From Battlefield to Boardroom: Lessons in Cyber Leadership with Patti Titus

Mick Leach: Hello and welcome to SOC Unlocked, Tales From the Cybersecurity Frontline. I'm Mick Leach, your host and guide on an exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest in industry news, emerging threats, practical strategies to keep your organization safe, and more. And this week we are excited to have a dear friend of mine, Patti Titus. Patti, welcome to the show. We are so glad that you could be here with us.

Patti Titus: Thank you so much for offering to have me on the show. I'm looking forward to it. I think you got some great questions, and hopefully I have great answers.

Mick Leach: Well, I'm sure you do. I'm looking forward to the conversation. first, as we always start out, just as a guide for if anybody's new to the show, we like to start out, learning a little bit about our guest, then kind of talk about, you know, past, present and future of cybersecurity, where we've been, things we've seen, what things are like today, and then what the future holds. Lastly, I love to end it out with some practical career guidance from our guests. They certainly have done lots of things and attained lots of knowledge. So we want to give them an opportunity to share that with our listeners. So that'll be the plan for today. And with that, Patti, I want to turn it back to you and just ask, you know, tell us a little bit about yourself, you know, how you got into into cybersecurity, what your current role is, etc.

Patti Titus: Yeah, so I'm going to take us way back in time to when I was a small child. I know that sounds funny, but I am the youngest of five kids and I like to call myself a survivor. But I also like to say that I've been doing risk management since a very young age. Little did I know it would prep me for this fabulous career I've been on as the CISO. So it actually became a CISO, the first federal, US federal CISO.

In 2002, when I joined TSA and I was actually, that was the brand new federal organization and I was actually penciled in as the wireless program manager to tell you how crazy it was in the early days of TSA standout. And I kept complaining nobody was doing security. And eventually I think I just wore down the CIO and he said, that's it, you're gonna be the wireless program manager and this

C-I-S-S-O, and I said, I don't know why you're stuttering. It's C-I-S-O. And so anyway, we went back and forth. But I would say that I was probably one of those cases of being at the right place at the right time and really asking to be able to do the job. And I think we don't ask enough for what we want in this field.

And so it was a good lesson learned early on in my career. I stayed at TSA for six glorious years. Thoroughly enjoyed the mission. We were all very mission-driven after the events of 9-11. And then I went out into the private sector thinking, oh, I did such a great job in the government. I'm going to take all that I did in the government and just port it over to the private sector. Yeah, a very lofty goal.

That took a very long time for us to get to the point where the National Institute of Standards and Technology frameworks poured it over to the private sector, and what we now is the de facto standard called the risk management framework. So a lot of things happened in between there, lots of different jobs, lots of different industries and vertical markets. So I've been a CISO for about, I guess that makes it about 23 years. So.

Mick Leach: Wow. That's fantastic. Well, Patti, I love it. What a rich history and great story from the beginning, if you will, from cybersecurity. I, too, was kind of cutting my teeth around the same time, but in a different kind of frame of reference. So no, definitely very interesting. So can you kind of tell us a little bit more? I want to just kind of double-click into this a little bit more around.

You know, what inspired you to pursue a career in cybersecurity, and how did you find your way into this world? So we heard a little bit about how you became a CISO and sort of wearing them down. I love that. I think also about being in the right place at the right time. I think there's absolutely an aspect to that for all of us. That's how you end up in some of the coolest places that you get.

Kind of go back a little bit further, and I'm going to tease out that risk management side of things as a kid.

Patti Titus: Well, being the youngest of five kids, the only way I was ever gonna get out of the frozen tundra of Minnesota was to join the military. So after a couple of years of college and thinking I was so much smarter than school was ever gonna teach me, I actually joined the Air Force. I'm a bit of an overachiever, being the youngest of five. was taught everything. My brothers are like, you're going in the military. We're gonna teach you how to shoot a gun with complete accuracy. So I was a marksman in the military, which is great. But the other side of that is when they take you out of basic training, they run you through some little tests to see if you have any unique skills. And so the unique skill that they tested me for was for Morse code. And so you got three code types, three letters, and they wanted to see how fast you could do it. Well, it was simple. No problem.

