Beyond Compliance Cybersecurity Insights With Blake Hoge and Aaron Crow

Episode 56 May 05, 2025 01:13:17
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow sits down with cybersecurity professional Blake Hoge for an unscripted deep dive into the world of IT, OT, and everything in between. In this engaging conversation, Aaron and Blake share their personal journeys through the cybersecurity landscape—from consulting roots and data center audits, to navigating third-party risk, compliance programs, and even some unforgettable experiences in global call centers and power plants.

 

This episode goes beyond the technicalities, exploring the importance of hands-on assessments, the unexpected vulnerabilities that linger in even the most sophisticated environments, and why fresh eyes are crucial for spotting hidden risks. 

Aaron and Blake also open up about their favorite use cases for AI—both on and off the job, and how these evolving tools are reshaping everything from incident response planning to everyday productivity.

 

But it’s not all about cyber threats and compliance checklists. The conversation takes a thoughtful turn as the two discuss the vital role of mental health, physical wellness, and community in sustaining long careers in high-pressure fields. From rucking at dawn and cycling in Moab to decompressing at cyber shootouts and embracing new technologies, Aaron and Blake remind us that protecting it all starts with taking care of ourselves and each other.

Join us for a lively, candid episode packed with actionable insights, relatable stories, and a reminder that cybersecurity is, above all, a people business.

 

Key Moments: 

 

09:47 Power Plant Fire Recovery Chaos

13:36 Infrastructure Maintenance & Security Compliance

16:10 Access Control Testing Concerns

23:22 "Design Process: Theory vs. Reality"

31:22 Dynamic Incident Response Planning

33:07 Commitment to Security and Transparency

39:21 Customized Consultancy for Unique Needs

47:05 "Understanding Contract Essentials"

50:42 In-House AI to Safeguard Data

57:47 AI Simplifies Search and Booking

59:13 Mental Wellness Strategies in Tech

01:03:52 Fitness and Energy Through Activity

01:10:44 "Business is a People Endeavor"

 

About the guest:

Blake Hoge leads third-party security at Airbnb, strengthening partnerships, and founded AmplifyGRC to support small businesses in building security and trust. At Instacart, he developed and scaled security and trust programs and compliance programs. At Salesforce, he managed security for global data and call centers. With over a decade in governance, risk, and compliance, Blake holds CISA, CDPSE, and PMP certifications, reflecting his expertise. Blake lives in the greater Austin, Texas area, and enjoys connecting with other professionals locally.

 

How to connect with Blake:

LinkedIn page: https://www.linkedin.com/in/blakehoge/

Company website: https://www.amplifygrc.com/

 

To be a guest or suggest a guest/episode, please email us at [email protected]

 

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Episode Transcript


Aaron Crow (00:01.038) Thank you for joining me today on the PrOTect It All podcast. I've got my friend Blake here with me today. Um, we are going to dive into all sorts of fun stuff. We don't have a script on this show. Kind of go wherever we go. Um, but it'll be fun. Uh, we'll, we'll talk about some cool stuff. So Blake, why don't you introduce yourself? First of all, thank you for joining me today and introduce yourself to the, to the audience. And I tell us a little bit about your background in cybersecurity and all the things.

Blake Hoge (00:25.719) Yeah, well first, great intro, love it, so that's really great. Yeah, my name is Blake Hoge, been in the security GRC space for, I don't know, I guess probably over 10 years now. Um, I guess I'll just walk through my journey a little bit, but yeah. So out of, uh, in school did accounting, realize I did not like that very well. Was a, uh, uh, very, very, very, uh, non, non, uh, non, non fun experience for me. And so midway through junior year, I switched over to a management information system. So, um, was already kind of half committed already to accounting. So I figured I would just pick that up and run with it. So did the whole double major, um, out of, out of school, I joined Protiviti, which for those not familiar, it's a consulting firm. So, uh, not a big four, not your typical EY, Deloitte, those sorts of things. So, um, but joined Protiviti, really didn't know what I wanted to do with my life at the time. You know, I was told this is going to be basically like, you know, audit and, you know, it really had no idea what that entailed. But you know, out of school started doing the audit stuff. It was, was pretty interesting and eye opening because got a lot of exposure to a lot of different industries. You know, it a lot of banking, credit unions, financial services, all those types of things. And then oil and gas.
What was really cool about it and was, I guess, a humbling experience was did a lot of traveling at the time. So that was pretty fun. You know, as a young, young 20 year old, get to travel to different cities and see different clients and interact with different teammates was pretty fun and exciting. You know, it wasn't, it didn't feel, you know, it felt like, what, is this thing? Like, you know, Jack, you know, mastery of, you know, Jack of all of mastery of none. So I kind of really got good about showing up and being like the subject matter expert in any situation where it's like, Blake, here's our senior and he knows how to do this audit from start to finish. Meanwhile, you were just like a warm body that just got pulled onto the project. So.

Blake Hoge (02:26.037) For me, that was a little hard to kind of understand like my purpose and where I was going with it. Along the way, I made a really good friend through Protiviti and he was actually kind of my gateway into the tech space. So he was working at Protiviti as well, got pulled into Salesforce as a customer or as an auditor, got hired and as you know, probably within a few months, he called me. He's like, hey, we have a role on my team. Are you interested? And I was like, yeah, sure. What are we, what does this role look like? And that role was kind of the entryway into the governance risk and compliance, you know, GRC space. And it was very specifically looking at third party risk management and doing, for Salesforce at the time was doing like our first party data centers and call centers and supporting our security and compliance posture globally, which was. You know, at the time I didn't really even understand what I was getting myself into, but it was exciting once I got over there. I spent about five years there at Salesforce and again, got into the first party data center. So we did a lot of security on-site assessments. This was like all pre-COVID, right?
And, you know, we would go to all your main data center providers, do security walkthroughs, looking at, you know, all the lines of physical security, getting into a data center, you know, looking at their processes, their controls, um, you name it, basically any, any way that could be basically penetrating to a data center. Were kind of looking at it, assessing it, providing feedback, findings, recommendations, all those sorts of things, which was really cool. Um, I know Aaron, you've, you've, you've used that a lot of time in OT, so you can definitely relate to that. Uh, but, um, and then we also did a lot of the call centers. So same thing kind of on the opposite end. You know, all these big companies have all these call centers globally, you know, kind of follow the sun model and, you know, trying to optimize for workplace efficiencies and costs reductions efforts and stuff like that. And so I definitely got to travel with my fair share, you know, as an India, the Philippines, like all around the world. And it was pretty, pretty eye-opening experiences going to these places and really understanding what is a call center and what are these people doing?

Blake Hoge (04:47.605) you know, how are we locking down the physical sites that they're working in, as well as, you know, limiting data exfiltration risk from people that are working there. And it was, it was a really good, good, eye-opening experience. So, but, from the OT standpoint, you know, I, I, that was kind of my first experience getting into it. So, you know, we would go into the data centers and we're looking at like the building management systems and, you know, looking at, you know, the, the thresholds and, you know, looking at how people have access to that system, you know, what can they control remotely versus do they have to be on site? So that was, that was really cool. Felt like I was really getting into that, you know, very security realm of investigation. So that was pretty fun.
So, but yeah, I know you've had, you have quite extensive experience in that. I know. Have you been into a lot of the data center world?

Aaron Crow (05:37.948) Yeah, so I worked in AT&T for a while. I was in there. We had a big data center outside of Dallas and we had another one outside of Seattle in Bothell. And those two data centers, I think the one here was almost 200,000 square feet of raised floor data center. It just a huge warehouse looking thing. I remember the coolest thing with there, obviously they had all the biometrics and all the things to get in the door. And this was, goes way back. And, and, but the, the really cool thing is the ceiling. The raised floor data center that AT&T had just built in Texas, and this was AT&T wireless. So it was pre let's see, it was like after the split, AT&T split off and turned into Southwestern Bell. And then it got bought by Cingular Wireless and then Cingular merge with AT&T. Anyways, it kind of went this whole big circle. It went from AT&T and then went back to AT&T. But anyways, the data center, was separate. So they had two data centers side by side. One was their, like they bought Time Warner, so it was their cable offerings. They had like cable modem internet and that kind of data center. And then they had a separate one, like neither of them had exterior, their name plates on it or whatever. But the data center, the ceilings were like, I wanna say 75 feet tall. And then when you open the raised floor, it was another 30 feet or something like that below. And they actually had little like rail cars that would drive like for the fiber team, like the physical wiring team, they would drive the cars to run fiber back and forth, because they were deploying fiber at the time. This goes way back, right? And underneath, like, it's like a grid, you know, so A2, you'd see that upstairs when you're on top, but underneath it was all lit and it would have all of those coordinates as well.
So when you put in a ticket to, hey, I need fiber ran to this rack at A2.

