Redefining CyberSecurity

Crisis Management: Strategies When Communicating with Multiple Stakeholders | An On Location Conference Coverage Conversation with Mary Chaney, Melanie Ensign, and Shawn Tuma

Episode Summary

Join us for a revealing conversation on crisis management with leaders in the cybersecurity field: Mary Chaney, Melanie Ensign, and Shawn Tuma. Learn about their valuable insights on the importance of adequate preparations in cyber incident response, using secure communication platforms during a crisis, and creating welcoming and productive environments in cybersecurity.

Episode Notes

Guests: 

Mary Chaney, Chairwoman, CEO and President, Minorities in Cybersecurity 

On LinkedIn | https://www.linkedin.com/in/marynchaney/

Melanie Ensign, Founder & CEO, Discernible Inc

On LinkedIn | https://www.linkedin.com/in/melanieensign/

Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane LLP [@SpencerFane]

On LinkedIn | https://www.linkedin.com/in/shawnetuma/

On Twitter | https://twitter.com/shawnetuma

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

At the forefront of this On Location with Sean and Marco are MiC Annual Conference panelists: Mary Chaney, CEO of Minorities in Cybersecurity; Melanie Ensign, founder and CEO of Discernible; and Shawn Tuma, a specialist in cybersecurity and data privacy law. The conversation centers around crisis management, particularly emphasizing the importance of preparation, defined roles, and adept communication strategies.

Mary draws on her experience to stress the need for someone with the authority to take decisive action in a crisis. Shawn echoes her sentiments, adding the need to prepare for catastrophic incident response rather than everyday incident response. Also discussed is the importance of having out-of-band communication platforms for secure discussions during a crisis.

All three panelists agree on the importance of involving companies in making their environments more inviting, safe, productive, and successful for diverse workers in the cybersecurity industry.

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Redefining Society Podcast with Marco Ciappelli playlist: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTUoWMGGQHlGVZA575VtGr9

ITSPmagazine YouTube Channel: 📺 https://www.youtube.com/@itspmagazine

____________________________

Resources

Learn more about Minorities in Cybersecurity: https://www.mincybsec.org/

Annual Conference: https://www.mincybsec.org/annual-conference

____________________________

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. I don't have the privilege or the pain of having my co-host with me, Marco Ciappelli. He normally joins me on our chats on the road and our On Location event coverage stuff. He's busy. He just joined me on another episode related to this conference, the MiC Annual Conference, um, but he's double booked now.
 

So I'm flying solo. Plus I have three guests, which is really cool. So we're no, no lack of things to talk about here. And certainly no, no lack of voices to do that. So this is part of, uh, my and Marco's event coverage where we go on location, even if it's remotely. And we, we get to talk to cool people doing cool stuff for the community.
 

A lot of times around cybersecurity, but certainly around technology and society as a whole as well. And, uh, today's conversation is rooted in the MiC Annual Conference, the Minorities in Cybersecurity [00:01:00] conference. It's second, second year running now. And, uh, I think it was a post that I saw from you, Melanie, that, that triggered me to look at this, and I saw a couple, a couple sessions, and I said, I want to, I want to talk about this stuff, and I had a chance to chat with Mary, and I had a chance to chat with Dee and Duan, looking at another session around culture, and here we are, talking about culture.
 

Crisis management and, uh, what that means to all of us in the role of, in a role, whatever that role might be in cyber and, and cyber adjacent, that might be legal comms, PR, who the heck knows. And, uh, you have a session on it as well. So we're going to talk about that too. But before we do that, because I'm tired of hearing myself talk, the three of you, I'd like to hear a few words about, uh, who you are, what you have to. 
 

And why, why this during their conference? So I'll start with you, Mary Chaney.
 

Mary Chaney: There you go, putting me out there. So, uh, my name is Mary [00:02:00] Chaney. I am the CEO, chairwoman and CEO of Minorities in Cybersecurity, uh, CEO and founder of MiC Talent Solutions, as well as a cybersecurity and privacy attorney.

