REPLAY: Lawyers Who Think Like Coders with Ilona Cohen

Podcast

About This Episode

In this replay episode, we revisit our discussion with Ilona Cohen, the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne. We dive into hot topics including the National Cyber Strategy, how government organizations can manage priorities, what lessons can be learned from the past, and the “voluntary” reporting and compliance approach, along with breaking down the myriad funding pathways and allocations to truly make the National Cyber Strategy a reality.

She also shares perspectives on the importance of ethical hacking and the formation of the Hacking Policy Council along with thoughts for government agencies in addressing the cybersecurity talent gap, and where hackers fit into that equation. 

Ilona Cohen - Chief Legal and Policy Officer, HackerOne

[0:55] Exploring the National Cybersecurity Strategy

Rachael: I'm really excited for today's guest because this is one of my favorite topics. Please welcome to the podcast Ilona Cohen. She's the chief legal officer, chief policy Officer, and corporate secretary at HackerOne. And she was formerly a senior lawyer to President Obama and served as general counsel of the White House Office of Management and Budget.

Welcome, Ilona.

Ilona: Thank you so much for having me. I'm so delighted to be here. And I'm sorry I missed you at RSA. It sounds like a fun time. I was there, but I did not get a chance to see you record your podcast live, which was a disappointment.

Rachael: Oh, that would've been awesome. We were posted up at St. Regis. They have this terrace place on the fourth floor. Not really good for soundproofing, but wonderful for catching up with folks. One of the interesting topics we talked about was something that's trending much like the National Cybersecurity Strategy now.

And given your background, I would be interested in your perspective there.

Ilona: The cyber security strategy came out last month, or I guess it's May 1st, so a couple of months ago. It really is a very comprehensive approach to our nation's digital security, and so it was terrific to see it. The amount of effort that goes into creating a document like that. Just the sheer coordination internal to the government is really something to behold. 

That's just the beginning though. Now they actually have to implement it, which is the hard part. And the last couple of pages of the strategy talk about the implementation that's forthcoming. There was a lot in that document, and we can digest that as we go along, but there's also a lot to come as well.

Harnessing Hacking for Safety

Petko: What were the key highlights from the strategy, just so we can tease it out as we're talking about it that you thought were really interesting?

Ilona: First, we were really excited to see that the administration called for coordinated vulnerability disclosure across all technologies in all sectors. That's something that HackerOne runs. We run vulnerability disclosure programs, and so we're really very happy to see that. But the bulk of the strategy is about moving from voluntary to certain mandatory requirements. That's certainly one of the key differences between the prior strategies and this strategy. 

And so as former general counsel of the Office of Management and Budget, as you mentioned. It's exciting to see them move to a call for certain regulatory action that played a pretty prominent part in the national cyber strategy. We're so used to seeing regs in other areas of our lives. We're comfortable with it when it comes to food safety or automobile safety.

We don't think twice about those regulations, but we haven't traditionally been comfortable with them when it comes to sort of technology safety. Especially when you're talking about the safety and security of public services, it's really important to get that right.

Petko: I actually like how you're framing it as a safety problem because I think we always associate cybersecurity as just a technical problem or a technical glitch, but never as a safety. That's a key thing that I think is critical. Outside of making changes to the terminology to focus more on safety, do you think organizations are going to really be proactive in the regulatory space here?

Nurturing Future Defenders: Hacking the Talent Gap in Cybersecurity

Petko: I imagine the government's going to have some program here with funding coming up. But do you think if we had the funding, organizations will be more proactive in meeting the regulations outlined in the strategy?

Ilona: It really just depends. There's no consistent approach across the board when it comes to safety around these services. And so that's the point of the strategy. To level the playing field to make sure that where there are areas of critical infrastructure or where disruption of services could really impact Americans very broadly.

That we have a consistent approach so that we do protect those Americans. We ensure that there's that steady baseline that makes sure we're not going to disrupt the population or the economy or really ensure that people are not harmed. It does vary.

Petko: Just speaking of Americans and just the population. I keep hearing that even if we had the funding, we're still going to have a huge challenge trying to recruit new candidates, given the shortage. Do you have any recommendations on how national agencies or even cybersecurity organizations can identify new recruits or leverage some kind of, given the shortages?

