Coding Conversations with The STEM Educational Institute (SEI) - hosted by Nikisha Alcindor

Inside Cybersecurity: Omar Sangurima on Artificial Intelligence, Threats, and Opportunity

Season 2 Episode 4

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 53:24

Send us Fan Mail

Cybersecurity is one of the most important and fastest-growing fields in the world—and Omar Sangurima is breaking down why. In this must-watch episode of Coding Conversations, we dive into AI, cybersecurity, digital safety, innovation, and the future of tech careers. Omar shares his personal journey, industry insights, and powerful advice for young people looking to stand out in a world driven by technology, data, and security. This episode is full of high-impact insights, career inspiration, and future-focused conversations that will challenge the way you think about the digital world. Watch now and discover why cybersecurity skills, AI knowledge, and STEM education are more critical than ever.


Support the show

👉 SUBSCRIBE to Coding Conversations - https://www.buzzsprout.com/2136122/subscribe
✔ Early Access to New Episodes
✔ Real conversations with changemakers
✔ Insights at the intersection of STEM, wellness & equity
✔ Stories that inspire action and growth

https://www.linkedin.com/company/stem-educational-institute

https://www.instagram.com/stemeducationalinstitute/

https://x.com/sei_stem

https://www.facebook.com/people/STEM-Educational-Institute/100066630527785/

You’re listening to the STEM Educational Institute Podcast. The information in this program is for educational purposes only and not a substitute for professional advice. This podcast is for informational purposes only and does not provide legal, medical, tax, or professional advice. The views expressed are solely those of the hosts and guests and do not reflect the positions of STEM Educational Institute or its leadership. STEM Educational Institute and its affiliates assume no liability for any actions  and/or decisions taken based on the content of this program.

Welcome And Guest Introduction

Speaker 4

Welcome to Coding Conversations, produced by the STEM Educational Institute. I'm Nikisha Alcindor, president and founder of the STEM Educational Institute, where we provide free programming in financial literacy, STEM, and mental health. We work with high school students, they go through a one-year program. At the end, they earn a college scholarship. Coding Conversations are ways to bring exciting voices to you, the viewer, about things in the areas of STEM financial literacy and mental health. And today we have an exciting topic as well as an exciting guest. We're going to be talking about cybersecurity, particularly cybersecurity and health. And to help us with that conversation is Omar Sangurima. Welcome, Omar.

Speaker

Thanks for having me. Excited to be here.

Speaker 4

We're so happy to have you. So Omar is the head of cyber program management and third-party risk management at Memorial Sloan Kettering Cancer Center. You can think of Omar's job as being the digital bodyguard for the hospital. And Omar's goal is to build strategies that stop hackers from stealing information from disrupting the technology that doctors use to save lives. And he teaches, he treats his work as like a high-stakes chess game, if you will. And what he does is he has to predict what bad folks might do and find the weak spots in MSK defenses and fix them before anyone can attack. And so if you love solving puzzles or beating tough bosses in games, cybersecurity is the career for you. And when not protecting hostile data, he's usually strategizing in other ways, whether it be obsessing over fantasy football lineups or tackling difficult challenges in single-player RPG video games. Omar is always trying to do things that are innovative and high risk, right? And so welcome, Omar. We're so glad to have you here today.

Speaker

Thank you. Thanks for having me.

Omar’s Path From Queens

Speaker 4

So it's not a conspiracy, but Omar, like myself, for you the those of you who watch the show is from Queens, right? Is it just you know something in the water? Something in the water. We just we just keep going, right? And so, Omar, you got your degree, you got your MBA from Maris College in Piskix in Poughkeepsie, and then you went on to get your doctorate. Yes. So obviously those are very difficult things to obtain and agrees, degrees to obtain. But before that, take us back to your origin. Where did you grow up and how did you start to realize cybersecurity was your l field of interest?

Speaker

So as you said, uh grew up in Queens till I was around nine, moved up to Massachusetts, followed my sister. She got a residency up there, Bay State Medical Center. So uh she grabbed me and and our mother, we went up to to right outside of Springfield Mass. Um there again, the the overriding goal, right? The the first generation in this country, it's uh education's a silver bullet. It's uh keep at getting educated, look at your sister, look at what she's done. So I just kept my head in the books, uh, kept kept uh chipping away. High school, college, undergrad. Even then, it was it was odd. Cyber wasn't exactly I wasn't born with a computer in my hand. There's some people that I work with, you can tell, uh, they're amazing. Uh, but that it wasn't that wasn't the origin story. I I I'm a career switcher. Um so about 12 years ago, 12, 13 years ago, decided to switch over from financial advising and tried to get into a field that you know I thought was gonna be, you know, innovative, uh challenging, constantly different, different things to to focus on. And it's been that, thankfully. So, you know, it's it's been always interesting and never never a dull day in the field, I'll say that.

Speaker 4

I love that. I love when you know going from financial services industry to cybersecurity. Can you talk about kind of what was it or what are what are some of the courses or things that you did to prepare you or you think prepared you to go into cybersecurity?

