In this episode of Modern Cyber, Jeremy sits down with Confidence Staveley, founder of MerkleFence and the CyberSafe Foundation, and a globally recognized cybersecurity expert. The conversation delves into the evolving landscape of API security, including its intersection with AI and the rise of APIs as a top attack vector for social engineering. Confidence shares insights from her groundbreaking work in cybersecurity education, including her creative approach using culinary metaphors in the YouTube series API Kitchen and her best-selling book API Security for White Hat Hackers. They also explore the psychology of social engineering attacks, the importance of customized cybersecurity awareness training, and the unique challenges and opportunities for cybersecurity in Africa. Tune in to hear Confidence’s compelling perspectives on cybersecurity trends, human-centric strategies, and her advocacy for diversity and inclusion in the tech industry.
About Confidence Staveley:
Confidence Staveley is a distinguished cybersecurity leader, founder of MerkleFence, and the driving force behind the CyberSafe Foundation. She is a best-selling author of API Security for White Hat Hackers and creator of the acclaimed YouTube series API Kitchen, which simplifies API security using culinary metaphors. Confidence has been recognized as one of the Top 40 Global Thought Leaders in Cybersecurity for 2024 and one of 150 Fascinating Females Fighting Cybercrime by Women Know Cyber. Through her initiatives, she has empowered thousands, including women in Africa via the Cyber Girls Fellowship, the continent’s largest cybersecurity training program for women. With a deep commitment to inclusion, education, and security innovation, Confidence is a trailblazer in the global fight against cyber threats.
Alright. Welcome back to another episode of Modern Cyber. I am super excited about today's episode because we get to talk to somebody who is actually more expert in the field than I am, who has been looking at this field longer than I have, and who has a wealth of knowledge, information, and experience in looking at a topic near and dear to my heart, API security. I am delighted to be joined today on Modern Cyber by Confidence Staveley. Confidence Staveley is a distinguished cybersecurity leader, best-selling author of API Security for White Hat Hackers.
We are definitely going to talk about the book. A talent developer and advocate for gender inclusion with multiple awards to her name, a real trailblazer in the field. Confidence excels at making complex cybersecurity concepts available and accessible to a wide audience. She has a YouTube series, API Kitchen, that uses culinary metaphors to demystify API security. A ton of industry certifications: CISSP.
There's more. We don't need to get into every one of them. Also an author. Also recognized as one of the top 40 global thought leaders in cybersecurity and safety in 2024. One of 150 Fascinating Females Fighting Cybercrime from Women Know Cyber.
We could go on and on. In addition to all of that, she has advisory roles on various boards and is the founder of MerkleFence, an application security talent and consulting company, and also founded the CyberSafe Foundation, which runs the Cyber Girls Fellowship, Africa's largest cybersecurity training program for women. We're going to get into a ton of all that today. We probably won't have time for absolutely everything. I don't know where you find the time to do it all and join us on the podcast, but I really thank you for making the time to join us today.
Thank you, Jeremy. That introduction is so warm. I really appreciate it. Awesome. Awesome.
And I really mean what I say when I say that it really is a pleasure to get to talk to somebody who has been looking at API security for longer than I have. I kind of started thinking about this problem in 2019 as a part of seeing companies transform as they migrated to the cloud and started to try to go more cloud native. I'd love to hear your journey. When did you start thinking about the problem, and what was it that prompted you to start looking at APIs as a critical attack surface? I mean, it's been a long journey.
I started my career really with a background in software engineering. Okay. And then somehow bumped into information security while taking an elective at university. That elective was cryptography. So, coming with that background and having that combination of software development and knowing how to code, and then adding cybersecurity on top of that, I knew that it was a match made in heaven that would definitely help to make applications that were being built on the African continent and across the world more secure.
Right? And so I took those skills and I got this. My first entry level role was just really assisting dev teams, the dev team I was interfacing with at this start up, to really ensure that security is part of what is considered, you know, when products are out. And really in retrospect now, I'm realizing how very early on that company was in terms of prioritizing security. I thought it was a norm until, you know, I left that job later and saw that a bunch of what I was doing was something I still needed to pitch to a lot of companies because they were not taking this thing seriously.
