Security Awareness, Data Privacy, and MGM Breach with CybersecurityGirl Caitlin Sarian

Released Tuesday, 24th October 2023
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Welcome back to another episode of the Cyber Queens. Thanks for bearing with us. We are a little late getting started today because we wanted to give our guest time to link all of her profiles that she wanted to. That being said, today is a super exciting day on the Cyber Queens. We are really excited. We have CybersecurityGirl, Miss Caitlin Sarian herself here on the podcast with us. We're thrilled, so I met Caitlin earlier this year at RSA for the first time and then we ran into each other again at Black Hat and Caitlin very, very boldly did not have a Black Hat plan so we ended up doing a lot of things together just because I was like, are you going to go here to this?

0:02

I started getting into the cybersecurity education and awareness space literally just because I started my TikTok. So before I started that channel. I didn't want to start a TikTok for the various cyber security reasons that most people want to argue about. But I started it right after they decided to move all of their servers over to the US and then they paired up with Oracle. And then I realized, you know, everyone thinks I'm some freaky genius for being in cyber security or that I know how to code and I was like, you know what? I don't even know how to code. Like I learned how to code in school and I've never touched a piece of code since I left and I've been in cyber security for 10 years.

0:04

Caitlin's a phenomenal person. Caitlin is super cool. So I love your platform, love everything you talk about. You and Amber actually are killing it over there on TikTok. But I would say I don't know of anyone tackling Amber and being like you're EngineerAmber. But people come up to me and call me by my handle and I feel like people call you by your handle a lot, and call you cybersecuritygirl! I'd practiced and tried it multiple times. I was like, would people be able to find out who I am? And it really wasn't until I went to TikTok where I was like, okay, I'm going to actually put my name on this.

0:06

Most of my stuff is basic entry level stuff. And so it was embarrassing for me. Cause, I've obviously been in this for 10 years. I obviously know the higher crazier things, but general people have no idea what we're talking about. And so I was really trying to hit the more general audience. And I was like, Oh my gosh, if the partners see that I'm talking about privacy in this type of way, this is so embarrassing. That's why yours is like LinkedIn ready.

0:07

I have a question for you. So did your employers have a problem with it at the time? He was like, how much time do you spend on TikTok? I'm like, I'm doing my work here and I don't have a family. This is my life outside of work. So allow me that space because it's not interfering. But a lot of people just don't get social media. Like literally, I recorded a video of getting ready for this with a trending sound that was a six second video and that took me about 20 minutes to do and I'm like, okay you probably think. these videos because for the normal person, it takes a long time, but anyways, they didn't have issues until I left.

0:09

So I didn't know what I wanted to do. I did mechanical engineering because that's the foundation of every engineering. It's just basic. And I started doing tech consulting interviews. And when I interviewed at EY, one of the ladies that interviewed me, who's now still my mentor, Danielle, she was like, Hey, we're starting a cybersecurity practice. And I was like, I literally have no idea what it is, but I'm going to go for it. And that's how I got in. Everything I learned was on the job. And again, to this day, I've never coded, and that's why I'm so passionate, because there's genius people, and cybersecurity, I feel like, is like our own little bubble, and we want to protect it and be like, only these types of people are in it. But because of that, I feel like it's similar to a boys club, it's like a cybersecurity club, and we're not allowing people that maybe don't have the coding skills to get in, or we're not being as welcome as we should be. And there's so many roles that are open right now, and I mean, cybersecurity is not gonna die anytime soon, so I just really wanted to like break that stigma of you have to be some freaky genius to get in, you have to know how to code, and what you would need to, crack the algorithm from the U.S. government at age 13 in order to get it. Like, none of that is a thing. I mean, you can, but...

0:11

This could be done better. By the way, no one here is a gatekeeper. We are all barrier breakers here on the Cyber Queens, so just love that. Love that for the audience. So tell us how your creating TikToks led to you getting a job as a global cyber leader at TikTok. Cause again, I specialize in data privacy and I worked at a global law firm for a very long while and have a lot of experience in it. I love it. So I actually interviewed with their privacy team, got the job with their global privacy team. And then I remembered that she had reached out to me and I reached out to her being like, Hey, by the way, I just interviewed with privacy.

