
This is software (AWS) generated transcription and it is not perfect.
It's great to be meeting with students and to share some of the experiences that I've had within the industry. How I got where I am today, I think, is a combination of wanting to be in technology and opportunistically working towards different career paths as I learned and had more experience. I can remember a specific time early in my career, this is probably in the year 2000, at a software company that really doesn't exist in the same form today, but it was big at the time, called Novell, and learning about a cryptographic piece of software that they had. I'm thinking to myself, "Wow, this is probably something that I should understand a little bit better and get into," and started to steer my career in that direction, and have been very fortunate to have a lot of different security roles along the way. To go in a little bit more about how I got where I am today, I'll maybe just focus on a couple of items: having a hunger for continual learning, and then having a desire and moving in the direction of not only understanding technical concepts but also understanding business concepts. And so I had a portion of my career early on that was very technically focused, where I was in deep, technically oriented jobs, but then I got to a point where I realized I needed to have an understanding of the language of business and be able to articulate that and interact with other people in the company and understand where they're coming from. And so as my career continued to develop, I pursued an MBA, and did a part-time MBA at New York University while I was still working full time. And that really helped catapult and move forward my ability to not only address security and technical related areas but to also know how that translated to the business side.
And that doesn't mean you need to get an MBA, but it does mean that as technical practitioners, we need to be aware of the business side and of how what we do in the security world impacts a company and its growth and its revenue and its customers. So I think the combination of those two things has been critical in shaping my career path.
Responsibilities and decisions: the way that I see my own responsibilities is empowering the team that I manage and being a resource that interfaces from my team to the rest of the business leadership and some of our peer counterparts within the company. So I'm dealing with decisions like, where do we allocate? I've got about 40 people on my team. Where do we focus? How do we manage risk? I rely on my team and my own experience to understand, of all the many, many things that we could be doing in the security space, what are the most important ones that are most impactful for our business today. And so thinking through that and understanding, again going back to knowing the business, is important, because if I know that this is our critical product line and it has the highest customer impact, and that particular product has the most healthcare data in the healthcare space, then that's where we need to be focusing a lot of our controls and capabilities. So there's a lot of day-to-day decisions around focus, risk acceptance, prioritization. There's an aspect of people management to my job, ensuring that everyone on our team has an opportunity to develop their careers, to advance their perspectives, and that everyone is delivering and performing at the level that we need to. There's an additional aspect of budgetary management, so there's a budget that's allocated to my team that I need to manage and ensure that we're meeting our targets, and then often asking for more budget because there are always more things that we want to do. And then maybe lastly, I'll just mention the operational aspects of a job in security. We try to minimize the number of security incidents that happen, but they do happen, and so they can be consuming, and so there's an operational aspect to that.
We have security tools that we're responsible for monitoring, so there's a day-to-day operational component of being able to make sure those tools are running, that we have uptime, that our tools aren't slowing down our internal products or impacting customers, so there's kind of those main pillars of my job responsibilities. About weekly work hours and the time spent on work, travel, or working from home: prior to Covid, on average for my particular role, I probably traveled a week or two a month. The weekly work hours, it's probably rare that I work less than 50 hours a week, and probably between 50 and 60 is average. Sometimes it's more. There have been times when we've been in the middle of a more significant incident response where it's working 15 hours a day consecutively for a week or two, but more often it's kind of at that normal pace, and I think that varies significantly by company; it varies by person too as far as how much they put into their job.
One of the biggest challenges, which I talked about a minute ago, is being appropriately risk-focused in what you do and knowing, of the many things that you could implement, what are the best things to implement. I think, as security practitioners today, I often observe that there is an attraction to the next flashy or shiny object. We're always going to implement the next tool, whatever the security hot button of the day is that we've got to go out and install, this user and entity behavior analytics new fancy tool, but we've neglected fundamentals like vulnerability management and having inventory, and even taking the tools that we already have today and making sure that they are appropriately tuned, comprehensively deployed, and that we're monitoring the activity effectively from day to day. So there's a challenge of tempering that desire to look at new tools, which sometimes do add significant capabilities, with still ensuring that what you've already spent on and done is being used effectively. So that's a challenge. I think another challenge is just dealing with the massive amount of information that comes to us and being able to process it and know where to focus time. On a daily basis, I probably get 20-40 solicitation emails from vendors, people that want your time, that want to sit down and pitch you their product. In addition to that, I probably receive another 30 to 50 other update emails that are either from industry subscriptions that I subscribe to or internal updates that are coming from various parts of the organization. And some of them are tangentially connected with what I do. And some of them are very connected.
And so having the ability to sift through all of that noise and identifying where to spend time and where not to spend time, and then just keeping up on what's happening in the industry in general, who has had an incident or been breached most recently; all of the vendors that we use publish product updates, they publish security updates, and so you have to figure out, again from a focus on the day-to-day perspective, how to sift through that noise and then still maintain an appropriate level of focus on individuals. To me, it's very important that my individual team members know that they're appreciated and valued, that they're being developed, that they're part of an overall business that needs their contributions, and that they feel meaningfully engaged in the work that they do. There's always a training and awareness aspect to a security team and the need to ensure that there's training that's targeted holistically at everyone in the organization, and so you have to have a more simplified and more generically applicable message that goes to everyone, but then you also want certain parts of your organization to have more detailed training. So we have over 1000 software developers as part of our particular division of 3M, and each of them might be in different technology stacks and be using different software: some might be C#, some might be JavaScript, some are doing Java, some are doing a lot of Lambda programming in AWS, and so you have a strong diversity, but they all need to understand security best practices in their different ways. So we try and provide focused training that uses their time efficiently, so they're not sitting. One of the things that happens in corporate America is you have required mandatory training to take at frequent intervals, and a lot of people tend to tune that out because there can be a high volume, but you kind of have to do that for regulatory and other governance reasons.
And so we try and make sure that our training is very targeted and uses the time efficiently for our teams, and we've found good partner organizations that have effective training in that regard. But to your other comment about making sure that people don't click on those links and compromise the whole organization, there's even been a sentiment in the security industry that the end-user is the weakest link. The human is the weakest link, and we kind of berate and bemoan the state of end-user education, but I would offer a different perspective: if the security of our organization, and the only thing that's keeping us from having a data breach or having a massive ransomware event that cripples our company, if the only thing that stands between us and that is someone clicking on a link, then we probably don't have enough layered security controls; we haven't done enough, or done a good enough job, of building a security program that's effective and that manages those risks. Sure, we still want to minimize that, we still want to educate people, but there is not an organization in the world that will ever completely eliminate the likelihood of people clicking on links. The threat actors that are out there are just too sophisticated. They have too much knowledge; there's a disproportionate amount of information that they know about us. We don't know who is attacking us, but they probably have a lot of information about us, particularly nation-state actors that have years of data breaches where they've built up dossiers and profiles on most people that they might ever want to target. And so I view the job as building layered controls so that you can have an effective program, so that clicking on a link is never all it takes, and so that you can protect and insulate your users from being what causes a major event.