And it was in that moment that I definitely knew that we needed to do more in terms of ensuring that security is not something that we slap on at the end. Right. And that we actually both experience the power of APIs, but also ensure that the risks of using APIs are curtailed. And why I put it this way is because I typically describe APIs as the plumbing system of the Internet. It enables, you know, the different systems to talk to each other and make it all seamless, but it's not seamless on the back, you know.
It's just a bunch of systems connecting with each other because APIs exist. And because they're connectors, and sometimes they describe them as waiters at restaurants because they're connectors, they hold so much power to serve us, but also if we're not protecting them and we're not proactive in ensuring they're protected, then we're exposing our systems to a whole lot of risk. And I say that very likely because I've also projected in the International Security Journal for 2025 that API will become a top vector for even social engineering attacks. Because Oh, interesting. Yeah.
We see very clear signs around that. For example, recently, DocuSign was being investigated and it was done through an API. So these are strong indicators that until we are proactive and less reactive than we currently are around APIs. And, really, we have the frameworks and the guidance to ensure that we're not paying lip service to API security. We're putting ourselves at risk as we continue to innovate, and that's not what we want.
Yeah. No. I agree with you a 1000%. And I love that analogy by the way of the waiter. You know?
And it makes total sense. Right? The waiter comes to your table, takes your order, goes to the kitchen. Right? So there's your request, and then comes back with the payload, which is what you ordered, right?
That makes perfect, perfect sense. That point that you raise about APIs as a social engineering attack vector as well, this is really interesting. Like, just earlier this week or late last week, I can't remember exactly, there was a story, some research came out from the Accenture cybersecurity team where they found SIM swapping API access for sale on the dark web. And there is almost, you know, aside from phishing, I think that that's probably the top social engineering kind of attack vector. But SIM swapping has got to be, you know, top 3.
And so if there's even an API to kind of programmatically steal access to phone numbers and then the one time passwords and the multi factor authentication push notifications that come out of that. Look, I think you're probably spot on. That's really interesting. I hadn't thought about it rising to be, let's say, a top attack vector for next year. We're thinking a lot about API security and where it intersects with AI security and AI initiatives going forward.
I'd be curious. I imagine you have some thoughts on that area and that's probably a space you've looked at as well. What's some of your initial impressions about, like, where the worlds of API security and AI are all coming together? I would first say that we're forgetting that AI is software. Okay.
I think that's the first place. And because we're forgetting that AI is software, we're also not treating it with the same amount of caution that we need to put in place, the kind of structure we need to put in place to ensure that initiatives are on the right footing in terms of security. But the attackers are not forgetting that AI is software. And that's the most ridiculous part, because APIs then become a path to wreaking all sorts of havoc with AI initiatives, in whatever different ways that have been explored. Even more importantly is how threat actors are using open source AI models to also begin to evolve what we know today as, you know, the different attack vectors that we're familiar with.
Yeah. Talk to them with social engineering, for example, deep fakes and just deception attacks in general are gonna be changing because threat actors are going to increasingly be wrapping APIs around AI models and then using them to attack us. So I wanna first and foremost say that we need to wake up in terms of AI initiatives, ensuring that ML SecOps, AI SecOps are not just things that we are using as buzzwords and phrases in the boardrooms, in our teams, but also we are actually operationalizing best practices around AI security, and then we are ensuring that the APIs also have, that we are following best practices around them. Good thing is, the authorities like CISA have put out very, very comprehensive guidelines around this. They've collaborated with intelligence agencies across the world to put together guidelines around how AI initiatives should protect APIs, for example.
I really wanna charge everyone listening to this podcast. Again, have a look at them and see how you can put together a plan or put together some sort of structure to ensure that they are maximizing these guidelines and ensuring that they are adhering to them. Yeah. Yeah. And there is, in fact, the release from earlier this year, joint guidance on deploying AI systems securely, that I think you're referencing there.
We'll make sure we get that link included in the show notes today. A very, very good source of information for anybody to check out. I want to change gears for a second, and I want to come to some of your work kind of outside the API security space, and we'll come back to it. Because one of the places where I first learned about you and got to witness some of your work was that I recently watched your TED talk about personality and online safety. And I know it's kind of outside of the API security space and AI, and it's not, you know, let's say the cutting edge thing, but personal online safety is, I think, a challenge that we've all had to deal with for, I don't know, what, 15, 20 years of the Internet at this point.
