Oct 21, 24
Episode Description
Summary
In this episode of the Hands-on CISO podcast, Adi speaks with Luna Wu, Chief of Staff to the CISO at Alteryx. They discuss the evolving role of cybersecurity professionals, the importance of human factors in security, and the impact of AI on the industry. Luna shares her career journey, insights on navigating security challenges, and advice for those looking to enter the field. The conversation highlights the need for continuous learning and adaptation in a rapidly changing cybersecurity landscape.
Transcript

Adi (00:02.342)
Hi everyone. Welcome to the Hands-on CISO podcast. My name is Adi and today we'll be talking to Luna Wu, Chief of Staff to the CISO at Alteryx. Luna Wu is a results-oriented leader with over a decade of global management experience. With a track record of success, she specializes in strategically designing and leading security organizations. Luna excels in crafting and implementing scalable frameworks for enterprise-wide initiatives that resonate with organizational vision and mission statements.
Luna (00:06.703)
Thank
Adi (00:31.344)
Her expertise extends to overseeing day-to-day business operations and driving data-centric solutions to propel organizational success. Prior to Alteryx, she helped the CISO at TikTok establish GSO, the Global Security Organization, with over 400 global employees who cover day-to-day security operations. Luna, how are you doing today?
Luna (00:51.892)
I'm good. Thank you for having me, Adi.
Adi (00:54.702)
Amazing. Of course. Okay. So first of all, I'd love for you to explain to us what the difference is between a CISO and the Chief of Staff to CISO. Like what do you do versus what does he do?
Luna (01:05.102)
That's a great question. Yeah, so that's a great question because you're probably gonna see more and more security organizations having the role of, whether it's deputy CSO or chief of staff. And I have seen organizations that have both positions. And as chief of staff, I basically cover four areas of operations. The first area is anything related to business operations and, simply put, I make sure that people have the right resources to be successful. So a lot of the headcount planning responsibilities or budgeting and making sure that we're staying within the track of the financial health is important for my day-to-day operations. And then my second area of delivery is in providing central PMO support for any critical remediation effort or critical security initiatives and projects. I provide PM support and I typically have a group of PM folks who report to me and we work together on those critical deliveries. And then the third area that you're probably gonna see a lot of the chief of staff doing is key metrics collection as well as reporting, not only at the board level but also at the C-suite level, educating them on the overall security health of the organization, security posture, where the main security risks lie, and with the recommendations as well. Those narratives typically are weaved into a budget ask of what is the right amount of investment in order to reinforce specific security controls. And last but not least, you're probably going to see some overlap between the GRC function and the Chief of Staff role when it comes to security awareness and training. So I work closely with the rest of the security functions to make sure that we're aware of any looming risks when it comes to attacks towards our employees, like for instance phishing or smishing attacks that you observe in the ecosystem, and educate our employees in advance of those risks. And also a lot of the training programs where we have target personas, like for instance, we work closely with the product engineering team to teach them on secure SDLC, or we work with the IT team when it comes to access controls and not to provision overprivileged accesses, et cetera.
Luna (03:21.262)
So typically you're gonna see a chief of staff covering all of the above functions, but it really varies from team to team.
Adi (03:29.156)
Interesting. And how did you end up in this role?
Luna (03:32.434)
That's a great question because I started my career working in financial services tech enablement. And what I did was I was implementing systems, AI solutions for banking and financial services customers for 10 plus years. And I was reached out to by TikTok, and the CISO back then, Roland, called me and he mentioned to me that, "I'm looking for a person to help me run the business operations for the global security organization. The person has to be bilingual and I saw your background in the tech space, are you interested?" And without any hesitance and knowing Roland's reputation in the security field, I said yes. And when you look at the transition, it's sort of natural because I was joking to people that SDLC work is like being in the party and then security work is like cleaning up after the party, where you started, you know, working on those security findings and vulnerabilities in the process of developing the systems.
Adi (04:33.476)
Interesting. And then you just decided that you're going to continue in a security direction.
