Cybertraps Podcast

Okay, welcome to this, uh,
special edition, live edition

of the Cybertraps podcast.

We're here at the Inch360
event, uh, in December of 2023.

Uh, we've got Najee Sehanle.

Did I say that right?

Yeah, you got it just right, Jethro.

Okay, good.

Uh, why don't you tell us a little bit
about, you know, 30 seconds introduction,

who you are, where you work, what you do.

Sure, my name's Najee Sehanle.

I'm the IT Security Analyst
at the Spokane Regional Health

District in Spokane, Washington.

I've been at the Health District
for, uh, about 15 years.

and in my current position, a couple
years, I'm not historically an IT person.

I come from the, uh,
broadcast media background.

But, uh, yeah, uh, I oversee, um, security
from a cybersecurity standpoint, um,

at an agency, a public health agency.

We call it a district.

It's a, or local health jurisdiction.

Uh.

We've got, uh, 250 to 300 employees,
various, uh, programs, efforts at

the Health District, and so I'm
the, uh, sole person in charge of

cybersecurity there, along with,
um, my colleagues in the IT program.

Okay, so tell me a little bit
about what cybersecurity looks like

at a public health institution.

Uh, I'm, my background is
school administration, and so

Probably some pretty similar
things dealing with confidential

information, keeping that safe.

What are the things that are, that
you're focusing on as it relates to that?

I think you,

I think you used the right word, focus.

Uh, you know, everyone knows there's
so many, uh, aspects to cybersecurity.

And in, kind of a smaller entity
with a smaller group of staff, uh,

with one IT person, focus is key.

So, you're right, we, we
have some, uh, main focuses.

I think one of the things that's been good
for me is my lack of knowledge initially,

you know, just kind of being able to see
what's out there from a fresh perspective

or an inert perspective, maybe.

uh, I look at our, our
employees as a vector.

I know that's, uh, probably a negative
connotation, but, um, phishing, email is a

vector and, and user accounts is a vector.

So we focus very heavily with
Microsoft products on securing user

accounts, uh, and just kind of,
um, Stopping, um, stopping that as

a vector for bad things to happen.

Intrusion protection with things like
sims, firewalls, using VPN clients.

Really just basic, um, the basic
cyber hygiene, um, fundamentals that

we hear from all over the place.

CISA, NIST, um, all the local
authoritative jurisdictions.

Just focusing on cyber security,
hygiene, you know, multi factor

authentication, administrative accounts
being secure, that kind of stuff.

We focus on the hygiene, and we've, I
think, done a really good job with that.

Now we're starting to move into
education, awareness with our staff.

communication's been huge, so that our
staff sees, um, themselves as a part

of the cyber security and IT team.

And so we've moved, what I like to say
is we've moved past the technological,

not that we've got that showed up.

But we really focused heavily on
technology and we've done what we could

there with our, um, our resources.

And now we, what I, we've moved on to what
I think is an even bigger, again I'm gonna

use the word vector, but I'm gonna, we're
moving on to the, the, the person, right?

And it's kind of, for lack of a
better term, securing them too.

So put the two together, uh, we've got
the technology, we've got the human

aspect, and kind of shore up, um,
everything as best as we can with that.

with what we've got.

Yeah.

And so what I think, what I like about
that approach is you, you're taking

this situation and you're saying,
okay, here's all the technical pieces

we can put in place to protect us.

All the, uh, protocols, strategies,
software, things to implement.

And then it's about education and teaching
people how to be smart about it, how to

make good choices, how to not, Not get
stuck in something or reveal something.

What's the challenge with teaching people
those things because to be honest most

people don't think too much about it
And a lot of people will still reuse

the same passwords over and over even
though that may not be the best thing

What what's the challenging part of
teaching people to be cybersecurity

aware?

You know I'm not sure there really
is a challenge, um, from the,

at the, you know, employee kind
of human, element at that level.

They're actually really willing,
and able to, you know, to

act on what you tell them.

The challenge is, it's for me, and I, I
attended a conference at NIST, uh, a few

years ago, and learned that the, that the
challenge is to impart that information,

to get those, you know, the, the human
aspect to get them to understand what you

want from them in a way that they accept.

So you have to reach, uh, the
old school folks, you know, with

an email or, you know, a poster,
you've got to have a, uh, a piece of

electronic media for younger people.

You've got to meet them in person
when you can, You've got to have a

rainbow of approaches so that you can
reach those people and listen to them

and create that dialogue so that if
you're not getting what you want that

you continue to ask them what it is
that they need from you so that they

can put into place what you want.

It's that, uh, it's not really a
challenge but it's a, it's an effort.

You know, that communication effort.

I know we always say
communication is key, right?

No matter what the
industry, but it's true.

If you can reach them and use the
method that works best for them, they'll

actually follow through and work with you.

Um, they'll report phishing to you.

They'll even come to you and tell
you, Hey, I reported this, but I want

you to know, or they'll say, Hey, I
see something weird with my password

here, or should I be getting this
authentication method on my phone?

Um, they'll, they'll start to come to you.

you know, and the old
term champion, right?

Then they're your champion and
they champion their colleagues.

They champion their, their,
whatever their work structure is.

And they become that person
who kind of pushes your, your

efforts on down the road.

Yeah, sure.

That makes a lot of sense.

so what is it that you're hoping
to get out of the inch 360

event that we're at right now?

I'm kind of old school, and I like face to
face and I know COVID's come and gone to a

large extent, but it's a good opportunity
to see people and face to face.

I saw some of the people
I work with here online.

I saw them in person for the first time.

so I'm hoping to see that again.

Um, and really just hear where other
people are going and kind of stack

myself up, you know, to what I, what
I'm, I try to listen to as broad

a range of, Voices as possible.

And this is just another venue to hear
voices and, get an idea of whether I'm

not, whether or not I'm doing the right
thing if we're on the right track.

If there's something new that I can
implement, you know, We all hear sometimes

I've gone to a conference or a class.

You're not going to take
everything home and use it.

But if you can hear just one thing and
take it home and put that into practice,

then that's, I think for me, that's a win.

So yeah, I'm looking
for that one thing that.

That I can put into

play.

Yeah, very good.

Well, I hope, uh, I hope you find it,
and, uh, that, that is the question that

I'll be asking everybody else, but you're
the first one that I interviewed before

the conference started, and so, wanted
to hear your hopes and dreams of what

you're going to get out of it, but that
is, that is the question I'll be asking.

What's your one takeaway from people?

Okay, I'm going to go in
there and tip everybody off.

Okay, sounds good.

Appreciate it, man.

Thanks so much for being here.

Yeah, I appreciate it.

Thanks for having me.

Have a good one.