And one of the things that you raised in your talk was the focus on understanding different personality types and the inherent traits that we all have. How did you start thinking about that as being an important way to relate to people in discussing online safety? So first of all, I would say that my first indicator to thinking about that was just looking at what the stats say around the types of attacks and how attacks even begin in the first place. A majority of the attacks we see that are successful actually begin with a social engineering attack success. You know, different types of social engineering attacks that become successful that then lead on to different other attacks.
So we see that as a leading vector. And, really, what is the thing between an attack that's social engineering and its success? It's just the human. Yeah. It's the human.
And then if we're looking at that as a core thing, if the human is the core determining factor of whether or not a social engineering attack will be successful or not, why aren't we studying this from the lens of psychology? Okay. And if you wanna put that in one hand also, I want to talk about the second side of things. Cybersecurity is a relatively evolving field that is really taking on, you know, learning from some other very advanced fields. One of the very advanced fields we're learning from is medicine.
Another one we're learning from is marketing. Right? And these fields have evolved. And marketing, for example, has evolved to then begin to see if you're marketing to humans, we need to understand how humans think. We need to be able to see how they think so we can sell them a product.
But then we aren't doing that for cyber. If we see that humans are the blockade or the entry point, you know, for social engineering attacks, then we must look at how humans think. And that's exactly where that Okay. Inspiration is coming from. Marketing has then evolved and is evolving even more to use psychology and personality traits to then begin to position product.
So we need to take it from there as well. And I then looked at studies around the world. I don't take credit for what you saw. Right? Yeah.
Yeah. I'm gonna share some of the sources for the studies that I looked at for my TED talk. But then I looked at the studies and I really agreed with them because there are five major personality types across the world that we've basically had identified, and they call them the big five. I've coined it into an acronym. You know, I don't know if this acronym exists, but it helps me easily remember it.
The acronym is OCEAN. Okay. So O for openness. People that are really open to new experiences typically would react to different kinds of social engineering attack types differently as well. Because the factors that drive them to action are slightly different from those, for example, that are conscientious, which is the second type of personality.
Right? The conscientious people are a bit different. They want to follow authority. They want to follow the rules that have been laid out. But then again, they are more likely to be driven to action by authority figures.
And in my talk I also talked about how authority really just plays a role as a persuasive means of getting people to take action even in social engineering attacks. We also have people that are extroverted, and very much so. And people that are extroverted generally want a community, they want to interact with people, they want some form of acceptance and they want to be in spaces with other people and seen in some way. Right? And that also opens them to certain kinds of attacks.
And then there's also agreeable people, people who just want to go where everyone else is going to. So once a social group forms, for example, around a scam, those people will basically jump right in because they want to be seen with other people doing those things. Right? Then there's also neuroticism, people who really are very rule based. So you see all of these kinds of people will react to these things differently.
These kinds of persuasion techniques differently. You would react to authority differently, for example, react to social proof differently. And I believe very strongly that we need to ensure that cyber security awareness isn't just an activity that we have as one size fits all, but ensuring that we are then leveraging personality types to then address shortfalls or even certain strengths of certain personality types. And ensuring that we're delivering what people need to shore up their reaction, especially under pressure.
Yeah. I mean, that makes a ton of sense. And it's really interesting because I think what we all experience in our day to day and you know the same is true for us. We did our SOC 2 certification as part of that. We had to do some cybersecurity training programs for everybody within the team, etcetera.
There was one size fits all. It's exactly one line of cyber training. You know, whatever the attack vectors they had in there, which were mostly like anti phishing, recognizing malicious links in an email, that kind of thing. You know, they were very plain, let me say. And I don't think there was anything in that that I connected with psychologically or emotionally at all, which I think is pretty clear.
Like, I think all the studies show that if you have an emotional connection or you have some kind of response to what you're learning, it stays in your head better. Right? As I said, Jeremy, I wanna add that that emotional bit is something that is also missing. Yeah. Most of the cyber attacks we've seen really spark on an emotion or more emotions.
More than one emotion, it's either fear, excitement, desire. You know? Yeah. Even when it comes to just casual scams like the lost car. It's desire that's been triggered.
Yeah. Absolutely. Like getting scammed on LinkedIn, you know, getting people to download malware during, say, interview sessions is also desire. That's an emotion that is packed. Fear of missing out is an emotion that is packed as well.
