Cyber Savvy

Building Cyber Resilience with Tasha Cornish | Pt. 1

Season 3 Episode 5


Join host Mike Shelah as he sits down with Tasha Cornish, Executive Director of the Cybersecurity Association Inc., to discuss her journey from Maine to Maryland, from medicine to cybersecurity, and her mission to make cyber education more accessible. 

Learn about the Association's three centers of excellence, their approach to workforce development, and how they're helping businesses become more cyber resilient. Whether you're a seasoned cyber professional or just starting to think about cybersecurity for your business, this episode offers valuable insights into the evolving cyber landscape. 

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!


Mike Shelah (00:01.669) 

Hello, cybersecurity and podcast universe. Welcome to another episode of Cyber Savvy. I am your host, Mike Shelah and the Cyber Savvy podcast is powered by DTC. To learn more, go to www.dtctoday.com. And remember, at DTC, we make shh IT work. All right. I am very excited for this month's guest. Tasha Cornish and I have known each other for several years, both cyber nerds, both been in this industry for a long time, working with businesses in the mid-Atlantic marketplace and now beyond. And I know Tasha's going to get into that in this episode. So Tasha Cornish, Executive Director of Cybersecurity Association Incorporated. 

Welcome to the Cyber Savvy Podcast. Great to see you. 

 

Tasha Cornish (01:02.286) 

Great to see you too. Thanks so much for inviting me, Mike. 

 

Mike Shelah (01:05.839) 

Yeah, this conversation is going to be great because I believe what your organization is doing is so critical to the business community in the United States getting to where it needs to be sooner rather than later. You know, I'm sure that's going to come up in the topics that we hit today. But first, I like to call the opening segment business person, where you as a person in business, tell us a little bit about yourself. Now I know about your fondness for a good pumpkin muffin and a latte, but, you know, tell our community a little bit about you as the person without the cyber part to start. 

 

Tasha Cornish (01:53.886) 

Sure. So, I think it's important to start that I grew up in Maine. 

That's a really important part of my origin story. It was a lovely place to grow up and very connected to nature and to my family and to the quieter activities of life, I think because of that. I've lived in Maryland now since 2010. I moved down here originally to pursue a career in medicine and research and public health. And that's what I spent the first eight to 10 years of my career doing. 

 

I had a wonderful time working with very diverse populations within the Maryland area. And then at the end of 2020, I said, you know, it's time to do something new. So I had been running an organization for older adults at that point. And I found this listing for the cybersecurity association and I applied for it. So that is how I have been here now for four years. 

 

When I'm not thinking about, dreaming about, doing all sorts of things I do as part of this job to grow the cybersecurity community, I like to spend time with my husband and my dog here in Baltimore City. We live in a lovely neighborhood that has lots of amenities, so we can often be seen walking around the many businesses. When I need a little bit of a break, I love to escape to Western Maryland and points farther to go to the mountains and just spend some time again connecting with myself and those that I love. 

 

Mike Shelah (03:43.899) 

So the Maine connection with the mountains, I totally get that. I've only been to that part of New England once or twice in my life, but it's positively gorgeous. What kind of dog? 

 

Tasha Cornish (03:56.521) 

I have a Shiba Inu. 

 

Mike Shelah (03:58.489) 

Okay, I don't know what that is. 

 

Tasha Cornish (04:01.102) 

Are you familiar with Dogecoin? 

 

Mike Shelah (04:04.102) 

Uh no? 

 

Tasha Cornish (04:06) 

Okay, so Dogecoin is a type of Bitcoin. There's also Shiba Inu coin. There was a famous internet meme 15 years ago called Doge. So that is a Shiba Inu. So that is sometimes, especially little kids will be like, it's Dogecoin. They'll point while we are walking our dog. Exactly. 

 

Mike Shelah (04:24.273) 

Even the dog's cyber! So you start out in medical and I guess just as an aside, I think I find it fascinating how so many people in our industry didn't start in the industry.  

They came to it. Now, I tried to start in the industry. So when I graduated from high school, I went to one of the premier colleges in the United States for computers. Like back in 1990, that's what they called it. You went to school for computers. And I quickly learned that I did not want to learn to write code. And I didn't want to learn Pascal or COBOL or C or C plus. Like none of that interested me. They said, well, that's like half of your degree. 

I'm like, okay, I'm not doing this then. So I did a complete 180 and I got a degree in English literature. So, actually that means I go into sales when I graduate from college. And yeah, I got back into technology for business in 1999 and I've been there ever since, but it's fascinating to me how I want to say at least 50% of the people in our industry did not go and they were like, I'm going to be in the medical field or I'm going to write the great American novel or I'm going to do anything but technology has become so pervasive in the world of business that by necessity, everyone has to have some of that. Is that sort of like the world that you see for the Cyber Security Association? 

