Episode Transcript
[00:00:00] Knowing that is that next step of: yes, I have an asset list, but what is each asset? What is the risk, what is its function and what is its priority? If I could only do one, which should I do?
[00:00:13] You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
[00:00:25] Get ready for essential strategies and insights.
[00:00:29] Here's your host, Aaron Crow.
[00:00:32] Thank you for joining me for another episode of Protect It All. This is a special episode. It's the 52nd episode. I do these once a week. It's been a little bit over a year. There were a couple of weeks in there that we missed due to conferences and business and travel schedules, etc. But 52 episodes, experts from all around the world, some really awesome, amazing stories and lessons that were powerful for me. Hopefully they were powerful for you guys as well. This is the one year anniversary of the Protect It All podcast, roughly, and I just want to thank everybody. If you've been with us since the beginning, thank you for that. If this is your first episode, no worries, you're right on time. I appreciate you being here as well. I just want to thank the listeners. Y'all have helped this grow bigger than just me talking to a screen and some experts around the world, really focusing on building a community of learners and protectors and people that, frankly, give a damn about cybersecurity and protecting whatever their thing is, whether it's power, utility or whatever critical infrastructure, or enterprise. It doesn't matter. We're all defenders of the things that we focus on. Right.
[00:01:58] You know, I want to thank the guests, the people that have come on my podcast and shared their journey, their experiences, their lessons learned, their struggles and their wins.
[00:02:11] And we've had folks from, obviously, here in the continental United States, and as far away as Iraq, South Africa, New Zealand. We've had listeners from around the world as well. We've had global voices sharing unique stories and perspectives, and the fun thing about that is that we hear those stories and they're so similar. There are differences for sure in the UK and the Middle East, et cetera, but so many of the OT problems and cyber problems in general are not that vastly different. We're all facing the same hurdles in these spaces. We've talked about real and raw and urgent issues that we see in our organizations and in our use cases, and implementing, and shortcomings in products, and vulnerabilities, etc.
[00:03:04] Some of the topics that kind of move the needle: we've talked about everything from AI and cloud to people, process and technology. We've deep dived into topics that people love, or love and hate, like IT/OT convergence, which is like a curse word sometimes, all the way down to enterprise risk, and even smaller entity defense, wastewater and small business and things like that. Right. Not everybody has a huge cybersecurity team. Many times they have folks that wear multiple hats, and I may be the cyber person and the electrician, or the cyber person and the desktop guy, any number of things. But not everybody has a dedicated cybersecurity role in these spaces.
[00:03:54] We've talked high level strategy, we've talked deep technical conversations.
[00:04:00] My entire intent is to leave nothing off the table if it's cyber related or adjacent, from leadership to recruiting, people, process and technology, all these things. The whole intention is to bring value to us. Even as a technologist, even as a cybersecurity person, I still have to do presentations; leadership matters. I'm going to have personnel and staff and work and consultants and business people. And, I've said this many times, one of my mentors along the way said something that really stuck with me, and it was: all business is a people business.
[00:04:41] It doesn't matter if you're the CEO or the janitor, you have to interact and deal and work with people, and through people you get your success. And the other thing that one of my buddies says a lot, and I stole it from him and say it a lot as well, is: we do business at the speed of trust. And for me, what that means is the more that we are able to connect with the person sitting across from us, even if we disagree, we can be having an argument or disagreement about the way that we're going to implement something, or the need for a certain technology, or I want to use vendor A over vendor B, or I don't think we should spend this money at all on this, I'd rather do XYZ. Right? The whole reason that we can get things done, and the way that we get it done faster, is to build that trust and that relationship. It's one of the reasons why we do the Lone Star Shootout. Right. And having a different event that is not focused on socks and B and, you know, coffee, bourbon and cigars only. It's more around building those trusted relationships as a vendor, as an asset owner. Those things are value add. When the person calls you and it's just a sales guy that you don't have any connection with, and you just know that they want to try to sell you something, you're less likely to answer. But if you've spent all day playing golf or shooting or having lunch or whatever that thing is, and you've built a relationship, it doesn't mean you're best friends, doesn't mean you necessarily want to go ride a motorcycle with the person.
[00:06:21] But it's more than just surface level, transactional, I guess is even a better way to say it, transactional relationships. And when we build that integrity and have those deeper conversations at deeper levels, we can move faster. We're able to move forward because you've built that trust, and you're more willing to take risk and actions based on those relationships.
[00:06:49] We even talked through recruiting and how do I get into cyber? I go to a lot of conferences, and obviously people listen to the podcast, and I'll see folks, guys and gals, some still in college, interns, trying to break into cybersecurity, even folks mid-career that are doing a career change. So having conversations and insights from recruiters and leaders and learners, and hearing people's journeys around how they got into cybersecurity, how they got into OT or IT or cloud or AI or whatever the thing is that they do, and found their niche.
