Jothi Dugar – Helpful Cybersecurity Executive

Jothi Dugar is a cybersecurity executive at the National Institutes of Health, holistic wellness specialist, author, international speaker, and mom of three. She has been the only female executive in the room for over 25 years. Her work merges the eastern world of wellness with the western world of corporate leadership, bringing modernized transformational leadership programs that combine mental fitness, energy psychology, body hacking, and neuroscience to the corporate setting. She also runs a dance company and is the author of a chapter in “Ultimate Guide to Self Healing” on busting burnout for corporate leaders.

Host: Richard Lowe | Guest: Jothi Dugar

Conversation Transcript

Richard: When you say one of the few leading female cybersecurity leaders, that’s curious to me. There aren’t that many.

Jothi: I honestly wish there were more. When I first joined, it was probably about 5% women. Now it’s about 14%. Women in cybersecurity leadership, even lower, about 1 or 2%.

Richard: What’s causing that? It seems like it would be an ideal place for women to find a career.

Jothi: Currently it is male dominated. For women to see themselves in that type of role, especially leadership, when they don’t see other leaders that look like them, it doesn’t prompt them to want to be in that field. Also, cybersecurity is relatively new. I joined about 20 years ago when it wasn’t even called cybersecurity. It was information assurance and a whole lot of other terms. It’s also perceived to be very technical. My goal is to change that perception, because it’s not only about technical skills. There’s such a broad field that most people don’t recognize. There is a lot of scope and room for women and the innate skills they bring to the table.

People Are the Biggest Asset, Not the Weakest Link

Richard: I was actually in charge of cybersecurity for Trader Joe’s for about 20 years before I was a writer. So we have some confluence of skill sets here. I know what you mean about it being treated as too technical. Most breakdowns are caused by people, which has nothing to do with technology. It’s social engineering.

Jothi: That is my mission: to drive the people-centric approach to cybersecurity using a holistic approach. Since I’m in holistic wellness and cybersecurity, I bring a pretty unique mind-body-energy connection. If you look at the mind, that’s where the people come in. If you teach and empower people, they will make the right decisions. But a lot of times in cyber, people are looked at as the weakest link instead of our biggest assets. If you’re treated as the weakest link, you’re going to act as the weakest link.

Richard: Of course. A lot of companies don’t want to train people in cybersecurity because they don’t want them to be alarmed. So they’re ignorant. We had a problem where hackers would come in dressed in a uniform and replace POS terminals in stores with ones that were modified to copy card data and send it to the hacker site. If people don’t know about that, they’re just going to go along with it.

Jothi: By empowering people to ask questions, to look for things, “say something if you see something,” and giving them the tools and skills they need in any role, not just the cyber team. Even a cashier can use cyber-safe practices from a physical security standpoint and a computer security standpoint. When we talk about social engineering, that can be anything. Gone are the days when somebody actually has to steal your laptop. Now you can do it remotely because there are so many Wi-Fi networks people want to connect to. They choose convenience over security.

People use technology for a reason. And somehow cybersecurity professionals most of the time just concentrate on the technology and the process, but not on the people at all. Other than looking at them as weakest links. If we don’t empower someone to do the right thing, we can’t call them our weakest link because we’re not giving them the tools, the knowledge, the information, or even how to report things. If your identity gets breached, does every person know what to do? There’s no equivalent of calling 911 for a cyber incident. Nobody really knows the next step.

Even Security People Get Fooled

Richard: I used to ask myself how people fall for Nigerian-type scams until I almost fell for one myself. Then I realized how easy it is. I had somebody who wanted a big ghostwriting project. He seemed real. It wasn’t until he asked to send more money than the book would cost and then asked me to refund the rest that I realized I was dealing with a scammer. Had I not been awake, I’d have been out $40,000.

Jothi: It happens to everyone. Even for me. I also teach dance classes and have a dance company. Sometimes someone says they want to enroll 10 people and they start asking questions. “We’re in the hospital and want to get our kids in the class.” I’m like, first of all, you have 10 kids? Then the excuses start piling up and you look up the phone number on Google and find out it’s a scam.

Richard: A big clue is they won’t talk to you. They only communicate over SMS or email because then you’ll hear their accent and know it’s not legit. That’s one of the first red flags. And then they want to wire money, which of course you can’t get back. I’ve ghostwritten four cybersecurity books now. The number of red flags people tend to ignore is interesting. And this has nothing to do with technology.

Jothi: Exactly. People use technology for a reason. Most organizations have once-a-year annual security awareness training and then never talk about security again.

Richard: I always compare it to crime scenes. The police are always looking for witnesses because they are your biggest strength. “Who saw something? Can you describe what happened?” They don’t treat people as the weakest link. But when there’s a security incident, the first response is finger-pointing. “Why did you click on that link? Did you not know any better?” Without taking the time to embed security into everyone’s roles.

