Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Tatiana Argueta joins us today. She is a senior security engineer with over fifteen years of experience spanning cybersecurity operations, risk management, automation, and creative problem solving. She holds a master’s degree in cybersecurity from Georgia Tech. She’s also very involved in Toastmasters. Tatiana, thank you so much for joining me today and hopefully this time you can hear me.
Tatiana Argueta: Good morning, Greg. Thank you for having me. And yes, I can hear you.
Greg: I’m so happy about that because for the first time in like, two hundred and thirty times doing this, started the recording, did the intro like that, started talking and all I could hear is you saying Greg, I can’t hear you. I can see you, but I can’t hear you. I guess it’s the first time for everything, but I’m really, really glad that we got it worked out. I appreciate you taking the time to join me this morning. Would love to hear about your career path, about how and why you got into cyber and just bring us up to where you’re at today.
Tatiana: Sure, yes, just a little note on the intro. I’m not done with my Masters yet. I’m still working on it at Georgia Tech.
Greg: Yes, thank you for correcting me.
Tatiana: Yes, so I’ve had a bit of a non-traditional path into cyber security, if you may say. Since a young age I developed a big passion for social matters. So after graduating high school, one of my first careers that I pursued in university was political science, international relations, marketing, I was combining quite a few things there. And then I found myself in a position where I had to move and then whether trying to continue the path I was in or change it to something else which got me into web and interactive media design.
Tatiana: Now, when I was pursuing that program, I had a requirement to do an internship, which I was able to do with Citgo Petroleum over in Houston, and that internship got me into their marketing team. We worked on optimizing some of the websites, working on analytics, customer experience, a little bit of everything, government, public affairs, communications, things like that.
Tatiana: And an opportunity opened up at the company I was in for a system security analyst. Honestly, part of why I got into it, it was because I felt like I was a little bit stuck in the role I was in. Excuse me. So I started as a way to learn or have fun learning something new, right?
Greg: I was listening to your podcast last night, and you always mentioned this is about learning new things and having fun, right?
Tatiana: Exactly. Yeah. That’s pretty much my motto, I think, as well. So that got me into security, and I really liked it. It was an extremely demanding job, but I had great colleagues. Quite experts, very knowledgeable, and they were able to transfer all of that to me, which allowed me to, as you know, become a CISSP eventually. And that’s when I realized that security was my thing.
Tatiana: So since then, that’s what I’ve been trying to do, just strengthen my security skills, especially because I didn’t have that formal academic background. I learned everything on the job or in formal training. And that’s why I got into Georgia Tech to get the master’s as well.
Greg: So you mentioned the CISSP. And I have to say that that was probably the hardest test. And I’ve taken some hard tests, but that was a very, very difficult test. Maybe it wasn’t the hardest, but it was one of the hardest. And I did it about twenty years ago. And I’m just wondering, A, did you find it as difficult as I did or was I just stupid? And B, how did you prep for it?
Tatiana: Oh, okay. So honestly, it was challenging. I think most of it for me was just fear. I’m not a great test taker. I also, like I mentioned, learned a lot of it on the job hands-on, so I was afraid that I wouldn’t be able to really keep up with the lingo and everything. But I kind of took it upon myself to almost test myself, right? Like, is this what I’m going to do? Am I good enough in testing?
Tatiana: And at the end of it, if anything, I could learn about my knowledge gaps and see where I need to go, right? But I mostly prepped through some of the formal education through ISC2. Particularly practice tests, I think, were one of the best tools that I used. And some YouTube videos for sure. There’s a guy, I don’t know if I can mention names here.
Greg: Sure, sure. Okay. Just so long as they’re complimentary. We don’t want to say anything bad about people.
Tatiana: No, of course not. There’s a guy on YouTube that has some of the best material, the best content out there, Pete Zerger. I hope I’m not mispronouncing the last name. But if I had to recommend somebody, somewhere to start, he is really great. He has videos where he goes into specific domain topics and all the nitty gritty of the things. And he has a crash course that is just fantastic.
Greg: I’ll have to look that up, but I did sort of the same, a lot of the self-study. I didn’t do a boot camp for the CISSP, but you mentioned gaps. One of the interesting things that I found when I did the CISSP is that the domain that I thought I was going to be the strongest in wasn’t. And so I was networking prior, and I think you were too, doing some networking stuff. And I had been in networking for the first half of my career or the first, yeah, you know, fifteen years or so. And it was risk management that I was the most solid in. And that actually did help me to understand maybe I need to pivot my career there. And eventually I did and went down the CISO path. Did you find that the domain which you thought was going to be your strongest wasn’t your strongest domain?
