Afternoon Cyber Tea with Ann Johnson 4.19.22
Ep 50 | 4.19.22

A Librarian’s Guide to Cybersecurity

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson.

Ann Johnson: Today I'm joined by Tracy Maleeff, who many of our listeners know as @InfoSecSherpa on Twitter. Tracy's daily information security and privacy newsletter and open-source intelligence and industry news blog is followed by thousands as a critical resource for practical guidance and understanding the latest security cyber trends. Tracy is a well-known and recognized member of the infosec community, having received the Women in Security Leadership Award from the Information Systems Security Association, and she's been featured in the "Tribe of Hackers" cybersecurity advice and "Tribe of Hackers" leadership books. 

Ann Johnson: Most recently, Tracy joined the Krebs Stamos Group, a cybersecurity consulting firm co-founded by former director of CISA, Chris Krebs and Alex Stamos, the founder of the Stanford Internet Observatory. Tracy's previous roles were she served as information security analyst at The New York Times Company and was a cyber analyst for GlaxoSmithKline. However, this is where I want to start our conversation today. So welcome to "Afternoon Cyber Tea," Tracy. And also, tell us what kind of tea you're drinking. 

Tracy Maleeff: Sure. Ann, thanks so much for having me. It's a pleasure to be here. And I am proudly drinking Yorkshire Tea, right from England - their Malty Biscuit Brew, which, as per the box says, tastes like tea and biscuits. And it is truth in advertising. It does taste like that. 

Ann Johnson: That's absolutely fascinating. And I will have to add that to my tea repertoire. I have, like, containers of tea all over my kitchen counter that the family just kind of looks at and shakes their head because they're coffee drinkers, and I'm not. So I have all different kinds of teas. I think I can add that one to the collection. 

Tracy Maleeff: You definitely should. Yeah. The Yorkshire Teas are great. And I - I'm hoping they contact me for a sponsorship because I would (laughter) appreciate that. But, yes, definitely. I am a tea drinker. I'm a coffee drinker, as well. But, like you, I do enjoy a fine tea. 

Ann Johnson: Well - and it's perfect for the show. I'm usually drinking lemon ginger for "Afternoon Cyber Tea" just so I can keep my voice... 

(LAUGHTER) 

Ann Johnson: ...In a place it needs to be. 

Ann Johnson: So can we start by talking about misinformation and disinformation? Look, they're top of mind for many of our listeners, and you have worked for two industry giants - The New York Times and GlaxoSmithKline. So you have a media company and you have a health care organization who are both industries that have become key targets of disinformation. Having been on the inside of these companies, can you share with our listeners a behind-the-scenes look at the approach these organizations take to cybersecurity, but also the role that cyber plays in these industries in keeping information safe? 

Tracy Maleeff: Absolutely. Well, of course, I'm not sure how much I can divulge. But generally speaking, having good threat intelligence is key for companies like them to know what disinformation is being purported about them out in the world because that misinformation could then lead to threats against them or having the hacktivists assemble towards a common goal of going after The Times or GSK, which is definitely things that I saw happening. So what it kind of boils down to is, having good OSINT skills on your security team were important. And I can give you an example of exactly that. 

Tracy Maleeff: I believe I was looking at Reddit one day. I'm not sure if that was where I was looking. But the gist of it is I saw a piece of paper posted, and the comment was that someone found this piece of paper outside of a GSK location and on it was filled with chemical formulas. And immediately, I thought, oh, no, is this proprietary information that somebody dropped and it was found? So I knew enough to have that escalated and have someone who passed chemistry, unlike myself (laughter), who could read and decipher it and find out, you know, is this something of concern? And what other steps do we need to take? So it came back that it really wasn't anything other than just chemical formulas. It wasn't anything proprietary. But, you know, having found that - actually, now that I remember it, I think it is actually the, quote-unquote, "dark web." I think I was on an Onion site and found that posted because I think the person thought that it was something valuable that they found. But being able to have those research skills and those OSINT skills are really crucial for understanding what's being posted out there about you. 

Tracy Maleeff: Another thing that I used to deal with with The Times that - again, I don't think I'm giving away any secret sauce - but using OSINT skills, you would come across places in the world that were listing New York Times content and posting it, word for word, on their own site and either pretending that it was theirs or trying to act like they were some sort of authorized distributor for The New York Times. So, again, using OSINT skills and threat research and things like that, you would find these sites and then, you know, report them through the appropriate channels. But that's really the biggest way, to be honest, in my opinion, from what I observed, is just having those good OSINT skills, research skills and threat intelligence to understand what's being said about you because that could easily take a quick turn and become a threat. 