Switching Careers With Certifications

Speaker

So I remember this is funny because the there's one certification that I said, let me give this a try, kind of a test run before I went full bore into say a degree in cyber. Uh the the Comp TIA Security Plus. Uh I remember I I chuckle now because w when I'm, you know, when anybody's asking me about, you know, how do I break in, what certs to start with, I say, you know, I studied for that thing for nine months. I usually pause for laughter at that point because that was a long time, like one cert, but I was just so I had to I was taking a leap. It was something that I wasn't, you know, of course, classically trained in uh for school. So studied for nine months there, thankfully passed. Um, you know, my my origin story would be completely different, I think, if I had stumbled, if I had stumbled then. But, you know, did that, then started taking a couple courses for an MIS. Right. That was my first kind of teaser. I didn't know. And tell us what MIS on Masters of Information Systems. Yep. So uh to uh started doing that even while I was still kind of you know one foot in the financial field, but definitely looking uh to to move out. The cert and beating being getting that beating, but getting that certification, I think then I was hooked. Like I I just loved the idea of being able to take a look at a certain level of challenges, right? It's always, you know, my my wife has heard this many times, is another it's another windmill to tilt at. I just love, you know, seeing seeing something on the horizon and saying, you know what, maybe I could figure that out. And the industry, cybersecurity especially, at that point was still more heavily focused on certification. So once I started really kind of chaining those together, I started to convince myself that maybe I could do this. And then from there, you know, uh networked a little bit. I I got my first job through someone I knew. It wasn't necessarily it was just, you know, surreptitiously mentioning it to a a buddy of mine at at Jiu Jitsu. We were it was an open mat, right, in Brazilian jujitsu on a Saturday, and he, you know, he's like, Hey, I hear you're in this cyber thing, you keep talking about it. Right.

Speaker 4

Okay, first of all, you can't just throw in while I was doing jujitsu. There has to be an explanation for that. So we got it. So are you is that kind of one of the other things that you still practice?

Speaker

I I mean, sort of now. My body's a little busted up, so I I'm I kind of you know, I'm I'll make appearances at Open Mats uh here here and there. But I started started Brazilian jujitsu, it was after so I was on the national team for taekwondo, uh, under the under seven the under-18 team. Okay. Went to North Korea. That was the first uh world championships, the second world championships were thankfully in Puerto Rico, right? So definitely much nicer than North Korea, I'll say that. Um five days in North Korea as a 15-year-old. Uh wild wild times. Wild times. I'm sure. Yeah, yeah. Um yeah, did that, uh, wrestled in high school, and then you know, I didn't want to continue doing the the you know on the adult team for for taekwondo. I was too too grindy. So um I I got into Brazilian Jiu-Jitsu. There was a school near Hartford, Connecticut, where I went to undergrad. It was uh West Hartford, Connecticut. And back then it was a it was a huge deal to have like a purple belt teach the class. Sure. It was you know, because there was not a lot of black belts uh in the United States at the time. And uh I got hooked. I uh you know, and I've been grappling since 99, 2000. Um yeah, like I said, right? You know, if I if I shake someone's hand or if I put my hand down, like you can see like the gnarled fingers here and there a little bit, right? Or if I had if I stretch out, I can remember times when I should have tapped and I didn't. Uh but uh you know, still love it. Um but yeah, it was again got into never would have thought that that would have led to you know a career.

Speaker 4

So what I love about that is that your physicality actually is translating to your ability, your s your mental strength in terms of what you do and your critical thinking. And we often see that with with athletes being able to transition kind of their work and their physicality into difficult fields. Because I remember the term cybersecurity coming out of when people were starting to get hacked or identity theft. Do you remember this? Like identity theft came out, and then everyone would you would go to the police and they'd be like, Can't help you, ma'am. Right? Do you remember that? Like it's like so someone stole my identity, and it was like the best, the best way to prevent that is to have all these different alerts and all these things. And so that was in my mind, that was the scope. I'd love to see to to get your thoughts on where that scope has has trended towards because back then it was just okay individual information getting stolen, but now we're talking about ransom, like people taking data from companies and data's having you know, companies having to pay for that. So talk to me a little bit about what you've how you've seen the idea of cybersecurity, like that definition transforming over the years.

Martial Arts And Mental Toughness

Speaker

So it's really amazing that that you kind of pinpoint it that way, because I see it as kind of a Venn diagram or uh a sine wave, right? Like down, up, down. It started with individual identity protection, as you said. It was kind of very much scoped towards you you're you're gonna get your own your own Social Security number taken, or somebody's gonna start taking, you know, writing checks in your name or taking out loans in your name. And then I think as business, as enterprise got more interconnected just by virtue of technology advancing, then I think uh cybersecurity took on a bit more of an enterprise uh scope, as you said. It went then, you know, then business data could get stolen, then intellectual property could get stolen, then not only that of the of the business themselves, but then what about the business's customers, right? So then you have you start having, wait a second, the the scope starts expanding. Now what I've been seeing lately is kind of a return towards first principles where, you know, it's still data governance is taking up privacy is I think privacy now, the the concept of privacy and privacy engineering is having kind of the same renaissance that cybersecurity did maybe 10 years ago, 10, 11 years ago, kind of when I started. And it's you know, the and and to think that they're not distinct fields is is uh is a fallacy. I think there's there's there's overlap, but there's v fine, fine professionals in privacy engineering that sing a different tune, dance a different dance than the ones in cyber, kind of cousins. We kind of, you know, we definitely reinforce each other, but it's it's the the days where it's it's the same, you know, are are kind of are kind of gone. Same as I'd imagined, and this would this would be a little bit before my time, but I've done some some studying in the history of the field that I'm in, is kind of where the the break happened between like information security and cybersecurity, right? Where it was like, you know, we're making sure that you know physical records are you know uh uh thrown out when they need to be, making sure that folks only have access to you know the hard copies of papers. Th there it kind of broke away, and then you had the cybersecurity, information security. Folks still kind of they don't disambiguate the terms, you know, but now I think that's a bit more distinct. And I think the same thing's kind of happening now with with privacy and cybersecurity. Fields that are very connected but not anywhere the same and demand different skill sets.