Luna (04:39.084)
Yeah, so I spent the last five years... Alteryx is the second security organization that we established from scratch. And I started my security career five years ago with TikTok, where the global CISO was establishing the security organization across the globe to be able to meet the regulatory as well as customer requirements across the globe as TikTok rose to its fame. I think that was exactly around the same timeframe. And then I spent two and a half years working on exactly the same thing at TikTok and moved on to Alteryx, and now I'm working for the CISO Lucas Moody to establish the security organization, like covering all of the various functions of security.
Adi (05:27.342)
Interesting. How do you learn? And I feel that changes so fast. So there's every day, there's a breach, there's something happening and new technologies. Like how do you stay updated?
Luna (05:38.766)
Great question. I think security is the field for people who want to learn things, who always have that learner's mindset, because the field changed drastically just within the past couple of decades. Back in the days, I don't think we even had dedicated security functions across a lot of the companies, and the CISO's job was basically taken care of by the CIO on a part-time basis. A lot of the security functions back in the days rolled up to IT. But now you're gonna see more and more dedicated security functions and security organizations. And what I wanted to touch upon is, one is the evolvement of the security field. I was telling people, just look back in the days, the most complicated phishing attempt that you could see was Nigerian princes. And that was just a prevailing phishing attempt that happened around early 2000s or starting from late 1990s, where you would receive an email and it's as simple as, hey, you're eligible for inheritance of this large amount of heritage and all you need to do is just to send me some advance fees, right? Looking back, that was so basic, and then if you went back in time and did a password spraying, one, two, three, four, five, and even more complicated, one, two, three, four, five, six, that basically would compromise half of the internet population. So now you're seeing the hackers are using advanced technologies like deepfake and AI. And like for instance, the podcast data that we're recording today, the data could be used and then the hackers could actually alter the visual data or the voice data and how I talk and how I write my text, how I write my LinkedIn post, and just create a simulated version of Luna online, and they could send the message to my friends and family saying, sorry, I ran into a medical emergency, could you send me this amount of money to my bank account, right? So you're seeing the evolvement of technologies that contribute to a more and more complex threat landscape and that called for more dedicated
Luna (08:04.308)
teams to support security functions, also segmentation of the various domains. Like when you're looking at how a typical security organization structures, you have people covering application and infrastructure security, GRC functions, and then people to cover SOC operations, right? So it's such an interesting field that calls for constant learning. And when it comes to learning, the only tips that I can give is like you have to work in the field. Like always work, work, work, be diligent and just absorb knowledge and research on the attack patterns and talk to your coworkers on what they're seeing, and also networking, which is very important. Like working and networking, talking to the CISOs, talking to their chiefs of staff to understand what they are seeing in the field and what are the common attacks that they're seeing unfolding in their particular industry, and I think that helps.
Adi (09:05.508)
Interesting. How do you feel about AI right now?
Luna (09:09.636)
AI is such a hot word, and I've been following the Nobel Prize lately and I think two categories were awarded to AI. And just to share with you, during my last few years of system implementation work, that was back in 2016 to 2018, I was working on AI implementation work for banking customers. Like AI has been around for the past decade. And what we did was we were helping the banks to understand their loan portfolio, commercial loan portfolio, and identify which loans are pegged to an interest rate which is called LIBOR. And LIBOR is the interest rate that had its ups and downs. And then they later found out that people were manipulating the interest rate because there was a voting system, and they decided to retire LIBOR in 2018. But back in the days, a lot of the commercial loans or even your student loans and mortgages were pegged to the interest rate. The massive volume of those contracts that are pegged to LIBOR really posed a challenge to those banking customers. So we were collaborating with them, adopting AI, tailoring our machine learning capabilities to help them identify the contracts which are pegged to the interest rate and help them identify what are the transition paths to take, based on the understanding of the kind of languages that exist in the system, right? So the reason why I'm sharing this example with you is because I wanted to stipulate that AI has been around for a long time. And I think the hype is because people started realizing the use cases that AI can help solve for. And I constantly think about the use cases that can be adopted in the medical field. Like just by aggregating the massive amount of data of those symptoms from people around the world over time, it will help the doctors to actually pinpoint the symptoms and then it
Luna (11:32.015)
help the doctors across the world to actually collaborate and understand the root cause and to propose a better solution for the patients. Right? Like the medical field is one field for adoption of AI. And there are many fields like that when it comes to entertainment or other industries. And AI is such a hot topic, but I think a lot of the times people are not able to differentiate AI from automation. Automation is just how to automate the processes that you're doing on a repetitive basis. But AI actually involves pattern recognition, massive amounts of data, that you require machine learning capabilities, that require a lot of neural networking, like teaching the machines to pick up the ability to mimic how a human's brain works. Right? But also in the security field, because of the advancement of AI technologies, it requires a lot of well thought out protection. And to be very honest with you, I think this is the field that interests me. And I think I will continue my research as well as studies in the field. Like I feel a lot of the questions are not answered for. And to share with you an anecdote, the other day I got invited to speak on an AAPI panel, and it represents the Asian minorities. Like we talk about AAPI celebrations. So I resorted to ChatGPT and I asked ChatGPT the question, who are the most revered AAPI celebrities or technologists? And guess who came up to the top of that list? It's Elon Musk. So what I'm trying to tell you is you can't blindly trust AI to feed you the answer. And this is a good example of AI going wrong, of just misinformation, AI being used as a vehicle to share misinformation, right? And I don't know what step along the way, how they train the model, that led to the result being completely off, but...