Ann Johnson: You know, we have this information that's so readily available to us because of social media and because of the internet and because of our global real-time and high-speed connectivity. I was - just moving that example into even the human domain, a friend of mine has recently started dating again after a very long-term relationship ended. And she's amazed because she'll tell me about, you know, a person that she's dating and maybe not just one date but has gone out with. And I'll come back with this wealth of information about them. 

Ann Johnson: And she's like, how does you find that? I mean, what are you doing? And I'm like, well, it's all publicly available. You just have to know where to look. I said, there's nothing - you know, there's very little hidden - right? - in digital footprints, which is both a blessing - right? - because we can solve really hard problems because we're really connected globally. But it's also this ability to spread misinformation and disinformation so quickly. 

Ann Johnson: And then to your point, how do organizations actually keep their IP safe and keep their - you know, their potential proprietary information from actually landing in some website or some forum or some - you know, something like a Reddit or even in the dark web? It's an amazing challenge that obviously continues to keep us on our toes. And when you think about the change, you know, from security and this threat landscape that's ever increasing and this tsunami of information that we'll talk about in a minute - but, you know, based on your experience and your expertise and all the things you and I have just discussed, what surprises you? Does anything surprise you? And if so, what? 

Tracy Maleeff: Probably just some of the boldness of some of it surprises me that - you know, things that people will post to harm others. That's probably just - I guess I should be numb to it by now. But just some of the audacity that people have of posting things - and honestly, the No. 1 thing that I - that really bothers me and it doesn't seem to be going away is any more people feel free just to take photos in public and post it. And, you know, you didn't consent to having your photo taken or posted on social media. And whether it's someone making fun of you or just a group shot or something, you know, that person maybe didn't want to be photographed where they were for a variety of reasons. 

Tracy Maleeff: You know, in our community, we have a lot of people who keep a low profile for security reasons, for their job and their own personal safety. So I really am disappointed by this new trend that people seem to think that if you're out in public, you're fair game to be captured and posted without your consent and without any context. And again, that's how misinformation, disinformation spreads. And then there's always the malinformation, the people posting things intentionally that are wrong, which - you know, we don't have enough time to get into the whole COVID misinformation, disinformation, malinformation. 

Tracy Maleeff: But I really like that you tapped on this because this is something that - with my background as a library sciences professional, it really concerns me that there's not more standards in place, especially in cybersecurity, for how we post information, how we obtain information. And I actually created a talk which, fortunately, was accepted by ShmooCon but, unfortunately, because they changed the dates, I had to withdraw. But my talk is called Information Literacy Makes for Better Information Security. And it's where I talk about, you know, the proper ways and methods that are time and tested of finding information, citing sources, the difference between primary, secondary, tertiary sources. What do you do with that information? That means a lot to me, and I'm very passionate about that because I want to try to make a dent in all this misinformation and disinformation that's out there. So I want people to have the tools to be able to cut through the nonsense and get to the truth. 

Ann Johnson: Yeah. It's - you know, we had Dr. Fiona Hill on the show a few months ago. And she was talking - I asked her to define the difference, right? What is the difference between disinformation, misinformation? You know, the moderation is hard, by the way. You know, we criticize a lot of the social media channels because of their inability to do content moderation at scale. But people who are actually putting disinformation out there know how to work around the content moderation systems. They understand what the systems and the algorithms are looking for, and they know how to work around it. And I think it's going to be a continual challenge for those of us in tech to try to stem this flow of, especially, as you said, deliberately malicious information that's put out there. 

Ann Johnson: One of the things that's so interesting, Tracy, is this debate about one of the social media channels - I think it was Twitter - recently said, look. We're not going to let anyone tag you in a picture without your - you know, post and tag you in a picture without your permission. One of the challenges that people mentioned is that some vulnerable populations use pictures and videos to call out abuse, right? So how do you actually balance those two things - this risk that's created to your point by people who want to and need to, for their own personal safety, not be tagged in social media and using social media as a way to protect vulnerable populations? 

Ann Johnson: These are really hard challenges, and I think there's not enough nuanced conversation around them. And I know from your background, by the way - you have this incredible background in corporate and academia, and you mentioned being a librarian and going to cybersecurity. How does that - you know, when you think about these really hard problems, I'm assuming your abstract thinking around them and your concrete thinking around them are going to be different than someone that came up purely on the technical side. 