Blake Hoge (07:22.273) You know, I have an appreciation for that. Back in college, I was an intern at like our computer center there. And so that was like my first, you know, role in a very small scale data center, but

Aaron Crow (07:31.788) they would do it from underneath and all of a sudden you'd just see fiber sticking up the bottom of your rack.

Blake Hoge (07:49.727) going in there and running some of the fiber optics from the different racks. And I really appreciated going into some of these newer ones, you know, specifically with Salesforce, like how clean they keep those racks. Like the one we went to, it was like a spider web, you know, just a complete mess. And you're like, what is this going to? And, you know, you're, you're trying to be cognizant of like, all right, if I have to run this, you know, I don't get cable burn and try to pull the cable and break it and do all that. But some of these other ones, it's like, it's a masterpiece with, you know, the highways and the cable trays and everything that the users. Very impressive.

Aaron Crow (08:20.152) Yeah, I actually just got reached out to the other day. Ran, I did a project at a power plant. Shoot. That was probably 2016, I guess it was, I think. And we ran fiber between, they had different control rooms at this power plant and they had, we were running fiber between those and then also to remote locations. Well, this is in a coal fire power plant. So it's not a clean environment. You know, it doesn't have cable trays. It's hot because it's, you sometimes they go next to the boiler, which can get, you know, obviously thousands of degrees temperature. So we had to do this, you know, Kevlar coated shielded, you know, cable and we did MTP. So it had 48 strands in one fiber pole. So like you just put a termination on the end and then you fan it out to others.
Well, we ran this and the fiber, I want to say the fiber back then it was, you know, a couple hundred thousand dollars in just physical wire that we got custom built in a factory in Virginia and they brought it out on this giant spool. And I think the longest run was like almost a thousand feet. And then, so we ran it all, we got it all working, all this kind of stuff. Again, this was 2016. Well, this year, I think it was earlier this year, or it may have been the end of last year, they had a fire at the power plant. And when they were going through, the cables got cut. Both from some of them got burned, but some of them in fire and trying to put out the fire and kind of contain everything, they just basically cut all the wires going into the electronics room, because they didn't want it to, I guess, maybe spread across the wiring, et cetera. So they were trying to rewire everything and they didn't have an understanding of where, how everything was and where everything went. So they're calling people like myself and my team that I don't even work at the company anymore, but they're trying to get the unit back up on the line and

Blake Hoge (10:08.513) Okay.

Aaron Crow (10:12.152) They're trying to figure out where all the cabling goes and how it all worked and all that kind of stuff. So it's amazing. That was almost what, 10 years ago, I guess. And they're just now coming back and trying to help us to remember what was done so they can get back up and running. It just goes to show work that we do today. You don't know how long that thing will have an impact to the next version down the road. So some of the stuff will last for a long time and others will be ripped out in a couple of years. You just never know.

Blake Hoge (10:41.436) Yeah, that's interesting. Like, yep, come back 10 years later, hopefully, you have a really good memory of that exact cable that you ran. Maybe you wrote it down on a napkin or took a picture. Maybe we can leverage that.

Aaron Crow (10:53.41) Well, and luckily it's weird how my brain works. Like I'll meet you and as soon as you tell me your name, I forgot it already. Like I don't know what it is about me. Have to like, no, I have to meet you like three, four times or say your name or something like that. I'll remember your face. I know who you are, but I can't remember your name for the life of me. But when it comes to stuff like that, I can still remember IP addresses of servers at that plant today. Like off the top of my head, I could tell you what the... you know, the remote access server and the domain controller and the IP address and what its name is and probably even remember my password. Hopefully it doesn't still exist, but you know, if my account still existed, I may be even remember the password. There is just like weird things that I remember and I remember all of the wiring and how everything went, where it terminated and all that kind of stuff. So I was able to help them just in a quick phone call to give them a little bit of a head start on things as they were looking for the documentation that we created and where it existed, all that kind of stuff. But like, yeah, that goes to here and this goes to there and they're like, yeah, that's helpful.

Blake Hoge (11:51.261) Yeah, that's really impressive. If it makes you feel any better, I'm the same as you, like with the names, like I hear it. I don't know if it's like the initial nervousness of like meeting a new face, but it'll just go in one eye or out the other and yeah, same thing. I'll recognize you, but. I just have to wait for that opportunity to your name again. Hopefully someone else says it so I don't have to ask you three more times.

Aaron Crow (12:10.634) Exactly. I just tell people out upfront, like, hey, I'm horrible with names. Is nothing. I remember who you are. I remember, I can remember where we met. I can remember what you do for a living.
Like I can remember that, you know, you like biking and Moab and all those types of things, but I may forget your name. Be like, I don't remember your name. What's your name again? Like some people get offended by it. Like it's not intentional. It just does what it is. You know, especially when you meet so many people, I work really hard to try to remember that type of stuff, but again, it doesn't come naturally. So I have to like tell myself, okay, this is Blake. This is Blake. Is Blake. This is Blake. This okay. Now it's Blake. Now I'll never forget your name again, but it has to get registered in there before it ever I can recall it.

Blake Hoge (12:49.329) Yeah, totally. That's, that's the same for me, but, um, but yeah, I, um, the data, the data center world was, was really, really cool. And especially, you know, typical Salesforce is, you know, those, those facilities were just pristine next level, super high tech. Um, so it was really fun to see that, but yeah, I definitely got into like the more OT space, I would say, or kind of more visibility into that from not really having much experience, but

Aaron Crow (13:04.203) Yeah.

Blake Hoge (13:15.009) We were looking at all the BMS configurations, and we're also looking at the temperature humidity settings for this space. We're preventative maintenance checks on critical infrastructure like the chillers and the CRAC units, and looking at the UPS systems and the backup generators and their BCP plans and all that stuff. So it was super cool, especially when you see that some of these facilities that are just... seeming like billions of dollars of equipment and it's super impressive to see that. So that was kind of my experience within that first party, third party risk, physical security realm. I also supported within the Salesforce, a lot of our security compliance in GRC. So a lot of the testing we did on site, that would go into our SOC 2 controls or ISO 27001.

Aaron Crow (13:42.83) Mm-hmm.

Blake Hoge (14:08.609) And then we'd work really closely with our customer trust team. So when we would have like, you know, big customers that come and go, hey, how are you getting assurance over these data centers or these critical third parties or subprocessors? A lot of the time they would, they would defer to the work we would do on our onsite assessments and our documentation, our SOC 2 reviews and all that type of stuff. So, but that was, that was a really fun experience. So,

Aaron Crow (14:33.902) What's some of the bigger things that you found in those spaces that maybe people didn't think about, maybe even surprised you, whether it's in the OT or the IT or, you know, it's easy to think that those big companies, you know, have it all figured out. Like they've got big budgets, they've got big, you know, teams of people that do all these things, but that doesn't mean that they've fixed all the problems, right? So what are some of the things that maybe, and again, you don't have to call out a particular client, but... you what are some of the things that maybe you were surprised by that you saw that were still, you know, vulnerable or, or, or gaping holes or things that they'd missed or, or something like that.

Blake Hoge (15:11.876) Yeah, I I think it's one of those things where, if it's your house, for example, you walk by a problem all the time, you kind of just become blind or immune to it, and you don't really realize that it's a problem. And it could be something as simple as like, even if you're not an experienced person, let's say you're not, this is your first time going into data center, like, there might be things that you see off, you're like, why does this critical hallway not have a CCTV camera facing on it? And they're like, that's a good point. We didn't wire one here. Okay, well, you probably should have one here watching your UPS room. Or, you know, let's test out your badge reader.
Okay, like it looks like, you know, my guest badge plus, you know, my biometric is now somehow working on your door to get into this critical room. Are you testing that or what's your profiles and permissions for your badge access? This like you've deployed all doors to your guest badge and you haven't tested that? So there's instances like that where if it was exploited maliciously, yeah, some of it could be pretty bad. But I think a lot of people just become immune to it because they see it every day and they just, don't, there's so many other things they're probably doing just like in our daily lives where you get busy and, I'll get to it or you know, maybe it's not as critical. No one would actually get into that room. So it's not, you know, risk based approach in terms of dollars or time or effort. So you would see stuff like that occasionally.

