The Compliance Word

S1E4: Cyber Security: Dominic Vogel

March 31, 2021 RAW Compliance Season 1 Episode 4
Chapters
0:50 Intro
1:24 Dominic Vogel's Origin Story
5:04 Oonagh's Origin Story
10:58 Do People Understand Cyber Security?
15:14 What Is Cyber Security?
19:53 Companies Do Not Take Cyber Security Seriously
24:12 How Do People Evolve As Cyber Security Risk Specialists?
31:30 How To Begin Your Career In Cyber Security?
35:08 Skills Needed To Become Cyber Security Expert
35:12 Dominic Vogel's 5-10 Year Plan
45:03 Companies Do Not Take Cyber Security Seriously

On today's podcast, we'll be speaking with Dominic Vogel. Dominic is a cybersecurity expert, speaker, and comedian. He is the founder and chief strategist of cyber.sc and is one of the nicest and most awesome people you could possibly meet. Hosted by Oonagh Van Den Berg and edited by Luke McCann.


Oonagh van den Berg:

On today's podcast, we'll be speaking with Dominic. Dominic is a cybersecurity expert, speaker, and comedian. He is the founder and chief strategist of cyber.sc and is one of the nicest and most awesome people you could possibly meet. So Dominic, thank you so much for joining us today. And welcome to The Compliance Word. How did you get to where you are in your career today?

Dominic Vogel:

I always love sharing my origin story. It was actually only when someone asked me that question a few years ago that I even became in tune with why I even went down this path. Growing up in high school, I used to be in grade 10. So I know grade 10 may mean different things around the world. But let's say when I was around 16, perhaps, that's when I knew I wanted to do something with technology, but I wasn't sure why. And my dad, who was a Computer Science High School teacher at the time, since retired. I didn't know what I wanted to study when I went to university. And he literally brought home a massive stack of, I would say, at least 100 magazines. He dropped them on my bed. He said, "There's gonna be something in here that interests you." Well, I didn't know that as a computer science teacher, he would always get all these free magazines sent to the school. And from different vendors, Microsoft, what have you, and he just dropped them on my bed. So I looked through all these magazines. And I thought it was all boring, super technical. And this one magazine literally came out of nowhere. And I looked at it and it said Information Security magazine. And I thought, what the hell is information security? So like, picture a six year old reading, seeing those words, for the first time. I was like, what the heck is that? I read the magazine cover to cover, I did keep that magazine, somewhere in the mess that is my home, I should find it one day. I do believe it's here somewhere. And for whatever reason, I thought it was so interesting, you know, just the concept of data and information for these organizations and the need to protect them. It was something that I found so fascinating. And I ended up studying computer science in university. And over my four year degree at the time, the word cybersecurity is only one. And that was by me asking a professor I said, Well, can we talk about cyber security. So again, this is in the early 2000s.
And it wasn't very common for it to be discussed in post-secondary education. And I ended up doing a lot of self-learning. And then I held out or started off my career as a security administrator for a large global logistics company. And then I just stayed in the field and then my career unfolded from there.

Oonagh van den Berg:

Oh, wow. So from six years old, you had a career trajectory, you knew where you were going. You knew cybersecurity was the future.

Dominic Vogel:

I knew early, I guess. I am a first wave millennial, very, very early first wave. And my dad was always the first one on the early Apple devices of computers. I remember sitting on his lap playing with them, this kind of thing. So I mean, part of the first wave of life I grew up with technology, and when I hit high school there in my mid teens, I knew that I wanted to do something. And for whatever reason that magazine was in that stack of magazines that my dad brought home, there was only one security magazine, all those magazines that he brought home, or there was only that one so I shudder to think what would have happened if I didn't stumble across that magazine. Maybe I would have gone into comedy or something.

Oonagh van den Berg:

I'm not going to ask what the range of magazines were either. Goodness knows.

Dominic Vogel:

It was very untypical of a 16-year-old; it was really geeky stuff.