Tracy Maleeff: Yeah, I definitely think so. And I can't explain how, but I just knew that my library and information science master's degree would be a big asset to information security. So when I was looking at doing a career change, I knew I wanted to get into tech, but I didn't know exactly which area of tech, and I very quickly was drawn towards cybersecurity, which I joke is because I had the revelation that my natural paranoia and distrust of things was a career path (laughter). But it helps me look at information differently and organize information differently. And, you know, you really have to understand that you prepare, you aggregate, you curate, you archive information with the usability in mind. So I see a lot of people who, in tech and security, think they're being helpful by crafting playbooks or guides or things like that, but they're not really good, organized information. So just because you can find it and you can understand it - you need to think outside yourself. You need to think, can somebody pick this up? You know, especially if you're writing playbooks and you're in a SOC - are you writing your playbooks that a new hire can come in and immediately understand what's going on and what's happening? 

Tracy Maleeff: So that's what I try to highlight, you know, when I give talks or just give advice to people, that there's ways to organize information that you have to make sure that it can be understood or it doesn't - then what's the point? There's no point of it. It's just garbage. So that's kind of what I try to help with. And my big one is that I like to emphasize to folks that they have to be mindful of what - from where they're getting their information. I talk about provenance a lot in my talks, and I always joke it's not a place in France; it's, you know, the origin of information. And that's really important because I explain to people, look; I worked in law firm libraries for 10 years, and when I did research, I had to make sure that what I was submitting and handing over could ultimately be admissible in court, you know, because that was a possibility. So I had to be absolutely dead certain that what I was handing over was verifiable, was accurate, and I had some sort of trail. 

Tracy Maleeff: And when I say this to InfoSec folks, a lot of them say, well, you know, well, this is never going to go to court. But I raise the issue - but you don't know where it's going. You don't know what you're handing over. It can make its way to the boardroom of your company where they're using it to base major company and financial decisions. So I just tell people, you know, assume that you don't know where this information is going to wind up. So why don't you make absolutely sure that it's verifiable, that it's good information, and it's from a reliable source, a source that you can point to say, like, this has validity. And that's a lot what I cover in my talks and something I'm just very passionate about because I think - also stemming back to the misinformation and disinformation, I think that if we were more mindful of that in our community, it would really make things a little bit easier to digest all this information that's coming at us constantly. 

Ann Johnson: Yeah, and I think the curation of information is important. And I want to read you a statistic, too, actually. The first one is that by the year 2025, which is three years from now... 

Tracy Maleeff: Oh, my goodness (laughter). 

Ann Johnson: Yeah, I know. Think about that. Yeah, I know (laughter). Humans are going to create more than 175 zettabytes of data. In addition, by the year 2025, 75% of the workforce will be millennials and Gen Z, who think about privacy a lot differently than the prior generations. And you have this specific tagline behind your Twitter handle... 

Tracy Maleeff: (Laughter). 

Ann Johnson: ...Which says, your guide to a mountain of information. I love that, by the way, because we have this impending tsunami of data, right? We also have a generation coming into the workforce that thinks about data and privacy differently. So I would love to understand both the inspiration behind your Twitter handle but also how we are going to be evolving. What are your predictions, you know, if you could, for how we're going to be evolving the way we think about data? 

Tracy Maleeff: Sure. Well, I'll address the origin - my origin story (laughter) of my name. So I actually started out as @librarysherpa, which is still an active account that I've had since, I want to say, 2006 or 2007. I was an early adopter of Twitter. And it was your guide up a stack of information, I think it was. I had a very similar (laughter) tagline because that's how I see myself. I see myself as a helper, as a guide. I like - I want to help people. So I want to help them - at that time, it was understand legal information research and other research. And the reason why I created that is because the law firm I was working at at the time, my library manager was very concerned about me writing blog posts under my real name and/or using the firm name in my byline, which in hindsight was a little silly that she was telling me I couldn't even use my own name, even if I didn't attribute the firm where I worked. 

