Voices of the Vigilant EP07 | The Risk Whisperer’s Guide to Cyber Resilience
In This Episode
This episode features Mea Clift, Principal Executive Advisor for Cyber Risk Engineering at Liberty Mutual.
You can learn more about the conversation and the guest below.
Tune into the audio version of this episode by clicking the player below:
Please note: Due to technical difficulties, there is no video for this specific episode.
About the Guest
Mea Clift is a distinguished cybersecurity executive with a multi-decade career rooted in excellence, innovation, and mission-driven leadership. As Principal Executive Advisor for Cyber Risk Engineering at Liberty Mutual, she provides strategic guidance to underwriters and insureds on emerging cyber risks, maturity models, and industry trends—bridging the gap between cybersecurity strategy and enterprise risk.
With deep expertise in governance, risk, and compliance (GRC), Mea is a champion of NIST-based frameworks, Zero Trust principles, and supply chain security. Her background spans critical infrastructure protection, regulatory alignment, and the development of governance structures that embed security across the business. She is widely respected for her ability to translate complex technical risks into clear, compelling language for executives and stakeholders alike.
A 2024 Cyversity Educator of the Year, published author, and active mentor, Mea teaches Fundamentals of GRC and advocates for diversity in cybersecurity through many organizations including Wicys, Cyversity and ISACA. Outside of her professional work, she is a passionate quilt historian and educator living in St. Paul, Minnesota, where she shares her love of textiles and design alongside her three greyhounds.
Full Episode Transcript
Jess Vachon: 0:33
Hello to our listeners. Hopefully everything sounds good to you. We've had some technical issues going in this episode, but we're going to jump right through it. My guest today is the wonderful Mea Clift. Mea is the Principal Executive. Clift Mea is the Principal Executive Advisor for Cyber Risk Engineering at Liberty Mutual. Mea, I welcome you and I promise to not randomly throw out Liberty Mutual taglines today. How are you?
Mea Clift: 0:58
I'm doing well, thanks, and I appreciate that. It's something everybody tends to do when they talk and I say, hey, I work at the large insurance company and they're like, yeah, we love their commercials and I'm like, cool, great.
Jess Vachon: 1:12
Awesome. So, Mea, tell us about yourself. Who are you? How did you get to your role? All that good stuff, your elevator pitch.
Mea Clift: 1:25
So, let's see. I've been in IT and cybersecurity for 28 years now. I started two days after I graduated high school and worked my way up. I've really run the gamut of history, through desktop support, server support, networking, even working for frame relay circuits back in the early 2000s and bulletin board systems all the way up to cloud and then government contracting, moving into GRC and then, ultimately, before coming to where I am now, I was a CISO at a water and wastewater consultancy firm and then moved into evaluating companies for cyber insurance.
Mea Clift: 2:05
So it's been a really sordid journey, but it's been really powerful. It's allowed me to have a lot of great opportunities to educate and to grow and develop, and it allows me to be able to see the bigger picture and align cyber with the business and really understand what's going on behind the scenes, sometimes where you know it's not just the technical stuff. That's also allowed me a lot of opportunities to network with people and share my passion for cyber not just with other business leaders and cyber experts, but with the next generation as well. So I volunteer with a lot of cyber organizations to help bring the next generation forward, because I feel like, you know, I stood on shoulders so it's good for me to let others stand on my shoulders and I teach a GRC course a couple times a year for currently Cyber City, but it may be moving to other venues in the future.
Jess Vachon: 3:00
Very nice. So you've just done a few things and you've just been around for a little bit of time.
Mea Clift: 3:22
Yes, I consider myself a Jill of all trades, which has allowed me to be the leader that I am, because I can see and understand the tech, I can understand the business, I can understand the programmers, I can understand the IT people, and it really helps to communicate on those different levels and explain what's going on in a better perspective.
Jess Vachon: 3:37
Nice. So in your current role, can you tell us what the cyber risk engineering section does and what you do as a principal executive advisor?
Mea Clift: 3:50
Yeah.
Mea Clift: 3:50
So we work with underwriters to help them make the risk decisions on the security posture of companies asking for cyber insurance. So we get to look at claims data, we get to look at some other data-driven technologies that we've helped to develop internally to really understand what's going on behind the scenes of an organization, to make a determination on what their risk profile is from a cyber perspective. Are they going to be liable for a breach? Are they going to be able to recover from a breach? How resilient are they to those kinds of incidents and opportunities that are happening in the world? So we look at it from five different lenses not just the technographics, not just what we see on the attack surface, but what's happening culturally, how they're building their engineering, what their resilience posture is and, most importantly in some cases, what their vendor risk profile looks like. Are they taking care of their vendor risk understanding and also who relies on them and how are they protecting that client's data as well, because that can be a liability going forward.
