Episode Transcript
[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crowe expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crowe.
Thank you for joining me at Protect It All, Chris. I'm super excited. We just got off this, this is what, Friday about a week after the event that we just had at Staccato Ranch. So obviously you were there, man, it's been, it's been, it was an amazing event for me and lots of good feedback and all that kind of stuff. So thank you so much for taking time out of your day to spend time here and kind of talk cyber and geek out. So why don't you introduce yourself, tell us who you are and what it is, your kind of background.
[00:00:47] Speaker B: Yeah. Well, first I want to say thanks for putting together that event. It was amazing.
There's not a lot of things out there like that and the chance to get to connect with a lot of the people in the industry is awesome. So I want to thank you before going on, but I'm Chris Robertson.
I am the CISO at Apogee Defense and I'm also a virtual CISO for a number of other companies across a number of sectors. And then we also, or I also help implement a lot of the solutions that Apogee deploys out to customers primarily within the SMB space. And we focus a lot on the defense industrial base. But we've got customers that span a number of other industries as well.
[00:01:33] Speaker A: So I love that that name Apogee. My son is in a group called Apogee.
Anyways, it's just a tangent, but talking on the vCISO, that's a relatively recent term.
We understand what a CISO is. Talk a little bit just real quick about what that vCISO role and why more and more industries and verticals are kind of using that instead of necessarily maybe they don't need a CISO, a full-time dedicated CISO, that kind of thing. Talk a little bit about that.
[00:02:05] Speaker B: Sure. So what has happened a lot with a lot of companies is you end up with someone who's the head of IT, head of development or something and they, they realize they have to have someone who's legally responsible as a CISO or ciso and so they just go and task someone to go, hey, you do it. And one of my buddies was like that a number of years ago he got pulled into it and I was like, well, I've been running, you know, CMMC development for a while. I'm like, I'll kind of give you some guides and help you get, you know, going. But he still had his, his normal day job, but he also all of a sudden had a lot of responsibilities as a CISO. So he was thrust into all of a sudden a lot of GRC stuff. He has to deal with the SEC, a whole bunch of things, but he didn't have the background to really move into it quickly. So he, you know, he struggled. What I think a lot of companies have realized is that instead of pushing someone who's already got a full time job in house into doing this, they go out and find someone who can come in part time and fill that role and help guide the company and build the program up to the point where they can make it a full time role. So typically as a vCISO, we've got companies that don't have a program in place at all or maybe they had someone in house doing it and their background is heavy in development or heavy in infrastructure or something and they realize that they don't have the time to sit there and go through and learn more about the intricacies of risk management, about policy development, that sort of thing. So they see value in bringing in someone from the outside as a consultant to help develop those programs and take that load off of them so that they can focus on what their typical job is.
And in part, a lot of my time is spent coaching, spent a lot of time talking to those guys and helping both train them in how to make a decision and why decisions are made and lead them through that pathway of this is how we do the analysis, this is how we structure and weight everything and we build value on both sides of the equation of a decision before we make that final decision. So the, that helps them, you know, grow into that role if that's what they're going to do later or at least understand what the information security group is going to be doing.
And so that, that's really been a driving factor, I think that need for those outside consultants bringing them in, having someone who has already been doing that type of work and can help that company get their, their feet underneath them. And like I said, a lot of times those companies will end up growing and hiring someone on full time or there's even cases where they'll bring in junior staff who will report to the vCISO and then so they start developing in house first to do a lot of the tasks that you don't need to pay someone as much to do.
[00:05:11] Speaker A: Sure.
[00:05:12] Speaker B: And so you know, they're Just being resource effective. And then from there they eventually will grow the CISO position into something else.
[00:05:21] Speaker A: Yeah, I mean that it's no different than, you know, any role. You can be the best engineer and the most, the best subject matter expert, and then what do you naturally do? You get promoted and now you're the manager, but you're not necessarily, that's not a skill set that you're great at. Right. What got you here won't get you there. You know, there are different skill sets to do depending on people managing and processes and technology. I can, I can configure firewalls and, and build code and all that kind of stuff. That does not make me a good leader. That doesn't mean you can't be a good leader. It just means that sometimes you may have to work on those skills. So having consultants and people that have that experience to help guide and coach, like you said, that could be huge. It could be that bridge to maybe this person is the person you want to be that role, but maybe they're not quite ready. You could, you can actually coach them into a place down the road where you can hand them that baton. And they now have that skill set and they're in house and they have the trust and understanding of the business and the team and all that kind of stuff. That's, that's a huge opportunity. Especially now, like you said, like the, the legal obligation for a CISO as SEC laws have changed, especially here recently, and how important that, you know, ownership and understanding of, we're accepting this risk, we're mitigating this risk and what all those things mean, because as a CISO, you're signing your, your name and the board's name down on, you know, those risks and, and taking that in house.
