As Chief Information Security Officer for NYC, Kelly Moan is on the front lines protecting New Yorkers from the latest cyberthreats. She juggles everything from implementing zero-trust security models to helping state agencies fend off sophisticated hacking attempts. Don’t miss the latest episode of WE’RE IN! in which Kelly opens up about her professional history and shares tips for anyone interested in supporting their own communities through pursuing a career in cybersecurity. Her office has worked to foster the next generation of cyber talent through efforts like the New York City Cyber Academy program. “The really amazing thing about the profession in general is you don't need a degree,” Kelly says. “If you have access to the internet and you have access to a technology product like a mobile phone, a laptop– there's so much out there and open source that, if you really want to, you can start learning.”
As Chief Information Security Officer for NYC, Kelly Moan is on the front lines protecting New Yorkers from the latest cyberthreats. She juggles everything from implementing zero-trust security models to helping state agencies fend off sophisticated hacking attempts.
Don’t miss the latest episode of WE’RE IN! in which Kelly opens up about her professional history and shares tips for anyone interested in supporting their own communities through pursuing a career in cybersecurity. Her office has worked to foster the next generation of cyber talent through efforts like the New York City Cyber Academy program.
“The really amazing thing about the profession in general is you don't need a degree,” Kelly says. “If you have access to the internet and you have access to a technology product like a mobile phone, a laptop– there's so much out there and open source that, if you really want to, you can start learning.”
-------
Tune in to hear more about:
* Why cloud security is such a top-of-mind concern for CISOs
* New York’s first-of-its-kind Joint Security Operations Center
* Kelly’s approach to ensuring “diversity of experience” in the infosec field
Blake: [00:00:00] Thank you so much for joining us. Kelly, it's great to have you on the program.
Kelly: Thanks
so much for having me. It's great to be here.
Blake: So thinking about what goes into defending a city like New York, it just, to me, an outsider, it feels so overwhelming. You have literally everything, elections, finance, municipal services, a huge chunk of the total US economy. So I guess, what do you prioritize from a cyber defense perspective and, and how do you stay organized?
Kelly: That's a great question. So I'll hit staying organized first. I think my team hears this a lot from me. Um, and anyone who you talk to about, um, doing cybersecurity, What is easy for, uh, an enterprise or a small business, relatively easy to get done without maybe a rigorous process gets arguably incredibly complex and and difficult to manage at scale if you don't have good people process in tech, in place.
Um, and that's no different right than we see in New York City. It's making sure. It's, it's one thing to, uh, [00:01:00] initiate, uh, something once it's another to make it a sustainable, a repeatable process. We have take a lot of time and effort to make sure that what we're building towards is sustainable and can be repeatable and really consumable by our customers.
Um, in terms of the, the attack surface and sort of the landscape at. You're right. It's, it's a huge portfolio. Um, and I think that's that one, that's what makes it a value out for working for New York City because you, I don't think any other, uh, any other organization really, if I'll call ourselves, that can, can, um, Sort of be responsible and see everything from the most basic tech to protect against in at most basic sector.
Think your, you know, windows laptop all the way to the most advanced think iot, emerging critical infrastructure. Um, and so that's what makes it really fun. I will say it, the prioritization really doesn't look any differently than you'd find in an enterprise. If anything, I think the stakes are felt more deeply, um, because, you know, [00:02:00] we're talking about protecting New Yorkers, right?
And making sure that mission essential services are, are up in their daily lives as they're interacting with city government. So making sure that, you know, the water is getting, getting to them in the tap, right? The, the, the, um, tra traffic lights are functioning as needed and. A lot of the prioritization that we work on really also means working with the private sector, right?
Critical infrastructure. A large majority of the entities are privately held, so it's in our best interest to work with partners to say, Hey, I'm seeing something on, on our end. Are you seeing something similar? So we can better protect each other? And so that's been really amazing to continue to build out in New York.
Blake: I'm glad you mentioned the private sector with critical infrastructure. I feel like, what is that stat that's always bandied around? Like 90, 90%,
Kelly: 80 to 90%. Yep.
Blake: Right, right. Does, does that resonate in New York as well? I feel like that's okay.