Then the next thing I knew, I was all of a sudden being processed for a security clearance and on a flight on my way to Japan, where I then was a Morse code operator. So I did that. It was actually during the Cold War. So we were at the tail end of the Cold War as it was winding down. And so that was really kind of that signals intelligence portion of my career.

I went on to work for the State Department, the Department of Defense, and then my last overseas gig, I actually worked for the Swiss government, standing up and running a diplomatic mission in Africa, in Zambia. So just a really diverse background. I was always involved in either like physical security or, you know, communication security. It all kind of came together.

And so that was kind of the setup to it. came back to the, that was all living overseas. So I spent those 13 years living overseas, and I didn't really know what I wanted to do when I grew up. And so I came back and I did some loan processing and then some underwriting and assistance and some, you know, all kinds of other interesting things. I was parish secretary for a while, and I just got into this tech thing.

Patti Titus: And I took every free class that was offered by Bay Networks or Cisco or whoever was offering free classes. I went to them because I was fascinated by this thing called tech. And it was at a time when we were doing X25 to frame relay to ATM translations on the wireless or on the networking side. So I got into the networking engineering side and was actually encouraged by one of my dear friends, John Stewart, that I could actually be an engineer if I wanted to be. I didn't have to go to school. OJT was the best way; on-the-job training was the best way to learn it. So he was very encouraging. He was the CSO at Cisco for many years.

And he's always just been a huge supporter and a mentor for me. He's always taken me under his wing. And so I did, I actually figured out how to dual partition a Windows laptop with Linux on one side and Windows on the other. And it took me a long time because back in those days, we had to load it with the CD-ROMs, and the CD-ROM would time out and you'd have to start all over again.

So it took me a while, but that was kind of my foray and entry into it. So a kind of an assorted past, right? Not a straight line, which I think if you talk to most CISOs who are my age, you will find it wasn't a straight line. And really that path isn't there anymore. The path is very different today if you're coming into cyber versus the way it was back then.

Mick Leach: I love that. Yeah, and I guess that's really what I wanted to tease out a couple of things there. First, what a varied history that you have. So cool. First of all, thank you for your service. I appreciate that. In the Army, we did not get those kinds of side checks, or at least maybe I was in the dumb group and didn't get that choice. But yeah, we didn't get that option. They did not fly me anywhere by myself.

Patti Titus: You weren't making the Air Force; people do it.

Mick Leach: I went with lots and lots of friends, to different places, but no. So thank you for your service. I love that. But you have such a rich background living all over the world. Zambia, mean, that's so cool. Japan, I've not been to either of those places. So that's really interesting to me. But the other aspect that I really wanted to double click into a little bit was just the idea that there's no straight lines into cybersecurity and no path looks the same, because I think there are probably a lot of listeners who feel like, I can't get in, or not me, or not with my past, or I didn't get in the right way. And so I think it's very encouraging for folks to hear from our guests, the journey that they took to get into cybersecurity, because it's always different, and yet worked out.

Patti Titus: Yeah, mostly. Mostly. I do think, you know, it isn't a straight line. I think a lot of people are, you know, I don't have a college degree, or women who maybe took time off to stay home with kids, or dads. I want to come back into the workforce. That's probably not the right place for me to start.

Mick Leach: Yeah. I love that.

Patti Titus: There's a lot of healthy discussion on different forums. Is security job? Is it a first job? And there was a super healthy discussion and people said, no, it's not, it's a second job. Like maybe you start on the service desk or you start somewhere in IT. I completely disagree with that. As an example, and I hope she doesn't mind me using your name because I've used it many times.

I had, I, there was an executive assistant who supported the CIO and myself when I was at one company. And I got to chatting with her. She was a fascinating woman, very young and she had a human behavior degree in counseling. And I said, I said, have you thought about a job in cyber? And she's like, no, I mean, that tech stuff, no, I mean, I'd be terrible at it. And, I said, I think you should think about it because the human behavior science background is really instrumental in how we think about threat actors and how they attack our networks. And she thought about it for about a month and then came to me and said, you know, I've been researching this and I've been looking into it and I might want to give it a try. And it just happened that I had a junior-level position open, which she applied for and we hired her.

And today now, multiple years later, she is one of the greatest APSEC people I think I've ever seen. And so I don't think there is a straight line. There is an educational requirement. There's a lot of discussion about certifications. Are they helpful or not? I think it really is such an interesting field where it offers so much opportunity to anybody.