[00:06:41] Speaker B: Yeah, yeah. And then, you know, there's also the side where you've already got someone, they know they want to do it, they've got that title, but they still need someone to help them. They need that assistance. So while we're not taking the title of a CISO at that company, we're still coming in as advisors to help those guys navigate or just take load off of them because we, no one ever gets promoted within and fully drops the prior workload.
[00:07:07] Speaker A: Right.
[00:07:07] Speaker B: It just gets added on and all of a sudden the guy who is like, he's probably feeling comfortable in his job, I hope, and then he gets pushed this out there and all of a sudden his workload has tripled and so now he's struggling to figure out how to do it, so we, we can come in and assist with that group as well. And it, it really helps that those companies get into a better footing more quickly and avoid a lot of the roadblocks. So when I was first doing policy development, I can't tell you how many roadblocks I ran into trying to figure it out myself, sorting through issues. And it wasn't like, until I ran into so many dead ends and realized that I'd skipped, I'd missed a single sentence and you know, 20 page document that completely changed the order of how I do stuff. Like those are the things that, you know, if you haven't experienced it, you're not going to know what to look out for.
[00:08:02] Speaker A: Right.
[00:08:03] Speaker B: So, you know, taking that experience and bringing it to others is, you know, it's, it's actually really great to be able to show someone and shortcut their time of development because it, you know, you look at it and you go, well this should have taken you guys nine months to figure out. But bring it in someone that's got some more experience, we can get it done in four.
[00:08:22] Speaker A: Well, and, and there's something to be said about that, that, that it's, it's easy to look at. Well, it's really expensive to bring in somebody from outside. Like, you know, we don't have that budget or we're trying to save costs because of X, Y and Z. I mean obviously all, all boards and you know, CFOs are working on, you know, doing, doing the most they can with, you know, the least amount of, you know, revenue or output as they can. But at the same time, to your point, like maybe I do it in house and yeah, maybe I'm saving on paper upfront, I'm saving, you know, six figures, $100,000, $200,000, 3,000, whatever that number is. But if I do it wrong or it takes me 10 times the time and it's still not done to the same quality, quality that somebody that has the experience, has the processes, knows where the gotchas are, knows where the hidden bodies are going to be and, and you can navigate those things and you're not getting fined, you're not getting, you're not taking twice as long and impacts like there's, there's so many dominoes that can fall in that space with, without the experience, it's really hard. You know, I worked for a big four consultancy and that's why they, that's why you hire consultants, that's why you hire coaches, that's why, you know, little league, you get you get somebody that knows how to do it and you teach it. Like we've always hired coaches there. This is no different. And it's really just leveling up these spaces and mitigating that risk. It's not all a cyber risk. It's sometimes, it's a business process and lots, lots of those risks that you're also mitigating.
[00:09:46] Speaker B: Absolutely. And there's another side of it too, where within CMMC and with SEC stuff, if you have a breach and what you've reported you're doing is, is not what you're actually doing now, that turns into a possible criminal action.
[00:10:02] Speaker A: Right.
[00:10:02] Speaker B: So the federal government, when you're dealing with controlled, unclassified information, they're not okay with you saying that you're, you're a superstar in your security program and you might have written all the policy stuff, but you didn't actually go through and either complete the policy fully to meet the control, or you didn't document it, or you're not doing it. So if you just slap something in place and you put it out there and you get breached, you actually now are facing some major problems. Now if you do get breached, you know everyone's going to get breached. We can't stop that. And you come in, you get an audit and they see that, okay, well, you know, you wrote down what you're doing and you're doing it. And I may not even like what you wrote down, but if you wrote it down and you're doing that, you're at least being honest about that process.
So there's that side of it. And I think that that's something that a lot of companies miss when they're putting together programs. And I've actually had a number of companies come to us and say, hey, we're getting audited in two weeks. Can you give us a program that scores us a perfect score?
And the answer is, I could do it one day.
[00:11:21] Speaker A: Yes and no.
[00:11:22] Speaker B: I can't do it in two weeks.
Can I do it in two months? I don't know. Where are you guys at now?
But there's a lot of companies who are pushing out there that, hey, we are rock stars. We are top of cyber security game. We're scoring a perfect score for CMMC. And then the government looks at that and goes, something doesn't smell right. And they, they send over auditors right away to go check that. And if you're caught, you're caught.
[00:11:52] Speaker A: Yeah.
[00:11:52] Speaker B: So avoiding those situations, I think is really critical. And that's where a lot of the ethics of the industry come into place where you know, if you're, if you're not ethically doing the right thing, like you probably aren't in the right role.
[00:12:04] Speaker A: Sure.