Aaron Crow (16:41.516) Yeah. Well, and I found it can be also the assumption side of, well, somebody else has to know about that. Like it's too obvious. Like surely somebody's already put in a ticket or there's already a work order for that or somebody's already brought that up. But many times it's not because either A, everybody's thinking the same thing. Somebody else will take care of it or somebody else will put in that ticket. Or, you again, like you just assume that things have been fixed.

Blake Hoge (17:07.009) Okay.

Aaron Crow (17:08.814) I was doing a walk down of a manufacturing facility and they build, well didn't matter, they build a lot of stuff and they've got like eight lines, like lines on the floor. And as we're walking around, I'm doing all this and it wasn't a cyber thing that I found it. And that's the other piece when I'm doing assessments and walk downs, I'm gonna find things that may be operational and not necessarily a cyber risk, but I'm still gonna bring it up. It's just part of me and again, maybe because I have this OT and operational background, I bring these things up.
But one of the things that came up was they had, you know, all it's this huge, you know, factory floor and they've got eight lines, like I said, and in between each line, I think it's three lines, three or four lines. They have this, this network cabinet and it's up on again, really tall ceilings and they've got these pillars and this network cabinet is like, I don't know, 20 foot or maybe, maybe less than that. It may be 15 foot, about the size of a basketball goal up, up on this pole.

Blake Hoge (17:36.993) So, thank

Aaron Crow (18:05.806) and it's this half rack and it's just mounted to this cabinet. And I was asked a question like, what's in that cabinet? Cause there's like one, you know, there's like four of them in this space. Like, oh, well that's the networking cabinet. I'm like, okay, so what's it used for? I'm like, well, all the lines tie into that. Okay. Is there redundancy in there? And they're like, what do mean? I'm like, are there redundant switches? No. Okay. Is there redundant power? What do you mean? I'm like, does it have two power supplies sourcing from different circuits or if I go trip a circuit, is that entire rack going down? There's no redundancy of any kind. Okay. And I'm like, so I can't, it had black darkened, you know, tinted glass on the front. So you can't even see any of the indication lights on the switches. I'm like, are you doing any monitoring? No. Does anybody ever like walk by and check on those? No. Okay. I can't see them from here. I can't even tell what's in the cabinet, less if there's an indication. I can't hear any audible alerts. So what happens if one of those switches fails? Well, these lines go down. Okay. Why are they 15 foot up in the air? Well, we're trying to keep them out of the way. Okay. What if somebody hits them with a forklift? What? And we had just walked by a pillar and there was a TV mounted at about that height that was hanging from its HDMI cord because somebody hit it with a forklift.

Blake Hoge (19:28.063) Okay.

Aaron Crow (19:29.912) I'm like, remember that TV we saw back there? It's about the same height as that. So what if somebody hits that with a forklift? And it's little things like that that nobody thought of. And this was a brand new plant. They were just building it out, you know, greenfield and, and, and nobody had thought to ask that or push back on the design because everything on the, on the production line was redundant. But once it went back to the networking, it wasn't. And if that network switch went down, the entire production line went down because the, everything transmitted across that network layer, which meant that the first zone, back to however many sections they had in each production line, they couldn't talk to each other. So it would just shut itself down. And they were like, I'm like, again, this is not a cyber thing. It's got really nothing to do with cybersecurity other than the cyber risk is as if I can hack that switch and shut it down or whatever. Obviously, I've got one place to go, but that's not the biggest concern here. My biggest concern is, you know, you lose power, somebody hits it with a forklift or, you know, there's some, a power supply fails in one of the switches and I don't know what's happening. So it just, it just catches on fire because it overheats and nobody knows it happens until it's too late. And it's, it's one of those things where you have to really empower your staff to be okay to, say, you know, stop. And even if I'm the junior person or I just walked onto the facility the first time, I can't assume that somebody's already thought of it. Right. And a lot of people are.

Blake Hoge (20:48.801) Okay.

Aaron Crow (20:57.024) Especially if you just got hired or you're a junior person, you may be a little timid to say, hey, have you thought about this? Because they're like, somebody's gonna think I'm stupid.
Same reason you don't raise your hand in the middle of class, because you're afraid you might have a stupid answer or something. I'm not speaking for you, I'm speaking for myself. That's why I would sit in the back of the room and just take notes and let other people ask questions.

Blake Hoge (21:18.264) Yeah, totally. Yeah, I that. mean, yeah, from their standpoint, it's like, having the N plus one redundancy is, you know, very important. Like you said, whether it's a cybersecurity, you know, someone can exploit into there and control your box, your machine or whatever. That's one thing. But yeah, even from like a process is like, if this goes down, like you're not able to make money and that's bad. So you need to figure that out. But I agree. I mean, I'll point to another example here, kind of like you said, like the idea of a control, there's like good design controls and then there's bad design controls. So, you know, again, looking at some of my onsite assessments, right? Like looking at some of our call centers. I remember one instance where, you know, we were looking at their key management process, right? Like how do you store key, critical keys that get into this in case of power failure where, you know, you don't have badge access, you don't have that like physical keys. And you know, you're like, right, you know, they walk you, they escort you over to key management. Here's our key management process. And you know, it's, it looks like, uh, you know, a rack of keys, you know, kind of behind a glass thing, kind of similar to this, you know, nicely on display. And, um, you're like, okay, well, who's watching the keys? Like, well, one, like the, the door is open so you can just open it. I think it actually had the key in it. So it was like the key to open, to open and unlock it was there. And then it's like, well, who's, who's administering this? There's a sign in sheet, sign in, sign out sheet.
So does anyone here can just go grab whatever key they want, sign it out, bring it back, or maybe they don't even sign it out and you have no visibility here. Like, yeah, you can say you have a key management process, but is that, is that a good key management process? Is it effective? Like, so there's definitely concerning things that we, we, we saw on that front for sure.

Aaron Crow (23:02.87) Yeah. And it's so easy to overlook things like that. Like, yes, I've got a process, but does it work? And sometimes you don't know and it's easy to, you know, and this gets back to the whole, you know, I, I went to school for engineering and you know, I remember, I think it was even my freshman year of college and you know, one of the professors, I want to say he was an electrical engineering professor and he was explained to us like, you can design really intricate electrical designs, you know, put a drawing together, all that kind of stuff. But if you can't take that to mechanical engineers and that they can actually build it, it doesn't matter how pretty your design is on paper. Like if it can't be built in reality, then it doesn't matter, right? So sometimes it's really easy to overlook because you put it on paper and then without testing that process and seeing it, it's really hard to know if it's gonna work effectively, right? So it's very easy as an outsider to come in and say,

Blake Hoge (23:32.481) Yeah.

Aaron Crow (24:01.582) you have the key there and there's a sign in sheet, but nobody's enforcing it. Like to see all of the issues and you mentioned it earlier, like it's really easy once you're in it to ignore or not ignore, but maybe not see how ugly the baby is, right? You created this thing, you spent a lot of time and pressure, you know, time on it and effort. And you may not, you may just not be able to understand how, where you missed the ball. And it's really easy as an outsider.
It's one of the reasons why consultancy is such a powerful thing is I'm bringing all of the experience that I have from seeing thousands of sites, literally thousands of sites and all these different verticals from corporate data centers to buildings and skyscrapers and power plants and manufacturing facilities and buses and trains and substations and a little bit of all those things. So when I walk in, I'm bringing all of that knowledge with me and I can see things that I've seen in other places. So they stand out to me like a blinking red light. So when I walk in, it's like, I've seen that, I've seen that, that's a problem, I've seen that be a problem. And you see it and not you, but whoever the person is that did it, they're like, I don't get it. Like, because they haven't seen.

Blake Hoge (24:58.817) Yeah.

Aaron Crow (25:15.022) 50 other examples of why that was a problem. To them, it's not that they're dumb. It's not anything like that. It's just that it's not the blinking light that it is to me when I walk in because I've seen it that way and the issues that it caused and why. So it's easier for me to point out and say, you know, ABC one, two, three, in a few hours of a walk down when I've got 15 people on their team walking with me and every one of them, I can hear it and see it under their breath is just like, how did he, how did we not see not, not that Aaron's so amazing. How did we not see that?