Speaker 4

Okay, so you we you brought up the term Venn diagram, right? And so when I think about kind of privacy settings settings, everyone gets those pop-ups that say, do you want to load cookies? Most people don't read them, they'll say accept, manage, or reject all, depending on what your options are. And then you have this kind of cybersecurity malware hacking things. But then to me, there's like a in the middle, there's some sort of ethical, maybe it's not called ethics, but who gets to decide what goes into what bucket and I guess consumer awareness? Like who who is like how is that being dished out or divided?

Speaker

So it's I think for me, the the way I'd split those uh uh it's a matter of outcomes. So in where where I work, it's usually, well, okay, privacy is gonna sit there and tell us what we need to lock down, uh why to how long for how long, to what extent, you know, makes the that privacy and more data governance says, listen, this is this is important, this is why it's important, whether it's like uh laws, regulations, whether it's intellectual property, right, it's it's uh proprietary to uh to the organization. Then okay, we've sussed all that out. Now cyber, come over here and make sure that what we want to have happen with this data, with this information, for these purposes, which is where the privacy comes in for the doctors or for the patients. Make sure you lock it down. So that's where you know we we saddle up. Um where I think then, at least that's that's what happens in the organization. I think you bring up a great question in terms of who's doing that writ large.

Speaker 2

Yes.

How Cybersecurity Has Evolved

Speaker

I don't know. That's w you know, uh th this is one of the things that I always harp on when it when you when I get on my soapbox here is, you know, the United States doesn't have a national privacy law.

Speaker 3

Right?

Speaker

Europe has kind of figured it out. Yes. Um they're at the forefront with the EU AI Act as well, which is, you know, in add in addition to the GDPR. But you y we have a patchwork in the United States, which I'll tell you what, makes um locking data down fun when when depending on on the scope of the enterprise that that you're that you're working working with. So I think that, you know, right now it's anyone's guess in terms of who you you have an ethical folks in the industry do have a compass. We do kind of know listen, and and you have a compass and you also try to balance it out with, okay, for what purposes are we doing this for?

Speaker 2

Yeah.

Speaker

So, you know, because w what my boss says, I I love the man, right? Um, you know, the the most secure system is the one that's not connected to the internet and it's at the bottom of the ocean, but how useful is it? So you have to kind of balance that out. But many folks in the field in privacy and data governance as well as cybersecurity, we have that true north where we're like, listen, we're we're trying to lock this down. We want to make you we we treat it like as if it was our own family's kind of data. And we understand like w would I want my data out there, would I want my family's. Uh in in the hospital for sure, it's it's not hard to make the connection towards patient harm. Yeah, sure. And and privacy, especially with the the type of care that we provide. Sure. And so, but in terms of writ large, that's a really good question.

Speaker 4

Well, you know, it's something that I think about often, particularly for when I I I do a lot in in artificial intelligence. A lot of my research is in artificial intelligence, and I start when I'm building models, I start with the ethical questions. Like what is the worst that can happen? Right? And when I think about there are pros and cons to having your data taken from you when it comes to privacy. Because frankly, you know, I like getting coupons at the store based on my buying habits. Absolutely, right?

Speaker 3

Absolutely, yeah.

Speaker 4

I like that. But I don't like my insurance premiums being determined by information that I might have given up voluntarily without knowing or without knowing. Right? And so I'm wondering when you think about kind of cybersecurity and healthcare, what are some myths and what's the kind of reality? Like what what is actually what does that actually mean in the context of healthcare?

Speaker

So one of the things that I think, and it was an aha moment for me, and and and I'll be the first to admit, I it wasn't even I think I was maybe one or two years into working at the hospital at at MSK at Sloan, where it really dawned on me, hey, it's a data breach here is a horse of a different color because uh medical data is immutable. You can change your social security number, it's a pain, but you can do it. You can change your name, it's also a pain, but you can do it. You can't go back and rewrite your medical record, your medical history. So in terms of the myth that I would think I think permeates is that it's just like any other data breach. I think, you know, at the risk of sounding biased uh because it's the field I work in, those types of breaches can be so harmful because you can't y what if there's diagnoses on there that you don't want public? Sure. And once it's out there, I can almost guarantee you, once it's out there, and if it's unencrypted, if it's an actual breach, if you know all all those bad steps happen, it's out there but who knows what it's getting used for, who knows how it's being monetized. So I think the myth is that it's just like any other data breach. Um it's not a myth that practitioners share, I'll tell you that, because the folks in the field understand that this is, you know, there's very small room for error when it comes to allowing that. There's you could do credit monitoring, you could do this, you could do that, but what are you gonna do for someone's uh medical information once it gets out there?