Kelly: much so. Yeah. And so that's what I think is exciting because it's not, yes, [00:03:00] there's the stat, and I think depending on what you cite, it's anywhere from 80 to 90%. But I sort of chuckle because, um, we, we know the providers in New York City that we, we ne need to make sure know us and vice versa and have really good partnerships in place for them because again, on your worst day working a cyber investigation, you certainly don't want to, to meet a helping.
The first time, right in the middle of arguably, uh, controlled chaos. It's better to know who we are and how we can help before. And that goes both ways. Um, and so that's the value add I think in the partnership that we bring can bring to the table, which is why people wanna partner with us, especially private industry.
Blake: And so how do you go about building those relationships with the private sector? Is that something that you do a lot of outreach on? Is that command a good bit of your day-to-day work? What can you say about that?
Kelly: Yeah, so it's a little bit of both. So I think the human factor plays a really big role. And cybersecurity, especially incidents, trust matters. Making [00:04:00] sure that, you know, if somebody's dealing. A, a complex situation that we're, we're not blasting it out there for everyone in the world to see. Um, but the, the human factor in, in building the relationships and then also just finding the sort of natural, um, touchpoints between private sector and government, which already are there, but typically present themselves.
You know, a technology effort or, um, a service that's, that's being used or that New Yorkers are leveraging. And that makes a really, um, really amazing sort of starter option for entities that we can work with. Um, because again, their success is our success and, and vice versa, right? In terms of failures. So we wanna make sure we know who they are, um, and they know who we.
Blake: Totally. Well, speaking of that human element, I, I heard that the first cohort of the, uh, of New York City's Cyber Academy graduated recently. So congrats to those individuals. [00:05:00] What can you share about that program and the, the rationale for launching it?
Kelly: yes. So I'm really, really proud of what we've been able to build with Cyber Academy. Um, so we've, cyber Academy was really born out of the idea of. You know, no one's gonna solve with, you know, wave magic wand and say, okay, all of a sudden we're gonna get a a, an influx of incident responders who have all the expertise in the world in this very, very critical field that, you know, globally.
I think private institutions, government entities, we're all seeing a, a shortage of. Talent and more positions to fill than people to fill them. So instead of just talking about the problem, we decided to do something about it and do something about it relatively quickly. Uh, I think quickly even comparison to, to government or even private.
Right. So, um, last fall we launched Cyber Academy, which focused, um, the first cohort being our cyber liaisons. Um, in the, when it, uh, mayor Adams took office, um, he very quickly instantiated executive [00:06:00] order. Which compelled city agencies to name a cyber liaison. Was not the CIO nor the cso. And so that presented a really amazing opportunity to invest in those cyber liaisons, to give them the hands-on skills and training they needed to be forced multipliers for us, uh, downstream at Citi, that at their agency.
Um, because we heard really collectively, Hey, I, I wanna learn more about incident response. I wanna be able to run investigations. And so we curated, uh, a number. Classes and, and training to develop the skills that are required to be resilient in that, uh, in that pathway, in that, um, career. And we model it a lot off of what.
The FBI does for their new special agents that are starting to work cybersecurity investigations. How do you take somebody who has maybe some tech background, maybe an understanding of how to run investigations, but not on, maybe on the cyber side? Um, what does [00:07:00] it look like to run a digital investigation
Blake: of a reskilling angle almost of.
Kelly: Yeah. And, and upskilling. And reskilling is really the, the focus of the, the cyber academy writ large. So we've got through, we graduated a, a initial cohort, um, just a week or so ago, uh, which has been amazing. Um, and they really, we got a ton of great feedback from the liaisons that they found the classes.
Really helpful to give them the hands-on training needed to be more astute. Uh, if and when incidents happen, and we're gonna be doing a fall and a spring, uh, academy cohort, um, until we get through the liaisons. And the hope is that we're gonna be able to expand to not just city employees, but also focusing on.
Getting folks into the cybersecurity field, um, who are interested. So it's a, I think it's been a great opportunity for us to showcase how we're investing in, in the city's, uh, cybersecurity, uh, community.
Blake: Well, and that that effort, which uh, certainly is, is [00:08:00] quite admirable given the talent gap that you referenced. Uh, plays into my next question a bit, which is how does New York compete for cybersecurity talent with the private sector?