So how much, how much do you see? So briefly, we talked a little bit about OT before we started recording. Obviously I spent a lot of time in OT and these. And you talked about CMMC and how much are you seeing people that are in that virtual CISO or in a CISO role at all? Cyber leadership, you know, executives that, that really, truly understand their, their OT risk. And as more and more CISOs and executives are looking at the risk of their business and they're, they're better understanding the risks from an OT or at least they're hearing about it. How much are they, are they struggling to kind of implement changes? And from what I've seen a lot of them, I've seen them fail because they try to just take IT policies and push them into OT expecting that to work. I've seen them where they tried to start from scratch but don't get business buy in. Like there's a lot of, you know, hurdles to look at when you're looking at IT and OT. And even though the technology can be similar, those, those policies and procedures are really the difference. Right. It's people, process, the technology. The technology, you can use the same firewall in both places. But how I implement it are probably going to be a little bit different depending on the use case and the business justification.
[00:13:14] Speaker B: Yeah. So when I have talked to companies that are like very large, you know, multi billion dollar companies.
[00:13:19] Speaker A: Sure.
[00:13:20] Speaker B: And I've talked to the CISOs there, I am not 100% confident. Even those guys feel like they've got a great grasp on OT. They understand that it's got to be protected and they understand a lot of intricacies to it. But they also recognize they need someone else to help them because it's, it's outside of their wheelhouse, most likely, unless they've been dealing with a long time. When you get into like smaller defense manufacturers, for example, you get two sides, one side. No one's going to come after us. We're fine.
[00:13:50] Speaker A: Right.
[00:13:51] Speaker B: And you know, that's just crazy. So they'll go ahead and connect everything up and just hope that, well, it's an esoteric machine. It uses, you know, coding that no one's going to know, which isn't true. We all know that.
[00:14:03] Speaker A: But security by obscurity.
[00:14:05] Speaker B: Yeah. So they run that mindset and then you've got the other side that they still don't know it, but they know that they have no idea how to manage that situation. So they just disconnect everything.
[00:14:17] Speaker A: Sure.
[00:14:18] Speaker B: And their response in that situation is simple. They go, great, you need to move files, instructions to that machine to go ahead and make something.
You go to your desktop, you load it up on a drive, you bring it over there physically. That way you're at least disconnecting. Opportunities for a lot of malicious attacks. So there's no network connectivity. You're completely isolating it, except for you're transferring with USB or floppy disk, even.
I mean, even. I'll give you an example. Even a $500,000 mill that was new six years ago will have a floppy disk option. So they're still out there and they're still in use pretty regularly. But those guys recognize that they don't understand the risk. So what they do is they just disconnect it. And then they just hope that that endpoint computer is protected enough that they're not shuttling something over. And. Sure. Like, when you do that, you're probably really limiting the probability you're going to move something.
[00:15:32] Speaker A: Sure.
[00:15:33] Speaker B: But, you know, someone's really focused, like Stuxnet, you know, there's. They're going to target you, and they're going to figure out what you've got in place, and they're going to build payloads to eventually get to your equipment.
[00:15:43] Speaker A: Sure.
[00:15:44] Speaker B: And I think that that's, you know, we can't defeat that. Right. We can only try to defend against it, but we won't defeat it. But you've got that huge disconnect. So I prefer the guys who just disconnect everything and they recognize they don't have the ability versus the people who just say obscurity is going to save me.
But really the answer is they have to understand if they're going to connect it to the network and bring in someone who does understand the complexities to it. And I know your background with especially oil and gas. That's a mandatory. They can't disconnect an oil well that's, I don't know, 100 miles from the nearest person.
[00:16:24] Speaker A: Yeah.
[00:16:24] Speaker B: So, you know, that stuff makes a ton of sense.
[00:16:28] Speaker A: Well, and. And you've got to have it.
So I have a prime example of. Of both of those scenarios, but the disconnected one. Right. Obviously, Stuxnet is a great example of that. Which obviously that was, you know, whoever there was a military agency that went after that intentionally. You know, we all know the story. But. But there's there's, there's less malicious ones as well. Like I supported a nuclear power plant and the power company I worked for. And there was a vendor. I won't say if it was our place or something that he talked about, but let's just say that, you know, it was an air gap system for sure. Like the nuclear environment. Those systems are very, very well protected. They have tertiary systems and they have backups after backups after backups of, you know, how everything works. But there was an example where a crane inside the protected area, not networked to anything, somehow got malicious code on it. We found it. You know, we went through all the, the steps and they had, you know, scanners and kiosks and all that stuff. We found it, we reloaded. It was acting wonky, we reloaded from factory load, all that kind of stuff. We being, you know, the company actually did. And then 18 months later at the reload, the, the refueling. So every 18 months there's a, there's a refueling outage at the, at the plant. They also had enough more main in the same thing happened to the same crane after that. Well, what happened was the, the. The vendor that was coming in doing normal maintenance on, on the system was bringing their laptop again, going through the scans, doing all the things that we had in our program. It's not like we wrote something in a program and they weren't doing it. They have documented steps of everything they were supposed to do and they followed it to the T. But as we know with antivirus, it's a blacklist. So if it doesn't, if it doesn't find something that's in its list that it says is bad, then it's like it must be good.
