Defending Our Communications Backbone in the Age of CyberWar: Dialogue & Career Retro with Mary Haynes

"Any country that intervenes in Taiwan will face serious consequences, including cyber attacks." 

This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world? 

At the heart of the answer is the United States infrastructure: an interconnected web of both government and for-profit companies that provide core services to the citizens. This public/private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks.

Our 72-minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration's somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) ensuring the security of consumer-managed connectivity hardware and 2) addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big-picture thinking, technical acumen and diplomacy that have taken Mary to one of the top roles in defending the U.S. communications backbone.

While the first part of the conversation discusses her and the communications industry's readiness to defend against nation-state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year. On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry's response to the current advancements in artificial intelligence. As we wrap up, Mary explains where we've made progress with regard to diversity and her advice for women considering a career in cybersecurity. Mary's optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.
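The second of the two defense areas named above, shoring up BGP with RPKI, comes down to a router checking each announced route against the Route Origin Authorizations (ROAs) that address holders publish. The following Python is an added example written for this page; it is not code from the episode, from Charter, or from any RPKI validator. It assumes a relying-party validator has already verified the ROA signatures and handed the router the validated ROA payloads (VRPs), so the block only models the RFC 6811 origin-validation decision: "valid" when a covering ROA authorizes the origin AS and prefix length, "invalid" when a ROA covers the prefix but none match, and "not-found" when no ROA exists. All prefixes and AS numbers are constructed from documentation ranges.

```python
"""Route origin validation (ROV) against a set of RPKI ROAs (added example).

Models the RFC 6811 decision a router makes after a relying-party validator has
cryptographically checked the ROAs. Prefixes and ASNs are constructed from
documentation ranges (RFC 5737/3849 prefixes, RFC 5398 ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # address block the holder has authorized
    max_length: int   # most specific prefix length the holder permits
    origin_asn: int   # AS allowed to originate routes in that block


# Constructed VRPs, as a validator would hand them to the router over RTR.
SAMPLE_ROAS = (
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("2001:db8::/32", 48, 64496),
)

# Constructed BGP announcements: (announced prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = (
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/25", 64496),     # right AS, but more specific than maxLength
    ("192.0.2.0/24", 64511),     # wrong origin AS
    ("198.51.100.0/24", 64497),  # sub-block of the /22, within maxLength
    ("203.0.113.0/24", 64500),   # no ROA published at all
    ("2001:db8:1::/48", 64496),  # IPv6, within maxLength
    ("2001:db8:1::/64", 64496),  # IPv6, too specific
)


def validate_origin(announced_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        vrp = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route only if the route lies inside the ROA prefix
        # (version check first: subnet_of() raises on mixed IPv4/IPv6).
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Covered and matched: origin AS agrees and length is not too specific.
        if route.prefixlen <= roa.max_length and origin_asn == roa.origin_asn:
            return "valid"  # one matching ROA is sufficient
    return "invalid" if covered else "not-found"


def rov_policy(announced_prefix, origin_asn, roas, drop_not_found=False):
    """Accept/drop decision. Dropping only 'invalid' routes is the common
    first step while many prefixes still lack a ROA; dropping 'not-found'
    is opt-in because it would discard unsigned but legitimate routes."""
    state = validate_origin(announced_prefix, origin_asn, roas)
    if state == "invalid":
        return "drop"
    if state == "not-found" and drop_not_found:
        return "drop"
    return "accept"


def summarize(announcements, roas):
    """Count validation states over a batch of announcements."""
    counts = {"valid": 0, "invalid": 0, "not-found": 0}
    for prefix, asn in announcements:
        counts[validate_origin(prefix, asn, roas)] += 1
    return counts


if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        action = rov_policy(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:>18} AS{asn}: {state:<9} -> {action}")
    print(summarize(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS))
```

The two "invalid" IPv4 cases are the shapes a misadvertisement or hijack takes: a more-specific prefix that wins longest-match routing, or the correct prefix announced from the wrong AS. The "not-found" case is the gap the episode describes: a peer that has not published ROAs cannot be distinguished from a hijacker, so a network that drops only invalids still accepts those routes.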

Meet our guest

Mary Haynes

Group Vice President of Network Security Operations at Charter Communications

Mary Haynes is the Group Vice President of Network Security Operations at Charter Communications. Mary currently leads the network security program for Charter's core networks and Spectrum services, including High Speed Internet, Telephony, Video, Mobile and Wi-Fi products. Mary is also responsible for Charter's Customer Security Operations, Law Enforcement Response Team, abuse management and botnet remediation programs.

Mary actively participates in a leadership role in numerous security organizations and associations, including the National Communications and Telecommunications Association (NCTA), Communications Information Sharing Analysis Center (ISAC), Communications Sector Reliability and Interoperability Council Working Groups and InfraGard. Mary is currently serving as the Communications Deputy Sector Chief for Denver InfraGard. She is the founding member of Women In Security – Denver, the largest ISSA Special Interest Group. Mary serves as mentor to many women in technology through WICT, WiCyS and Charter's LeanIn program.

Mary has been in the information security field since 1996 and has served in security leadership positions for Evergy, Lumen, Sprint, and AT&T. She graduated summa cum laude from Baker University with a degree in Business Administration.


[00:00:00] Mary: Historically, they never thought about security.

Just say yes. If it interests you, say yes.

I think we all know it will be used for fraud.

You produce hardware, you produce software, you're accountable for making sure it's secure upfront.

Seeing a slow adoption of BGP security.

I think people understand the risk, but making it a business priority is another thing.

In the end, I think it's getting better.

[00:01:04] Dave: In January of 2023, the Chinese Ministry of Foreign Affairs made the following statement: "Any country that intervenes in Taiwan will face serious consequences, including cyber attacks." This statement made it perfectly clear that the United States must be ready to defend itself in what many of us assume to be an inevitable conflict over Taiwan's independence.

It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world? At the heart of the answer is the United States infrastructure, an interconnected web of both government and for-profit companies that provide all of the core services to the citizens.

This public-private partnership is most evident where it matters most. Energy and communications. Mary Haynes, who joins us for this episode is group vice President of Charter Communications and an industry veteran. She's worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks.

Our 72-minute conversation with Mary starts with how the comms industry is responding to the threat and the Biden administration's somewhat unique approach in comparison to previous presidents. We explore two critical areas to mounting a credible defense. Number one is ensuring the security of consumer-managed connectivity hardware, those routers that you bought through Amazon, or God forbid at Best Buy, and how they must be configured properly.

Secondly, we talk through traffic hijacking and route misadvertisements, the likes of which we saw in the early days of the Russian-Ukrainian war, and we talk about how we can shore up these defenses, how we can shore up BGP using RPKI, and where we are in that transition. Throughout the conversation, we get a clear view into the combination of big-picture thinking, technical acumen, and diplomacy that have taken Mary to one of the top roles in defending the US communications backbone.

And while the first part of the conversation discusses her and the industry's readiness to defend against nation-state adversaries, the remainder of our talk serves as a brief career retro for Mary as she plans to start her transition into retirement later this year. On the topic of dealing with seismic technology shifts, she reflects on our response to public cloud and how it should inform the current response to advancements, massive advancements, in artificial intelligence.

As we wrap up, Mary explains where we've made progress with regard to diversity, and especially gender diversity, and her advice for women considering a career in cybersecurity. Mary's optimism and clarity of vision leave a strong impression throughout the dialogue. We wish her the very best as she moves from leader and practitioner to advisor and board member later this year.

We hope you enjoy this episode of Security Voices. Welcome back to 

[00:03:55] Jack: Security Voices. Hey Dave. Looks like we have another great conversation today. Do you want to introduce our 

[00:04:01] Dave: guest? Yeah, yeah. I wanna say about, ooh, it must have been like three months or so ago. I was out at an event in Denver that Mary was at, and I had the pleasure of sitting across from her to get to know her a little bit, and she has just had an amazing career.

Started out in the late eighties, early nineties at AT&T in Customer Success. Moved on from there to Sprint, Nextel, Birch Telecom, all sorts of telcos in different places, and kind of moving up to senior positions in her current role as Global, Global Vice President. CSO, all the things. Group Vice President, sorry, global sounds just as good.

Global Group Vice President, we'll throw more adjectives in, at Charter, uh, at Charter Communications. And at the time she was starting, she was getting closer to retirement and even closer now with the big date coming up in September, we thought it'd be amazing to have her on the podcast. So we have you who's already retired, Jack.

We have Mary who's edging up towards it and me who's looking wistfully out the window on occasion and hoping for that day at some point in the not too distant future. So thanks for joining us, Mary. 

[00:05:23] Mary: Thank you. 

[00:05:25] Dave: Awesome. Alright, so we're gonna go through past, present, future, a whole bunch of stuff as you guide us.

But let's start out with, with maybe a little bit of myth busting here as folks think of telcos. The, the common perception is, oh, you know, even though we get the Verizon DBIR report and other things, the telcos are dinosaurs. They're stuck in the past and so forth. They are as uninteresting as they are

vital. What do people miss from sitting on the inside for a while? What are people not seeing?

[00:05:59] Mary: Well, they're not seeing who, who it is that's actually connecting them to their communications, and that's the vital part of our business. We may not be telephone companies like we used to be, but we are your broadband provider and broadband.

It's all about broadband. It's why the country has invested so much into rural broadband and trying to get broadband everywhere. And so we're the ones that are connecting you for all your communications, whether it's a telecom or a cable operator like Charter. We're the ones who are really creating the connections and we continue to introduce new technology every year to give you faster speeds, higher, higher download and upload speeds.

So we actually consider ourselves a technology company, and we don't consider ourselves telcos anymore. We consider ourselves really communications companies and we're tech companies, which people never put us in that category before. We are how you're gonna communicate in the future. Even when you talk about virtual reality and the communications associated with that, the reason we're really pushing things like 10G speeds is so that we can bring that kind of experience and it's gonna be that AT&T or Verizon or Charter Communications that's gonna provide that connectivity for you.

So we're not the old dinosaur, we're not the old bell-shaped heads. We truly are the communications for the future. 

[00:07:27] Dave: And it, you know, as you were talking, I was thinking critical infrastructure. Maybe it's good that our critical infrastructure is stable and so boring that we almost take it for granted.

Maybe that's a good thing. It could 

[00:07:41] Mary: be, it could be, you know, I've always said in the past that bad people needed our networks to do what they need to do, right? So I think I always had this safety net around me, but I will say with some of the recent threats, um, by China, you know, as they're talking about taking over Taiwan by what, 2027 and you know, they're gonna take down any adversary that supports Taiwan, it's really made us look at network security.

You know, what would be the impact if they were to take down the US networks? That would be crucial, right? We're considered the second most important critical infrastructure behind energy. Energy being number one, telecom being number two. And it's really made us focus on what we need to do to secure the network.

Now, make sure that. Folks in China or where whatever nation state might be a threat to us, making sure they're not getting into our networks now so they can do damage four or five years down the road. So we're really a lot more emphasis around network security, even though our technology doesn't change significantly, they're always finding different ways to get in and do bad things.

Usually taking advantage of features in our routers that shouldn't be there and, and they use to our network. So we really are putting a lot of emphasis around network security, um, because we do think it's gonna be a severe threat in the future. 

[00:09:18] Dave: Yeah, it's, I mean, we were gonna finish with this, but why don't we start with it since we've already kind of gone in this direction.

And it parallels with, um, an event I was at a couple weeks ago that was actually to your point, it was, um, oil and gas related. It was energy related, and I was invited there to talk about cloud security. But Anne Neuberger was there and it was listening to her talk about the role of. Oil and gas of, um, of networks of our, you know, our critical infrastructure and how they were thinking about it.

And you could tell that she was, she was kind of pointing in that direction too, and just how intertwined critical infrastructure is and national defense. And it's been that way for a while. But when you've, it feels like maybe the big difference here is when you have a, a nation state adversary, adversary openly saying, we're going to go after your critical infrastructure if you retaliate, you know, is, is that the, the primary difference here?

Just the clarity of intent from the, uh, from, from a incredibly well-funded adversary? 

[00:10:23] Mary: It absolutely has. I mean, I think it raised everybody's ears that was made public. Where I actually saw, went to DC for a classified briefing and saw almost every branch of the government at that meeting. And that usually, you know, we might meet with DHS or we might meet with the NSA in these briefings.

And this is the first time where I saw DOJ, um, um, the FCC being there obviously, and then all, all the other three-letter agencies were also in that room. So I think the direct threat really kind of opened people's eyes that we need to think about what are we doing around critical infrastructure and what are we doing to secure the internet?

Cause it just becomes such a vital point. It was very clear to me during Covid how vital the internet was to everybody when everybody started working from home and all of a sudden the homes became the connection to the business. Our business boomed during Covid. We always say we were the fallen angels.

People didn't even know what we were doing, but we were expanding our network to allow all these people to connect, um, to be able to do their work from home. And I think everyone gained a real appreciation. For the internet and what the internet service providers do to keep everybody connected. But it can also be one of our weakest links if there was a true nation state impact on that communications network.

So I think that threat definitely opened everybody's eyes and really made everybody start talking about, okay, we know the internet was built insecure by design. It was never built with security in mind. It was meant to share information freely. And so now we're looking at, okay, well what do we need to do to make sure we have all the checks and balances and every packet that we pass?

So that bad actor doesn't inject bad traffic or redirect or hijack our traffic going 

[00:12:33] Dave: forward. You know, I think back to the Sony hack back in the nail. I'll explain why in a moment. But when Sony Pictures was about to release The Interview and the North Koreans said, you better not do this. You're gonna have big problems if you do.

And Sony Pictures kind of shrugged it off. They got hit by a massive wiper. There's a bunch of people who should have been working, who instead went out and played Frisbee because everything was down for a long period of time. And at the time, the Obama administration was, uh, you know, there was a great book by David Sanger who kind of went behind the scenes on this and some of the Obama administration's thinking, which went a little bit like, how far do we go?

This was an attack on a company that did thumb its nose at this nation state. They weren't attacking critical infrastructure, but they were attacking a US company. How much does this matter to us? How much do we retaliate? And so on. And it feels like almost a quaint moment, you know, in history. Now as we look at this, it feels like the current administration is, is saying these are part of the national fabric.

They're part of who we are. An attack on them, to your point, affects how we work. It affects everything about our lives. Given how digitally we are now, it feels like we've moved on from that moment and there's kind of a broader recognition. Is that how you're reading the current administration, the current White House.

[00:14:04] Mary: I would say that with each administration, cybersecurity keeps taking a higher priority. I think they really have come to realize how they're dependent on all these private sector companies to keep this critical infrastructure running. And I don't think there was ever that appreciation before. You know, I've been sitting on a lot of government committees since the mid two thousands, and it seemed like with every, every administration we were reeducating them about what we thought the threats were, what the risks were, what the impacts would be. With the last couple of changes of administration, I think they, they understand the impact that's there.

And with that, I think they're putting more and more resources. To focus in on what are we doing private sector, what are you doing and how can we be involved and how can we partner with you to make sure that there aren't any real risks to the network itself. So definitely I'm seeing greater awareness.

We have to do less education as the administration's, each change, which makes our lives much easier. But at the same time, then, like I said, I went to a meeting a few months ago and every agency was there and they were looking at us saying, what you doing? Whatcha doing? So it, it really puts more pressure on us as well to think about what we, what we can be doing to protect the country as well.

[00:15:34] Dave: How far do you think they'll go? Uh, is it really at this point just them nudging and making sure you have a plan and that you're aware of the threat? Do you think they'll go so far as to, as to, you know, pass new executive orders, forcing you to do certain things? How do you think this plays out? 

[00:15:53] Mary: Well, we continue to push for public private partnerships.

We, we really don't wanna see executive orders and I dunno if they even wanna see those executive orders. Now, one piece, and, and when I look at the telecommunications world, you know, the FCC has proposed doing this authorization, equipment authorization program. And with that kind of a program, it's a, it's an excellent opportunity to address the vulnerabilities in like IoT type devices.

So I think there's been, I remember being in meetings, you know, 10, 15 years ago where they said, okay, the telecom, you know, every, tele every one and oh passes over your telecom network, so you need to make sure those are clean. But in fact, what people are now realizing, we kept saying, no, no, no need to go back to.

That's where it needs to be fixed. And with the new White House strategy, they really do put the responsibility back on the hardware provider and the IoT provider. And with the FCC, you know, I know most attacks we see come from personal home routers. So routers that they don't get from their carrier, that people have just bought at Best Buy, but they dunno how to configure it.

So it's configured in a way where it serves as an open proxy and bad actors use it to kick off attacks. And so I think with the FCC equipment authorization program, that really they have to go through a certification to be able to put that kind of device on the network. And we really think the FCC should leverage its equipment authorization program to enhance that baseline security of devices that go on the network.

We make sure the ones that we issue to our customers are pre-configured in a secure format, don't have default passwords, don't have open proxy settings in them, and we manage those continuously to make sure they're secure. But people still go out and buy their own device. They don't know how to secure it.

And as long as that continues, there's gonna be significant risks. So we actually support the FCC's Equipment Authorization Program. Those are, it's, it's gotta be a certified device before anybody can buy it and put it on a network. Take the responsibility away from the consumer and put it into the device and make sure that the device is secure.

Cause consumers, we, we, we have people who don't run antivirus still today on their PCs, so we can't educate consumers to do this. We have to make sure anything we put in hardware or software is done securely to begin with. And that's a real eye opener. When I, when I do contracts with some of our providers for some of our cable equipment and our, our content delivery systems, historically, they never thought about security.

They're like, oh, you'll put us over into your own little DMZ, it's gonna be protected. And it's like, well, it's IP; if there's a threat in my network, he could eventually hop over to your equipment and do something nefarious. And so with that, I think they're starting to realize, okay, we need to step up to the plate.

And that's what I think the White House strategy is really trying to drive is, Hey guys, if you produce hardware, you produce software, you're accountable for making sure it's secure upfront. And they've never really had that focus before. They've just said, oh, you know what, telecoms, you just clean it. You just provide a clean network.

And so I think they're getting to the root of the issue, which is really the IoT devices, any hardware, software that's being produced, to make sure that's, that's secure in the very beginning.

[00:19:52] Dave: So that could come down as an authorization program whereby if you sell anything, it has to be approved beforehand, potentially for a secure configuration for a safe config.

[00:20:05] Mary: Yeah. Yeah. That's what I see. And I know we would absolutely support that and, and really partner with the FCC to try to make that happen, but I think it's gonna be true in, in any sector where they're producing hardware and software. 

[00:20:21] Dave: Yeah, it was interesting. I got a bit of a window into that space when I was at Norton, and this would've been 2011, 2012, and we looked at it and said the best thing we could do to protect consumers would be to go in and create like a new experience for their home router and basically front end that.

And it was a fascinating window into that space because you realize just how cobbled together, uh, maybe that's an unkind way of saying it, but how cobbled together a lot of these routers and different devices are, and the fact that like the user experience on top of 'em at the time, and this was about a decade ago, so it very well could have changed, but no one was really thinking about the user experience.

They cared a lot about the components, but bringing it together in a way to where someone could safely configure it, eh, that was kind of somebody else's problem. You know, to your point, they'd kind of kick it over to, you know, whoever the cable, the telco provider was. And that seemed to be the default.

But there's a lot of us, yours truly included, who I don't wanna rent it from someone, or I want to go out and buy a higher end version of and so on. In that instance, like I remember going through mine and the config still sucked. Like it's, it's like it's really easy to make mistakes. Having, 

[00:21:44] Jack: it's, yeah, having played with a, a bunch of different brands of stuff in the past several years for a whole bunch of different projects, uh, it's not any better.

There are some things that have gotten better, but the average consumer is, yeah, the average consumer doesn't stand a chance of, of getting all the features and functions they want without being exposed to an easy button, which blows their security out. I mean, you know, there's some protocols out there that are just horrible and, you know, and we, it's easy to point fingers, but, you know, let's look at gaming.

If you want to do online gaming, there are easy buttons and a lot of home routers that basically blow giant holes in your network so that they can monitor you to minimize cheating. But that it requires trusting way more people on the internet than I trust, and it's not getting better. And, but to your point, Dave, there, there are a lot of people that.

Don't wanna rent. Uh, some of us old timers who, uh, you know, still resent having had to rent a telephone cuz you couldn't own one back when I was young. You know, there's, there's still something to that, but if you, uh, yeah, the average person who, who, you know, buys, who buys their home gear because they don't wanna pay rent and gets the cheapest cable modem possible, uh, that's probably, I don't know how many security issues that introduces, but you're gonna get terrible performance out of it.

And then you buy the cheapest home router you can at Best Buy, or off of, you know, on the internet somewhere. Uh, and, and now you're gonna compromise your performance and your security and then Mary has to fix it. 

[00:23:21] Mary: Yeah. Yeah. And it is, we do see a lot of customers adopting by actually renting or leasing, um, the routers.

We're actually seeing an increase in that. Consumers have to understand if they're gonna choose to buy that device, until these controls are in place in the future, they, they need to know a lot about how to manage that router or that cable modem and they get caught up in that. Yeah, I don't wanna lease my phone like I did for years, but I think they realize now they don't have to worry about it.

So like all of our advanced in-home routers, you talked about what you did at Norton, we actually made that come to fruition. We didn't partner with Norton. We did, we tried to work with Norton and McAfee to try to build protection into our routers, but we ended up, along with Comcast buying a company called Cujo.

And we use their malware protection and DDoS protection in our advanced home Wi-Fi routers that we literally give to our customers. Now, we want our customers to run that, and it comes with a security shield. So I can pull up my phone at any time and see, did my block a threat? And it's amazing to see that now because consumers know how to manage it.

They know what ICMP is. They don't know what, uh, a SIM card necessarily is. They, they're not technical. Most customers aren't technical. And so this takes all of it outta their hands. So both Comcast and Charter, I think Cox Communications is doing it as well. When you lease our routers, we've built in that protection, which basically.

Protects all your devices in your home because we're not allowing that traffic into hit your refrigerator or anything else that might be running on your IP address. By having this security shield built right into the router, um, it's really helped a lot. I, I get to see the weekly reports that come out and I'm amazed at how many threats we protect.

And you can see every time a new big piece of malware comes out. Cause we see huge spikes where quickly we figured out this is what's happening, and then we're blocking that malware. Um, and consumers, you know, they just think their internet service is bad. They don't know why the Internet's running slow, why they're not getting the speeds that they need.

They don't realize they might be infected with malware. And oh, by the way, somebody's using their IP address to launch DDoS attacks, therefore, You're not getting very good bandwidth at that point in time. And so they blame the telco, they blame the cable company that provided the service, when in fact it's that device and it's the device that's unsecured and not being managed properly, that is being leveraged for cetera, or to infect more things in their home.

And, um, that's the root cause of the problem. So you really are better getting a device today from your carrier than you're gonna be going to Best Buy and buying it off the shelf.

[00:26:33] Dave: Now from a national security perspective, we've gone deep on the, hey, if you have a misconfigured network device, you probably have a better network than ever before.

You have more robust access than you've ever had, I think. And during covid, I will say that we upped our network bandwidth. That was one of the times where it was like, oh God, not all providers are equal. Like I think a lot of us took for granted how good our access was or how bad it could become during Covid.

Like that was, that was a moment when we all became super reliant upon it. Traffic patterns changed and so on. But anyways, like it, it feels like we're past that. And I gotta say, I have great access at home. I don't notice any difference between when I work from home or at WeWork, which is a triumph, right?

Like that's a, that's a good thing. Mm-hmm. And we've gone through how it might be used by China, it might be used by a nation state adversary to harness that incredible access and attack and a DDoS and. Or, or another type of attack. What are the other things you worry about as a provider of national infrastructure, as part of that fabric That's clearly the primary thing you work, you worry about, or at least it was top of mind.

Do you have other things that, that are of primary concern to you as you think about the, the possibility of China mounting a really aggressive attack and retaliation for, you know, defending Taiwan or something along those lines?

[00:28:01] Mary: I think the biggest thing we're concerned about is them hijacking the traffic.

So the primary protocol used to route traffic is the border gateway protocol, BGP. And BGP, the way carriers connect and send traffic today, was all built on trust. Okay, Comcast, you're sending me traffic to my peering location, I'll pass it on to the customer. And it was just all based on trust. And, um, with that, unfortunately, that inherent risk, that trust is built in and that you know who's sending you traffic and it's legitimate, there's a problem and it makes it very easy for them to hijack that traffic.

So a big push has really been putting in BGP security, so implementing an RPKI system, where all the traffic is signed and validated and you know that it really was Comcast that sent you the traffic or it really was Verizon that sent you the traffic. But we're seeing a slow adoption of, uh, BGP security. So Charter rolled it out a couple of years ago, but there's even some big US carriers that haven't fully implemented it.

So right now we don't really drop any of that traffic 'cause it's, they're not signing it. But we, we know, we think it's coming from one of those carriers. So we're really trying to push our peers to make sure that they're implementing this RPKI so that all their traffic is being digitally signed and authorized and we know it's coming from a valid source.

So then when we get traffic that appears it's not coming from a valid source, we can start dropping it. But we, you know, we all have concluded that with the UK Ukraine crisis, that one of the first things Russia did was redirect their traffic. That's how they gained control of their network and they hijacked it, because they didn't have RPKI implemented.

And so we're really pushing to make sure all of our peers, not only in the US but across the world, are implementing this so that if we get into some type of world nation-state threat, bigger than the UK Ukraine crisis, that we are in a position that we can drop invalid traffic. Because that would be, that would be the scariest thing for me, is God forbid somebody hijacked our traffic, started directing it to their country or dropping it or doing something that shouldn't have, that would cause a major, a major communications outage in the end potentially.

So getting, uh, secure BGP implemented is, is a top priority. I had it put in all our contracts with all the people we peer with and send traffic back and forth with, but again, we're seeing slow adoption by many of the carriers.

[00:31:05] Dave: And just for, uh, for those kind of following along, I just did a quick search on it here.

RPKI is Resource Public Key Infrastructure. It is a security framework by which network owners can validate and secure the critical route updates or BGP announcements between public internet networks. There you have it, and not a ChatGPT answer for once. Just a basic old Google search. So it's, it still works.

Y'all, arguably better than Bard. Not even arguably, usually it still works better than Bard. Anyways, um, we digress. Why do you think folks have been so slow on the uptick here? And I see a, a Cloudflare blog on it going back to 2018. Is it just that they don't, they don't perceive the risk as great as, as you do?

Is it the cost? Is it some combination of both? Why do you think it's taken so long? 

[00:31:58] Mary: I think people understand the risk now, but I will say it's only been within the last couple years that people have understood the risk. It's a, it's a time and resource issue. It always comes down to time and resources.

When we first started looking at implementing it, um, we realized, oh, we had to upgrade a lot of our routers and in many cases we had to replace some of our legacy routers. So it can be a cost if you've got older routers out there, and it wasn't really until about 2018 that the routers could even support it.

So unless you had fairly new routers, it either required some major upgrades or replacing some of those routers, and, and there's some, you know, support and backend processes that have to be implemented. You know, detection capabilities that have to be built. Um, when we started looking at monitoring systems to monitor specifically for BGP, they weren't there.

Aaron has since come out with a service that can do your BGP monitoring, but there's not even necessarily all the technology components. So I think a lot of people were waiting 'cause they knew that it was gonna be a lot of time and effort to either upgrade or replace all those routers and then to get monitoring in place to know, okay, how much of your traffic's unknown, how much of it's invalid, how much of it's valid. It, it wasn't an easy project to get done, and we're still working with some of our business customers where they provide their own IP, getting them on our, our secure BGP program. But I, you know, I think it's time and, time and resources is what's holding people back.

I think people understand the risk, but making it a business priority is another thing.

[00:33:53] Dave: And I mean, if we're to be kind to people, if this became really possible in 2018, that was like a year before the pandemic where everything changed. And even if people had plans maybe to act on it, they might have been understandably blown up by all the mayhem that ensued with COVID and the shutdowns and everything else.

So, yeah, 

[00:34:12] Mary: No, what got our attention is we had some little provider, a little provider in Georgia, Jack, a small company, data hosting company, that misadvertised some of our routes and it caused an outage for some of our customers. And the question was, how can we prevent that? It's like, we've gotta implement BGP security.

We, we can't let anybody be able to advertise our routes. And that got my executives' attention right away when they realized it was customer affecting: what do we need to do to make sure this doesn't happen again? And it was really, uh, an enlightening conversation I had with them about how insecure the internet is by default and how easy it is.

I mean, again, this small little web hosting company in Georgia that, um, misadvertised our routes, that caused this outage. And once they realized that, they were a hundred percent all in, okay, do what you need to do to make this happen. We got all the time and resources and headcount to be able to then implement that.

[00:35:18] Dave: And how big of an investment was it for Charter? And you don't have to give us the exact dollars and numbers, but was it like your biggest project for the year, or was it along those lines? Like how, how big of a, how big of an effort was it? How long did it take and so on?

[00:35:39] Mary: It took us about a year.

It did require that all of our routers had to be upgraded. Our Cisco routers, we were able to enable it sooner. We actually had to wait for Juniper to give us releases that could support BGP security. So, so even our vendors weren't ready for us to start doing it. But within that year, you know, again, when you start asking the vendors, it begins with us.

If we don't ask for it, they're not gonna produce it. So when we started asking, they're like, oh, okay, well we're working on that now. Um, so we actually put them to the end, but got all our Cisco gear up very, very quickly and then waited until we could also upgrade all the Junipers to a version that could support BGP security.

But it took us about a year, and again, we're still working with some of our business customers 'cause we gotta handle that one by one and make it a priority for them to also join the bandwagon and, uh, get this in place. And they're, they're the one, they're the hardest ones to explain it to, 'cause they don't, they don't understand the risk.

As a carrier, we understand the risk and we know the impact to our customers, right? It's gonna cause an outage potentially. But for some of the businesses we work with, they don't really understand that yes, this could cause an outage for you if you don't get this in place.

[00:36:57] Dave: And it sounds like there's been real incidents outside of the, the small, you know, Georgia incident that y'all had.

It sounds like there's been real instances of Russia taking advantage of this during the Ukrainian crisis. Is that, is that fair to say? Has that made the risk more apparent to organizations? 

[00:37:17] Mary: I was surprised when I started studying it. So when I was trying to, you know, pitch to the executive team why we needed to get this implemented and make it a top priority number one project, and I started doing some research and there's actually thousands of mis routings that happen every year.

Just somebody who mistypes an IP address or a subnet space can, if somebody doesn't have, uh, RPKI implemented, can, can cause a, a misadvertisement of routing tables, and thousands of those occur every year, and I was surprised to see how many. Now, how many of those were true hijacks, like Russia taking over Ukraine traffic?

I dunno if people can always quantify that. Obviously you have an outage, the first thing you do is you look at your routing table, see if anything's wrong there. Um, you look at the traffic flow and that's when you can actually quickly then determine, oh shoot, somebody else is advertising my routes, my traffic's not going where I should be going.

But it does take several hours to get that back in place and get those new, new routes advertised. So it can cause outages for four or five hours. Once just diagnosing the problem and then re-advertising the traffic correctly, it can be impactful for four or five hours. And you know, people probably assume, oh, there probably was another fiber cut.

Most outages in telecom these days are fiber cuts, whether they're malicious or, or valid fiber cuts by a construction company. But, um, a lot of it's actually just mis advertisements of routes. But how much of that's hijacking? I don't know if anybody's been able to quantify that. 

[00:39:01] Jack: It's, it's funny you talk about fiber cuts.

Our neighborhood is getting fiber and so the fiber company, and actually their contractors, are cutting everybody's sewer lines because, uh, I mean, you're at Charter, you can call Dig Safe or 811 or whatever it is in your area and they'll mark the stuff they know about. But just like the problems in our own networks, it's not the stuff that you know about that gets you in trouble.

And I live in an old neighborhood and a lot of the sewer stuff has been moved here and there. Um, so yeah, it's, it's the other way around here. There's fresh, uh, there, there's fresh, uh, fiber. But I know the, the folks at the fiber company are actually kind of terrified cuz they've realized how much of, uh, this part of town is not mapped well.

So they're thinking about what happens five years from now, when somebody calls Dig Safe and they flag it and the tree fell over. And so now the, you know, we're in that kind of neighborhood. Uh, my property lines are based on a tree that hasn't been in the park down the street for over a century, so it makes it a little hard to, uh, to do it.

But yeah, that's probably why they have the heavy shielding that they've got on their stuff.

[00:40:12] Dave: How far do you think the US is with respect to our infrastructure, if you, we kinda look at it as a totality, kind of the, the collection of carriers, the backbone of our communications and so forth. How far are we along with the transition?

Are we, are we at the 50% mark in aggregate? 60, 70? Where would you, where would you put us? 

[00:40:35] Mary: Yeah. I saw, uh, some numbers about six months ago that showed us to be in like the 60% range. Like I said, we've got a couple of major carriers that still are taking a long time, and then it's really the really small providers that really haven't even addressed it. And that's what's gonna bite us, is all that, those small providers and the traffic that they, they handle. Less customer impacting obviously, but it could affect the small pockets of where we've got small providers. And I do think there's, again, like the meeting I mentioned earlier, I went to where all the agencies were being represented, all the carriers were there too.

So I think they got the wake up call that, Hey, listen, now we have all the agencies talking to us about getting this implemented. Hopefully that's gonna drive them to get things done faster. 

[00:41:28] Dave: Yeah. I mean, I would imagine if you get all the big ones, the AT&Ts, the Verizons, I don't know all the names, nor would I, I know enough to name and shame or anything on that.

But I imagine if you get the really big ones, you probably get what, the, the 90%, the 90, 95%. And then if things happen, it's, it's unfortunate, but at least it doesn't, like, it doesn't take down the US or create this widely felt, widespread panic.

[00:41:56] Mary: Yeah. And there'll, there'll be a time where we'll just start dropping that traffic, so it's only hurting their consumers if we don't take their traffic.

[00:42:05] Dave: Yeah. Well, and let's, let's shift gears for a moment here. A, as you look at, at your job at Charter and whoever else comes after you, um, what percentage of your job is actually protecting the infrastructure versus protecting the consumers? Like how do you, they're part of the ecosystem. Maybe that's even the wrong way to ask the question, but to a certain degree, you know, I would imagine your primary responsibility is protecting the company and its infrastructure, but the consumers have to be protected along with it, right?

You've already mentioned the dynamic with making sure that they have secure routers, but how much do you think about and, and reason, are you involved in the decisions that get all the way down to the actual consumer and what they're doing?

[00:42:54] Mary: So, one of our key objectives that our company is all about is customer centricity.

So we're very focused on the experience our customers have. And so security goes hand in hand with that. Actually, if you look at my vision and mission statement, I talk about making sure our consumers have the best and safest experience using our products and services. And I'm responsible for network security.

So at Charter we have a CISO who runs our IT security organization and our corporate systems, but then I run our network security organization, which includes all of our products and services. So when we talk about building a resilient network and having a, a resilient backbone network and a core network, that's all tied to making sure that our customers in the end have a positive experience.

You know, if there is a fiber cut, we've got dual routing or triple routing, so they don't even know that there's been a fiber cut, you know, so making sure that our services are resilient, but also making sure that they have a safe internet experience. So it is very much tied in together. Um, in my organization I have a team just dedicated to customer security.

So they look at, you know, customers who are violating our policies. 'Cause you know, if I'm, if I've got malware or maybe I'm initiating DDoS attacks, that can saturate a hub when I generate that traffic. And so we monitor those kinda things and help educate our customers. You know, hey listen, you've got botnets.

You really need to clean that up, 'cause you might think it's poor internet service, but really it's your computer that's causing all your problems. So we tie the two together. Um, we don't really separate it, so I've got a team dedicated to customer security, and then I have a couple of teams that are dedicated to our, the security of our products, our services, and our core backbone network.

[00:45:03] Dave: I would imagine the malware botnet side of it is pretty, is pretty straightforward, right? Like those are things like, they're not good for your networks. They're certainly not good for consumers. Like everyone's in, in complete agreement. And they're fairly deterministic too. I mean, not that it's easy to detect malware, but it's, it's very possible.

And we've been doing it for a few decades now as an industry. It feels like the harder part is what's coming with respect to just fraud. What we've already seen with phishing and fraud and scams. And you know, we did an episode with Michal Zalewski a while ago who, you know, he's brilliant and he was going through his big concern with respect to the use of generative AI and all the things that are possible now with respect to fraud and how we really, you know, it's the tip of the iceberg.

You know, it, it came through to me. I was watching a, um, I was actually, I was tricked for a moment by a fake press conference that someone did, and I know there was, there's been some other really compelling things that have come out lately where you just see the potential for generative AI, its use at scale with respect to fraud and scams and so on.

How are y'all thinking about that? Do you see that as, as an extension of your responsibilities or it's pretty far outside the network, I would imagine. Like you could, you equally look at it and say, you know what? That's just a step too far for us. It's not really related to the network. We're starting to get into meddling with people's affairs a bit here.

How do you guys reason about it? 

[00:46:42] Mary: Yeah, we are having lots of debates about it. It's the best way to describe it. So our threat intelligence team has done a fantastic job of demonstrating to us how generative AI can be used in a fraud way. We've done things like replicate our CIO and CEO speeches with ChatGPT, you know, they've been really educating our leadership team about the risk associated with AI.

We have actually just formed a working committee to put together what our policies are gonna be around it. Something just as fundamental as do we even allow our employees to access these tools, right? Because they could potentially leak customer data if they put something out there into ChatGPT or OpenAI.

So we're working on working groups around putting some policies and standards together. I think we all know it will be used for fraud. So how can we mark that traffic when it's coming from an AI system versus it coming from a native system? Is there a way we can mark the traffic to see, okay, this may be fraudulent traffic? But I don't think as an industry we've thought about what we would do. Is it our responsibility to monitor that and take action on that? You know, there's always the privacy concern, and one of the things is I may look at traffic protocols at a, at a higher level, but I'm not looking at Dave Cole's traffic. I'm not looking at what you're, what websites you're going to.

I'm not looking at emails that you're sending, I'm not doing deep inspection on your traffic. 'Cause that's, that's a privacy issue. And, um, I don't think that'll change. We, we acknowledge our customers' privacy, so I don't know where it's gonna fall, who's gonna be responsible. I know that, you know, the companies like Microsoft and stuff are working on ways to mark traffic to say this is being generated by an AI form, but then how do you know it's a valid versus invalid form?

So I think there's still so much more to be understood.

[00:49:04] Dave: Yeah. I mean, it wasn't that complicated in the early days. When I say the early days, I wanna say like eight to 10 weeks ago when it was just ChatGPT, and you know, you'd look at it and you'd say, we were talking through a policy at the time, we're like, okay, no code and no customer data.

That's pretty straightforward. And for us, we're small, so everyone kind of gets that. We talked through it, signed off, good to go. And then stuff like GitHub Copilot comes out where you're like, geez, I think we'd be nuts if we didn't use that for the potential productivity gains. And if Microsoft has a whoopsie,

I'd feel pretty okay about the com, the community I would be in, if they had a whoopsie and I was impacted. I think people would understand that. And I, I think there's gonna be a whole bunch of shades of gray in between ChatGPT open model, your stuff will be used to train it, and Microsoft and, you know, and then all the private models and attacks that go with it, and just how fast it's progressing.

You know, my sense is Charter maybe, maybe post-retirement in September when you're advising afterwards, is gonna have some really interesting decisions it makes with respect to where is the boundary with respect to my privacy as a consumer and your responsibility to defend me from really deceptive attacks.

[00:50:40] Mary: Yeah, it's gonna be interesting to watch this evolution. This so much reminds me of, you know, 10, 12 years ago when we started moving to the cloud and companies like Charter moved quickly to the cloud, putting applications out there, but there were no standards or governance around any of it. People weren't even thinking about, okay, how do we keep control of this?

Now it's very common to have a cloud governance practice in place. You've got standards that decide whether this goes in the cloud or stays in your data centers. I think most companies have embraced that, but that was, it took us 10 to 12 years to get to that point where cloud governance was a practice.

I think there's gonna be the same thing with AI governance. People are gonna move fast with it. We've, we've had vendors who have sent us letters saying, Hey, we're now using this with our products. So some companies are making a big deal outta, Hey, we're using this as making our product better. And there are some great advancements that are gonna be brought to us with this capability.

I mean, it's, it's, uh, boundless, unbound is the right word. And I'm really curious to see where it's gonna be 10 years from now. 'Cause it kinda reminds me, okay, we moved to the cloud, nobody really understood what the cloud was and what data could be out there, and how easily it could be accessible. Now, now we're dealing with AI, you know, in 10 years down the road it'll be quantum computing that we'll be dealing with.

So we knew this was coming, we just weren't prepared. And some time governance practice place. 

[00:52:26] Dave: Yeah, I think cloud is another example where the technology arrived and we realized pretty quickly that we under, we can understand the technology, even though AI, like it's hard to understand, like go and read, you know, the paper "Attention Is All You Need" and like your eyes roll back in your head.

It's like I kind of get transformer architecture, sort of, maybe. But having said that, you can understand the tech, but grokking the implications of something so transformative and so big, whether it was cloud, whether it was mobile. I think we're still to the point where we're trying to understand the real implications of social media.

You know, we understood during, during the election cycle and we're starting to grok what it means for young people too. And now it's rewired our brains. But it's like this is another one of those moments where it's so big. We can get the tech, but we can't possibly understand the implications. So let me ask you this, with respect to Charter and your role as a CISO, where have you stepped in so far and said, here's our policy, here's our approach?

Like, have you done that yet? What's kind of your, what's your take towards AI as a security leader and where you're stepping in with policy and where you're just kind of letting it breathe for a bit? 

[00:53:46] Mary: Yeah, that's where we're putting together this working group that's, that's really gonna work on setting the policy and standard.

You know, it was suggested that we start blocking access to all of those tools. Well, we haven't done that yet. So I think we really are trying to figure out how do we govern, how do we educate people? So we still have a ways to go at Charter on how we're gonna deal with this.

[00:54:08] Dave: So thus far, it sounds like you've, you've let it run its course a little bit, keeping an eye on it, but you haven't come in with thou shalt or thou shalt not as of yet?

[00:54:17] Mary:

Not, not yet. 

[00:54:19] Dave: Not yet. Mm-hmm. Is there any place that you're kind of watching or, or an organization that maybe you're looking at and kind of taking cues from? Or how are you, how are you sort of educating yourself on this and, and reasoning your way through it? 

[00:54:35] Mary: So we're actually kinda collectively looking at this with our industry.

So through our National Cable & Telecommunications Association, we're starting to socialize, you know, how should we approach this? Gonna be a big topic for us at an upcoming, finally, face-to-face meeting after COVID. Haven't seen each other in three years face to face. But that's the topics we're gonna be touching on.

Um, we don't think it's a Charter problem. Uh, we wanna look at it more from an industry, you know, how does the industry wanna approach this?

[00:55:08] Dave: Got it. And is there a, um, I guess going back to something like cloud or, you know, choose your favorite transformative technology, what, what were the lessons you pulled from that in terms of where you feel like, you know what, we, we stepped in, we did the right thing?

And where were you? Just, you know, you feel like, you know, going back, we were just too slow in this area, or maybe we were too hasty. Like, what do you, you know, with your, your retirement is a mere, gosh, let's see, we, we sit here on the precipice of June. You've got June, July, August, September, and then it's somebody else's problem.

Like, if you were advising them on this, what do the lessons of the past tell you? Like, how would, how would you advise your successor on this one?

[00:55:55] Mary: Um, address governance. And establish the standards upfront and make sure you educate people on those standards. We did not do that very well with the cloud.

And it wasn't until just a few years ago where we finally said, okay, stop. Everybody needs to stop. We're gonna have one organization in charge of this, and this is how it's gonna work, and these are the standards. So I think that's why, again, we're trying to get this working group in place. It's gonna establish the policies and standards for the company as a whole, but getting that governance in place in the very beginning, not waiting until it becomes a problem and you're losing data potentially, or creating things that maybe you shouldn't have, but addressing it upfront with the governance and standards.

[00:56:43] Dave:

All right. Well, let's delve into the, um, a bit of the career retro here. Going back, you became a security leader at Westar Energy back in the early two thousands. Is that right?

[00:56:59] Mary: So I took a CSO position at Westar in 2012. Of course, I'd been doing security since the mid nineties. Um, when I was at AT&T I was in a leadership development program.

I was, I was actually running call centers. I was originally hired as a customer service rep right after divestiture and quickly moved into management, um, at AT&T, and through their leadership development program, they do all these, uh, companies don't really do this anymore, but they did all these psychology testing and you have to go through all these exercises and they're like, okay, it's the mid nineties.

We need more women in tech. This girl likes policies and rules. She likes law. And she has a high technical aptitude. And lemme tell you, my technical aptitude was because I had, um, was working on a project. We were bringing in what was called an intelligent workstation for our customer service reps. And we'd hired some consultants to come in and build this thing on these Sun SPARC machines.

But we forgot to hire them to maintain it. And so once they left, I had to figure out, when the thing went down, how to get it back up and running. So I was basically hacking Unix 'cause I knew nothing about Unix, but I also kind of enjoyed it. So when I went through this testing, obviously I came out with this high technical aptitude and they said, well, here's a position in security cuz you like rules and...

And I had no idea what I was getting into. Um, I had, I knew one person over in that organization that worked on that floor, not in the organization. They were part of network operations at AT&T, but they weren't part of the security team. And I thought, well, she got over there, she's doing fine. I'll, I'll be fine too.

So I said yes, and that was the best decision I ever, ever made. Um, it's actually the one thing I tell people, especially women in security, is, you know, most women, um, unless they know they have all the qualifications, they won't apply for the job or they won't accept the job. And my job was to figure out how to start auditing the security of our Unix systems.

I hadn't even been trained on Unix, but I still said yes, and pretty much every position after that, I knew I wasn't maybe the best qualified person for it, but I accepted the challenge and said yes. Um, and that's what led, led to my career growth, is just saying yes and learning something new. So I, you know, started off, I went from being in a management role back to being an individual contributor and then again, slowly worked my way up.

I always say the guys that I went to work with at AT&T Security really embraced me and taught me what they knew. Next thing I knew, a couple years later, I was their manager and then I was leading strategy for security at AT&T. So I just progressively moved up with each role. But I always say it's cuz I said yes, I was willing to take on the assignment and I brought a whole different skillset.

Maybe I wasn't the most technical person in the room, but that first security assessment handbook that we had to write, I wrote it, you know, I brought in the writing skills and the presentation skills and all those soft skills, um, while I was learning the tech. Um, and that really, really helped. So, again, years at AT&T, then went to Sprint, which merged with Nextel, and then came Embarq.

And, and every other name that you can think of, I think we're, there's now, now that division's called Lumen. And then I decided to leave the comms business. A friend of mine had taken a CIO job at Westar Energy, which is the utility company, the electric company for the state of Kansas. And she said, I need a CSO, or I need a CSO.

So I made the hop over there. And as a CSO, not only did I have cybersecurity, I had physical security. And that was also, uh, when the Sandy Hook shooting occurred. So physical security and active shooter became a real, um, concern. And so I was spending a lot of time figuring out how are we gonna train our employees?

'Cause we were on the, in the capital of Kansas, right across the street from the capitol was where our headquarters was. How are we gonna train people on active shooter type situations? And while that's very, very important, it's not my expertise. And so I said, you know, it's time to go back into, I, I just wanna do cyber, I don't wanna do physical security, I just wanna do cyber.

Cyber isn't necessarily life and death, like physical security can be. So, um, then I came to Charter shortly after that when I decided, yeah, I don't wanna do the physical security side, so I wanna, I wanna get back to communications. That's what I know and what I love. And that's how I ended up at Charter.

[01:02:19] Dave: If you wind the tape back to your early days as a woman in cybersecurity to today, how much progress have we made? Where do you see, where do you see progress and where do you see us just stuck and failing to progress as an industry? 

[01:02:37] Mary: So two things. One, first, when I joined, I remember going to my first all hands meeting in Holmdel, New Jersey, like three weeks after I started the job.

And when I took the job, they hired another guy. He and I were gonna work together in Kansas City, which is where my office was, on building this unit security auditing program. And so at that time, I just knew my boss, who also was a guy, and then I knew Bill and me, but I go to my first all hands meeting, which was in the offices in New Jersey.

And if you've ever been to the AT&T building in Holmdel, it's a huge, huge facility, and I remember getting directions on how to get to the conference room, and I opened up the door to the conference room and I looked in and there was this table with all these men in suits, and I thought it was business casual.

So Bill and I were dressed really casual, so I thought I'd walked into the wrong room and went back to the guard, talked to the guard for a little bit, and she's like, no, no, no, go back up there, maybe you opened the wrong door. We went back, we went to the exact same door. I opened it back up and all of a sudden I hear my boss say, cause I recognized his Atlanta, Georgia accent, Mary, is that you?

And it's like, oh, okay. Guess this is the room. So that was my first awareness in an all organization. It didn't even cross my mind when I took the job. When you work in customer care, customer operations, it's predominantly female. So it never crossed my mind that I was going into an environment that was not mostly male, but all male.

So that was kind of an eyeopener, but I quickly figured out that I probably communicate more like a male. So I'm very direct, very authentic in everything I say. I'm, I'm pretty much a straight shooter, and that's what I really enjoyed working with the guys that I was working with. And like I said, they embraced me, taught me what they knew.

They knew I could do things they didn't wanna do, cause they didn't wanna write procedures, they didn't wanna write process flows. I, I could do all that for them. And in turn they were teaching me how to do security assessments and physical assessments, et cetera. So, again, that was mid nineties.

Hardly any women. I think by the time I left AT&T about five years later, there was a handful of us, mostly in the group that did SecurID. So in the ID management team, there were really only about three or four of us that were doing technical consulting, true technical consulting. So still very, very limited.

I can't say I saw much progress until really probably the last five years, until there's been a real focus in establishing women in security groups and getting out in front of audiences and saying, Hey, this is a career option. So there's been studies done that show that, um, if you go back and look at the studies done by the Mont Institute as well as (ISC)², that 22% of women don't even know that cybersecurity is a career option. So if you don't even know it's a career option, or if you don't know somebody in that field, you won't even think about it as an option. What I am seeing in the last five years or so is a younger population coming in, they're very well educated and they're rising very quickly in cybersecurity.

So again, the studies say that in 2017, about 14% were women in cybersecurity. But in, uh, the 2020 study, we say that 25% of the folks in cybersecurity are women. Now they measured it differently. So in 2020, it's, if any part of your role is cybersecurity, then we count you as being in cybersecurity.

So people who are in an IT role and part of their job is security are now being counted in as being part of that cybersecurity population. But I correlate it to Title IX. So Title IX was passed in 1972, and 50 years later, for the first time the NCAA Women's Final Four was sold out. That took 51 years since Title IX was approved.

And if you even think of women's sports, it's really been in the last five to 10 years where you've seen an explosion of professional women's sports. And I think cybersecurity is following a very similar trajectory, that it was very, very slow. And now we're starting to see an explosion, and it's people like me that have been in it for a long time that have to get out and talk about, hey, this has been a great career.

My, I've taken a lot of different paths during my career and I based it on what were the needs of my family. So when I left AT&T and I went to a small little CLEC called Birch Telecom, I thought it would gimme more time at home. Cause my kids were in middle school, which is always a dangerous time with teenagers, right?

I wouldn't be traveling as much cause it was a little local CLEC, and that was a good move. I ended up going to Sprint right after that in an application security role, which was a Monday through Friday, eight to five job. I was home every night with the kids, on the weekends. Um, but when they got older, then I got into incident response and things that took me, you know, you weren't working a traditional Monday through Friday job.

So there were lots of different paths I was able to take as my family grew and my responsibilities changed over the time, and I don't think a lot of women know about those different paths that are out there. They think they're sitting there behind a keyboard in a hoodie working all night looking for security flaws.

And, and there's really so many different career options in cybersecurity. And you can parallel those with what's going on in your personal life and make career moves to support your personal life. And so it's up to people like myself to get out there and help educate women specifically about the different opportunities they have and how you can have really good control of your career path because of these different opportunities that are out there.

So it's getting better in the end. I think it's getting better. And I think, again, we have to continue to make it a priority. Having special events at conferences for women to gather and network is really key in not only getting them into the cybersecurity field, but keeping them in the cybersecurity field.

[01:10:06] Dave: What advice would you give to women who are either considering a career in cybersecurity or have started a career in cybersecurity? What would you pass along to them? 

[01:10:17] Mary: Like I said earlier, say yes. Don't feel like you have to know everything. I did become an expert in Unix System V Release 4, pretty old, but I became a true subject matter expert in, in that Unix system.

But when I, the job. Just say yes. If it interests you, say yes and then get in there and you'll learn about it. And if you're that willing to go for it and say yes to that role, then you probably have the aptitude to master that role. And so say yes. Just say yes to the opportunity.

[01:10:58] Dave: All right, before we wrap up, what's one industry event you're glad you'll never have to go to again after September?

[01:11:06] Mary: The RSA conference.

[01:11:10] Dave: Is there one you'll actually miss?

[01:11:13] Mary: I will miss. We have actually a fabulous conference here in Denver, Colorado called Rocky Mountain Information Security Conference. Um, it's put on by the local ISSA and ISACA chapters. It's a fabulous conference and I just love going and seeing all my peers as well as all the people I've worked with over the years.

It's like a mini RSA. We take over the Denver Convention Center. But I will miss that one because it's very personal and it's mostly people from the Denver or Colorado area that you've come across at one point or another. But they bring in fabulous speakers. It's like a, a mini RSA without having to walk from building to building to building to try to catch a keynote or catch a little talk that you might wanna go to.

So yeah. Awesome. RMISC, that's the one I'll miss.

[01:12:05] Dave: And if somebody wants to reach out to you after this, LinkedIn, LinkedIn's the best way. Yep. Awesome. All right, Jack. Any final questions, thoughts from your side before we wrap up?

[01:12:19] Jack: No, not really. I will say, uh, I will say this, Mary, you know, uh, even when you retire, uh, you can still go to the things you love.

I mean, I'll, I'll be at BSides Vegas this year, but of course, the one thing I noticed, uh, after retiring was that I didn't have an employer to pay for travel and tickets and things. Like, oh wait, I have to pay. Wait a minute. Maybe working wasn't that terrible.

[01:12:42] Dave: So, well,

[01:12:44] Mary: I've just joined a board with, uh, a private security training company.

So even when I retire, I'm still gonna be probably engaged. And again, my passion is all about getting not only women, but also underrepresented populations into cybersecurity. So this is also the mission of that company. So our passions align. And again, it was such a great career for me. I, I had no idea.

I thought I was gonna be a phys ed teacher. That's what I thought I was gonna be. And here I'm this cybersecurity geek. Um, and absolutely love it. So I really wanna open that door for others.

[01:13:26] Jack: The people in the industry and the people who have the, the curiosity of, you know, the hacker mindset and the, the security curiosity are, uh, why I continue to do everything I do with BSides and a few other projects, the history project and things, because it's about the people.

And that's one of the things that we're, we're proud of with BSides, is trying to be welcoming to anybody who's even vaguely curious. Come on, see if it's for you. So yeah. That's awesome. Glad you get to, uh, stay connected that way.

[01:13:57] Dave: Absolutely. Outstanding. Alright, and with that, somehow it's been well over an hour.

Mary, thanks so much for your time. We appreciate it. This has been great. Thank you.

[01:14:07] Mary: Thank you, Jack. Thank you, Dave.

[01:14:10] Jack: Thank you. Thanks for joining us for this episode of Security Voices. If you have comments, questions, or feedback, please reach out to us at or reach out to Security Voices on Twitter, or you can always contact either Dave or me directly.

If you'd like to hear other episodes of Security Voices, see transcripts of the shows or learn more about our guests, check out our We'll be back in a few weeks with another great conversation.

[01:14:47] Mary: In the end, I think it is getting better.