Hi Everybody. Ed Amoroso here. And for this week's video interview, I'm here with a very good friend of mine, Jose Dominguez who is the CISO for TD Ameritrade.

Good to be here. It's very exciting and rewarding.

Chasing bad guys all day long?

More like defending. I think they're the ones that are running and trying to break down our walls.

In our learning community, you have a lot of young people who probably would like to know how in the world they get to the point where you can have a cool job like it. Tell us a little bit about your background and how you kind of got interested in tech and so on.

Sure. So mostly in high school and junior high school, I was pretty good in math, but I'll date myself a little bit. Back in the 70s and 80s, there were no PCs. But then when I got to college, it was right around the same time that the IBM PC had come out, Microsoft with DOS had come out. So my parents thought I was going to be a doctor. I started taking electives around programming languages and from that point on, I said, "Wow, this is a whole new frontier." The stuff you can get out of a machine to just whether it was Fortran or PO1, some of the old dead languages, it was just, I never looked back. So that's how really I got into technology.

Do you remember your first computer?

I did. It was a PCX 64, had 64KB memory, a floppy drive and 640K resolution on its screen. So we've come a long way.

Now, as you sort of progressed, did you find yourself more interested in business, in technology? Because you do all the above. What was your path to kind of your career?

Sure. Mostly technology. It was really programming and understanding applications that morphed into the business. So, I got to admit when I was a 15-year-old, my first summer job was delivering stock certificates. Back then there was no electronic settlement. There was no internet. We only had ARPANET. So most of the financial firms have dealt with physical security.
So, while I was learning all these computer languages, I started working at brokerage firms, financial firms. And that's how I really started getting into business. Security, I got to tell you it was two books I read. One is "The Cuckoo's Egg". I think it's still out there. I think it was Stoll that wrote it. And the other one was in the late 80s, "The Puzzle Palace", James Bamford. NSA. He actually was able to publish what he did at the NSA all day long. So those sort of piqued my interest in security but I never got to apply it. So I kept an eye on that. But I was really more focused on delivering value to the business through programming and understanding how the business flowed. I've been at brokerages for about 30 years. And then security maybe four or five years ago, the opportunity came to me from my management where the security had morphed less about technical and more about risk management. So they said, "Wow, we've got somebody here that knows technical. We have somebody here that understands how the business operates." What a perfect fit to sort of make risk decisions because at the end of the day that's where it really comes down to. What framework do you have and how do you make those risk decisions. For some of your students you may think, what's he talking about? That's pretty easy, it's zero or one. No, that's the easiest risk decision. Whereas black and white speeding ticket. You went 55 miles an hour, you went faster, you get a ticket. It's a lot harder to quantify with that risk. And then on top of that, to sort of combine it what the potential revenue, potential reward of that risk is, that's where it really gets tricky. And we find in the security wall, we're doing that all day long. Are we allowing people to have connectivity to LinkedIn? Are we allowing people have connectivity to Twitter? Things that you take for granted but have some downside potential as well, and we're constantly trying to mitigate that risk. 
It must be exciting kind of being in charge of security for a financial services firm. I mean, that's pretty consequential if something happens. I'm guessing you have to be on your game every day.

Yeah. Because we have over 800 billion in assets. We have about six million customers, and we have about 6,000 associates, so we're constantly protecting the data. We're trying to constantly protect those assets because our customers and our clients are the number one reason we exist. We want to protect that information. And we have, us personal, we have less folks trying to get our intellectual property. It's a pretty commodity business but is people trying to get information about the clients or actually get their money. I think that's the biggest threat that we have. But it's 24 hours a day, seven days a week. You don't get any days off.

Now I know you guys hire a lot of people, young people, people with experience and so on. When you're interviewing or considering somebody, what do you think about? What are some skills that you think that impress you for cybersecurity, say, in finance?

The number one thing I always look for is passion. Do you have a passion or desire to do well? That's the number one motivator that I would say. And then I look for technical skills. I found this true in my programming career where languages changed every three or four years. Whether you are PO1, whether you are a Java, whether you are Angular, Backbone, those languages kept changing. What I was looking for was someone that would have a technology background and whether it was with networking, whether it was programming, whatever the technology background, understand the capabilities and how technology can leverage and maximize the firm's potential, but be able to quickly adapt the things that change. So I try to always learn technology first, and then I tell folks that are starting early in their career, learn your business. How your business operates?
Are they on a five-day trading cycle? Or are they on a 24-hour banking cycle? How does that business operate will leverage your technology to an integrate?

So, I almost think like three different pillars: the technology base, the business base, and security. You put those together, is that the right formula, you think?

Perfect. But I think you need to understand the technology of what your company uses. Understand how it uses it for business. And then if you have both of those rings, then that top ring is, how do I now try to protect and secure that? We don't get to play offense in security. It's all defensive, and we got to understand what we're trying to protect in what different ways.

You know, you look at threats every day and probably look at them all day long every day including weekends and nights and so on.

You bet.

If you step back and look and you were trying to comment on the trends, is it just everything getting way worse? Is it getting different? Like, what do you think? You must get asked that question a lot.

Yeah. It's getting way worse, but it's also the speed to market of getting worse. I guess the best analogy I can try to use and for your students, they may not remember this time, but there was airbags. So, airbags only existed for the high-end vehicles. As time went on, it was almost like trickle down, every single car came with airbags. What we're finding is, with the fraudsters and the bad actors, technology that was owning nation state is easily turned into a commodity that's given to a lot of individuals. So, that speed where the individuals will have sort of we call them almost like weapons of mass destruction and how they can use them, that and just how much is available technology wise. One of the things that we saw a few weeks ago or a couple of months ago was the Mirai botnet.
Your students can google this where with the internet of things and with things being even more connected, you're able to leverage that and then publicize it, and let others around the world be able to use that tool where you can actually do a DDoS attack using security cameras. I mean, think back years ago, nobody had a security camera at home. Nobody had their TV hooked up to it. So, this interconnecting of just about every single device. And as a society, our dependence on technology, it's got some great things. It's also though got some holes where certain bad actors can take advantage of that, and sort of use it for a negative reason. I'm not saying we should be Luddites and get rid of technology. By all means, the rewards are great. It's just getting more and more difficult to be able to do that in a secure method.

With that speed of attack means the speed of defense has to keep up. That's got to be the hardest part.

It is. It is. Because it's how do I build a muscle memory, a capability that it didn't have yesterday and I now need to react to it. So you try to get some talented people. You try to sort of stay a step ahead, and see where try to predict where the pack is going. You sometimes get it right, you sometimes get it wrong but you can't wait to see what happens in the news to come up with your defense. You've got to start thinking, where is this going? Where do I see a bigger risk coming forward?

Such good advice, I could listen to you all day.

I learned from some of the best.

You should be writing a book on how you kind of got to be a CISO.

After I finish all I got to do over the next 20 years, but perhaps.

But thank you. Listen, on behalf of our whole learning community, thanks so much for taking the subway over to visit with us. I hope you enjoyed visiting us here in NYU.

Absolutely. I grew up in Brooklyn, over in Bay Ridge. So I love NYU and coming to Brooklyn.

Thanks so much for coming.

My pleasure. Appreciate it.

We'll see you next time.