Leading by Example: Success in Promoting Security and Diversity Initiatives

Hi, everyone. Happy Security Awareness Month. Thank you for joining this session. My name is Jackie and I lead security engagement at Cloudflare. And I have my guest today, Monique Head. She's the Senior Manager of Training and Awareness at Palo Alto Networks. We're here to bring you a session about Monique's journey into cybersecurity, a lot of the amazing things that she's accomplished over the years and some lessons she's learned along the way. Monique, why don't you give us an introduction about your background and you have some very interesting hobbies and interests. Well, thank you. And first, thanks for having me. This is I know this is going to be a great session. So just to give a little bit of background, and maybe what I do and how I got here. I started off in instructional technology. This was way back in the day before we had the Zoom or the Google Meet. And it was a way to begin to transition professors so they could know how to put their courses and lessons online as well as teach them. Now, again, before pandemic, this is like 10, 20 years ago when it wasn't popular. So I started off in education doing that. And fast forward, I went to Morehouse and I helped to create their distance learning program. And then I decided I needed a change. So I actually just took everything lifted up and moved to France with my son. And I created a company where I supported academia as well as different other organizations to, how do you say it, expand their professional development programs using remote learning. And so I did that for some years in France. And then I came back. And when I did, I got a position at Visa. And I created my first module on social engineering. And when I created that module for online use and social engineering, I was hooked. I was hooked on cybersecurity. And I haven't looked back. And I've been doing that ever since. So that's a little quick view of how I got into cybersecurity and what my background is. But that's just a little bit about me. So I met you at PayPal in 2015. I had no idea that you'd already done some amount of security education. So you'd already done a social engineering module at Visa. Oh, that's actually new to me. I didn't know that. Oh, yeah. I started at Visa and I did a social engineering module. Then I moved to HP. What is it? Software Securities Division. And I actually managed their professional development program. So they had an external facing cybersecurity training program for their products. And so I would help to make sure that those modules were created and that people could actually, if this was a paid service, so they could actually pay for certain courses and take those courses online. So, yeah. So that's how I got started. Got it. Okay. So you decided to full time, like just commit to security when you came to PayPal. What's been the most difficult part of that career change or I would say challenging? Security people are hard to work with. I know this about myself, especially early in my career. We spend a lot of time with people who think in zeros and ones and are very technical. What was that transition like moving from general production and learning and development of that sort to, hey, we have serious things that tend to be engineering focus, some behavioral stuff, but we do spend a lot of time with engineers. So what's been the most challenging part of that? I will say the one of the most challenging things with working with education and awareness in the cybersecurity realm is the fact that the nature of cybersecurity is very fast paced. You're getting new and different type threats every day. We have these really devious, dastardly type of hackers on the hoodie trying to do their work or create these threats. And on the other side, we have technology that helps thwart a lot of those attacks. But you still need the human to understand and react appropriately. So the hardest thing is because that's a very fast paced type environment to have the educational resources be just as fast paced to give everyone the proper security acumen they need to be effective in their jobs. That's probably the hardest part, because the thing is, we are biologically wired to learn in a particular way. And so to be able to couple how we actually learn and internalize information so we can apply it effectively to match that quick rate of what's happening so we can address it. That's probably the biggest struggle to get those things together. And then on top of that, you have to think about you have, I would say the powers that be, and they want to see these things happen quickly. And a lot of times they're very used to working with technology. A lot of times, you can kind of tweak some of the different code or you can put in more filters or more controls. But when you come to education and learning, you're still you're still working with the human mind. Yeah, you can only speed up that process so much. So that's kind of the issue is, is you have to honor how we biologically learn. And I would say this way, we're only going to intake, let's say, for example, we have a course, that course might be about a half an hour long, you're going to only remember about five or 10 points of that. And you're going to lose it every day, until you're only going to retain about 10% of that, if you don't practice it, and repeat it in the next three days, it's lost. So I would say that's the struggle to get everyone to understand, learning takes time. Engineers need the time to absorb this information, to not have distractions, so they can apply it effectively. And you can't just push it out and