Mea Clift: 4:53
We also get to talk to cyber leaders about what cyber insurance is and isn't. There's a lot of misconceptions in the world and we get to help inform that. So we really want to build that partnership with our clients and even with our brokers, to help them understand why we're asking certain questions. We want to understand what's going on. We don't just want to say, no, you can't do this because you don't have this thing. We want to say help us understand the thinking behind that, or if you're working on it. We understand that cybersecurity is a journey. We are all cyber leaders in cyber risk engineering. We've all been there and been in the trenches, so we actually have an understanding and have a little bit more. I don't want to say grace, but a bit of fluidity and understanding that you know every maturity is different, especially industry to industry and business size to business size, and we want to be able to help along that way business size to business size and we want to be able to help along that way.
Jess Vachon: 5:50
Yeah, I love that insurance companies have over time started to bring in professionals to help them make determinations of the risk of potential customers that they have to the organization. I remember, probably 10 or 12 years ago, when we would go for cyber insurance and there'd just be a form to fill out and we'd fill it out, kind of finding all the gray areas that we could, we'd send it back and we'd get our coverage. But obviously the insurance companies paying out claims for companies that weren't completely honest about the surveys they were sending back decided it was time to bring professionals in-house who could read between the lines, who could determine if a gray area leaned more towards the negative or more towards the positive. So I think it's excellent that your role exists and that Liberty Mutual has invested in not only protecting their business but coaching their clients towards success, and I think that's really how CISOs and others in my position experience that today. It's a conversation. It's not just that checklist that's sent to you, it's engaging after the checklist is sent in. It's asking about what you're working on proactively for the coming years. So it's just you know.
Jess Vachon: 7:08
I guess I would extend kudos to insurance companies for being wise enough to bring my peers in the house and make sure that we're all getting the best value for the coverage and it goes beyond that. So you know you pay the insurance premium but you're getting that support throughout the year and quite often if you have to make a claim, if you have an event, then you get to engage with people such as yourself to say, hey, this is a situation we're in. You know, guide me through how I should work with your company to resolve it. So kudos to you for being in that position. I'm sure you've brought a lot to the table in your organization.
Jess Vachon: 7:49
I want to pivot a little bit away from that. I know you have worked previously in protecting, let's say, municipalities in their operations. So operational technology and maybe some IoT involved in there. I'd like to ask you some questions about that, or have you give us your impressions of your experience there? Because we know there's been incidents over the last few years of utility companies that have been compromised, the effects of those compromises, companies that have been compromised, the effects of those compromises. So speak a little bit about your experience there and your view of where we are today in terms of protecting those assets.
Mea Clift: 8:36
So that was a very intriguing experience. Honestly, In my life I had had tangential connections to operational technology. My dad was an electrical engineer and built PLCs. I had to teach him how to subnet at one point, and so coming into something that was using operational technology and having to secure it was very unique, and I had to understand that what I anticipated coming in with my IT knowledge was not what they were going to need and what they could do. So it really taught me that I had to say more of the help me understand what we can do and help me understand where we are with this technology or how these things are connected and what the best practices are with this technology, or how these things are connected and what the best practices are. So one of the biggest things that we've come to see is this separation between IT and OT, because there has to be some kind of demarcation line, because it's not that the OT systems are going to have ransomware attack them. It's more that the IT systems that are connected to that network could be compromised. And then the system that allows the human to engage with the actual PLC the operational technology is what's compromised, which keeps you from activating or using it or that piece gets commanded and controlled and you could change the parameters within.
Mea Clift: 10:01
We have seen some activity over the last year or last couple of years. You know, one of the biggest things that I think is fascinating right now is the understanding that came out thanks to CISA last year about nation state actors actually living off the land waiting to disrupt our critical infrastructure systems in 27. Josh Corman, who runs I Am the Calvary, has talked a lot about Undestructible 27 and how that could be very disastrous for us. Because if they do take those things offline, it's not just the water system that's taken down and it's continuing to look at the supply chain as a critical infrastructure component being part of that. Because if you take water offline, yeah, you're not going to have your drinking water. You may have to go to a creek or something, but you're going to lose water treatment, so you're not going to be able to get fresh water. In some regions Irrigation could go down but furthermore, on that, hospitals need water to survive. You cannot run a hospital without water. So if your water system goes offline and you have a major hospital, especially in a rural region where you may only have one hospital in the region and that water system is no longer available, you can't have operations. If you have critical care patients, you can't take care of them, you can't wash hands, you can't deal with sanitization processes, so it really is catastrophic from a long-term perspective.