Luna (13:55.585)
AI security is to cover for those like hallucination, pollution of your data, and then the wrongfully outputted results, like the case that I just shared with you. And then also thinking about, and this is just my very immature thought process, how you're looking at the decision-making process and the shift of the dynamics from a social political standpoint. And you started realizing, I call it intellectual colonization. When I was adopting AI with the banking customers, right, people just blindly thought, my god, AI is gonna take over my job, AI is gonna be so smart. But then I told them, fear you not, because AI cannot be... like AI can only be as smart as humans, because it's trying to mimic how we're processing data and how we're recognizing data patterns, how we're connecting the dots. But the good thing is, as you're collecting massive amounts of data, you're basically looking at the maximum level of intelligence that AI algorithms can achieve. It can benefit us, but it can harm us at the same time when it comes to intellectual colonization. Then you start looking at the decision-making power solely being aggregated to a group of folks who are, I would describe as, more intellectually superior, because they basically drive the algorithms, how things are going to be developed into, right? So it's a very deep topic that requires, I think, years of just trials and failures, and the regulatory as well as the government's catching up and coming up with more advanced and comprehensive AI laws to be able to mitigate that. And also another interesting case study that I wanted to share with the audiences. I was watching this documentary, right? In South Korea, they had this AI company. What they did is they collect data points, like what I mentioned to you, the voice data, how people talk, where they pause, like...
Luna (16:20.215)
their speech patterns and then their visuals. And then they collect data points from the deceased ones upon consent from their family members. And one of the use cases that they presented to the audience was a mom who lost her child and she was seeking closure. She was trying to say farewell to her daughter, to hug her one last time in the virtual setting. So she put on the goggles and was able to actually meet the virtual version of her daughter and hugged her goodbye one last time, right? It was a very touching story. However, when you think about the things that could go wrong within that scenario, it sends a chill down your spine, which made me think, who ultimately owns the data? Like who owns the data upon the person's departure from this planet, right? Like these are the fundamental questions which demand answers, and I don't think that we're ready to answer those questions just yet. And so the adoption you're going to see is very similar to the social media industry, right? You're starting to see technologies advancing and then the regulators trying to catch up. And then you start to see regulations trying to mature themselves. And there is this continuous improvement cycle of helping us to get to a better state of deployment and a well-regulated space.
Adi (17:56.538)
Well, the story you just told now about that thing is crazy. I mean, do you think that if I look at security specifically as a field, as it relates to AI, I see a lot of security professionals, some super scared of it in a way that is... of course, I think anyone who's been in the field for a while knows that AI is not really as new as it is to the public, but the fact that it's so much more, it's like easy to approach, so there's a lot of new attacks kind of formulating. And then some people see it as a big risk. Some people just see a lot of the good sides. And I like how you, it seems like your overall state, the way you look at it, is there's a lot of good to take from it, but also we're not completely ready to know what else is coming with it.
Luna (18:55.993)
100%. There are always two sides to a coin, the good and the bad. And also what makes me super excited to stay in the field is because in the security space, there are always good guys and there are always bad guys. And I was telling people that the people that I've been running into in the security space are such amazing people and they're incredibly intelligent. But
Adi (18:57.008)
So.