So if we also educate along the lines of emotions and also pack some of those emotions during the trainings to keep retention really high, we will be successful. So you would go back and redesign these programs. Right? And then maybe, like, so how would you then put people through some kind of personality assessment to kind of funnel them into or nudge them into different training programs based on what you think is gonna stick with them the best? Absolutely.
I will. And we do this even during recruitment, during onboarding sessions when we join companies. Some companies really just take people through some sort of personality test to see alignment with company values, alignment with the culture of that organization. Why aren't we doing it with cybersecurity awareness? Why aren't we trying to understand the person more to ensure that we're tailoring what the experience is gonna be on that training?
And good thing is AI is here, and I believe that AI brings new promises in terms of that sort of custom experience in cybersecurity awareness better than we currently have it, because I believe that we need to be more effective with it. I have a series of videos coming out very soon, and one of the videos that I have is basically telling people that "don't click on suspicious links" is dated right now. Right? It's not active anymore. We need to move past it.
Yeah. Yeah. And I mean, do you think that there needs to be, and I've heard people kind of give this analogy that, like, if you think about the Internet as something like what it used to be called often, the information superhighway. Well, if you use that kind of highway analogy, there's this thing, you know, well, like, I would never let anybody out on the highway without having gone through proper training. Right?
You have to get a driver's license. You have to learn how to drive a car. And by the way, you need to take out insurance to drive this car and to operate the vehicle. And I've heard people raise the concept of, like, maybe we've reached a point where either the level of risk or the level of scammer activity is so high that it's actually irresponsible to let people on the Internet without them having some kind of minimal level of understanding and education. How would you react to that?
I would actually say yes. Yeah. Going with that analogy of the superhighway, would you ever buy a car for your loved one, for your child, and have them drive that car without knowing where the brakes are? You will not. Right?
You would Absolutely. How to use the brakes and some other, you know, many other safety measures in that car. You will ensure that they have the seat belt put on, and they're going to do some sort of training before they get on the road. So, I would say that that's the same thing that we need to be able to do. We need to have cyber literacy as important as every form of literacy that we have as foundational right now.
Like Yeah. Like, we teach children how to do math because we know that math is wrapped around a lot of things. We teach children English language because we know that that is wrapped around a lot of things. We teach children creative thinking because we know that all the days of their lives they will need to be solving problems and they will need to be creative around solving them. Why aren't we doing that for cyber when we know that everything from K to 12 and further down in their lives is all wrapped around technology?
We're putting our filter, we're putting our use, we're putting everyone else on the highway without showing them where the brakes are. No. And I mean, if we extend this analogy even a little bit further, we may be stretching it, granted, but, you know, not all highways are created the same. Right? There are parts of the Internet that are pretty well and, you know, well understood and okay.
But then there are, let's say, some social media sites in particular that are very toxic, and there are other sites that, you know, are full of malware and viruses and things like that. So, and yet we allow connection to pretty much anywhere. Whereas, again, in the real world, that wouldn't really be the case. Right? You know, we have designated off limits facilities, whether they be prisons or military bases or sensitive government sites or what have you.
Right? So, yeah, I think I agree with you. I don't know the practicalities of it. I don't know if it's actually possible to get it done anymore in this day and age, but I totally get what you're saying. Going along the lines of analogies, I love the concept of the API security videos that you do using the kitchen analogies.
Admittedly, I've not had a chance to watch any of yours myself. But talk to us a little bit about, you know, kind of what inspired you to do that. What have been some of the lessons you've learned? Because one thing that I found, for instance, running this podcast, I've actually learned more by doing the podcast than I think any of my audience has. And I think you learn the most when you're, like, putting together content to teach other people around this and just, you know, the range of exposure that you get.
So I'd love to hear what your experience has been like. What's been the inspiration? What have been some of your favorite lessons? An interesting fun fact about API Kitchen is the name and the style of delivery is actually a protest. Okay.
A lot of people don't know this. I was protesting something that I learned. I mean, a leader, in, I'm not gonna say where, a leader had said that women belong in the kitchen. And I didn't wanna say women don't belong in the kitchen. I belong in the kitchen.