And they were bringing in a malicious code and they did it twice. Two outages in a row. So that's the point is you can't protect from that. Right. If, if luckily it didn't do much harm. It was just there. It started acting a little wonky. We figured it out, it wasn't a big deal. But the point is, is just air gapping or just disconnecting doesn't remove all my risk. It just removes one attack vector. It doesn't mean there is no risk.
[00:18:42] Speaker B: Yeah, and I think that's a lot of people struggle with comprehending. I think if I just separate it, set it aside, you know, and I just create a limited interaction with it that I've covered myself, but, you know, there's still risk. And you know, now you have to do the risk analysis. Is it worth Remediating, is it worth building a better structure around it or do I take that risk and run with it? I think when you're talking about inside a nuclear plant, the equation for that risk and the risk tolerance is a lot different than it would be for a lot of other operational environments.
[00:19:15] Speaker A: Yeah.
[00:19:16] Speaker B: But if you don't know that you've got a vendor who's coming in to do that, it's hard to plan around that risk fully.
[00:19:25] Speaker A: Right.
[00:19:26] Speaker B: But that's one of the things that, you know, we in information security have to figure out and to manage that process. Right, right. And we're always, there's always a gotcha. Like, it's like, oh, you were, you're doing what?
Okay. And to be fair, there's a number of times it's, it's on me, like, I'm the guy who was in charge of that, that thought process and I didn't identify the problem or I didn't identify the opportunity. And it's like, okay, well, you're going to be a person, you're a human, and you're going to do what humans do, which is not everything we plan. Right. So they're always going to create their own version and we're not going to be able to anticipate it. And so that really falls on us. And you know, that it kind of actually leads into like, what my I've been thinking about a lot is how do we, like, build security into a business as a fundamental way and move it outside of just bolting something on place or in place to manage and remediate situations. How do we build an entire culture that thinks about cybersecurity? And I'll give you an example. I was looking at an MBA curriculum and roughly 50% of that curriculum is accounting and finance.
And then there's other stuff that you need to, to learn to manage a business, but there's nothing in there about information security, about what risk management, how to identify risk. And I think that we need to start shifting that focus a bit to get other people outside of information security to go, this is a real thing. And we can either ignore it and there's going to be a cost, or we can adopt it and we're going to save money and we turn it into something that can actually help business from the way that it prevents or even improves a situation for a company. And I'm sure you've seen where a lot of companies will go and they bolt on a security solution and all of a sudden the productivity of a user drops 20% because now they're going through too many sign ins or they've got, they have to pull up too many different disparate applications to pull up data or the list goes on and on. Right.
So I think if we as information security professionals can look at that situation and figure out how to better set it up, and that includes IT people who are going to be heavily involved in it, but trying to design that security into every daily process at a business, we can help reduce a lot of that human, like, "oops" and "I didn't realize."
And I think a lot of it is just that mindset. Like if you've got, you know, if you've got that guy who's the vendor's coming in and he's been like thinking about security because it's like a mantra that the company beats a drum. He might go, this laptop has the ability to bring in a bunch of stuff that they don't anticipate for this crane. Maybe I have to think about what I'm doing right. And it may not work, but might improve the situation.
[00:22:39] Speaker A: Exactly. Yeah. And you know, there were easy solutions around that like instead of, we call that a transient asset. So instead of that, instead of them using their laptop, we, we dedicated a machine that they would go plug in and it never left the site so there was no way it could get infected outside. And then all we had to do is get the media through and then we had multiple levels of scans and all the things. Is it 100% proof? No, but we improved it. Like we learned and we improved. Right. And that was the goal is, is really that, that security mindset of really changing and adapting to your point. You know, in these environments, especially in OT, we have a safety culture. Right. So it's, you know, a safety zero, zero impact. I don't want to have a safety incident like you see it in. You know, you go to a power plant or you go to a manufacturing facility or you know, a warehouse and there's, there's safety, you've got PPE, you know, personal protection equipment. I've got safety glasses and hearing protection and steel toe boots and all the things. We need to look at our systems in that same way.
Until now, to your point, we've been bolting on a lot of security because the system wasn't designed with security in mind. Many times the systems were designed 10, 20, 30, 40 even longer ago, years ago. And we're just trying to bolt on and they've, they've upgraded because they want to get, you know, process data out and they want to get logs and they want to get, you know, efficiencies out of the system. But by bringing that commercially off the shelf equipment into these OT spaces, we're bringing in all those inherent risks that we've been solving for 20 plus years in the IT world. And now we brought them in, but we didn't solve, we didn't, we didn't bring all the lessons learned from all of those things, and we just brought the technology and the coolness and we're like, oh, crap, now we have malware and all these other problems in these spaces. And it's, it's, it's not that we should not do it.