Ilona: Oh, I see what you mean. There is a shortage, there's no question. I do think that funding can help that, but I also think we need to think outside the box when it comes to the cybersecurity talent gap. Funding can be devoted to education, for example, like the government could work with academic institutions to introduce cyber education at a young age. That's not going to change things overnight, but it is going to make a long-term difference.

Empowering the Future of Cybersecurity with Hacking

Ilona: Things that actually the Girl Scouts, I don't know if you're following what the Girl Scouts are doing. But they are really very heavily investing in cybersecurity and cybersecurity education. And I really hope that that's the cybersecurity workforce of the future. I think that could have a huge potential to impact the cybersecurity workforce in a terrific way.

The other thing that we could do is potentially work with expanding access to sort of non-traditional pathways like cybersecurity certificates or accreditation. We have hackers who are terrific and could make terrific cybersecurity policy officials or workers. And they might take a less traditional path to CISO but certainly would be just as accomplished. So I do think with the right funding and with thinking outside the box, you can get a pretty good cybersecurity workforce. But it might take time.

Rachael: How early should we be introducing cyber though too? I think back on my youth, and I think they had introduced it in junior high, and I'm really old just for context.

Ilona: Hardly.

Rachael: It was computers or something, like DOS or something minimal coding in junior high school, which was really fascinating to me. And I realized my shortcomings at that time. But I'm just wondering if they were to start introducing more cyber curriculum or things earlier than let's say a high school mention or something like that. Is that how we are also going to try to feed the funnel?

[8:14] Hacking as a Path to Cybersecurity Excellence

Ilona: Oh, absolutely. And let's be honest, kids are on technology way earlier than high school and sometimes a lot earlier even than junior high. So they're going to find the technology anyway. So we might as well make productive use of that and foster it through cyber education.

Rachael: Because there was, I don't know if you remember years ago, he was nine or eight years old. This kid was hacking his toys. Now he's like a CEO of a company, he's like 14. But I think about that when you have that kind of access at such a young age. We should be hiring them out of elementary school, I don't know, as consultants. I just feel like there's so much brain trust there, just opportunity.

Ilona: Oh Yes. HackerOne has proudly been hacking the Pentagon since 2016. And we also hacked the Air Force among many other government agencies. And we had I think a young man who hacked the Air Force. He was under 18. He had to do so with the permission of his parents, he did it very successfully. 

I think maybe under 10 minutes he hacked the Air Force and now he's working at CISA, working for the government in a cybersecurity strategy and policy role. So that's an example of these folks are starting young and they have great talent and we should take advantage of that talent. And then maybe that pathway is not as typical. Now, meanwhile, he went on to do many great things and got a great education, but there's a lot of potential there.

Exploring the Intersection of Law and Cybersecurity

Petko: It's interesting you called them hackers, but it's really ethical hacking, right? Because I think hacking has a negative connotation.

Ilona: See, I think of hackers as ethical and we can say ethical hackers or you can call them security researchers. And then that by contrast, there are cybercriminals and they're going to continue to do what they do. And so we want to make sure our hackers are getting ahead of identifying vulnerabilities. So that cyber criminals don't exploit them.

Petko: It's interesting. I'm reading a book called Hacker's Mind, and it really clearly talks about how really just getting something to do something was not expected, but it's not illegal. They approach it from the standpoint of hacking a technology or hacking something that could do something that was not originally intended to do.

But it's still legal, but we always associate it with something illegal. And it makes me wonder, you're a lawyer at HackerOne. I bet you see a lot of illegal things.

Ilona: No.

Petko: With cybersecurity. What I wanted to get to is I'm not used to having a lawyer and cyber be in the same sentence even. How does that intersect, how does your legal expertise intersect with cybersecurity? And I guess how important is for legal teams just to understand cybersecurity in today's digital landscape?

Ilona: Oh, it's critical. Let me take a step back. What I do as a lawyer within cyber is help make sure that folks understand what's legal and what's not legal. The Department of Justice just issued guidance actually, that said, "If you're a good-faith security researcher and you are ethically hacking, then we're not going to charge you under the relevant statute.

