Time is the Most Valuable Asset - Are You Respecting It? | Malia Mason
What are you doing to efficiently reduce manual processes and save tireless hours of those battling threats behind the keyboard?
In this episode, I had a brutally honest conversation with Malia Mason, vCISO and Manager of Cybersecurity, about her challenges, goals, what vendors do that piss her off, and the alternatives.
Malia served in the United States Navy as a Sonar Technician Second Class and was also in charge of all of the secret data on the ship and of making sure that everyone did their cybersecurity training.
She continues to work with several veterans nonprofits as a mentor and career advisor for veterans leaving the military and military spouses as well.
She is a strong proponent of getting more women into cybersecurity and tech, serving as a mentor for young girls in inner-city schools.
Guest at a Glance
💡 Name: Malia Mason
💡 What she does: Malia is currently transitioning roles as Manager of Cybersecurity and is the President and Co-founder of CyberDEI
💡 Noteworthy: Malia served in the United States Navy as a Sonar Technician Second Class and was also in charge of all of the secret data on the ship and of making sure that everyone did their cybersecurity training; she continues to work with several veterans nonprofits as a mentor and career advisor for veterans leaving the military and military spouses as well; she is a strong proponent of getting more women into cybersecurity and tech, serving as a mentor for young girls in inner-city schools.
💡 Where to find Malia: LinkedIn
Those who are in the cybersecurity industry and get to a position of leadership at a fancy company with a big title get targeted by so many people and become very distrustful.
What Malia hates most about the cybersecurity industry: There can be a lot of egos in cybersecurity and there shouldn’t be.
Bonus: She hates the term, “influencers.” She wishes more people in the industry would recommend those who have not had a chance to speak at conferences or events. (Shoutout to #sharethemicincyber)
Malia’s bleeding-neck challenge: Asset management.
“Even if you're 95% covered, and you have the best tools and products in the world, all it takes is one system that you don't have eyes on or that you don't know exists that has an open S3 bucket somewhere and you get popped. If you don't know what you have, how do you know if you can secure it?”
Malia’s goal: To do auto-discovery, because too many companies are still relying on manual processes, like a spreadsheet of IP subnets. She wants to see everything, and she wants the tool doing auto-discovery to run continuously. That way, as soon as a new asset pops up, her security tools are automatically pointed at it to identify exactly what it is.
Triggers before beginning to evaluate a security tool:
Malia initially checks to see if her existing tools can achieve what she wants and can handle all of the requirements needed to comprehensively do asset management and discovery.
In a previous experience, she built out a long query, which took her a lot of time and effort. Though she found more than double what the organization thought existed, it got her thinking, “did I get all of it because of having to pull everything together?”
She needed to have continuous discovery. She realized that she could not rely on one solution to do the job, because working across different operating systems and environments, both cloud and on-prem, and marrying it all into Splunk proved challenging. She was also filling multiple roles, having to pull all the tools together and hoping she had set them up right.
“There was a lot of, a lot of late nights with some beers at 10:00 PM, checking my queries and checking the tool.”
She is not going to introduce a new solution to the environment or to her team until she and her team have looked at the existing tools they have.
Questions Malia asks before evaluating a new tool:
- What tools are installed?
- What did the company pay for first?
- Are they configured properly?
- Are they working?
- Are there multiple tools in the environment that do the same thing?
- What’s missing?
- What will work in this environment?
- What can be used to supplement existing tools in the environment?
In many cases, the question is which tool can be used as a supplement to the main or primary cybersecurity tool.
“It's rarely a straight-out replacement because ripping out a solution that's already embedded within the environment is such a pain and such a huge process.”
When researching a security product, Malia relies on:
- Getting opinions from others in her “trust circles” or Discourse
- Factual vendor information vs. marketing material, which allows her to understand what it will be like to use a solution:
  - How is it to set up your tool?
  - How is it to operate your tool?
  - What does it look like day in and day out to use your tool?
  - Can your tool be used in specific environments?
  - What’s the sprint planning going to look like?
  - How big of a project is this going to be?
  - How many hours is this going to take to set up?
  - What's the support that I'm going to get from your company?
  - Are you going to be able to answer questions within 24-48 hours?
  - Can teams get proper training so they can eventually run the tool?
The worst thing Malia has experienced from a vendor:
“A vendor contacted me and said, ‘Hey, I love what you're doing with diversity, equity and inclusion. I'm also supportive of DEI. Let me sell you this tool that I'm trying to try to advertise.’
That is a surefire way to get on my permanent block. I will blast you. I've put these vendors on blast and I'm like, ‘how dare you use diversity equity inclusion to sell your tool to me?’ No. Do not ever, ever, ever mix those two.”
“I think a good way is to demonstrate your product. You know, show us how is this gonna help us? You know, make our lives easier. I just saw a demo for a product the other day that I was so impressed with. It was a two-minute video and it was like the co-founder walking through and actually doing a live demo - showed the code behind it, showed how easy it is to integrate it, and then showed different challenges that can be overcome.
It was only two minutes. That's all the time I have for. And I had just happened to see this person posted it on. Didn't reach out to me, didn't reach out to anybody. One of my buddies commented on it. That's how I saw it. And I was like, wow, I already sent that to, you know, my, my new boss, the CISO. And I was like, ‘we should take a look at this product.’”
Marketers or salespeople who study up on Security+ to get security knowledge and speak their buyers’ language will open doors more than anything else.
What Malia likes that vendors do: Being fast to respond to emails and get support because practitioners are slammed.
Bonus: Ditch the swag. Donate to someone’s favorite non-profit.
“That's a vendor who I think is going to have more empathy. They're probably going to care more about my problems at my company. They're probably going to listen to me. They're probably going to get me more support just because. They had a different approach. It seems like, ‘oh, they actually give a shit about the community. They might actually give a shit about me and my problem. Okay. I, I might trust them a little bit more than your average, your average company.’”
Have patience and understand that no means no. If security professionals say “not now,” please don't continue. Put a note in your calendar for six months later and do a check-in, but please don't harass them. Especially women.