Luna (19:25.879)
A lot of them have this little superhero living within their heart that they wanted to like save the world from the bad things occurring. Like they wanted to stop the data being taken advantage of by the malicious actors, right? So there are two sides to the coin, to everything, to AI, to the security field and just to about anything.
Adi (19:53.156)
Interesting. How do you think security will advance within the next few years? Like what is going to be different then from what is now?
Luna (20:02.593)
I think you're probably going to see this continuous trend: a more and more complex threat landscape resulting from the advancement of technologies. It requires... probably the market segmentation that I'm seeing is already pretty mature. You're seeing basically mature security companies and startups popping up everywhere just to cover all of the security domains that I touched upon. And AI security is such a common challenge I think all of us are faced with, right? And also when you're looking at just catching up with all the regulations across the globe, and for companies, especially global companies that have operations all over the globe, when you're conducting business in Europe, you have GDPR. And when you're conducting business in Japan, they have their own security laws and regulations. And I categorize the success factors of how you're measuring security successes. It's like we have our obligations to those regulators and to meet those compliance requirements, to be able to sustain our business and to keep our business in the region and the country. But at the same time, catching up with all the latest and greatest regulations and compliance requirements is one bullet point that I want to make. And then the second area, which is we have our obligations to the customers. Like back in the days, if you go just five years back and go through the contracts with the customers, right, the vendor agreements, there were not many with stringent security terms and clauses in those contracts. But now you're seeing lengthy paragraphs documenting the security requirements, like you shall turn around vulnerabilities within a specific timeframe, or security incidents if it impacts any customer data, et cetera, and business continuity, security awareness. So I have my obligations to meet the requirements from the customers
Luna (22:22.266)
to make sure that we're a partner to them, to assure them that we're going to be safeguarding their data. That will be the second area of how we're measuring the success, right? We have to make sure that the regulators are happy. We're not running into legal situations with regulators and governments. And then we don't want any lawsuits coming from our customers. But then there is also a third area, which is the most important amongst them all: you're combating those bad guys. Like these are where the true risks are. You're dealing with security incidents of people who are trying to infiltrate into your systems and network all the time. So how do you mitigate the true risks? And the true risks are dependent on the industry you're in, the company you're in, the size of the company you're in, and also sometimes the publicity of the company can determine it, because I worked for both TikTok and Alteryx. Alteryx is an enterprise software company and TikTok is a social media company. The kinds of threats that go into different companies are so different. And also because TikTok, like you're seeing a lot of the hackers, they're not just financially motivated. We're seeing a lot of, like, this year is election year. Every election year we have very busy war rooms too, just to make sure that we're protecting the platform from being infiltrated by propaganda, political propaganda specifically. So when you're looking at the motives of the hackers or the cyber criminals, it's very different from company to company. So in summary, you're looking at, I have to make sure that we're meeting those ever evolving regulations, I have to make sure that we're making the customers happy, to protect their data and to make sure that we have all of the data governance requirements that they are demanding and security incidents and vulnerability turnaround requirements they are demanding. And then the third area is mitigating the security risks and making sure that we have the right controls to offset those security risks.
Adi (24:37.39)
Interesting. Would you say that most of your focus and the CISO's focus goes on sort of stopping the bad guys from the outside or making sure the company employees on the inside know what to do and not to accidentally let anyone in, so to say?