Kelly: Yeah, so I, I don't really see it as competing. Right. And the reason I say that is because I'm pretty practical. I think anyone who's worked with me in the past or even currently knows, Uh, the, the diversity of experience you get as a cybersecurity professional is the thing that makes you stand out on your resume and in your interviews and makes you better in con contributing to the community.
So how, how on earth is somebody getting a diversity of experience? It means you're not, you might not stay in the same job for. You know, many, many, many years, um, working, you know, as a vulnerability analyst for, you know, your entire career. Um, so that means that the, in terms of competition, I see it as, you know, I'm city government.
Could be, uh, a stop along your journey and hopefully you can come back to us right [00:09:00] as you, if you pop out, you can always pop back in. the private side, right? I, I can't compete with all of the salaries that the private sector offers, but what I can compete with and what I can offer, which I think arguably a number of people come to city government for, or government writ large, is the mission.
And you get to, you get to protect some pretty interesting technology.
Blake: I can
Kelly: I said earlier,
Blake: Yeah, I, I, I mean, I guess a lot of it is sort of what you'd expect in a city environment, but also just being able to walk around and say like, yeah, I defend the city of New York. You may have heard of it, is a pretty cool tagline to have.
Kelly: Yeah, it's definitely a point of pride and I'm just so impressed with the team that I have and the security team at large in, in New York City. It's definitely a, a point of pride that we protect and defend New York City and being a new, a new, relatively new. New York, new Yorker. Uh, it's an incredible point of pride for me that I get a chance to, to be in this role and [00:10:00] move the cybersecurity defense posture forward for New York City, which has been awesome.
Blake: So let, let's talk about that new New Yorker angle a bit because I know you've had a range of experience at federal agencies in the private sector, from Apple to the Department of Homeland Security. Uh, how did you come to land in, in NYC and, and what sticks out for you in your thinking about your journey to your current role?
Kelly: Yeah, so I, I took a leap of faith in the pandemic and uprooted my life to New York City to be the CSO for N Y P D. I wanted a, a bit of a change. I wanted a additional, um, perspective and experience. So I was working at Department of Homeland Security and I, I stumbled upon an opportunity to take a, a sizzle level role at N Y P D, which I.
Really exciting. And now being the New York City Chief Information Security Officer, I've gotten a really good sense of how the city operates, right? And all of the different agencies and mission perspectives. And again, I did not expect to uproot [00:11:00] and move in the middle of a pandemic, but I think some of the best opportunities come when you least expect it.
And this leap of faith has absolutely worked out and I, I feel very deeply in the fact. You have to take those chances in your career to push yourself and understand, you know, how to get to the next, um, the next step in your career. Because again, my, my pathway, um, to New York City and even into cybersecurity was not linear, not traditional.
And I think there's a majority of people out there that are probably like me, who maybe started in the tech field, got interested in cybersecurity, um, through maybe mentors or just, you know, interesting problems to solve and then found themselves in this really exciting new world of cybersecurity. Um, and you know, now here, here is where I am, which is fantastic.
Blake: Well, I, I can't imagine picking up and moving during [00:12:00] the pandemic sounds a little bit stressful, even though you were based in the DC area. Before I take it,
Kelly: Yes, I was for like the, my entire adult, uh, career life.
Blake: Wow. Well, we don't need to get into the DC New York controversy comparison. Uh, new Yorkers would probably say there's no comparison to start with. So, uh, so we'll, we'll leave that to the listeners to hash out, but I did want to highlight a quote from, uh, New York City, mayor Adams, who, who said recently, and it was kind of alarming, honestly.
I looked at it and I was like, wow, this. Uh, cyber threats can bring our entire city to a halt if we're not prepared, costing us time, millions of dollars and even livelihoods and lives end quote, that is quite a strong statement. Uh, so how do you navigate preparing for that sort of low likelihood but really high impact potential cyber event that he seems to be referencing there?
Kelly: So I think that's a great statement. Uh, it opens folks eyes to the reality of what occurs every single day, right? We are on the front lines every single day. [00:13:00] Um, preparing and prepping for, you know, worst case scenario, but beyond that, measuring ourself against resiliency, right? The concept of cyber resiliency, especially for state and local government, including municipalities, um, is, is one that keeps getting talked about for a reason.
How do you prepare? For worst case scenario and all flavors of worst case scenario. So, you know, I, I take that incredibly seriously, that that sense of urgency and importance to our mission and my team does as well. And that's the really powerful message I think, especially within a municipality like New York City Minutes matter.