0:13

But also my role was to be able to educate the public, educate our consumers and our users on TikTok on how they can stay safe, how they can utilize all of the security tips, the two factor authentication, how you can turn on VPN, all that stuff, through TikTok. So it was a really, really cool role where I got to make fun TikToks that was posted on the TikToks tip page and then also make fun videos internally for our own users. I was just going to say that. It's so bad and boring and just terrible because I worked for... a company called Cofense and they did managed phishing detection and response.

0:15

I think there's a few factors as to why it gets a little weird. And I noticed this when I worked at TikTok: legal comes in and changes like scripts around, so when I made really great fun scripts, they're like, this also needs to include these specific sayings, and I'm like, no, it doesn't. I've read that, I've read that law. It's not needed, but if you need me to put it in, and then a lot of like weird legal jargon comes in or it gets reviewed, especially in the corporate environment, it gets reviewed a lot by multiple people, marketing, PR, because, especially at TikTok, anything internally, we're expecting it to go external, someone's gonna say something, so we have to talk to PR, we have to talk to legal, and it ends up adding a bunch of extra stuff that is not necessary. A lot of the videos I make are like 30 second videos and they're funny and they're relatable and that's what it is. You need to make it relatable to them and for them to understand that it's important but in a fun way so you're not shoving stuff down their throats to have them remember stuff they don't want to know. Like, why would non cyber people want to know about cybersecurity?

0:17

I'm excited about cyber after working in cyber all day.

0:18

I do. Because it's pairing what they already want to see with a little bit of education. It's not too much, it's not overwhelming, it's just like you're getting little snippets of reminders and then there's a bunch of studies that show that someone has to see something seven times in order for them to even grasp it or remember it. It was just like, Hey, and I was like, yeah. And it's like, what are we going to do about that? And then it's a smashing sound. And it was like. Hey, what are we going to do about that? And it's like, get people to give a shit about cybersecurity. Sorry guys. And it was like, Oh, make TikToks about it. Because that's what people are into. It's so quick. That's what people don't understand. And I'm sure you went through this a million times. I can't even imagine at TikTok. But even for my companies, personally that I've worked at, it's like, okay, marketing wants to get involved.

0:20

It's one of those things where it's so bad that they're like, we've made it a point to where you can't just fast forward. We've made it a point to where we're watching to see if you're actually watching the screen. Right. Cause I used to do that. I would open like six different windows and just play them all at once. I'd be like, cool, here we go. private browsers, six of them. You don't know. People aren't forced to watch it, to wait until their show starts. They're going to scroll. And so it's the same as I honestly feel like when I accept sponsored deals, which it's very rare for me to accept, but when I accept to sponsor deals now, I make sure that I'm like, okay, no, it's in my own voice.

0:22

Would you say that TikTok allows you to reach the most diverse group of people? And I know I'm going to ask another question and you're shaking your head. And can you talk about the importance of diversity in cybersecurity and reaching those types of audiences? It was ridiculous. People were asking me to help get verified. I'm like, when I figure it out for myself, I'll help you. I don't know.

0:24

Getting more diversity into STEM and cybersecurity was one of those reasons because I'm just really tired with the same people being at the top of the table or the head of the table. Yes, I understand that they're there and they deserve to be there and obviously what they did worked but we're in a day and age that continues to grow and learn and evolve and if we're not bringing different types of people, different types of opinions and different types of answers to the table, which we won't get unless we have more diversity, then we're shooting ourselves in the foot. There's so many open jobs right now, and all these entry level roles require three, five, six years of experience, which makes no sense. And then we're shooting ourselves in the foot in the future because we're not even allowing actual entry level people to get into cybersecurity to have those skills.

0:26

They have to have three to five years in a CISSP, which you can't even get a CISSP unless you have five years of work experience. I've seen that five years and a CISSP. You can't even get that at entry level, but whatever. That's not my point. The point is that we're going to have a huge problem and all of these people that get recycled, that are the same people that are getting the same jobs, which, they're there for a reason. It's fine. When I want to get in the industry, but if you're continuing to hire me, just because you can check that box and then you're just going to hire the same person that looks like you after me, it's going to become a problem.