Mick Leach: I love it. Awesome. Well, Patti, thank you so much for that. I appreciate it. I think with your rich history and without putting your security clearance at risk, we don't want the feds stomping into your office and taking you away in handcuffs. You know, we do love stories though here, right? That's kind of the heart of what we talk about. So can you describe for us one that you're allowed to and feel free to change the names of the innocent or the guilty parties as necessary. But tell us about a challenging cybersecurity threat or attack that you've encountered and how you and your department handled it.

Patti Titus: Sure. Well, I have a great one. I was two weeks into a job, and I was courted heavily by the CEO of the company, who said, I really want you to come to work for the company. And he really didn't have to wear me down because I was very excited about the opportunity. I'm two weeks into the job and there was a major release of data that had been taken six years prior from the company. Six years prior. And here's Anonymous, my favorite group of people, that loosely federated group of crazy people, releasing that information to the internet.

Now mind you, when you're two weeks into a job, you're probably still figuring out where the parking spot is, the bathroom, the office, people's names, what they do. And I'm tossed into the middle of this event. It really wasn't a security incident, but it was because it was our data. But I had to craft the message to go to the board of directors to say, hey, this thing happened.

And our playbooks were designed for internal incidents of virus outbreaks and, you know, the typical play. This was just didn't fit the playbook at all. And so we kind of just had to figure it out as we went. And what I've learned over the years is figuring out as you go is almost every incident because none of them actually follow a template. You might get lucky.

But I think the crazy thing was at the time, we ended up with like 150 people on an incident call. And I'm like, this is not, you know, because people were worried about their customers and they were worried about the data and what's the messaging, and, and, and the CEO kept sending me messages saying, hi, welcome to the company. And I'm like, not funny. But there were so many moving parts.

I think first of all, the stress of it was unbelievable. Just dealing with not even knowing my own people's names really well, pulling the right people together and getting the incident response process in play really changed how I onboard in a company to be completely honest with you. After that, it was fairly early in my career. So I was fortunate that it gave me like, a different perspective that maybe set me up for success later in my career. I just, you think through all the things that can happen when you arrive at a company that is not even on the first two weeks. You're trying to get your laptop set up. You're trying to get training done, get your bank deposit set up so you can get paid and 401k stuff. And the last thing you're thinking about is it's gonna go sideways in the first few weeks. I mean, even the first 30 days.

So great lesson learned, but I will tell you that the lessons that I took away from that were fantastic and that have been applicable throughout my career, that one incident. it also, as Mick, as you probably know, I was a privacy officer a few times in my career as well. But it also made me think about the value of data. so companies that have breaches and it's like two or three years later and they think, I can breathe a sigh of relief that this isn't going to impact us even though we knew it was taken. Data has an intrinsic value if for nothing else to damage the brand of the company itself, which was really the objective of the threat actors at the time.

So, don't ever think that your data is devalued because no one's popped it out on the internet. Somebody will eventually look to see if there's value in smearing your company's name and then use that information to do it. And today, with the great thing called AI technology, it's easier to find stuff like that and easier to leverage it. So that was my big lesson learned is data has almost a never-ending intrinsic value.

Mick Leach: Yeah, and it never goes away, right? Unless you outright delete it and we should be doing that, right? Data minimization. That's a key aspect of what we do. But you're right. Not only does it never go away, but there's always value to it. And I hear so many folks, even in the security space, say, no, it wouldn't be my company. We just don't have any kind of valuable data that bad guys would be after, that they care about.

And that couldn't be further from the truth. mean, every company has some sort of data that bad guys would be happy to take and to pivot in some way, combine it with other data that's already out there, and then be able to either sell it or action that in some way. So too often, that's at the heart of the way a bad story begins.

Patti Titus: That is so true. So true.

Mick Leach: Yes. So in your opinion, right, we talked a little bit about how things have been in the past and had a great example of what can go sideways on week two. That's crazy, by the way. But what is what is the biggest threat that you see facing, you know, security teams in particular, but but companies as a whole and impact those security teams?

Patti Titus: Yeah, you know, today everybody's working under pressure. It doesn't matter if you're in the government, if you're a private sector, everybody is working under pressure. There's been a lot of layoffs. People are trying to make sure that they're doing the best job they can. When people are working under pressure, people make mistakes. And I think the biggest challenge that we have of security professionals is recognizing that humans are going to make mistakes.