Uh, they, they matter more deeply, I would argue to a municipality because we're dealing with New Yorkers information and services. And again, the stakes are incredibly high. So protecting and defending those systems so that behind the scenes [00:14:00] you, you have no idea what we're, what we're seeing and defending again, and you're going about your daily life interacting with city.
Um, with no issues. Like that's, that's blue skies and steady state for us. Um, and I think that that sense of importance and urgency that you see in that, in that message from Mayor Adams stands true today.
Blake: Well, against that backdrop, I hope you'll pardon me for asking a, a stereotypical question for chief Information Security officers, which is the, uh, what keeps you up at night.
Kelly: That's, I hate that question, and I love that question. I will say, I always think it's funny depending on who you ask that question, I'm sure you've asked it to a number of people. Has anyone ever said they don't sleep at night? I don't know. Has anyone ever
Blake: are like, some people are like, I sleep like a baby, and they're just like, you know, they just ignore the question altogether. So it does vary.
Kelly: Yeah. So I think, uh, from a, from a real perspective, I
sleep
at night because I have an incredible team and I know that [00:15:00] even if and when something were to occur, we are well poised to respond accordingly. Um, And that's what, that's what's great about doing what I do. On the flip side though, I think Amy Siso, who doesn't say that, you know, we we're always trying to do better.
We're always trying to push the envelope of getting us stronger and more resilient. If you're not reaching for something, then what are you doing? So I'm a little bit. More practical on that end. So I have an amazing team, which is why I sleep, which is amazing. I actually do get to sleep from time to time.
They've got my back. And I think that's, that's really, um, that's a powerful testament right to the, to the mission serving folks that we've got here on, on staff. And, you know, I've gotta give them a lot of kudos for all the hard work that they do day in, day out. Very often do people not realize the countless hours, the, the breaks away from family.
The investigations that go far into the night that you just don't realize behind the [00:16:00] scenes the cyber professionals are working, you know, 24 7.
Blake: Yeah. Yeah, and, and it's so. Interesting to see, uh, you know, to hear from people on those front lines. And again, hopefully we don't have to see in the headlines, you know, what could happen or what's going on. Uh, and I know a big part of that comes down to, uh, information sharing for the threat analysis piece and making sure that you're staying on top of, you know, what the latest and greatest is.
So, you know, being based in Washington, DC myself, we have a lot of these information sharing and analysis, uh, centers. Headquartered here. I, I know the electricity ISAC is, is, uh, down the street for me a little bit and I, is there like a, a city isac or, uh, you know, how do you stay in touch with your peer, you know, chief information security officers and say, I don't know, Chicago or San Diego to stay ahead of threats.
Kelly: great question. So I like to answer that kind of a little bit differently. So, New York City, given how big we are, we operate unlike, uh, states and [00:17:00] sometimes other municipalities. And the value add that we offer again, is if we're seeing something across New York City from a campaign perspective, we believe in the.
Solve for one. Solve for all, right? Feeding that information back, uh, to the community so that the next entity or the neighboring county can better protect themselves. So we don't only partner with. Other, other municipalities, other states, other operationals, the ISACs, I mean, you name it, we likely have a connection to that entity or that org or that person.
Um, in early 2022, mayor Adams and Governor Hoku launched the Joint Security Operations Center, which is where I'm sitting today. Um, we have partnerships across New York, um, and even I would, I would argue across the world, and that's because we really have to think about cybersecurity. Bigger than just the other state and city CISOs, but really Okay.
What are the private firms skiing, what we're seeing? [00:18:00] Um, so anyone and everyone that, that has, um, a stake in this, in this game, we are looking to make sure that they're protected, like we're protected. Um, and we can kind of, we can share that intelligence across the board so that, like I said, that includes public and private sector.
And a lot of that's through word of mouth or through direct engagements. They hear about what we're doing, we hear about what they're doing and then reach out and it's been great. It's been great to see that partnership across the US for sure.
Blake: On that threat front. I, I, I've noticed that ransomware, attackers in particular really seem to have taken off the gloves and are just going after, you know, soft targets like schools, hospitals, and other critical infrastructure organizations. It's, it's, it's really terrible. And, you know, as somebody who's on those front lines, again, as we've discussed already, what, what ransomware trends are you seeing and, and how do you help defend organizations?