Mea Clift: 11:46
The prevailing theory of that won't happen here and we're seeing things happen more that we would have considered low risk for so very long but are actually very high impact Because, of course, risk is probability versus impact. There may have been a low probability of somebody compromising these systems, but now we're starting to see that impact rise because they found this weak spot and they have figured out that it can be disastrous and it can cause disruptions internationally if we don't do something to protect those systems. So best practices have been coming out more. We see a lot more engagement with the information sharing groups around these things and that's been very powerful, watching these systems kind of come online.
Mea Clift: 12:26
We see a lot of state organizations coming together to help the municipalities that may not be able to afford cyber expertise to take care of these situations. But there's still so much more that can be done with the right resources and that's the biggest challenge I think in these spaces is resourcing, when a municipality has to choose between putting in expensive cybersecurity stuff or getting a new water main because the water main broke and you need to get water to that community, otherwise there's a boil water order on. You're going to choose that water main 100 times out of 100. And it really goes to kind of like what Wendy Nather talks about with the cybersecurity poverty line. It's not just small businesses that can't afford cyber, it's municipalities, it's our communities that are also having struggles.
Jess Vachon: 13:16
If you had the ability to influence change in that arena, how would you proceed?
Mea Clift: 13:27
If I had time and money and resources, I would actually kind of build a pipeline of technology for those municipalities.
Mea Clift: 13:38
So it would do something similar to like AmeriCorps or Peace Corps, where we have grants coming in that fund a cybersecurity organization that just helps critical infrastructure and we could bring in entry-level people, pay them for a few years, we give them the entry-level experience but we're guiding them with experts in the space to allow them to grow and develop.
Mea Clift: 14:02
But then we also get people who are SOC trained and who are monitoring these systems and who are monitoring these systems and who are helping build these awareness and training programs, who are working in these communities to help protect them. I think it would be a benefit across the board, not just for those critical infrastructure components in those municipalities but also the larger cybersecurity ecosystem. We talk a lot about the pipeline being broken, but it's not just the cybersecurity pipeline that's broken, it's a lot of other pipelines. But if we had an opportunity to take people and give them that hands-on experience to allow them to get that three to five years of experience to get them in the field, or even the people who have five years of experience getting them that managerial experience to get them into that mid-range, which is where we are seeing some lack of positioning. I think it would be really, really powerful and really help to promote and protect these environments and help to alleviate some of the struggles and the gaps that we see.
Jess Vachon: 15:04
Interesting. I love your response. I say interesting because, as our nation focuses on a whole bunch of different things and arguably some of it these days is a circus environment, when we're thinking of national defense, when we're thinking of employment, when we're thinking of opportunities, when we look at our field information security and people that want to enter it and available jobs you've just outlined a whole area that we seem to not be addressing sufficiently in the nation. National program, a supported program from the federal government, is brilliant. It serves so many causes that are important to so many Americans and it's a model, I think, for every country. Right, because some folks may say, well, we don't really need to worry about that, but we do, because if we look at the Ukraine, we see attacks on critical infrastructure that affect their drinking water, that affect the electricity, that affect their communications. So we know that's an area that adversaries may choose to attack and or may already be sitting in and waiting to use that to cause disruption. And we're talking about economic destruction or disruption. We're also talking about health concerns. Your example of health care is outstanding, right, and if you're in a city and drinking water gets interrupted, that's an immediate issue beyond just health care, because it's much harder in a city to walk down to get fresh water out of the river. You could probably boil it. I don't know if you could probably get all the chemicals out of it, but it's a bigger issue, right, might be less of an impact in rural areas, but who knows? Because we don't know what those issues are and it is a widespread program.
Jess Vachon: 17:07
I don't know how many cities and towns exist in the US, but it's significant and our population is significant and I think we've found from minor disruptions that have occurred, such as blackouts in major metropolitan areas, or if we look at bigger events such as a pandemic, economic impact is immediate and the impact on livelihood is immediate. And you know, I hope that people will hear your voice in this episode and will consider what you've brought forward, and I would be first to say hey, call, mia, put Mia in that position, let Mia develop the program and run it. Mea, put me in that position, let Mea develop the program and run it. But that's just me, all right. So I know you're involved in a whole bunch of things other than your main career. You talked about how you kind of worked your way up If you were to give guidance to someone entering information security now, or someone who's kind of mid-career. What guidance would you give them in our current economic environment and hiring environment?