So we got a lot going on. Um, the MiC Annual Conference is coming up here at the end of March. And I started Minorities in Cybersecurity specifically to develop cybersecurity leaders. We, we are literally right in the middle of cyber workforce development. We develop talent from the very beginning all the way up and through board of directors, and I will stop there because I can go on and on and on, but I will pass it on to Mel.
 

Sean Martin: I'm going to say quickly before Mel takes the mic, everybody needs to listen to our kickoff conversation because you describe all the cool stuff that you're doing with MiC and the conference and, um, it's just amazing.
 

So we won't recap it now, but definitely listen to that episode and, and uh, now over to Melanie.

Melanie Ensign: Awesome. [00:03:00] Thanks, Mary and Sean. I'm so excited to actually be speaking at the conference this year. I attended last year, and it immediately became one of my favorite events of, of the year. So, you know, there's a lot of conferences and a lot of events that, that we could be going to, and this one is, is really special to me. So I feel very honored and privileged to be part of it. My name is Melanie Ensign.

I am the founder and CEO of Discernible, which is a specialized cybersecurity and privacy communications. So we work, um, exclusively in the security and privacy space, um, and our clients are usually CSOs, uh, chief privacy officers and, uh, technical teams, um, that are kind of up-leveling their communication skills, uh, and learning how to develop greater influence within the organization.
 

Um, I'm also, uh, the secretary on the board [00:04:00] for Minorities in Cybersecurity. Um, disclosure: I don't know how many, like, things I need to, need to put out there for, for folks to know, but you know, this is an organization that, um, that I feel very passionate about and, you know, I would follow Mary just about anywhere.
 

So her leadership has been spectacular. 
 

Sean Martin: Nice one. And I have to say, Shawn, we were just on talking about ransomware and all kinds of other fun topics. And so I was excited and surprised to see you as part of this as well. So I'm, I'm glad to have you back on so soon. Um, what are you up to? I'm going to, I'm going to ask people to listen to our episode too, 'cause you shed some insights on where things actually sit, but what about, uh, brings you together today?
 

Shawn Tuma: So thank you. Thank you, uh, Mary, first and foremost for, for inviting me to speak at the Minorities in Cybersecurity conference this year. I'm really looking forward to it. Um, [00:05:00] Mary and I have been friends for many years. I remember Mary want our first lunch before any of this stuff had started. Um, just to see the tremendous buy-in you've gotten and the momentum and the growth.
 

I love it. Um, I see you're touching a lot of people's lives and, and ultimately that's what we're all trying to do. So I'm happy to be a part of that. Um, Sean, to your question, uh, you can tell I'm a lawyer, right? I'm not answering the question. Um, I'm a cybersecurity data privacy attorney and, um, uh, most of my work is focused on incident response as a first responder role as a breach coach, quarterback, whatever you want to call it. Um, and, and then the other part of my work is related to risk management, cyber risk management. And, um, and through that, we do a lot of training with clients, tabletop exercises, planning and all that stuff. And, and one of the, you know, [00:06:00] our role is to, to lead the team and to, to help with the strategic oversight, the making sure everybody's doing their work the right way and working together as a team leadership.

Um, and so, um, you know, crisis communication is such a critical role of all of that. It's critical externally, but it's critical internally also. And many times how our teams work together. And so, um, you know, being able to join everybody here is wonderful.
 

Thank you for having me.  
 

Sean Martin: Pleasure to have all three of you on together. And it was shocking because, um, when I think of crisis management, I think close the door and hide away and do it all on your own. I'm joking, of course. I'm joking, of course. No, there's so much involved and, uh, off screen. I won't make her repeat it, but, uh, [00:07:00] A crisis, uh, doesn't have to be if you manage it a certain way. 
 

It's only a crisis if you don't manage it properly, we'll say, uh, politely. Um, but that involves many people. There's a number of stakeholders. So you actually, the panel that you're, that you're having, the discussion you're having at the, the MiC conference is, uh, crisis management strategies when communicating with multiple stakeholders.
 

So I'm joking a little bit there, but it's the multiple stakeholders. How, I know it's important, but how important and why, why, what happens if you don't have alignment, coalition, what is it, who wants to kick things off there? 
 

Mary Chaney: Okay, nobody's, everybody's quiet. We all have different viewpoints.  
 

