
Inside Fintech Security: Erika Dean on Tackling AI Threats and Third-Party Risks - Part II

Podcast

About This Episode

In this week’s episode, hosts Rachael Lyon and Jonathan Knepher continue their fascinating conversation with Erika Dean, Chief Security Officer at Robinhood. Erika brings over 20 years of experience in cybersecurity, including an impressive tenure at Capital One, where she held multiple cyber leadership roles.

In this second part of their discussion, Erika dives deep into the challenges of timely and transparent incident disclosure, the balancing act of regulatory compliance, and the importance of ongoing education for both companies and regulators as technology rapidly evolves. She also shares insights on the emerging regulatory landscape for AI and crypto, her unique journey into cybersecurity, and what keeps the field exciting—and sometimes stressful.

Rachael Lyon:
Hello everyone. Welcome to this week's episode of To The Point Podcast. I'm Rachael Lyon here with my co-host, John Knepher. We're excited to welcome back for our Part 2 discussion with Erika Dean. She is the Chief Security Officer at Robinhood where she oversees the security, privacy and corporate engineering organizations.


[00:42] Discussing Disclosure Challenges

Rachael Lyon:
She has over 20 years of experience in the security industry, including more than 20 years at Capital One Financial where she held myriad cyber leadership roles, including Chief Information Security Officer for U.S. Card, International and Small Business. Now, without further ado, let's get To The Point. It seems that delicate balance, this has been an area that's always kind of fascinated me because disclosure can be difficult because you need to dig into it, you need to figure out what's going on, wrap your arms around it, and then, you know, you're being asked, what is it, two, three days to turn around and hey, you know, this didn't happen.

I don't have all the answers. I mean, it's stressful in a lot and everyone understands the need to inform, but if you don't have all the information, it seems like it could actually make things a little more confusing and more concerning. And I don't know what the answer is there, Erika, but I know there's been a lot of discussion on that front. What is the right kind of window for us to be able to give information so we fully comprehend what's going on and we can have a mitigation strategy as well?

Erika Dean:
I do think that being transparent about where you are in the investigation is really important. Right? It is. From a regulatory standpoint, what they want to know is that you have a handle on your process, that you are progressing along in an investigation, but more importantly, that you've contained your issue. And I think that that is like, probably by far. You're right, it is very stressful. Because in the moment, in the moment when you're in the middle of an incident and someone's potentially in your system and you don't even know quite yet. Right. Because remember, the disclosure is from a material standpoint.

Erika Dean:
Could it be material to the company not to say that you confirmed it is now actually exploited and it's all done and that they've taken, I don't know, the $43 billion in crypto, but it is, does it look like that's where it's trending? That is when you actually have to start thinking about disclosure. And in addition to going through that process, you have to be going through the actual investigative process and making sure that you actually have it contained. 

Make sure they can't get to another place in your network or into your environment, or take additional funds from another wallet. And so making sure that you are measured, that you're documenting everything. It's a lot. You're absolutely right. But it's also really critical because you, if you're not able to share that you actually have a problem, then you're probably not doing your job as effectively as you need to. And it should be relatively quick.

Erika Dean:
If you're not able to contain within the first 24 hours and you know that they're in the system, that's even worse. I mean, do you, you don't understand how they got in, you don't understand where they're going. Sometimes it can be tricky depending on how long they were in your system. I mean, some companies don't detect it for months or a year. I think that that's one of the scariest things when you're reading this as a CISO, that another company didn't detect that someone was in their system for almost a year and they were able to do a lot more. It is a lot harder to figure out, like, are they still in the system? Did I actually contain the environment like I think I did?

And so you're right. Sometimes you end up having to go back, course correct something that you said because maybe you thought they only took this one file, but in the end they end up taking 100 different files. And so it is, it is a little nerve wracking to have to figure out where are you in the investigation and did you give accurate and complete information.