Blake Hoge (25:28.609) Yeah.

Aaron Crow (25:44.546) Like we walk by this every day. We've done this conversation a thousand times and we never thought about that.

Blake Hoge (25:50.273) Yeah, totally. I've been there, done that. So I think, I think as you said, like from a consultant, you know, you have a very large and I guess in depth experience and OT and all that.
And the infrastructure is like, you're able to kind of, like, mentally benchmark, you know, your clients and customers, like, yeah, I've been to this, this is what a good experience looks like versus this is not good. So you're able to really be able to communicate what good looks like, what good design looks like, and help provide that guidance, which is really good. And I think back to your point as well, like, on paper, you know, controls and processes and designs look great. You know, that's where it's like, you need to start doing the testing. So whether it's, like, you know, incident response testing or business continuity testing, it's like, do some tabletop exercises. You know, you have this 30-page document. You know, are the people that are supposed to be involved, are they still at the company, or did they just get assigned to this document? They've never even looked at it. So when, you know, shit hits the fan, so to speak, people aren't reading through 30 pages and go, I have no idea what to do. I'm so lost. This makes no sense. And, you know, in terms of, like, a compliance audit or, you know, what your customers want to see, yeah, maybe that 30 pages looks really good and sexy, but when it comes down to, like, let's actually get things done and show results and test this out, like, it's going to break down and it's not going to be good. So.

Aaron Crow (27:03.374) 100%. You know, speaking of tabletops, I love that analogy. And I think so many organizations and groups and teams and executives miss the point on compliance, but also on, like, tabletop exercises. And I really see a tabletop exercise as, you know, the fire drill is the analogy I usually give, right? Why do we do fire drills? It's not because somebody wants to have to walk down 10 flights of stairs and go stand outside for 15 minutes and talk to all their coworkers. It's because if a fire comes, you don't want anybody to have to wonder, where should I go? What should I do?
Should I take the elevator? Like, what floor do I go to? Who is my point of contact? Where's the muster point? Like, you want everyone to already have done this multiple times. So it's just, they know what to do. They're just, or also, and also when that floor warden says, hey, don't take the elevators, go down 10 floors, stop there, wait for more instructions. If you get there and that floor warden tells you to keep going, then keep going. Outside's the muster point, et cetera, right? So many organizations that I come in and see, they take a tabletop, they do it once a year. They only include their executives and maybe the managers. They're not including the actual boots on the ground that are actually implementing and running the incident response plans or the disaster recovery plans. So they don't include all the right people. So they get this false narrative and false sense of security that they've gone through and they checked the box, and they don't actually get the benefit that they're looking for. Instead of, so we've started doing these, we call them auto tabletop. So we partnered with a company called ThreatGen and we bring in and do these auto tabletops. And the benefit that it gives us is, A, it's an annual license subscription.

Blake Hoge (28:39.272) Yep, totally.

Aaron Crow (28:54.486) So the teams can use it, and I look at it more as, like, a training or even a team-building exercise, right? So you can actually feed it, as it's a local model. So it's not in the cloud. It runs locally on your machine. So it's not going anywhere. It's not leaving your network. So there's no worry about, you know, exfiltrating asset information or vulnerability information or anything like that. But you can feed it things like your asset inventory, you know, your disaster recovery plan, your incident response plan, and it'll go through that stuff. The difference, then, an old-school traditional, you know, tabletop, which is static.
And I've done them many times, and you walk in and you get to a certain place in the, you know, in the tabletop, and then somebody raises their hand and, yeah, that's not how we do things. Like, that's not accurate. That wouldn't be how we would respond, or, we have this control that mitigates that. And then you're just like, okay, well, we'll just continue anyways, knowing that, just ignore that step, right? The difference with us is, because it's using AI, we can actually say, oh, time out, and adjust the tabletop on the fly and change the rest of the questions and all of the scenario based upon that. And then the other piece to it is, just like a fire drill, when you run it, it's gonna score you. So let's say you do it the first time and you got a, I don't know, out of 10, maybe you got a seven, whatever, like, whatever the number is. You can do that same exact exercise the following week, the following day, whatever. And in theory, you should have learned from your mistake. Kind of like what we talked about with remembering somebody's name. About the second or third time I meet you, I'm more than likely gonna remember your name. I'm not gonna continue making the same mistake over and over again. So if those teams have learned from those, I didn't pull out the incident response plan. I didn't call

Blake Hoge (30:38.951) So,

Aaron Crow (30:42.604) you know, the supervisor in time, or I didn't, you know, shut down the network, or whatever the step is. And once I learned from that, not only can you adjust your incident response plan documentation and let everybody know about it, you can also go through it again and see if you get a better score, right? So you're constantly improving and it documents it. It's really powerful, but it's only as powerful, if I only do it once, then it's just the same as a static.
But if I use it and say, hey, I want to do this monthly with my team, and I'm going to have all the way down to the people that are actually hands-on, you know, that are actually doing the stuff, I want to make sure that they're part of it, because all of this is going to roll up and bubble up to improve my incident response plan, but also make sure that everybody, when an incident does happen, that they know what to do, because that's not the first time they've been looking at this piece of paper. Normally, you know, incident response plans are, you know, like you said, 30-page documents and they sit in some...

Blake Hoge (31:08.896) Yeah.

Aaron Crow (31:37.208) file folder somewhere, and break glass in case of emergency, but nobody actually looks at it until it's in the moment. And then they've got 12 people looking over their shoulders and they've got all this attention and pressure and the sky is falling and people panic. Everyone does, like, your blood pressure raises and it's just not the opportune time to figure it out.

Blake Hoge (31:57.636) Yeah, you're shaving years off your life with stress at that moment.

Aaron Crow (32:01.676) Exactly.

Blake Hoge (32:03.807) But yeah, that sounds really, really, really cool. I have to actually look into that. But yeah, I think, you know, to what you said, just testing everything out and making sure people are aware and it's muscle memory, it's super, super important, and not just doing, you know, things for compliance. Like, that is an important thing, right? Like, we have, you know, every company I've been at. So, and I guess I'll just bring it into this. So, like, when I was at Instacart, I built out the customer trust program or customer security program.
So being on the receiving side of that, of, you know, the opposite of third-party risk, is I was getting the customers coming to me and going, hey, we need to see your, you know, your SOC 2, your pen test, your, you know, pre-filled questionnaire. We want to know about your disaster recovery. We want to know about X, Y, and Z. And being able to have that stuff and, like, confidently be able to share it out is, you know, doing the security and process things for security and processes, not just to check the box and go, got the audit stamp, or, hey, we're going to give this very fluffy, you know, artificial document to a customer just to make them go away. Like, those things are important. And it's kind of one of those things, like, let's, you know, we drink our own Kool-Aid, like, this is our process. This is how we execute it. And we're happy to share it and educate people that we actually have good processes in place and we secure your data. And, um, you know, so that was my experience, but, um, a lot of people I've seen, you know, kind of do the compliance first and then the security will process that again.

Aaron Crow (33:33.58) Well, and, you know, I came from power utility, where it's very compliance heavy, right? So there's a lot of regulatory compliance that goes in power generation, transmission, distribution, et cetera, for obvious reasons, right? And I've also seen many organizations that do a really good job with it. All of them do a good job, but sometimes people don't understand the difference between compliance and security, right? I can have a really good, strong, cyber-secure environment and not meet compliance. And I can be 100% compliant and have vulnerable areas in my security posture. It's not a silver bullet, it's not one or the other, it's both. I can't just work on my compliance and then think that everything that needed to be done is in that compliance documentation, because...

Blake Hoge (34:09.953) Okay.
Aaron Crow (34:28.366) it gets too stringent. So when they do compliance, they try to keep it pretty high level. They try to keep it fairly, you know, open-ended, so that you're not overly prescribing things that don't apply to all parties. So they really have to make it where it fits the right model, right? So I've seen so many that really struggle with that, you know, the mixture between compliance and security and why it's different, right? Why it's, it can be hard. To your point, you know, you talked about checking that box, and it's really easy to go down the list and say, yeah, we do this. We do this. I've got a doc, yeah. Here's my piece of paper of my, you know, my compliance, you know, my incident response plan. But to your point that you said earlier, right? They haven't actually run through it. They haven't tested it. They don't know if it's a good incident response plan, but it is one. It's just like, I can go to ChatGPT and tell it to create an incident response plan

Blake Hoge (35:10.859) Okay.