Oonagh van den Berg:

I was never academic at school. But my older sister, you know, she's in Mensa, my younger sister as well has an incredibly high IQ. And I was the middle child where my parents would say just try your best and if your best isn't good enough, you know, it's okay with us. And there was never any pressure on me. And so I used to run, I did athletics. I joined every single extracurricular club so that I could get out of class, you name it, I played volleyball for the school, hockey, debating, public speaking, I was even on the ping pong team, like, literally, you name it. I just wasn't really interested academically at school. But that being said, when it came to my national exams, I always passed my national exams to everybody's surprise. But that's because I knew I had to pass the exams. Otherwise, I wasn't really that interested. But I knew I wanted to be in law. And I remember one of my teachers just saying you'll never get to be a lawyer because you're not going to get the grades to get to university to be a lawyer. And I was like, no that's what I'm going to do. I went to university and I studied law. And after I did my undergraduate I realized that I love regulation, but I couldn't see myself in the UK. So my mother said like, take a gap year and try it out. So I went round and I worked through all of these kind of I worked to the Solicitor's Office of barrister chambers, I worked in the Royal Courts of Justice in the typing pool typing up court cases, which was just the worst part as well as I have a slight mild form of dyslexia where there's certain words that I always spell the wrong way round. Typing pool was not a good choice for me, like I'm typing up legal cases. And like what word's this? I'm always being corrected by my supervisor. And I was like, This is not for me. But I then decided I would become a personal trainer because as I mentioned, I was really good at athletics.
So I actually interviewed for a job to join one of the big kind of national gym chains where I could go in and become a personal trainer. And I was really excited about that. And the same day that the job offer arrived for that on the doorstep, I kid you not another letter arrived from Maastricht University offering me a place to go on their master's program. And I kind of felt like this is very serendipity. It was you know, that moment in life where there were two paths I had to choose. And I thought that I was going to close one chapter completely, and move into kind of personal fitness. And obviously, then the powers that be had other plans for me, and then this obviously, the master's program landed on my doorstep. That is how everything happened with my career, like where I ended up where I am today. One small thing to happen. Like you said, you picked up a magazine; for me, it was two letters arriving simultaneously when I thought I had made a decision. Then your whole life changes. And in a minute it's just amazing. And it's been on this podcast series that I've been talking with various people about how they got into where they are. And it's interestingly not one person has planned to get into what they're doing. Compliance didn't exist as a job. When I left school it only really started coming around, it's like the US banks like Goldman's, etc, was a 1997 to 2000. And then in London, it was around kind of the 2004. So it really was kind of still was part of the legal team. And slowly it's emerged in its own right, as a fully fledged department. It wasn't something you saw at the careers fair; nobody talked about compliance. And I myself found it by accident, I tell a story that I was at JP Morgan and I had done my legal training at the European Central Bank, I loved regulations. I wanted to learn about products. I was at JP in the product development team, and this was all great. And then I came across this compliance department.
You get to work in products, working with regulations and work with the regulators. And the head of compliance also got to go to the pub every day at lunchtime and come back drunk in the afternoon. And I was just like, this isn't such a bad job. I'm a 20 something year old and I'm thinking I've got this one. This one I can do. And so that was kind of like my kind of my entry into compliance, I soon realized that getting drunk at lunchtime was just an exception for like a few people. There were many things that attracted me to the job.

Dominic Vogel:

That is honestly one of the most interesting origin stories I've ever heard! At least for me in cybersecurity a lot of people either come up through the ranks, or they've been in security the whole time. But they all tend to be, you know, cut from the same cloth, and security as an industry as a whole still suffers from a lack of diversity. But your origin story, like, that is fascinating. I can honestly tell you, it's one of the most fascinating, entertaining, engaging stories I've ever heard. Sure, we're just scratching the surface.

Oonagh van den Berg:

