Coffee and Collaboration: A Security Pick-Me-Up [Security Sandbox Podcast]


Do you like to start your morning with a steaming cup of joe or an ice-cold brew? Perhaps a detailed threat intelligence report?

Either way, this month’s episode of Security Sandbox has a thing or two to teach you.

Listen in as Jiyoon Han, a Harvard MBA student who helped evolve her family’s coffee company to adapt to the pandemic, joins our hosts—Amanda Fennell and Tyler Young—to discuss light and dark roasts, fair trade beans, and the universal beauty of people, process, and technology.

Turns out cybersecurity and coffee make a brew-tiful pair—and not just because caffeine helps the world go ’round.  

Security Sandbox is about pulling from your curiosity and personal passions to inspire more creative security practices. So, tell us: What inspires you?

Transcript

Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely—and that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel, and let's dig in!

In today's episode, we brew up a lightly roasted conversation on how to keep your business invigorated and caffeinated. Joining me to talk all-things coffee is Harvard MBA student, Jiyoon Han. While still working full-time as a student, Jiyoon quickly adapted to the new landscape of doing business during the COVID-19 pandemic by launching an e-commerce site to keep the family coffee business running. Also joining us is Tyler Young, who keeps our security practices buzzing as Relativity's director of cybersecurity. So grab yourselves a cup, and let's see what's brewing in the Security Sandbox.

Jiyoon, I know you've had to answer this question a lot in the past year, but we want to start with how you found yourself where you're at today. That's a very existential question. But let's say for your job, how did this come about—what you're doing today and what are you doing today?

Jiyoon Han: Sure. I lead experience and partnerships at Bean & Bean Coffee, which is my family's coffee business. Through the pandemic, I have been trying to innovate across all verticals, trying to come up with new areas of innovation for the business to be able to survive and thrive beyond the pandemic.

AF: Tyler, same question to you: How did you find yourself where you're at today and what do you do? You're not involved in the coffee business technically, even though you drink coffee every day.

Tyler Young: Yeah, I'm not involved in the coffee business, although I think I finance part of the coffee industry to some extent.

JH: Thank you, Tyler!

TY: Before coming to Relativity, I was working at a large financial institution and was just doing the day in, day out, like most people do, and realized that there was a really cool opportunity in front of us. And actually, Amanda came to me and was like, "Hey, I have this really cool opportunity. Would you want to come with me and help me build something really great? There's a really great leadership team, really great people, really smart people at Relativity." And I think us going there could help build a really awesome security program and something that could really shake up the industry and provide a lot of meaningful security posture and security buildout for an industry that didn't really have it at the time. And so when we talk about what was that pivotal moment, I guess it was the part of getting uncomfortable. You know, I was very comfortable in my job, and I had my day-to-day, and it was going to be this uncomfortability, which I realized later on allowed me to grow into my career and what I'm doing today.

AF: Oh, a moment of uncomfortability. But it's the sweet spot, right? Whenever you realize you're going to grow a little bit but not to the point of really uncomfortable. It's a little bit of growth mindset there. So, Tyler, every morning you wake up, and you direct a team who's in charge of cybersecurity. And I'm going to do this in the opposite way. It's going to totally throw you off. But I want you to tell me what makes a great cup of coffee and how you assess it, and then we're going to have Jiyoon tell us if we're right or wrong. So you go first.

TY: My favorite cup of coffee is a really nice Ethiopian Yirgacheffe that has really heavy blueberry notes. And so for me, if I can do a nice—

AF: I feel like he researched this, Jiyoon! He researched this, didn't he?

TY: No, no, this is real. If I can make a nice pour-over every morning, which I have to have time—because getting an 18-month-old up and ready for the day is time consuming—so sometimes it's just a jug of Starbucks coffee that's premade and iced that I could just dump over. But yes, a good cup of coffee to me provides enough caffeine to be sustainable for the next two hours of meetings before I can go refill. And then ultimately I really like tasting fruit notes in the coffee. I used to really like dark coffee, and I got into dark coffee because I loved craft beer and all the craft beers were being made barrel-aged and then they were throwing in coffee flavors, and I was like "Oh, all this stuff is really great. I can get into coffee." And they were always dark and like this motor oil, and then I realized that light coffee actually has more caffeine in it. And so I was like, "I need to switch to that." And then I started finding the light of the coffee had the really great fruit and citrus notes. And I was like, "This is actually really enjoyable." So now I can't start my day without it.

AF: So I totally backed you into an absolute corner here because you sounded really great about how you assess coffee and what you think about it. But let's get a professional here on the line. Jiyoon, how do you assess coffee? What is good in a cup of coffee?

JH: Coffee is often treated as a commodity and is talked about as a commodity. I would say many people drink coffee for that caffeine kick every morning, and I do appreciate that. But also for me, a good cup of coffee is one that affords me a moment to reflect. This moment that I have to myself in the morning is what makes a good cup of coffee for me. But yeah, Tyler, I think it's so interesting how you got into lighter roast coffee, like light roast, fruity citrus flavored coffee, through beer. I got into beer through coffee. I started by drinking Guinness Stout and then I transitioned into lighter beers.