Tracy Maleeff: So, you know, kind of like how Prince created the symbol (laughter) to get out of contracts or for legal reasons, I created @librarysherpa so that I could still write blog posts. And I came up with this, you know, the Zen of it, that I want to be a guide up a mountain of information. So that's how that that started. And then when, in 2015, when I decided to dip a toe in the security world, I created what initially was just a lurker account called @InfoSecSherpa, which has now grown a lot. And that is how I'm known. And I will answer to it if someone meets me in person, so - so that's the story behind that. So going back to your question, I love that you used the word tsunami because there's actually a quote that has guided me for a long time back when I was a librarian. And the quote is, "in the nonstop tsunami of global information, librarians provide us with floaties and teach us to swim." And that quote was by Linton Weeks. And that really has been my driving force for - and even into infosec - that I want to be the person that is going to help you swim. 

Tracy Maleeff: You know, I will do my best, based on all the training that I have, this master's of library and information science degree I have from the University of Pittsburgh - go Panthers - that, you know, I have all this knowledge that I want to help share and help people. A lot of this just comes to me naturally. You mentioned my newsletter, you know - thank you - earlier. And people always ask me, how do you find all these stories? How are you able to find these things that nobody else is able to find? You know, the Malcolm Gladwell 10,000 hours. I've been doing this for a long time. I have it down, and I'm trying to share the fruits of that with everyone. 

Tracy Maleeff: So, yeah, information - the data overload is definitely concerning because there's the security concerns, there's the storage concerns and, yeah, the privacy concerns. And something that has struck me, as you said, talking to Generation - what - are we calling them Z or Zed or whatever (laughter) you called them? The Gen Z folks - yeah, they do regard privacy very differently. For example, a young woman I know recently said something to me about, oh, you should join Strava, so, you know, I can follow where you walk, or something like that. And I, you know, raised my concerns to her. And, you know, she's been in - of that age group that probably never really truly knew privacy to begin with, if you think about it. I mean, how many of these 20 - early 20-year-olds, their parents have been posting about them online in some form, you know, basically all their lives. I mean, especially, I would say, high-schoolers and middle-schoolers, right? They probably have the most chance of their entire lives being captured from birth until now. So yeah, they probably don't even know what privacy was like, whereas maybe in Gen X, my mother wouldn't let us wear clothing that had our name on it because in the '80s, the fear was someone would see your name on your clothing and talk to you as if they knew you... 

Ann Johnson: Yeah. 

Tracy Maleeff: ...Which as an adult, I thought that's also kind of selling kids short that I would just assume that someone knew me because they knew my name and maybe forget that I was wearing clothing with my name on it. But I digress. But my mother - and now we didn't call it OPSEC, but I realized in hindsight that my mother was very astute with OPSEC and way before her time because, yeah, anything that revealed my name and all, she - or, you know, and my sisters as well. But yeah, she was very protective of that, and that definitely taught me some lessons early. I didn't - it all came together now that I'm in InfoSec because, you know, for a period of time, you think it's a burden and you think your mother's being weird. But now I appreciate, oh, OK, I understand why she did that. And maybe that was a little too extreme, but I can appreciate the, you know, the warning of it. 

Ann Johnson: So I will tell you that I wrote a blog a few years ago, and I couldn't tell you exactly when, but I'm probably going to repost it, that talked about, you know, teenagers and privacy and expectations. And the - what your mother was doing with OPSEC, I grew up the same generation, right? You know, you can't have your name on your clothing or your backpack because it'll create familiarity and someone may kidnap you and, you know, lure you away. That is not, you know, the expectation. By the way, I have a Gen Zed daughter, right? And she just rolls her eyes at me when I talk about social media controls and, you know, location things and not talking about - and she's finally, I think, understanding personal safety more than she was when she was younger. But it's interesting because people are bringing those - going to bring those same views into work, right? So how do organizations protect their intellectual property and protect their - all of their - the things that they do or their proprietary with this generation of folks that are used to having things that are much more open and anything goes on, you know, whatever social media channel that they're on? It's going to be interesting. We're not going to solve it today, but it's going to be an interesting thing to think about, right? 

Tracy Maleeff: Well, I would like to give you a quick OPSEC overprotective mother pop quiz brain teaser, if I may. So my mother always said to me growing up, If you ever go between Los Angeles and San Francisco, you can only go south to north. You can only go from LA to San Francisco. I do not want you going from San Francisco to LA. Why did she say that to me? 

Ann Johnson: I don't know. 

Tracy Maleeff: Because if you go from south to north, you stay on the right-hand side of the road and you hug the coast, whereas if you go north to south, you're along the guardrail and the cliffs. So that is something that for some reason my mother thought was important to instill in me from a young age (laughter). 