 

Tasha Cornish (06:22.894) 

Absolutely. I think it really represents the diversity of roles that we need and that we have within technology and specifically cybersecurity. We need folks who can cover the whole spectrum of what it means to secure our business, our data and our customers. 

 

Mike Shelah (06:46.865) 

Yeah, diversity, I think is the word to highlight there. Because you and I have talked numerous times about everything that goes into the technology for a business. And I was talking to a friend this morning and said, you know, five years ago, a business could set up a firewall and they could put antivirus on their computer. 

And maybe do two or three other things and they were safe. And you know, if you accidentally downloaded a virus, then your IT company would come in and they would remove the virus and they put it in this sandbox and they get it out so that your company was safe. But COVID really changed a lot of that.  

COVID created this pivot in the marketplace that businesses now really shouldn't and couldn't trust anything. And the hackers are getting far more sophisticated. One of the most brilliant, subtle things that I'm seeing hackers consistently do is creating emails using Cyrillic instead of English. So that the letter A is the only thing that looks different. And if you're not paying attention, like that's what gets you.  

Because otherwise, the branding of the emails, whether they're claiming they're from Amazon or they're claiming they're from your bank or whatever. I'm trained to evaluate this stuff. And there are times that I will take a good two, three minutes to look at an email and go, I don't think that's real. 

 

Tasha Cornish (08:38.252) 

Yeah, absolutely. And we've normalized, you know, sending text messages. Hey, I got this email from you. It seems a little off. Is it you? And they're like, no, it's junk. Ignore it. But I mean, I think we all have such diverse tech stacks as well. So sometimes you'll get like a new email from another vendor or another system from a vendor that you trust. And you're like, oh yeah, that must be their new accounting service or you know, this must be our new collaborative project management thing. 

Sure, that's fine. I'll connect to it. And it's really complicated how we assess what is real and what is not, for sure. But it's made us actually, I think, go back to more old school methods of picking up phones and walking down halls and knocking on doors if we're, you know, have the luxury of working in an office to see if this is really something to be trusted. 

 

Mike Shelah (09:30.811) 

Yeah, analog verification has become increasingly important. So I started with DTC at the end of September and I cannot tell you how many text messages and emails I've gotten from the owner Steve that say, hey Mike, need to talk to you. Contact me at this link or here's my WhatsApp? And I'm like, really? 

The owner of the company is going to use WhatsApp to communicate with me. But there are scenarios where somebody that's new to a company, maybe they don't know that and they fall, they fall prey to that. So like, are you having those conversations with the people that you interact with on a daily basis? 

 

Tasha Cornish (10:26.38) 

Definitely, all the time. And I think the wonderful thing about my job is I get to work with so many talented folks like yourselves and our members who are really living this day in and day out. But I also get to talk to a lot of people who aren't. And I think that that is something they are always also talking about. So, you know, I try to drop in those little hints where I can and nuggets if they're open to them. And usually they are, right?  

I think that cybersecurity can seem really scary and I think sometimes the marketing of our industry makes it seem you know, fear we have to scare this and it's all so you know whatever but when you see just me or one of our members out in the community it's a lot more approachable and I think people are more open to talking about it when they can put those faces to the industry and you know really feel the human factor of it. 

 

Mike Shelah (11:19.887) 

Yeah, I have two very real experiences in my own life just in the last month or so. So my wife's aunt, she's in her seventies now and she just moved into a retirement community not too far from us, just down the street. And I'm default tech support for my family. I know enough to be dangerous. So something goes wrong, whether it's my aunt in North Carolina or my wife's aunt across the street or my uncle in New York, you know, I'm getting the call, hey, how do I deal with this? And my wife's aunt was complaining that her Roku wasn't working properly. 

 

And because at the time she was living in Baltimore City, I'm like, all right, well, the next time I'm down there, I'll take a look at it, I'll figure it out. And a couple of days later, we get a message from her that says, oh, well, Microsoft contacted me and said that my account had been hacked and that's why my Roku isn't. And I'm like, that's not how this works. That's not a thing. 

So she'd been hacked and I said, call your aunt right now, tell her to shut that computer off, disconnect it from the internet. I said she needs to buy a new computer. I said, next time we go there, I'll pick the computer up and I'll try and restore the hard drive before the incident happened and maybe she can still use the computer, or we can sell it or something. She's running Windows 98. 