Yes. But I belong everywhere else I wanna belong. And this is exactly what my thinking was. I'm not going to shy away from the fact that I love making meals for my family, but I'm more than making meals for my family. I'm a board member.
I'm an author. I'm a cybersecurity professional. I'm a leader. I I have this many other interests. Right?
So I belong in all of those places. So API Kitchen was one way of saying that and empowering other women to own that identity for themselves. There is no changing myself into a man because I want to be in cyber or seen in any other way. It was just really embracing that and embracing the power of being a woman. That is on one side.
The second side of things, when I thought about it thoroughly before starting out, was why would I think this would be effective besides, you know, sharing and showing women the power and showing everyone else what's possible for women. But it was also along the lines of the fact that although we don't all make the meals we eat, we all eat food. In fact, you won't be here, Jeremy, if you didn't eat two days ago possibly. You know?
Yeah. Yeah. For sure. Yeah. Right?
Right now. Yeah. Of course. But we all eat food. And so that's one language we all understand, food.
Everyone of us can relate to anything around food. And so for me, it was just using that abundance of relatability and really sticking to my personal brand, which is just really breaking things down and simplifying things. So it was right up my alley to then use food as a means to teach about API security. And Okay. Analogies have been ever flowing.
Okay. That connection with food and people just get it. And I'm very excited about the response. It's been I mean, I've been garnering from, the audience and everything. But I've also learned, you know, by talking to so many professionals that, the things that make the biggest difference are the barest minimum.
We got, like, very simple things around API security that make the world of difference, but we're not doing them, we're not operationalizing them. One of them is testing. Right? We somehow find the time to test every API for functionality, right, before we send them out, before we release the API to production.
But then we don't have the time to test for security issues. I mean, we only test APIs maybe once or twice a year, possibly because of compliance requirements. Yeah. It's something as simple as that. It's sometimes because once you're able to test them more frequently, you can see where authentication gaps are.
You can see where authorization issues are. You can see where you have input validation issues. You can see a lot of those issues. But because we're not testing enough, we're not even seeing them until the bad guys help us find the loopholes, exploit them, like we were speaking about the APIs that are now helping with SIM swapping, and then we find out that we fasted around and found out, you know, I would Yeah. Having to pay so much for that.
And we see that very clearly in big industries like the telecommunications industry that is just heavily under attack, and the role that APIs are playing. And you look at the report, for example, from the last biggest, the biggest fine that was given for a telecommunications company that failed protecting APIs. Very simple, mundane issues. So I think that sometimes when we talk about security, we are typically looking at the high hanging issues. Right? We're forgetting that the attackers aren't even reaching for the apple on the tree.
Right. They pick up the apple from the ground because we are not doing Yeah. The barest minimum. So we're not fruits on the tree. We are fruits on the ground.
And I think that whole discovery was quite eye opening. I think it was what I knew, but hearing from other professionals was quite helpful because it's then showing us that to change security posture or to improve it, we just need to start with the basics. Get the basics done right. Get the nonnegotiables done right. We'll be better off.
Yeah. You know, this is a message that we share with customers as well when we're talking to them about it. And, you know, I think we were chatting a little bit before we started recording. For the most part, when we talk to customers about API security, they're usually looking at the problem for the very first time. And it's, you know, they kind of somehow recognize that there may be an issue around API security, and they want to start thinking about improving the security for their own organization.
And they ask, you know, well, what should we do? And I said, well, look. First, start with visibility. I mean, just basic question. Do you know all the APIs you have?
Once you have that, then the second question, which ones are good? Which ones are bad? Or you might ask the question, which ones are important and which ones are less important? Which ones are external facing, which ones are internal facing? Figure out, you know, what is the right way to think about the security problem for your organization.
But you have to just start with these basic understandings of, like, what do you have, what does it look like. And it leads me to something else that I've kind of wondered, you know, and another thing we were talking about a little bit before we jumped on. And I mentioned that, you know, there's not a ton of API security regulatory compliance requirements around the world. And I know you had some insight and some thoughts about, like, what is the connection that you see between, well, I guess between security and compliance in general, and then API security and compliance maybe a little bit more specifically. I've always seen compliance as not the, it's not the holy grail.
You know? Okay. I see compliance as a springboard. So it's typically the jump starter. Now I think that's the thing I would love the most.