Tatiana: Yes, I think so, in a manner. I think one of the biggest challenges, too, is trying to unlearn, quote unquote, those bad habits that we get from the companies that we work on, right? And how do we put that into the industry terms? And more specifically, since we’re talking about an ISC2 certification, how does that organization look at it, right?
Tatiana: Which is the key, the key point here, because at the end of the day, we are testing on their examination on how they look at security and how they bring it together as a systems design organization.
Greg: And so I apologize for my mistake at the beginning of the podcast. It’s my vast staff messed up with the show prep notes, the vast staff, meaning ChatGPT. So if anybody’s wondering, my secret to my success here is that I utilize ChatGPT to help me with the show prep. And sometimes they get it a little bit wrong. And in this case, you said that you are working on your master’s at Georgia Tech. Thank you.
Greg: From someone I worked on and got my master’s at Middle Tennessee State in information systems, sort of like the same thing, not the same degree that you’re doing, but the same process. And one of the things I found was that it’s very difficult to work full time, have the responsibilities of everything that you do in life, and also go back to school and pursue an advanced degree. You got any tips on how to do that?
Tatiana: Honestly, I guess it does take a lot of discipline, right? But most importantly, personally, I think it’s not necessarily as difficult if you’re into something that you really like, which for me has helped a lot. Additionally, my program, it’s quite convenient. It’s online and I am still working full time and studying. But also I’m able to apply everything that I’m learning day to day in my day to day work. And that truly, truly helps.
Greg: So is it fair to say that in your fifteen years experience, you’ve worked in several different industries, right? So and most of them have been regulated. I’m again relying upon my assistant that I think I’m going to fire after this. You were in energy and healthcare, which are both two highly regulated industries, correct?
Tatiana: Correct, yes.
Greg: So, you know, a lot of the times I tell folks, particularly in the virtual CISO world, when I’m going out there trying to sell our product and our services, one of my go-to lines is like, well, security is pretty much the same across industries. Maybe the acronyms are different, but for the most part, security is the same. But it isn’t quite true when I said it. I’m not really lying. I’m explaining from a baseline perspective. But when you get really into the weeds, particularly when you’re talking about regulated industries, there are some significant changes, particularly around the security risk area. So I’m just curious, in your experience, what are some of those changes that you see when you go to different regulated industries as far as information security risk?
Tatiana: Yes. So I think obviously it’s about the context, right? And specifically for those two industries that we’re talking about, I think the types of threats don’t necessarily change, but it’s mostly about how the risk is defined and how it’s tolerated basically and enforced in a company.
Tatiana: For example, in the healthcare industry, you would expect that availability and patient safety are the priority and how we manage, how we define and manage that risk, right? Versus if you look at the energy or critical infrastructure industry, it’s a little bit more about resilience and operational continuity, right? And sometimes perhaps things like privacy and things like that wouldn’t have a big score as they would on industries like healthcare or something that deals with a lot more sensitive data.
Tatiana: Yeah, so I would probably say that’s the biggest one. And from that context perspective, it’s also the culture, right? And how people prioritize the risk, the safety and the regulatory requirements around them.
Greg: I know one of the challenges for any security program, and this isn’t limited to large organizations, small organizations have it as well and maybe different aspects of it, but it’s culture. Culture is so much driven from the top. You have to have buy-in from the top, from the C-suite and from the board. And sometimes it’s a difficult sell to the executives as far as the importance of information security and how it affects the business. How do you find a way to be effective to get buy-in when talking basically to folks that don’t really speak our language in information security on a daily basis, but that they need to understand the risks that the organization is involved with with regards to their information?
Tatiana: Sure. Buy-in is always going to come from understanding, right? And everybody has a different angle or a different role that they’re fulfilling in their company. Particularly for leadership, I think it’s all about the outcome, right? They want to know about how is your revenue impacted and beyond the operational disruptions, what are the consequences.
Tatiana: And then for leadership, it’s about scaling and reliability and that technical debt, that reduction as well, right? And learning how to prioritize all these competing needs that we have, because that’s how security works, right? And the premise is we can never get rid of any risk for real, but we learn to manage it and prioritize it, right?
