[MUSIC PLAYING]
Do you have any advice
for some of the students
that we're beginning
to see that are coming
in from the legal profession wanting
to get up to speed in cybersecurity?
Take the courses.
Be interested.
Play with the technology.
I have never been able to
learn how to do anything
with computers without playing with
it, which is actually fun for me.
And if you don't find
it fun, you probably
won't find it a fun profession.
If you do find it fun, if
you like things like chess,
you'll find trying to
figure out cybersecurity
and outguessing the bad guys or the just
smart enough greedy guys or the clients
who won't listen to you
and do dumb things, that's
all sort of three dimensional
chess with a lot of other players
out there trying to do things that
you do your best to anticipate.
I'd like to address a question from the
point of view of the larger audience
that we have taking this class.
As I said, many of the students that
come to us, new to cybersecurity,
and even those that have been
in the field for a while,
don't truly appreciate
how diverse the field
is from an operating perspective,
all the different areas, disciplines,
that need to come together
to manage cybersecurity.
Can you describe the
kinds of the environment
that students are going
to find themselves
in from the legal perspective
if they choose this career
and move up and take on more
and more responsibility?
What's out there?
What do you see?
You've seen it from the beginning.
It's evolved quite a lot.
What I would say is
that it's going to be
people who can combine an
understanding of the technology issues
with an appreciation for
organizational issues, the need
to work within an organization and among
organizations, between organizations,
and with an understanding of
how the law actually works,
not just how it's written down,
but how you have to work with it.
If you can combine those,
you can help your clients.
You can help, you know,
whether you're in-house
as an IT professional,
CISO, as an attorney,
as a risk manager, if
you can combine those,
you can help your clients come up
with solutions that actually work.
I see problems where people
aren't able to do that.
And, for example, you might do
something like vest somebody
who is a very competent network
administrator with being
your chief information security
officer in a large organization.
Unless that person can get very quickly
up to speed on organizational politics
and how to both explain the technology
and security issues to the bean
counters-- you have to explain yourself
to your CFO or you don't get a budget--
and to possibly legal counsel,
who doesn't quite get it either,
you need to be able to say, well, you
know, there are penalties out here,
or there are major risks in this area.
Once you can start
articulating that, then you
can get support for your initiatives.
Likewise, if you're a lawyer and you
can't talk to the technology people
effectively, you can't
explain to them that, OK,
you've identified a vulnerability,
but the cost of solving it
would be very high and the actual
legal risk associated with it
isn't all that high.
So you're right on a technology level, a
good engineer would solve that problem,
and that would be ideal engineering.
But you're not in an ideal
engineering environment,
you're in an organizational environment.
And sometimes the organization
gets to accept risks.
So you have to speak multiple languages?
Absolutely.
[MUSIC PLAYING]