Speaker 4

Yeah, you're absolutely right. And I kind of feel like that is when HIPAA came out in the early 2000s, and it was like this whole thing, and patients were trying to figure out what it is. It the hope of HIPAA was to prevent kind of data transferring, right? Right. And patient information being out there without the knowledge of patients and just kind of securitizing that. Now, where HIPAA is, I don't really know how far it's come along, but I kind of feel like it's a joke. You walk into your doctor's office and they're like, sign this, and you're like, well, what am I signing? It's like, oh, you're signing that we gave you the HIPAA booklet. It's like, well, what is that? What does that mean? Does the HIPAA booklet say that? Like, you're gonna take my genome secrets? Like, what does the HIPAA booklet, like what does it say? And I bring that up because you're absolutely right when it comes to these sorts of data breaches, even sharing information between hospitals, right? When you think about there's like the whole medical records thing, right? What is the um what are the what are the consequences or what are the potential things that could happen when you're sharing medical records, right? And so I'm wondering for you, what what are things well I don't want to ask you because then people might use it. But when you think of those types of things, how do you kind of align yourself and your team to start thinking about like what are your internal meetings about? Like how do you guys say, hey, um these are things that we're thinking about? Is there a like what's your process?

Privacy Versus Cyber In Practice

Speaker

Sure, sure. And I I it's you bring up a just even as a meta point, right? Taking a step back. Thinking about what why we're locking this down. I think is is one thing that makes us better at the job, but then also I think it makes us better partners in an organization. What I like to always say is, you know, nobody says, hey, I have to go to MSK because I heard they have a phenomenal cybersecurity department. As much as I'd love to. Yes, yes. So what are we doing it for? And I think that a lot of our internal meetings, I'll be, you know, I I like being the one in the room that kind of brings us back to that question, if we drift, because I think it guides us if we're, you know, are we locking down a medical trial? Are we locking down a collaboration between a couple of different institutions? Uh so who are we working with? Are we working with researchers? Are we working with clinicians? Are we working with people that are wearing both hats? Are we talking about patient data? Are we work you know working on a system that's patient-facing? Is it internal to us in terms of you know understanding the guts of the network, which is something, of course, we don't want out there? Sure, absolutely. Thinking about exactly what we're trying to lock down then shapes and why shapes the how. So and it shapes, like you like you were alluding to, the ethical question of okay, where on the spectrum of available and locked down are we gonna land? And where are we gonna feel okay sleeping at night that yes, this is this is the right tight rope to walk, where it's available, but it's encrypted, it's locked down, etc. I think there, that's really one of the guiding principles that I like to bring forward because it can devolve into, well, we know that this is the best encryption, this is what we have to do, we're gonna lock it down six ways. But then, you know, to your point, HIPAA, you know, the recent updates to HIPAA have been all about interoperability. You want to allow that patient to more ownership over their medical record so that they can go and make go to where they wanna be seen. And it shouldn't be an issue of well, you You know, I'd go to this other provider, but that other provider can't read my medical record because of the way the the my initial provider encrypted it or the system that it's in. I love that concept, and so it's forced my field to be a bit more agile, be a bit more, you know, on its on its toes in terms of, okay, listen, we have to make it available, but we still have to lock it down. That was I remember when the interoperability rules really came into effect. Sure. It was a big it was a big wait a second, hold on. Right. Um but I think it was a a great moment for the industry to understand, hey, there's, you know, yes, folks want their stuff locked down, but the information is there to facilitate care. We have to figure out a way to suss out this issue. How can we make it safe, but how can we make it secure and available? So, you know, I think that in a lot of those meetings, that's really bringing that back, bringing that question back in has has been, I think, uh probably one of the contributors to you know the type of team that that we have. I don't care.

Speaker 4

Yeah, and I love that because especially in the elderly, right? So we have baby boomers that are now retiring, they're older. A lot of them may or may not have a caretaker that can go to them to the doctor. And giving they don't they don't remember their medical history. And so it's it's a huge deal for doctors to see that, pharmacies to see what's what's going on in terms of that, to flag medication and to say, hey, this may or may not be good for you. So it's completely it's a something that's super important. And as as I hear you talk about the different facets of cybersecurity, what are some skills I can already kind of put make a checklist based on what we've talked about? But if you were to say there is a skill that every cybersecurity person or someone who wants to go into cybersecurity, what would you say it would be?

Speaker

I can identify and I can find, you know how you can say I can find my people in the room? Sure. You you have to you have to want to tinker. You have to. And and one of the things I remember I said it, it just came came to mind. I said, once you start tinkering, you're you're starting to hack. Yeah. That's the thing. You w you you sometimes if I'm interviewing folks, if I can tell that they will have physical discomfort if they can't figure something out, even if they don't have, you know, the type of the system on their resume that we use or the specific set of skills, I want that person on my team. We can we can teach them the MSK way of cyber you know, that's on us. But if I can tell that someone is gonna it's gonna bother them, it's gonna burn their mind when they can't figure out why something didn't work or why they couldn't get into something or why they couldn't come up with that technical solution to a problem that's gonna help people, that's a person I'm on on the team. And I think that if you if you present that, that's what I say to a lot of folks that ask me, like, hey, how do I prepare for an interview? I just had this on actually on on Friday, uh you know, which is what yesterday, right? Um how do I prepare? I said, listen, let that come through. I can tell you're curious. I can tell you like to tinker, I can tell you like to break things down and build them up, and maybe they don't work again. And then that's going to drive you to you know, learn the system even even more so. Um let that shine through. That's a person that I want on the team.

Why Healthcare Breaches Hit Harder

Speaker 4

What I love about that is so close to being a coder and writing computer code because the the thing that always bothers me, there is like a meme of someone um sleeping and the code is in the you're trying to figure out what is it, and now of course code assistance can help you with that, but you still are kind of, why isn't this working and your head is bothering you, right? And so I I really love that. And the the other thing that's interesting, and you probably have better statistics than I see and I have seen, but I've seen in the past, like there are dashboards that companies have that literally show the amount of attacks that are happening in seconds that are coming from all over the world. And I believe you have one. Can you give us a sense of maybe a statistic, maybe like how many happen like an hour? Like how many attempts are do you you guys monitor that? I'm sure that you mire that.

