Kavya Pearlman is an Award-winning cybersecurity professional with a deep interest in immersive and emerging technologies. Kavya is the founder of non-profit, XR Safety Initiative (XRSI). XRSI is the very first global effort that promotes privacy, security, ethics and develops standards and guidelines for Virtual Reality, Augmented Reality and Mixed Reality (VR/AR/MR) collectively known as XR.
Kavya is constantly exploring new technologies to solve current cybersecurity challenges.
Kavya Pearlman Quotes
- “Money, Money, Money. How much money you going to make? I was so put off. No, it’s not about money. I really just want to learn.” [17:03]
- “What would you become when you grow up? I would be a D.I.G. (Deputy Inspector General)” [18:10]
- “This country needs me. This world needs me.” [19:21]
- “You owe it to yourself to explore this little itch, and figure out whether this is your passion or not.” [20:05]
- “You will inevitably make (sometimes) bad decisions .:
- “Technical support IS security.” [31:46]
- “I don’t think anyone read that [report], but then it gave me some satisfaction that this is awesome. I can actually take what I’m learning and apply it to the job.” [32:09]
- “Believe in yourself, not just for information security.” [35:59]
Kavya Pearlman Links
- Kavya Pearlman – https://twitter.com/KavyaPearlman
- XRSI – https://www.xrsi.org/
- Caroline Wong – https://twitter.com/carolinewmwong
- Steve Hunt [22:17] – https://twitter.com/Steve_Hunt
Getting Into Infosec
- Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
- T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
- Sign up for sneak peaks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
Kavya Pearlman 0:00
You know, when I move forward there is a term in our software industry is called fail forward. And I recommend that for every cybersecurity professional everybody who aspires to be a security professional is always fail forward and I think it's true for any career.
Ayman Elsawah 0:31
Welcome to getting into infosec. I'm your host, Ayman Elsawah. My guest this week is Kavya Perlman. Kavya had an interesting career twist.
Kavya Pearlman 0:38
I used to be a hairstylist, think about it, I was cutting hair for $10 an hour. So it's like I really need those people to come back to me and I had to really understand how to relate with people. You know how to provide them a good excellent customer service.
Ayman Elsawah 0:54
Customer service is such an asset in our industry, more than many people know both junior and senior. Just Like many of my guests, all of our experiences came together
Kavya Pearlman 1:03
every technical, psychological everything that I had learned in college, plus my previous experiences they all came together
Ayman Elsawah 1:11
you also share some valuable truths
Kavya Pearlman 1:13
be okay to be uncomfortable. So many times there are situations when you don't know and Google does not give you the answer. You really have to pink a no and dig and really investigate. The force is exceptionally strong with Kavya
Ayman Elsawah 1:26
though or willpower is amazing. As you'll hear. If you'd like to support the show, check out my book, give to a friend or leave an awesome review anywhere. Here's an excerpt from the book
Breaking IN - Audiobook Sample 1:34
live and breathe information security. Would you trust a chain smoking doctor who tells you to quit smoking? Would you trust a dentist with bad teeth? Would you hire a school bus driver that has a bad driving record or doesn't wear a seatbelt? Let's cut to the chase. You need to be an example for yourself as well as for others. You need to eat your own dog food. practice what you preach, walk the walk you get it right this is a mistake I see most often with people in information Security new or old, it tells me who is really serious about security and their work and who is not.
Ayman Elsawah 2:05
These episodes are on YouTube as well. So feel free to like and subscribe there. Get in touch via Twitter or email. Let me know how things are going with you, especially during this new world we live in. All right on to the show. Hi Kavya. Welcome to the show.
Kavya Pearlman 2:16
Thank you, Ayman. It's so great to be here.
Ayman Elsawah 2:19
Great. Yeah, thank you for coming on. So for those who don't know, maybe you could walk us through, I guess who you are and what you've done with security lately.