Erika Dean:
But if you don't go back and course correct it, that's even worse. You do need to make sure that you're updating it. But having timely. We expect this is where we are in the investigation. We are still investigating. I remember like when I first started in this industry, one of my first handling of like providing information to a regulator, it was telling them like, look, this is where we are in the investigation. We don't have all the information, but this is where we, we feel we are today. This is the information that we feel was leaked outside the company.

Erika Dean:
And this is what we've done so far. So it is preparing them. If you aren't sure where you are, like, if you're not sure that you've completely contained it, you need to be honest about that. And bringing in a third party is also helpful. So if you. There's a lot of really good industry incident response third parties, the reason why you want that check is because, not that you don't think your team is great and amazing, but it does not hurt in an investigation to have a second pair of eyes to validate that what you discovered and what you've done is the right thing and that you have actually completely found all of the areas by which a threat actor might have touched or might have taken something. And so it is good to have that second pair by. 

So I always do recommend in addition to your team, not that your team might not be good because your team could be excellent, but having another third party like come in and do that validation step, it also makes regulators feel really good about it because it does mean that it's not just a reliance on one team, it's not a second team.

Erika Dean:
If you think about it from a vulnerability management perspective, you can have one pen tester test something and another pen tester test the exact same thing and they half the time will find two different things. They'll find some things that are the same, but a lot of times they'll find other things and it's because a second pair of eyes is always good to have.


[06:32] Adapting Regulations to Meet Modern Threats

Jonathan Knepher:
Yeah, I completely agree with you on the, on the third party aspect and I think you're hitting on a really important point here. I think, you know, third, from folks we've talked to before and just like the regulations at large, right. It feels like there's this assumption that once you've detected, you've been able to lock the infiltrators out. And I think too, thinking about your space, like fintech, it's not like you can just unplug and shut your whole service down because that would be incredibly disruptive. So like what, you know, thinking about that, is there more, are there more changes that need to happen on the regulatory space to kind of deal with this level of complexity on these kinds of modern threats?

Rachael Lyon:
And I want to piggyback on that. Sorry, Erika too, because I think, you know, I worked a little bit, you know, with government teams and you know, kind of like voice to text when that was becoming a theme. And largely a lot of the particularly government folks need education on top of that. Right. So I'm wondering about that compounded question with Jonathan. You know, how do you shape more regulations but also the education required to get these regulators to truly understand what we need them to understand?

Erika Dean:
Yeah, I would say that being in this business for so long and interacting with regulators, I probably have been interacting with regulators for the past like 15 years. So a really, really long time. And I will say that there are definitely two components. One is shaping regulation, but there is that component of education. So a good example would be when, when I was at Capital One first going to cloud. Cloud was a relatively new concept in the sense of like a true infrastructure as a service. And we were the only bank looking at it. Matter of fact, every other bank was pretty much scared to move into AWS.

Erika Dean:
And when we first proposed it to OCC and FRB, they were like, what? What are you thinking? And it was because they didn't understand the cloud environment 'cause it was too new. And so we did have to go through months of like training and helping them understand like how can you secure this environment? Because they were so nervous about letting a financial go into something that had never been done before. And so a lot of times with new technology you see that even today with regulation around crypto, they're trying to figure out like, how do we regulate this thing? That's new, that's different than a brokerage, right, where you're trading stock.

And so it is about education helping them to understand, like, how is this new technology going to impact a customer base, especially in the financial realm. I find that financial regulations are a lot more strict than a lot of other regulations that we see. And it is because it is people's livelihood. It is the way that people are able to like pay for their groceries because there's not a lot, at least in our country where we're utilizing cash in a lot of places. And it got even more so after COVID, that is more digital currency.

Erika Dean:
So how to be able to protect that is of the most importance. So of course the regulations are going to be stringent and sometimes it might go a little bit overboard. But I think that it is about the, how do you make sure that you help them understand like, well, this is how you actually secure it in a cloud environment. It's not a bad thing because it's new, it's just different. So it is. Luckily I have found most regulators have been so, so agreeable to learn about the environment, about how you actually are leveraging a new technology. I've never found where they're like, no, you know what, we're not going to listen to you because we know best. It's usually they'll even bring in, I found that they're starting to hire more technical resources to be on, also engaged.

