SESSION TITLE: BCP LIVE on Rendezvous Yacht II
RECORDED: 9/26/24
VENUE: Rendezvous Yacht – https://www.cityexperiences.com/philadelphia/city-cruises/our-fleet/fleet-rendezvous/
LOCATION: Philadelphia, PA
GUESTS: Damian Oravez, CISO of City of Philadelphia | Jessica Hoffman, DCISO of City of Philadelphia
SPONSOR: Philly Tech Council

ABOUT GUESTS
Damian Oravez is the Chief Information Security Officer (CISO) for the city of Philadelphia. With a focused career in cybersecurity, Damian previously served as the CISO for the Philadelphia International Airport for five years, where he honed his skills in monitoring and securing a vast array of technological systems in both the public sector and critical infrastructure.

Jessica Hoffman plays a pivotal role in Philadelphia’s cybersecurity landscape, working side by side with Damian Oravez. With experience in both private and public sectors, Jessica brings a comprehensive understanding of cybersecurity and is keenly focused on safeguarding the digital environments of citizens and the workforce. Her expertise encompasses both tactical implementation and strategic oversight, demonstrating her dedication to making a difference in her community.

KEY TAKEAWAYS
  • The broad scale of city-level cybersecurity necessitates efficient, automated asset inventory management.
  • The public sector is distinctly impacted by regulatory entities, and cybersecurity officers play a crucial role in maintaining not only digital safety but also public trust.
  • Engaging with city departments on cybersecurity imperatives fosters greater buy-in and alignment with defensive measures.
  • The team stresses balancing innovation with caution, especially in the realm of emerging technologies like AI, to maintain operational security.
  • There is inherent cultural importance in municipal service roles, reflecting a deeper connection to meaningful cybersecurity contributions.

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: Welcome to Barcode Yacht Edition.

Damian: Thank you for having us.

Jessica: Don’t be walking by. Come on back now. Come on back.

Chris: So, first off, I want to shout out to Keith McMenamin, Philly Tech Council, and the generous sponsors that made this night possible. So I am joined by Damian Oravez.

Damian: Thanks for having me.

Chris: And Jessica Hoffman. Thank you for joining us. And I’ll let you guys introduce yourself real quick.

Damian: Sure. Damian Oravez. I’m the chief information security officer for the great city of Philadelphia. I’ve been with the city proper for a little over a year, and prior to this, I was the chief information security officer for the Philadelphia International Airport for about five years.

Chris: Nice. I think that’s where we first met.

Damian: Absolutely.

Chris: Way back in the day.

Damian: Yeah.

Chris: And, Jessica, how about yourself?

Jessica: What’s up? Jess Hoffman. I do what Damian doesn’t want to do for the city. It’s our first podcast together. Yes. Great city of Philadelphia. Safeguarding, you know, all our citizens and workforce and making a difference every day, even if they don’t see it. That’s what we doing.

Chris: So I guess my first question for you guys is, you know, as security leaders for the city of Philadelphia, I’m curious to hear about the blind spots that you encounter that other organizations may not encounter working for the city, you know, and how you respond to them.

Damian: Yeah. So, you know, visibility is everything. Knowing your assets is everything. Accurate asset inventory is everything. So with an organization as big as the city of Philadelphia, thousands of systems, hundreds if not thousands of externally exposed websites, systems, tens of thousands of employees, keeping track of all of that from a cybersecurity perspective is a challenge. What we try to do is use automated tools as much as possible to keep track of those assets.

Chris: Okay. And so, for the city, what entities are in your purview?

Damian: Pretty much everything you can think of. We probably have 40 to 50 departments. So think about the life safety areas, public safety, 911, fire, EMS, all the way through water, so critical infrastructure, the airport revenue, just to name a few of the 40 or 50 departments that are kind of under our security umbrella.

Chris: And Jessica, from your perspective, what do you feel is a differentiator working for the city versus other industries?

Jessica: Well, having worked in private and public sectors, I most certainly see a difference. I think the largest difference is, he put me on the spot. I’m thinking about what I can’t say. There’s a lot I can’t say right now.

Chris: Full disclosure.

Jessica: Yeah. Full disclosure is no disclosure.

Chris: There’s no disclosure.

Jessica: Exactly. Yeah. No, we. A lot of companies have to work more with less. I don’t think that’s necessarily indicative of just public sector. But I do feel that we are held to a higher standard because we have unions, for instance. We are governed by elected officials. And especially when there’s changes in administration, it’s just different. And I’ve worked for the federal government as well, so I’ve seen it on multiple, multiple levels. And you know what? It’s a testament. I keep coming back, it mustn’t be that bad.

Jessica: But it is definitely different working from public and private. But I would just say personally, and I think that that’s the reason that we do the work that we do, is because we genuinely care. This isn’t a job that you can tell when people are just working at the city just to get a check, and you can tell when people are there because they want to legitimately make a difference in their community and be part of the change.