say, learn it, do it in, you know, two seconds. Yeah, and I think just enabling whatever security controls we can to make it so that they only have to focus on the things we don't have a fix for. I think that's really helpful, too. I think years ago, we would ask them to remember laundry lists of things. And now there are a lot of tools that do that stuff for them. So focusing on the things we still don't have a technical control for is, has kind of been like my approach. And speaking on the other learning modalities, I'm on a team with a group of women, and they're, they're all very like they can, everyone can like read a spreadsheet, and it just goes in immediately. And I'm kind of like visuals, I kind of like, you know, bubble maps, things like that to absorb. And I've really just noticed how important it is to make sure that you're learning in like your preferred mode. Because sometimes I look at these spreadsheets, and I'm like, it's just going out, you know. And that's, and that's actually another point as well, is the fact that we all learn in different ways, we all have different learning styles. So a lot of times, some might be, let's do it this way. But as a, as someone who is maybe like a professional educator from that background, you have to open up your mind and say, I learned a particular way very well. For everyone else, I need to give them opportunities to learn in the way that is most comfortable for them. So just doing those things and getting that point across is really important. And you brought up something else, controls. So we come up with various security controls to help, you know, mitigate or stop attacks. And you want that educational training to actually complement and support that, not to compete against it. So that's important too. So it works together. Yep. So what keeps you interested in security? I think you, even though this is your role, I know you still dabble in a few things that are outside of security. I know you've done some privacy type stuff, but what keeps you focused on security? I mean, you're committed now, you've been doing it now for several years. So I think you're in it for the long haul. Yeah, I would say what keeps me here, and this is the truth, is working with various software engineers. I think working with that audience, they're usually people in the outside world say, ah, they're techie, they're geeky. But the thing is, they care so much about what they're doing. They have such focus. And I have such admiration for the knowledge that they bring to the table, especially cybersecurity. I love working with them. I love the way I learn different things from them, and we share with each other. And I think in some ways, I teach them as well. And there's that mutual respect. They respect me for the educational learning aspect, the perspective I put to it. And it is that respect, and I see how they work and how they care. And I just think to myself, I like being a part of that. That's going to automatically be something. I haven't been to one company where I didn't work with a team of software engineers or technicians where I didn't just enjoy that particular, I would say, sharing of information and whatnot. So that kind of keeps me in it. I like the people that I work with. That's a big part of it. And so I like also the fact that in technology meets learning. So I love technology. I know just enough to be dangerous. How to code a little bit in Python and C++, started way back in the day with Pascal. I work with technology. Don't laugh. It's been a while. I'm aging myself. But being able to do that and then couple learning with that, I love it. And the technology that you deal with, with learning and education with that. So those are the things that keep me there, that keep me excited every day. Yeah. I've actually found very few security engineers that weren't willing to take time out of their day to educate. There were several people when we were at PayPal that sat with me and explained cross-site scripting. For some reason, I could not understand how it was happening. I mean, I would read it, I would do practice exercises, and it just wasn't going in. And actually, Bill Corey, one of our old coworkers sat with me for 30 minutes and really helped me understand this one concept. And I'm still so grateful for that. And I found that gratitude across most of the teams that I've worked on since then. True. Me too. And now being at Palo Alto Networks, I would say the team that I work with from pen testers to the architects, to the SOC team, they are all so committed. And I work with them and we can come up with different types of, I would just say, technologies or new projects we can put together to solve different problems and different gaps with the learning and the execution, with controls and whatnot. And I just like it. It's a great, great, great group of guys, gals. Yeah. Yeah. Actually, SOC analysts, they're another group that you can really learn so much from. Gosh, I mean, the alert fatigue they probably experience is unreal, but man, they really see everything coming in and can be the core of information for those of us that need to teach others about what not to do. So that's been really helpful. True. And I love going, if you can go and visit a SOC center, that's the coolest thing. It's like you're on a mission control or something. I feel like- Hidden figures when you're in it, like NASA going into the control room. So I've been able to do that and share that experience with the SOC team and having them share it with me. Actually, you've been after me to watch that movie for years now and I still haven't done it. So I'll commit to it. Okay. Now we