Richard: There’s individual security too. If your wallet is stolen, what do you do? If your identity is stolen? Most people don’t have a clue, and they won’t until they go to the cops, and the cops don’t really know either. For me, because I’m in cybersecurity, I always have plans. What if I lose my wallet? There could be a hurricane. Someone could steal it. I need that driver’s license, those credit cards, so I keep duplicates. I was also in charge of disaster recovery at Trader Joe’s. That’s a huge part of security that’s often overlooked. What are you going to do when the system goes down? Because it will. Even in the cloud.

Merging Cybersecurity with Holistic Wellness

Jothi: What I’m trying to do now is merge the cyber world and the holistic wellness world. If your cyber leaders are not taking care of their mental health and wellness, then we know the state of your organization.

Richard: If your core security people are not healthy mentally, you’ve got a problem.

Jothi: A lot of people give importance to the malicious hacker out there, the nation-state actors trying to hack into networks. Yes, that’s a threat. But most often it’s what they call insider threat, and the only reason it’s a threat is because you haven’t empowered these people with the right tools and training, or they’re being overworked. Especially now with the pandemic, if you have kids at home and you’re juggling being a parent and possibly a teacher while doing cybersecurity, all it takes is one split second. You get an email, you’re configuring something, your child calls out and creates a ruckus, you come back and accidentally enter the wrong thing or click a link. It’s split-second decisions. If you’re trained to pause for a second, like “I was really distracted there, maybe I shouldn’t be making this decision right now,” that changes everything.

Richard: There’s also the perception of risk. Clicking on a link is considered extremely low risk by most people. I was expecting a package from UPS a couple of months ago. A scam email from UPS came in. What did I do? I’m a security guy. I clicked on the link. Fortunately, Malwarebytes said, “No, you don’t want to click on that.” Because I have multi-layered defense. I realize I’m not perfect. Even security people get fooled.

Jothi: If you have a set of practices to take pauses in the moment, it helps. A lot of people think taking a pause takes away from efficiency. But it’s the opposite. When you keep going without pauses, you drive yourself insane, have less energy, and are less effective. I always use the analogy of NASCAR drivers. Fastest people in the world, but every race car driver comes to a complete stop in the middle of the race to check tires, get the car ready, get their mindset right, and then keep going. If they can do that, all of us can take that moment. I recommend about five minutes every hour. What I teach in my holistic wellness programs for the corporate setting are two-minute, three-minute, or five-minute techniques you can incorporate into your workday.

The Always-Connected Mindset

Richard: One thing that causes a lot of problems is today’s mindset that you have to answer emails and Facebook posts instantly. How many likes did I get in the last five minutes? What I do, partially for security and partially for sanity, is look at my email at certain times during the day and ignore it the rest. I don’t keep the phone with me constantly checking who’s talking to me. That mindset of needing to be instantaneous leads to security problems. You could reply to a scam message, click on a link, or somebody could be hijacking a Facebook account. You’ve got to get off the hair trigger.

Jothi: Technology, like everything in life, has great uses. But when you overdo it, it becomes a health issue. Being connected and wired to technology from a mental state is a wellness issue. You’re also getting EMF rays whether you appreciate it or not. Kids wearing glasses at two years old because they’ve been staring at iPads. Behavioral problems because they’re not as active anymore.

When I was growing up, you came home from school and spent the first hour running around outside. Now kids don’t know how to be creative. Once they’re done with an activity, they say they’re bored. You just came back inside one second ago. Figure out something else you can do. “We don’t know. We’re going to watch the phone.” No, you’re not.

Richard: They want to play video games because it’s “creative.” But it’s not creative. You’re following somebody else’s creation. And it affects people physically. I know when I sit around I get a sore back and a headache. What do I do? I take walks, exercise the back, do stretches. I’d rather do that than take medications that have side effects. It’s a simple matter of getting off my butt every couple hours for 20 minutes and taking a walk without the smartphone.

Jothi: The five-minute techniques I teach include things for the body too. Not just mindset and energy exercises. Simply getting up off your chair, changing your physiology. If you don’t have time for a two-mile walk, you can face a different direction and do some squats or arm circles, twisting and turning. Changing your physiology changes your emotion and mental state.

Richard: There’s also the hypnotized stare from looking at a screen at the same fixed distance all day. It tends to hypnotize you, makes you less effective, and more prone to errors that cause security problems.

Jothi: I think you’re the first podcaster I’ve been on where the host is also from cybersecurity. That’s unique.

Real-World Security War Stories

Richard: We had break-ins, and we got the first “I Love You” virus. Our email server crashed from billions of messages. Then we had Blaster rip through the place. It took months to get rid of because it kept replicating and we couldn’t find the machine that had it. We had a consultant install OphCrack and break into systems, and we had to fire him. All kinds of security stuff you get in a big corporation.