Unleashing the Power of Hacking: Navigating the Legal Landscape in Cybersecurity

Ilona: We're going to make sure that you have the ability to do what you want to do because it helps us as a government. It also helps companies make sure that their products and their services are secure." And so that is essential to make sure that you understand that and that you understand what's within the scope of that guidance. And then what's well outside the scope of that guidance.

That's both legal, but it's also policy. And so HackerOne just launched this Hacking Policy Council, which I'd love to talk to you about as well. We spend a lot of time talking about policy but in the context of these statutes and laws you have to understand. And then there's the more specific work that I do at the company, and I'd say all companies need lawyers who have at least a basic understanding of tech. 

That's because if you have a breach if you ultimately have a breach. It's going to be the lawyer who is working hand in hand with the tech officials in the company in order to make sure you're driving that to success. That you understand the investigation, you're responsibly mitigating it, you're notifying everyone who's affected and you're trying to prevent it in the future.

And that's both because the lawyers do it in part because you want to protect the privilege associated with that investigation. But also lawyers are capable of driving investigations generally in order to make sure you understood what happened and you make sure it doesn't happen in the future. So there's a lot of actual relationship between legal and cyber.

Empowering Ethical Hackers for a Secure Future

Ilona: Actually, I often think that lawyers sometimes think like coders, because it's all very precise and you have one mistake and it could blow everything up. And so there's a lot of similarity between the various fields.

Petko: That's really interesting, actually. I've never thought of it that they're so close that way.

Ilona: Ask a hacker if he or she feels the same, maybe they'll give you a different answer.

Petko: I could just imagine. You remind me of a lawyer.

Rachael: That's hilarious.

Ilona: Yes, exactly.

Rachael: Hilarious.

Petko: You mentioned the Hacking Policy Council. You guys just recently partnered with the Center of Cybersecurity Policy and Law to form it. Could you elaborate on what are the key challenges that it aims to address?

Ilona: Sure. This is exciting. We've never had a policy council or even an advocacy group that focused on issues of interest to hackers. We have so many obscure groups in Washington that are designed to protect every interest. So it's a real miss that we have never had a group focused on hackers and hacking. 

And the reason it's so important is because, look, good faith security research, it really does drive the security of our system. And so it's the backbone of our security infrastructure. So it's really important to make sure that if they're going to do such a service for us, we need to make sure that we're looking out for them. The US, as I mentioned, has come a really long way in terms of understanding the value of ethical hackers and making sure that their interests are protected.

Introducing Ethical Hackers and Educating the Public

Ilona: As I think I just mentioned, I was in the White House at the time. The Hack the Pentagon program was launched, and that was the first time there was ever a bug bounty program in the US government. And the discussions in the White House at that time, the consternation and concern about inviting hackers to hack a Pentagon system.

They were very different than the conversations that you would hear today in the White House. Given that, as I just mentioned, they just announced to, in their strategy, we should have these kinds of programs in every sector, in every technology.

So huge, huge change, but it's not quite the case across the world. And so the US system is a little bit further advanced here. Certain states are lagging behind. The Hacking Policy Council just went to the UK in a letter, in formal writing, and in meetings to tell them. "You're thinking about revising your statute that would affect hackers in a negative way."

So we're trying to make sure we're exploring laws that affect hackers across the world to make sure that ethical hackers can do their work and continue to keep us all safe.

Petko: I'm curious, you're making the distinction here between ethical hacking and malicious hacking. Because it's better to have someone ethical that tells you how they got in versus someone who gets in and takes your data and doesn't tell you about it. But how do we educate the public on that distinction?

[17:40] Evolution of Bug Bounty Programs in the Hacking Landscape

Petko: Because I think the industry puts it up in just hackers, but I think there's an important distinction here for cybersecurity. One's a partner, and the other's a criminal. How do we educate the public? I think the hacking policy council's one way, but is there something else we should be doing? I'd love to get your perspective on that.

Ilona: We have customers who might come to us with some reluctance to start. Or prospective customers I should say, who might come to us with some reluctance like, "Oh, I don't know, legal is telling me this is really difficult. Can I really let hackers into my system?"