know what we're doing Friday evening. So what is your favorite element of security and do you have anything that you still kind of find challenging or that you're still trying to work on? Well, I would say one of my favorite elements is seeing learnings internalized. So after it might be a typical awareness program, it may even be the annual compliance training, which I know everyone kind of rolled their eyes when they see it coming, but it's necessary. And you have to have those periodic reminders so we can keep top of mind what is most important with our security acumen, but being able to see a person's face light up when they've internalized information. If they may approach or see some type of suspicious phishing email, for example, and I'll be passing the desk and they're like, I'm not clicking on this. I'm turning this into the SOC team so they can vet it before I click. Knowing that we can do that and we can stop phishing attacks, that people understand the importance of why and it's embedded in their psyche to be careful, that I love and I think that's like a great success. And then also, I would say one of the struggles is being able to, in creative ways, create new trainings that complement the security environment and the work environment of those that need to take a training. So my big thing right now is how do we create trainings that we can embed into the workflow of what an employee may do. So whether they are on the InfoSec team or they're in finance or they're at a call center and they may have phishing attacks, knowing how they can, within the role and the job that they have day to day, be able to bake in learning, so just-in-time learning, we'll call it, so they'll know what to do at that moment, you know, to keep themselves safe. That, to me, that's one of the challenges, that's one of the things I love, trying to figure out these creative ways to kind of do that. I like that. Yeah, we're in the midst of our annual training now, so I'm definitely feeling that pain and pressure, but we really are trying to humanize it and we are recognizing employees that report quite a bit to our internal, you know, reporting email address, and I was most proud that we have two members of our sales team on that top reporting list. They're a huge percentage of our company, you know, they're responsible for paying the bills, so they're very, very busy, you know, they got a lot of calling, they're probably receiving a lot of emails that could be problematic, but their eyes are open and they're reporting, and that's like a very gratifying feeling. I'm so appreciative of that. Yeah, and you have to, you have to celebrate these small wins as well, because you want to promote that positive behavior. So, at Palo Alto Networks, we have what we call the cyber reporter program, where when people report, we reward them just for taking the time to notice and to report it, whether it is a phishing attack or not, it's the fact that they're thinking about it and they want to be proactive in helping to keep our network safe. Yeah, exactly. It is really, really valuable, and we're doing the same. I'm happy to be someplace where we don't blame people for sometimes doing the wrong thing, like we're a pretty blameless culture. Everybody makes mistakes, it's the reporting that's important. So, that's something I think is really important to foster at any company, because if you're punishing people for clicking on a phishing email inadvertently, you're done. Your credibility is done. They will hide it forever. Exactly, exactly. So, we wanted to have people be proactive rather than scared, and just saying, well, I didn't do that. It's like when you, if you have, say, for example, a phishing simulation, and you have that teachable moment at the end, if they happen to click, and they think, I'm just going to click the X, and nobody understands what I did. But just take the time and look at the teachable moment, and it's okay, don't worry, you're not going to get in trouble. Yeah, a guide to phishing simulations. I've had more than one just go sideways, right? You just bite the bullet. But I think there's a lot of value in them being executed appropriately. Do you have a security champions program? I don't think I've ever asked you this, and this isn't part of what we reviewed for this, but do you guys have a security champions program? Yes, we do. And I think there are a lot of different ways, not that it's necessarily implemented that way where I am now, because you don't want to give away the secret sauce, but having security champions in all the different locations that can help to amplify a message, no matter where they are globally, and also being able to have those champions who are a part of maybe more technical, the infosec team, or work closely, all of that need to have these programs. So you can, one, reward, and two, you create that communication channel where you can have back and forth information going. One, this is probably the, this is the proper way to do this, that, or the other. And then also having them come back and say, this works, this doesn't work. So you can work together as a team. So yeah. Okay. Yeah, we're starting to kind of evaluate and think about it. So I was just curious if you had something going. Yeah, I think it's worth having, it's worth implementing. At least it's not one of those things you have to do right away. But I think also organically, when you start creating programs, and you're dealing with people, you're dealing with the human, and I've learned a lot on the human side and human risk. I think there's an element of having it grow organically, take into consideration your organization, how