Kavya Pearlman 2:26
It's funny. I have Ayman recorded a few podcasts before, but this would be the first podcast where I would probably be able to say and sort of own the role that the industry sort of put me in a lot of the people are calling me a cyber guardian. Hmm. And which is interesting. In fact, it took me a while to sort of own up to it because, you know, we all have a little bit of this hunch, a little bit of this hesitation, am I up to the expectations or not right? So almost fairly recently, I started to like, own up to it. Anyhow, currently I am the founder and CEO of xR, safety initiative, xR safety initiative. It's a nonprofit, it started with an idea that we are moving towards a different type of reality. And xR, as you know, is extended reality. What is extended reality? It's, you know, a combination of various types of simulated, you could say, augmented reality, virtual reality mixed reality.
Ayman Elsawah 3:31
So xR is the acronym catch all for AR slash var slash Mr. Right?
Kavya Pearlman 3:36
Exactly, exactly. So even though you know, as an industry, we haven't even come together and admitted to that per some kind of written standards, but that's precisely like that's like the very minute example of what we are doing is standardizing these terms. Okay. All the way to standardizing privacy security. ethical aspects in these type of environments. So I mean, if I were to put in a sentence xR safety initiatives goal and the mission is to help build safe virtual environments, because you know, we are moving to this, you know, extended reality, we are inevitably going to be utilizing some sort of interface whether it is contact as I mean, at the moment we are in the era of putting these head mounted displays HMD goggles to experience these alternate realities. But at some point, we are kind of moved to the direction where these interfaces are quite seamless, even though they may still be hmds. But they will be seamless. And the question we've got to ask is, are we gonna wait for all the way to that point to start thinking about security, privacy and ethical issues? We can't afford to wait until then, we have to start now to think about the negative the unintended consequences of what could go wrong. In these type of environments, and then right now, as we are building these technologies, the software, you know, the overall development, the, you know, code of conduct, the impact overall on us as emotional or social human being, all of these aspects have to be thought through. And that's kind of what my mission is at the moment is to be able to guard against these unintended consequences wherever they come from, and what are some of these examples? So, there are several examples, let me give you a little bit of each segments example. So, if you talk about information security, we should think about the kind of data that these devices or the companies or the platforms are collecting. So, you know, we are experiencing reality through this digitally quoted environment, either they are overlaid on our existing reality, which is augmented reality, or they are completely digitally created artificial environment, which is we are so whenever you dive into these normals whenever you experience It you are inevitably giving out data about you know, sometimes you're giving away voice data, you're putting sort of your behavioral data, the way you walk, the way you gaze on something's the way you pose, of course, by your matrix data. And you know, these devices are now moving on to tracking your eyes and all of this. So, of course, that is also a concern is being able to track how you perceive things. And I mean, just about yesterday, Google had rolled out a particular project where they are going to place a particular cube, that if you're in a VR environment, our environment, if you gaze at that cube, it will open up and it will play a YouTube video. Oh, and think about that. So if I'm an organization already had some of these, you know, data related issues where companies are collecting massive amounts of data, they share it with third parties. And then what happens is these third parties misuse that data. So these kinds of issues, we have to identify Find them early on. Because what happens when big tech or even a small company has, you know, this gaze data, they can potentially manipulate you into looking at something that you may not want to, or persuading you to think about, you know, hey, I want to push now, Pepsi commercial, like all these ads could be placed in these virtual environments. And then we go on to the issue of privacy is we have these consent and these platforms, which is social platforms, these days, we don't have the ideal version of social VR quite yet, but we're getting there. So when these social media companies or the social platforms move to VR move to AR, we're going to have the same issues. We're going to have the same companies or similar people taking that data to persuade us to Hey, now buy Pepsi or now buy this thing. And they're going to use it against us. So those are like, you know, things that I think about, and then there's the ethical aspect of xR, which is effectively Second example for this when I was working at my previous organization, which is Linden Lab, and those of you who don't know, Linden Lab, it's known for its oldest virtual world called Second Life. Second Life started about 16 years ago. And they've had tremendous amount of experience in terms of virtual currencies, all of that. In 2017, they started their VR portfolio called CSR. I was absolutely interested. I used to spend a lot of time in that environment. One of these days, I encountered abuse. So somebody actually just literally yelled at me and screamed at me and use all sorts of swear words. Oh, wow. And I was really taken aback. That was like, very early on the first time that I experienced abuse in virtual reality. And it just ticked me because, you know, for whatever reason, my childhood was not like the ideal childhood and it triggered a lot of trauma sort of thing, which I didn't even realize, like, you know, for three days after that, in fact, probably more, I did not step into VR. And it occurred to me, I'm like, wow, if this is what's happening to me, there are people I mean, we are all human beings, we have various experiences, we as past experiences trauma. So then I started to think that, okay, well, this technology has positive impact, but it also has a negative impact. And especially in the social settings. So the way human beings behave with each other, they could yell at each other, they could harass each other, they could bully each other. These are like some of the ethical aspects that would inevitably come into this. We have to be ready for it.