Erika Dean:
And so the partners that we have, like FINRA, there's a technical team and a policy team. And that's been really nice to be able to see. Even from a regulatory exam perspective, that's starting to evolve. I do think that that's really important because when you have an auditor that understands the technology in addition to a policy, now you have a good marriage of okay, now you're able to have a real conversation about this is how we secured it, this is what you don't have to worry about, or maybe here's a gap and here's why we reduced it with these other controls.

Both from a policy making perspective, before policies go into play, having conversations around that platform, that new technology, a new way of doing financial business is always really critical. So you spend a lot of time as an executive in a business like ours having conversations with regulatory bodies to educate them and help them understand before regulation is actually passed. It goes the same way for privacy. Privacy is the same way.

Erika Dean:
It's really hard to do privacy. The regulations are all over the place. If you look at U.S. versus European law or Asian law, it's very diverse and it's nuanced even between like UK and Europe, the EU, same thing, like same GDPR. But what they look at is slightly different and they hold a slightly higher bar in some places than another. And so when you're an international company, you have to understand all of those things and being able to talk to the regulators to help influence like this, this policy is really great. But here's the challenge you're going to have in meeting it because the technology isn't in the same place to be able to meet the regulation. That is, like I said, part education but part helping to drive how the changes work from a regulatory standpoint and policy standpoint.

Rachael Lyon:
Do you see a place where regulations are falling short and or what is the next big frontier that you see shaping regulations? I mean, is AI a piece of this at all? I know a lot of folks are grappling with what this looks like ahead and how do you control it?

Erika Dean:
Yeah, I will say that we'll definitely see more policies around AI. I think that the technology is so new that trying to wrap your head around what does it mean and how will it be exploited. Right. So how do you make regulations to help protect against that but still enable the progression of the technology itself. It's a balance. There isn't a ton of regulation today, there's a little bit that's starting to form from a European standpoint. You're starting to see it bleed a little bit. A lot of it's around privacy.

Erika Dean:
But I do think that that is going to be the next wave of, like, policies going up and down around how do you actually get your hands around it? How do you make sure that it's not being utilized in processes that will form bias in hiring or whatever the case might be, or in decision making? When you're trying to, like, onboard a customer, you don't want things to be biased. And AI can be biased, right? It's, it's pulling data from a lot of places. It doesn't mean it's clean data. And so you have to make sure that the AI that you're leveraging isn't going to introduce a new problem from an ethical standpoint or from a technology standpoint, or even from an attacker standpoint. And so I think that, yes, the regulation isn't there yet. You don't see a lot of it at all.

But I imagine over the next few years you're going to start to see that change and there'll be more and more discussions around, like, how do you regulate something like this? Similar to cloud, the cloud environment, there wasn't standards and requirements at first because they were still learning and figuring, like, how do you put requirements around it? But now it's embedded in almost every regulation. Like, you need to make sure you secure your cloud environment.

Erika Dean:
Here's what we expect. You look at New York's rules, right? It's pretty clear that they went through a lot of work to make sure that the regulations were going to help ensure the protection of the companies that are like, leveraging it so that something's not exploited. So I do think AI is going to play a major role. I think that as the financial industry continues to leverage technology and go into directions like the cryptocurrency is a good example, we still haven't actually made a lot of regulations around cryptocurrency. And so I do think that as we continue to see technology advance, more regulation will come about. But it's, it takes time. Regulation takes a long time to develop, and we see that today. Right? And sometimes you have to go back and course correct it.

Erika Dean:
So it takes a lot of time. I mean, look at, we've had brokerage around a very long time. The stock market has been around a very, very long time. And we continue to see that evolve and modify year over year around even what that looks like, and how do they monitor and govern the stock market? And so it's the same thing. No matter I. No matter where we go, there will always be new regulations. There always have to be tweaks because times change, you discover more.