[00:24:28] Speaker B: It.
[00:24:28] Speaker A: Because there's definite benefits and we absolutely get huge efficiencies out of, out of doing these things. But to your point, like, we need to look at this holistically as a, as a risk, not just a cyber. Like, cyber has been this stepson of a word a lot of the times. In that word, it's always expensive, it's always difficult, and it's always, nobody wants to talk about it, nobody wants cyber. They just want to have, you know, a safe system. Right. So it's, we've got to get into the place where we're designing this as a risk and just cyber is another risk, just like safety and, you know, the market. Right. Those are all risks of my business.
Cyber is no better or worse. It just needs to be considered in the beginning in the designing process. Idaho National Labs calls this cyber informed engineering.
But it's, it's a bigger picture of just really looking at the big picture of the system and the health of it. And cyber is just one of the many risks that are, that are there.
[00:25:27] Speaker B: Yeah, I, I actually started thinking about cyber risk or just cyber security as akin to accounting 150 years ago.
[00:25:37] Speaker A: Right.
[00:25:37] Speaker B: So could you run a business without anyone in accounting? Absolutely.
[00:25:41] Speaker A: Yeah.
[00:25:42] Speaker B: Now, would you be able to identify every product that was a loss leader versus products that were generating most of profit? Maybe not. Like, you might have some intuitive feeling, but you could still run it. Would you catch the guy who's embezzling?
Maybe like when he shows up in a super nice car and you're like, well, that's weird, I don't pay you that much.
[00:26:03] Speaker A: Right.
[00:26:03] Speaker B: But otherwise, you may not catch them. I think cyber's kind of getting to that point where, yeah, you can go without it, but if you go with it, you might identify a lot of, like, costs that occur in the case that you guys are talking or you're talking about with that crane.
[00:26:18] Speaker A: Yep.
[00:26:18] Speaker B: There was a cost to sit down, format that, that operational software or that controller, set it up again, you know, that was a cost that you guys identified. Acting wonky, you know, let's just say put a number on. Let's just call that cost 15 grand. Well, that's 15 grand that was lost due to an incident really, that, you know, if the program was designed, knowing what could have happened, which you couldn't have predicted everything. But that's a cost savings for the next time. So I think if we look at information security programs as more of like a core function like accounting, we can start seeing that if we do consideration for it, we can start identifying ways to reduce costs. We can identify problems ahead of time before they get out of control.
To me, there's a. The analogy is great and maybe it's just the way I think, but I think we're, you know, if we, if we separate it by a century, that seems similar to me.
[00:27:18] Speaker A: Right? Yeah. And the whole, the whole ROI, Right. Is. Is. You're right. Like again, accounting, you don't necessarily think about accounting as a way that you, you're more profitable. Right. But. But you are finding efficiencies. I don't know about you, but I've walked into organizations and they've got five different antivirus solutions and they've got five different patching solutions and five different. Of whatever solutions because different organizations are using different things and they implement them differently. And, and it's just like, wait, timeout. If we had one, not only would it be more efficient, but it would be cheaper because we'd get cost, you know, economies of scale and licensing and negotiations and all that type of stuff. Instead we have one that's sitting over there not being used at all. We've got three that are over there only partially used. And the one that we use the most, if we just deployed it across everything, it would be half the cost of what we're currently spending. But nobody knows it because it's not getting bubbled up. We've got shadow IT. Like there's all of these problems and having that understanding of that system beyond just the cyber aspect. But you can make it more efficient. You can understand.
You know, the other side of the cyber thing is that sometimes you, you know, the cyber nerd, and you just wants to lock it down to the most secure version, but that doesn't make it work for business. Like there's a happy medium in there where you can't just, you know, lock the door and not Give people the key. They have to be able to get in, and it can't be. So they can't need a blood test and a urine sample and, you know, a retina scan and, you know, to go to the bathroom, like. Like, you have to. You have to make the controls and the mitigations aligned to the process and the environment and the cost of it as well.
[00:29:04] Speaker B: Yeah. I mean, if you think about it, I don't. I imagine you did this too, Aaron. But many times in my career, whenever someone shut down some access I had, I. I'm like, well, I can't do my job as well, so I'm gonna go around it.
[00:29:20] Speaker A: Sure.
[00:29:20] Speaker B: And being technical enough, I could just move sideways through the system and go back to what I was doing. And at one company, I had a whole group underneath me, and I didn't want to teach them how to do it too.
So they would come to me like, hey, Chris, I need to access so-and-so. And I'm like, all right, cool. And I'd go and do it and then pull. Just let them sit at my computer to access whatever they were trying to access. And that's the thing. If you make it too hard, people are going to find a way around it. Now, whether that be, you know, one time we had a rogue Wi-Fi in our office, and I remember the director of IT came up to me and he was like, hey, is that yours? Are you trying to get around the firewall? And I'm like, no, man.
