic. If you have to pay the ransom demand, you need ransom negotiators and then you have to look at the back end of it. If you have to notify people, which is super expensive, like I think of a large firm maybe handles a ton of personal information, they may have notification obligations under different state laws, and so they have to send out notification letters, which can be pretty pricey, and then you have litigation on the back end after everything is done, so it can be super expensive.
Speaker 1:Where do you see the insurance industry with cybersecurity going right? Do you see it kind of maybe even crossing over into you know the the private sector, right, where you know me as an individual can go to a company and get cybersecurity insurance against, you know, a breach of data or something like that? Like where, where do you see that going? I mean, maybe it's my own ignorance, right, I'm not in the insurance side of it. I don't deal with anyone on the insurance side of it ever outside of my podcast, so it sounds like that's a pretty expansive area.
Speaker 1:To me it feels like, okay, this is only going to grow.
Speaker 2:I agree it is definitely only going to grow. I think cybersecurity awareness itself is growing. I think that helps with local proprietorship or a small business become like, okay, maybe I should be doing something. And I think I've seen cases where, like the small doctor's office, like a one person or two people, they are starting to get at cyber piece. It could be embedded into another type of insurance and it's just like an added coverage within that. So if this happens, then I have these services available and this coverage. So I see it growing rapidly actually.
Speaker 1:Yeah, you know, it's one of those things like I always tell people. You know, whoever, whoever I'm close with that comes to me for this sort of advice, right, where we're talking about insurance coverages and whatnot, I pretty much I always tell them to go with the more expensive route, right, the the better solution, that's covering more the reason. So you know, like I told you before the show, right, my audience knows I have a one-year-old at home, right? Well, when she was born, you know, I only got to hold her for 10 minutes and then she was taken from me and she's in the NICU and now, you know, she's in a life or death situation. I mean, that was that was by far, by far. It's not even close. That's the hardest situation I've ever gone through in my entire life. The last thing I ever wanted to think about was insurance coverage, or is this bag of morphine covered, like? I did not want to think about that. I didn't want to do the math. I couldn't, I, I actually couldn't think about it. I actually couldn't do the math. You know, I had people ask me my name and I couldn't tell them my name. Um, that's just the amount of stress that I was under. And when it's when it's literally your worst day, you know your worst situation. You want to just be able to make one phone call and be like hey, handle this. You know I need to engage the policy, whatever it is Right. Um, same thing with, like, car insurance.
Speaker 1:On my birthday this year, someone decided to side swipe my Audi and it didn't look that expensive, you know. I figured, okay, you know, two to $3,000, this is fine. You know it was in a. It was literally parked outside of a of restaurant, you know, at the back of the parking lot. No one else was around it. I came out, no other cars were around it, and someone just side swiped the car. You know, take it to the, to the body shop of 15 grand. Like, okay, well, a lot of appearances would fight me, you know, on that Right, but I'm taking it to a place that I know is reputable. That's going to make the car look, you know, perfect, like it never even happened, which you know truly to me, like that's that's what I want. You know I don't want to drive around in a car that's all banged up and stuff, and you know it's, it's not, it's not fun. I like, I like that car, you know.
Speaker 2:Yeah.
Speaker 1:And uh, you know, like that's what I want to hear yes and so it's interesting. It's interesting where the insurance side of it is going to go, because maybe, maybe that'll go, or you know, whoever that's like. Hey, we also have this cybersecurity insurance for 10 extra dollars a month I see the potential of it, of it growing there.
Speaker 2:Like I've talked to companies where it's maybe like four employees that work there, they don't even have a brick and mortar, everyone's virtually working. But I think, based on the line of business, they still need to have these proper cybersecurity best practices in place, just to protect themselves, just to protect their customers or clients or whoever they're working with. Because I think today, data is like gold mine, right, like you get it it's it's it's really critical information. So protecting that data piece is super, super important. Um, yeah, sometimes I'll get on calls and say, well, we don't have any data, or we don't have this or we don't have it. I'm like, technically, you do, you have employees. Yeah, well, that's important information. You probably want to protect your employee information because, as we can see in terms of the privacy world, different states are becoming really, really strict with how companies or retail providers protect customers or consumer data. So, yeah, I think there's just a deep grind.
Speaker 1:Yeah, it's funny that you bring up still that logic kind of like persists in the world where I don't have any data. You know what are they gonna target me for. You know, admittedly, I did not have that great of like network security at my, at my apartment at the time, because it's an apartment yeah building a house.
Speaker 1:Right, I'm gonna have it at the house, there's no need for me to have it here. And you know my podcast. This is very much a free flow podcast, right? And when Russia built up um, you know their, their forces on the border of Ukraine in November of what was it like? 2021 or whatever it might have been, right I, I started saying like yeah, Russia's gonna invade Ukraine, like there's there's no doubt about it in my mind. This is why they're gonna. This is why they're going to do it. This is why I think it all that sort of stuff.
Speaker 1:At that time, my content was served in Russia. I would get a percentage of my overall traffic would come from Russia, which is fine, there's nothing wrong with that or anything like that. As soon as they invaded, the content gets blacklisted in Russia and China and all of their allies. And not only is it blacklisted, but now I'm getting like very weird targeted attacks and I'm sitting here like, okay, like I, it's a nation-state actor, right, so if they want to get in but out of, you know my own, uh, like self right, I have to at least make it a little hard. So it's like, ok, fine, I'll get this whole like tech stack in here and I don't have any data. I'm a security person and I'm saying it. I don't have any data, I don't have anything for them to take, right. But at the same time, what about you know, this personal document that you have right that you don't even think that you have anymore, but you have it and it's there and if they get it they could potentially steal your identity right. Like do you want to take that risk?
Speaker 2:Yeah, yeah, that's a good point. Not just like data, but what could they do to your website? What could they do to your reputation, which also could result into some financial loss or businesses. So it's a really interesting conversation when someone says, well, we don't have anything to protect or we don't do anything that would require these controls. Technically, yes, loss of revenue is never good, so in any way you want to protect it. And that's where I would say for companies, how can they, you know, be proactive with this is do a bit of risk assessment, understand what are the risks that you have and then sort of build your controls around.
Speaker 1:Yeah, well, you know, and we're the top of our time here and I personally I've I feel like we'd go for another hour or two, you know, but you know that typically just means I have to have you back on sometime in the future. But, um, you know, before I let you go, how about you tell my audience, you know where they could find you if they wanted to reach out and connect and where they could find your company if they wanted to learn more.
Speaker 2:Yeah, so they can connect with me on LinkedIn. So it's Fayon Atkinson. On LinkedIn, I'm not very active. I have a yearly 24-hour goal to be more active on LinkedIn but due to this, I will make it a point to get on LinkedIn more often. But yeah, I work for Corvus. It's now a Travelers company. So cyber insurance for all organization business sizes. They can always reach out to my team. We are the risk advisory team at Corvus, so we offer risk prevention services. We have a website, so it's corvusinsurance.com. We have a ton of resources. We have webinars that we teach about like cybersecurity. We have front-end data, so it's at corvusinsurance.com.
Speaker 1:Awesome. Well, thanks everyone. I hope you enjoyed listening to this episode or watching it, whatever platform you're on.
Speaker 2:Thanks. Thank you for having me, Joe, I had a great time.
Speaker 1:Yeah, absolutely, I really enjoyed our conversation.