Speaker

I'll say I'll say we get millions a month. It's always it's you know I I liken it to you have and now of course, obviously with AI systems, that's even that's I think that's going to skyrocket. That's only going to go because you can automate what what it what I liken it to is you know, you're checking you're checking the doors and the windows. Right. If you if you've you know grown up in Queens, it happens, right? You you you you keep an eye out if anyone's kind of near your car. Sure, sure. Why are they hanging out by the car? It's not you know, it's uh it's a Chevy Cavalier, it's old. What are you doing? Like if it's not yeah, what are you checking for? Right? And I think that that is constantly now that's automatable. And it's just all the time. And if anything and as even as, say, you know, I talk to uh some folks that are you know front-end web developers. And uh one of the things that they you have to set up, right, when you're setting up any internet presence is you have to set up some sort of filtering to be able to distinguish like what's real interest, right? SEO, yeah, oh I'm I'm getting so many hits. I'm getting so much interest. Wait a second, is it just the fact that you have bots checking out if if there's something that's vulnerable, a door or a window that's open? Sure. And you know, I what's the quote, right? Like, why do you rob banks? That's where the money is. Well, of course. You put any sort of medical presence out on the open internet, it's gonna get constantly you know, just tap-tap, check, is this open? Is this open? Is that there? Day and night.

Speaker 4

Day and night. And it's like bots, you know, that are going to be. You know, it's interesting when you talk about kind of the amount of tax and the skills that you need, right? Um it seemed just by meeting you and knowing you, not only do you have to have like a um intellectual knowledge, but you also have to have common sense, right? A sense of common sense and uh be able to kind of question, question the things. And I'm wondering, um uh earlier today, you to you talked to our students and you get you guys can take a look here, um, some some film of Omar talking to our students. And one of the things that came up was the how do you get in like the entry-level positions and how these positions are being posted and they'll say entry level, but then when you read it, it's like you have to have all these certifications and two to three years experience. And then you have this great um saying that tech is kind of cannibalizing or its pipeline. Tell tell us more about that.

Tinkering Mindset And Constant Attacks

Speaker

Yeah, it's it's cannibalizing the pipeline. It's eating its own tail. I uh it there's I the math just absolutely doesn't math. You you brought up the certifications. I I I that that was a keen point. I did I didn't mention that, but you have some of these entry-level positions where it's asking for certain certs that the industry knows, oh, you need five years in the field to have that cert. If you see an entry-level position and it's asking for the CISSP, like either a bot put that up or you know, some unbeknownst, you know, not not knocking my friends in HR, but somebody put the someone signed off on a job spec that asked for a five-year cert on an entry-level position. And even then it the the comedy gets worse, or the tragedy, which one would you want to say? But it gets worse when then the experience only says two to three years. Wait a second, you're asking for a five-year cert. You want two to three years experience in the field. You know, some some folks, uh maybe the comment section or whatnot will say, hey, you know, you can you can take some of that experience requirement off. I get that, right? With a degree you can maybe lop lop it down to about three years. But even then, then we're talking about a three-year cert, two to three years of experience for, again, what I say is an entry-level position. Yeah. It doesn't jive. It doesn't make any sense. And what gets me is that not only is that obviously that's gatekeeping, that's keeping amazing folks in. I always say this, like i I liken it to when, you know, my my my oldest niece graduated a couple years ago. My youngest niece is about to graduate this year. When they were getting into school, right? When they were getting into undergrad, I said, I I I would never I would have never gotten in with the type of barriers and things that they have to do. Or then I thought back to my undergrad. Would I would I get into Trinity College now? I don't think so. I don't know. So I look back now, there's no way I'd get in as a career switcher now with with the types of of barriers that are there. There's there's that gatekeeping aspect. Then the other thing that's a bit more down the road but is worrisome to me, is where do the mid and senior level people come from in a field normally? The juniors that stuck it out and got the salt on them and stayed in and and graduated to higher levels of proficiency. Where are we getting those folks now? The ether? Like i if if we're making all these hoops and and and honestly, like in they there's no congruency to the things that we're asking folks to do to get into the field. Not even to mention that you see those jobs and they're still trying to pay junior level money. So I I just don't understand what we're we're setting ourselves up for a tsunami of we don't have people to fill the roles that we need. And and another thing that really just irks me. Yeah, you can tell this whole the whole subject does, but the thing that does irk me is the cyber field in particular goes, oh, there's no good people out there. Wait a second. Yes, there are tons of folks that I know would be phenomenal, but we don't let them in. We don't have pipelines, we don't have bridges, we don't go out into communities that potentially like mine, right? Like uh my origin story, I didn't mention tech till many years later. You uh we don't go out into communities and say, hey, there's you know, tech could work. Yes. This is a path. This is a way to, you know, to improve improve your uh your situation. It's it's it's maddening.

Speaker 4

Well, you know, one of the problems that I find is that the people who are putting those positions don't even understand them. So a lot of times they'll go to a chat GPT or some AI source and ask it to write a job description and they'll post it, and then the person or whomever will get into the interview and they'll either ask about, you know, the bullet points, the 500 bullet points, and then the person interviewing be like, oh, we just put that in there. Have you ever that I that I've had that experience, and I'm sure a lot of people have had that experience. And so, well, we'll well, just you putting that in there has turned away so many applicants. I'm sure if you've ever been on LinkedIn, and you always know if a job is actually a legitimate job based on the, you know, how they put the number of how many people apply. Like if it's over a hundred, it's probably not a real job. But if it's honestly if it's like 30 people apply, it's like it's probably a real job. Maybe, yeah. Yeah, it might maybe a real job.