I could do that other ways, but I'm like, I wouldn't be throwing up Wi-Fi because Wi-Fi was fully banned in the environment. But someone actually put up a Wi-Fi antenna, plugged it into our network, and then was also using a cellular connection to bypass the firewall when they didn't want to access local network resources.
So somewhat sophisticated person, sure, but people are going to get around everything, right? And the more we try to tie their hands, the more likely they are to avoid it, to not do it. And the business is just going to get upset. So next time you want to go to the business, you're like, hey, great, guys, we got this new thing that's going to protect whatever. And you go, let me put some more stuff on. The things that you already hate and you're not doing, you're gonna get a lot of resistance. Whereas if you come in with them, you're like, let's. Let's look at your processes. Let's look at how you guys function. Let's see how the current Systems are working for you, and if they're causing you too much of a problem and it's a risk that you guys don't accept, now, we can change what we're doing, and we can put something in place that makes sense for you guys. But like you said, the security nerds inside of us are just like, dude, we got to block everything, shut it down. And I would.
It's not even just security nerds. I think maybe it's even an IT mentality, because I remember decades ago, I'd have guys come in working for me, and they'd start shutting everything down. I'm like, dude, don't do that. We're going to get a revolt amongst that group of people. Because, yeah, going out to the Internet and those things is making them less efficient, but they got a hard job, and it gives them a break between their tough phone calls. I'm like. And the owners of the business accept this, and it's a risk they're willing to take. We, as IT people, have to support that decision because it's not our decision.
And it's tough for a lot of ideological people to accept that sort of thinking where, like, dude, man, what if they do? Like, you know what? We have to trust the people are going to make decent decisions. And we also have to recognize that, yeah, they might do something bad. So we got to protect the environment over here.
[00:32:27] Speaker A: Sure.
[00:32:28] Speaker B: Keep it, you know, isolated as much as we can. Limit whatever damage they get into on their own because the business accepts that. We'll let that be. But we will. We'll protect as much as we can from the consequences of what they're doing.
[00:32:41] Speaker A: Right. Yeah. I mean, that's a.
[00:32:45] Speaker B: That's just common sense. Right. Like, but I mean, that's a tough thing that I think when I talk to a lot of other CISOs and just people at different organizations, you know, that's a.
They. They're coming from, like, the policeman point standpoint of, like, here's the law. We put it together, and the business doesn't understand. And I think when the business starts getting pushback, then there's a lot of animosity and people are starting to butt heads. And now you've got a breakdown of the entire operational program, and you got to avoid that at all costs, I think, because once you get to that point, it doesn't matter how good your security it is. Like, no one's going to agree to it.
[00:33:31] Speaker A: Yeah.
Yeah. In a lot of my world, I see that, and I've seen it in so many organizations and it's the mentality of the tail wagging the dog. Right. So IT is not the reason the business exists. You are we as IT professionals, as OT professionals and cybersecurity professionals, we are there to support the business.
Not, we don't drive it, we don't dictate it. Like we are, we are absolutely a support organization to support the main thing that they do because what we do does not make them money. Unless you're in a cybersecurity company. And you know that that's a different conversation. We're not talking about those like we're talking about, you know, companies that are making widgets that are selling things that are, you know, OT or IT, whatever those things are, a financial company, a bank, whatever. Your IT organization is not the reason you exist. And so many times I see these power and I don't think they're doing it maliciously many times, sometimes they probably are, but many times they're, they're trying to do what they think is right. So they're really passionate about it. Like they know that this is best practice and you should never allow these things. But what they have, what you have to remember is in these roles is you are supporting the business. If you make it so complicated that they can't do their job, one of two things is going to happen. Either they're not, we're not going to be able to create the widgets and we're going to lose market share and we're going to close shop and then you're not going to have a job anyways. Or they're going to go around you and then when, when you walk in their office, they're going to be like, get out. We're not using you. I don't trust you. You don't understand my business. I don't like you go away. And I've been on both sides of that coin as the person they told to leave and the person that told somebody to leave.
[00:35:15] Speaker B: Yeah, yeah. And that happens. Like you said, it's way too often. And I think it's to be fair, a lot of businesses have zero tolerance.
[00:35:27] Speaker A: Sure.
[00:35:27] Speaker B: Like don't you touch anything we do. I don't want you to get involved at all. And so I'm not going to put the blame fully on us as security professionals. But you know, it's a two sided thing. You know, we're often responsible for, you know, starting those situations. But people that don't realize that there's a need and driver for it, you know, they're going to run into a lot of problems on the other side.
We can't exist without that business functioning.