Luna (24:59.787)
That's a great question. And I think I resonate with the topic deeply because I'm responsible for delivering security awareness both here at Alteryx and at TikTok. And a lot of people don't know that 82% of data breaches occur from your employees clicking on that phishing link. So people would think that if you have the most advanced technologies deployed, you're good. But a lot of people ignore the fact that sometimes it's as important to educate your employees on security risks and make sure that they are aware of some of the common attack themes that we're seeing. Like just as I mentioned, right, hackers using deepfake technologies to phish for information like corporate sensitive information. So in that regard, I think it's important to work together with your employees. And a lot of the times people think of security folks as a group of nerds in their black hoodies sitting in their grandparents' or parents' basement and just, you know, that's how we operate. But it's truly not the case, because we have to be a business partner to enable sales and we have to be a business partner for the rest of the organization to teach them on the security risks and what are some of the common phishing attempts that we're seeing and what is a social engineering attack, right? That we're seeing a lot, like it could come from just a simple LinkedIn message: hey, so and so, here's the URL, click on it. So when I think about
security awareness, it's not just about checking off a box from a compliance standpoint. And how I think about it is to truly understand your human risks within your enterprise. And when you just think of it in a grid format, a data grid, you have the different columns being the different departments, I call them personas, and personas are not just limited by the departments that they work in
Luna (27:25.692)
but also it depends on their, let's say, tech savviness or the amount of access that they have. Are they the admin of a critical application or do they have access to our critical applications? And then at the role level, you're looking at the various security domains, the likeliness of them being the victim of a specific cyber attack. And then if you're developing that grid view and able to track over time, you should be able to see how the security awareness level goes up or down in a very specific security domain over time. And that allows me to actually track what are the most risky personas within the organization and where their weak links lie. Should this group of people be educated more on access and controls, like the product engineering side? Or should this group of people, like the sales folks, they lose their laptops a lot, should they be educated more on how to properly safeguard the physical assets of the company? If you see where I'm getting at, launching a mature security awareness program is going to help you mitigate a lot of those risks and that will essentially help mitigate those security attacks from occurring in the first place.
Adi (28:59.708)
What do you think is one of the things that's hardest for people who are not in the security field to really deeply understand that security people know?
Luna (29:10.022)
To go back to the last question, just as I mentioned, people think it's all about technology and people think that security operates in a silo. But it's truly about the people, and security is a team sport. And every person working in the company owns a piece of it. And I was always telling folks that, you know, it's like a massive puzzle. And every single one of us actually owns a piece of it, except some might actually own a bigger piece of it than others. Like I'm talking about people who have access to the critical applications or who are the admins, et cetera, who are handling API keys, et cetera. So the people are important, and how to engage your audience and how to engage your internal stakeholders is critical to the success of our mission and vision for the security organization. And also another saying that people don't understand, which caused some challenges as well as tension within a lot of security organizations, is like, why do we keep you around? What is the return on investment of the security organization? Because we're deemed as the cost center in a lot of cases. And it's one of the challenges that I constantly ask myself, like, how do I address the question of justifying our existence to the right audience. What is the return on investment? Right. And I was speaking with a security practitioner and I really like how he framed it. He said, Luna, you own business operations, right? You should constantly ask yourself two questions. It's almost like a poker game. The first question you should ask yourself is, can you afford not entering the game at all? And then the second question is, if you choose to enter the game, how much can you afford to lose? And I was like, that's so deep and profound and it makes so much sense. And to translate it in an easy to comprehend way, right? For instance, a DDoS attack. Today, if I were to do nothing and I decided not to implement people, process, technologies, and I just sit back, drink my coffee and just watch everything happen, attacks occur, I do nothing.
Luna (31:37.526)
How much is that going to cost the company? How much is that going to cost the business in the long run? And if I choose to step in and mitigate the risk and implement the technologies, hire the right people and educate the people on the kinds of risks, how much risk can we mitigate? What is the percentage of probability we can actually decrease it down to? And then times the loss, and it basically tells you how much you should be spending in that particular area. And another example that I want to share with you is, I keep telling people that security is like protecting your house, and I rely on you to tell me where your critical assets are. Where do you put your safes? And then two, if you don't mind, just turn on the light so I can see this stuff. Like this is where all the logging is super important, because you need to have visibility into what's actually lurking in your environment. And turning the lights on is just basically all SOC operations, where we're consuming all of the alerts to be able to understand where we're seeing suspicious activities. But I'm not gonna implement $10 worth of jar to protect $5 worth of toothpicks, that wouldn't make any sense, right? But to evaluate on that, which is how much am I protecting and how much am I investing? That is the question which I think a lot of people fail to understand, and it's the most difficult to actually solve for in today's security operations space.
Adi (33:30.874)
That's super interesting. Do you think most companies sort of have that equation figured out? Do you think most of them understand how much they're putting in versus how much they're actually, they want to be putting in?
