1
00:00:02,872 --> 00:00:04,492
Welcome to the Cyber Traps podcast.

2
00:00:04,492 --> 00:00:11,222
We are here on the beautiful Gonzaga campus at the inch 360 Conference, and we have Samuel Cabo with us.

3
00:00:11,282 --> 00:00:12,152
Sam, welcome.

4
00:00:12,202 --> 00:00:13,912
Tell us a little bit about who you are and what you do.

5
00:00:14,227 --> 00:00:15,587
Thank you so much Jethro

6
00:00:15,772 --> 00:00:20,692
My name is Samuel Kubui I'm a cybersecurity analyst here with STCU.

7
00:00:20,767 --> 00:00:28,567
I've been with the company for about one year prior to that, worked with Freddie Mark back in Virginia as a cybersecurity engineer.

8
00:00:28,777 --> 00:00:29,557
Okay, great.

9
00:00:30,007 --> 00:00:35,717
And so what does that mean that you're a security cybersecurity analyst now at a credit union?

10
00:00:35,717 --> 00:00:36,617
What does that entail?

11
00:00:37,137 --> 00:00:38,037
That's a great question.

12
00:00:38,037 --> 00:00:38,637
Thank you.

13
00:00:38,707 --> 00:00:46,407
Being a cybersecurity STCU entails monitoring the systems to make sure.

14
00:00:47,127 --> 00:01:11,697
That the threats and incidents that are coming into our systems are monitored and are responded to, let's say, for high and critical kind of incidents
and protecting our members' data to make sure that they information for our members, that is their PII or be their banking information is secure.

15
00:01:12,197 --> 00:01:16,847
So it's about protecting the organization data, which is actually our members data.

16
00:01:17,147 --> 00:01:17,507
Yeah.

17
00:01:17,957 --> 00:01:34,197
So it seems like, from my perspective, being an outsider, that banks are one of the high level targets because there's so much money there and there's it seems like once you get in then you might be able to get in, get access to a lot of different things.

18
00:01:34,567 --> 00:01:36,997
What are some of the things that you guys put in place to.

19
00:01:37,502 --> 00:01:42,272
Protect your members and make sure they don't get hacked or have fraud committed against them?

20
00:01:42,867 --> 00:01:59,802
I would speak generally and say that definitely in financial sector we see a lot of scams are coming to our way when you speak to different credit unions, banks a lot of scammers and a lot of threat actors trying to hack into different systems.

21
00:02:00,227 --> 00:02:11,327
And so some of the ways that we can protect financial data, it's making sure that we have controls to protect the systems and the data.

22
00:02:11,757 --> 00:02:25,807
Having things like and one number one kind of controls, having backups to make sure that when there is an incident or when there's an infiltration or.

23
00:02:26,347 --> 00:02:43,457
You know, there's a side by incident that needs to be, to recover the data in the system, that the organizations can actually recover and have the integrity of the system, the data from a good backup that have been monitored for indicators of compromise.

24
00:02:43,727 --> 00:02:54,127
And that brings in continuity that the service to the members will not stop because the ability to recover wasn't there having things.

25
00:02:54,562 --> 00:03:10,882
Like daily monitoring, having systems, let's say for example, like tools like seas to be able to see incident and the lots that are coming in daily that you have people who are actually looking into the systems.

26
00:03:10,912 --> 00:03:23,392
'cause again, cyber is not just about systems, but it's about people that you have people with knowledge and skills to be able to monitor those systems and to be able to understand.

27
00:03:23,842 --> 00:03:26,902
The threats that are coming into the organization.

28
00:03:26,902 --> 00:03:28,942
So that's very important.

29
00:03:28,942 --> 00:03:42,092
And again, as I mentioned, cybersecurity is about people making sure that each and everyone has awareness and it's their responsibility.

30
00:03:42,182 --> 00:03:50,382
The cybersecurity of an of the organization is not just about the analyst, the CIO, but it's about everybody who works in.

31
00:03:51,122 --> 00:03:52,232
In that organization.

32
00:03:52,772 --> 00:04:02,552
So making sure that there is very robust cybersecurity awareness that people know what is phishing is, what is email compromised the basics.

33
00:04:02,552 --> 00:04:16,512
Because threat actors try with the low hanging fruits before they really go into the sophisticated ways of really infiltrating an organization, they will go to those low hanging fruits.

34
00:04:16,512 --> 00:04:16,812
So.