Speaker

The chances are better, right? You're still playing roulette.

Speaker 4

Yeah, because it's like, okay, a hundred people apply. Why are you telling it's just like why am I gonna apply? It does it's like nonsensical, right? No. And you had this beautiful saying kind of out of your Genesis story. Um, your it starts with your mom saying, Mijo, I want you to talk about that and like how that really got you having a firm um foundation.

Speaker

So it was, you know, again, you know, I I did school, went to business school, did the financial advising, and my and my and my undergrad wasn't a financial advising degree, right? It was it was philosophy. So my mother at this stage of life is going, okay, Mijo, you know, plantate con lo pie firmamente debajo. Like put your feet firmly underneath you. If you're gonna make this change, make sure you're going in eyes open, you're doing your research. She was the best career coach at that point in time to make sure that, hey, I wasn't just gonna, you know, try this for a year or two and then say, oh, this is not for me. Um, because she had she had seen that obviously with undergrad and then the financial advising. Um but even then, what what kills me now is that somebody can do that, can do the research. I have tons of folks that reach out on LinkedIn, I'll sit with them, I'll, you know, I have a saying with my my CISOs, I'll talk to them all.

Speaker 3

Right?

Speaker

If they reach out, I'll make a half hour, let's how can I help you? How can I be a service? I like starting the conversation that way. And they'll tell me, hey, I have it, I have it planned out this way, this is what I'm getting into. They'll tell me, they'll tell me some deep part of cybersecurity, and they'll have a roadmap all the way to get there, right? And and it warms my heart, but then it also makes me sad because like they're not gonna get the chance in a lot of cases to get there. They've they have a better roadmap than I did when I started. They have their feet f more firmly underneath them than even I did, right, according to my mom. And it's still the the pipeline's just just not there.

Entry Level Hiring And Pipeline Problems

Speaker 4

You know what's interesting because I I think a lot of similar to artificial intelligence, a lot of CEOs and a lot of um a lot of business owners, everyone's like, we gotta get this AI thing, right? Most of them don't even know what AI is. Oh no. They think it means Chat GPT, and it does not. And so I I feel like the same thing is happening when it comes to cybersecurity. Like no one realizes that artificial intelligence, generative AI is a subdomain, and that there are all these different pieces of artificial intelligence. It's been around for a very long time. And I'm wondering how do you get leaders to one understand cybersecurity and without giving without using fear tactics. Like how what does that look like?

Speaker

I think the the best advice I ever got and that I hold to mind is I'm a business problem solver whose tool is cybersecurity.

Speaker 1

Oh, I like that.

Speaker

Since turning that perspective around, and again, shout out to my director as well as my CISO. I'm blessed with a great leadership team. Um love working for those two. If you're then able to say, hey, what are the business problems that you're facing, I might be able to help you. Here's how I can help you in my lane, you start then going, wait a second. The person you're talking to starts going, wait, they're not just trying to beat me over the head with cyber, they're not just trying to wave around IT terms, or they're not just trying to, you know, throw IT at me and then just just trust me, right? Sources trust me, bro. No, that's not that's that can't happen. But if you sit there and listen, and and it's funny because it goes recursively, obviously, back to like my sales background. That's how you know you sit there and try to qualify the customer, understand like what is the problem that they're coming to you for to solve. Speak to the benefits, speak to the outcomes, speak to what new future your solution can offer versus I'm just gonna lock this down and you know, you you can tell. And sometimes it even happens to me. Like I I try to practice this a lot, but you can tell folks' eyes will glaze over. Yeah if you start going off in the cyber world. Cool, you're showing off that you know some terms. Yes. Amazing. Yes. But they're coming into you to solve a problem. So go back to that and and and talk to that. Then I think, and you don't have to bring up the fear. You you know, that that's kind of understood a little bit, where it's like, hey, listen, if you don't do this, then it's out in the open and that's all she wrote. But you don't have to harp on that. How can I help you? What am I solving for you? What pain point am I getting rid of? Cool, I have a cyber tool that can help that. Right. And if I don't, be honest.

Speaker 4

Now let me ask you, you provided our students with kind of some tips and safety tips about cybersecurity. Do you ever use things like um you can give us some examples of you know some of the things that but do you ever use analogies to for people in kind of higher positions, executives, for their personal life so that they can kind of better understand so that you don't get those those gay glazing over.

Speaker

Absolutely. I I always I like to bring it back to one one of the the the things that I jumped on in terms of getting into IT really to begin with was one time my my mom, you know, she's from Puerto Rico and she said, Omar, I want to learn about this email. Help me with this email, right? She had never sent an email. Not you know, it wasn't it wasn't part of her her skill set there, right? But she knew that it was a way to maybe potentially talk to the folks back home. Right. And I just remember walking her through, it was the simplest thing for me, but just patiently answering her questions and and walking her through, setting up her Gmail account, and seeing just like her eyes lit up with this is magic. Wait a second. I can s you know, I I'm reconnecting back to my home country. Like, you know, yeah, she has the phone, of course, and that but like being able to, you know, have that asynchronous communication. And then obviously that were was the training wheels to then getting her like more on the internet. Sure. Right? Then then the whole world opened up for. And it's just it just I always remember that in terms of then coming back to, hey, what what are you trying to do here? Right. The analogies that I that I bring up, I usually just bring them back to whatever the per the a person will tell you, I always say like, they'll tell you like what their pain points are and what their hopes and aspirations are. They'll hint at it in the first like five to ten minutes of talking to you. Mm-hmm. If you're listening. Sure. If you're focused on I'm smart and I'm just trying to tell you something, you'll miss the signs. But if you sit there and you just take a beat and you they'll folks will tell you. Folks will tell you what's important to them.