And I've tried to think about and try to implement programs where we come in and we. I'm sure you've walked into a number of situations where you watch someone doing something and you go, well, this seems messed up. Like, I'll give you an example. I was going into healthcare company that's a customer of mine and I ended up having to sit outside for much longer because first I showed up early, then their meeting ran long. So I was watching and I could hear someone. They were booking a series of appointments and I could see the person behind the desk and she had to keep scanning her fingerprint over and over and over. And it took about five minutes per appointment to book. And this person was booking I was like five or seven appointments or something. But they, I, it took almost a half an hour. Right. At a half an hour I finally went in, but I was like, that's messed up. Like whatever's going on there. And later I went back to the receptionist and I was like, I told the, the person I was meeting with about it and I'm like, matter of fact, you go chat with them about what was happening and they go, they accepted the situation. Like, oh, it's just, just how it works. And I'm like, it shouldn't take you five minutes to schedule someone's appointment. Like I saw you scanning too often, authenticating, you're looking up some sort of calendar stuff. She was checking schedules and different applications.
I was like, now maybe someone already evaluated goes, this person's pay isn't enough to justify improving that system.
[00:37:42] Speaker A: Sure.
[00:37:42] Speaker B: Which is unfortunate, but I think we have an opportunity at businesses to add extra value. Where we go, we just see this stuff and the business unit may not know better where they look at and they're like, oh, you think we could improve that for a minimal adjustment or minimal cost and minimal investment. Yeah. Now all of a sudden we even saved that business, you know, I don't know, let's say 10% of their labor just by removing a lot of roadblocks from maybe it's legacy programs that were had bolt on security that just weren't functioning well, or maybe just a poorly designed system to begin with. Whatever it is, I think we've got opportunities to see it, interact with it and then help businesses improve that process.
[00:38:29] Speaker A: Yeah, it's. We're all on the same team. Like, yeah, we all have the same jersey on. Like whether you're in IT, you're in the business, whatever. Like we're on the same team, right? And Neil and I talk about this a lot and we do business at the speed of trust, right? The sooner, the faster that you as the IT professional, the cybersecurity professional, whatever, the sooner you can get the business to trust you, the more likely they are to, you know, to work with you. Right? And when one of the superpowers that I have in this OT space is because I've worked in OT and I've worked in IT, I kind of understand both sides of the coin. I've worked in the power plant, I've worked at, you know, the manufacturing facility, I've worn the steel toe boots, I've worked during outages, you know, and I've also been in the data center, you know, doing server upgrades and all the policies and all the things that go on that stuff. Right.
And the superpower that I have is being able to kind of translate those two worlds and come to a realization, help the business understand the concerns and the risks from the technology and the IT side as well as translate to the IT side, the concerns of the business and why they're hesitant to lock things down. Something as simple as like, I've had IT, you know, say, well, you can't use this model of switch that you guys have been using that then your manufacturer gave you. We only use this model of switch and that's fine as long as it works with the manufacturer. And the other piece to this is, hey, but you can only go through our support. Okay, well, okay, so the question is this thing fails at 7 o'clock in the morning on a Sunday. Are you answering your phone?
Are you going to come out and replace the switch? Do I have a spare that I can do? Well, you have a spare, but you, you won't be able to get the configuration.
So this doesn't work. Like you can't just lock it down and say, well this is mine. You can't log into my switch because it's my switch. That's fine if you're going to be there at 7 o'clock in the morning on a Sunday. And if you're not, then you can't do that. Like you can't have both. Like you have to release some control and some trust to me and, and the business. If you want us to go, follow your, your path. Otherwise that's when you get shadow IT, that's when you get kicked out of meetings and they're saying, don't come to my site.
[00:40:51] Speaker B: Yeah, absolutely. And then like kind of going on that, that subject line. I think my superpower comes from. I've, you know, I've been in IT, managed IT departments. Then I got, yep, I got, did marketing as well. So I started getting into the more business side and generating revenue for the company. And then I, you know, I actually ran a sales group as well as doing IT just because we were a small business. So we're wearing multiple hats, but getting exposure to running purchasing, running planning, running all these different departments. Now when I'm in security, like there's, I'm like, okay, well how's this going to impact the accounting group, the purchasing group, the planning group, production? Like, what are we going to do? How do we make sure those guys are not like going, oh man, security.
These guys are killing us. And it's funny, we. I've been hired at multiple companies to come in as a secondary opinion behind an existing vCISO.
[00:41:50] Speaker A: Sure.
[00:41:50] Speaker B: Or a consultant. And they come in and I'll see stuff. And I see ultra conservative thinking where companies are being told they got to spend millions on solutions where there's an alternative path that is wildly cheaper.
And I'm like, you guys could do that. Sure.