Rachael Lyon:
You know where I'm going to segue, John, do you have any other questions? Okay.

Erika Dean:
Because this is.


[16:31] Erika Dean’s Path to Cyber

Rachael Lyon:
This is my favorite part. What I love about the cybersecurity industry is everyone has a unique path on how they got there, you know, and we've had people with like a PhD in medieval studies who is a. At an international bank. So I'm always curious on what was your path to cyber. How did you get here?

Erika Dean:
Well, it's funny, I would say I fell into cybersecurity. So I started my career in cybersecurity at Capital One. But technically, my first job at Capital One was a customer service agent. Right after high school, I went to Capital One and I was a CX agent for more or less two years. And then I decided that answering calls, getting marriage. I got marriage proposals on the calls a lot. And I always thought that was weird. I'm like, you never even met me.

Erika Dean:
Why are you proposing to me? I got offered a cruise, a whole bunch of other things. And I decided that I wanted a change. I didn't want to work on the, on the phone anymore. And so I applied for this job in data warehousing because it said no experience necessary. I'm like, that's awesome, because I didn't go to college for it. I had no technology background. I applied for the job, they rejected me. And they said, you have no experience.

Erika Dean:
You've literally never touched technology. We can't hire you. And I was like, well, I said no experience, and I promise I can learn. But interestingly enough, at Capital One at that time, they had this process by which they pass resumes around and information security got ahold of my resume, and they say, we want you to come and help our identity access management team. And I was like, oh, okay. Yes. We see that you increase productivity and morale no matter what role you have at what company can you come and do that for our IAM team? And I'm like, so is there a manager? And they're like, no, as a peer, we see you do that all the time. I'm like, okay, why not? So that was my first job, was an IAM role.

Erika Dean:
It was six people granting access on paper forms that are coming in the fax machine. So it was like filing cabinets of paper. And it was a very manual process. And so I started to change that process, helped to automate it. And at the same time, these other teams were like, hey, can you help us with this process? And so I started doing forensics. I also started to learn Unix and Linux to help secure Unix and Linux platforms. And so soon enough I was just being passed around to help a whole bunch of different teams. And it is fun to actually play around in almost every area of cybersecurity before you get a role like this because it allows you to have such a deep understanding of almost every role on your team.

Erika Dean:
And so to me, that's like the best. But that's how I got my start in cybersecurity. And then from there it just kind of took off. I was just like, oh, I'm in love. And I soaked up all the information I could. Learning how to pen test build websites, learning how to code, to be able to detect controls within the environment. All of that was something that I got to learn on the job and as I was growing up in cybersecurity. So that was a ton of fun.

Rachael Lyon:
That's what I love about cyber too. Just every day you're learning something new, really, and that just doesn't happen in every industry.

Erika Dean:
And it never stops. It never stops. There's always new attack vectors, there's always new technologies, always new ways to evolve a threat. And to me, you get to not only understand technology and play with it, but you get to be creative about, like, how would I make sure that I protect against this person trying to attack? So you get to think like an attacker and then also be a protector all at the same time. It is probably one of the most rewarding jobs besides being a doctor and saving this person's life. Right? And so to me, it's, it's, it's really great because you can literally go, almost any industry still requires this type of function and do such rewarding work. And it never gets boring, like, ever. I would say stressful.

Erika Dean:
It gets a lot more stressful in cases, but not stressful. Certainly not boring.

Rachael Lyon:
That sounds fun. Okay, I'll ask you one more kind of fun personal question, given all of your experience too. We've been having this discussion, a side discussion here. Do you watch movies about cyber attacks, you know, like hackers or Mr. Robot? And you're like, you know what, you guys, you're not even close to the truth here. They would never really work like that in the real world. Or, you know, do you kind of get frustrated because, you know, you know. No, kind of.