And all it takes is literally one vulnerability to get them on board. You hire a team of ethical hackers and they can seek out the organization's vulnerabilities and prevent them from being exploited by cybercriminals. 

And you just get that first vulnerability and their eyes open and all of that concern disappears, just almost immediately. So we have very long-standing customers like the Pentagon and others because they see the value in being able to find those bugs and fix them before they're exploited.

Because the criminals will come, they will find them, they will exploit them. There's no question about that. So you want to make sure you've got it right to begin with. And I think just repeating those successes over and over again is going to continue to bring more folks on board.

Petko: I bet you've seen the bug bounty program evolve quite a bit since you started it back at OMB. That was the first real nationwide bug bounty program. How has it evolved since then? How has HackerOne evolved in the vulnerability space and the bug bounty program space?

The Role Of Bug Bounty Programs in Government Hacking Initiatives

Petko: You have this bird's eye view from conception to where we are now. How has it changed? Can you share any success stories?

Ilona: Just take a look at the Hack the Pentagon program; it has been tremendously successful. There's been 40 plus bug bounty programs over there, over 1400 security researchers. I think they found over 2000 vulnerabilities in the Pentagon. So just in the Pentagon alone, there's been a tremendous success. There's also, they've just expanded that recently in a pilot to the Defense Industrial Base. So all of the contractors now, or not all of the contractors.

But it would be great if all of the contractors to the Defense Department also had a similar program just because of the value. There's just been a huge evolution in the federal government because in 2016 that was the very first time that any agency had implemented a vulnerability disclosure program. And then in 2020, the Office of Management and Budget, as well as CISA issued guidance that said, "Every agency should have a vulnerability disclosure program."

So huge evolution there in terms of the federal government's approach. And it'd be great to see that same set of requirements applied to anybody who touches the federal government system. When I was in the White House, I worked on cybersecurity breaches in addition to cybersecurity policy and strategy, and law. 

During the time that we were there, the Office of Personnel Management was breached, and it affected 20 million employees and a billion records. The person got in through a contractor. And so it's really important to make sure that we expand the requirements around vulnerability disclosure programs to all folks who access government systems.

Shifting Paradigms in Proactive Cybersecurity

Ilona: But we're getting there. As I said, that Defense Industrial Base pilot was a huge success, as have all these federal programs that have launched since the requirements began.

Rachael: I dare to venture here too, you talk about basically proactive, vulnerability hunting. And when I think about proactive security, it naturally leads me to the discussion of offense. You got your defensive and your offensive tactics. And I just wonder, when are we going to start addressing that element too? Because is that the next step of how we get ahead of the threat? Just your perspective, I'm just spitballing here.

Ilona: Well, what do you mean when you say go on the offense? Because I think of that as more of a cyber command responsibility, not a hacker responsibility.

Rachael: And I'm just hypothesizing here where you have these large global organizations that want to proactively protect themselves. And perhaps they do have ethical hackers on staff, but they're also seeing this activity. You think about Ukraine and the conflict with Russia. You have this cyber war that stood up with these volunteer cyber armies. And it just seems interesting that is an offensive strategy better than a defensive strategy when it comes to security ahead.

Ilona: Yes, I think it just depends on how you define the offense. If you define offense as making sure you're preventing attacks from happening in the first place, absolutely. Yes, it's essential to do that. You want to make sure you have a zero-trust architecture, which is something that the government's been promoting pretty heavily.

[23:54] A Mission-Driven Journey: From the White House to Cybersecurity and Hacking

Ilona: You can't trust any aspect or any person. It's no longer enough to just defend the perimeter; you have to make sure you're secured in every space. And so you launch whatever cyber strategy for your organization that will get you there. If that's what you mean by offense, absolutely.

Rachael: That's absolutely a piece of it. I also think of the movie version too, like the Hollywood version where you go out and you're hunting them down. Like "I'm helping the government." I'm sure that people look at that.

Petko: You're flying through the machines.

Rachael: Exactly.

Petko: You mean where you're flying through the machines.

Rachael: Exactly.

Ilona: I think you've seen WarGames one too many times, maybe in the eighties. I don't know.

Rachael: What was that show, the movie Hackers back in the nineties too? Hilarious. Hilarious. Yes, but I'm more interested in that topic. It's a dicey topic, right? Anyway, you slice it. But Yes.