Maybe don't have a ton of resources at their disposal to throw at a problem like this.
Kelly: Yeah, so I'm sure you've probably seen this in the industry. [00:19:00] It's something that I've been watching pretty closely as I, as I look at industry trends across the board, depending on the sector you're talking about, we're noticing, uh, uh, I think across the industry, the, the fact that there could be ransom, but not ransomware.
Right. So, um, attackers that, that leverage, you know, uh, ransomware to conduct their operations, obviously, but then sometimes we also see just ransom requests for payment, right? So without actually dropping malware, because sometimes it's worse to just be able to touch the information and say that you. You don't actually need to deploy malware.
So I, I've been noticing that definitely as an uptick across the industry. I, I'm sure you've seen that probably from, from your end as well. So it's definitely something that we're watching. Um, and I think maybe five years ago that was not, A trend that you'd see a lot. Um, but now it definitely, with the [00:20:00] rise of ransomware, I think that that's gonna be something that's continuing to promulgate as, as folks, uh, start to diversify their TTPs, um, from a threat actor perspective.
Blake: Right. Right. They're tactics, tech techniques and procedures we'll say for people who may
Kelly: There you go. Thank
Blake: not be caught up on those. No. And, and, uh, speaking of TTPs, you know, one organization that certainly plays a role in getting that word out is the, uh, cybersecurity and infrastructure security agency, which, uh, does a lot of promotion nationwide around cyber awareness.
And, uh, how do you promote good cyber hygiene in New York City?
Kelly: Absolutely. I, again, I think we're a little bit different in this regard. Yes, we absolutely do promotion. We have citywide cybersecurity awareness training, um, for city employees. We've also got a little bit of, um, the, on the public engagement front, again, elevating the cybersecurity conversation. So you're a resident in New York City, you can download NYC Secure, um, which gives you a little bit of, uh, security protection in your mobile phone.
I would, I would say that most. People have a mobile device and are likely joining in secure wifi, right? And maybe not realize it. So little reminders like that, Hey, this is a phishing link. This could be a, a, a suspicious text message. Um, gives that level of protection and extends it not just to city employees of course, but also really.
Focusing on the public writ large. Um, and so any opportunity we have to get the word out there about how to pro protect yourself and be cyber safe, um, we take advantage of it for sure.
Blake: Definitely that's, that's so important that that messaging and, uh, now I know speaking of work to be done in the industry. There, there is, I think it's widely accepted that there is a, a little bit [00:22:00] more. That could be done to build out that diverse pipeline of cybersecurity talent, industry-wide tackling these issues.
And a, as a woman who successfully risen through the ranks of InfoSec, uh, what would you say to other women who may be on the fence about pursuing a cyber security career in the first place?
Kelly: Yeah, I would say representation does matter. I think, um, I think for me, I didn't even, I had all the opportunity in the world to do what I wanted to do in life, and I did not realize cybersecurity was an option for me. Not that it couldn't have been an option, I just didn't realize until later in life, oh, hey, cybersecurity could be something that I could get into.
Right? And I think that a lot of that had to do with the fact that I didn't, maybe I didn't see folks that looked like me in roles, um, technical roles in cybersecurity, but I think for the women out there, Considering it or maybe it doesn't, don't even know that it could be for them. You just have to start.
You just have to [00:23:00] try. And I think the really amazing thing about the profession in general is you don't need a degree. Arguably, you don't need even a lot of money. If you have access to the internet and you have access to, to a technology product like a, a mobile phone, a laptop, there's so much out there and open source that if you really want it, you can start learning.
Without an instructor, without a really expensive bootcamp, and you can just start, and that gives you enough to go off of to say, oh, this could be something for me. And again, not every cybersecurity career means you have to be a pen tester. For example, nine times outta 10, when I talk to people cyber, they say, oh, but I, I don't have the.
I don't have the technical chops yet to be a pen tester, an incident responder, and I always remind them like, do you think those people started out as that? No, absolutely not. They had to learn, they had to sort of, they had to be around the technology and have an understanding about how systems are built and then you grow from there.