Luna (33:45.952)
in a more of an art than science way. And I'll have to be honest with you, I'm no GRC expert and I'll probably rely on GRC practitioners to help with this. A lot of the startups are trying to address quantification of risks. But it's not just a mathematical question of how you're looking at, this particular vulnerability is impacting this set of assets, and this set of assets can equate to this amount of money. There are many aspects that cannot be quantified, like the reputational loss. A security incident that happened way back when, due to a single minor human error, could haunt you for the years to come. The reputational risks, as well as, you know, the regulators challenging you on your business, right? Like in the social media industry, it happens a lot, like all of your hearings, it shakes the confidence of your customers, right? Like how do you quantify those things? It's not as easy as just approaching it from an asset perspective. And today I think customers are more and more security savvy, and then they started realizing how important it is to deal with a company that has the right security hygiene. And then if you're not providing all of the basics, they walk away. Like how do you calculate the customers walking away, right? The potential loss and the sunk cost is kind of different.
Adi (35:34.96)
Interesting. If I go back a little to when I'm talking about the employees of the company, do you ever feel or maybe not exactly a bad cop, but are you ever the person to say, we can't do this? Or like, how do you navigate situations where something could be business positive, but security negative?
Luna (36:03.076)
Good question. I joke to people that as a security professional, we have to slap people on the face every day, gently. It's true, because just like the parent who suffers from paranoia, like myself who has a six year old at home, we are the ones who always tell people not to do things. Don't climb on the table, get down, you know, Asian parent style. And there are similarities in how I operate at home and how I operate at work, because when you're dealing with security risks as part of your software development process, when you're dealing with critical vulnerabilities that we found in production releases, how are you convincing your business partners like product engineering and IT to mitigate the risks, and how fast should they do it? And a lot of the times our advice clashes with their other priorities. And especially when you're working in a fast paced environment where releases happen on a daily basis or on a weekly basis, right? They're always trying to cut to the chase and making sure to put out technologies and product features as fast as possible. Sometimes that decision comes with the cost of risky security behaviors, but it's a matter of evaluating what would be worthwhile, what could cost us more if we don't do something. If we found something, like a high vulnerability for instance in this particular release, shall we hold off? Or if we don't hold off, what is driving us to push it to the market this soon? Like it's the discussion that you have to engage the business partners in to understand where they're coming from, which is why I'm saying security should not be operated in a silo. Like understanding...
Luna (38:22.431)
their perspective and lens helps you to actually justify the ask that you are trying to push forward. So I hope that answered your question.
Adi (38:33.092)
Yeah. Without any names or companies or anything like that, have you ever been exposed to a severe security incident that you could share about?
Luna (38:45.4)
I can share public information from when I was working at TikTok. And as I mentioned, TikTok is a social media company, and a lot of the challenges that we were faced with, Facebook is faced with, and a lot of other social media are faced with the same challenges. Two areas. I'm not going to name a specific incident, but two areas of
security incident genres that I can categorize for you. The first one is protecting underage users. And this is what was challenging us, what was challenging other platforms as well, back in the day. There was the Blue Whale challenge that started, I think, in 2016.
And originally it was a group of teenagers, and then they gave each other timelines, and it was awful, which actually led to casualties, not only on platform but also off platform. They would use social media as the vehicle to commit suicide and broadcast it. Yes, it was a huge challenge.
Back in the day, we were trying to address it: establish the war room, work with our TNS, which is the trust and safety group, and make sure that we carefully altered our monitoring capabilities, to make sure that we were safeguarding the platform so that it's not being taken advantage of as a vehicle. And it's heart-wrenching and heartbreaking just to see
some of those security incidents that occurred in that particular field, right? And to go back to my point, the security profession is a space where I feel you have to have the right morals. You have to have the mindset of really protecting the people to be able to do the job right and to take the job seriously. Because in the example that I shared with you, it actually is a matter of life or death. And then
Luna (41:04.159)
kudos to the security professionals in the medical field. A lot of people wouldn't think of it that way, right? If you have a hacker that hacked into your critical infrastructure, like ventilators going off, it's a matter of life or death, right? So it gave us the purpose to actually work in the field, and
it's heart-wrenching to see that kind of security incident occurring. I was happy to see all my coworkers, that we were all hands on deck, that we were trying to address it in real time and to make sure that we were handling the risk properly and really addressing the risks from the get-go. And then the second category of the challenges that we were seeing is deepfakes.