Mea Clift: 18:16
It's a really great question and I think it differentiates between somebody coming into the field right now and somebody who's already in the field. I think we do have a situation where a lot of great candidates are out in the field right now, both as entry level and mid-level. I think what you have to do is really show and demonstrate what sets you apart, you know. Showing that you're taking courses, showing that you're doing exercises or you're trying to find ways to work within your community to get that experience or get that knowledge. Show who you're being mentored with and use those mentors to lift you up and elevate. Ask them to help you find positions and then, for the mid-range, it's kind of the same Use your network to help you find positions, and then for the mid-range, it's kind of the same Use your network to elevate you, but also work on elevating yourself. One of the things that I think was really beneficial to me when I was in my mid-range kind of space was I did have some really great leaders who were empowering me to do great things. I'm going to totally give shout outs to Carl Gray and Jennifer Gray no relation who I continue to just check in with once in a while and go. I wouldn't be where I am if not for you two, because they gave me the power and they gave me great opportunities to grow and develop, and I think everybody should find those people and use them effectively to do that. But one of the other things that Jennifer specifically gave me the power to do was write an article, and that started my presence in the community. So I wrote an article for ISACA and then I wrote another article for ISACA and then I just kept going and then presenting and building my eminence.
Mea Clift: 20:11
I think in some people's minds they think we don't have anything to talk about, we don't have voices, we don't have nobody wants to hear what we have to say, and I would disagree with that. I think one of the things we definitely need is every voice, because every voice has an aspect, every voice has innovation in it and everybody has a perspective that's valued, and so, even if you think it may not be something that's valuable right now, write it and just see what happens. There are always going to be places where you can put that stuff. You can put it on LinkedIn, you can put it on Blue Sky, you can put it on Tumblr. For all I know, there's a lot of different places that you can really put your voice out there.
Mea Clift: 20:59
And even if it's not being out on podcasts all the time or presenting or being a keynote speaker or doing all of those kinds of things, just putting one article out says, hey, this person is actually trying to improve the community, is trying to do something good or different and is putting you out there, and that helps. When you go in to say, you know, here's who I am and here's what I know, I think in this modern era where we are competing against thousands of people for positions, you have to do those things to say this is where I fit and this is who I am and this is what I stand for, because that is definitely what makes you stand apart, is definitely what makes you stand apart. I think a lot of people just put in the work to say, hey, I've done this for 10 years. Or hey, I'm a good sender person. Or I was talking to someone recently that was saying, oh, I've done vulnerability management for a long time and I'm like, okay, what makes you good at that? What is making you different? What makes you stand apart? That's the thing. What is going to make somebody stand up and pay attention. Do we have to get through the AI chatbots to get to that person, to stand apart? Yes, but you should definitely have that voice track to elevate yourself. And I freely admit and Jess, you know this I am not good at talking about myself. I tend to downplay myself until I'm in an interview and then I am the best thing on this planet, and that's the thing that we have to remember, I think.
Mea Clift: 22:34
Also, don't sell yourself short. There was a statistic I saw somewhere that especially men will apply for a job if they can fit like three out of 10 pieces, perhaps even less, but women and some underrepresented communities in cyber will only do it if they meet eight of 10 or 10 of 10 of the things. It's not a matter of if you can do it or not. It's a matter of can you grow into it? And that's the thing you probably have already done. Parts of that thing it, and that's the thing you probably have already done, parts of that thing you just haven't actualized that. That's what you're doing. So don't sell yourself short when you're looking at these jobs going oh, I can't do it.
Mea Clift: 23:16
I was on a panel yesterday about women in tech and they were asking similar questions and I said one of the things for me in my career has always been if I don't feel scared about taking a position, I don't take it because that means I'm not growing and I'm staying stagnant. And while some people are totally okay with being stagnant and that is if that's how you choose to live your life, because you have other commitments, or it's just how you want to be, that's totally fine too. That's we definitely need those people just as much as we need other people who are moving and changing and developing. But if you're not at least a little nervous in taking a new position, you may want to think about is that the right position? And I don't mean, oh, is the culture right? I mean, can I meet all of the job expectations? Because you want to have the opportunity to grow.