it works, how it flows, how information is communicated, and you build it off of that. Coming in saying, you have to do this, this way, or that, even if it's a security program, you don't want to do that. You want to build it up so people naturally come to you. It's like, if I build it, they will come. You remember that movie with the baseball guy? Field of Dreams. Yeah. Just to be clear, just to be clear, I've never seen it, but we, I did create a deck with somebody who that was their theme. So that's the only reason I know. So, so I wanted to pivot to some interesting things that you are doing. We've talked generally about your career and, you know, some of the things at Palo Alto, but what kind of recent big wins do you have that you're really proud of? Wow. Well, at Palo Alto Networks, one of the big wins, most recent that I'm thinking about, we have, we are sponsors or partners with the National Cyber Security Alliance. You know, that's the organization that puts on Stay Safe Online, and they are actually the sponsors for the Cyber Security Awareness Month that we're actually into now, October. So if you can see on, oh, there you go. Cyber Fest up there. That's what we refer to internally for our observation for this particular month. But we are now sponsoring that educational resource page. So that means you can go to their website and they have reached out to all the different entities who have free educational resources having to do with cyber security. So people can go and maybe get a certification on a particular thing, or they can take workshopping classes to hone their skills in one particular area or another. So we're actually helping to sponsor that particular feature that they now offer. And so I'm very proud of that. And it's been a really great partnership working with them this year. That's awesome. Yeah. Yeah. I think resource libraries are right up your alley. Yeah, exactly. But I invite everyone to go there. If you're thinking about your career, and you want you feel it needs a little bit of an uplift or a boost. If you want to change from one job or work area to cyber security, go here and you will find a course that is right for you. So proud of that. And even Palo Alto Networks, we contributed certain certification programs for some of our products and so on and so forth. So it's a great place to go. It's agnostic. Any company can actually upload or educational organization can upload their courses there. Oh, neat. Okay, I'll take a look over there. Over the past two years, you've really committed yourself to organizations that focus on cyber security recruitment. So so far, what are some of your favorite organizations and what are you doing there? Okay, so I've actually learned something in a past year, pandemic and whatnot, is not to, I guess, overextend yourself. So a lot of different nonprofit organizations and cyber security, you know, women diversity, but I have a few that are kind of my go tos. And I really actively participate on a regular almost weekly basis. So just to give a shout out to them, cyversity, great organization. Yeah, they're geared toward to achieve the consistent representation of women and underrepresented minorities in the field of cyber security. So that's a great organization to be a part of. And they actually promote and share a lot of different education programming. So you can uplift your career in cyber security. So that's one I recommend and I'm a part of. Another one is the Women's Society of Cyber Jiu Jitsu. Okay, I hope I say Jiu Jitsu, but I think that might not be. But WSC, they're great. And they're dedicated to raising awareness of cyber security career opportunities and advancement for women in the field. So I love that group as well. Because with those things, you get all these opportunities, I was sponsored, and I was able to actually go to Black Hat. That's a very expensive event. But to have a sponsor and to have someone say, Hey, we're going to help you with your career. And we're going to sponsor you and going that, you know, it's just, it's great. And I'm finding these organizations really help to support and uplift anyone who cares to get involved. And so we all need to just gather together rally and support these organizations, and also volunteer our time as well as, you know, be able to, you know, partake in some of the different resources that they have. Yeah, I think one thing I really like about you is that you're appreciative of resources, and you also always pay it forward. So I know you have a pet projects going, do you care to share your pet projects? What are you willing to say? All right. Okay, I can make the announcement, but we're not ready. This is a soft lunch, we're not ready to go really public with it yet. But I've created my own nonprofit organization, it's called Cybertorial. And it is dedicated toward educating young people in cybersecurity, in particular, young girls, young females of any diverse background, why we need to see more, and I'll say, action, action oriented, she roles that we can look to and say, I can do that, I can be like that. And I've seen that while you might have some of those type roles out there, we need more. And so I'm going to do that. And also, I'm wanting to kind of focus on because there are a lot of organizations, the two that I just mentioned, and they focus quite a bit on I would say, high school and up. Well, I'm trying to do a little bit high school and down why we need to catch the interests of young people early on. So when they get in high school, when they start thinking about what am I going to major in college, they will already have that particular concept in