Ayman Elsawah 9:33
It's like all the garbage of the internet in words now translated to VR. Exactly. Wow,
Kavya Pearlman 9:39
it really isn't too far away from the real world. You know, when you talk about the impact on our brain, whether it may seem like it or not, the impact is literally same as experiencing something in real life.
Ayman Elsawah 9:53
Okay. Ah, that's pretty heavy. So yeah, I guess you know, when you have private VR developers, do you have the same like byesies as you know, because there's a lot of news about, like game developers, and they have biases and the companies and etc. Does that exist in the VR space? And does that come under? You know, trust and privacy?
Kavya Pearlman 10:11
Ayman Elsawah 12:19
interesting. So let's shift gears for a second and talk about how you came into infosec. I think your path into infosec is very interesting. I've heard it before, but maybe in your own words, describe to us what you did before infosec. And how you got into the field.
Kavya Pearlman 12:33
Yeah, it's a very interesting story. And I must thank my good friend, Caroline Wang, who was the first person to encourage me to talk about my story. Yeah, she's awesome. She is great. And most people were an app sec. infosec dev sec. Ops, they know who she is. She's a superstar. I sent her a message on LinkedIn about some kind of a thing and she was like, No, your story is awesome. You should tell it. So talk about my story and And then that's when I started talking about that I used to be a hairstylist, and what may sound like previous life, it wasn't too long ago, it was about 2011. And then I have to really talk about a little bit before that, because Originally I'm from India, I grew up in India, okay. And until about 2007, I was, you know, in India, so around 2007, I moved to the United States, and I had a Bachelor's in computer application degree. And I had done a little bit of troubleshooting type of, you know, tech support for Microsoft HP back in India.
Ayman Elsawah 13:33
So you didn't you didn't have a career in technology, or you started off your first career, I guess.
Kavya Pearlman 13:38
Yeah, I wouldn't actually call it career. So let's put it this way. I did my BCAA which is bachelor's in computer application. Okay. I was always curious about technologies. But then when it came to getting a job, I just couldn't find a tech job. So I ended up working for different call centers, various odd jobs and you know, another reality but Back then growing up in India was that my English wasn't all that great. I couldn't even have a conversation with you in English though. It took me a while to get to sort of corporate level standard, be able to work in a tech environment. Okay, I finally ended up doing that for like last six months in India in 2007. But then I moved to the United States. And I was like, You know what, I can be anything I want. I was really fascinated about the idea of America is a free country. You can have any religion, you can be anything that you want, you can pursue whatever dreams you want. So I felt really empowered. And I was like, You know what, I'm just going to be a hairstylist. In fact, at that time, I felt like oh, that's my passion. Like, I want to be some creative or something. Right? That's great. That's great. Yeah. So I ended up you know, getting cosmetology license and pretty much for about four to five years. That's exactly what I was doing. I was just cutting hair. And I started out at a really upscale salon, but ended up doing like $10 an hour for 25 hours a week type of work, very simple life, you know, just enjoy my life, a lot of hanging around learning the culture. It was great, right? It actually really helped me. You know, coming from a different country, this culture can be overwhelming. And this was a perfect job to be able to interface with all sorts of walks of life stories from different people was like a perfect setup to give me that primer into this new culture. That makes sense. Yep. So how did I get into infosec? Well, that's kind of where the infosec door opened. Were one day, I was cutting hair for this gentleman. He told me he was a security analyst at a bank. And I was like, interesting. I thought he's like, really, really smart guy. So we ended up talking and then when he's leaving, he's like, Hey, you sound really interesting. Here's a book for you. It's called cyber war by Richard Clarke.