It's like Pandora's box. There's a lot. There's a lot of interesting stories along the way. But um, but open it obviously, this is not about me, Dom, this is about you. And I could talk about myself for hours, which I'm sure the listeners know. Well, I want to obviously talk about you today. One of the things that continually surprises me as I come across people, they're like, 'Oh, I'm a financial crime expert.' And I'm like, well, you're not like, Well, yes, I am. I'm a financial crime expert. I know AML, I know CFT, I mean, tax evasion. And I'm like you don't know cybersecurity, do you? When we look at financial crime, there is kind of like the six key areas you have AML, CFT, tax evasion, fraud, data privacy, and cybersecurity. And I'll be honest, I was even on a call yesterday with one of the government agencies. They asked me what is my knowledge in financial crime? And I said, Well, I can cover all most areas, except for cyber security. It's such a different discipline, the other kind of five areas are intertwined, kind of similarities and crossovers, and the policies, and the regulations will work in light of each other in a way. But cybersecurity is just a completely separate ballgame. It's a bit like baseball versus basketball. There's no similarities here. I'm sure you must get this a lot people working in financial crime, they come and talk to you about cyber security? 10 out of 10 people, how many of them actually know what they're talking about? And how many of them are able to have a conversation? I'm gonna go with possibly none?

Dominic Vogel:

I want to say one just to be generous. What you mentioned there with compliance roles, an example, was security, security is still very niche. And it wasn't until, you find the late 90s, early 2000s, that you saw at least some of the regular industries like financial services and healthcare started getting jobs and security opportunities there. Flash forward to today. So many people, especially at the executive level, do not understand what cyber security is and there's so many myths surrounding this are also cyber security equals something for the IT team to deal with. I always say cyber security is not a technical issue. Cyber security is a business issue, it's a risk, no different than operational risk, financial risk, it's a business risk. I say that's the number one misperception, that it's seen only through a purely technical lens, while missing other policy and procedural and people components that make up cyber security. And to me, it's very much an extension of almost enterprise risk management. Now, at the end of the day, I do feel that cyber security is a risk management discipline, far more so than as a technical discipline. Yes, there's technical intertwining to it. But that's what exactly gets a lot of people tripped up is that they think of cyber security and they think of it as something that the IT guy deals with, or that the IT team and all their technical magical abilities deal with you know, so that's the gist of my entire career.

Oonagh van den Berg:

I have to apologize. I thought that cybersecurity was an IT issue.

Dominic Vogel:

I won't hold it against you, we're friends.

Oonagh van den Berg:

And that is why it was so important to get you on. Not just because you're an amazing person but it was also important to get you on the call today because I think it's demystifying cybersecurity because that is the honest perception with many people.

Dominic Vogel:

I put it this way: cybersecurity is basically an extension of cyber risk management and that's why I personally have never really liked the term cyber security, I think the term cyber risk management is more conducive to the sort of the type of mindset that we're trying to reach in the business world. So when we think about where we are in society we live in a very digital world. We live in a digital society, thanks to COVID we've become increasingly more virtualized and businesses and organizations have become increasingly more digitized. With that comes increased cyber risk and in the age of the internet and the age of an online economy just like there are physical real world risks there are cyber risks that go alongside that. Furthermore as we sort of dig down into these layers here, we think about how our economies used to be run by oil or gold right? Now our economies and some of the biggest companies on earth, they are run by data and data is very much the commodity of the 21st century. There needs to be protections around that and there again comes in cyber risk management. If you think about any organization big or small there are over three tenets that make up cybersecurity. So there's confidential data or confidential information, that's information that may be trusted to you by your vendors, your partners, your clients or customers, your employees and if you're having their sensitive financial information or what have you. Those are things that need to be protected because if a cyber criminal steals that then their data has been compromised and that's identity theft. So there's a confidentiality aspect of security.
There's also what we referred to the integrity of the data so again this isn't true for a lot of organizations but you know let's say your organization that does a lot of data crunching as an example and does a lot of analysis on numbers that data somehow got changed without knowing about it that could change your projections, that could change the products that you end up creating or the data that you end up sharing or even something like that. In the healthcare system you know the integrity of the data is very very important so that's another area that can be compromised by cyber criminals and attackers. The third arm of that is availability and we're now seeing this being sort of hit by the rise of ransomware. Ransomware is very much the kidnapping of the 21st century, in which your IT systems, your data they all get held for ransom and you will gain access back to that unless you pay that ransom, often virtual currency. Especially small businesses don't take the time to realize that if you were to lose access to your email in all your systems for a day what does that mean for your business for two days for three days? I know for me I get annoyed just a 20 minute power outage! If you've never had the opportunity to go through that or taking the time to ask those questions these are again all the things which are part of cyber risk management. Back to my original point; we live in a digital age and the need to realize that the digital world around us does come with risk and unless we address those now we are literally just we're playing with fire and especially with the increase in cybercrime and how cybercrime is now the most profitable crime on earth surpassing the drug trade it's only a matter of time before your organization goes down in flames unless you're taking cybersecurity and cyber risk management seriously.