their mind. So to me, even if you think about it today, there's a lot on Hey, be a software engineer, so on and so forth. What be a software engineer, but you know what, make sure you know how to do it securely. You can couple a little bit of cybersecurity with software engineering. I think when you get ready to go out and get that first job, your resume is going to pop a little bit more. So even if they go into any other stem, having a little bit of a background in cybersecurity will help them. And then also, I want to with this organization, help young girls in particular know how to stay safe online. Gosh, way of life. We just heard from some of the people talking on some of the companies, I won't, you know, throw out any names here. But we need to start educating our young people on how you take in the message from social media, and how you share or don't share your information, how to be careful, it's a way of life. And we can't have them learn trial and error, and something you know, bad happens to them. So I want to address that, because it's just it's a new playing field out there. And we want to make sure that they stay safe. It's like when you go to cross the street, you look both ways. It's social media, you need to know how to be safe, look both ways and be cautious in what you do and how you do it. And it's got the message starts at home. We cannot expect all the technical controls to protect our young females. They need to know how to do that. We need to empower them so they can do it for themselves. And then they can go on and help, you know, make the world a better place for everyone. Yeah, I have I have an organization that I donate to that's kind of an anti human trafficking, you know, anti sex trafficking organization every year. And I've been really proud to see over the past two years, they started to just incorporate safety online. So you're so on point with this thought process. And I think the fact that you've done your own nonprofit, I mean, that's that's killer. You're already busy while you're tacking that on. But this is true. My Saturdays and Sundays are filled. So now I'm learning how to time manage and it's like every other Saturday. But the paperwork was the worst of all. But now that I have my board of directors and whatnot, I'm just excited to be able to cultivate some different products that will push out hopefully, to have people kind of learn in the edutainment type of way. Educational, but entertaining. I'm doing a throwback to my early career, which is the conversation was going that direction. But producing and facilitating in public. That's just killer. So we have about three minutes left. I have one last question for you. And that's that I learned about Black Girls Code from you a few years ago. And since then, I mean, I guess we've kind of covered some of your volunteer experience and initiatives. But what are some of the most rewarding specific experiences that you've had with any of these organizations? Yeah, well, and then I remember Black Girls Code. I haven't been able to volunteer quite as much anymore. But I started doing that back in the day before Kimberly Bryant blew up. But now she's being an organization that's doing great. And I'll always know and maybe that's that was the catalyst to give me this yearning to create my own nonprofit so I could help also make a difference in my own, you know, small way. But seeing the future of technology through the eyes of young people that helps keep me young and help keeps me attuned and what's coming down the pike, not just how I see things today when I go to work and when I'm hearing directors from the team, but looking at young people say, hey, this is where things are going. This is what they're thinking about. And it gives you a glimmer of the future when you do that. So I learned a part of it before that for that reason. And then also being able to learn alongside these young ladies. So now I actually attend Black Girls Code events, and they're going to happen in a couple of days on NFT and Bitcoin and learning about this alongside them. It's like really, really fun. Oh, that's awesome. Yeah. NFT. That's been something interesting to read about. Also kind of an abstract concept. I have a friend selling art with NFT. So learning. Yeah. Monique, I'm so glad to have gotten to spend some time with you. I haven't seen you in real life in so long. So this is one of our first seeing each other, I think, at least since the beginning of the pandemic. So thanks for coming on. Thanks so much. Any last thought process? Any last comment? No, I think we've kind of covered everything, but it's also to push education is in my bones. I remember when I was in high school going to college and my mother was a teacher. She's like, you could go on a teacher. I'm like, man, if I get out of school, I'm not going to be a teacher. I don't want to ever set foot into another teaching institution again. But here I am full circle. And just to let everyone know, there are a lot of different ways if you're interested in getting into cybersecurity as a career, the traditional path of four-year colleges, of course, but there are two-year college programs, there are training programs, there are a lot of free programs out there. So you just have to search and look and you will find that path that is right for you. And just want to empower everyone to be the best they can be in their own personal lives. Awesome. Well, thank you, Monique. Hope to see you soon. And happy Cybersecurity Awareness Month, everybody. Stay safe online. Monique, hope to see you again soon on a Cloudflare TV segment. Great. Thank you so much. And thanks for having me. Bye.