Ann Johnson: That's a fascinating - by the way, that's - that makes it real, right? It's something that - people can see it as tangible. 

Tracy Maleeff: Yeah. 

Ann Johnson: All right. We should get back on course. 

Tracy Maleeff: (Laughter). 

Ann Johnson: So, look, I talk a lot about enterprise cybersecurity. But I actually want to talk for a second about consumers and have you talk about consumers. 

Tracy Maleeff: Oh, sure. 

Ann Johnson: You know, consumers are much more aware of attacks than ever before. But the security news is overwhelming to them. We use this weird lingo that the average human doesn't understand. What do you think are the most critical issues that consumers are facing? And more importantly, what can the industry do to help them? 

Tracy Maleeff: Sure. Well, I think that the most important thing to realize right now is there's not really a choice anymore. You pretty much have to get a smart appliance or a smart device. It's getting harder and harder to have, quote-unquote, "dumb" devices. So that's really giving consumers less options, right? I mean, if they do want to find something that's a quote-unquote, "dumb" device, then it's probably going to be lesser-grade quality and things like that. So that's really unfair to the consumer. 

Tracy Maleeff: You know, I said years ago on a podcast, when I was just getting into InfoSec - I recognized it then - that the only way that any changes are going to happen on behalf of consumers are going to come through litigation or legislation. And neither one moves very quickly (laughter), do they? And it's that kind of thing that - you know, history repeats itself. 

Tracy Maleeff: And I think we need to look back at, you know, Ralph Nader and his campaign for seatbelts, right? You know, he was an advocate for seatbelts. And now it's a law. So there's a lot of grassroots campaigns that really need to start. And companies aren't going to get the message about requiring security and baking it in, not bolting it on, until consumers boycott products or there's grassroots campaigns, you know, similar to Ralph Nader's. And that's what's really, really sad, is that a lot of consumers just aren't even aware of the full spectrum of the privacy and security, or lack thereof, features with these products. And it's not because they're dumb or they don't care. It's - it is confusing. And there's not really easy ways to break this down. 

Tracy Maleeff: And I think there's a real responsibility on the manufacturers to lay that out more clearly - of, you know, this is what this product does, you know? This is how you can turn things off, you know? Or this is what we're collecting, whether or not we have your consent. Let people make decisions, you know? Let them make the choice, you know? Oh, I am OK with it collecting this information, or I am not. But that's what I think is the most scary thing, is just that there's really no choice anymore. That's the only products on the market. And it may not be clear what exactly is being collected if they're not forthcoming about it. 

Tracy Maleeff: I mean, how many times have we heard stories about, you know, TVs having listening capabilities that people were unaware of? So that's what's really a shame, is that this has really kind of gotten out of the hands of the consumers. And the manufacturers are ruling. And it's just - it's hard to clamp down on that. And, like I said, legislation or litigation is just going to be slow coming. So I think it needs to be more of a groundswell effort to - for groups to help educate folks. 

Tracy Maleeff: I know I see online - there's lots of websites that give very clear instructions that you can go to specific sites and how to turn off or on certain privacy and safety features. Like, we need more guides like that. I'd like to see something come from, CISA, you know, for example, of, you know, something more standardized rather than this piecemeal instructions of how to do things. I think if you give consumers choices and the ability to make decisions about these products, then I think everyone'll be safer eventually, or at least just aware of what they're getting into when they buy a new refrigerator that has a monitor in it. 

Ann Johnson: You know, I think the other thing, though, that's important is - and I want to switch to a couple things - but I think the other thing that's important, though, for consumers is they need to actually read the terms of service. But most importantly, they need to go to the privacy and security settings of every app they're using and adjust them to their preference. They need to understand the preference. And most people do not do that. They download apps. And it's whatever the default setting was. And then they're surprised that they're sharing their data or they're giving something away. They - if you're going to download an app, take the personal responsibility to understand the privacy and security settings, and set them to your comfort level, whatever that is. And I just think this incredible awareness-raising for consumers is so important. 

Tracy Maleeff: Absolutely. And I know that a lot of InfoSec professionals are already tired. But still, to the best of your ability, even if it's just on your Facebook page - like, I use Facebook really just for family and close friends. I will post articles like that or instructions. If I know that there is a Chrome update or something like that, I will - I already have it typed out. And I just repost it. Remember, this is how you, you know, update your iOS system or your browser. And it just takes a few seconds. And I know that people appreciate it. So, you know, yeah, we have the knowledge and the ability to help people. And I just - I think that to - much as you're able to, people should take initiative to try and share that with people in their inner circle. Just try to keep more people aware of what's going on with these apps and devices and appliances they're buying. 