Oonagh van den Berg:

I think that's actually been the frightening thing last year. It's not to say that organizations didn't take it seriously, but to what extent did they expect such an influx of events happening simultaneously and again COVID caught us out in many ways, everybody was prepared for BCP. But nobody was prepared for working from home. You know, there's two very different things. But cybersecurity obviously came to the forefront last year. And when people talk about 2021 trends, one of the questions was, are we gonna see law enforcement action this year where regulators come to the banks and say; look, you were very ill prepared. You did have to do a technology risk assessment, you should have been aware of the flaws, gaps, vulnerabilities in your systems. And it came to us having to notify you of the typologies for you to be able to implement reactively, the controls, what do you think? Do you think that we're going to see enforcement action around it this year, because of the lack of, I wouldn't say lack of preparation? I believe the banks think they were prepared. We just ended up in a really, what do you call it a perfect storm, so to speak?

Dominic Vogel:

The closest analogy that I've come across that is parallel is what happened in the automobile industry. I truly believe that we, this will eventually apply for organizations worldwide. The analogy I'll give is what happened over the first 100 years of the automobile. So when cars were first created, or at least mass produced, they were inherent death traps. Right through the 40s 50s 60s 70s cars, at least in North America, they were mobile death traps. Far too many people died on the road, on highways. You know, they were just not safe. And it wasn't until there was greater consumer advocacy. I'm not entirely certain in terms of how this plays on the rest of the world, all this looking through a North American lens here. It wasn't till in the late 80s, when there was greater consumer advocacy in the US, which led to greater regulations, forcing automobile industries, especially the big ones in Detroit, Michigan, so your Ford, Chevrolet, Chrysler. They started focusing in on car safety and prioritizing car safety, and that they were not mandated by federal regulations to do so. And then what we then saw from that point to where we are now, if you watch a car commercial what they talk about is car safety. They talk about all the cool blinking lights, all the blinking safety features that talk about the crash safety ratings, their safety awards, they are now competing, and the competitive differentiation is focused on car safety. I hope it doesn't take 100 years for cybersecurity, to go from being no thought to an afterthought to being a source of competitive differentiation. But I truly believe that we are moving in that direction in terms of whether there's going to need to be greater government intervention. Otherwise, organizations just will not compel themselves to make significant changes in terms of how they approach cyber security.
So I think as we move towards that, I still think that could easily still be another five to 10 years out, before we start seeing more comprehensive regulation. But I do believe in the near future, especially like I said, digital age organizations won't just be a matter of table stakes can be a matter of competitive differentiation in terms of how data privacy and data security is handled as an organization.

Oonagh van den Berg:

How do people evolve as cyber security risk specialists? Where do you go to get your knowledge and learning and experiences? The industry is beginning to change now but I can't imagine that there has been over the past number of years many specific kind of university courses and degrees around this? Maybe I'm naive in saying that, it's not been an area of focus for me but how are people upskilling this area and learning and an understanding what the challenges are.

Dominic Vogel:

You're absolutely not naive in thinking what you said there. I mean, it's only been in the past, I'm gonna say right three to five years where we've seen more consistent educational efforts. At the university level and college levels for cybersecurity, and part of the problem with cybersecurity, for I'm gonna say pretty much since the mid 90s, until, let's say maybe 2010 or so, was that it was an industry where there was very little diversity. You know, one of the first things I noticed when I had my very first security conference, way back when was that it was mostly pissed off middle-aged white guys there and now I see the irony often that I am a pissed off middle-aged white guy. The lack of diversity was startling. So there's very little thought diversity or experience diversity, as we were talking about earlier, majority people in security, again, came up through IT ranks, so they all shared the same technical lens, that they viewed security as part of the reason why security ends up being seen more in the technical domain than in a business domain. And as such, many IT people and I know, it's a stereotype, but it was a stereotype for a reason was that the majority of IT people were crappy communicators. And that's why for the longest time, security didn't have a seat at the executive table. Why? Because they tend to be very condescending, arrogant, and were unable to communicate in ways that resonated with non-technical people.