Jessica: And I will say, you know, we are in exciting times, I think, right now with the new administration. Safest, greenest, cleanest major city with economic opportunities for everyone. I mean, that’s pretty exciting. It’s pretty exciting. So I do feel that we’re, as a public servant, we are governed a little bit differently when it comes to expectations. Setting the bar and really the outcome of what we do has impacts to millions of people.

Jessica: Millions.

Chris: And you guys govern multiple entities. So who governs you?

Jessica: Don’t ask us those things.

Chris: Don’t ask?

Jessica: Nah, I’m just playing. I don’t know.

Chris: No, I was just curious. I mean, you know, we deal with.

Damian: A lot of what the private sector.

Chris: Does, so higher government entities.

Damian: Yeah. Regulations. So we deal. We deal regularly with health information. So protected health information, HIPAA type data, IRS data. So it kind of starts with regulations and the regular audits that we go through.

Chris: Yeah. You’re susceptible to those across the.

Jessica: Oh, yeah, it’s pretty standard, you know, any kind of regulatory data, but just in general, I mean, we have a. We have a requirement, we have a duty to safeguard our, not just our workforce, the city of Philadelphia workforce, but our citizens. So, you know, when you talk about critical infrastructure, critical services, to some degree, every single service that we provide is critical to somebody. So, you know, that’s another difference there. You know, as far as, yes, other companies are critical in what they provide their services, but we’re like, actually, to some level, this is like life or death. Right. Our health centers, you know, making sure that they’re equipped with the equipment that they need to be able to provide their services.

Jessica: And when we talk about it, you know, continuity of business, and there’s just so many levels to it where it’s directly impacting the quality of life. And I think that’s really. If we want to quantify it, it’s the fact that we have that ability to really make sure that those things are happening to the. To the citizens of Philadelphia.

Chris: Yeah. And when you think of conventional critical infrastructure, like utilities and transportation systems, you know, how does that shape your security priority levels?

Damian: Yeah, we start with the priorities of the city as a whole, which, in turn, it really is the priority of our residents. So all the. All those critical services that we provide to the city. Street cleaning, waste removal, 911, water systems, transportation, the airport. So we start with, what are the critical systems, and how do we ensure the confidentiality of those systems, the availability and resilience of them? Because that’s really what the residents are counting on us to do.

Chris: So what role does collaboration play in your strategy, both internally and across other city departments? Are you pretty much siloed as an entity?

Damian: No. If we were siloed, we would never be able to get our job even remotely.

Jessica: We’re breaking down those silos. That’s what we’re doing.

Damian: I love the saying that culture eats strategy for breakfast. So what I’ve found in my tenure here is that we get the most done when we’re out and about at the departments, sitting down with department executives, talking about security challenges and trying to get buy-in for our strategy. Jess has been an absolute rock star with that. There’s nothing that Jess would rather do, but that’s how you get things done. So there’s 30,000 employees here at the city, 50 departments.

Damian: We just hit the ground and we visit them and talk security with them. Jess and the team have put a security roadshow program together.

Jessica: It’s been a lot of fun.

Damian: We are out and about at the departments, at their locations, meeting them where they’re at on a weekly basis. And that’s how we’re getting buy-in for the security initiatives that we’re trying to roll out.

Jessica: Yeah, just meeting people where they are, you know, I think that at some point, if people keep clicking and people can, you know, the things keep happening, and we have these trainings we do. Like, maybe there’s something we’re not doing and I think that a combination of awareness and meeting them where they are, as well as tools. Right. We gotta have the right tools in place for preventative measures and detection.

Jessica: But that combination. Cause let’s be honest, people gonna be people. They. People in, right? They gonna keep clicking.

Chris: Natural instincts.

Jessica: Yeah, it is. It really is. And it’s just so advanced, you know, with AI out here. I mean, we were just talking about from a hiring, I’m sure you read the article where the guy, you know, fooled KnowBe4, right? You know, we see an uptick in applications like a surge, and something’s not right here. Something’s not right. So, you know, we just really gotta be head on a swivel, man. And us as security professionals, we’re like, oh, yeah, we see that.

Jessica: We know what’s up. But then you gotta think about somebody who isn’t a cyber professional. They’re just trying to get to work and do their work so they can go home and feed their family, too. You know what I mean? So that’s another difference with the city, too. I mean, we’re all working to work, but, like, we really, we employ a lot of people who are there. That’s how they grew up. Their parents, their family was city employees. That’s their culture.

Jessica: And they’re just, you know, they’re just really trying to feed their families and do the right thing.

Chris: Damn, you had to say AI because I was trying to get through this entire night without hearing that.

Damian: I was hoping we would get through without.