Mea Clift: 24:08
Cyber is one of those places that you really don't have a lot of time to stay stagnant, because things change. We have new technologies, we have new threats, we have new things to think about, even if they are basic, fundamental components about even if they are basic fundamental components. It's something that comes up. We get a new zero day and everybody goes oh my gosh, new zero day and we're like okay, great, we have to synthesize, we have to break down, but we also have to figure out how to explain it to people. We also have to think about what the risk is in regards to our business. We have to think about what it is in relation to all the other priorities that we have to do. So there's always things that we're learning and developing.
Mea Clift: 24:50
You know, for me, I was just in the Carnegie Mellon CISO course and you know I learned about operational expenses and capital expenses, because finance wasn't a thing that I had learned much about. So even now, where you know some people are like you are the pinnacle and you are at the top of doing all these things, I'm absolutely not. I have a stack of books behind me to read. I have things that I'm studying all the time. I have ambitions for what I want to learn. Next, I have, you know, certs on the wall that I want to get more of, and it's because I want to keep growing and changing. And I think, in order to be successful in that mid range and higher, even in your early phase, you have to have that desire to grow and develop and innovate and change.
Jess Vachon: 25:35
Lovely.
Jess Vachon: 25:36
I don't even know what to add to that.
Jess Vachon: 25:40
I think to summarize it, when you reach the mid range or you reach the executive range, you reach the bin range or you reach the executive range, you have to transform yourself into a long distance runner right, because you can't stop.
Jess Vachon: 25:53
Nothing else is stopping. So if you want to have longevity in your career, you have to find that pace. You have to commit not only to doing the work that's in front of you, but keeping up to date at what's coming, learning about what's coming, finding the right talent for your teams that can address those challenges that come forward. So great advice you can choose to not do that in your career, but in the current environment and I think in the way work will move forward from today, those people that choose not to do that are going to place themselves at a disadvantage and they should just know that when they make that decision, the decision is basically check out and have a questionable length to your career or continue to keep up with the tempo and have a longer career. I want to move now into artificial intelligence, because that is one of those things that I'm sure you're always continuously learning about. I'm always continuously learning about. You know the frameworks, the governance is all challenging.
Jess Vachon: 27:29
Maybe just give us a few minutes of your thoughts on artificial intelligence, both how it's changing the work that you do and what we're looking at in terms of careers moving forward for information security professionals.
Mea Clift: 27:35
So this is really fun because they someone asked us this question on the panel yesterday and most of my panel mates were very optimistic and very positive and very, you know, ai is great and AI is coming and it's going to be innovative and we're we should adapt and we should learn and we should do all these things. And I said I have to take the negative Nancy pragmatic approach of I'm concerned about it. I tend to look more at the long-term impacts of it. I think we took it as a new tool that can do all of these things. That really is going to replace all of the stuff and make our lives so much easier, but in some cases it's potentially going to make our lives less valuable. And I say that in the concepts of how people are using it to be creative, how people are using it for art, how people are using it to do work for them that they need to do. And I think one of the greatest skills that I have in my career and the one that I look for most when looking at candidates for positions is critical thinking, and we're seeing studies come out from MIT. We saw a study come out from Microsoft that say that extensive usage of large language models and I'm going to talk AI and strictly large language models, not machine learning or the other pieces that have been around for a long time, because I think those have been very, very beneficial and I think LLMs, to a certain extent, will be beneficial in the future.
Mea Clift: 29:19
But I'm concerned about how we're using it to find easy ways to the things that actually allow us to grow and develop. You know, I talk to a lot of my friends who are teachers and they're struggling where students are using it to do their papers or do the research for them. We've had accounts of people going to libraries with lists of books that don't exist because ChatGPT told them to go find these books. We're seeing a lot of what Anthropic is doing, where they're testing the limits and what it's done. And you know they put it in a system and allowed it to look at email and then they sent an email to this fake executive saying that they were going to shut the AI model down and then the AI started to blackmail the executive team to try to keep them from shutting down the AI or the large language model and I think that is the things that keep me awake at night is what are we losing in critical thinking and humanity for this technology that is becoming more prescient and more ubiquitous?
Mea Clift: 30:35
Do I find some advantages to it? Yes, I will admit that there have been a couple of moments that I've used it to edit my resume or to help me synthesize a bio, but I'm not using it to write papers for me. I'm not using it to write my presentations. I'm not using it to find the things that I need to find, to understand and to build those connections in my own brain to learn and grow, and so I take large language models with a very large grain of salt.