So a little story from my days early at TSA, well actually it was about mid into my career. The deputy or the administrator of the organization said, I was telling him, I really wanna buy this technology and I need you to agree that it's a good investment. And he said, you're buying this thing to protect the organization.

But yet every time I talk to you, you're saying, people are my first line of defense. He said, you've got to get to the point where you stop using people as your first line of defense. at that point in time, didn't have, yes, AI was around, but it was in DARPA and secret hidden places. wasn't, know, GenAI certainly wasn't available to the normal person and behavioral AI wasn't available at all.

And if I jettison forward to today, where we have the ability to behavior to take behavior and analyze what's the right thing for a person to do versus a bad. If I would have had that back then, I could have said, Kip, I've got a solution that will take that person out of that front line of defense. But people continue to be the weakest link, but yet our first line of defense, no matter what, how we look at it, it's the who's on the other side of the keyboard is what's really important at defensive measures. If it's your security operations team or if it's your end user on there, you know, trying to do their job effectively. And I think that's the other pressure cooker thing that we're working in is everybody is talking about AI. want to bring AI into my environment. I want to make things happen better, faster, cheaper.

Patti Titus: But yet you've got the legal team, the security team, the privacy team, the HR people saying, we need to tamp the brakes, down the brakes a bit on bringing this AI in until we get a risk management framework. And, you know, like to say it, but security has been figuring out risk management kind of. We've been flying the plane while we've been building it. And all of a sudden we have this AI thing and all the other divisions across the organization are like, whoa, we better slow down with this. It could have ethical implications or create bias or, know, and it's actually, this is a fascinating time to be involved in AI. But so we want to put all this framework in place. And people are just like, if you won't let me have it inside my environment, I'm just going to take my data outside, take your data outside. And that this is like,

It's like data loss prevention, data loss on steroids and finding the preventative capabilities and monitoring where data is being extracted from the environment for people who are trying to get their jobs done. I mean, I feel their pain. They want to be more efficient. They want to be more effective and they want to use these modern capabilities. And we are slow to embrace this emerging technology. It's mind boggling how great people could use this for, but how slow this technology is emerging across enterprises.

Mick Leach: Yeah. You know, it makes me think of, you know, too often security dreams, security teams try to be like a rock in a stream, right? And they're going to, they're going to block the use of something. Listen, it's like water. goes around it just like in, in Jurassic park. when, when they're, they say life finds a way, listen, users will find a way. If you don't, if you're going to block AI, access to, to generative AI outright.

They will find a way around you. know that most often that's when I have found the most creative users Because they can they can find interesting ways to get around whatever you put in place Because they want to make their jobs easier and I think on the whole right they're not Typically malicious on the whole and they just they're looking for ways to do their jobs and do them well On the whole their course will always be malicious insiders just disgruntled employees, those kinds of things. And then a, a, a bad external threat actor becomes, you know, an inside threat actor as soon as they compromise an account. So, you know, certainly things we have to be on the watch for, but, but I like the way you put that. So yeah, definitely an issue. Kind of teasing that threat a little bit though, as we talk about, you know, some of the big challenges that we have today, it makes me think about the future as well.

You know, in the future, what advancements or changes do you foresee in the field of cybersecurity? And how do you think that they're going to affect our security teams?

Patti Titus: Well, I mean, let's keep pulling the thread on the AI for a minute because I think in AI, we're going to see organizational changes, new titles, new qualifications where we might have an AI security architect. We might have an AI security engineer, AI risk management in the cyber portfolio. So I think we're going to see organizational reaction. The positive side of that is that organizational reaction is going to create career opportunities, which I think is always good. Some people will always be the ones who say, just want to come in every day and turn the crank. And then other people will go, hey, we could have a robot turn in the crank and I could go do this other fun thing. So I think there's going to be massive changes in the near term and it's already happening. just saw, I was reading my superhuman subscription today that Jack in the Box and White Castle have now purchased robotic fryer's deep fryers and that it will it fries foods the right temperature and it's you know, it has to yes be overseen by human but it is taking that workload off because there's such a problem of turnover in the restaurant business, especially fast food.