It's a jump starter for things, security programs specifically. A lot of organizations would very well continue to innovate without security. It's a nice to have for a lot of organizations. The time when it's no longer a nice to have and is a must have is when two things are core. Now the first thing is when there's a breach.
Everyone comes back and resets and throws a lot of money at the problem. The second time when something jolts the showmakers or leaders to action around security and prioritizing it is typically compliance. So there's a regulation, maybe the regulatory body for the industry they're playing in, you know, then says this is what you must do for you to continue to do business. We see that with PCI DSS, for example, and how that's driving a lot of security initiatives in the payment card industry.
We see that in the telecommunications space as well with how that has really grown in terms of what is being done. So I believe that regulation and compliance as a whole in general is just that jump starter. And from there on, organizations begin to see why they have to mature the programs and then continue to grow from there on. And this also is something that accounts for why companies or businesses that play outside of the spaces that are heavily regulated also fall behind heavily in terms of security practices.
It's a very straight line you can draw between the two things. And I really hope that we can see specifically more. You're gonna say something? Yeah. I was just gonna say, along the lines of drawing the straight line, do you mean that, like, let's say, you take these heavily regulated companies and you can draw a straight line between, let's say, the regulatory requirements and what they actually do?
And because they'll only do the things that are kind of within the regulatory scope. Absolutely. They would Yeah. Do that. And that's also why false compliance as well, because it's the barest form.
It's not the holy grail. It's the barest No. Definitely not. Yes. So, and that's what we see.
But we see that that begins to drive things, that jump starts things, which is generally good. Something is better than nothing in place. For sure. Mhmm. Yeah.
But along those lines, I mean, you know, you mentioned, of course, somebody gets breached, that obviously kick starts a lot of efforts around that. I think one of the things I've observed over my career in cyber is, you hope that it's your competitor who gets breached and that is what drives you to start looking at it. I honestly see more purchases made by companies whose competitors get breached than the company themselves. And I've never really understood exactly what's going on there. But you could take, you know, two hotel chains.
One got breached. The other one didn't. You have an opportunity, if you're a vendor who sells a solution to how hotel chain A got breached, you can go sell that to hotel chain B. Yes. Somewhat effectively.
But I've never really understood, what is hotel chain A actually doing? You know, why are they not now kind of, like, you know, trying to do something to fix the problem for themselves? Mhmm. Never understood that one. Yeah.
Along those lines, I think one of the things that, I'd be curious what your experience has been, we talked recently to somebody around the consent decree between a major wireless carrier here in the US and the Federal Communications Commission. And they had some API driven breaches that led to this consent decree. That's a reference I was making earlier on. I thought it might be, but I wasn't 100% sure. But the point that was raised with one of our, somebody on our advisory board was, like, okay.
Well, once you start to see it, that's basically what starts the ball rolling, and then it's just a question of time. It's gonna be, like, one industry after the other, one regulated space after the other, one initial set of regulatory requirements that will evolve into more and more complex requirements over time. How have you experienced that with the companies that you've worked either at or, you know, let's say customers of yours, in helping them to navigate that process? I think that it's very true. It has a knock-on effect.
Yeah. Because a lot of the big companies are served by smaller ones. So, if there's a regulation, for example, that touches on third party, management and ensuring that that is done properly, it means that you then automatically require the companies that serve you to then rise to, to a level to be able to provide services to you. And and there's nothing that makes leaders respond more more than anything that touches the bottom line. So once you touch the bottom line, you're talking to me directly as a leader and and that's what we've seen in the space.
So that knock on effect really just, creates, yeah, creates a a pack of cards, you know, a positive pack of cards, across the space. We also see that, or rather I have also seen that, regulation from an industry perspective really works. Yeah.
So we see that strongly in the financial services space. Aside the fact that I have a lot to lose, we've also seen that across the world, the regulators have been very proactive in some way. We're speaking earlier on, just before we started recording around how Nigeria is is doing quickly at this. And it's because the regulators, they are fish strong around, best practices. You know, they come in and they actually check.
Yeah. Get some some licenses and they're really the the experts that advise them are also very forward thinking, in terms of what the the threat landscape is going to be and how that's evolving. So we see that that also transcends to, you know, as innovation grows, then security is also growing with it at some pace that I I believe, is is really forward for for what we think about Africa and and has and how it has to do with security. Well, that brings me to a question I've been wanting to ask and, you know, with the few minutes that we've got left in today's conversation, you work with customers here, you work here in the US, you work with customers in Africa. What are the major differences that you see, if any, or are there no differences and that's just, you know, something that people kind of think might be a difference between US and Africa, US, Latin America, US, and, you know, really the other part of the world.