 

Tasha Cornish (13:00.363) 

Oh my goodness 

 

Mike Shelah (13:02.357) 

And I just said, yeah, I'm going to pull the hard drive and smash it. I said, this thing, you know, it's a piece of tin at this point. But somebody in their seventies doesn't know, hey, my operating system hasn't been supported now for 15 years. And, you know, even so I was away from the cybersecurity world for a couple of years and that was a real wake up call to me because I'm used to being around people that are, when it comes to cyber, way smarter than me. But when you work in an office where cybersecurity is not the focus of the business, the average everyday person on a scale of one to ten is about a two as far as what can and cannot impact them. And that's, I'm guessing, you know, that's part of what Cyber Security Association wants to do, they want to educate. 

 

Tasha Cornish (14:02.538) 

Absolutely. It's a huge part of our pillars. 

 

Mike Shelah (14:07.813) 

So I know that it used to be called CAMI. And the M in CAMI was for Maryland. And you made the decision to really increase the outreach. And so now you're doing events outside of Maryland as well. So talk to me about how and why that evolved and became important for the Cybersecurity Association. 

 

 

Tasha Cornish (14:12.14) 

Yeah, so we were founded, actually next year is our 10 year anniversary. So we were started in 2015. And as you summarized, it really was focused on Maryland owned businesses, headquartered businesses created by Maryland residents to increase cybersecurity awareness and sales basically of those services and those products. And I only know the cyber association post COVID. 

So when I came in 2021, it was very clear that our companies were hiring folks from all over the country. Our members were no longer just here. And our state, because we have a lot of government agencies here, because we have a lot of state regulations, you know, more so than some other states, we require a lot of folks to do this work. And a lot of those companies were also using Maryland as an inroads to the national defense world. And it really didn't reflect who our members were. 

It didn't reflect the opportunities where we could go with our members. And as we position ourselves as a resource center, there's a lot of misunderstanding about what we were as the Cybersecurity Association of Maryland. People thought we were a government agency. They thought we were a training school. They thought we were a whole host of things. And so by minimizing the words in our name, hopefully they will see very clear Cybersecurity Association. And we've worked a lot in the past year to really shore up that branding and just breathe into our new identity. 

 

Mike Shelah (16:28.029) 

Use the magic word, resources. You're a nonprofit. You're out there to serve the business community. Talk to me about the resources that you're delivering and who takes advantage of them or who you want to take advantage of. 

 

Tasha Cornish (16:43.362) 

Absolutely. So we organized our activities into our three centers of excellence a few years ago. So I'll go through the three of them. It will end with cyber resilience because that really is a huge piece of who we are. But our Center for Cyber, excuse me, our Center for Business Growth and Innovation is really focused on those small to medium sized businesses, Maryland based or not, who want to grow and who really are critical to our national 

 

I think a lot of times when people think of cybersecurity, they think of all these really large contractors and all these companies that we all know about. But so much of the work is done by these smaller innovative companies and the folks who work at them. 

And if they don't know...their customer, right? If they don't understand marketing or sales or any of those business activities, finance, it's going to be really hard for them to continue to grow their business and complete their mission. So we provide a host of activities, networking events, business summits, different webinars, and the different interest groups that I mentioned to bring those folks together so they can grow their business. 

Secondly, we have talent acquisition. So sure, this is a center for students and other job seekers, but it really was created as a center for the employer to make sure that they understand skills-based training. If they want to create on-the-job training opportunities at their company, what does that look like? And we also do a lot of advocacy out of that center for more investment at the state and also federal levels in workforce development to make sure that we have the workforce that we need for now and the future, which is critically important. 

 

Tasha Cornish (18:29.932) 

And then lastly, we have our Center for Cyber Resilience, which is where we do all of our education and outreach for the non-cyber company. So this could be for cyber professionals, right? We know, again, a lot of folks are growing up in their careers. They want to be connected. This is a great opportunity for them to join one of our practitioner round tables. And then we also have a lot of curated directories and others for those who need cyber resources. 

Whether you're the defense industrial base or you're a small business or you're a non-profit or you're a state or local education agency, which we also provide a lot of services to through our different seminars and one-on-one consultations. 

 

Mike Shelah (19:18.117) 

I love it. And for me, I find the workforce development the most intriguing because there, for whatever reason, there is this gap where employers say, we can't find enough qualified people to do this job. And on the other side, you have all of these people that have the degrees and they have the certifications. And they're like, I can't find, I can't get somebody to respond to my resume. And as someone who was in the job market just six months ago, I saw that firsthand. It's funny, I was sending out my resume and I, you know, I did the thing where you go on LinkedIn, you see a job that fits your background, and LinkedIn will go so far as to say, hey, you're a fit for this job. And nine times out of 10, it's like, no, I'm not. 

 

Tasha Cornish (20:28.883) 

Yeah, they need to improve that algorithm, but that's okay. We'll conversation. 