Ilona: That was a great movie. I think maybe that led me to this job.

Rachael: Right.

Petko: Can we talk more about that? I want to know, given the background that you've had with the Obama administration and everything else, how has that informed your perspective. How has that informed your perspective now on cybersecurity in general and vulnerability programs?

Ilona: I'm a really mission-oriented person. Working in the government for a long time, you take for granted that at the end of every day, you get to feel really good about what you do. And so at the end of every day, I worked in the Obama White House. I felt really good about the things that we were doing.

Embracing Vulnerability Disclosure Programs in Private Industry

Ilona: Yes, not every day was roses and sunshine, but it made me feel like, okay, I contributed in some small way to the overall mission. And it's a little bit harder to do that in the private sector. But I did feel like I had that at HackerOne in part because of their service to the Pentagon and other agencies. You get to feel like, I'm doing my part to protect data and the service men and women who rely on that data. 

And it really is very satisfying to be able to help deliver on the government's mission in that regard. So that is how I got here. But Yes, it was funny to go from being in the White House when the program started to now being on this side, working for the same company that won that first contract.

Petko: I am curious, just given the broader scope you had at the White House around cybersecurity strategy. What are the key takeaways or lessons that the private sector should learn from the public sector's approach to cybersecurity? Because the government, I think there's a lot of things they get right.

What are those things we should learn from in private industry?

Ilona: Sure. I guess number one is they have vulnerability disclosure programs at all agencies. That's a mandate. They said "This is important and it helps us identify problems. And so we are going to make sure it's a requirement for all agencies." And yet, as I mentioned, federal contractors and other companies haven't gotten on board yet.

Prioritizing Cybersecurity Investments

Ilona: And I do think that's one thing that the government gets right. Our customers obviously understand the value, but I think there are a lot more who need to understand the value of it and get on board.

The other thing is investing in cybersecurity. It wasn't a coincidence that they released the strategy and then a couple weeks later they released the budget or the president's proposed budget. And so there has been a huge amount of cybersecurity funding in the past, but they nonetheless proposed a 13% increase for next year's budget in cybersecurity. 

I know times are a little bit tighter than they have been in the past, and a lot of folks are watching this economic climate with some trepidation. But you really can't skimp on cybersecurity because you'll pay for it later. And the government, I think, gets that right.

They're investing or they're proposing a pretty substantial increase, even though they had a pretty substantial increase last year as well.

Petko: I think it's interesting when you have a bug bounty program or some kind of vulnerability disclosure program you're basically asking, "Hey guys, come and hack me. Find stuff I missed." And typically the assumption is your team already is doing individual pen testing, vulnerability scanning, and application scanning.

The goal is to reduce the number of things that are found by these ethical hackers and these vulnerability bug programs. Because I would imagine that it forces organizations that don't have the right rigor around vulnerability practices to stand up also if you think about it.

If I require you to be part of a vulnerability disclosure program where you're eliciting third parties to come and hack you, well, I better have my house in order first. A little bit.

Maximizing Value through Ethical Hacking and Vulnerability Scanning

Ilona: Well, yes and no. We have a multitude of customers and they're at different levels of cybersecurity sophistication. So we have the super well-resourced, absolutely very mature programs who still see value in having their whole systems open to ethical hackers because we are human. We make mistakes, and things change.

Configurations of software might lead to vulnerabilities. You need to have a constant review. No disrespect to the pen test, but they're periodic, they're not as frequent. You don't get the results right away. 

We offer pen testing at HackerOne too and there's value to it, but there's also value in that continuous review. A sophisticated customer gets just as much as a customer who is at the beginning of their cybersecurity journey. In between the time that I left the White House and the time I started at HackerOne, I went to a different startup that didn't have a cybersecurity, it didn't have a CISO yet. They had a very good chief technology officer, but no CISO, and so one of the first things I did was hire HackerOne. Because I wanted to make sure that we were, at the time it was a healthcare company.

And so had a lot of PHI, personal health information, and it was a make-it-or-break-it situation. We had to ensure that we were protecting that healthcare information in order to keep our business. We wanted to make sure that we ultimately did that by hiring HackerOne. So lots of different folks, and they all get different values out of the continuous review.