Oonagh van den Berg:

My IT guys were, in every bank I've worked in, they've always been lovely. But I suppose the one characteristic that I have been able to say about a majority of them is their interest. They're terribly introverted. But the truth is that when you're in a bank, you're competing across a broad range of personalities. You're going to have a lot of very extroverted peacocks around the place. And that's not something that an introvert will naturally want to even enter into. But it's definitely changing today, I'd have to say, but I do write if I go back 5-10 years there wasn't that. I wouldn't say they even were considered at the table? Even compliance had to fight for their position at the table over the years. They would be used to just make sure the lights, the systems are working, and then they can leave the room. That was the attitude but everything has evolved.

Dominic Vogel:

Oh, absolutely. It's remarkable how quickly it's changing. I know, back from my corporate days, I worked in the credit union system here in Vancouver. It was so hard for somebody to even get a seat at the table, and one of our greatest collaborators and partners in the business was the group that focused on compliance and the anti fraud group. It was still very early before those synergies couldn't be harnessed like they are now. Although we were very different skill sets there's a lot of commonality there and common ground where we were able to work together, you know, so and speaking now, I realized that an answer your earlier question about professionals in upskilling, but to quickly answer that question, the profession has come a long way, we're seeing increased diversity from a gender perspective, a thought perspective. Some of the greatest security minds, people who I look up to, they have a degree in psychology or sociology and they weren't technical people. We bring in different viewpoints, different life experiences. It helps you solve different problems which we've at least in the industry, we've been unable to solve for the past 20-25 years. So it's a very interesting time to be in cybersecurity, because I feel there's a lot of positive change and positive growth, and has a lot of opportunities for people to enter the field. If you go to University College route, there's a lot of cybersecurity programs now, even at technical schools, but there's a lot of certifications many of which don't require much of a financial investment. But I think part of the problem though, and I hear this a lot from people and students that I mentor, coaching people who are new to the field. Where there's a lack of a clear road. I'm often being asked the same questions in terms of what certification should I get, what's that going to cost? It's not just not well known or well published or understood.
If you want to be a lawyer, as an example, that tends to be a fairly clear path. If you want to succeed as a cyber security professional over a 10 year, 15 year period, that path isn't very clear. So this little panel, you mentioned earlier about even at career fairs or career jobs, where cybersecurity wasn't advertised, and as an example, I went to school, and I graduate from university, and in the early 2000s, the cyber security wasn't even in the list. I remember having a debate and argument with my University, because they said, Oh, we shouldn't get a career in cybersecurity, there is really no future there. But there are lots of career opportunities. But the career roadmap is still very, very confusing, and not very clear.

Oonagh van den Berg:

People looking to get into cybersecurity today especially more junior people who are starting out in their career, what recommendations and what advice would you give to them, to begin to look for a career and to explore and follow a career in cybersecurity?

Dominic Vogel:

Yeah, so there's a couple things in that I was sharing with students or those who are looking to transition into the field. The first one is to look beyond rather than it just being in technical field. Many people I talked to think, 'Oh, you know, I love the tech skills, I'm not tech savvy enough'. You don't need to be a tech wizard to succeed in cybersecurity. There's many opportunities, whether it be hands on working with the software and hardware, it could be convention, cyber risk management, people who understand doing risk assessments, risk analysis, right? Those types of people are highly sought after as well. So there are different roles, different opportunities. And that's we don't look beyond the technical skill set, don't just hold back because you feel you're not technical enough. The other rule of thumb I was saying to people is just reach out to people on platforms like LinkedIn, one of the best ways of learning is from looking at all the avenues and area of cybersecurity that interests you the most. Just reach out and talk to people who have different jobs in the field. Cyber security has become a specialized career field, it's not as long as it was 20 years ago, where you were a generalist, and you did everything. It's very much like the field of medicine, where you have your sort of your general practitioners, but then you have people who hyper specialize in other areas like network level security, or in doing risk analysis. So I mean, it again, just using some high level examples there, but it's become a very specialized area. So do your homework in terms of figuring out what it is that interests you the most. And as part of that, as well, network, I always tell people, you know, don't just apply to jobs, or just don't study by yourself in a corner. And you know, one of the things I wish I knew when I entered the field was network. Take the time engage with people on platforms, like LinkedIn, develop friendships, develop relationships.
Networking, I believe is one of the single best things you can do, whether it be for cybersecurity or any other career, take the time to invest in developing a personal network, even before you've entered the field. I think that is so so important. I've seen students succeed with that type of mindset. Make sure you get involved with a basic security certification. Just the way you know the hiring process is, HR tends to want to see a basic level of security certification. I always recommend to students the Security Plus, which is a plus sign. It's relatively inexpensive, I think it's like $300 to take the test at least $300 (Canadian) to take the test. And it's a textbook, you study, you pass the test, you have some basic level of certification at least gets you in the door, because it's sort of like a just like a quick calling card that you need to have. But those are the quick and easy rules, I get people who want to enter the field.