We all have different viewpoints because  
 

Melanie Ensign: I'm having fun with two lawyers.  
 

Mary Chaney: Yes. Yes. Yes. And then we're not [00:08:00] shy. So, you know, I was gonna say I was gonna toss it to you, but no, it's just different viewpoints. Right. And I dealt with incident response, breach response, crisis management at the FBI, which is, it's a really bad day. 
 

Um, when you have to call in the FBI, uh, and, but I also ran security operations center, has been a, the head of it in, in multiple capacities, and ran incident response, director of incident response. So it's really, really, really important. I remember my first issue, my first week on the job in my first role in corporate America, a client called and said, you guys are exposing my information, uh, on Google.
 

Essentially we can boil this all down to, they had a Google alert. If you don't know, you can put an alert on your name on Google. And what happened was when we do the root cause analysis [00:09:00] behind it. And I'll get to that and then I'll go back to the, the thick of it. But somebody, you know, there is a robots.txt file on your website that says, yes, Google can crawl, or no. If it's yes, they can crawl it. If it's no, they cannot. And so software dev go, go in, and it was, they put, pushed out an update. The page said no, but then the update said yes. And then that exposed all this data. But what happened is, you know, we're, we're in on this phone bridge, and anybody that's, that does incident response, that they have this.
 

So you have all of these people on the phone that are trying to figure out exactly what are we going to do about the fact that now Google has crawled the site, and it is a phone bridge because, it's okay, I'm dating myself, it's not a Zoom call. We're all on a conference call and there's multiple stakeholders involved, and it became readily apparent a week into the job that I had walked into a mess [00:10:00] and because there were no clear defined places or roles that someone can go to make a decision.

And, and what I took away from that, and I'll turn this over to the others after this, what I took away from that in all, in every position I went through thereafter, we have to have someone that can say, turn off the website, we have to have somebody that can actually make, have the authority to say, shut it down.
 

And that's what I worked on because that's what the whole thing was. The business didn't want to shut down in, in South and everybody was like, Oh no, we're going to interrupt the business. It's like, but it's exposing PII. So we might just want to cut it out. So that's some of the stories that I have and that I'll be sharing in regards to when it goes wrong and what you can do to prevent it from happening. 
 

Shawn Tuma: When the incident occurs, you know, um, what Mary's talking about reminds me of something that I use [00:11:00] with clients on incident response planning and preparation, and it's a saying from an old general, Omar Bradley: amateurs talk strategy and tactics, professionals study logistics. And so much of what we do in incident response, it's about logistics. Do we know our team? Do we have a team? Do we know what their roles are? Do we know what each other's roles are? Who can do the things that need to be in and how do we reach them when we need them, right? Logistics, logistics, logistics. Um, but the, the thing that I think is really important also to understand is when we're talking incident response, we're not talking about the normal everyday incident response that takes place within organizations hundreds or thousands of times. We're talking about catastrophic incident response. And I had a, a [00:12:00] failure of communication recently with a client who was going through a ransomware attack.
 

They weren't our clients yet. They had been told to call, talk to me. I got on the phone, set up a call, intro call, scoping call with forensics, all this stuff. And I could see the look on the, on the face of the CISO. I could see the way he was looking during this call is he's thinking, I know incident response.

I got incident response. What do I need some lawyer and some other company telling me about what I already know how to do? I know what to do. Quit wasting my time. Let me go do it, right? This was on a Tuesday. They ghosted us the rest of the week. Friday night at 7:30, I get a text: we need to talk ASAP. Which, you hadn't even signed my engagement letter yet.
 

Right? Um, we need to talk ASAP. Okay, we got  
 

Melanie Ensign: like, I'm [00:13:00] having deja vu listening to this story.  
 

Shawn Tuma: It escalated. It didn't get handled. Right, Sean, to your initial point, it escalated. Now they had a threat actor posting their data on the web and tweeting it out. Right now. It came home to them. This is something different than what we do day in and day out.
 

That leads to Melanie. This is a very specialized skill set, and you got to have a team to do this right.  
 

Melanie Ensign: Yeah, it's, I'm not going to disagree with Shawn, but I'm going to offer a different perspective, at least from the communication side where I sit, because Shawn is absolutely correct that you, you have to be prepared for this.