0:28

I've told people multiple times I was denied a web app pen tester position, like two weeks before I got hired onto the red team at Zoom. Your value literally just depends on the market you're advertising yourself in. I love the diversity topic, and I would love to talk about that and literally nothing else, but we did promise the good people that we would talk about the importance of cybersecurity and recent breaches that are hitting Las Vegas a little hard right now. If someone, similar to the MGM situation, gets suckered into a phishing email or some type of social engineering scam, you're going down and, and this is also where we can bring diversity back in just a little bit. You need to have and, bring back what I had said previously too, but you need to have someone in your company that's in charge of fun, interactive training for your employees, because that's like the biggest thing that you can do.

0:30

And so I think more budget needs to be put onto training awareness. And you can also bring diversity in here because you know what? Having a more diverse group of people allows you to better understand what people want. All different types of people in your organization. What people want to see in a training that's not boring, that keeps people's attention is relatable to your general user. “the security awareness free version that some companies offer!” I ran into that when I worked at Cofense and I'm like, bro, that's just not enough. Like, come on.

0:32

So like, as a sales engineer, our job is to go in and talk about like, Here's the use cases, right? Okay. This part of your job sucks. That's great. Okay. This is a possible risk and breach potential breach. Great. Let's actually show you like what would really happen if that happened. Right. Cause nobody cares about preventing it as much. Do you guys think that orgs should be forcing people to do it more often, more than once a year? Like what should we do? How do we address this?

0:34

And like the basic ones aren't really going to show you the importance or do anything. They're really boring and not relatable and not digestible. It's very heavy legal jargon. And so I think there's a good mix of outsourcing the standard basic cybersecurity training, but for your specific company, you should have a team that's making it, that's way more fun and relatable to stuff that your company actually uses and does and thinks about on a day to day basis.

0:35

I've been in so many tabletops. We all sit down. I'm like, okay, what do you do when something's going bad? We all call this guy. Okay. That guy's out on vacation. Now, what do you do?

0:36

Or on your phone, where somebody can hack your phone and get it out of you.

0:37

Yeah. But I mean, every nice thing you try to come up with to make your user experience better, like SSL and federated users and stuff like that. I'm going to come right along and break those things. And we're all going to go back to the stone age where we do have to log in six times.

0:38

Yeah. Well, I always knew that I was put on this earth to do bigger things. And I always wanted to help people and that's literally why it kind of drove me to start my TikTok channel. And when it was growing so much, I realized I'm really, really passionate about anything I start working on. I literally was like, I'm in my 30s and I've been hustling and grinding and this is not where I want to be. So that was one of the reasons, but that was a small reason. The main reason was because I realized how much of a need this was for everyone. Like again, we are given technology at a young age, like literally kids are swiping their phone before they even have their first word and no one, it's similar to taxes.

0:40

I'm just starting, I have interviews with my first few interns next week, but, yeah, there's a lot of stuff that I want to do to help educate the public on online security and education. And obviously I also want to get more STEM in, there's two buckets, right? There's like the general public, and then there's the bucket of like who wants to get into cybersecurity and how, how I can help them.

0:41

They're also so high level, they're like 30,000 foot views of security concepts, like the CIA triad and stuff, and it's like, you haven't even told these people how that applies to what we do. And it's like, okay, well, do you guarantee me to get a job? No, we don't ever guarantee that. Well, then why am I paying you? Well, for intro to cybersecurity. And I'm like, well, I could find all of that free and I could do all this, but what is your coaching actually offering? And there's a lot of LinkedIn influencers now that are saying that they can do all this stuff, but I've never seen anyone prove it.

0:43

So you need to target things that actually give you skills to do that thing, not just be called that title.

0:44

Well, and the schools and certification and boot camps, they let you take out FAFSA for federal loans and whatnot, but then you're in debt. Right? So we have student loan debt problem. We're entering. I mean that I have student loan debt because I have multiple degrees. And I'm like, this means nothing because right now, none of you guys are hiring entry level. So talk to me when you're hiring entry level, like actual entry level, because what do you want me to do? I don't know what to tell you. I can give this to someone but it's gonna be discouraging because all these people are saying, oh I got this certification.