One other thing about the value is actually that you can scan your system all day long.

Revolutionizing Software Security

Ilona: And again, there's a lot of value in that, no disrespect to any other system or program, but you get so much noise. There's so many false positives, and you need people who are ultimately going to decipher through that noise.

And so you have a much higher hit rate when it comes to human-based security because they're not going to get paid if they send you something that's just a bunch of noise. So there's a disincentive to make those reports.

They want the biggest reward, they want the biggest yield, and so they're going to focus on the highest impact.

Rachael: And I can imagine a future too where this becomes more part of your standard operating procedure. Because you hear a lot about how can you trust consumer software with all the open source and all the other vulnerabilities. If we were to go to a grading system, much like we have for restaurants, there's a grading system.

I imagine something like this would be very critical to help assess where a company and its software may fall in the spectrum.

Ilona: A plus, all around a plus. Yes, I absolutely agree. I like this idea. I think we should implement it. And if you have a vulnerability disclosure program, you get an A, and if you have a bug bounty program, you get an A plus.

Rachael: I love it.

Ilona: Okay. Let's do it.

Rachael: I would use that software.

Petko: I'm picturing going on Amazon and every toy has not just the price, but underneath it is some rating.

Rachael: Yes.

[33:35] Enhancing Cybersecurity: A Graded Future for Connected Devices and Code Review

Ilona: Well, actually the administration is proposing a rating system for devices. So it's not so far-fetched to grade somebody based on their cybersecurity policies and programs, but I like this idea. Let's do it.

Rachael: I like it too. We joke about my Furbo, but I have no idea. I don't know what kind of rating my Furbo has, and it's recording everything in my home. It's right over here.

Petko: Rachael, do you know where it's going?

Rachael: To the cloud?

Petko: Who's cloud?

Rachael: Well, exactly.

Ilona: Exactly.

Rachael: Exactly. That's a good question.

Ilona: Before we went on cam, or before we went on the mic, we talked about our Amazon addiction. And so if you put a grading scale next to the product, it might actually help me curb some of my Amazon purchases. So I actually like this idea for more than one reason.

Rachael: Absolutely. Especially all the connected devices we keep adding to our day-to-day lives. You just have no idea what's going on in the background.

Ilona: It's true. It's scary in that regard.

Petko: So I got to ask, what's the future hold? Everything you're working on at HackerOne and beyond, what are some of the projects that most excite you right now?

Ilona: Yes. HackerOne actually just launched a brand-new product, which is pretty exciting. And it's a code review product, so this is at various stages, developers might want someone to take a look at what they've created. And this allows a new look at code review.

HackerOne's Innovations in Hacking Defense and Solutions

Ilona: And then similarly, we just for one customer helped them, they had been breached, and we just help them look. "We know that this happened, our code is out there, so will you please take a look in real time to tell us what vulnerabilities we need to fix right now."

That's a relatively new product for HackerOne, but one that's just as important as the product we've been delivering successfully for 10 years. That's the future of HackerOne. We also launched a pen testing business as well, which is going really well. So I'm excited about all of these products for HackerOne.

Petko: I like it. You're shifting left and expanding right, meaning you give to the developers and you're expanding to the external pen test side as well.

Ilona: Absolutely. Folks are excited. Our customers are excited, they want to have a one-stop shop. We actually launched even one more product, which is asset scanning as well. So we're partnering with another company to do an asset scanning and to then be able to help advise after that scanning is complete.

Again, a one-stop shop. That was my takeaway from RSA. I don't know about you, but I walked the floor and I thought, "My God, there are so many individual products that target one tiny little sliver of a company's cybersecurity strategy. How many of these products do I have to rack up in order to have a full stack?"

Rachael: It's staggering.

Ilona: I don't know, I'm not a CISO. It's staggering. It was staggering. And so if I were a CISO, that's just a lot to contend with. So you want to go to a company that has a more comprehensive solution.

Rachael: Absolutely.


Embracing AI in Hacking Defense

Petko: It's funny, I think I've heard most CISOs or security departments have like 50 to 70 different technologies that they use just to basically meet the requirements. There's definitely, I think, a trend I saw toward more platform consolidation than ever.