The most famous example was the deepfake Tom Cruise, who was on the platform for a long time. It was so advanced that in the beginning I don't think people could even tell the difference between the true Tom Cruise and the deepfake Tom Cruise. Right? Every election year was wartime for a social media company, because
you were trying to prevent the platform being the vehicle for a lot of people who were trying to use it for political propaganda and who were trying to promote information using deepfake technologies. So these are the two broad categories of security incidents that I wanted to share with you and with people who are interested in the security field but who are curious about
what security professionals deal with on a day-to-day basis. At Alteryx, the kind of threats that we're dealing with is kind of different. And to a certain extent, I'm a little more relieved, because we're not dealing with life or death, because we're a data analytics company. So the security incidents mostly are not as malicious as what I saw at social media companies.
Adi (43:27.408)
Well, what would you say is the biggest challenge right now in the cybersecurity space?
Luna (43:36.019)
The biggest challenge comes from, I would say, the immaturity of regulations. Immaturity of regulations, I think, is one of the things that I've been thinking about a lot. To elaborate on that, I did some research before the podcast, and I was trying to understand what the percentage rate of prosecution is
for cybercrime committed and confirmed. And that number is roughly around 0.5%. And guess what that percentage is when a non-cybercrime is committed? The prosecution rate is around 30 to 40%, 40% and above. So we're always combating the bad guys, who have probably just as advanced technologies or even more advanced technologies,
but who are more financially motivated to commit a crime, because the ramifications or the outcome of them getting punished is not as severe, or not at the same level, compared to a real crime, right? And so you're combating those guys who are just evil,
but they are so financially motivated, and there is a high chance that they can make a huge fortune out of just one single attack. So I think the challenge is going to be: here we're combating the bad guys, but also at the same time we're trying to educate
Luna (45:34.957)
the business owners and the C-suite and the board level to try to invest a little bit more into security. But over there, it's not really a balanced game, to my knowledge. And then I think a lot of the time it's because,
how do you punish those cyber criminals? I don't think today they're being punished in the way that they're committing the crime or doing the harm, at the same gravity level, if that makes sense. And a lot of the bot farms are non-US operations, all over the world. And typically those cyber criminal rings would choose a jurisdiction
that has less stringent cyber criminal laws.
Adi (46:25.988)
Wow, that's really interesting. Why do you think they are caught in such low percentages? Is it lack of effort, or is it just really actually much harder?
Luna (46:35.797)
Because of
Luna (46:40.181)
it's much harder to catch the cyber criminals. And also I think, as the regulators, in this catching game, are trying to figure out what's going on within the space and then trying to actually understand the kinds of crimes and the cost of catching those crimes and prosecuting those criminals, it's going to take years. You're looking at the advancement of technologies, but also you're looking at
our jurisdiction systems trying to catch up and to make sure that we're actually punishing the bad guys, instead of just leaving the good guys doing their job.
Adi (47:25.924)
Interesting. What is one blind spot you think that other CISOs are not necessarily paying enough attention to?
Luna (47:34.668)
The blind spot, I think I touched upon it enough, is the human risk. I cited that 82% of data breaches came from human error. It could be as simple as one of your employees just clicking on a phishing link. So really paying attention to engaging your employees and adopting a mature security
awareness program. I work with a lot of startups nowadays, and some of them are in the security awareness space, where they're thinking along the lines of not just launching the security awareness program as a compliance requirement but truly mitigating the human risks within the company. And I think that would be one observation or one piece of advice that I could share with the rest of the security professionals.
Adi (48:33.166)
Interesting. We're sort of out of time, but do you have time for a couple more questions? Perfect. So what would be your advice to someone who's trying to get into cybersecurity or maybe even advance to a more leadership role?
Luna (48:38.497)
yeah, sure.
Luna (48:52.491)
I would say don't be intimidated. And I truly mean it, because my educational background has nothing to do with technology, and my previous professional background had nothing to do with cybersecurity. There is overlap when it comes to SDLC and security. But my educational background was in translation and interpreting, and by the way, English is my third language. So I was trained to become a translator,
a Mandarin Chinese-English translator, and I dreamed of becoming a diplomat. So I always had this little hero living in my heart, building the communication bridge and saving the world. And I studied public policy here in the United States; I came here to pursue my master's degree. But then I fell in love with implementing systems, and then I fell in love with security, doing security work.