[00:07:29] We've had some really cool conversations about emerging technologies, from AI powered tabletop exercises like ThreatGEN's AutoTableTop, using those to pressure test your team and using it as more than just a checkbox, which many folks use a tabletop for, all the way down to one of the keys, or touch points, or sweet spots, especially in OT: asset visibility. Training and process risk is part of that. But really, just the power of asking the right questions. It's not about just having an asset list, having a list of how many PLCs I have. One of the analogies I like to say is I can have two PLCs that could be the exact same vendor, firmware, all the things. One is controlling a turbine and the other is controlling the ice machine in the break room. They have the same vulnerabilities. They have the same risk of that vulnerability, but not the same risk to the business. The ice machine may upset people because they want to make ice or they want to have ice in their drinks, but it's not going to bring the business down. So the business risk of those two things is different. So knowing that is that next step of: yes, I have an asset list, but what is each asset? What is the risk, what is its function, and what is its priority? If I could only do one, which should I do? And if the other goes down, how do I isolate it? If I'm not going to mitigate or whatever, how do I isolate that so that the ice machine doesn't actually bring down the turbine? Every episode, my intent is to bring real value, because that's the mission, right? I enjoy these conversations. I don't prep for them, in that I don't give a list of questions that I'm going to ask. I don't want the guests to give me questions to ask them. My intention, and I tell everybody that comes on my intention, is to feel like we're sitting down having a coffee, a beer, a meal, and you're explaining. We're talking candidly about cybersecurity. We're talking about your journey. We're talking about lessons learned. We're talking about how you got in, what went well, funny stories, normal conversations, because that's what I want to hear. And those are the types of podcasts that I listen to. That's the way that I learn well, and hopefully those things work with you guys as well.
[00:09:49] We've had some standout moments: truths from CISOs, and tough questions that need to be asked, and guests who came in and shared, vulnerable, passionate, about things that they're doing, from volunteering at nonprofit organizations to how they're retrofitting their environments, and so many amazing, fun stories that have come out from people's experiences. And all these folks that I've had the pleasure of talking with have been passionate about what they do. I've never had a single person on this podcast as a guest that is not extremely pumped about the things that they're doing and the value that they see, and their desire and drive to do more, and not from a perspective of just capitalism and selling and conquering, more so in that they see value, like a suit that you're putting on, like a uniform. We are the defenders of these spaces. So with that, some of the lessons learned for me, personal takeaways: consistency isn't easy. There were a few weeks where we missed a couple of episodes, again due to scheduling and travel, and guests couldn't make it. It's not easy to schedule something like this. Everybody's busy. All of these things happen in our downtime. This is not my job. I don't get paid for this, right? I do this in addition to having a full time job and not allowing this to get in the way. The same thing with the guests that come on: I'm not paying them. They're not paying to be here. They're doing this because they want to, they see the value in getting the message out and having that personal brand, and getting those cyber lessons learned and passing that on to that next cyber defender.
Some of the best conversations came because, and when, we don't try to be perfect. I always talk to the guests about just taking a breath. This is going to be easy. It is edited if we need to cut something out, if your dog walks in the room or your wife comes in or your phone rings, and all of those things have happened. There have been some funny stories around some of those. It's okay, that happens in life, and you're still able to get that raw result when we're just having conversations.
[00:12:23] I've learned so much from having these conversations, from having these subject matter experts come on and share, like we can all learn. It's like a lesson, like a college course lesson, in all of these perspectives. We've got people from all the different critical infrastructures from around the world sharing stories, all this stuff. And again, they're not doing it to push their product. They're not doing it to push themselves, necessarily, beyond that. The primary value is to uplift the community.
[00:12:57] From an industry insights perspective, for me, I still see us as way too siloed. As much as I've been an OT person much of my career, and I see the value in OT and IT being segmented,
[00:13:14] we're still all one team. So even if we do have IT and OT and cloud and identity and all the things, we're still wearing the same uniform. We're on the same team. We're not on opposing teams going against each other. And that's the value that I think we need to continue, and the growth that we need in the industry, is to remember that. And how can the IT team learn from the OT team? How can the OT team engage the IT team without giving up the keys, without releasing control, but getting the value out of their experience, their knowledge, their capabilities and their teams? Usually, in all the places I go, the IT team is vastly larger than the OT team. They also usually are more focused on a particular thing, firewalls, networking, etc., whereas the OT team is usually more general. So they have to cover more things. They have to kind of do it all, jack of all trades type. So leaning on those IT teams or technologies, their T's and C's with their vendors and their support contracts and pricing and all that kind of stuff, is beneficial, instead of just necessarily going directly to a separate vendor. Having a different switch vendor like that just doesn't make sense.