Oonagh van den Berg:

When you mentioned about network, I cannot stress the importance of people networking and our networks are a privilege to us. And they're also sources where we can leverage not just knowledge experience, but we can also leverage career opportunities, if we're honest with each other. Using your network to your advantage and, you know, networking within your network. And expanding within that network. As you know, I suppose there's different types of networks, people have expander networks, where basically, they're connected with people all over the place. But I have quite a broad bluecar network, which is within compliance, which means that my network is primarily 90% of my connections in LinkedIn are compliance officers. And I deliberately focus it on compliance because that's where I want to develop my network from a professional career perspective. And I think a lot of people don't recognize and under our records, at least realize the importance of building out network and getting out there, getting to industry working groups, getting yourself involved in the conversations. One of the things I'd love to talk about in particular is cryptocurrency regulation. There are a handful of people that currently are experts, because they've been in this since day one. And they can tell you how the product works. They can tell where the risks are, etc. But regulation is evolving day in day out, they cannot tell you anything more than what you can kind of get up to scratch reading on. If you're a junior compliance officer today and you want to go into a room where you're going to make a difference, get into crypto regulation. You're gonna walk into a room where you're as informed as the other people in the room, and especially younger people today, they're all quite well aware of how all of these kind of virtual currencies work, because most of them I'm surprised have invested and they have invest in clubs, at universities in digital and cryptocurrencies.

Dominic Vogel:

That's true on so many levels. Even taking modern mindsets to technologies, whether it be artificial intelligence, or whether it be cryptocurrencies, the security discussions need to happen around that. I was just discussing those things for students and those entering the field, one of the things that which I think is so important, which is chronically under invested by people, is the skill of communication. You know, if you're someone who can communicate something like okay, here's cryptocurrency, here's what the risks are, here's how we can use that in a way which is still safe and secure. And we're still empowering the organization. That's a really hard skill set to find especially in the security profession, there's no shortage of people who can give you the technical ins and outs of things, but will give it to you in very deep, very scary technical explanation and not able to do in a way that will resonate with non-technical people. As important is to maybe sharpen your technical skill set, sharpening those foundational skills. Now some people call them 'soft skills'. I always scoff at that term. I think there's nothing soft about being a strong communicator. But I think being able to be a strong communicator and be very confident to the audience that you're speaking to is so important. We need to speak in the language that's going to resonate the most with them. People who have that level of aptitude and have that skill set. They will go very, very far, at least in the context of the cyber security field there is a shortage of those types of individuals for sure.

Oonagh van den Berg:

We only got connected a few months ago, or even a couple of months ago, and ever since I've really got to know you I've just been so energized by you, Dominic. You know, every time I speak to you, you're the most upbeat, energetic, positive person, and not many people can hold themselves out in that regard. You're just, if I may say this, you're a ray of sunshine! It's always such a pleasure to talk with you, and every time I speak with you I walk away in my happy place and I'm incredibly grateful. I know that you do a lot of training and guidance and mentoring as well within the industry. Do you think that in the organizations the attention is being given to cybersecurity that needs to be given, and do you feel the recognition to the cybersecurity specialist has been given in terms of the importance of the role that they play?