Especially with the macroeconomics we're seeing, I think it's pretty common to say, "Hey, how do I do more with less? Or how do I simplify security to make sure that the people I have, I can train them on two technologies instead of one, let's say, that just have to be on the same platform."

Ilona: Absolutely. Yes.

Petko: Given the background you've had, you've had the Obama administration, you're now dealing with ethical hackers. You've got a really unique perspective and experience. Where do you see the future of cybersecurity in the next five or 10 years? It sounds like you want to have Amazon rate everything for you.

Ilona: Again, just to curb my own purchase problem, anything to help with that would be much welcomed. It's hard to say. Obviously, everyone's thinking about AI right now. I know actually HackerOne a couple of years ago did a pilot for a company to try to get hackers to see if they could identify biases in AI. And so I do think the future is very much there.

I'm not entirely sure what it looks like. If I did, I would have a product to announce to you today. I think it's just constantly evolving. In the last couple of years, even the government strategy has been constantly evolving. 


Pursuing Passion in the Hacking and Legal Landscape

Ilona: I think a couple of years ago, and then certainly when I was there, everyone was focused on nation-states. That's obviously always going to be a concern, but instead, the most disruptive cyber attack came from cyber criminals in 2021 with the Colonial Pipeline. It totally disrupted the entire East Coast. Sometimes it's hard to even see next year, let alone five to 10 years. And we've seen constant shifts because there are constant changes in technology and the sophistication of cybercriminals.

Petko: What advice do you give young professionals who are interested in cybersecurity, in a role like yours, chief legal officer? Do they go cyber? Do they go legal first? Or do they hack while they're in high school and then become a lawyer? Which would be interesting.

Rachael: That would be interesting.

Ilona: I always tell young people generally to just pursue their passion, because you're going to do your job well if you are happy doing it. So that is my strategy. I just jump from place to place if I'm happy. I don't jump frequently, but if something is moving to me, if it's meaningful, if I enjoy the work and enjoy the people, then I think it's worth doing. And so my advice to young people would be really to pursue your passion. And if that's cyber, great; if that's law, great; if it's both, terrific. There's room for everyone.


The Changing Perceptions in the World of Cyber

Rachael: Definitely. So I do want to be mindful of time, and this has been such a great discussion, Ilona. I think we're just scratching the surface here too, because with the whole ethical hacking topic, there's a lot to talk about there. And I think, to Petko's point, just the perceptions, that's a huge shift on its own, getting people to embrace more ethical hacking and the good that it can deliver to them.

Ilona: If I've done nothing else, I hope I have convinced you that the word hacker should not have a negative connotation and that you should always distinguish between hackers and cybercriminals. If I've done that, my work here is done.

Rachael: I like that. Well, I'm on board, so you got me, that's for sure.

Ilona: Great.

Rachael: All right.

Ilona: One down, a hundred million to go. Yes, we're working on it.

Rachael: One at a time.

Petko: Well, it starts with one domino, right?

Rachael: Exactly. Just flick it over and we're ready to go.

To all of our listeners, thank you again for joining us. We really appreciate it. Ilona Cohen, thank you so much for the great discussion. We have a new outro we're going to try today, right, Petko?

Petko: Yep. Let's try it.

Rachael: All right. This has been Rachael Lyon and Petko Stoyanov bringing you another episode of To The Point Cybersecurity. Remember to stay informed, stay secure, and always stay ahead of the ever-changing threat landscape. Until next time.

About Our Guest

Ilona Cohen, Chief Legal & Privacy Officer, HackerOne

Ilona Cohen is currently the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne. Cohen was formerly a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). Prior to joining HackerOne, she was the Chief Legal and Compliance Officer of Aledade, another venture-backed tech company, where she built and scaled the company's legal and compliance teams. Cohen is highly experienced with cybersecurity and ethical hacking solutions. She was part of a core group in the White House responsible for developing President Obama's long-term strategy to enhance cybersecurity awareness and protection in the public and private sectors. These efforts led to the decision to launch the first U.S. government bug bounty program, Hack The Pentagon, run by HackerOne.