35
00:04:17,337 --> 00:04:31,557
Making sure that every employee, every member is aware about the things that they can do to defend the company or the organization data and their own personal data is very critical.

36
00:04:32,177 --> 00:04:32,477
/ 
Yeah.

37
00:04:32,982 --> 00:04:33,262
Absolutely.

38
00:04:33,762 --> 00:04:36,617
So what have you gotten out of the conference today?

39
00:04:36,837 --> 00:04:39,537
What has been interesting or something new you've learned?

40
00:04:40,372 --> 00:04:43,372
That was great, especially during the morning session.

41
00:04:43,432 --> 00:04:56,232
Where there was a speaker talking about cybersecurity risk management, and I agree with him that cybersecurity risk doesn't exist.

42
00:04:56,322 --> 00:05:09,642
It's all about business risk because all we do is cybersecurity professionals a supporting business, because cybersecurity doesn't really exit or is not siloed on its own.

43
00:05:09,792 --> 00:05:10,722
It's just not there.

44
00:05:11,222 --> 00:05:13,832
Cybersecurity exists to support the business.

45
00:05:13,832 --> 00:05:20,582
And so everything that we do is to support the mission and the vision of the business.

46
00:05:20,582 --> 00:05:24,482
And so making sure the exact continuity, the exact monitoring,

47
00:05:24,727 --> 00:05:25,017
Yeah.

48
00:05:25,772 --> 00:05:30,332
That was something that I really appreciate about him also was saying there's.

49
00:05:30,902 --> 00:05:34,772
there's no such thing as a cybersecurity risk, there's just a business risk.

50
00:05:34,772 --> 00:05:38,702
And that putting that different frame on it really helped.

51
00:05:38,702 --> 00:05:47,482
And he talked when I interviewed him for this a lot about the communication that needs to happen so that people understand what the real issue is.

52
00:05:47,482 --> 00:05:55,472
That we're not, we don't really care if somebody gets into our system for the sake of somebody getting into our system.

53
00:05:55,802 --> 00:05:58,202
We care because of what they can do once they're inside.

54
00:05:58,592 --> 00:06:04,952
And understanding that and being able to articulate that makes a big difference in how you approach those issues.

55
00:06:04,952 --> 00:06:06,212
And I think that's really key.

56
00:06:06,452 --> 00:06:08,012
Anything, any other takeaways?

57
00:06:08,432 --> 00:06:24,532
Yeah, and I would add to add and say that again, it's not about the system adding into tools and going to, let's say for example, we come to this conference or maybe other conferences, let's say to, I would say, and we go shop for systems and tools.

58
00:06:24,892 --> 00:06:33,262
You can have multiple tools in your organization, but again, if you don't have the right people to be able to monitor those systems.

59
00:06:34,042 --> 00:06:36,442
Then those solutions will not really help.

60
00:06:36,862 --> 00:06:53,612
So security and it is not a cybersecurity or it's not an IT shop to just have the latest and greatest tools, but having the right people to be able to monitor those tools and be able to use them effectively is really important.

61
00:06:53,612 --> 00:06:58,692
And another one thing I would like to add is about, the ability for the organization.

62
00:06:59,142 --> 00:07:00,912
To recover in the event of data.

63
00:07:00,912 --> 00:07:25,132
I know so many organizations do have data backups and they do check the integrity of those data backup, but I wouldn't add on like having systems to really monitor
and to check indicators of compromise within those data backups is very critical because I think that's to my opinion, is the number one control for cybersecurity.

64
00:07:25,162 --> 00:07:28,207
Because it's it's a question of when not.

65
00:07:28,727 --> 00:07:29,017
Yeah.

66
00:07:29,542 --> 00:07:39,012
And so if you don't if something happens and you have an incursion, then if you go back in the backups and that door is still open, It doesn't matter.

67
00:07:39,842 --> 00:07:40,782
you're not solving anything.

68
00:07:40,847 --> 00:07:43,217
You're not solve anything and you're not able to use whatever you've been backing up.

69
00:07:43,217 --> 00:07:43,277
Ye

70
00:07:43,332 --> 00:07:44,612
that's a very good point.

71
00:07:45,062 --> 00:07:48,902
Alright, well Sam, thank you so much for being part of this cyber Trapps podcast interview.

72
00:07:48,902 --> 00:07:52,592
I appreciate you and glad you're here at the Inch 360 conference.

73
00:07:52,592 --> 00:07:53,282
Glad to be here.

74
00:07:53,282 --> 00:07:53,942
Thank you, Jethro.