Speaker 4

Well you know what I love about that, and especially the the example of your mother, is that the older generation, they I feel like they are being targeted so hard right now. Um and it's it's just so interesting because the naivete that happens and it's it's sad because they are not able to distinguish if someone's lying to them and selling something and it always comes on a phone call. How, you know, for our audiences, a growing audience, how would how would you recommend they protect themselves or their caretakers help them navigate like difficult like, you know, um calls and all the stuff that floods their inboxes?

Talking Cyber With Business Leaders

Speaker

I always say, and this is this is still for all the tech solutions that we've come up with, one of the main ways that an enterprise gets compromised is still social engineering. So it's a great, it's a great topic that that you're pivoting to. Now with AI, the old school ways of saying, well, the grammar's bad, that's out the window. Uh even non-native English speakers can use an LLM to craft an amazingly worded uh targeting message to an audience that they don't speak the native language of. So that's out the window. So grammar, um, you know, you can spoof email addresses, all the technical things are still they're they're increasingly less of a checklist that you can go to. But still the main thing that I try to instill in in any security awareness training that I I support take a beat. If there's if there's a sense of urgency that's coming from the other side of that communication, take two beats. It very it doesn't it's not fail-safe. Could very well be, you know, you might get that panicked phone call from a family member. It happens, life happens. But nine times out of ten, if they're going, you have to do this now, uh, wait a second, your your your stuff is compromised, click here, or calling you, hey, I need this, I need your information, we're doing an investigation. Or uh this is the help desk. You know. If there's a sense of urgency being foisted on you, that should ring alarm bells. Sure. Do a little bit more due diligence there. Take a step, right? Not to mention why would a help desk be calling you if you didn't call them to get help, etc. But that's a little bit more, I feel it's it's not like that one rule I can say. But if someone's trying to get you to do something quickly, you the hairs on the back of your neck should come up and then take a couple steps and really examine. Then you can start understanding. Okay, then uh the other tips might start to show themselves. Like why are they calling me? Where is this coming from? Is there an extra letter? In the address that you wouldn't have noticed if you didn't take that step. But that social engineering is always keyed in. And again, sadly, like you say, it's targeting those populations. But if it's urgent, double check it.

Speaker 4

Absolutely. And you know, it's interesting because when I I think also avoidance, for lack of a better term, is like putting on there are blockers you can put on home phones so that they the caller has to talk and explain themselves. With text messaging, now they text you for anyone who's out there when someone's texting you about a job. I actually have one person who keeps calling the spammer back. Those are fun. Those are fughts. There are vulnerabilities in some of their some of the way they communicate to each other. What are some tips that you can give parents when it comes to to that if you if you were like a kid? I feel like sometimes a kid with a cell phone is not too much of a good idea.

Social Engineering And Senior Safety

Speaker

It's uh it's one of those things and it's something I'm facing now, right? I I have a two-year-old and I know that conversation is coming. Uh she's already very keen on what's mom or dad doing on the laptop, what's mom or dad doing on the phone, right? She notices that a lot. And one of the things that I've I've seen, and because this is a question I've been asking myself to my peers, what what are you doing, what's going on? I think you have to take sadly, not sadly, but uh it's an extra step. You have to take an active role in what they're doing with those devices. Um does the person need to have communication capabilities if they're playing Roblox. What why? Yeah. Who's on the front? Having the conversations appropriately at whatever age they're at and saying, listen, this is not just the character that you're talking to on this Discord server or in in this uh chat room before you you know you drop in and play a couple rounds of of battlefield or whatnot. It's these are other people. Yes. Right? And and there's very little that they need to know about you in order to play, right? You don't want to be the no fun folks, because then what's gonna happen? They're just gonna work around you. Sure. So you know, engage and understand that, yeah, yeah, there's there's need for this. But I'll tell you what, personally for me, that that cell phone conversation is gonna be is gonna be a difficult one because I just, you know, now we're seeing it's kind of a recursive loop, right? A sine wave. You're seeing schools go, you don't need it all day. No. Deposit it. So, you know, I get the tug of you want to be able to communicate, but at what cost? You're seeing countries now determine that under 16 you don't need social media. No. More of those, and I'm I'm kind of in favor of that.

Speaker 4

No, I agree. I mean, I I I I observed my my son actually, he was playing chess and some way the setting was on like a he was playing the computer, but the computer was actually another person. And the person had a name, and I was like, whoa, whoa, whoa, who is this? And then I had to go to a setting, it was like buried to like turn it off. And so all these things, because you know, who doesn't want their kid to play chess? Of course. But then you have some you don't know who this person is playing chess with it with the you know, a kid. And so it just becomes um, you know, really, really tricky. Yes. Um and I love that you f you picked up the idea that schools are turning away from technology. You know, and in my my opinion is that as a parent, you have to be involved. I mean, there are there are no perfect parents, you can't be everywhere with your kids. But I feel like, just like I feel with SEI, our goal is to empower our kids. Obviously, when they're younger, you have to intervene and play an active role. But at the end of the day, we're sending them out, especially high school students, we're sending them out into the world. We're not gonna be there, you're not gonna be there, right? And so you want them to have be like, mm, I remember Omar was on coding conversations and he said, he said I should not do this. So that we kind of, you know, we're teaching them, right? Um I love that. So, Omar, if you could leave a voice message for your younger self um on uh day one in cybersecurity, what would you say?