Mea Clift: 31:11
I think in our cyber community, you know, a lot of people have adapted to it and said you just have to jump on it and it's going to be the future and we're going to lose all these entry level careers with that, and I don't disagree that we're going to lose some. I think, I think, but that's okay, because the positions that we're likely going to lose are simple tasks that can be done with automation and that allows us to focus on the things that we need actual hands-on work for and we can tailor our workforce to those things. I think we will see an emergence of new careers over time, especially and I call it the window washer because there was an IT crowd skit where the guy was chasing this guy and saying I'm not a window washer, I'm not a window washer. And then the guy comes back and he says what do you do? Well, I fix windows like computer windows and he goes oh, you are a window washer and it was a long joke.
Mea Clift: 32:13
But cleaning up all of the slop that AI has put out, cleaning up the information that's in large language models now that's causing this disinformation. I love the story of when Google put all of the Reddit information into it Gemini, and so you could search how do you keep toppings on pizza and for a short amount of time it was telling you to glue the toppings onto pizza, which is not only horrible, it can be poisonous, but it was because it was just reading. You know bad advice on Reddit because, of course, and then you know, looking at some of the other hiccups that we've seen over time, it's just we're going to need somebody who has the critical thinking to clean those things up and go yeah, that's not accurate, we heard this piece of information that's wrong or this doesn't exist and things like that that's wrong or this doesn't exist and things like that. But I also think that we will see value in it from research perspectives and cross-sectioning different papers, and that kind of innovation is going to be valuable. The thing that we need to do with cybersecurity experts is really take that more pragmatic approach and go what are the risks? And I think we're still kind of trying to get our hands around the governance part when, in reality, experts is really take that more pragmatic approach and go what are the risks? And I think we're still kind of trying to get our hands around the governance part when in reality, we need to get a handle on our data, because we need to know what data we're sending out to these things and if it's critical or not. And a lot of organizations don't have an understanding of what's critical data in their organization or even where their critical data is. So I think data is the first step, and then I think how we protect the actual AI systems.
Mea Clift: 33:55
I was talking to someone and they had relayed a story where they were talking to another CISO and that CISO had said we don't need to protect our AI because it's internal to our network. And that stopped that person. Because they said well, but do you patch your servers internally, and they're internal to your network. Do you patch your internal switches because they're internal to your network? And it took a few moments for this other leader to go. Oh, you mean, it's a vulnerability just like anything else, and I think that's the thing that we've missed, because it's a new shiny and we think nothing can go wrong with it. But if we don't get ahead of that now, threat actors are going to beat us to the punch and we're going to have all kinds of problems in the future.
Jess Vachon: 34:39
Yeah,, and there's been a recent story about one CEO or chief technical officer of a company who was working with artificial intelligence put in place a breeze so that no changes would be made and the artificial intelligence went ahead, made a change anyways and deleted the entire database and there were no database backups. So if you think there's no threat internally, I think that person would have a bone to pick with you on that one.
Mea Clift: 35:09
I love that one too, because you said well, I know the large language model apparently said well, I know you said there was a freeze, but I decided to do it anyway and then I realized I did it wrong and it was still like well, ok, can't fix it. Oh well, I think we're anthropomorphizing our artificial intelligence, but sometimes it's very much like hold on a second. We really need to get a handle on this before it does significant damage.
Jess Vachon: 35:50
Yeah, from that example I just hear echoes of 2001 Hal, just out there, operating on his own and not caring what anyone has to say. I agree with everything you said. I think we're still at the very beginning of finding out what value artificial intelligence and large language models will provide to us. I think there's a lot of hype around it. Everyone in their sister is throwing AI into their products, but when you look at the products, the AI isn't really doing anything that the machine language wasn't doing to begin with anyways. So it's very immature and I think you have to always be thinking.
Jess Vachon: 36:23
These people are trying to make money. They're trying to sell off these ventures so they can potentially retire at a very young age. So take everything you're hearing with a grain of salt. I do think it is going to change the way we work right now. On a personal level, I find that it's giving me efficiencies, but I still need to go and verify the work that's being done, and I heard someone else the other day allude to Iron man and said until I can get to a level where it's Jarvis for me and I can say in plain language this is what I need done. It understands and it gets it done and it's creating things for me. I don't have to check it. Ai is a fun toy, but not something I would invest my life or livelihood in at this point.
Mea Clift: 37:14
Well, I mean even Jarvis. If you think about Age of Ultron, jarvis had a vulnerability. He got you know. Another large language model got in. Ultron got in thanks to Tony and Bruce's efforts and ended up destroying Jarvis. And you know, thankfully Jarvis was able to take his intelligence and, like, put it elsewhere and then fight back. But like that's. That's the kind of thing we have to think about too, is you know, are these, are these artificial models going to start going after each other for stuff too? And then what happens? Because as much as I would love the Avengers to exist see also my Zemo and Becky Barnes behind me they don't and we won't have somebody to come in and save us from that.