I think, the major difference that I see is, there are a lot more structure. There's a lot more structure around how regulation is done. There are a lot more, there are a lot more big pockets of regulation, in in the US than in the African continent. So let me give you an example of what that is like. The regulation that is actually enforced because that's what I'm I'm actually speaking about because there's a lot of regulation.
Sometimes it's not enforced. It's just something that Yeah. Yeah. On our shelves and collectors, then we have picture, you know, picture sessions to talk about Yep. Yep.
Done. But really, the dogs don't have teeth. You know, we're not talking about those set of regulations. We're talking about regulations that actually get enforced. And we see these very strongly in, regulators of industries actually bringing those compliance requirements in.
So I think that that is the difference I see. The pockets of those, regulations are wider in the US. Okay. More far reaching than they are on the African continent. And then the African continent also has so many countries in it.
So we have over 50 countries in the African continent. Yeah. They all have different levels of maturity. And then the industries also are at different levels of maturity. I think that very varied and wide range of where cybersecurity programs are in the enterprise is what I find as one of the biggest differences. But as it has to do with attacks, I don't think that I see a huge difference.
Before now in Africa, it used to, you know, have a chill pill to take. You know, there was not much emphasis or much, attention from threat actors on the African continent. But that has changed. We see how much innovation is taking up on the African continent and sadly that has also brought in the threat actors. So Africa, Asia are now also taking the hot seat like many other parts of the world.
Then I would say that the place of regulation, how it's done across the industries and how that touches on different businesses has a different impact and that's the major difference I see. Yeah, how cybersecurity issues, you know, really are managed. I'll give you an example. In the UK, small businesses are required to have some sort of cybersecurity program in place and there are simple steps they have to take and they get some sort of recognition for doing that. We see that that particular thing, although not a regulation, has driven best practices with a lot of small and medium scale businesses.
That And again, just the basics. Right? Like, just the, you know, get the apples off the ground kind of motion. Right? Just a standard of stuff.
So really that I would say that coordinated way with large scale impact around cyber regulation or best practices that's, you know, that that way is what I would say is the biggest difference that I have seen. Yeah. Yeah. And and across all the 50 some countries, there's not really, let's say, regional blocks that have consolidated a set of standards across countries or across industries. Absolutely.
And that's a challenge. Is lacking. So when you're driving programs, you're driving, cybersecurity, best practices, then you have to do it on a per country basis. They're they're not closely neat blocks of Yep. Regional work or bodies that drive into are are influential enough to drive the kind of change that we need on the African continent.
And it's it's quite a big continent as well. Yeah. Yeah. With few with more players than I I'd see in the west. Yeah.
Yeah. I mean, it's a 1,000,000,000 plus people and I think it's correct me if I'm wrong, but I think it's the fastest growing both in terms of, let's say, net economic growth across the continent and in terms of population growth across the continent. Yeah. It's also the youngest continent in the world. So Yeah.
Think about workforce, grow. Think about just about a lot of things. It's it's just growing really fast. Yeah. Really interesting to hear your perspective on that.
Thanks for sharing on that. And one other question, I know you do a lot of work around diversity, equity, and inclusion efforts in cybersecurity. I you know, what do you think we're still getting wrong with regards to this as, let's say, like, you know, we're we're a cybersecurity software company, so we're kind of more on the vendor side. But I imagine that there are steps that need to be taken not only across vendors but let's say like consulting firm system integrators and then you know even just teams inside organizations on the cybersecurity side. What are we maybe misunderstanding or what are we how should we be thinking about doing a better job relative to DEI?
I'll say there are 2 major things. One is hiring process. Okay. We're we're not looking outside of certain pools. And and sometimes regulation also doesn't help as well.
Right? In some in some places, it doesn't really help as much. So we are casting our nets in very small pools, and then we'll catch the same kind of fish. As against we cut if we we had our nets spread out very widely. And DI is one of those things that doesn't happen by chance.