AF: I've experienced this with you. I've been on a tasting with you. One of the things I really enjoyed about it was at the end, was that moment when you stopped and said, "Here's the moment. This is what the coffee is about." Taking that moment to check in and all of that. And I really found that to be such an awesome takeaway—that you put all these things together, but you still had that effort that we have to put in in terms of really understanding: Why did we do this? Why did we come here today, and why did we put this together, and what did we create? I think, Tyler, this feels like such a good overlap with people, process, and tech. How do you put together the right security program? Is it similar to a cup of coffee? Does it take the right grind? Does it take the right tools? Do you always have your full barista kit?

TY: In theory, I'd like to say yes, you always have your barista kit, but that's never the case because there's always new attacks and new vulnerabilities and new things are always coming at you, and you never know what to expect. However, there are three things you can always fall back on, and it's always having the right people and investing in those people, and then ultimately having the processes to handle—or at least the defined workflows—to handle each type of thing. And I think that's really where making a cup of coffee, like, there's always structure and how you get to the end result. While the ingredients may change, the common things are always, you know, you need water, you need coffee beans, and you need some type of coffee grounds, I guess? And so it’s the same thing, when you look at cybersecurity: You need people, process, and technology. You need some type of technology to give you the data that you need, whether that's a SIEM to look at event logs or some type of endpoint agent to detect something. Then it's the really great people that you work with, whether it's engineers or analysts. And then ultimately you need a process to get those people to interact together and get to the end result, which is that moment of, “Ahh,” we're relieved. We had protections in place. We had detections in place. We are safe.

AF: This is kind of an interesting one, though, because for those that don't know—which is probably everybody, because this isn't like on my LinkedIn—I worked at Starbucks for quite a hot minute. Really into coffee, specialized in beans there, because I was super into it and tasting and so on. But there's this dynamic about how what you use is so important. Is the water filtered or is it just tap water? Et cetera. So really that quality of the ingredients that you would use for something, and I know, Jiyoon, you spend a lot of time making sure you have these quality ingredients for what you provide for your blends and for this coffee in this product. I can tell from experience of having had it. So let's talk about that. The grind to get through a filter is actually an exact tie-in to security in filtering. So I'll start: Tyler, you have a ton of stuff that comes at you in a SIEM, you filter a lot of logs down, and you really get down to what's really important, right? It's essentially like a coffee filter, right?

TY: Yeah. You look at it like that. Yeah.

AF: So let's talk about the beans. You have a lot of time and investment and concern about where yours are coming from, what you're doing with them, and so on. Can you tell us a little bit about what beans you're using, where they're coming from?

JH: Definitely. So as a coffee roaster, I started roasting a couple of years ago, and as a coffee roaster, you're always thinking about how to perfect that roast and how to make this beautiful roast that tastes really good, that your coffee drinkers will really enjoy. And it all comes down to how good your coffee beans are. My family's coffee business is called Bean & Bean. It's because we really care about the beans and where the coffee is coming from. There are all these extrinsic factors that relate to where it's coming from and what name or brand value it has. But there are also intrinsic qualities to coffee that I think are almost as important, if not more important in many cases. One of our core commitments as a business, as a family business, as a woman-led business, is to source coffees from women-led, women-owned farms. And this is because, even though more than 70 percent of the labor force across the coffee value chain consists of women, they don't get equal representation. They don't get equal opportunities or access to the same global markets as their male counterparts.

AF: This is an unexpected turn, but as you can imagine, security doesn't have a lot of representation from women and minorities, actually, so it's a big area of concentration for us. Tyler, you have a specific focus in the same area for cybersecurity. Do you want to talk about it?

TY: When we look at diversity, for us it's really about creating equal opportunity through developing diverse pipelines. Diverse pipelines refer to the finding of continuous top talent from all different backgrounds. You know, there's probably three main categories for this. For us, it's women, minority groups, and veterans. We've been successful at this ultimately by partnering with organizations like Year Up, Women Who Code, and hosting veteran security panels where we've had some of our internal employees that are actual former veterans talk about their jobs and how they got here. We really believe, and I think data will support, that building diverse teams is really key to the success of a security program or any tech-based program, specifically because the environment you create allows for individuals to be themselves, stimulate creativity, and ultimately solve complex problems, which is what we're all here trying to do.

AF: Yeah, this idea of diversity is such a focus in tech right now, and everybody wants to have a diverse team and then they complain that there's no diverse candidates. But the reality is, that's on you! You need to create diverse candidates. Instead of just complaining that there are not enough people who are applying for a job, it's a really vicious cycle. We can't get underrepresented minorities and women in this industry because they can't get experience. They can't get experience because they can't get a foot in the door. So this was our way to fast-track that and say, "Okay, we'll get you the experience. We can get your foot in the door. We can get you some training." What you choose to do with that will be up to you, and that's absolutely understandable. But we really just wanted to break the cycle. So it's a focus for us, too, Jiyoon, and it's something that I hope makes some kind of effect out there as much as Bean & Bean is doing now in terms of this really big focus that you have. We appreciate it, so thank you! There's another thing here that I think is an interesting thread to pull though—some barriers you see about customers learning to make their coffee at home. Are there barriers and what advice would you give some first-time brewers?