Tatiana: So if we really want to get that buy-in from leadership, I think it’s best to frame it into terms that they would truly understand. And that often comes to not necessarily focusing on the controls that we’re placing in the processes, in the business processes, but more about the impact on that revenue and the outcomes as a business in the end. Because businesses are here to generate revenue, right?
Greg: Right. They’re not here to give us a playing field to work with cool tools and all that.
Tatiana: Exactly.
Greg: Sometimes it seems that way. But as security professionals then, what’s our responsibility in this process? You’re talking about that we need to talk in terms of the business. Doesn’t that then put upon us the responsibility of understanding what the business does and some of the strategic plans and aspects and goals of the business, and even just have an understanding of business communication terms?
Tatiana: Indeed. Yes, yes, yes, for sure. I think the biggest way to sum up the role for security practitioners here at the operational level, I think is, like you said, definitely we need to understand our business, right? So understand your business, understand your users, which are not necessarily the same context.
Tatiana: They might be the same people. The business employees are part of the business processes and they’re gonna be your users. But what I mean by that is the business process has defined roles for people, but people are people and people might be having a bad day, might be having this or that. And in your day to day, you have to learn to deal with things like that, right?
Tatiana: So understanding your business, understanding your users, understand the technology that you have, and most definitely understand your data, right? Especially if we’re talking about telemetry and things like that and security. Communication is also so important in this sense.
Tatiana: I like to point out that the good Lord gave us two eyes and two ears and just one mouth, so use them proportionally or something along those lines.
Greg: But in all seriousness, we talk about certifications in our field. We talked a little bit about the CISSP beforehand. But one of the most impactful certifications that I’ve gotten in my career (I’ve talked about this before the podcast) is nothing to do technical, and it’s from Toastmasters.
Greg: Back then, I don’t know what they do now, I think they pivoted at some point in time. Back then the two main ones leading in you first are in the competent communicator and then the competent leader. And the reason why I say that is not so much people think about Toastmasters and they think well it helps to get you to speak and it does.
Greg: But really what Toastmasters did, at least for me, was really helped me listen, help me to process, help me to remove the idea that I have to be thinking about what I’m going to be responding while the other person’s talking, because you learn to think on your feet, like through the tabletops, and being able to enunciate and to get your point across quickly, which I’m not doing right now, is another aspect of it, too, with the whatever they used to call those two-minute speeches that we did. I think it was tabletops.
Greg: Oh, yes, yes, yes. I’m just curious. I know that you did some Toastmasters work earlier in your career and were part of the, you held one of the positions, the office. I did too. I think I was like education and it was tough. I think it was the toughest one. But I’m curious from your perspective, because I’ve sat on this podcast and say Toastmasters is great. You should go out and think about doing it. And yet now I have someone here who’s actually been through Toastmasters. Did it help you any in your career? And if so, how did it help you? And if not, just tell me I’m way off base.
Tatiana: No, and actually, I’m glad that you mentioned that now that I think about it. I’m going to start with this because I don’t want to forget. This is one of the reasons why I got into security, actually, because of Toastmasters.
Tatiana: When I was in the Toastmasters team at Citgo, that’s where I was in the vice president of communications role and a member as well. That’s how I met the manager for that security role that I moved into the company, actually.
Tatiana: So just a side note there. It’s funny that we’re talking about it. Think about it retrospective that perhaps if I hadn’t joined Toastmasters, I wouldn’t have developed that relationship with that manager and then get comfortable enough to make the leap, right? But most definitely I think
Greg: Go ahead.
Tatiana: Sorry.
Greg: No, no, I just said I love it. I love the fact that another benefit of Toastmasters is that it’s like any sort of networking. It’s like you never know when you go somewhere what you could be introduced to as far as like that can help you later in your career. I haven’t been to an ISSA meeting, for example, in over a year and a half. And after we’re done recording this, I’m actually going to one. So I’m actually excited. I’m trying, that’s one of them. I don’t do resolutions, but that’s one of my goals for the year. So everybody remember that too. It’s just like you can network and maybe that’s how you can advance your career, but anyway I digress. Go on.
Tatiana: No, no. So I think you’re absolutely right on the listening portion because it makes you first of all exposes you to lots of different people, right? Which that’s a great start. For me personally, I would say I am a relatively anxious person in social spaces or in social interactions, to be honest. I don’t know if it’s coming across right now, but I am.