[00:14:33] Cybersecurity isn't just about tools. I can't harp on this enough. It's easy to go to Black Hat and RSA and see all the latest tech and all the widgets and the hardware and the software, et cetera, et cetera. But it's not just about product, it's not just about technology. It's not just about blinky lights. As much as I love blinky lights, anybody that knows me knows I love the hands on demonstrations. That's why we built an OT box, that's why we take it to conferences and are part of ICS Village and all this stuff. Because people learn visually, I do at least, and react to those blinky lights, but it's way beyond that. It's about those people understanding the why. If I can't translate or explain that why and have them take that baton into their daily job, and they're just checking a box, then you're going to struggle, and that's with everything. It's not a cyber-unique problem. People in their drive and desire: the more you can make that person a raving fan and driver of OT and cybersecurity and IT and cloud and all the things, the more likely they give more and put more thought and energy into it.
[00:15:50] And the job is not just about defense anymore. Right. It's resilience, it's leadership, it's education. You can't just be a firewall guy. Eventually you're going to need to do more. You're going to have to interact. You're going to have to sell your idea, even to your leadership. Everybody is sales. Even if you're the entry level SOC analyst, you've got to pitch your idea, or the problem that you see, or the issues that are there, to your team, to your leadership, to get an improvement, remediation, whatever that may be. Right.
[00:16:28] So what's coming next? Where do we go from here? More of the same. Right. I continue to want to do more solo episodes, hard truths, real stories, talk with more folks around the world. I love the fact that we've been able to hear perspectives from different environments, from different organizations from around the world. Different perspectives in the UK versus the Middle East, and Kiwis in New Zealand, and East Texas. Right. And everything in between.
[00:17:05] Looking to do more panel episodes with multiple people, round table, tabletop exercises, live events, the Lone Star Cyber Shootout, having folks come out to those things and value add on those. Doing one during Black Hat, August 8th.
[00:17:24] Details will be released on that very soon. And then more around the physical and cyber. That Lone Star Shootout is really around that. Right. Bridging the gap between physical and digital. You can't just put in a firewall and then leave your front door open.
[00:17:41] They can just bypass the firewall and plug straight into your network. There is that thing of: we need physical protection, we need cyber protection, and all those things. The concepts are the same, the implementations and tools are a little different. Obviously the teams and the skill sets are different, but they're still using the same models and the same ideals. Right. Defense in depth works in physical. It's also the same thing that we do on the digital and cyber side. A lot of these concepts are similar, just like in IT and OT, the concepts are similar. Implementation may be a little different. Training may be a little different. Remediation may be a little different. I'm going to remediate differently if somebody jumps a fence at a nuclear power plant than if it's at a manufacturing facility. Right. At a nuclear power plant, there's going to be a pretty stiff response plan. I've been responsible for a nuclear power plant and all that that entails, and heard some harrowing stories about things that people tried in order to evade the physical security perimeters at those facilities. It's a little different than if it's at a small manufacturing facility. Yeah, I'm just going to call the police, or remediate. Right. Stronger focus on empowering individuals, not just companies. I love the stories, and I don't care if you're my competitor. I love hearing the stories of folks that come on here and share, because I see the value add in lifting: rising tides raise all ships. So, final thoughts. A little over a year in, 52 episodes. To me, it's just the beginning.
[00:19:09] Technically this is year two and a half or so. The first version of the podcast rebranded as this one 52 episodes ago, but before that it was another 40 episodes. But doing this, and I love it, my intention is to continue doing it, have more conversations, more amazing interviews. So my ask for you is to make recommendations on topics, folks that you want to hear on. Dig into things like AI, cloud, OT in the cloud, all of these things that may be taboo. I'm not saying I'm endorsing any of those things, but we need to talk about them. If we can't talk about them, it's hard to find solutions and even to see the problems and how to mitigate those things. To the guests: you guys have made this valuable. It's amazing to go to conferences and have people say, hey, I listen to your podcast. It's so weird and amazing that it's not just going out into the ether. So I appreciate everyone that listens, I appreciate everybody that subscribes and likes and comments and all the things. All of you guys, that's the reason we do this and I do this, right. To that, my ask is just: welcome to the mission. Right? Dive in, share it. Subscribe and share it. Get that voice out there.
[00:20:30] Bring on folks. We need more and more and more people in cybersecurity conversations around difficult things. Just because we've done something in the same way for 40 years doesn't mean we need to continue to do it. And the only way we get past some of those limitations is by having conversations, having a diverse discussion and dialogue around the problems, the solutions, the issues, the shortcomings and everything in between. So thank you for 52 episodes.
[00:21:02] For those of you that have listened to them all, wow, that's amazing. For those for whom maybe this is your first one, also, thank you so much for being here. I appreciate you and I'm definitely excited about the next 52 episodes and seeing where we go in the next year. Thank you for joining me and see you next time. Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
[00:21:32] Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.