And so being able to [00:24:00] socialize. The, or even demystify the, the profession at large. If you're a woman out there that wants to get in the space, start asking questions, be bold, reach out to someone and start poking around right. And get your curiosity up. I think that some of the best, um, security professionals that I've met in my career that I really look up to are the one.
Were persistent in their intellectual curiosity and really had a, a strong drive to learn and, um, you know, talent to, you know, to, to grow in the field. And, and that really matters, I think, and that comes across when you're interviewing and that comes across when you're talking to folks. And, um, it's an exciting, it's an exciting profession to be in, and you can feel that when you talk to folks in the.
Blake: It's certainly dynamic. There's always something new around the corner. It's constantly changing. You know, we talk about the ever-evolving threat, and it's true, right? Every day there's something new that comes up and, uh, needs to be dealt [00:25:00] with. I, I, I imagine that that keeps you pretty, pretty busy in your day jobs.
Kelly: Yeah. I always joke that I feel like we're, uh, if you work in cybersecurity, you're a glutton for punishment. You love to always try and figure out something faster than the attack. you know, one step ahead of the game. Um, but it's that, it's that new and exciting learning opportunities that I think keep, keep people coming back to the profession.
Blake: Not to mention a perfectionist. I know there's that mantra of, uh, the attacker only has to be right once, well, the defender has to be right every time, which, you know, I Okay. Maybe a slight exaggeration of the reality, but still there's a kernel of truth
Kelly: No, I absolutely think that that's the reality. A thousand percent. I always joked it's like you could lock every single door in your house. Intruder finds a, a window that has is unlocked or that they can break into, they're gonna try. Right? It's the same thing. They only need one small window of opportunity.
And, and that's what makes the defender's job incredibly hard, but incredibly rewarding when you can [00:26:00] stop things from happening.
Blake: was there ever an aha moment for you when you realized that you wanted to. Move into cybersecurity as your career.
Kelly: That's tough, I think because. I, I, throughout my career, I think I've gotten so wrapped up in learning about cool and new, uh, tactics and, and techniques that oftentimes, I think in general, I'm probably like most cybersecurity professionals, we, we have a hard time stopping and reflecting and looking back, I will say, um, I thought it was, I thought it was incredibly cool when I could call myself a security.
Um, for my entire career I did not go to school for engineering. I, um, my bachelor's is international studies in Russian language, and so when I realized that I was a security engineer and not just entitled, but I. Was doing the work, right? And I, my peers knew that I was doing the [00:27:00] work and I could sort of humbly say, no, I'm, I'm doing this.
Oftentimes that comes after you're already doing the work when you realize it. But I think that was the moment where I said, wait, I'm actually pretty good at this. This could be something that I could continue. Um, and, and so I think that that's the closest to the aha moment that I had when I could explain something really, really technical from the building of a system and securing it perspective, um, that I even said, oh, wow, I, I knew something that normally this other person always knew more than me.
I'm finally bringing to the table some of these skills that I've been working so hard at. So that was, that was probably my, the biggest moment for me.
Blake: Well, security engineer is certainly an impressive and hard-earned title, but let's not sleep on the Russian language skills either. I have a, a bad feeling. Those might come into play at some junctures in your,
Kelly: Well, I'm not good at it anymore, so I can say that I am not really good at all. But, um, but yeah, it was fun while I was learning it [00:28:00] for sure.
Blake: Yeah. Yeah. Hopefully, hopefully some of your, uh, your other analysts have you covered on that front with, uh, with the potential threat from, from that nation state. Uh, but so I, I, if, if we're not, if we're not gonna reflect as much here, what's next for your office? What's coming up on the horizon?
Kelly: Well, I'm very excited about our spring cohort of Cyber Academy. We, um, are focusing and really doubling down on operationalizing Zero Trust, which I love to talk about, but not in a buzzword way. Um, we're we're doing it. Yeah, I
Blake: that, that, I'm sorry that that is a buzzword, so let's just stop
Kelly: Yeah, a thousand percent. It's a buzzword, but we're actually, we're, we're putting some rigor behind it, which is great.
Um, and again, just bolstering the resiliency across the city. And I, I say this all the time, we have to meet our customers. Where they are customers are, are both the public, the city agencies, and making sure that we're giving, uh, [00:29:00] the agencies and ourselves the, the tools and the, the guidance to succeed in this.