Ayman Elsawah 15:50
Okay, it's awesome.
Kavya Pearlman 15:51
And I mean, you would think like, you know, what is the hairstylist got to deal with cyber war, but that's all the conversation ended. I went home downloaded the PDF. I found it interesting. I bought the whole book. And then I think within like a matter of a week, I knew that I just want to be a cyber security officer. Mm hmm. It was so clear to me on that day, that that's what I want to be. So I obviously made effort to be able to get there. And in 2011, there weren't that many resources. There were no coffee, they could listen to stories and figure out like, what is a hairstylist supposed to do? or a nurse or anybody? You know, it was like without a tech background, right? They had these things. Uh huh. We didn't have that many YouTube videos where people were like, Hey, I used to be this and that I got into infosec. That's right. So but we did have Google so I googled like top 10 cybersecurity colleges and one happened to be in Chicago where I was at that time, and ended up doing my Master's in network security. And that sort of put me on the right track to be able to pursue this career. And that's awesome. And my You I actually went to one of the college and I'm not going to name it. But the very first conversation these guys started to have with me is like, oh, wow, that's great, how much money you're going to be this much money, money, money. And I was like, so put off. I was like, No, it's not about money. Right? I really just want to learn. Tell me how competent you are, what kind of knowledge Am I gonna gain? And so the next school that I went to DePaul University, and they had this, you know, they were like, the NSA cyber Excellence Program or just cert or something. Right, which is a very good honor. So that happened to be the place that I wanted to, you know, be at for the sake of knowledge. That's awesome.
Ayman Elsawah 17:37
Yeah. And did you always have a knack for security? I mean, obviously, this person that recommended the book knows that you're a reader that you're a curious person, but you know, were you doing security stuff like even in your own personal it?
Kavya Pearlman 17:49
So the truth is not really. But the one thing that I had, which if I were to reflect back into my life now, right is ethics.
Ayman Elsawah 17:58
Okay, there you go. As a child, it's always something.
Kavya Pearlman 18:01
It's something right. Yeah, it was like a very, this is the first time maybe even mentioning this on a public sort of Avenue. It was like a deeply hidden dream as a really, really young child. If somebody asked me, hey beta, what would you become when you grow up? I would tell them I would be a DI G. And what that was is in India, there is something called as Deputy Inspector General. Okay, I had seen a TV show. Nice. So in this TV show this lady she was in, you know, all this uniform, and she was a Deputy Inspector General. She was, you know, taking out the bad guys in India and bringing people to justice. So that just impression stayed in my head. But when I became a cosmetologist, I was like, oh, that ship has sailed.
Ayman Elsawah 18:43
Kavya Pearlman 18:44
So with that sort of mindset when I'm reading this cyber war, I was like, Oh my gosh, this is it. I'm gonna live my dream. Yeah, yep, exactly. It brought it back. So that sort of ethical balance the compass guided me but at the same time cyber war. If you Read, it tells you that in future we're going to literally fight war, which we are now at the front of like information warfare, not just hints that it literally tells you. And the book was pre Stuxnet. Stuxnet is one of those viruses that, you know, yeah. really changed the game of cyber warfare. Yeah. So this is pre Stuxnet. But I read that I was like, oh, wow, I think this country is going to need me, this world is going to need me. I don't know if you believe it. But that's how compelling this cause was for me. And at the same time was like, Okay, I couldn't be a DI G. But I'm going to be a CS, Cybersecurity off, right?
Ayman Elsawah 19:38
You had somewhere to channel that energy, that energy this whole time. You're like, Oh, this is where I could spend my energy basically. Right.
Kavya Pearlman 19:44
Exactly. And, you know, this is what I tell people, when some students or people from different backgrounds, they come to me sometimes at conferences, and they're like, Hey, I'm really curious about security or I don't know if I can do it. I say you Hey, if you have any intuition, if you think that you want to explore, just do it part time, you owe it to yourself to explore this little edge and figure out whether this is your passion or not. And that's the important piece is to discover that sort of spark and fuel. Right? If you discovered that, I mean, yeah, this conversation shouldn't start from money. But money is not a problem in our industry, if you have the zeal for it, if you're a problem solver, right? And then you would absolutely never be bored, you'll do good work. And it's such a needed like, this is the work that we really absolutely need as humanity. We're diving into all these fascinating artificial intelligence, you know, distributed ledger technology, we're talking about xR, like all of these technologies are opening up these new doorways to cyber security's. Yeah, uncharted territory is that we must investigate. Yeah, yeah.