You have to have, to Mary's point too, you have to have roles and responsibilities and all the logistics, you know, mapped out in advance, and that your external communications has a, reveals a lot about how well [00:14:00] you communicate internally as an organization. Um, and you know, one of the reasons why I've never marketed our firm as an incident response company is because I'm not interested in getting on the deck of the Titanic.
 

Um, there are certain things that we need from a communications perspective that it needs to exist. It needs to be true and it needs to be accessible prior to something going wrong. And if I can't develop those things in advance, because you didn't call me until something bad already happened. I know we're not going to be proud of the result. 
 

And there are lots of other companies that are happy to walk through that fire with you. And accept all of the battle scars that come with it. But, you know, I ran incident response communications. For large tech companies for a decade, and I know that there are things you need to do in advance. Otherwise, you just [00:15:00] really don't have the option of doing this well. 
 

It's going to be painful, it's going to be bumpy, and you're going to be really disappointed with the outcome. Um, and so, you know, I think both Mary and Shawn have, you know, astutely mentioned, you know, some of those specific things of, like, getting prepared, um, because it's, you really can't do the best job if it is solely reactive. There is a lot of proactive work that needs to go into this in advance. Um, in fact, I was talking to, to a colleague the other day who was talking about the fact that they were having clients who didn't want to spend a certain amount of money for preparation because they didn't think their incidents were that big.
 

And, and the way that this company was thinking about it was like, why would I spend, like, hypothetically speaking, why would I spend a million dollars for an incident that's only 5 million in terms of cost? Right. And the [00:16:00] reality is, is when you invest in preparation work, you are preparing yourself for all future incidents, not just the next one. In fact, the next one should be run so well that you can refine and improve on your process, you know, um, moving forward iteratively. If your process is not ready, you miss the opportunity to get better because of an incident. You're constantly going to be playing catch-up. Um, and so that's, that's one of the things on the communication side that we're, you know, helping a lot of our clients do, is get yourself to a really good place of readiness so that every incident makes your process stronger, makes it better.
 

And, you know, our perspective is, is you should be better off at the end of this incident. If, if you feel like the incident set you back, it was not a good response. And most of the time it's because they weren't prepared. [00:17:00]
 

Shawn Tuma: Melanie, I'm going to add something. to what you're saying because I agree wholeheartedly. 
 

But what I have found, because all I, I mean, all my clients, 75 percent of them come to me when the incident occurs, right? So they haven't prepared. And what we have found is those that have prepared like you're talking about have also prepared for their incident response planning and don't find themselves in this situation because they are prepared.
 

And so what that leads to is day by day, we're having to live on the deck of the Titanic, a bunch of different Titanic. And in many of our cases, they're smaller for smaller. they have limited insuranc have limited budget and t to bring in outside P. R. looking to us to guide th they do it. And like you [00:18:00] no degree of good. 
 

It's j be? And how do we,  
 

Melanie Ensign: how pa to be? Yeah, exactly. And It's interesting because that preparedness, another reason why this preparedness is so important, and uh, Sean Martin mentioned earlier, he, he said it politely, um, I'll say it crudely, which is, it's only a crisis if you fuck it up, um, but that preparedness work, um, includes considering the fact that the impact of an incident is often larger in scope than organizations Um, I want to just make sure I mention this, but, um, I won't, I won't, I won't, I won't Anticipate, right? 
 

So when people think of incident response communications, they're immediately thinking about like the media statement, right? I am a seasoned communications professional. The media statement is not my number one priority in an incident, right? I'm thinking about our employees. I'm thinking about our customers and I'm even thinking about like recruiting, right? 
 

If we are about to [00:19:00] damage our security brand, how are we going to recruit the security talent we need to prevent this from happening again? Um, and so I've sat in on a lot of tabletop exercises that start with, Oh, you get a call from a journalist. I'm like, okay, first of all, they normally don't happen that way. 
 