So we're already seeing these movements very quickly of robots taking over certain menial jobs. Amazon, think, is deploying lots of robotics as well. So that's the first thing. But when I think about the future, like what are some of the futuristic things we need to be thinking about and worried about, know, obviously there'll be some new emerging technology that'll come out of this. It'll be maybe AI-driven or AI enabled. But I think one of the things that totally got overshadowed this year at RSA is the whole quantum conversation. so, you know, a couple, it was pre-COVID, it's funny how we use that as an indicator, but it was pre-COVID, I was in Tel Aviv, and I was meeting with some academics. So people from the big academic facilities in Israel and Tel Aviv.

And they said, so Patti, what are you worried about? Because I kept bringing up this whole quantum, I'm concerned about it. And they said, what are you really worried about? And I said, quantum computing is going to break all my encryption algorithms. And they said, they've already harvested the data they're interested in, and they'll decrypt it when the capability happens. They said, maybe what you should be thinking about is A, how do I use quantum to further my security program?

Totally blew my mind. The second one is, how do you devaluate the data that could have been stolen?

I'm like, wow, I hadn't even thought about that. So I can't devalue my social security number or my government ID number, but I can change my password. I can do other things that minimize that data footprint. And so if I'm in health care,

Are there opportunities to look at changing medical codes for diagnosis? Is it standardized? Is there a way maybe to rethink how that happened? I don't know. But it was fascinating to me that I hadn't even thought about minimization and devaluing data that could have been taken. So I remember the early story where we talked about the worst day of my life.

The reason that data didn't end up completely damaging the company is the data that had been taken had been rewritten so many times that it was no longer valuable. There was only one piece of data that was valuable and that was fairly easy to correct. So that was an instance when I look back where we actually minimized the data's value, even though we didn't know that's what we were doing.

Quantum is one of those things that we're going to have to really think about getting ahead of. And for Pete's sake, it's been in the front windshield since at least 2019, and yet we're still not making progress. so, yes, NIST has come out with some encryption algorithms that we... But what's the vendor community doing? Have the CISOs actually looked across their estate and said, where do I have cryptography? Where do I have tokens? Where do I have digital certs?

So have you actually inventoried those? Do you know where your data is encrypted? Do you know where your keys are? Have you talked to your vendors about how they're going to handle post-quantum encryption? Should you be planning investments and driving procurement only in technologies that are doing encryption that have a post-quantum answer? I don't think we're thinking that way because we are unfortunately, a profession of very tactical operators. We're used to reacting. And in this case, as a CISO, the strategic thinkers, we need to be thinking ahead of this wall of water that's going to come at us if we're not thinking about it.

Mick Leach: Yeah, mean, great points all around. I mean, I've heard many companies say that after a breach, after a data breach, don't worry, the data was all encrypted. There's nothing they can do with it. yes, today, but tomorrow, to your point, right? There are so many bad actors that are collecting all of this encrypted data and knowing later we can decrypt it, right?

Patti Titus: Well, that's interesting point, because what you're talking about is something that we looked at in one of the companies I was working at. And that was, if we encrypt the data and we remove the keys from the database, the database is stolen, but the keys were someplace else and I can prove it to a regulator, I do not have to serve privacy notice on that data. I might have never been told my data was stolen because it was encrypted and the keys were somewhere else. So I might not even know it. So even a bigger problem for companies when all of a sudden it's like the data gets exposed and they're like, oops, now you have to serve notice because it's decrypted. So all these companies that thought they were safe. Yeah. hope it's post my lifetime in this career.

Mick Leach: Agreed, agreed. Boy, that's going to get hairy someday. I'll tell you that. I hope it's beyond me too, because that could get crazy complicated. Yeah, that's wild. So all right. Well, listen, I loved our discussion and the stories that you've shared so far. And now I want to kind of transition as we talk to the folks. And we did a little bit on the front end of this, but now more around career advice.

You know, there's undoubtedly lots of folks listening to this podcast that, you know, they love what we're talking about. They're excited based on the stories that have been shared and it just sounds interesting, but they're not sure. How do I get into this? you know, do you have any advice for folks, pardon me, looking to get into a security role? You know, what would you recommend in terms of education? Do they need a formal, traditional four-year college education?

Will certification suffice? Will self-study work? What are those kinds of avenues that you've seen be successful in your very extensive career?