Ayman Elsawah 20:53
So let's talk a little also about your childhood. Walk us through, you know, so you mentioned the DI G, I guess you probably were watching some sort of law and order, unquote. In India, yep. Were you exposed to technology when you're younger, like any other technical influences when you're younger,
Kavya Pearlman 21:06
there are actually quite a few instances that I remember if anything broke in our house. And I have two brothers, but I would be the person to be called upon to fix those things. Nice. And thanks for broke and break off and we're talking about, you know, back in the day, so, if an iron broke, I'm like, okay, here's a screwdriver. Let's fix this. Great if there is a loose connection, you know, electric, all of this and just about, I think it's a high school. And I was really great with languages. So I was really good with Sanskrit and other Indian languages. Everybody told me too, you know, hey, do your biology or be a doctor engineer, but only thing that I wanted to do after I saw a computer. I was like, This is my life. I don't know how I've always had this intuition and the willpower to one by intuition, find what I'm supposed to go and then using the willpower to absolutely pursue, so I absolutely threw a tantrum. To my parents who didn't know what the hell is computer science, and they were like, what, what is this girl want? Right? I was like, No, mom, if I'm going to study any further, this is what I want to do. So I ended up, you know, taking computer science major, and you know, just learning technology. So I think I was always interested in this sort of technological aspects.
Ayman Elsawah 22:17
Nice. I think you hit on the head there is about persistence. And you know, like, say, for example, even you're trying to fix an iron, right? So you have the hacker mindset, you're like, I can fix this. But you know, you're not gonna always get on the first try, I'm sure. Right. Yeah. So having the hacker mindset to persist in their fixing, you know, kind of go through it. Right,
Kavya Pearlman 22:34
exactly. In fact, it came up quite often. So imagine, you know, you've completely sort of gotten away from it or computer science and then moved into hairstyling, right for about four or five years. That's all I did. So when I went back to masters in network security, I mean, you're talking about reading packets of the wire, doing port scans, packet tracing, building, you know, signatures for intrusion detection systems, and all that. This was very complicated. This was very tough. In fact, and so many of my first six months or probably almost a year, so many of my classes, I just sat there, and I thought to myself, like, Oh my god, am I ever gonna be able to understand it to the point that I could actually be a cybersecurity officer? What was that feeling? Oh, it's very uncomfortable. It's very uncomfortable, especially if you are a person who believes and wants to excel at something. So if you always have been like somebody who's like good at stuff, it's a kind of feeling that we all get when you have like a new job, right? Feel like a fish without the water, even though you may know a lot of it, but you still gonna have this sort of uncomfortable territory where you're like, Oh my gosh, I don't know if I would be able to do this. It's a little bit of a self doubt.
Ayman Elsawah 23:44
Did you ever feel like giving up?
Kavya Pearlman 23:47
No. Okay. Yeah, I don't know. But I have always been a person who, you know, when I move forward, there is a term in our software industry is called fail forward. And I recommend that for every cyber secure Professional, everybody who aspires to be a security professional is always fail forward. And I think it's true for any career is fail forward. Sure enough, some things may not work out, but just persist and see it to the end, like make sure that you have already completed that course don't give up in the middle. Because you would always wonder what if I had taken it to the end, maybe I would have succeeded. So those were uncomfortable times classes that I sat through, and I was like, Oh, my God, it doesn't make sense. It doesn't make sense. But then one day, one day, there was one class that I took, and it was talking about convergence of it and security. My amazing Professor Steve hunt, who is by the way, now an advisor for xR safety initiative. How cool Oh, cool. Nice. Yeah. So he was teaching this convergence class and a light bulb just went into my head and I was like, wow, every technical, psychological, everything that I had learned in college, plus my previous experiences They all came together. Oh, wow. And I really understand how these dots Connect how we're supposed to think about cybersecurity. And there's other ethical privacy, all of these aspects. It was just amazing to really that was the class and it happened almost after like a year and a half later. Oh, interesting. I started college. So it takes time. It takes time, but you'll get there.
