Carolina Terrazas on Gaming Your Security Strategy

Mike talks with Cisco cybersecurity specialist (and avid gamer) Carolina Terrazas about how she helps CISOs prioritize their security spend using game theory.

Show Notes

In this episode of In Scope, the healthcare security podcast, host Mike Murray interviews Carolina Terrazas. Mike and Lina have been friends for some time, though up until this point, their friendship has been mainly virtual. Today, though, they sit down together to talk about Lina’s recent training for healthcare customers. The webinar was a project Lina completed in her position as a cybersecurity specialist for Cisco. Before turning to the main topic of the interview, Mike explains that Lina has worked in security for many companies, such as FishNet Security (now Optiv) and Microsoft, but for the past 7-8 years, she has been with Cisco.

This experience gives Lina broad knowledge of the security field, including the sub-section of healthcare security. Mike clarifies that, in a conversation with Lina on Twitter, he learned she had recently offered a training to her healthcare customers. However, when he asked to watch it because of his interest in the topic, he learned it was not recorded. From there, the idea for the current podcast episode was born; Lina agreed to join Mike to share with listeners the healthcare security insight she shares with her own clients.

Jumping right into the content of the training, Lina shares that the training was a response to recent announcements and advisories about healthcare customers being targeted semi-overnight and about people seeing indications of large-scale attacks in the world. Lina wanted her customers to go into “triage mode,” focusing on security issues in order or importance. So, she applied game theory to help them think about their portfolios and assets, thus helping them pinpoint their priorities and necessary security tools.

As Lina went about this work of applying game theory, her isolation of priorities showed an amalgamation of various annual security reports, heavily favoring things like Cisco’s annual security report. There were no surprises in the data she collected, but there was a reaffirmation of the need for customers to focus on DNS (Domain Name System), email, and 2FA (Two-Factor Authentication). All three are, after all, critical to protecting the three environments blended within the healthcare space.

Looking directly at DNS, Lina and Mike discuss its value for rendering clinical technology useless for hackers. Moreover, they discuss the fact that healthcare companies often do not place ample focus on DNS, even though it is not challenging to talk with someone like Lina about and it can solve a lot of problems.

Switching gears, Mike asks Lina to explain her use of math in the sphere of threat intelligence and security. Lina provides a basic definition of game theory as it applies to her work, explaining that it looks at all possible outcomes or solutions to a problem, assigns value to them all, and ranks them. She explains how security workshops and visualization were not satisfying for her; she wanted to give more to customers. She wanted to offer numbers as she made prioritization recommendations, numbers concerning different technologies and revenue impact.

The concept of assigning values arose out of Lina’s sense that something was lacking in recommendations made to healthcare companies, and over drinks in Chicago, she and some of her engineer friends came up with a grid that assigned values and correlated factors, allowing for the determination of priorities. The work did not stay with Lina, though; it left her lands, and other Cisco team members turned it into an internal app.

As the conversation concludes, Mike and Lina, both vendors, talk about the failings many vendors often demonstrate – failure to listen to customers and understand them, making targeted recommendations rather than a blanket push for every client to purchase all available security tools. Mike points out the need to be better for customers, and Lina notes that, because of her company’s many competitors, she has to be different in order to stand out. And of course, she’s already demonstrated a commitment to serve her customers well!

Timestamps

0:27 – Mike introduces the episode and Lina.

1:02 – Mike shares how the conversation came about.

1:30 – So, let’s talk about the recent training webinar!

3:22 – What priorities emerged from Lina’s work?

4:21 – Mark and Lina talk DNS.

7:38 – Mark wants to switch gears and explore Lina’s decision to apply math to her work.

10:55 – How did the concept of assigning values come to be?

12:07 – The grid left her hands and was made into an internal app.

12:55 – As vendors, Mike and Lina offer thoughts on common vendor failings.

Links

Connect with Carolina Terrazas on Twitter
Connect with Lina on Xbox at @d0rkph0enix.
Learn more about Mike Murray and follow him on Twitter
Learn more about Scope Security and read its new whitepaper
Connect with Scope Security on LinkedIn and Twitter

If you have show ideas, tech tips, or would like to be featured on our show, contact us at [email protected].

Get Scope OmniSightâ„¢ Request Demo