Speaker

It's uh it's a phrase that my my father used to say to me, you know, he's not he's not with us now, and and it's something that I hear uh and especially on days when Barcelona soccer plays, right? Which was today. And they've they won three nothing big.

Speaker 4

Oh congratulations.

Speaker

A banner day for me today. Um Tranquilo, mijo. Like relax. Relax. It's you're not late, you're on time for where you need to be.

Speaker 1

Okay.

Speaker

It'll work itself out.

Speaker 1

Okay.

Speaker

Because I remember again as a career switcher, I felt like I was behind the eight-ball. I felt like, wait a second, all these people uh have ten years on me. I'm just trying to break in, right? I'm 30, what am I doing? Oh no. And just that's something I tell myself and it's it's funny. Now it's advice I give, and I always preface it with, you know, f if uh you know, if my wife were in the room, she'd laugh because like there's definitely nothing tranquilo about how I was trying to break in. I was trying to make up for lost time. But you know, you're you're running your own race. You gotta be better than you were yesterday, and that's it.

Speaker 2

Yeah.

Kids Devices And Active Parenting

Speaker

That's all. That's that's really what I because I think I'd enjoy it more.

Speaker 2

Yeah.

Speaker

To start, right? You know, I I'd I'd again my wife, you know, there's gonna be a time when you're not an analyst and you're gonna look back and remember those days fondly. And I said, What are you talking about? I want to get promoted, I want to continue, I want to hard charge. And she was a hundred percent correct.

Speaker 2

Yeah.

Speaker

There's days I'm like, oh, I remember when I was just a risk contract analyst. Those were amazing days. I had so much, it was great. Um you know, not that I don't like where I'm doing or where I'm at now, but it was just it was a different time. And I I think, you know, being more present, relaxing, tranquilo, chill, it'll come.

Speaker 4

I love that. I I feel like I just had that conversation in regards to being an AI and building algorithms and was talking to a bunch of people, uh, and I said, you know, do you ever feel like you're going too slow? And they were like, everyone feels that way. Yeah. Everyone in this room feels that way. We all feel like we can't, we're developing too slow. And uh it's just so I guess it's I think in God's time is the way to look at it, right? Absolutely. And so we're rounding out our conversation here with Omar. We have a lightning round. Okay. And so this is how it goes. Now, a lot of guests try to say both, but you have to pick one. Okay? It's gonna pin you down. All right, so I'm gonna give you two choices and you you gotta pick one, okay? Which one you prefer? Okay, so let's kick it off with the most important one. Coffee or tea?

Speaker

Bustello, coffee.

Tranquilo Advice And Lightning Round

Speaker 4

All that. All day. Did you use the press? Do you do the press? Uh no, not that fancy. Not that fancy. No, no, no, no, no. Uh control alt delete or stay on this page.

Speaker

Three finger salute. Control alt delete. Absolutely.

Speaker 4

100%. I love that. Morning meetings or afternoon meetings? Afternoon meetings. Okay. Oh, yeah. Um, iPhone or Android. iPhone. Work from home or in the office?

Speaker

Work from home.

Speaker 4

Slack messages or email?

Speaker

Am I in trouble? Because I prefer like Slack messages, but I will be the first one to email if I need a receipt. Like if it's official, if it's some, if I you know, and and I feel the same way. I I definitely put that on people. Yeah. Right? Why are you emailing me? Like, are you trying to wait a second?

Speaker 4

Are you trying to record? Well, well, Slack I feel drives me a little crazy.

Speaker

Oh no, the pings are nuts.

Speaker 4

The pings are like, you're like, what's going on? And it's like a hundred percent. And no one follows the rules. No.

Speaker

No one follows the rules. And that little message that says, oh, send it during hours. No, they don't believe in their mothers. It's like that. Terrible.

Speaker 4

I I can't stand it. Okay. Dark mode or light mode. Dark mode. Okay. Password manager or I'll remember it.

Speaker

Oh, password manager. Okay. Oh, yeah. There's no way. I can't remember all that. Yeah.

Speaker 4

Automation or manual control?

Speaker

Automation.

Speaker 4

Okay. Biggest pet peeve, just click approve, or can we circle back next quarter?

Speaker

Oh, can we circle back next quarter?

Speaker 3

No.

Speaker

The best time to sort something is yesterday, and the second best time is today. I don't like I'm no. Don't call me, I'll call you. Let's figure this out now.

Speaker 4

I love that because then the to-do list becomes uh it's never gonna happen. 100%. Once we go into the to do to-do list, we're done. It's not gonna happen.

Speaker

It's a myth.

Speaker 4

I love that. Well, thank you so much, Omar. It was a pleasure to see you. And where can we find you? I think on LinkedIn.

Speaker

Yep, LinkedIn, Dr. Omar S.

Where To Find Omar And Closing

Speaker 4

I love that. Dr. Omar S on LinkedIn. Thank you so much. Thank you for joining us on today's episode of Coding Conversations. Remember to like and subscribe and check out our swag. Thank you again.

Head Shot

Nikisha Alcindor

Host