Following her induction into the 2024 class of Cyber Defenders, we were thrilled to catch up with Carolyn Duby – who is the Federal chief technology officer and cybersecurity GTM lead at Cloudera – for an in-depth talk about harnessing data for cybersecurity analytics, the enduring value of the Federal government’s migration to zero trust security, how to proceed safely with artificial intelligence technologies, and the urgency of getting ready for quantum computing.

MeriTalk: Congrats on the Cyber Defender award, Carolyn! Can you tell us a little bit about your job and what security work you are doing at Cloudera?

Duby: I am a field CTO at Cloudera, and we are a data management and analytics company. I’m working with our customers worldwide on different types of use cases, but one of the really compelling use cases for data and analytics is cybersecurity.


Cybersecurity is a big data problem – there’s a lot of log data and it’s challenging to prepare the data for efficient analytics. I work with customers to help them determine what use cases are best on the platform. I run a small team and I hosted an open source project called the Cybersec Toolkit, it’s an open source accelerator so anyone can use it, and what we’re really trying to achieve is to help customers own their cyber data and to be able to create analytics quickly and then deliver on AI. A lot of AI these days is locked up in products or black boxes, but most of our customers are not black box organizations – they’re large public sector, telecommunications, financial services, and oil and gas customers.

What we’re really focusing on is delivering insights that customers need at scale with low code or no code so that we can have cyber teams that are deploying AI so they can quickly respond to new threats in their environment.

MeriTalk: In the bigger picture on security, what are some recent policy and tech trends you’ve been seeing that are helping to improve security and that we should be doing more of?

Duby: I think that the Biden administration has done a great job with its Cybersecurity Executive Order, which is kind of forcing government and folks in the commercial space to go to a zero trust security model. Zero trust is really about doing the basics on security so the mandate to do that is a positive thing.

I also like the focus on secure by design for technology products to make them more secure and resistant to attacks. We have all the social engineering attacks that we have today because the products allow people to inadvertently engage in insecure actions. Safety and security should be the default. So products should be designed with safety and security in mind, without making them difficult to use. In a normal mode of operation, we should be able to confidently pick up our mobile device or interact with a government website or work with our local government and expect that this is going to be secure by design.

MeriTalk: How about on the AI technology development side?

Duby: On the policy front, there’s still more work to be done, like figuring out how to govern AI – if we should govern AI – and then how we should do that. There are a lot of risks in that area and there is a lot of interest from both governments and from the private sector.

Half the battle with a lot of these regulations is finding people in government who really understand technology. A lot of our elected leaders don’t come from a technology background, so they don’t have an in-depth understanding of how it works. If you listen to questions asked in hearings, for instance, you can tell that some of our elected leaders have no idea what an algorithm is or how it works. Our government should take steps to make sure our lawmakers are educated in technology. This could be through training or professional education geared towards policymakers. The training should explain technology in a way that is accessible to policymakers who are not necessarily software engineers.

Another obstacle within the AI space is getting people to understand what is a large language model, what is a neural network and what are its capabilities, and what are the things that we have out there that are really risky? We don’t really know exactly how they work and there are things that they’re not sure they’re going to be able to fix. There are a lot of unknowns out there – very powerful, but also very unknown.

MeriTalk: Also in the bigger picture, what looms large for challenges in improving security?

Duby: Quantum is a big unknown at the moment, when will we reach it, when will it be able to break encryption algorithms – those are big questions. IBM, which is big into quantum, announces their progress and is pretty public about it, but adversaries will not be announcing theirs. So, there are a lot of unknowns out there. We have to really move towards quantum-safe encryption, and that is going to be a huge amount of work. And then people will have to buy into the fact that they will have to change their encryption.

I think the U.S. government needs to look more strategically and invest more heavily in technological advancement. Government needs to view it as a strategic investment so we can stay ahead of adversaries that are very smart and very motivated.

MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path, or was the path more complicated?

Duby: I love science and math, and my tech path started in high school where I took a computer programming class for BASIC – this was in 1985 before the email, the internet, cybersecurity – I didn’t realize it at the time but it was really foundational in my development as an engineer. Then I started in college at Brown University as a pre-med major where I did all of the requirements, but also took programming classes, and I was pretty much hooked after that. I looked at the potential – and educational costs – of both medicine and tech, and decided on the tech field, with my first job at a great company called Cadre Technologies. I was a co-founder at Pathfinder Solutions, then went to SecureWorks, and I just took off with cybersecurity from there.

MeriTalk: Finally, what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?

Duby: I grew up in Rhode Island and live in Massachusetts, and I love to go to the beach. I love the ocean. My husband and I enjoy getting out in nature, hiking, and visiting the National Parks. I’m also a cat lady with four cats – cat ladies have been in the news lately.

MeriTalk Staff