As it continues to ever evolve, um, and that not is not just on the, the, the technical side and the, the patching and the remediation, sort of your. Your core pillars of cybersecurity portfolio, but that's actually prioritizing the things that matter the most to protect ourselves against the next, you know, swath of attacks.
And, and so looking at the investments that we can make in our people, bringing folks into city service and getting them the skills so that they can go back out to the community of cybersecurity when they're ready. And if, if they choose that, and we're, again, we're feeding the c. With better, better cybersecurity practitioners, which ultimately is gonna pay dividends as this whole of society approach to cyber.
So for us, that type of engagement, both from the city employee perspective, city agencies, and then the [00:30:00] public for the residents of New York City, is the thing that I'm so passionate about, means I think that this. Opportunity as the CSO of New York City allows us to kind of move that forward.
Um, and so I'm really excited, excited for that on the horizon. And again, just bolstering cybersecurity protections in not a buzzword way we'll say.
Blake: Right. Right. Well, and I think that whole of society approach you mentioned is so important when it seems like everything's connected. Now digitally you get just your, you know, put a chip in. It seems to be the answer to literally only new technology. Do, do you see what's next on the technology front?
What's the next frontier for New York? What, what is the next attack surface you're sort of thinking about potentially protecting?
Kelly: So I think. It's not what's next, it's, it's what's already here. And I've been focusing very heavily with across the city on cloud security for a reason. Uh, if you think about iot, internet of things, device, if you think about the interconnectivity [00:31:00] of systems, it doesn't matter if they're my system, pub, private sector system, it doesn't matter, right?
There's connectivity to. Cloud infrastructure people are building in the cloud more. Um, and so bolstering foundational skills and understanding on how to very rapidly assess and secure cloud infrastructure, whether that's an infrastructure as a service, uh, platform, as a services, software as a service, or those backend components for, let's say an iot and Internet of Things device.
That's the future, but it's now, and that will only continue to be complex as the sprawl of interconnected devices continues. So, um, we've been focusing very heavily on robust cloud security as an enduring theme. And yeah, of course we're always, we're concerned about, you know, post quantum and all those fun things as well.
Um, but the very big reality right now I think is, is focusing up [00:32:00] on. Um, tightening cloud security.
Blake: Talk about the ever-evolving landscape and needing to constantly learn. Quantum's a good example of that. Who to think that we'd need to be staying on top of this and paying attention to what Ness is saying about encryption standards and oh my goodness. Well, I won't keep you away from your mission too long.
I really appreciate your time here. I, is there anything that we didn't get a chance to cover that you wanted to make sure listeners, uh, heard straight from you?
Kelly: Well, I'm absolutely going to plug if you are interested in doing good within New York City and for the community at large, we're actively hiring across a number of different roles. Like I said, it's, it's an interesting mission space and it's incredibly valuable and you're around sort of the brightest minds in cybersecurity, I would argue my team.
Um, and so if you wanna come work for the. You should, um, we're actively recruiting, um, nyc.gov/jobs. Um, come work for New York City cyber.
Blake: The fact check checks out on my [00:33:00] end. Our tagline on we're in is get inside the brightest minds in cybersecurity. So I'm not exactly gonna gonna second guess that conclusion. And uh, now we do have one question that we ask all of our guests here on the podcast, which is, what's something that we wouldn't know about you just by looking at your LinkedIn
Kelly: Oh, that's a great question.
I grew up working on a farm in an orchard, um, for many years of my life. So hard work and perseverance is core to who I am and arguably has, has made me what I am today.
Um, so yeah, but you would not see that on my LinkedIn profile.
Blake: The big apple, apple orchard, I take it, or what kind of
Kelly: Yeah. Apple orchard, the whole nine yards. New England, yes. Known for their apple orchards, stunner orchards in South Glastonbury. I've gotta give a plug to, to uh, to that family owned farm that I grew up with.
Blake: That sounds lovely. I'll have to check it out. Get some, uh,
Kelly: you can go apple picking in the fall. There you go.
Blake: gonna test my knowledge of my knowledge of Apple [00:34:00] varietals here. I'm like, I don't know what they grow up there, but I'm sure
Kelly: Lots of varietals, lots of pick your own, you know.
Blake: Great. Great. Well thanks again for joining us and uh, great talking
Kelly: You as well. Thanks so much for having me on. I really appreciate it.