0:46

Yeah. Yeah, I would agree. All right. This episode has been 45 minutes long already. We are having such a great time, but unfortunately we do need to bring it to the end.

0:47

I love that. Speaking of that, there was a study that I read that, uh, security budgets are even being taken away more in 2023.

0:48

I think one thing I don't usually say on these, but Maril made it a point on my first time on this podcast is, find a few mentors, even if they're not your mentor.

0:49

So many. Um, now don't, don't listen to everybody on YouTube. Some people out there do not know what they're talking about, but there are definitely the good ones. You can find the good ones. We're going to have one of them on the show next week. Coming up next week on the next episode of Cyber Queens, we have Heath Adams from TCM Security, the cyber mentor himself. So the harder you make my job, the better off you will be. But also it is going to be to tailor that security awareness training, because I think the most effective training I ever saw was not super general and like, hackers are bad. Watch out for them. It was seeing my own coworkers be like, this is our definition of PII.

0:51

No big deal. Thank you so much for spending your Friday afternoon or morning with us. Thank you. Again, next week we have Heath Adams joining us. So be sure to tune back in for that. We're going to be talking about affordable, accessible, practical, and realistic upskilling in cyber skills and everything that he's doing with the good work over there. And Caitlin, please tell the good people where they can find you. And if you've got anything coming up.

From The Podcast

The Cyber Queens Podcast

“WHERE ARE THE WOMEN IN CYBER?”

The Landscape

In 2022 the cyber security field still consists of 24% women and only 2.2% LGBTQ+ minorities. Long-perpetuated gender, age, and demographic biases held by the ‘Baby Boomer’ and Gen-X groups have led to a severe gap in the representation and advancement of women and minorities in this field. Millennials entered the workforce and attempted to forge a new way by asking for small changes; but definitely conceding others. Currently the Boomers/Gen-X accounting for more than 55% of the workforce are on their way out.

There is a new perspective shift happening industry-wide in tech because Gen-Z has arrived, and they don't ask for change - they command it. Millennials and Gen-Z currently make up only 35% of the workforce but that will grow to more than 75% by the end of 2030.

The Solution

We are not here to simply identify a diversity problem, we are here to solve it. Head-on. It is our mission to close this gap by inspiring and empowering Gen-Z women and minorities to seize their place in the cyber community. Breaking molds to choose careers inherently designated for us by gender bias. Branding cyber as lucrative and exciting. Nurturing a curiosity in tech where it was conditioned out of us. Dispelling the myths surrounding different niches and avenues into cyber and highlighting the success and fulfillment that can be achieved here. We are going to bestow strategies for navigating the mindsets we encounter on a daily basis and how to overcome the challenges they present. We're going to do this fueled by bold, raw, unfiltered insights to propel new talent forward and challenge managers to join the train of progress.

WE ARE THE CYBER QUEENS AND WE'RE BUILDING THE SISTERHOOD OF CYBER.

WHAT DO WE STAND FOR?

1) RADICAL TRANSPARENCY
We will never let ourselves, our message, or the value we give be censored or watered down to make a buck on this podcast or its audience. We will also provide truthful, value-driven insights according to our own experiences.

2) SUPPORT & EMPOWER
We advocate for women unequivocally supporting other women. Eliminating sexist mindsets, toxic competition and leadership between women and minorities. We get enough of that from everyone else.

3) SOCIAL INTEGRITY
We are not here to lift women by bashing on men. We don’t believe success is pie and that more for us means less for someone else. We're here to educate and uplift anyone with an interest in getting into this field who may be at a disadvantage to do so.

4) INSPIRING ACTION
We offer practical advice that can be implemented immediately for listeners to further themselves and gain traction in their cyber education or career. We foster mutual collaboration and give our audience a platform to take action and be supported in those pursuits.

5) CREATE LASTING IMPACT
We curate content and speakers who deliver unbridled value to our listeners and their perspectives. We do not cater to guests and influencers whose message is limited to their own agenda or whose values do not directly align with our own and our mission.

6) INVEST INTENTIONALLY
We want to invest in ourselves by paying it forward as much as we can. We will buy from, monetize with, collaborate with, and promote working with other minority-owned small businesses FIRST wherever they can fill the need.