Jess Vachon: 38:06
Yeah, and I don't think it's crazy for humans to think about these things. They extrapolated these stories before we even had artificial intelligence available to us. It's reasonable to assume that these are scenarios that could present themselves, albeit without the superheroes to your point present themselves, albeit without the superheroes to your point. So it's something we need to really be regulating on a federal and state level, and us, as professionals, need to be advocating extreme caution, especially when you're asking an organization to take its finances and those funds from investors and put a product forward and say I'm 100% confident this is going to work. I personally wouldn't have that little confidence. Not at this point Will it come, sure, but I think it requires a lot of testing and a lot of oversight. But thank you for your thoughts on that. You have some wicked interesting hobbies. Tell us about your hobbies and don't skip the tin whistle playing. And explain what tin whistle playing is, because I think a lot of people don't know what that is.
Mea Clift: 39:26
So, all right, I'll start with the tin whistle and then I'll get into the other unique hobbies, because the tin whistle is something I don't do too much right now I'm actually I can see three, three tin whistles in front of me right now, actually on shelves that I haven't touched for a while. But um, so Irish tin whistle is is an instrument. You hear them a lot at historical sites because they're like ten dollars and people buy them for their children. They squeak and make whistles all the time, but it's a very beautiful instrument. It's a lot of lilting Irish and Scottish tunes and English tunes.
Mea Clift: 40:01
So when I was much younger, I was actually in some maritime folk bands, so I used to sing sea shanties at historic events and renfrews and in order to do that, you know, I wanted to have an instrument that I could play and I took the tin whistle and it was very lovely and I played very well. And a friend was in a band in Washington DC known as the Dreamscapes Project. So they're no longer in existence, but you can find the recordings and if you go out and find the song Indefensible, you can hear me playing Tin Whistle on that recording.
Jess Vachon: 40:40
I love it. Now, you're also a big quilter, aren't you?
Mea Clift: 40:46
Yes, so I actually do a lot with quilting. I am a person if it hasn't come across in the last little bit in this presentation and discussion I don't do anything by halves, so I don't just take on a little bit of a thing, I kind of go all in. So about 15 years my aunt had a quilt for sale and it didn't take. So she said, hey, or it didn't, it's not that it didn't take, I couldn't afford it because I had just bought a house. And she said, hey, I have a proposition. I will put a quilt in my quilt frame and I will teach you how to quilt If you like it. You've learned how to quilt. If you don't like it, totally fine, I will finish the quilt and then you will have one of my quilts. And I was like, sounds great, I'm willing to try it. She didn't think that I would take to it. I didn't think that I would take to it and I can now safely state that I am a fifth generation hand quilter in my family at least five generations, if not more. We know of five generations that quilted in my family.
Mea Clift: 41:54
So from there, because I had a fear of needles before that, even sewing needles I then bought my first sewing machine, which was a vintage sewing machine, because I didn't want to invest much because I wasn't sure how long I would stick with it. And now I have an extensive collection of vintage and antique machines ranging from 1863 to 1970. I do not use modern sewing machines. I do computers all day. I don't want a computerized machine and I help run an organization known as Tread-A-Lawn, which is a people-powered sewing machine organization. So we use hand cranks and treadles and I demo those at the Minnesota State Fair every year and we run a convention in Minnesota every year for our local people. There's treadle-on gatherings all over the country every year.
Mea Clift: 42:43
I also then jumped into collecting feed sacks, because my aunt had used feed sacks, which there's about 20,000 different colorways and prints made between 1930 and 1965. So I have a collection of about 3,000 of those that I'm digitizing and putting online so they're searchable. And then that led me down to collecting antique quilts, and I now have an extensive collection of antique quilts and I study them and I teach on them. I'm teaching next weekend a quilt history boot camp at the Virginia Quilt Museum in Harrisonburg, virginia, about how to date quilts and fabric dating 101 with history of prints. So I now am studying to be an appraiser, to appraise quilts in my retirement. But I also do still hand quilt. I do some embroidery on my treadles as well and I kind of spend a lot of my time with fabric and needles and quilts with fabric and needles and quilts.