But second of all, it should not be a journalist call that notifies you of, of a problem, and in the rare occasion that that is how you become aware of an issue, that journalist is not your number one priority. It doesn't mean that you let him sit there. Yes. I know. It doesn't mean that you let it sit there and you ignore it, but if I'm preparing a response to a journalist, I am simultaneously, and in fact at a higher, uh, speed, developing a communication for my customers, because I want the customers to hear from us. I don't want them to read it in the news first, right? And so there's this, this [00:20:00] planning process that has to happen in terms of, Shawn, you mentioned the logistics of, like, who are the people who write these things, right?
 

And I don't want the head of customer support to just start sending out random messages when they hear about an incident that's happening. And at the same time, you know, the folks that are writing for media need to be mindful of what's being said to customers. Ideally, our customer message is so good that I can just forward that to the journalist to say, this is what we've communicated to our customers. So if you don't think your customer communications can serve as your public response, you need to fix your customer communications.
 

Mary Chaney: Well, okay. So I'm going to jump in there as one that has been literally in the SOC and running these things.
 

Um, and I want to say just Mary's own definition. There is a significant difference between an incident and a breach. And when, when I say breach, I mean, something [00:21:00] has went horribly wrong. That's the crisis. The incident happens all the time. The breach is when you have to do something because some legal or regulatory, something, somebody PII exposed, blah, blah, blah, blah, blah. 
 

I will argue with you that, Mel, just a little bit, I, and I'm going to say this out loud. My security tools never told me that there was an incident. I told you about my first security breach. It was the actual customer that called me. It's the customer. It's a third party vendor. It's the FBI or law enforcement.

I've had those calls and, or it's, I've had even, uh, so a whistleblower. And, and, and it called me and tell me, 'cause these are, you know, global organizations, and told me, okay, something's gone awry. And it's like, okay, what the heck? I, I've had the opportunity to, to schmooze with the whistleblower who was acting all incognito and, you know, I did my FBI skills, [00:22:00] but when the FBI calls or when law enforcement calls and says, okay, so and so was arrested because they had child porn on their, uh, work PC, I'm like, what the blankety? That's an issue. That's an immediate phone call. Right. But all that to be said, you know, the, the types of communications and the stakeholders that internal communications is important and having that, we, we touched on it and everyone talked about incident response plans.
 

You have to have that plan. You have to do, and, and I, I, you know, I'm exclusively working out of a law practice here locally called FBFK, but other, as Sean pointed out, you usually get the call after something has gone wrong, right? And so it's like, Okay, but it's hard to get them to purchase the incident response plan beforehand. 
 

It's like, you need this just so you know, and then the root cause analysis will cause you to [00:23:00] improve, as Melanie pointed out. But if you literally don't have a plan, and you can see, you see the death, the death statement, and you know, every time I see, see it, I say they don't have a plan, is, oh, the, the bad actor, no, the bad actor got into our system, but they only had access to this. Yeah, no, that's not true.
 

Shawn Tuma: You know, to build on your point and both of your points, um, Mary, a lot of times now, with the changes in threat actor tactics, uh, especially with extortion-based ransom-type events, they're not encrypting the network anymore.
 

Instead, they're stealing data without anyone knowing. And once they have the data, they're then emailing members of the workforce at the same time as they are leadership. And so now you have [00:24:00] leadership learning of this event at the same time their employees are learning of it. And sometimes those employees are forwarding those to the media, those emails they've received. 
 

And so, to Melanie's point, you don't have time to go prepare now. It's whatever you have committed to muscle memory is how you're going to respond. And if you haven't prepared, it's gonna be, it's gonna be messy.
 

Melanie Ensign: Yeah, I completely agree with that. It's one of the reasons why, even from a security communications perspective, we're constantly harping on the need to be proactive, because all of the relationships that I need for incident response, I touch base with every single day in, like, the day-to-day operations, right? So, you know, the attorneys, the engineers, the product managers, the customer support. These are the people that I talked to every day when we do things like product reviews, when we do things like write blog posts or create content for conference talks, like, [00:25:00] it's the same core people over and over and over again because we have committed to be proactive in the way that we talk about security.
 

And that is a huge safety net for us when in these more serious incidents do occur because we have the relationships, we know the sign off process and we can move very quickly because these are people that we work with closely every day. And so, you know, up until the most severe levels of escalation. 
 

