Board Member Spotlight: Tonia Dudley, Strategic Advisor | Cofense

This year you took over as our Marketing Committee Chair What has this role been like for you?

As someone that’s been a member of this subcommittee from the start, I have enjoyed being able to carry the torch.

Since implementing the Executive Committee and subcommittee leadership format, we’re really starting to see the benefits of this structure in moving the organization forward.

The Marketing Committee is currently working on some very exciting projects. Without giving too much away, what are some of your goals for the committee?

Under the previous chair, we kicked off a branding initiative. Much of the groundwork was established before I took on the role as chair, so it’s exciting to see the project move to the execution phase. We have our goals set to launch in October, stay tuned!

Our Board member companies are well-known and competitive within the marketplace. How does the mission of the National Cyber Security Alliance create an environment where Board members are unified?

While we may be competitive outside of the National Cyber Security Alliance, we all have the same goal to bring everyone together for the common understanding of the threats that impact organizations, as well as the consumer.

Having this unified message allows us to collaborate with great vision to protect organizations, as well as individuals, and defend against the changing threat landscape.

How does Cofense’s cybersecurity interests align with the mission of the National Cyber Security Alliance to educate and empower our global digital society?

Cofense, by its very existence, embodies the mission of the National Cyber Security Alliance.  From inception, our goal was to educate and empower our customers to stop phishing attacks in their organizations. Our phishing defense products, which includes phishing simulations, help employees readily recognize and report phishing emails, use positive feedback to empower employees. But phishing is not just an enterprise problem – it is prevalent at home as well.

Being educated to recognize phishing emails in their work environment empowers them to carry that to their home environment, thus being more vigilant about their personal email as well.

You seem to have had a diverse career in a few different fields. Can you tell us a little about that and what made you ultimately choose the cybersecurity field?

After several years in finance and IT roles, I was ready for something new. I’m always looking for “what’s next” and willing to take a lateral move to expand my capabilities. After holding a role for 5 years doing IT Compliance, I was starting to notice the infosec group in the organization. We had an external hiring freeze at that time, so it allowed me the opportunity to take a role in policies and standards. I figured this was a great way for me to learn more about the various elements of infosec.

I haven’t regretted that move.

It allowed me to really leverage blending all the other disciplines I learned along the way, especially when I took a role managing Security Awareness programs.

Do you have any advice/tips for our blog readers to prevent phishing attempts from working at their organizations?

When it comes to defending against phishing threats, it’s important for organizations to use a holistic approach to their program. As threat actors continuously find ways to maneuver their way into the inbox, your users are your best line of defense.

We believe it’s more than just training them on how to identify a suspicious message, but also making it easy to report to the security team. Arming your security team with the indicators found in these messages allows defenders to quickly mitigate and prevent an incident from even taking place. There is value in applying automation, however, this works best when integrated with the human intuition.

We so often hear that people are the weakest link in cybersecurity. However, in your published work, “Users are an intelligence source: Are you leveraging them in your detection strategy?” you wrote “Users are a built-in army of cyber defenders.” Can you explain why you feel that way?

While we can implement layers of controls and detection mechanisms, at the end of the day it is the user that can review that suspicious message and know something just doesn’t feel right about this and get it off to the security team. They are the ones that know the CEO doesn’t use an iPhone when an email is signed “sent from my iPhone” or the third-party provider doesn’t use email to send invoices. It’s the SOC analyst that can dig a little deeper when their intuition tells them something’s just not right about a suspicious email.

What is a characteristic that cybersecurity professionals should value more in the industry?

Curiosity and Composure. I’ll start with curiosity. Everyone is built differently and a team is made up of various strengths and capabilities. Team members that are curious are always asking WHY and digging deeper to find the WHY something is happening. These are the individuals that are looking at the big picture or the end to end of a process to see where there’s breakdown.

A curious person isn’t satisfied with putting a band aid on something as a fix, they want to prevent the issue from happening again. This is a characteristic you want in some of your SOC analysts. They are going to look beyond the alerts and have the intuition that something just isn’t right.

Why is composure important? Anyone involved with incident response understands how quickly things happen or new information is discovered leading to quick decisions. In times of crisis – like dealing with a major incident – individuals who have a sense of calmness can navigate the team through an incident and bring order to the team without a sense of chaos.

This is critical for managing the team through the incident, as well as communicating to leadership when necessary.

Can you share a fond memory from serving on the National Cyber Security Alliance Board of Directors?

One of my favorite events is the Nasdaq event to kick off Cybersecurity Awareness Month. My first year attending was when my oldest son lived in Brooklyn, so he and his wife showed up in time to see us ring the bell.

What was the last book you read?

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perloth

I was involved in some incident response during the time period she covers in the book and could relate to much of what she wrote. The insight I gained was around the bug bounty market and how that evolved to what we have today.