Patti Titus: I think the answer to that is always yes to all of that. So will you need higher education? Yes. If you're applying for a chief architect, a chief security architect job, you may even need a PhD. If you're a chief security data analytics data scientist, yes, you're going to need a higher degree. Do you need certifications?

Yes, if you're going to be in forensics, digital forensics, and you want to start somewhere in the middle versus at the bottom, yes, you need some certifications. I would say self study is also equally good. Because to me, when I'm looking at a resume, I'm not just looking at the certifications, but I'm looking at the person's LinkedIn profile for are they a giant sponge?

Because the thing about this job is it, you we had that conversation early. It's not linear. It doesn't just, you know, this is the way in. It's constantly changing and evolving. It's like being a doctor, you know, and you have a specialty. That specialty doesn't stay the same. My knee surgery 30 years ago is not the knee surgery of today. And so there's this constant education and evolution when you're in a career. I think if people are looking to get in, find some mentors, that's probably a big deal. And they don't have to be the CISO, especially if you're trying to break in.

Find some people at the practitioner level and get advice. I don't know how many people in the companies I've worked in set up time to come talk to me and say, I'm really interested. Sometimes they're interns. I'm really interested in getting into cyber. What would you suggest?

And the first one is, you should try to set up some time with some of the people on my team. You know, what are you thinking? GRC? Do you want to go into risk management? Do you want to be in the operations side? Do you want to be an engineer? You know, what are you thinking? And if you get the blank stare, then it's you need to go do some research and figure out based on what you like to do. Do you want to be the seven by 24 by 365 getting up in the middle of the night when the threat actor gets in and does something bad?

Or do you want to be more the person that's managing risk and helping everyone figure out what they need to do and prioritize vulnerabilities? I mean, there's so many different facets to our field, which is so cool. So I think people need to figure out what they'll be good at. Like, what do I like to do? Like, I like to garden, right? Is gardening gonna port over to some sort of relevance. Well, it's gardening is a bit quiet. It's a bit repetitious, which could be a lot like setting up a board report. You know, I got to analyze things. Did I put the right amount of fertilizer on? You know, do I have the right level of measures and metrics? So I think you have to figure out what you're good at and then focus on that first. I do think it's super important. I just had this conversation with someone at the CISO level.

You got to work your network. You got to get to know people. You got to get out there. Some of us are introverts. I might know one, me. And I might not be great at getting out into the network. And that's really a plus. You have got to get to know people. You have to put yourself out there. And you would be surprised how many people who have reached out to me and said, I would like to talk to somebody at your level about getting into cyber. I will almost, I hate to say this on a podcast, but I will almost, almost always take that phone call because that is the future. That is the future security analyst. That's the future vulnerability management analyst. That's the future person writing measures and metrics for my organization. So yeah.

Mick Leach: I love it. So I'm not gonna let you off the hook though. I'm not gonna make this easy for you. You'd mentioned go out and find a mentor and you said, make sure you get, do some networking. I wanna double click into that because I know there are lots of folks that are like, everyone keeps saying that. How, where, where do I find these people? So I'm gonna ask you that: where do you find a mentor? Where are some options to go out and find some folks? And then in terms of networking, you had mentioned LinkedIn, and LinkedIn's good. It's useful to an extent, but I think you and I would both agree, like in person, you know, pressing hands together and meeting people face to face, as uncomfortable as that can be for the introverts, that are probably listening. yeah, i'm like an extrovert introvert anyway, You know, it's awkward for all of us to some extent, but where do you do that? How do you find these groups? How where do you where do you begin?

Patti Titus: My gosh, there are so many grassroots efforts happening around your cities and neighborhoods. There is ISSA, there is IC squared, there's the Cloud Security Alliance, there's every vendor in town is hosting events. You just have to do some research. I would imagine you could probably set up a prompt in your favorite generative AI to say what cybersecurity events are happening in my town that are free and would welcome myself. And you might get a spit out of all kinds of things. Sure, you can buy the expensive going to RSA or Black Hat or Def Con. I think the bigger value for you are getting to know people in your community that are going to help you. And there are a ton of events happening. You just have to figure out how to dial in. LinkedIn is great to a point. I have a zillion people on my LinkedIn site that I'm loosely connected to. But you can always reach out. Please, the thing I would encourage people is if you're new in cyber, don't go for the executive because they're not gonna have time. You'll have a better, you'll have better luck trying to find a way to reach out to more at the operator level, more the practitioner level. That's my advice.