Um, you know, we should be doing the first five or six rungs of our ladder on a weekly basis, right, just in our daily operations so that, um, you know, we do have that muscle memory. We have the relationships. We're familiar with the content, um, and, and, and domains, right? When an incident happens in our, um, environment, that should not be the first time that I'm reaching out to my SRE team or my AppSec team or, you know, whatever teams you have. Even if it's a small [00:26:00] organization, the communication, the people who are going to be running communications for your incident should be in contact with those people on a regular basis.
 

Sean Martin: And, um, I'm afraid we're going too deep, maybe not, but I don't, I don't want to give the panel away. 
 

I'm sure some of this will come up again in the panel, but I suspect very, in very different contexts as well. But, so I want to shift slightly for a brief moment. So we're talking about the people and being prepared. And Mary, you made the joke of, we got on the phone, it was a bridge line, right? To me, that's technology. 
 

People knew to get on that line, and that conversation was on that line only. And I've heard stories where, spur of the moment, we spin up a Zoom, maybe not the best way from a security perspective to maintain such, such private [00:27:00] conversations. Sending stuff through Slack. So there are many more new technologies beyond the phone, traditional phone line, that are available to us that can help, perhaps, if not prepared, could put us in more jeopardy or in peril.

So I don't know if anybody wants to speak to that, at that point.
 

Mary Chaney: No, I mean, all of it needs to be understood, right, and thought through beforehand. Again, the phone, the bridge line, you think it was, um, secure, but it was sent to a whole bunch of people. It was a whole bunch of people on that call that really didn't need to be on the call.
 

Just honestly and truly didn't even need to be on the call. So in preparation at to Sean and Mel's point, if you prepare, then you actually know and you decide which communication platform you're going to use. Because, you know, just putting my legal hat on [00:28:00] for just for a second here. If it ever comes off, I don't think it ever does. 
 

But, um, you know, you, you, you communicate something in Slack, right? And then now, uh, you know, you're out in California and they have a private right of action. Plaintiff's attorneys go sue you. That's discoverable. Right. That message is discoverable. And so all of these things have to be thought through at the very beginning and planned out at the very beginning, even which type of communication platforms you're going, uh, you're going to use.
 

Shawn Tuma: Yeah. And I'll add to that to say, um, you know, from the, from the security. Um, depending on the nature of the attack and the nature of whatever the threat is we're dealing with, um, it's not uncommon for the threat actors to be in the email system. And so if you're sending around email and company email, uh, you know, spinning up a Zoom, [00:29:00] guess who's going to try to be on it.

And we've had them try to join before, you know, and if you put the security code, by the way, in the email, guess what? You haven't kept them out. So thinking ahead for out-of-band communications, you know, um, one thing that we use a lot, um, not by plan, but just because it's there, is text, you know, or maybe a Signal or something like that, just to have a way of reaching people to get call credentials to them, you know, or things like that.
 

Obviously, a good plan should account for that ahead of time, you know, but when we're coming in on most of these, it hasn't been accounted for. So it's, um, it's a challenge, but you got to be cognizant of that.  
 

Mary Chaney: No, I had just a quick story. I had a client that was a client maybe a year and a half ago and someone [00:30:00] compromised their Office 365 because they sent me an email.
 

And so, Hey, well, they, they said, well, that stop it. Don't stop it. But sent me an email that the threat actor sent me an email saying, Hey, log in. You know, it was like an audit. It was like, Oh, um, a form that they wanted me to click on the link. And I was like that. Okay. So first of all, you wouldn't be sending this to me because I don't work for you. 
 

I'm not in house, but obviously someone's inside. And I sent. I text my point of contact and I said, look, um, I'm receiving this particular email because I responded to the email and, and the threat actor responded back to me and I was like, okay, yeah. Okay. And so I text the person, I was like, Hey, somebody's in your system. 
 

You might want to get that checked out. And, and it was like, oh, well I don't work there anymore, but I called the guy. And he said they didn't compromise anything. And I'm like, okay, so if [00:31:00] they're communicating, this was, Oh, this was last year, right around, uh, tax time. That's when it was, I said, so if, if they're contacting me, obviously they're not out because I sent the email, they sent it back. 
 