And if you're not a programmer, it's okay if you didn't study computer science, because just as I mentioned, I think this field is for people who have that little hero living in their heart, who are fast learners, who always want to figure out what's going on, and who want to pick up new knowledge and new technologies. And it requires a variety of skill sets for us to combat the
bad guys. It's not just about whether you can program or you can run a security application. It requires a variety of skill sets, and it requires people who can connect the dots and who actually recognize data patterns of why people attack, to truly understand the human psychology behind the attack patterns, right? And the cybersecurity field is so fascinating
because of other factors, but also one factor is it's a mix of science and art, and you have to understand why people attack, and there is a human psychology element that goes into the equation of trying to understand how to better protect your ecosystem and the people. So don't be intimidated by the field. Give it a try and understand how
Luna (51:20.548)
things in the security world work. And if you're interested, pursue it: study with some courses, certifications, join the networking events and see if this is the right field for you.
Adi (51:35.708)
Amazing. So two final questions. One, is there anything that keeps you up at night as a sort of CISO?
Luna (51:46.726)
Things that keep me up at night... well, thanks to melatonin, I've been sleeping pretty well. But right now, I would say it's really budget season for me in October. So it's really putting together the narrative and trying to understand where the true risks lie, to be able to help the team get the right resources, to get
Adi (51:55.484)
you
Luna (52:15.364)
the right investment in the right place. And also at the same time to really align. A lot of people think that we have to keep a balance between security and business, but we are an integral part of the business. When you're saying keeping a balance, you naturally mean that you're putting the two things on different ends of the scale. But security, we're going in the same direction as where the business is going,
like when it comes to security sales enablement, helping the customers understand where we stand when it comes to security posture, or just to, you know, mitigate the risks. So really to find the right narrative and work with our business teams and to push forward the right initiatives and the effort
with the right amount of investment. I would say these are the things, the list of the things, that are on top of my mind.
Adi (53:21.916)
Interesting. And the very last question. And before that, I'll say thank you so much for joining. I don't know if you know, but you're the first woman security leader that's been on the show. So also that's super amazing. And I think you have a very unique comprehension of the
Luna (53:28.344)
My pleasure.
Adi (53:48.684)
vastness of the field, which is really interesting. I'll ask you one question.
Luna (53:52.61)
I appreciate that.
Adi (53:55.429)
Say that again.
Luna (53:56.494)
I appreciate it.
Adi (53:58.424)
For sure. I really enjoyed this conversation. The last question really touches on that, I feel. What is the thing that excites you outside of security? Like why? It's a stressful field. A lot of things happen. What makes you say, wow, I want to do this?
Luna (54:08.334)
Mm-hmm.
Luna (54:20.896)
You know, to go back to your observation of the fact that cybersecurity today is still a male-dominated field, I think people have this misinterpretation that cybersecurity equals programming, equals computer science, equals just technology. But I think, as females, we have a natural advantage
in the cybersecurity space, because we are naturally good at multitasking. I am a mom, I'm a full-time mom, and I'm a full-time cybersecurity practitioner. In the field you're always met with challenges, problems, fire drills everywhere, that require those
juggling skills, trying to identify what is actually important. It's very similar, like when I look at how I run the household versus how I run the cybersecurity department, there are similarities. It's always about staying calm, trying to figure out what is the most critical priority and just tackling it head on. Just get things done, that execution mindset, which I think
a lot of people ignore. It's not just about configuring the right technologies or implementing the security controls to mitigate the risks. It's also about that people element that I touched upon, security awareness. It's about PMing. The security field also calls for a lot of great PMs to help the team stay focused
and to be able to meet the timeline when it comes to remediation and all those regulatory and compliance requirements. So I encourage more females to actually explore this field and see if this is the right field for you. But I think we definitely have some natural advantage in that.
Adi (56:34.106)
Amazing. Thank you so much for joining today, Luna.
Luna (56:37.181)
No, thank you so much, Adi, for having me today.
Adi (56:42.085)
Okay.