Ayman Elsawah 25:20
Yeah, that's so wonderful. And now a message from our sponsor. Are you experiencing malware and bugs in your data center, seeing payload droppings on your servers and equipment. Oftentimes, these bugs are in your walls and hard to reach places on your servers. We have a solution for you. Introducing the Cybersecurity fogger. Simply place your fogger every 2000 square feet, pull the trigger and run our patented AI powered nanotechnology mist we'll get to those hard to reach areas and squash those bugs instantly. No more exfiltration or keyboard logging. It will even remove any bugs on your communication lines to not say for admin In insurance. And so after you finish the program, walk us through the interview process and you know, was it difficult was easy, you know, some challenges that you might have went through and things that maybe would have made it go faster, you know, a few on hindsight for that job, for sure.
Kavya Pearlman 26:17
And, you know, this is another point of advice for anyone who is trying to come back to it kind of career or security career, or who is trying to just first time take on this career is you have to really try to connect the dots back to technology. So how does the hair stylists go from hair styling creative aspects to technology? In fact, I heard your interview with the infosec Sherpa, and she used to be a librarian, right? And you know, it's a very similar thing that we all have to think about. If we're coming from a non technical background. How do I go into technology so what I did where I kind of got lucky I picked up a tech job at the university. It was literally just like 10 hours of Doing technical support, fixing servers, doing remote monitoring, fixing some of the endpoints and all that. So that was the interface that connected me back to tech. And once I finished my grad school, then I was able to do some network analyst and security analyst type of work. And the interview, let me tell you that my first interview when I went to for that technical support job, I basically prepared for the interview, searching all of the stuff they could possibly ask me, because no, you forget things. I googled, what is an IP address? I was ashamed to do that. But I was like, You know what, I've forgotten all these concepts. And I prepared for this interview and it was very uncomfortable to admit that I don't know all this. But take that leap and research learn and I think interview process can be challenging, but if you prepare, if you know that who you're speaking with, if you know the level of complex questions they may ask, there's always a chance and you have to go for it. One of the interviewers which was the critical interview was security operations that are in a sock analyst interview, okay. And thankfully By that time, I had learned enough basic skills from college. And I've had a little bit of an experience doing network analyst type of work, some tech support, and that sort of paved the path. But let me tell you, I had to give at least a few interviews, which means I had to face a bit of a failure at least four or five times, which is normal, you know, right. Sometimes people get really disheartened when they feel like the big interview and I've got friends who literally called me in are very sad because they feel this Facebook or Google or this other interview as they couldn't get an internship and it's their first time. I'm like, that's great news. That means you're like one step farther or one step forward, closer, closer to whatever you want to achieve. And that's the way we have to look at all this is failures. Sometimes you know, when you are actually in the game, you will inevitably make sometimes bad decisions, failures will happen. Your technical competencies are not always going to be right. But again, as I say, you have to fail forward.
Ayman Elsawah 29:06
And four years in plus of hairstyling, I mean, that's like excellent customer service, right? You have to learn good customer service to be a good hairstylist. And so how does it apply now to your career in information security?
Kavya Pearlman 29:17
It certainly does. So I think I mentioned you know, the whole cultural aspects, if you're coming from a different country to the United States, or you know, just changing your culture, overall, that sort of interface with various people set you up for being able to relate with people. And I mean, you think about it, I was cutting hair for $10 an hour. So it's like, I really need those people to come back to me. And I had to really understand how to relate with people, you know, how to provide them a good excellent customer service. And those aspects are always going to stay with you because that's part of the job and these are the things that come handy in customer service. So now that I'm you know, at times when we have to speak to the board to give bad news Right, or you have to relate with software engineers, you have to relate with different managers, managerial type of roles. All of that helps you navigate these things helps you with the human aspect of information security, cybersecurity, and that is very, very essential. A lot of people have a lot of technical knowledge. They are excellent. They could be a great pen testers, but when you put them in front of people, they're really like a fish without water. And that's the aspect I think that four years five years of hairstyling oh my gosh, I have absolutely no regrets. I wouldn't do it all over again the same awesome. Yeah, it really helped me out.