JH: That's a fantastic question, especially in this time and age when a lot of people are becoming more adventurous with homebrewing. It starts with understanding what you need to have at home in order to make a delicious cup of coffee. That's going to evolve through time as you have more and more access to equipment and ingredients. I recently published a piece with my mom on the Huffington Post about seven tools you need in order to brew delicious coffee at home, and they're all pretty budget-friendly. So, yeah, you want a grinder. You want to have a brewer that's pretty forgiving, that doesn't require super technique. You want to have a kettle, and you want to have, most importantly, delicious beans.

AF: Alright, Tyler, what are barriers for people at home in security?

TY: I think the biggest thing, when you look at security posture, it's there's no one-fits-all for every company based on the size of the company, the geographic region, your industry ... And so with that, I think it's really important that everybody doubles down in this area of threat intelligence and threat detection. If you don't know what's coming at you, you can't protect it. If you can't protect something, how do you know that it's even happening? That's really where the threat intelligence gives you that competitive advantage over the adversary—when you can start studying the different tactics that they're throwing at different companies, the different industries that nation states are targeting and cyber criminals are targeting. And then ultimately you can build a proactive threat detection posture off of that intel that you're collecting. I know that's one thing that we've really focused on, and I think that's what's really taken our program to the next level, is having intel at the nucleus of everything we're doing. Having the vulnerability management integration with intelligence, and the threat detection integrations with threat intelligence, and leading even sometimes business strategy with threat intelligence and knowing that certain markets are targeted by certain groups and things like that. And so I think that's the big one.

The other thing is the security culture. You know, a security team of five people or 50 people, they can't do it alone. There's always human-centric risks that are coming from all over the place. It's really investing in your entire organization to level-up security. I think we went from a week of like, "Hey, let's try this work from home thing," to like, "Okay, we're working from home for good." And we had a period of literally a week to put together an entire strategy and how we can get the exact same protections with everybody working remote as we would in the office. We accomplished that, but going through that exercise, it showed us a lot about our architecture. It also showed a lot about how teams can collaborate cross-functionally to get things done, even if it's not their expertise. I think that was the really cool part. As far as for myself in my career, I think it's allowed me to go outside of my comfort zone and expand in areas that I didn't think I could have based off of the cross-functional projects and things that have had to happen. I think we all get in this area, you get comfortable in your daily job and you're doing this constant cycle. This was like, "Oh, wait, we got to do something different, and I have to work with this team now I've never worked with before." And so it's help from a leadership perspective and being able to stimulate this buy-in from others. In the past, it was just your team, but now it's across the entire company.

AF: Speaking of stimulating an entire team to get them moving to do something ... Jiyoon, if people want to get caffeinated and they want to have this experience of a tasting with you, how do they get in touch with you?

JH: I am always accessible. I read every single email that gets passed through or that gets sent to us. So go to our website, beannbeancoffee.com, and drop me a line, or you can also reach me directly at j@beannbeancoffee.com.

AF: I can't even tell you how accurate this is. I think when I first had this realization that, "Oh my gosh, I'm having a tasting with her, and I want to have a podcast episode about coffee because I love it..." It was so immediate. We clicked immediately. I was like, "Okay, great, she's super responsive!"

Because I love coffee and I love security, these are some of the things where naturally I see the two going together. One of the things that's become very apparent here is both coffee and security are super accessible to people in different paths. How you find your way there could be through a beer, could be through an ice cream, could be wherever. Your security path could be an experience with the program that we have at Relativity. Tyler, for our cyber, it could be reaching out to someone on LinkedIn. Different paths lead to the same thing here: a good cup of coffee or a good career in security.

The second one is quality ingredients and process can lead to something amazing in a cup of coffee or a security program, but you do have to take that minute, like you said, Jiyoon, and you have to appreciate the minute of what you're doing there and being really present in it.

And the last thing: I really think it's about the human element and that, with security and a cup of coffee, it's not made by just one person. There was a path for that cup to get into your hands, and a lot of people were a part of it. And there was a path for that data to be secured from A to Z, and it took a lot of people. It wasn't just something automated. There were people behind it. I think there is a real human element there that is worth embracing.

I love to end on a quote. This is a really interesting thing I came upon. I love Teddy Roosevelt for a lot of reasons, but it's interesting because a famous quote about coffee is actually not him saying it. It was someone else. It was his son. And he said that his dad's coffee mug was more the nature of a bathtub. I totally appreciate that. I'm 100 percent down; that's the same for me. I have two cups every morning, et cetera. But it means that there's a very caffeinated president who said this very famous quote: "Believe you can, and you're halfway there." Jiyoon, I think you believed you could, and you got there very quickly. You made an amazing pivot. You've done so much for the organization that you have with your family. I love it. It's such a great story. I hope many people reach out and get to experience coffee with you as I have. Tyler, it's always a pleasure to have a cup of coffee with you. Thank you so much for being here, both of you.

Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments, give us a rating—we'd love to hear from you!