Dominic Vogel:

The short answer to that is no. I don't feel that the majority of organizations today truly understand or appreciate what's needed and the effort that security teams go into. I'll give you an example: in the US there was a massive hack in an IT company called SolarWinds, which was tied back to the Russians. And the CEO of this company, he blamed the poor security on an intern in the security department, on the cyber security team. First of all, I mean, that's crappy leadership. I grew up in a corporate perspective always knowing that I was the scapegoat of the organization; that's why many cybersecurity professionals are so jaded. If you meet the average professional, they're an incredibly cynical bunch, and I was too. If you had met me back in my corporate days, I was not the cheery person you know today. They're often put in a no-win position. There's an acronym which is very common in the security industry, referred to as (CYA) cover your ass. So that's how many security professionals in large companies focus their efforts, on that, because they know that they can't convince their executives and they know in the event of a massive data breach or if something happens that, you know, they'll be the ones who are held responsible. What's really sad is that, I'm assuming, in the majority of organizations the security team knows what issues are at play and they've been telling the executives for years that we need to invest in this technology, or telling them this is a massive risk we need to deal with. But the executives do nothing about it. There's such a helpless feeling for cybersecurity professionals, and that's why burnout is very high in that industry, because they often feel like their voices cannot be heard. The corporate world doesn't really appreciate the value that cyber security risk management brings to an organization.
That's still a very prevalent feeling across the business executive globally. It's seen as a necessary evil or the cost of doing business, and when it's seen through that lens it tends to be short-handed and shortchanged and not given the respect it needs. It's something which I do believe is changing, but back to my earlier point about greater government regulation, I truly believe that's the only way the markets are going to change and companies are going to change in history greater government intervention there.

Oonagh van den Berg:

Over the next five years, what do you see and how do you see your career evolving? Do you have a civic career? Do you see significant changes that are going to happen in cybersecurity?

Dominic Vogel:

For me, growing my business, cyber.sc. I love focusing on small and midsize organizations. I purposely stopped focusing on corporate just because I can no longer tolerate the red tape and other nuances of the corporate world. Love working with small and midsize organizations, as small as maybe 10 or 15 employees all the way up to maybe four or 500 employees. They're the true lifeblood of the global economy, and I love working with those types of companies because they need help the most when it comes to cybersecurity. They traditionally can't afford high-paid consultants from Deloitte or KPMG or what have you. I love helping empower these businesses to grow and to say these are the companies of tomorrow. I get tremendous joy out of doing that. In terms of how the field is going to morph and change over the next few years, I think the greatest change is going to generally be through greater integration into business, right, because it's still so siloed and put in the technical bucket rather than the business bucket. I think one of the greatest changes is where it starts becoming more integral in the DNA and the fabric of an organization, because companies are now digital companies. I always jokingly say that every company is a digital company; unless you're selling tacos on the back of a Volvo and all cash deals, you are a digital company. I think as time evolves security will just become more intertwined with the DNA of companies.

Oonagh van den Berg:

I'm actually incredibly excited to see the evolution. As we move towards virtual digital banking, we're moving more towards kind of the crypto space, and obviously there have been thefts and hacks over the years. There are no areas that aren't vulnerable to attack, and as we move into a virtual world cybersecurity will become one of the main risk departments. Currently it's kind of like compliance risk, market risk and credit risk. I actually genuinely believe that cyber risk will come to the front because it has to. If we want to operate our platforms in a virtual environment, that's going to have to be our number one. How do we protect our client information, how do we protect our operating systems and how do we protect our client monies? We need to get the cyber risk correct and we need to make sure that we have eradicated vulnerabilities in our frameworks and in our networks.

Dominic Vogel:

I couldn't agree more! I truly believe that the shift is pointing in that direction, when there's just so much organizational inertia that is still being overcome, but that to me, if we look over the horizon over the last seven to 10 year period, we're referring moving in that direction. It's definitely the direction that we need to be moving towards because we're not going to become less digital, right? We're gonna become increasingly more digital and reliant on digital platforms with each passing day. There's no going back, we're not going back to pen and paper, we have to make sure that the security is aligned with the broader digital transformation movements as well.

Oonagh van den Berg:

Thank you so much for coming on the podcast!