Ayman Elsawah 30:35
That's awesome. That's really good. You have any war stories from your time insecurity that you can talk about either interesting incidents or anything like that
Kavya Pearlman 30:42
hacker war stories, interesting incidents?
Ayman Elsawah 30:45
Yeah, that you could talk about, you know, either a time that you covered some sort of security incident that happened or anything like that.
Kavya Pearlman 30:52
I've covered a lot of cyber security related active attacks and incidents. So before my question, Core security job. You can call it the intermediate or job where I was working for a managed service provider. Okay. And I was also going to grad school. And this is something that could happen to a lot of people where your core job is not really security. But it's technology. You could be an IT admin, you could be somebody just, you know, coding in the part time or something. But Around this time, I was working for an MSP, and one of their clients had a denial of service attack, like a DDoS. Yeah. And since I was going through my grad school, I was like, Hey, you know what, this is an incident and, you know, 2012 or something. They didn't really care. I was like, No, we need to write this incident report. Yeah. Well, my bosses really didn't care. Understand. Right. I collected two of the tech support folks. And I started right, that incident report and nobody cared. But I really just, you know, on my own, wanted to standardize these things for this managed service provider who didn't really focus on the aspect of security At that time, my job wasn't it. But wherever possible. I think that's probably the passion part. It came across as that I wanted to standardize these things instill security wherever I was, even though it was not a core security job, right. And so I ended up you know, sort of investigating where the traffic was coming from. Okay. At that time, I'd recently learned about black holing of traffic. So we further investigated together it's like, Okay, what can we do, or we already actually mitigated that and you know, technical support is essentially security. Front Lines. Exactly. Yeah. You're trying to protect the confidentiality, integrity and availability. So I had to just tell those guys like, Hey, this is a security incident. We are trying to protect availability here. And they're just looking at me like, This girl is crazy. He's like, hey, our job is done. Go home. And I'm like, No, no, let's prepare incident report. And I don't think anybody even read that. But then it gave me some satisfaction. That, you know, this is awesome. I can actually take what I'm learning and apply it to the job. No.
Ayman Elsawah 33:00
You don't need security in your title to do security. Exactly. Yeah, that's awesome. That's really good. So with xR, si, it's a nonprofit, I'm assuming and you know, how can people help you in this initiative?
Kavya Pearlman 33:12
Yeah, since it is a nonprofit, we absolutely need a lot of help. And one thing that you just said that in order to do security don't have to have security in your title. But that's the other truth about cyber security, information security is not just the security work, there is a lot of other aspects, the dots that have to be connected in order to deliver that core objective. So you know, we need to fundraise. We need to be able to interface with organizations that are international and that are in the same type of environment because we don't want to have to re spin the same or reinvent the wheel kind of thing, right? So we want to utilize their resources. So, you know, currently we're talking with organizations like National Cybersecurity lines, stop thinking that type of campaigns so when we're trying to connect these dots. We obviously need people, I'm just alone. And then we have few advisors. But then we need people to be able to reach out. There's so many different spectrum of skill set. And just overall a diverse input from you know, I could think about technology one way, I absolutely need other perspectives to contribute to Yeah, and you know, with that same mindset, a regime, those are the other co founders of xR, si, we've tried to put together a really amazing team, but we still need more people to contribute. And the people are really excited. They're coming together actually, because one, they want to learn about emerging technologies and in all these immersive environments. The second thing is it really gives you a great experience, and to just be around these awesome set of people. It will help you think differently, will help you think security privacy. So there are a lot of good benefits that you can gain out of working for us.
Ayman Elsawah 34:58
Yeah, I think there's a lot of work to be done here. And With any emerging technology, it's gonna take a lot of wrangling and getting kind of the vendors on board. And I mean, just like anything in security, it's good to get ahead of it early than late. Right.