Simple things like making consultants sign contracts that they won’t do certain things. We had people attached to the network who didn’t have secure computers. We became PCI compliant, so that was a no-no. They had to go through the guest network, make sure they had antivirus. Consultants could be fired for violations. All important, and those are all people problems, not technology.

Jothi: That’s where, going back to women, there are a lot of misconceptions that the only aspect of cybersecurity is the technical part. But when it comes to people, women are innately wired to be collaborative and be more of a people person. If they allow themselves to be authentic. A lot of times they don’t, because they lack confidence and there’s fear in a male-dominated environment. But if they bring out their femininity, it can boost the field because you need that collaboration with all your stakeholder groups.

Women, especially if they have families and kids, are used to speaking different languages. You talk to each of your kids differently because they’re all uniquely different. You’re not going to talk to your husband the same way. When you come to the workplace, you treat each group of people you work with differently. Cyber is a very unique role. Women have a lot of what it takes. They just don’t realize it.

Diversity Drives Creativity

Richard: I think it’s true of technology in general. I was reading about an AI initiative at Amazon where they used AI to make hiring recommendations trained on 10 years of history. It biased strongly toward men because that’s who they’d been hiring. They pulled the plug immediately. But if they’d had one woman on the team, that would have been caught right away.

Jothi: When I speak with CISOs and cyber leaders, there are misconceptions like “we just hire the best for the job.” But what if the best didn’t apply because they’re wired differently? Women won’t apply for jobs unless they meet 90% of the criteria. Most men would apply meeting 10%. So you don’t know if you’re hiring the best among those who applied. You’re leaving out those who didn’t apply because they didn’t feel confident enough. I do a lot of mentoring and coaching with women. Just go ahead and apply. What’s the worst that could happen? You don’t get the job. But you already don’t have the job.

Richard: That’s true of everything in life. I remember when I was 19, this guy used to pick up women all the time. I asked how he did it. He said, “You got to ask.” Well, they’re going to say no. “Some of them will, but not all.” That was actually a turning point in my life. You just have to open your mouth and ask.

I always tried to have a diverse staff at Trader Joe’s. I felt it was important because I got different viewpoints. You put a woman, a Black man, a Cuban, and an Israeli at the same table, they’re all going to have different points of view. Your problem-solving becomes more enriched. Somebody comes up blank, and the Israeli says, “How about this approach?” The Pakistani says, “How about that one?” The women have a different approach. I found it always very empowering. Sometimes more frustrating because we weren’t always on the same page. But I didn’t want a group of yes-men. I wanted people who actually used their brains.

Jothi: This has been scientifically proven. The more diverse the workforce, one, it makes a happier team, but they’re also more effective, efficient, and it drives creativity. When someone takes apart your idea, it opens your awareness. “I didn’t think of it that way.” It drives creativity and innovation that you wouldn’t get if everyone thought the same way.

The 70-Hour Crash

Richard: I still remember our worst computer crash. A simple thing, removing a disk drive that should have been safe to remove. There was a firmware bug. It rippled through, the system crashed, affected the DR site, and the backups were corrupt. No recovery at all. I was awake for 70 hours with one of my team members. Reality gets different when you’ve been awake that long. My mind was on another planet. We were probably having some very bizarre conversations.

Jothi: It’s one of those unique fields. In healthcare your shifts have some structure. You know when you’re on call. In cyber, it catches you on the fly. You have to be mentally prepared to handle something at any time, any day, even on vacation. If you’re the leader, you have to be prepared to get calls in the middle of the night.

Richard: There was one time I was going to Fresno for a renaissance fair. I’m a photographer too. I had three models meeting me there, costumes, photoshoots, the whole thing. I got a call saying the computers were down. I was 100 miles away. I had to run the recovery effort on my phone from 100 miles away while doing photo shoots. Very bizarre day.

Jothi: That really gets to you if you do it for a long time and nobody else understands. “Can’t you just tell them you’re not working?” Kind of not. You’re the leader.

That’s been my passion, to bring that wellness aspect to this field because the people in the field don’t realize how important it is. If you have practices to take breaks, changing your physiology, you respond differently. There’s a reason it’s called emotion, because it’s motion in energetic format. People in incident response or crisis mode want to keep going until they’re done without realizing the crisis might take a long time. If you don’t take that physical break, you’re going to burn out and you’re not going to solve the crisis.

Closing Words

Jothi: My first book is coming out October 1, called “Ultimate Guide to Self Healing.” I wrote a chapter called “Busting Burnout for Badass Leaders,” dedicated to the corporate field. It covers three easy mind-body-energy techniques you can incorporate into the workplace. There are about 24 other chapters on spiritual tools, meditation tools, and more.

From a mental health and wellness perspective, always reach out. Never feel like you’re alone. If you’re facing something, somebody else is too. The more you talk about it and put yourself out there, the more help and support you can get. And you can encourage and inspire others to seek out assistance as well.

Learn more about Jothi Dugar at jothidugar.com.

Find Richard Lowe at TheWritingKing.com.