Aaron Crow (35:24.666) and I can print it out and put it in our SharePoint and label it and timestamp it and all that kind of stuff. So check the box. I've got an incident response plan. But what's the point of it? If it's not accurate, if nobody knows how to use it, if it hasn't been tested, it hasn't been validated, like, all those things. And I think companies are getting better. Even looking at cyber insurance, like, cyber insurance has changed so much over the past

Blake Hoge (35:40.353) Okay.

Aaron Crow (35:53.164) five, 10 years, where, you know, in the beginning people were using cyber insurance instead of, like, cyber security. Like, I just got an insurance policy. I don't need to, you know, actually deploy controls. I'll just insure in case somebody breaks in. And I think now, obviously, the cyber insurers have gotten wise and said, yeah, that's not how this works.
If you can't prove that you have multifactor authentication and you have firewalls and you have segmentation and

Blake Hoge (36:15.587) Yeah

Aaron Crow (36:21.698) you have endpoint protection, and if you can't prove that you have those things, then I'm not insuring you, and if I do insure you and I find out you didn't have those things, then I'm not going to pay the claim. Like, it's compliance, but it's compliance in proving that you've done the due diligence that you said you were going to do. And it's not just a piece of paper. It's an actual incident response plan that works, not just something I created or grabbed from, you know, I went to AI and said, hey, give me a, give me an incident response plan that I can implement, and they just copy and paste. That's not what they're looking for.

Blake Hoge (36:56.581) Yeah, yeah, and I think, you know, the compliance aspect that you said is important. For example, you know, having a SOC 2 or, you know, meeting PCI or, you know, ISO 27001. Those are really good, you know, from a company perspective in terms of, like, sales enablement and, you know, trying to generate revenue off of those and showcasing it. But it's one of the things where it's like, design the documentation with your current environment in mind and how your current processes work, and then fill out the documentation. And if you're doing that well, those things will satisfy the requirements, you know. Maybe there's some very specific things that you might need to add a little language in for PCI or, you know, a scoping thing. But for the most part, it's like, hey, we have an incident response process and we're executing and we're training and we're doing that. And it's going to satisfy, you know, five different control frameworks for these attestations and external audits. Great. Everyone wins and we can sell the business better. And, um, so those things are definitely important.
It just, you know, I think a lot of people use that nowadays with, like, ChatGPT, for good or for bad. Create me this policy. And then an auditor comes in and is like, yep, shipshape. It looks like you have a great policy and nothing to look at here. No deficiencies, no findings. And have a great day. See you next year.

Aaron Crow (38:11.598) Right. Which, again, not to beat down on ChatGPT, if you don't have an incident response plan, you should absolutely use AI tools to help you create one. That said, you need to take it and customize it to your environment and make sure it works and make sure it's not missing things, because ChatGPT, you know, these AI models are good at what they do. But there's no way, unless you're feeding

Blake Hoge (38:21.451) Yes.

Aaron Crow (38:37.122) you know, an OpenAI model all of your proprietary and, you know, vulnerable information, which I highly don't recommend that you do, because then it knows all about all of the things and, you know, there's all sorts of risks behind that. So, but again, that being said, there's no reason why you can't have it build a very generic, high-level, you know, incident response plan to start with. Like, you don't have to reinvent the wheel. You can find consultancies like, you know, again, Morgan Franklin, we do this all the time. Like, we can come in and help you. There's lots of folks that can help you. You don't have to start from scratch, but at the same time, you still need to customize it to your space and make sure, you know, my business is different than your business. So, yes, I could give you a copy of my incident response plan, but it's not gonna necessarily fit your business. Like, your crown jewels, the things that are important to your business, where those risk factors live, all that's gonna be unique to your environment, right? So we need to make sure that the right people are at the table to raise those questions of, where are the crown jewels?
Where are the most important assets? Like, what is our business process? Like, where are the things that we need to make sure that we can get to and respond with? And that's where working with third parties, working with consultancies, but even that, just making sure you, even if I came in, Aaron has been to all these different places and, yes, I can help you get a long way, but I'm still gonna need people on the ground that know the process and have done it to make it complete. Like, as good as I am, as good as you are, like, we can't come in blind and say, here, I know how to fix all your stuff. Like, there's some, you know, investigation time and interview time that we need to have to really completely understand your business and how to make sure that you're covering all the bases.

Blake Hoge (40:23.472) Yeah, and I think, like you said, going into the AI topic a little bit, it is such a great starting point and tool. Like, if you're not versed in one of those areas of, create me a policy or an SOP, great. It will spit something out. And then, like you said, whether you're capable or not, or you hire someone else, you know, go interview stakeholders, interview, you know, your security person, interview your BCP person, interview this person. And then you can kind of tune it, like you said, specific to, like, your crown jewels, your processes, your people, your technology. But I mean, it's, you know, I don't know if you have any specific thoughts on the AI and where it's going, but it is a pretty good, like, you know, hey, I have a meeting, but I'm going to prompt this thing really quick to build me an outline. Once I'm done with that, I can go, you know, spend a few minutes in between meetings or the next thing and tune it. And it's just, I found it's a pretty game changer, and just getting some threads and brainstorming ideas going, and then can take it and run with it from there.
But I don't know if you're finding some good use cases for it, for yourself.

Aaron Crow (41:22.868) Yeah, for sure. It is definitely game changing. And if you're not using some AI tools in your day-to-day operation, then you're missing the ball, right? That being said, obviously from a cyber perspective and an organizational perspective, you need to be careful. You know, DLP, you don't want your data getting into the cloud that shouldn't be there, but that can go with training. Like, you know, anything that I'm putting into AI, you know, is not anything that somebody couldn't find on the internet already, right? It's general information. It's a logo. It's a brand name, things like that. I'm not putting my crown jewels or my asset inventory or anything like that into a public model. We do have some local models that we use for things like that, internal tools, and we do some automation and we create reports, and we'll do a lot of that stuff, like tabletop-type stuff, right? So I talked about the auto tabletop that we do. We also do some stuff with, like, asset inventory and doing assessments, where we take a little device and we plug it into your network and it gets broadcast information. It's not scanning or doing anything like that. And then we take that and use AI tools, again, on-prem, our models, not going in the cloud, like, no co-mingling of data with other clients or anything like that, right? And there's a lot of power in those things. But even to your point, just as an individual user, taking notes, like, I go to locations and I'll handwrite notes on things. And I know what it means, but sometimes it's really not super clear or I'll forget. Like, if I look at my notebook from five years ago and I just look at the notes, sometimes I don't necessarily understand what I was noting about, right? So what I've started doing now, especially on important things, is I'll take those notes.
And then when I'm out of the meeting, I'll take time and I'll go through, I'll upload pictures of those notes to ChatGPT. Again, nothing in the notes is proprietary. There's no, you know, again, I'm not talking about, you know, critical IP addresses or anything like that, you know, high-level conceptual-type things. And then I'll go in and dictate into ChatGPT as I'm looking at the notes and saying, this is what I was thinking about here. This is what this section is for. This is what, so giving it some context around what my notes were.

Aaron Crow (43:38.318) So that way, then it creates me a summary. So it then takes that, takes all my handwriting, converts it to text, and then puts my summary on it. So now I have a summarized page of the notes and all the things and what they were for in a legible thing that I could give to you, and you could actually make sense of it to some point. And it's a really powerful thing to be able to do. And I just started doing it and it was, like, life-changing to me. 'Cause I'm like, I've got all these notebooks down there.

Blake Hoge (43:48.609) Okay.

Aaron Crow (44:08.302) And I can look back and some of the stuff makes sense and some of them's like, man, I don't remember what that was about, because I don't have the context of what I was listening to in the meeting that I wrote that sentence out for, right?

Blake Hoge (44:19.458) Yeah, no, it's super, super handy. Just like you said. Which one of the engines has been your favorite? You found to be the best for your use cases, or do you use a blend of them? Do you kind of start with one, move over to another, try it through there? How do you do it?