So you're an accounting firm. I'm gonna I'm gonna need you guys to clean this up. So understanding what you're going to do, because the threat actor was there and monitoring all the email that was coming back. So those are the types of stories. I have plenty. I have plenty of stories.  
 

Shawn Tuma: We're handling one of those for an accounting firm right now, Mary. 
 

Same, same issue. Um, they did not have personal data as much themselves as all the businesses they were doing tax returns for had personal data throughout the whole country. Now they're having to update their written information security plan to accommodate the needs of Massachusetts, even though they do no business [00:32:00] there, just to show how far-reaching those little things like that can impact.
 

Sean Martin: Lots to discuss here. 
 

And, um, I'm excited for those who get the opportunity to hear you in person having these conversations, hear more stories. Um, I want to thank you, Mary, because pulling this event together, the MiC Annual Conference, it's made sorry, March 24th through the 28th in Dallas, where this session, uh, will take place. 
 

Let me just make sure I get the right name for it. Here. It's the, uh, crisis management strategies when communicating with multiple stakeholders, uh, from this esteemed group here, they'll be having a deeper and continued conversation, perhaps. Um, but back to the thinking, Mary, because what struck me is I know what you're trying to do with the organization, but to empower and enable. 
 

And for me, this topic, the other one that I talked about in terms of culture, make it [00:33:00] real, right? This isn't just about empowering. It's empowering by example with leaders, you know, and do this stuff all the time that folks can actually take back and do it's not just to feel good is it is that too. I'm sure I wish I could be there for that, but it's more than just that. 
 

It's actionable stuff. And that's what really struck me. So I want to thank you for pulling that together. It really caught my eye and, uh, that's why I wanted to have this conversation. I'm thrilled that I was able to.  
 

Mary Chaney: Yeah. Thank you so much for having us. We really appreciate it. And yes, that's our conferences developing holistic professionals, right? 
 

We need to be able to prepare them not, you know, and give them tools and practical tips and, you know, the things that we've learned by fire. Um, so they can take it back and incorporate it into their careers as they continue down the path of cybersecurity professionals.  
 

Melanie Ensign: If I could actually just [00:34:00] add one more thing, um, just another accolade to Mary's accomplishments, but the reason that I got involved in this organization, in addition to, you know, just my trust in Mary, but also, um, the organization does a lot of work with companies to make companies better to make the companies a safer place for people to join in their careers and to help companies get better at things like building diverse teams and thinking about, you know, different ways to hire and like, there are a lot of really wonderful groups out there. 
 

Um, who provide a lot of support and to your point, Sean, a lot of empowerment. Um, but the burden is still left on the individuals to break down all of those barriers. And, you know, I really credit Mary for the fact that, you know, this [00:35:00] particular organization is breaking down those barriers for organizations by targeting companies and helping the companies get better. 
 

Um, so that the placement for individuals is not so painful and they don't have to deal with all of the friction on their own.  
 

Sean Martin: And it's a funny, it's not the right word. Uh, inspiring to know that the last chat I just had on the topic of culture spoke to that directly with D and Duan, uh, you could see that where it's about giving the organizations the tools to create environments that are inviting, welcoming, safe, productive, and yeah, successful, right? 
 

Um, you can see, you can see those organizations that, that have successful teams and that are driven by successful cultures and then the others [00:36:00] that, that don't, and those, those ones see a lot of movement and a lot of, a lot of sad people coming and going. With that, I would encourage everybody to listen to that episode too. 
 

It was very insightful with Dean Duan. So, Mary, Melanie, Shawn, fantastic catching up with you. I wish you the best with your, your session at the conference. No doubt people will enjoy that conversation and have a chance to chat with you in person firsthand there.  
 

Mary Chaney: Thank you. Thank you for having us. We really appreciate it. 
 

Shawn Tuma: Thank you very much. 
 

Sean Martin: You're all very welcome back, of course. Until then, we'll see, we'll see you. Have a good conference. Those listening and watching, please do, uh, follow MiC, Minorities in Cybersecurity, and, uh, please stay tuned here for other episodes as Marco and I travel everywhere, physically and virtually, to cover events like this that are doing good things for the, for the community. 
 

Thank you [00:37:00] all.