Chris: With the rapid rise of AI. How do you balance innovation with security in a public sector environment?

Jessica: We have to be innovative, and that’s something Damian and I both definitely agree. And we have a lot of colleagues and even our CIO, we’re on that page. Like, yes, the city, we, city in the government, be government. And like, we have some stigmas that are absolutely true from a government perspective. But then we also, you know, we also have the capability and ability to make a change. And so I think that we have a really good team in place.

Jessica: As far as AI. Yes, there are services out there that will absolutely help us with efficiencies, especially with reduced workforce members, you know, all those things. But obviously, as security personnel, I’m gonna tell you right now, we gotta be careful with the security, right? And that’s where, you know, it’s, oh, the next shiny thing. I want a chatbot. I want this, I want personal assistant. You know, let me make my deep fake so I can not have to get up in the morning, get on Zoom. Okay, well, hold on there.

Jessica: What actually is going on in the background? You know, it’s those kinds of conversations. But I think as a city, though, like, we’re. We want to get there. We’re going to get there, but we are also going to get there in the most safe and compliant way possible so that we’re not putting ourselves into a situation that we get on the Philly Inquirer. You know what I’m saying?

Chris: Yeah.

Damian: We’re going to take a measured approach. Are we going to have a public facing chatbot next month? Probably not, but we do want to be forward thinking and we do want to use the tech where it’s appropriate.

Jessica: So I’m excited, though. You know, we. I really, I like Damian. He’s cool. I’m not just saying that because he’s next to me, but he is cool. Like, he comes in with his, like, super smart, like, tech tool. Let’s do this. Let’s implement this. And I’m. I’m like, well, let’s talk about the compliance piece or let’s set some standards or, like, let’s, you know, let’s talk about this a little more. Let’s share the good news. Like, so we make a pretty good team. And I think that does show because, Melissa, you know, people even say that it’s cool, like, having that balance, but I think that from AI, I am excited about that. Like, we could be making some serious moves in the next few years, you know what I mean? But like I said, at the same time, like, sometimes it’s okay to have paper processes, sometimes it’s okay to have old tech. You know what I mean? Like, I ain’t gonna say nothing, but you know what I mean?

Chris: Yeah. I think a lot of companies focus on AI because it’s AI.

Damian: Yeah. You know, and there’s been, the term AI has been in marketing and sales for years and years in our industry. I think generative AI, I think, is a different. Back in the day, it was more machine learning, and I think generative AI is certainly a whole other animal, but.

Jessica: Yeah, good point. Good point. Google have been using that shit for years. If you don’t know, you don’t know. I mean, I guess that’s good, right? That’s the point. AI is going on in the background. You don’t even know. So that’s kind of what we would be wanting to do. But I was just at a conference in Denver, the Denver AI Summit, which was actually really, really dope. Dere mayor out there. Oh, Mayor Mike, I’ll deficiency in later.

Chris: Saying his name so he doesn’t get offended.

Jessica: Okay, good. Wait, he’s here? What’s up, Mayor Mike? No, he was great, man. Like, as far as like, a city being innovative, like, they’re there, you know, and, you know, Denver is like, I love Denver. Like, Denver’s amazing, period. But, you know, they’re big on the startups, the tech community they were talking about, they just opened up a quantum computing park or whatever. So, like, you know. Yeah, it is interesting. So, like, it was a, it was a really great conference. And I think the best thing was because it was geared towards government related AI resources and some startups that were specific to how AI can be used in a safe and productive way to really support or enhance, I should say, to enhance our existing government or.

Jessica: Yeah, I guess government processes and services that we provide to our constituents.

Chris: One more question for you guys, because this is last call and I think we’re getting ready to pull.

Jessica: Can I get a wine? Wait, last call? For real?

Chris: Last call? So you guys have time for one more?

Jessica: Yeah.

Chris: All right. If you opened a cybersecurity themed bar, what would the name be and what would your signature drink be called?

Jessica: Gotcha. That’s the name of the bar.

Chris: That’s the name of the bar.

Jessica: That’s the name of the bar. Gotcha. And in the summer months, I would have a sparkling vodka type White Claw with a little extra spritzer in there, some lemon and lime, depending on the day, some fruits. And in the wintertime, we are getting hard and dirty with some bread breasts. Woodford, Angel’s Envy. And a couple cigars. I know that’s upstairs. Did you save me one? I see y’all, I’m seasonal, dear. All right.

Chris: I like that.

Jessica: I got layers.

Damian: I would call it external vulnerabilities. Okay. Cause that is the bane of our existence right now.

Chris: And that’s who walks in the door.

Damian: Exactly.

Chris: Okay.

Damian: That’s all I got.

Chris: I love it. Well, thank you both for joining me. Enjoy the rest of this beautiful night and thanks for everyone coming out and supporting.

Jessica: Thank you, guys.