Aaron Crow (44:36.824) So I use them all, or not all, but many of them. I probably default to OpenAI, ChatGPT, the most. I like the projects that it does. Obviously it's not great at everything. You don't wanna usually create images from it or anything like that, but all of them are getting better.
So Claude is supposed to be good with, like, copy, the noting stuff I was just talking about. You know, Grok is really good at the research stuff, but they're all good. It's just a matter of, so sometimes I'll do the same task on three different chats, just to see which output I like better. Other times I'll actually take, let's say I'll put it into OpenAI and ChatGPT, and I'll take the output and drop it into Grok, and take the output and drop it into Claude, and just to see, okay, now what do I get from it? And are there any other enhancements from it, right? You know, the template for, you know, an SOP or incident response plan or disaster recovery plan. You know, all those things are so

Blake Hoge (45:41.729) Okay.

Aaron Crow (45:46.584) their language, they're learning from others that have put them in there. And you can get as specific as you want, again, without putting proprietary information in there, but it's amazing how they may say it a little bit different. It's kind of like getting the opinion of three different people, and, like, they all say basically the same thing, but there may be a few, like, wow, that's an interesting way to do it. So, like, doing it through all three of them, like, there'll be little nuggets that you can pull out, that I liked this better out of the ChatGPT one, I liked this better out of the Claude one, and this one out of the Grok one, right? So, you know, they're all very close and they're good at different things. But yeah, I spend a lot of time in Claude and, you know, little things like taking a contract. Let's say it's some, you know, generic contract you have to sign for whatever. Like, you can take it in there, you can drop it into GPT. And then you can just say, summarize it. Like, tell me the things that I should be concerned about. Is there anything that I should be interested in or really dive into?
Not that it's gonna do everything for you, but what section should I really read through and make sure I understand before I sign this contract, right? Little things like that. I've got a real estate license, so I've read thousands and written thousands of contracts for real estate, but still, it's a legal contract, right? So I've read all that legal verbatim, all that type of stuff.

Blake Hoge (46:55.208) Yeah, yeah.

Aaron Crow (47:11.278) But still, it's just mind-numbing when there's 30 freaking pages of it and it's always small print. But putting it into something like that really can help you kind of summarize things. I'll tell you one, and my wife will laugh at me, and it has nothing to do with cybersecurity, but I'll share it as a fun aside. My wife and I were in a disagreement the other day and I was trying to explain something to her and we were just talking past each other. We were not able to communicate well.

Blake Hoge (47:14.878) Yeah. Yeah.

Aaron Crow (47:40.728) So I took and I came in here in my office and I dictated, like, this is what happened. This is where we disagreed. This is what I was trying to say. This is what she said. And I feel like we're talking past each other, but this is what I'm trying to say. And again, I'm not typing, I'm dictating it. And it created this response that was like, when I read it, I was like, that's what I was trying to say. I don't know why the words couldn't come out of my mouth that way. So I sent it to her and I prefaced it by saying,

Blake Hoge (47:53.249) Okay.

Aaron Crow (48:08.138) I did this through ChatGPT. I wasn't trying to pretend like I created the words, but they were my thoughts and dictated through exactly what I said. But because of the way that ChatGPT was able to kind of word it, it made her not be defensive about it. And she was able to see my perspective and saw that I understood her perspective as well.
And man, it was life-changing, and using tools, and it feels like a cheat.

Blake Hoge (48:23.393) Okay.

Aaron Crow (48:37.676) You know, kind of what I told her was, I said, it's like any tool, like, you know, you shouldn't overuse it, but it's a tool that is available to us. So why wouldn't we use it? Whether it's at work, with your kids, you know, you can do things like, you know, I've got a three-year-old kid or a five-year-old kid and, you know, they're doing fractions or whatever, you know, you could say, hey, give me 10 questions that I can ask my kid to see if they're good at it, and let it do things like, little things like that, that have nothing to do with cybersecurity and maybe nothing to do with your job. But you can do funny things like that to start meetings and summarize notes and all that kind of stuff. It's amazing what you can do with it and make you more efficient in your roles.

Blake Hoge (49:16.641) Well, that's a really good example. I'm going to keep that in my back pocket next time my wife and I get into it. I think what's interesting is it's, you know, probably just from, like, an AI, you know, it's taking the feelings and emotions out of the human. Um, you know, I need to win this debate. I need to win this argument. I need to win this point. And translating it into, uh, you know, without that bias, without that feeling, not saying there's not bias there, but, like, the feeling of emotion or communication and things, like, it's lost in translation in those moments. So that's really good. I'm going to keep that up my sleeve. But yeah, my example of using it recently is we had a claim for mold water damage in our house, and same thing. Like you said, we get, you know, hey, what's our deductible? What is all of our information in our contract with our insurance? Ran it into GPT to, you know, hold my hand, talk to me like I'm five years old. Like, what is the best case scenario here?
So it was really helpful to, like, break it down and, like you said, like, here's the good, here's the bad, here's how you should approach this. So yeah, saved me much time, less stress, and definitely made that process smoother for me.

Aaron Crow (50:23.15) So I've seen a lot of organizations that are doing, like, their own in-house custom, you know, AI models, right? Local language, because they want their employees to be able to use it, but they obviously don't want, you know, proprietary and, you know, information in the cloud. You know, some organizations are completely blocking ChatGPT, but it's not going to stop people from using their own personal devices, their phones, et cetera. You know, you can obviously train them and tell people not to do things, and people make mistakes. But giving them the tools is the right answer, right? So if you can have those tools, if you don't want them using the free ones or the ones in the cloud, then give them an alternative, right? It's like, tell a kid not to ever drink and you don't tell them why. As soon as that kid, that's why the preacher's kid's usually the worst kid, right? They never got to do anything. And as soon as they get a little bit of freedom, they go off the deep end on it, right? Same thing with, make sure you keep the door open and keep a

Blake Hoge (51:06.113) Yeah.

Aaron Crow (51:22.668) distance between you and a girl, like, you know, all that type of stuff, right? And as soon as you get that alone time, like, you're just going straight after it. 'Cause, well, if they don't want me to do it, it must be really good. So that's what I'm going to do.

Blake Hoge (51:33.361) Yeah, no, I think, like you said, companies should embrace it, you know, set up policies, set up the guidelines, allow people to explore it, test it, have fun with it.
But like you said, like, limit what the risk is, you know, bring it in house, you know, have your self-sustained environment, you know, limit what people are doing with it. But like you said, if you try to say, no, it's bad, you can't use it, like, people are going to find ways to do it, and chances are they're going to put themselves or the company more at risk because, you know, maybe they're not educated enough or they're just doing silly stuff on the side. Um, so that would be my feedback and guidance. And hopefully people embrace it along the way, because I don't think it's going anywhere. Um,

Aaron Crow (52:14.542) No, you know, it is, you know, everybody's talking about how AI is going to, you know, displace jobs and things like that. And although I do think that there's some of that, there'll be some low-level, you know, entry-level-type roles. I don't think they go away. I think they just turn into something else. Like, you know, you look at the factory floor from 50 years ago and it was people and, you know, it's like we talked about earlier, right? But now it's automation, it's robotics, it's things like that. It doesn't mean that you don't need humans. Those humans just have to do different things. Like, now they're controlling the robots, they're validating things, they're tuning, they're calibrating, they're checking systems, they're doing different tasks. They're not just hammering a rivet, right? The robot's doing that stuff, the robot's doing the welding, the robot's doing the dangerous stuff. Then the human can just validate things are in there, they're working as performed, and that human can do more tasks now, right? They can do more things. When I look at AI, it's that, how can I enhance that? I don't have to do the boring, mundane things that I don't wanna do. Writing a report, prime example. I don't wanna write a report.
But I can tell you exactly what I want to say and I can dictate it. I know what I want it to look like. I can, funny story, when I was at Big Four consulting, I would be able to, I can write on a whiteboard. It's like, I'm like A Beautiful Mind. I can write forever.

Blake Hoge (53:28.145) Yeah.

Blake Hoge (53:41.208) Okay.

Aaron Crow (53:42.368) I can draw, like, all of these things, but turning that into a PowerPoint is not my strength. Like, I can't do it. Like, I can, but it's not going to look right now. So back then they would take entry-level people. So seniors, and they would bring them in and they would schedule a meeting with me, and they would bring out their cell phone and they would record the audio. And then they would ask me, like, whatever they needed to write a presentation or a report on or whatever.

Blake Hoge (53:44.737) Okay.