 

Mike Shelah (20:31.153) 

Yeah. Yeah, but that's a crucial part of it because if you're not savvy in the workplace, in the business community, if you're not a known name, cutting through all of that red tape can be so hard. And again, a conversation you and I have had offline, one of the things I loved about DTC when they hired me was they had me sit down with every employee in the company and spend a couple hours with them. What exactly they do for the company to support our customers. So that's really a good business. That's the goal. I don't care whether you're the CEO or you're the receptionist or anything in between. Your job is to take excellent care of the customer. 

And the number of people that we hired, not because they had a degree from XYZ company but because they had the right character and they showed the willingness to learn. It is astounding. Now don't get me wrong, we have guys with cyber security degrees and, you know, 15 different certifications for everything under the sun and they handle very specific pieces of the customer experience and that's necessary. 

But we went on the strategy of hire good people, good characters that want to learn and want to be part of something. And I'm guessing that's the conversation you're having with a lot of these employers is say, hey, no, this person doesn't check all of your boxes, but they check seven out of 10 and you should take a look at them. 

 

Tasha Cornish (22:21.966) 

Absolutely. And you know, when you're posting job descriptions. It's the same thing we talk about when we're looking at federal contracting too, right? At the government, when people are approving OMBs, approving new contracts. Is there a bunch of language in that contract that isn't really needed, but is just copied over from the past contract? Sometimes we do that. 

Sometimes you see jobs and you're like, wait a second, why is that part of this? And it's really just something that's been copied over. Or people don't interrogate. Do we really need somebody with a four year degree right now in this position? Maybe, maybe not. If they have the right skills and they can learn and maybe if that's important, they can go back and do that at a later time. That's great. And you know, something from the medical field that I talk a lot about in cyber is working at top of license. Sometimes I see really educated, smart, experienced cyber people working on some tasks that could be done by another person, not a paraprofessional, but you know, an entry level person, a person who's still learning on the job. 

So, when we're thinking about how we're breaking up our work days and what our job roles look like and task and accountability and all the different things our businesses need to succeed, I really encourage our members to interrogate that and say, you know, is this really the best use of this person's skill, of this position, et cetera. 

 

Mike Shelah (23:49.563) 

Love that comment. Several years ago, I was hired by a company. I won't say that it was a bait and switch. But the communication around my responsibilities was not terribly transparent until after I had been hired. And compound that with the man that hired me who had been the sales manager there for 15 years quit after my first week. 

 

I go into a team meeting because now the regional vice president and the manager above him have come in to talk to the team and say, Hey, you know, so and so left, we're going to hire a new person, but we're going to be thoughtful about this. We're going to be intentional. We're not just going to hire anyone. And I pulled the two of them into a room and I said, there's been a mistake. 

Like, what you've hired me for is not what I came here to do. And frankly, you could pay somebody a lot less money than you're paying me to do this job. Like if that's what you want done, you're wasting your money on me. Now, can I figure out the job? Can I do the job? Yes. But I don't want to. And that's not why I came here. 

So let's talk about how to correct that. And because they're a global organization, they said all the right things and did all the wrong. But that's probably another podcast for another day. But the medical industry is certainly an interesting one from a cybersecurity perspective. 

 

Tasha Cornish (25:50.516) 

Absolutely. 

 

Mike Shelah (25:52.177) 

When I first got into a pure cybersecurity role, I knew enough to be dangerous. And I said, I need to understand better what's impacting businesses. So I found this other excellent podcast called Help Me With HIPAA. And it's these two IT people out of the South. I want to say one in Georgia. And they've got like 200 episodes now. And it's 30 minutes of them just talking about all the complexities that go into HIPAA. And you, as someone who cut your teeth, you probably saw the front lines of that. Because 10 years ago, HIPAA looked very different than it does now from a technology. 

 

Tasha Cornish (26:45.772) 

Right, absolutely. And when I worked at the NIH, I was responsible as a clinical research coordinator to do all of the compliance when it came to the research study. So it was myself responding to the IRB when somebody did not encrypt an internal email that had patient information. And, you know, or I had to tell the FDA when I realized that people had access to information that they didn't need access to, right? So I was thinking about data segmentation and network segmentation and encryption before I even thought about it as that because it was just part of my job as a clinical research coordinator. 

 

Mike Shelah (27:25.115) 

And it was somewhat ingrained into the daily for you. And because of that, you had to point it out to people that it wasn't. 

 

Tasha Cornish (27:33.088) 

Exactly. Exactly. 

 

Mike Shelah (27:34.703) 

Yeah. Well, Tasha, I think this is a great place for us to wrap up this episode. And I'm so excited to continue the conversation in our next one. So thank you, Tasha Cornish, Executive Director of Cybersecurity Association, Incorporated. And again, my name is Mike Shelah. I am your host. This is the Cyber Savvy podcast powered by DTC. To learn more, go to www.dtctoday.com. And remember, at DTC, we make shh IT work. 

 

 