Kavya Pearlman 35:09
Exactly. And you know, one of the projects that we are currently working on is this xR DCF project. It is x our data classification framework. Hmm. And that's like, the easiest thing anybody can do right now is every Thursday, we meet up and we talk about how should we classify this type of data? Now everybody talks about case data pose data by matrix, you know, what does that look like at the database level? What kind of encryption should be put on it? If you are destroying the data within? You know, like, if it's an ephemeral data, do you really need an encryption, like all these kinds of questions we're trying to solve. And every Thursday we meet these people, you could be a software developer, you could be you know, some people are literally just no technical background, but they dial in just to sort of listen into and learn how we are approaching these problems. And that's like the easiest one, and then you could actively commit tribute to be such as you know, one of my mentee, Emily, she reached out and she's like, Hey, I really want to contribute. And she's helping me interface with external partnerships, you know, all the way to you commission. Sometimes when we have to talk to these people, she can help set up some of these calls, be the frontliner to like, open up doors, and then bring me in to have the core conversation. So those are all kinds of things that people can work on and pick up on the security mindset eventually build up to become the core security person. That's awesome.
Ayman Elsawah 36:30
That's really good. any parting advice for those out there looking to get into a field?
Kavya Pearlman 36:34
Oh, yes. And I think I would go back to and refer to my previous experiences. And first of all, believe in yourself. And that's not just for information security. If you want to pursue anything, people want to pursue music, art, anything, you have to believe in yourself. Even before information security, I wanted to do cosmetology if I hadn't pursued that I probably wouldn't have arrived at the moment of breeding cyberwar. So you know, just Go with your gut, believe in yourself. Anything is possible. So lately, you know, since about 20 1617, I've had the honor and the privilege to receive several awards. So what I say is what you do in private and quietly and put your mind to put your hard work to, people will then recognize you in public for it. And that's why like, you know, I've gotten several awards for my work. That is now is sort of a testament to you know, I persisted, I pursued, right. I didn't care about, hey, am I talented enough to do security, this field is more about skills, you will become talented eventually. But like, it's really about acquiring the soft skills, the technical skills. So pursue this field and persist and keep going and you will be able to be successful. I guarantee you. One of the things we have to think about when you're like going into this change is inevitable in the speed with which you can perceive two faults. You can think oh, My gosh, no matter how much I learned, it's always going to change. But that could be a good thing. You'll never be bored. You know, you'll always be learning new things, solving new problems. Yeah, that challenging aspect. It should be a driving force, it should be like, Hey, I can do this and be okay to be uncomfortable. So many times there are situations when you don't know and Google does not give you the answer, right? You really have to think and know and dig and really investigate. So it's okay. It's okay to be uncomfortable for a while, and then you'll persist, you'll get to the comfort zone. So those are my advices. You know, just don't give up. Yeah, no matter what you do, is you have to persist. You have to continue. You have to learn you have to just keep at it.
Ayman Elsawah 38:42
Right. That's awesome. Great, wise words from yourself. So Kaya, thank you so much for sharing your time today. And I think people really benefit from your episode.
Kavya Pearlman 38:51
Thank you. Amen. And this is good. Like I really appreciate what you're doing here as well is especially someone who had to Transition to IT security career. We really need these stories to be out there because sometimes people think that Oh yeah, these people must be these awesome, you know, very, very intelligent, right? Always insecurity or grew up with this computer science mindset hacker mindset, right? We're all just different diverse, normal people who came from different places. Yeah. But then ended up insecurity. And so these stories are really important. I'm really glad that you were taking the time to go dive into these things and help other people to understand this aspect.
Ayman Elsawah 39:32
Thank you so much. Thank you. Yeah, absolutely. We'll leave it there. Thank you so much coffee.
Kavya Pearlman 39:37
Thank you. Ayman. Bye.
Ayman Elsawah 39:38
Bye now. Thanks for listening. Hope you enjoyed that as much as I as always if you like the show, please thank my guests for their time and let others know about the show. They might thank you for it. Intro Music is Cascadia by trash at trashy comm check out the website getting into infosec calm for show notes, clickable timestamps, a preview of my book and more and stay in touch on Twitter. More getting into infosec reflections. Every week I let my guests pick their Outro Music This week, it's the little robot by forget the we'll see you next time.