Aaron Crow (54:11.116) And I would draw it all out on the board as I'm talking. So I'd have pictures and diagrams and all the things. And then when the meeting was over, they would take the audio, they would take the pictures, and then they would use that to manually create a PowerPoint. So now I do the exact same thing, but instead of the entry-level, you know, two people that are doing it and manually creating it, I dictate it to ChatGPT, and then I put it into another platform that creates a PowerPoint. I can create a PowerPoint in five minutes.

Blake Hoge (54:41.133) Yeah, it's life-changing from that perspective. Yeah. I think back to your point too, and that is, like, people do get fearful that, like you said, there might be some shifts in jobs and what that looks like. But I think overall, like, if you look back in time, like, this might be like one of those transitions with, like, phones. Like, you know, you went from working a nine-to-five brick-and-mortar job, you went home, maybe you had, you know, you had a life learning hours.
Like, you know, you have your cell phone, you have, you know, the internet of things, everything is talking to you work. It can talk to you all hours of the day. So you're, you know, arguably working longer and more, and, same thing with like, you know, AI it's like, okay, maybe you're going to work more in a different aspect or a different capacity or pick up a different skillset and take some of the mundane low hanging fruit that, you know, like you said, just translating something like I already wrote this out. I free handed stencil it. I don't want to make a PowerPoint. This is really good at doing that. And it gives me time to go focus on this, you know, actually a high risk impactful thing versus just, you know, something that anyone can really do at this point. And I think along the lines as well with AI is as you're prompting it. So for people like us in this field, like we have experience. It's like, we kind of know what the output should look like or our desired output. But like, let's say you don't know about it and you start prompting it and you know, you're reviewing the reviewing the output and you, you know, you're going to be learning this stuff along the way. I feel like it's almost like Google searching without less of the sponsorships ads, all the fluff. Like you can get to. answer is not to say you have to trust everything 100% of the time, like you said, but like you're going to be reading the content, it's going to be pulling it together quicker, faster. You're going to be reading that and absorbing the information in a nice, you know, uniform dissectable, you know, speak to me like I'm five years old and educate me. So it's like, there's a lot of learning opportunities as you're prompting this with, with new content, which I find really fascinating.

Aaron Crow (56:32.782) 100%. Like I really feel that Google is Googling or search engines are kind of dead.

Blake Hoge (56:41.173) Yeah, I don't use Google anymore. I Grok, I OpenAI, I use those all.
Aaron Crow (56:45.068) Yep. I use, I use Perplexity. So Perplexity has access to all of them. So if I'm looking, let's say that I'm, I did the other day, I was looking for a podcast studio in San Francisco, cause I'm going to RSA next week. And, I was saying I may want to do a drop in and record a podcast episode, while I'm there. So I, instead of Googling and trying to find all that kind of stuff and read the websites and seeing where they are, I put it into Perplexity. And I said, okay, I'm going to be in San Francisco. I'm going to be close to the Moscone Center. and I'm looking for a podcast studio that's within, you know, maybe a mile of there that has, you know, this, this, and this. And I kind of put in the criteria and then I just did it. And then it came back with like three of them in a row, the closest one first, what their pricing was, like what, services they offered, all that kind of stuff. And I didn't have to look at 15 ads or find 10 down that was the right one that was closest because it didn't trend in Google. So even though it was the closest and best one, it's on the second page and I didn't see it. Like it does all that stuff for me and it's just looking at the data. Like it's life changing when you know how to use it and what scenarios to use it instead of, you know, having to go the old ways and do it Google and then go to click on everyone and then try to find the right page that has the information to look for and then, five, six clicks later and then go back and then go back to another one and do the same thing. Like it would take you 30, 45 minutes to do that information. And now you can just do it at the drop of a hat. Same thing with booking travel, with finding hotels, with finding flights. Like you don't have to go to multiple sites. You don't have to go to Google Flights. Like you could do all this stuff and just give it the information and let AI at least do the first round of searching and narrow it down.
So you're spending less time doing these things.

Blake Hoge (58:18.85) Yeah.

Blake Hoge (58:33.552) Yeah. And then you can export it too. So instead of, you said, go and Google and then put in your Google Sheet and tracking it and comparing it's like, Nope, I want this in a PDF or, you know, Excel format exported so I can compare contrast it. I can also send it directly to the person I'm trying to coordinate this trip with or whatever. So it's super, super. Yeah. Big game changer there. Just, one thing I wanted to touch on outside of the AI and some of the security realm. I don't know how we're doing on time here, but one thing I'm passionate about, I believe you are as well. And I don't, I don't feel like this is maybe discussed enough in the field, but it's just like the mental mental wellness, health, you know, what do you, what do, you know, we, work in this stressful field. I'm not saying that this is the only stressful field, but it's stressful, right? What do you do to, I guess, endure, prolong your lifespan, de-stress yourself, stay in the game? That's something I'm always fascinated with and I haven't really chatted with enough people about that, what do you do to stay grounded and mentally sharp, physically sharp, in the game for as long as possible? What do you do?

Aaron Crow (59:48.846) Yeah, so for me, I had this journey in my life. I was working in a job, great job. I was 150 pounds, over 100 pounds more than I am now. I'm a big guy. I'm 6'2", 235, but I was same height except 350 pounds, right? I had back problems and heartburn and pre-diabetic and all the things. Um, and you know, since then I've changed and, and, you know, I, I eat different, I work out all the time and I, and I don't work out like, you know, I've done CrossFit and I've done, you know, uh, mud runs and competitions and, and, you know, uh, marathons and, and climb mountains and done crazy, you know, 14ers in Colorado and, done all sorts of things.
But to, to answer your point in why do I do that? Like, you know, I, I do it because that every day I ruck. Rucking is, if you've never heard of rucking, rucking is you basically walk with a backpack, right? It came out of military, I did not serve, but many of my friends did. And rucking is something you do in the military. It's a backpack with weight on it and you ruck, you walk, not just leisurely, but you walk with a purpose pretty fast. And then that weight helps you with... You know, you get the benefits of a run without the physical breakdown of the impact of your joints, et cetera, right? So I've rucked, I've signed up for the past four years to do a thousand miles a year. So I've rucked over 4,000 miles in the last four years and I do it all around the world. I take it with my backpack that I carry is a GORUCK. So I've done it London and Japan and Canada and Mexico and all the places on the beach, in the cold, in the snow, in the heat, you name it, right? And why do I do that? I do that because it starts my day off, right? It really helps me to level set. I've done a hard thing. I usually do it first thing in the morning. So many times it's five o'clock in the morning. In San Francisco, it'll be five o'clock in the morning, which for me, because I'm in central time zone, it's really only 7 a.m. because I'm used to that. You know, I ruck a lot. You know, I do a lot of reading, you all the things on my book back there. They're not just props, right? I'm reading things constantly. I'm going to...

Aaron Crow (01:02:10.37) you know, coaching seminars and webinars and, you know, I'm constantly learning and not just in cybersecurity, you know, public speaking and mindset and, you know, personal health and all the different things. Because to your point, like you never shut it off now, right?
To your point, like I work from the time that I get up, I'm checking emails and, you know, my boss may send me a message at seven o'clock at night and I'm probably going to respond to it. But because of that, I need to make sure that I have balance in my life. And balance does not mean equal. It just means that there is some balance, right? You know, the scale balance is a little bit. Like sometimes it's 60-40, sometimes it's 80-20, sometimes it's 100-0, but you can't run at rev limiter constantly or you will burn out, right? So, you know, taking time, schedule, you know, every day I schedule a lunchtime. That doesn't mean that people don't sometimes, you know, schedule a meeting over my lunch, but I carve out that time so that I remember especially working from home, to walk away from my desk and go eat, right? Sometimes I'll grab food and I'm sitting here at my desk on a call or whatever, and it's okay to shut this off and go walk away for 15 minutes and talk to my wife and then come back to work, right? It's okay to step away. And when we go to the office, we used to go to lunch and we're talking with friends and all the things. It's really easy to just get in the groove and work nonstop all day long. So for me, it's a mixture of fitness. It's a mixture of you know, whether it's meditation, you know, grounding, you know, obviously hanging out with friends and, you know, I do jujitsu, you know, a lot of things like that, that I'm 47 years old. I do jujitsu. I work out every day, many times twice a day. You know, I do a lot of physical things because to me, it, it's amazing how much more energy I have when I go do those things than when I just wake up, have coffee and don't do anything physical. Because then I'm like tired at two o'clock and I'm like passing out. It's it's it's it's exactly opposite of what you would think. But for me, it's true.