As a matter of fact, even the way we we naturally work as people, we gravitate towards people that look like us. Yeah. Similar experiences as us. Yeah. People can we we can relate to easily.
You get what I mean? So we typically would gravitate towards people that look like us. So DI would not happen by chance. DI typically isn't succeeding because it will happen out of deliberate intentional steps put in place. Because the companies who do them strongly know why they're doing them and the benefits they have that are strongly justifiable by the business.
And that's something that I think we're lacking. The second key thing I think we're lacking is we have when we do hiring, when we didn't do hiring well, we have this thing that we forget what happens after a talent is hired. Right? There has to be a culture, there has to be an environment even, that then allows that talent to thrive and give us even the best of themselves that enables us continue to justify why we have these initiatives in place. And Yeah.
In the US, we clearly see how that is being pushed back and we're going to see things deteriorate from here on, as it has to do with DI. But putting that aside, I believe that we are leaking the talents that are diverse, people of color, women. We're leaking them at different stages because we don't have policies in place. And I'll give you one as a woman myself. When women have children in the United States of America, we just have 6 weeks to nurse our children, right?
We're back to work. And I don't know any large brains for she that only has 6 weeks to nurse her children. I don't know anyone. We are the only ones who have that. And so when we think about that and how difficult it is for women as talented as they could be, then leak out of the talent pipeline because they're even punished for having children.
Men get promoted, but get make more money, you know, to staying in the workforce. Women get punished for having children. You know, there's not enough policy, there's not enough care and support for how to raise children. But you see, there's something that we're missing because once women are supported in that way, women are very loyal, they are going to bring their A game in. You know, so I mean those are the things that we need to look out for if we're actually maximizing our DEI initiatives by showing that not just are we pulling these talents, diverse talents into the pipeline, we will maximize their presence.
We're supporting them, and it's showing that the culture promotes and supports them through out their time in our companies. Yeah. I think that's a great point to think about. I mean, this maternity question, I think, is one that I've I've been wondering for a little while why, for instance, more women aren't accepting remote positions. American women aren't accepting remote positions working for European companies that would give them much better maternity benefits.
If I if I were a woman considering starting a family or or let's say in the process of thinking about starting a family and I had 2 job or job offers in front of me and one is 6 weeks of maternity and the other one is I don't know, 3 months, 9 months, whatever it might be in the case of that company. I'm definitely gonna take the one with better maternity benefits. Right? Absolutely. And to your point, I'm gonna feel more valued and more, you know, let's say, like, accepted for who I am and in my natural of growing as a human being.
The other thing that I think I just want to kind of build on something that you said there about, let's say, giving people the opportunity to give the best of themselves within the within the organization. When I was getting my MBA, there was a study about teams and team diversity. And, you know, I think this has been replicated a number of times. But when you take a an unclear problem, meaning a problem to which there is not like a clear and obvious answer of what is the best course of action. Mhmm.
And you give that to teams of varying levels of diversity. What you see is that, I think, you know, on on average, the teams that are less diverse are more often wrong and they are more often very confident in their answer. Whereas the teams that are more diverse usually have maybe less certainty in their approach, but they have a much more considered reasoning process and they arrive at a more correct outcome more often than the less diverse teams. And I would leave that as for anybody who's thinking about how you could think about this. Make sure the people on your teams feel empowered to talk and that they have opportunities to present, to share their own talents, research abilities, skills, etcetera.
And I think that's a great thing to think about. Well, Confidence, we're coming up just to the last, last little bit of our episode today. We've got a bunch of links we're gonna share in the show notes. We've got the API Kitchen. We've got your TED Talk.
We've got some of the CISA stuff that we talked about earlier. But for anybody looking to learn more about your work, where's the best place for them to look? LinkedIn. I LinkedIn. Okay.
Share almost every day, something that's valuable on the platform. So, you can find me on LinkedIn. Just type my name, Confidence Staveley, and you'll find me. I also have a website, confidencestaveley.com, that I'll be sharing with the show notes, and then you can check that out as well. But I'm typically very, very active on LinkedIn, and I would really like to connect with you.
Awesome. Awesome. Well, Confidence Staveley, thank you so much for taking the time to join us today on this episode of Modern Cyber. For everybody listening, you know what to do. Rate, review, subscribe, share with your friends and colleagues, and we will talk to you next time.
Bye bye.