Erika Dean:
Well, I don't watch a lot of TV or movies. It is funny. My peers often talk about it and they'll reference a movie and they're like, Erika, why don't you watch any movies? And so I'm like, the worst. But on occasion when I see something like they're doing, like, I'm hacking. And I'm like, that's not real. So I do think about it when I see it. But generally speaking, I don't watch a lot of movies. And so I don't actually get to get all riled up like my counterparts.

Erika Dean:
And I will say my friends do talk about it a lot. Like, a lot. They get really frustrated and then they just start going down this rabbit hole. And I'm like, you know, it's just a movie, right? It's pretend. It's okay.

Jonathan Knepher:
But it has to be accurate. It's not entertaining if it's not accurate, Right?

Rachael Lyon:
Exactly.

Erika Dean:
Well, imagine being a doctor or a nurse and you're like watching these medical shows and they're all about the hospital and you're like, that never happens at the hospital. So, yeah, it is funny. But, yes, I'm always like, you know, it's a movie, right? It's just a. It's just pretend. It's okay. It's too funny.

Rachael Lyon:
Back and watched what was like a 1995 movie, Hackers. And it's just funny to see how things have aged over time too, and, you know, wow, killer refresh rate on their computer and, you know, go to a pay phone to try to hack. It's just, you know, does not age well.

Erika Dean:
But it's.

Rachael Lyon:
It's so much fun to see the evolution and perception of the industry over the last few decades.

Erika Dean:
Yes. I mean, if you think about it. On it, though, it has changed so much over the last 20, 30 years. Like, technology has just, like skyrocketed. And the things that are possible today were never even thought of 25, 30 years ago. And so to me, that's like, it's like such a cool era to be in, such a cool place to feel like, wow, you can literally have your computer on your hand, like in your hand or on your watch. Right. It's amazing.

Erika Dean:
It's just absolutely amazing to see how technology has advanced and helped just the world. Right. In everyday things. The technology in hospitals today is. It's phenomenal what you can do and see and detect so early on, how many people it's helped. And so to me, I'm just thankful that I get to be a part of all of that, be a part of a world which literally makes miracles happen. And sometimes you're, you're, you're there to help pioneer that direction. So that's a lot of fun.

Erika Dean:
Yeah.

Rachael Lyon:
And you just don't know, you think where we are today, it's five years. I think it's going to be so incredibly different and it's seemingly a short window of time, but the way things are dynamically adapting and moving, it's going to be a very different world. And not long at all.

Erika Dean:
Yeah. I mean, even if you look at like five years ago, things are so much faster than they were. Right. It's just, it's, it is this wild, wild at the pace at which we continue to change and evolve. So. Yeah, can't wait. It's exciting. Yeah.

Rachael Lyon:
And then there's quantum.

Erika Dean:
Then, then there's quantum. I can't decide if I'm excited or scared. So that's gonna. Both. It's definitely going to do something.

Rachael Lyon:
Never a dull moment. Well, thank you so much. This has been such a fun conversation. We greatly appreciate your insights. We could talk about fintech for days. There's just so much, so much there. So thank you for sharing your perspective with our listeners.

Erika Dean:
Yeah, absolutely. This has been a lot of fun. Thank you both, definitely.

Rachael Lyon:
And again, to all of our listeners, Jonathan, what are we going to ask them to do this week again?

Jonathan Knepher:
Smash the subscribe button?

Rachael Lyon:
Oh, yes, yes. And then you know what happens though. You get a fresh, fresh new episode every Tuesday delivered right to your inbox. How nice is that? I love it. So to all of our listeners, again, thanks for joining us this week and until next time, stay safe. 


About Our Guest

Erika Dean, CSO Robinhood

Erika Dean is Chief Security Officer of Robinhood Markets. She oversees the Security, Privacy and Corporate Engineering organizations, which include the information security and productivity functions. Erika has over 20 years of experience in the security industry. Prior to joining Robinhood, she spent over 20 years at Capital One Financial, where she held a variety of leadership positions in cybersecurity, including serving as the Chief Information Security Officer for US Card, International, and Small Business.