By Karly Tarsia
Wed | Sep 7, 2022 | 12:16 PM PDT

In the SecureWorld Spotlight Series, we learn about the speakers and Advisory Council members who make our events a success. In Q&A format, they share their professional journeys, unique experiences, and hopes for the future of cybersecurity—along with some personal anecdotes.

Gary S. Chan helps organizations innovate, stay secure, and meet compliance using information security as the vehicle. He has architected anti-fraud systems for state agencies, led the information security teams for a large-cap technology company, leads the information security department for a large multi-state healthcare system, owns an information security consulting company, and is an evaluator and mentor for cybersecurity start-ups.

He served as President of the FBI St. Louis Citizens Academy Alumni Association and is on the board of the Greater St. Louis Area Association of Certified Fraud Examiners. An adaptable individual with international experience, Gary has been based out of Asia, Europe, and the U.S. and has a refined ability to resolve conflict through negotiations and mediations. He holds four security certifications and a degree in Electrical Engineering & Computer Science from MIT.

Get to know Gary Chan

Q: Why did you decide to pursue cybersecurity as a career path?
A: I like breaking things. Where else do you get paid to break things?

Q: What encouraged you to join your current organization (employer)?
A: My wife is a physician. When she and her colleagues get together, everything they talk about is medical related. Since every industry needs security, I thought I'd work in healthcare so that I would have a little more context at my wife's business events. While my security work certainly hasn't earned me a medical degree, my experiences have allowed me to tell stories in settings (e.g., hospitals) that they can relate to.

Q: What do you wish more people knew about your organization?
A: We are much more technologically advanced than what people assume. We use the latest and best security products in the market. People who work on my team learn extremely useful skills and are on the cutting edge of technology. Hackers want to steal patient data because patient data is amongst the most lucrative data sets. Thus, we invest in our technology and our people to protect our patients, employees, and organization.

Q: How would you describe your feelings about cybersecurity in one word?
A: Fun

Q: What has been your most memorable moment thus far working in cybersecurity?
A: When most non-security people think of investigations, they think of a detective finding who dunnit. Some of the most memorable experiences I have had were when we've done the opposite: We've used cybersecurity tools and techniques to prove the innocence of people who were accused by colleagues of bad behavior. Without us to prove the negative, innocent people might have been punished.

Q: If you had to choose, what's the one cybersecurity practice people can adopt that would have the greatest impact?
A: Use two-factor authentication with an authenticator app (not SMS and not email). It's a lot harder to hack accounts with 2FA turned on, and it's even harder when that second factor uses an authenticator app versus text or email.

Q: What is an industry-wide change you would like to see happen in 2023?
A: Greater self-awareness when it comes to phishing. If you think you are too smart to be phished, you might be the one being phished. Given that double-digit percentages of people click on phishing emails and almost every single person says that they would never click on a phishing email, there are clearly some very overconfident people.

Q: If you could pass or change one regulation/law in cybersecurity and data protection, what would it be and why?
A: Protection of security researchers. There are Good Samaritan security researchers who notify vendors and organizations of vulnerabilities that they find. Instead of receiving an award or just a thank you letter, the researchers are slapped with cease-and-desist letters. The researchers are trying to help, and they should be rewarded and protected, not threatened with legal action.

Q: What is the best aspect of SecureWorld?
A: Connecting with security experts. It's always fun catching up with people I haven't seen in a long time, as well as meeting people who are new to the field.

Q: What is your favorite hobby outside of your 9 to 5?
A: I love performing mentalism. Because of my security background, I've built a security-themed show that melds security concepts with mentalism. For example, one of my routines is to perform a truth-or-lie interrogation of a willing audience member to showcase the effectiveness of different interrogation techniques. Audiences rave about the mystery and fun of my show.