Mick Leach: I love it. I love it. No, it's great. This is incredibly helpful. I would also agree with, you know, the local things. As you know, I live in the Columbus, Ohio area. We have hackers teaching hackers here, which was formerly known as 614Con. Just to the north, there's GRRCon and Grand Rapids. I mean, there's so many good local conferences that are put on, and those are the folks you really want to get in with.

Those are the folks, these are the ones that are passionate about security enough to host a conference, which is incredibly hard. It's so much work to do that. It's thankless work in many cases. So yeah, go out and find those groups. They're everywhere. Every big town has one of these.

Patti Titus: Educational systems as well. So your local universities, your local, and you don't have to go to that university to get dialed into it either. So, you know, there's spinoff clubs that are happening. There's, you know, K through 12 hackathons. There's, there's just like so much opportunity. It's just a matter of doing a little bit of homework.

Mick Leach: Yep, absolutely. Could not agree more that try hack me's of the world and, and, you know, you'd mentioned the free classes. We certainly have those in my area as well, both, from vendors in some cases. but also from, from universities will have, you know, an open house night where, and many will let you audit a class for free. So you may not get the certification. You may not get the credits for the course.

But you could go and sit in for a little while and go, is this for me? If you fall asleep 10 minutes in, maybe that's not your speed, right? Maybe that's something else that happens to me in like legal classes. Emily, I'm looking at you. You know Emily, my producer just graduated with her JD. Congratulations, Emily. Yes, she's awesome. But I just remember thinking I would fall asleep so fast. That is not for me.

Patti Titus: Yeah, and I think there's a lot of clubs. there's most of the colleges have clubs, cybersecurity clubs. So that's one way to get involved. And think about, do you really want to have your first job be in cyber, or do you want to have your job somewhere else where you can get a good foundation? But there's a ton of online free online. LinkedIn's got a lot of you know, you know, like forensics classes, and there's just so much out there. If there's one positive thing that came out of COVID was the volume of people just publishing podcasts and learnings and it's there. Yes. Just look, you can get smart people like Mick Leach.

Mick Leach: Well, I don't about that, but I've had the opportunity to speak with some very, very smart, very amazing people. So thank you for that. Awesome. Well, Patti, listen, this has been such a great conversation that was wide-ranging. Here's the thing. If our users, our listeners can only take one thing away from what was ultimately an amazing conversation, we're 40 minutes plus in here. What would you have that be? What would you have them take away?

Patti Titus: I would say it was from the very beginning of our conversation and that was if you want something, ask for it. If you think people are going to see what a great job you're doing and then promote you, that's not how the world works. You got to ask for it. You got to go after it. You got to be a little bit aggressive, respectfully. But if you want something in your career, or even at the start of your career, ask for it. You will be amazed at how many people will help you achieve that goal.

Mick Leach: Yeah, yeah. And I agree. I see too often, think, especially early in the career, folks sit back and kind of just wait for things to come to them. Listen, friends, that's not how you get there. I mean, you can, but you're going to wait a long, time in many cases.

Patti Titus: Well, as the youngest of five children, I will tell you, if you didn't sit down at the table and call what you were eating, a lot of times there was nothing left on the plate. So if you really want something, go for it because parents are going to look across their little children and say, is everybody full? The answer to that would be yes. Right?

You know, think about as you were growing up, if you wanted to borrow the car, you had to ask for it. Your mom didn't just throw the keys at you. If you wanted, you know, I want to join the sports team, you had to ask for it. It's no different when you're a grown up. It's just you get to be a little bit more assertive about it.

Mick Leach: I love it. Well, you heard it here folks from Patti, get out there, know, ask for it, work for it. Put yourself out there. This has been such a great conversation. Patti, thank you so much. I appreciate you being willing to come on the podcast and speak with our listeners. I think I got a lot out of it. I'm certain that a lot of folks did as well. So thank you so much.

Patti Titus: Thanks for having me on the show, Mick. I really liked it, really appreciate it.

Mick Leach: Awesome. Well, listen, folks, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I am your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.