Greg: I am too, believe it or not. I relate. I’m not a social butterfly, but I take it well.
Tatiana: Yeah. So I think for me, part of it was trying to get out of that bubble, try to get out of my comfort zone. And as English is not my first language, I thought it would help me get out of my comfort level, network with other people, and also practice my English public speaking skills. Right? I think that definitely helped a lot.
Tatiana: I also like research. I like learning new things, like I mentioned, and then having to prep for those speeches. It was fun just doing the research and write it up. It was a good challenge.
Greg: Yeah, it’s been so long since I’ve been involved with Toastmasters, but I did find that at first I was anxious with it and getting up in front of people and what are they going to think? And then you realize it’s like, wait a minute, everybody’s in the same boat and we’re all helping each other.
Greg: And that kind of carries over to social situations for me in general or professional situations, even being in meetings and all that. It’s like, I’m not the only one who’s anxious here. Everybody’s probably got something going on in their mind so let’s just breathe and just go on with it. We’re all human.
Greg: It’s kind of like this podcast here too. It’s just like, I mean, we’re just talking, having a good conversation. And whereas I was thinking about this beforehand, before we actually started talking before recording, it’s like every single time I do this podcast I get nervous beforehand. But yet I wouldn’t have done this podcast if it wasn’t for Toastmasters.
Greg: I get a certain amount of my confidence in the fact that just in communication and listening. And I have the pleasure of hearing so many stories. I just think it’s great. Not only do I get to share the stories, but I also get to hear them firsthand. And that’s what really keeps me going. And again, all that because of Toastmasters.
Greg: So one other security question before I forget, because we’re at different stages in our career. In your opinion, what do you see as like the big thing to impact security, like say in the next two or three years?
Tatiana: Well, I think we are at a point where we really need to start learning or thinking about security in a more macro way. We all of course have the major threats, like you were mentioning. AI will definitely be one of them. And just to be clear, what I mean by that is improper implementation of AI, not necessarily AI itself, right?
Greg: Right, right.
Tatiana: And then hand to hand, and if not perhaps a little bit above AI, because AI would probably be a subset of this risk, I would say geopolitical risk is getting increasingly important and impacts more and more every day our industry, I think.
Tatiana: The incentives and types of threat actors vary so much now, from individual actors to nation states. Considering all the tensions in the global economic and political realm will definitely have an impact on this.
Greg: You bring up a very good point. Off to my right here, which you can’t see obviously, I always have a news broadcast feed on. We need to be very much aware of what’s going on in the world and how people are being fed information. That’s where the threats happen.
Greg: And the same thing with geopolitical issues outside the United States, everything going on with Venezuela and now with Iran. The stories coming out of Iran that we wouldn’t be able to see without Starlink. You’re right on.
Greg: We tend to forget that and think of threat intel as CVSS scores and ISAC feeds, but really we have to keep our head on a swivel with everything else out there.
Tatiana: Indeed. Yes, yes, yes. And to follow up on that, I think the other big risk out there is misinformation and disinformation, for sure.
Greg: Yeah. And that’s a tough one because news used to be news and now it’s entertainment. I joke, but don’t joke, that I consume both Fox News and CNN to see different views of the same story.
Greg: It can be difficult and stressful, and we have enough stress in security as it is. So I want to ask you, what’s one of the ways that you decompress from the stresses of our world?
Tatiana: That is a great question. It depends on the season. I love gardening, getting my hands in the dirt, seeing growth from my work. I also love traveling, diving, listening to podcasts and music, and learning new things. That’s my way of balancing stress and growth.
Greg: And that’s the key word, balance. What future plans do you have?
Tatiana: I’m hoping to get into a PhD program for AI. I want to continue doing research while continuing my work in security. I work for an awesome company with an incredibly talented team, and I want to keep learning.
Tatiana: I’m interested in how AI will impact security not just from a control standpoint, but how it can improve business processes and the experience of analysts, engineers, and CISOs.
Greg: Awesome. Tatiana, it’s been an awesome conversation. Once again, I appreciate you taking the time to join me and chat this morning. And best of luck with everything going forward. Sounds like a lot of good stuff ahead.
Tatiana: Thank you so much for having me, Greg. It’s been a pleasure.
Greg: And everybody, stay secure. Bye.