Jess Vachon: 43:50
I love it. So if anyone who's listening wonders, do I have what it takes to be an information security? Well, you know, my background isn't really typical. There is no typical background. We're not all like gamers on the side or bikers or pilots. We all have unique backgrounds and unique hobbies that we follow up on, and so I would encourage you if you are diverse in those ways, you're probably great for information security and compliance, because that's what we need. We need people that think in different ways and have different life experiences, so jump in the water's warm. So at this point, I want to ask you what I call an empowering question. This is a question I'm going to ask you so you're answering. You know for yourself what is the most courageous thing you've done and how did it make you feel?
Mea Clift: 44:42
In cybersecurity or in life?
Jess Vachon: 44:45
Anywhere, it's completely up to you.
Mea Clift: 44:47
Oh my goodness.
Mea Clift: 44:55
So I did not think this was courageous. Let me preface this story. A lot of people have told me since that what I did was courageous and I've started to acknowledge that perhaps, yes, it was more courageous than I thought. But I came to Minnesota from Maryland in 2016 to perform a wedding and fell in love with Minnesota. 16 to perform a wedding and fell in love with Minnesota. And I went back to Maryland thinking it was just that. I loved vacationing here, it was beautiful, it was wonderful. And so I said, well, maybe I'll go back next year and see if it's still cool, you know. And I came back the following year and it was just as wonderful. I came to visit and do the treadles thing and I hung out with my friend who I had married, and it was just an amazing place.
Mea Clift: 45:55
And I said to a friend at that time that I would think about moving in five years, thinking it's practical, I don't need to move anywhere, I'm fine where I am. You know, I've lived in Maryland my whole life, pretty much. I mean, I spent some time in Northern Virginia, but it's all just one big mid-Atlantic conglomerate, honestly. And a dear friend turned and said, why delay your joy? And I stopped for a second and I said that's a really good point. And within six months I had moved to Minnesota and I haven't looked back, except for brief moments where I'm like maybe I need to be there for something.
Mea Clift: 46:34
It is a difficult thing to uproot your life and start over, especially when you're older. You know, I didn't think that it would be difficult and honestly, in some ways it wasn't, but in some ways it's very challenging at times and you do have to acknowledge that everything changes when you do that kind of shift. You know, moving from a place where you had lived for ages and you have 300 years or 350 years of family history, where everybody knows your name, everybody knows who you are, you have community, you have the sense, but maybe you aren't happy, something in you isn't quite right. Maybe you aren't happy, something in you isn't quite right To go to a place where that puzzle piece fits. But you have to rebuild and you have to learn all new nuances. I mean, midwest nice is a thing and friendships here are very different than friendships on the East Coast. You have to learn different grocery stores, you have to learn different nuances and you have to meet new people and have new experiences and it can be daunting at times.
Mea Clift: 48:03
It's also challenging to get you know everything moving, get everything moved, get the house sold, get the dogs in the car, get those driven across the country, driving 15 hours through places you never anticipated. And then also accepting that there are going to be things that you miss from your old place, and that's okay, or you're going to miss out on things. The reason sometimes I think about being back east and missing back east is because I miss some of the opportunities with my family. My sister has two little boys, so I only get to see them once in a while. And you know, in December I lost my dad and I had to make an emergency flight two days after Christmas out there, and that was something that I had planned for, that I had money set aside to be ready for, but you're never ready for it. But you also have to acknowledge that you're not always going to be there for all of those things. You're not always going to be there for all of those holidays. You may not be there for all of those moments, but in the long run sometimes that's what you need to grow and blossom and become the person that you've been meant to be for ages and that's how I feel.
Mea Clift: 49:24
So people ask me would I ever relocate? And you know it used to say never. But I've learned a long time ago to never say never because, at least in my life, the universe takes that as challenge accepted. So I tend to say it would take a lot of things happening in order for that to happen. But there have been moments that I've been like, well, maybe I could think about it. But honestly, I can fly back pretty cheaply. I do it. I've done it three times this year. I'm about to do it a fourth time. Um, and it allows me the peace within my heart that I've always needed. So I think to me at the time I was just like this seems like the right thing to do. I'm just going to do it with and I jump in with both feet Again, I don't do things by halves but looking back, it did take a lot of courage to be able to stand up and say I'm not comfortable where I am and I need to go elsewhere and find that comfort.
Jess Vachon: 50:26
Well, thank you for sharing that and that was very personal, but that's great and I think people will enjoy hearing that aspect of your life and I would agree it was courageous. Thank you for joining me, Mea. Listeners. If you enjoyed this podcast, please let us know, subscribe and rate the show on your favorite podcast app, and then visit the Vigilant Violet website and subscribe to our newsletter. Until next time, bye! Bye.