Blake Hoge (01:04:12.298) Yeah, no, I'm the same way.
Like I like to start my day off with some exercise and you know, today was one of those days where I did some walking, not as much as I want, not as physical exertion. So definitely a lot more caffeinated. But yeah, you know, I just feel a little bit slower, a little bit more tired. But yeah, for me, I love the sense of like fulfillment of like I did that hard thing today and like everything else is seemingly easier or less stressful or gets to me less. And then on top of that, just from like a mood and mental, like, you know, I'm less agitated, I'm less, you know, less stress and not going to yell at my neighbor or someone because like I've had a rough day. So for me, it's definitely a big de-stressor and you know, like the competitive aspect. And then you mentioned like jujitsu, like I don't personally do that, but it's like, I like competing. Like I use, you know, do cycling triathlons, like racing. And for me, like I use apps like Strava where it's like, Oh, who was the fastest on this route today? and hopefully it be better be me, but I love that. Just, I think it just, like you said, grounds me. Keeps life in perspective. Like the job is fun, but it's, you know, this is, this is a part of me. It's not my identity and there's definitely more to it that keep me in the game longer, keep me happy, healthy, and, you know, connected with my, my wife, my kids and my community.

Aaron Crow (01:05:29.838) A hundred percent. Yeah. I mean, the, the other thing obviously is, where, where I met Blake was, was shooting. So this evening I'm going to Staccato. They're having a meeting tonight. So kind of a meetup type thing. So, so I'm, going out there in a little bit after, after this call on Friday. So, you know, shooting and I love that you brought this up because I think so many people don't focus on this and it's really important. The irony is, is the more that you pour into yourself and do these other things outside of work. the better you show up at work, right?
The more energy you have, the more clarity you have, like all of these things that you have one physical body that you're in and the better you take care of it and take care of it doesn't mean sit on the couch and do nothing. That's not taking care of your body. Taking care of your body means moving it. It doesn't mean you gotta go run a marathon. It doesn't mean you have to ruck or do jujitsu or any crazy stuff like that. Just move your body. Like it can be just walking. It could be going and standing in the grass and grounding yourself. Like it can be really simple things that have profound impacts on how you show up in all things. Like you have more compassion for your spouse, more compassion for your kids, your coworkers. Like you have more clarity around looking at these things because you're not as groggy, you're not grumpy, like all those types of things. So find something that works for you. And again, it doesn't have to be extreme. This isn't about weight loss or having a six pack or doing extreme sports or anything like that. Happens to be what works for me. I'm just crazy like that. Sounds like Blake is too, just a little bit different. He's going to go, you know, jump boulders in Moab next week. So, he's got his own version of crazy. You know, I'll be, I'll be dodging homeless people in downtown San Francisco while I'm rucking at five o'clock in the morning. So that that'll be my extreme sport.

Blake Hoge (01:06:56.641) Yeah, yours arguably sounds more dangerous than mine.

Aaron Crow (01:07:13.454) Irony, I probably shouldn't say this, but you know, usually what I do when I go to San Francisco, cause I can't carry anything on the plane, I usually buy like a, a very legal pocket knife and I'll Amazon it to me there. I'll pick it up and I'll carry it with me just in case. And then I just throw it away at the end of the week. Right.
Cause I don't, you know, I can't get it back on the airplane cause I don't check a bag, but you know, just that little bit of thing or, I'll, I'll carry like a, you know, set of keys or something, because it's pretty crazy down there in San Francisco these days.

Blake Hoge (01:07:44.667) Yeah, I used to live, so my Tenderloin area, I think we talked about this last time, but yeah, it was, yeah, it was, it was not my cup of tea. Saw a lot of, troubling things. Do not, do not miss that area. So, you're brave for going there.

Aaron Crow (01:07:58.348) Yep. It's a gorgeous city. I love the weather. I'm, always excited to be there, but every time I get there, it's just like, man, how have they let this place get so bad?

Blake Hoge (01:08:06.239) Yeah, yeah, I agree.

Aaron Crow (01:08:09.322) Awesome, man. Well, hey, what's the call to action for folks that want to, you know, kind of check you out and or anything like that?

Blake Hoge (01:08:17.729) Yeah, mainly stay active on LinkedIn so you can look me up. Just Blake Hoge on LinkedIn. Happy to connect, happy to do one on one chat. Just get to know people share ideas. So just look me up and and happy to happy to have some more people in my network so.

Aaron Crow (01:08:33.154) Yeah, absolutely. Definitely, definitely check out Blake. Awesome dude. Come to one of our, cyber shootout events. So you'll probably see him there. you know, rocking and kicking tail on the, on the range as well. So.

Blake Hoge (01:08:44.341) Do we have another one in Austin coming up? I know you guys have one in Las Vegas, right? For, was it Black Hat or yeah.

Aaron Crow (01:08:49.346) Black Hat. Yeah, we've got one coming up for Black Hat in Vegas and then we'll have another one in the fall, October. It's another thing I'm talking about. It's Staccato today is setting dates on that, but yeah, there should be one in October, late September, early October here in Austin. So definitely reach out.
If you want to hear about how that goes and you don't want to just hear bias from me, you can reach out to Blake and he'll tell you, cause he's been to them and he's seen and had some fun at those things. So.

Blake Hoge (01:09:14.441) Yeah, super fun. Bring your wallet in case you want to buy some new goodies. But yeah, can't, can't speak highly enough. Super fun. Great way to be able to build connections and, you know, get away from the slide decks for a little bit. So highly encourage it.

Aaron Crow (01:09:27.84) Absolutely. And more that, you know, working on your mindset and getting away from things and decompressing. Like that's part of the reason why we do these types of things. You know, I had a happy hour last night that you aren't able to make, which it's fine. We'll make it. We'll have another one. But that's why we do these things, right? We're a big community and we can help each other. You never know how that person that you just met is going to help you or introduce you to somebody or, you know, maybe they're hiring, you know, kind of like what you talked about when your friend went to the separate company and then brought you in. Those connections are priceless, right? You know, our brand, our personal, you know, our integrity, who we are, like we're one big community. And the wonderful thing that I love about this community is it seems like most people are wanting to help others, right? So if you show up with integrity, people want to help you. They want to, right? If you show up and you're taking advantage of that, then yeah, nobody's going to want to help you. But if you're willing to give as much as you're willing, you're asking for, people will give you the shirt off their back. I've seen it a thousand times. So.
If you have questions, if you're looking to get into the industry or you're struggling with something, you have a question like anybody I've had on my podcast, myself, like reach out because everybody I have on here, I have them on here for a purpose. It's because not only are they capable, very smart and successful, but also the reason they've got there is because they're willing to help people because they've been helped. We've all been helped by someone along the way. Most of us, many, many people. And we have stories, I have war stories I could tell you with mentors and friends and colleagues and bosses and coworkers and all these great amazing stories of people because it's all people like all business is a people business like it doesn't matter for cyber security. You're as gender the CEO all business is a people business. So remembering that whether you need help or remember also when you get into those positions to remember the people that helped you. So when people are asking you for help you're willing to do it as well.

Blake Hoge (01:11:17.555) Yeah, I love that. I, I completely agree. And I love the community out here in Austin. I feel like there's tons of people out here, some really good people in the network. So if you guys are on the fence of moving out to Austin, highly encourage it. Definitely a great community.

Aaron Crow (01:11:32.558) You get to go to fun shooting events and happy hours and jujitsu events and all the things that we're doing out here. Sounds like, sounds like Blake needs to lead a, a cycling, a cyber event.

Blake Hoge (01:11:39.539) Yep, exactly.

Blake Hoge (01:11:45.023) Yeah, maybe I'll get that set up. Definitely, definitely be fun. Try not to get anyone hurt, but I think we can have some fun with that too.

Aaron Crow (01:11:51.234) Yeah, maybe we can get Lance Armstrong to show up.

Blake Hoge (01:11:53.899) Yeah, yeah, yeah, exactly.

Aaron Crow (01:11:55.847) All right, dude. Hey, thank you for your time. I appreciate it.
Have a great weekend, sir. Always, always a pleasure to speak.

Blake Hoge (01:12:02.495) Yeah, thanks for having me on. Appreciate it.