Ann Johnson: I agree. So let's talk about one last thing. These have been incredible insights, and we try to send our listeners off with one or two key takeaways. But before you get to key takeaways, what are you working on right now? What's exciting to you? 

Tracy Maleeff: Oh, well, I am working on just continuing my newsletter. Just - I'm always looking for new ways to make it more impactful, more useful to people. I think that I'm going to be creating a new crypto - cryptocurrency security-focused newsletter. I have transportation. I have Caribbean. I have African newsletters. And I'm starting to get interested in the security aspects of cryptocurrency. I personally don't have any interest in cryptocurrency myself, but I am very intrigued in the security aspects of it and the legislation and litigation that's surrounding it. 

Tracy Maleeff: And also just mentoring - I work a lot with groups in Africa to help the infosec students and professionals there. I really want to create a more level playing field so that they can interact more. Africa is an emerging power when it comes to cybersecurity, and I want more people to realize that. And also underrepresented folks in tech and infosec here in North America - I do what I can to individually help people or I get involved with a lot of groups to try and help them through fundraising or making recommendations. 

Tracy Maleeff: But, yeah, I just want to help people. That's (laughter) my mission in life. I lead my professional existence under the phrase - there's a phrase in Hebrew called tikkun olam, and it basically means, like, repair the world, heal the world. And that's my driving factor as an infosec professional. Every day, I try to do one thing that either heals or repairs the infosec world around us. And I just do the best that I can. 

Ann Johnson: That's a beautiful way to think about it because this is mission-driven, purpose-driven work for most cybersecurity, you know, professionals. Last bit - I'll put you on the spot. What are a couple of takeaways that you think our listeners could do right now to either improve their consumer security or the security of their organization? 

Tracy Maleeff: Well, two-factor, two-factor, two-factor. It should already be enabled, but I want more people to embrace multifactor authentication. I want more companies to require it. And I just - I think that that will make a lot of progress in having people have their information protected. And the other thing I'd like to see progress on - and this is something that I talk about a lot, and I created a - actually, a speech about it, which is "Empathy as a Service to Create a Culture of Security." I want information and tech - tech's not absolved from this either. I want tech and information security professionals to be more empathetic and compassionate, not only to each other, but to all of the consumers of technology and security products. 

Tracy Maleeff: I was pretty much shocked when I came from library world into this world to see the contempt and disdain that a lot of people hold for the users, and they're the reason why we have jobs. So - and there's a really great quote - and I'm probably going to mispronounce his name. Is it Goethe? I know, I never took German in school. But he has a quote about, you know, basically, people act the way you treat them. So if you treat your users if, oh, they're stupid users, they can't do anything, well, then they're just going to keep doing that then. But if you empower your users and educate them in a supportive way, they're going to be your infantry. They're going to be your front line, especially when I was at a large organization like GSK. They were the ones who were getting the phishing emails first and letting us know about them. 

Tracy Maleeff: So those are the two things I'd really like to see, is more embracing of multifactor authentication - especially in a way that it's more user-friendly for some parts of the population that it might still be kind of a scary thing for them - and just also more empathy, compassion and understanding on the behalf of all the companies and professionals, and just, you know, treating people with respect and dignity when it comes to privacy and security matters and not treating them like they're stupid, and being really aware that different populations have different privacy and security needs. So it's not one-size-fits-all, and that's why diversity is mission critical. 

Ann Johnson: Tracy, thank you so much. That's a wonderful, wonderful way to end the episode. I want to thank you for joining us. I want to thank our listeners for joining us also. And join us again on the next episode of "Afternoon Cyber Tea," and listen to us at afternooncybertea.com or wherever you get your favorite podcasts. 

Ann Johnson: So I chose Tracy Maleeff to join me on "Afternoon Cyber Tea" because she has this really wide and varied experience from working at The New York Times, from being at GlaxoSmithKline. She's at the Krebs Stamos Group now. But she has a background in library science. And when you think about this tsunami of data that we have coming in the world, that the world is creating, it's necessary to have, actually, somebody who understands how to process and organize the data so the data becomes useful for us. And I think you'll find this episode was really, really informative. She was a wonderful guest. It was a pleasure to have her on.