Cybersecurity can be an intimidating field, full of jargon and lacking in diversity. Tazin Khan Norelius doesn’t fit the mold — and she wants to help break it for others.
Tazin founded the online community Cyber Collective in 2019 and uses videos, podcasts, and social media to carve out a welcoming space to merge the complex topics of cybersecurity with everyday people. As a Muslim Bangladeshi-American, she faced racial bias and immigrant-American discrimination, which has become fuel for her efforts.
“I wanted to meet people where they were,” Tazin told The Record in a recent interview. “My people were on social media platforms, and I wanted my people — immigrants, Bengalis, Muslims— to understand that they are constantly under surveillance in communities.”
Tazin discussed the ethical issues of complex jargon, as well as the humanizing approach of understanding in order to protect those who are most vulnerable. The conversation below has been edited for space and clarity.
The Record: Can you give some background on who you are and how you came into this field?
Tazin Khan Norelius: I wouldn’t be here without a fabulous, badass woman who came into a Michael Kors store I was working at in nowhere Leesburg, Virginia back in 2010. She was wearing all black. I’ll never forget — cream and black leggings with thigh-high boots. She had her man just walking behind her, carrying her bags. I was like, “Who are you and what do you do?” I found out she was in cybersecurity.
I emailed her every month for four months until she hired me. I was in my last semester at school and I got an offer letter. I still needed to keep my other job, and I did. I only had 18 credits left, but I dropped out of school and started doing security sales for a government contracting firm. That is how I got into the security industry. Actually, I ended up finishing my degree in the spring of 2021.
TR: I would assume that most younger people wouldn’t go to Instagram to learn about cybersecurity. What is your goal or purpose of using this platform in the way you do?
TAZIN: One of the things that I’ve learned is that no one’s going to go to a blog. In the news, they’re telling you information, but they’re not really teaching you what to do about it. They’re giving you headlines that this breach happened or this other thing happened. I didn’t start doing social media stuff until 2018 because of how elitist the cybersecurity industry was and how I knew I would be judged if I did that.
But over time, I realized people are genuinely interested. Many said, “I don’t understand this, but can you tell me more?” Everyone was so curious, but the information wasn’t reaching them. If you speak to anybody above the age of 35 they get a distaste in their mouth when hearing the word ‘influencer’ because of whatever biases. I wanted to meet people where they were. My people were on social media platforms, and I wanted my people — immigrants, Bengalis, Muslims— to understand that they are constantly under surveillance in communities. I wanted them to understand the data aggregation system and the entire data ecosystem, aggregation, and distribution. And I wanted them to understand how to protect themselves on the internet because they’re the ones who are impacted. Doing it on social media was the way.
TR: Did you have difficulty transcending this desire to change the industry into something tangible that you could put out there?
TAZIN: No, I always knew how to do it, there was just so much judgment. There are so many incredible academics, scholars, professionals, and I want to help these professionals know that having everyone talk about this isn’t going to take away from their expertise. I can understand and appreciate that to do research and to be an expert takes so much time, hard work, and effort. But I think that these conversations belong to everybody and anyone that uses the internet. Anyone who is interacting with anything digital has a right to know and understand it.
I remember, at one company specifically, I put together this security training. I audited the program that they already had which didn’t make the topics tangible for the people that were listening and who needed to understand. The group of people that were potentially impacted were black and brown women. They were working at the insurance company and, for a lot of them, English was their second language. So you’re using technical jargon to explain to these people something that is going to impact their livelihood. How can you fire them if they click on the wrong thing, but you’re not even making the effort to explain it in a way that they can understand? Where’s the connection? So, I did an entire presentation where I shared and translated what phishing was, then I decided to build something which was how Cyber Collective came about.
TR: There’s obviously this issue with consumer trust that is rooted in an inability to understand the language. What should the top priority be for companies to rebuild and regain consumer trust?
TAZIN: I think that’s hard to answer in a blanket statement because the biggest thing about trust is that it’s personal. I have to pull this quote out from C. Wright Mills because I read it in a book called Digital Sociologies co-written by Karen Gregory. “We find that the promise of sociology lies within the discipline’s ability to cultivate the quality of mind that is capable of critically reflecting on the relationship between our personal, subjective lives and larger social realities, as well as clearly articulating those findings beyond the walls of academics.” I think that’s what goes back to building trust in this industry for government and industry experts and vendors. Are you building trust to get people to trust your product, or are you building trust to get people to understand the larger social realities as they exist now? That is the difference.
Your trust has to be in small communal environments. Each vendor has to build their trust in their own way. And I think we’ve got to start small to expand and use the help of people outside of our industry to rebuild. That is my biggest concern.
TR: Is it difficult to get younger audiences (who are primarily using social media platforms) concerned or interested in learning about security and privacy?
TAZIN: No, I think that people really care and they want to know, but the way that the industry appears does not seem inviting. When it comes to privacy, as an industry, and as we know it right now, it is related to regulation. Privacy is related to compliance and the way that data can spread is handled at the organizational and government level, that is the way that privacy exists. But then because of the way that the public understands privacy, it goes into, well, “I don’t have anything to hide, so I don’t care about privacy.” But if they were told and if we explained to them that it’s not about privacy, it’s about data protection, then they care. So it goes back to translating the words that we use in a way that people can grasp.
They do care about security because they don’t want to get hacked. But what about the way that we were discussing security? There’s a lot of, “Don’t do this, don’t do that.” What happens when you tell people don’t do something? They’re going to do it anyway, right?
A lot of the people that I’m reaching care about racial justice, equity, and injustice. Everyone seems to be fighting for something right now. If you aren’t aligned with people through compassion and empathy, they’re not going to care. I could go to my family and say, “don’t use public Wi-Fi,” but they’re not going to listen. If I say it differently: “Hey, we’re Muslim and there is a lot of potential for surveillance after the Patriot Act, and being mindful of how we use the internet is very important to protect us,” that lands.
TR: Do you think that convenience can coexist with security? This seems to be more relevant than ever, considering we are so accustomed to convenience.
TAZIN: I think it has to. I think that we have no choice because convenience technology is the way of the world right now, everything that we’re doing is based on finding convenience. That’s what’s being advertised to us. This is why we’re on social media because it’s convenient for people to talk about this information on these platforms. I think it can coexist. I think that we have to find the avenues to educate people and break through whatever convenient traps they’re in because it goes back to consent, but they don’t always know what they’re exchanging for the convenience. And once they are aware, it doesn’t mean that they’re not going to make that exchange, but at least they have agency in the exchange.
And, I just want to say, I don’t consider myself an expert in anything. I honestly hate that word. I’m not an expert. I’m a translator. I am somebody that is a professional learner, and I don’t ever want to be an expert in anything because I feel like it’s an infinite experience. It’s not easy to be a translator, right? It is hard to try to translate this type of information. It is about being real in terms of asking yourself, “Is this guy or gal the best choice to teach people something?” Just because you are an expert doesn’t mean you’re a teacher. I think that’s a really, really big difference.
The Metropolitan Opera confirmed that it is dealing with a crippling cyberattack that has shut…
South Korean authorities issued an interagency advisory Thursday warning companies about hiring North Korean IT…
Apple announced several new security features designed to better protect users from an array of…
Hackers allegedly connected to the Iranian government have been accused of targeting diamond companies in…
Internet Explorer users in South Korea were targeted by a group of North Korean government…