Or you could implement one of three other options with varying degrees of costs, but they're all cheaper, they're all going to meet the requirements for the program and they're going to work better for your employees. You're not going to have someone who's going to be upset, you're not going to have the alert fatigue or you're not going to have someone who's having to scan too often to meet something. I think just that diverse experience that we all have, we have to utilize that and bring that into our daily lives, within our jobs. To go, I'm not just the security guy and the technician. I know, I'm the guy who's been over there and done that. So let me think, how's that guy gonna respond? We have to deal with that. I hate saying it, but we have to be empathetic about those other people. And how do we make sure that we're empathetic to them doing their job, making sure that we're helping them meet their goals while also protecting their future job and the company itself. So it's a, it's a wider role than just going, let me just protect and lock everything down.
[00:43:16] Speaker A: Well, you know, we think about this in products. There's a reason why Apple is so, so, you know, prevalent. And everyone has one. Right. It's that user experience. We think about that when we're using a platform, when we're looking at a software package that use that UX, that user experience is super important.
You have to expand that beyond just the product itself. Like so if we have a system of tools in our environment, it's more than just the technician that's logging into the interface. It's also the end to end of the process. And we need to consider that as part of that user experience as the person on the ground that's having to actually do stuff. If I'm having them to your point, if they have to scan something and it takes them five minutes to do a task that used to take 30 seconds, that's a cost. There's a frustration cost, there's an actual hours and time and resources and there's, there's an exponential cost to that. So all of these things need to be, need to be weighed. And this is where truly understanding. And sometimes, you know, when I'm brought into to do an assessment on things, obviously I look at the cyber, you know, yeah, you've got a missing firewall rule here, or you know, the obvious things. You've got Windows XP plugged directly in the Internet. You're gonna die. You know all the stuff that happens. But a lot of times it's simple stuff. It's like you've made this process way more difficult than it needs to be. Like if you just remove this out or disconnect this or turn off RDP, then you don't have to worry about patching it. Like, yeah, it's Windows XP. We're not going to rip it out. It's sitting there, it's been there for 20 years. Just put a crunchy bubble around it and let it do its thing, monitor it, pay attention to it. Don't let anybody plug a USB stick into it. Don't let it connect to the Internet. But as long as you do those things, it's going to continue to run into perpetuity. Like it's just going to do its job. And sometimes that's enough that reduces my risk enough where I'm accept, I'm comfortable accepting that risk.
[00:45:09] Speaker B: Yeah. And I think that's where. Have you ever heard the adage that human beings are terrible at understanding statistics and risk? Yeah, like we, we don't really know what 1 in 15 chances we like. You know, we can't. We could do the math and look at a calculator, but what does that mean? So I think when we do this risk analysis for businesses, it's kind of the same we talk about it when we start throwing dollars on it, that helps people take that percentage and turn it into something that's a little more tangible.
And we go, you get that XP machine and the probability that it's going to happen based on the new crunchy wrapper we put around it is 2%. While the cost of it going down is, you know, this amount of dollars, the cost of we don't put that crunchy bubble on it and it gets infected and then it becomes an, an entry point into our wider network.
[00:46:05] Speaker A: Right.
[00:46:06] Speaker B: And the havoc that can be caused is this. Now people can understand it, but when we just put statistics around stuff, people, you know, they're, they can't process what that really means functionally. They just see, they just see numbers and they're like, well, you know, 1 in 15, 1 in 21's a little worse. But when you throw numbers on it, you know, people start to get it and understand it a little bit better. And I think that's where, you know, making that shift from the probability of something occurring, the likelihood of damage, you know, the resulting implications, remediation, that's where we can just boil it down and make it really simple for that group. And I think that's, you know, that's a key part of our jobs. Right. That's what we end up talking a lot with our customers is how do I put this in dollars and cents for you to go, oh, okay, I get it. You know, one of the harder things I have to talk about people is reputation. Sure, that's a harder thing to put out there. You know, personally, it's easier to talk to someone about reputation, but when you start talking about a business, it becomes a little more nebulous. Sure.
So that's one where I think that I still have to do some journey on figuring out how to like communicate reputation, risk and cost to people. But I think it's also something that, you know, we often overlook.
[00:47:27] Speaker A: Right, yeah. You know, and we, we briefly talked before about, you know, the, the difference in digital and cyber security for a person and, and take a look at a celebrity, you know, name, name a person, Taylor Swift or whomever that may be. They're more than just themselves as a person. Like they are a brand, an entity, almost a corporation. And many times they probably have a corporation that's linked to that. Right. But you know, if you attack Taylor Swift or somebody like that, it's more than just her as a person. Right. Obviously she is a person. She's a human being just like you. And I. But she also is this brand and there's this business that's attached to it. So her reputation directly impacts her ability to sell records and sell out concerts and sell T shirts and all the things that she does and all of people of that, of that caliber do.
So a business is no different. Like, if I'm. If I'm a mom and pop shop selling water or whatever the heck that I'm selling, my brand is that thing, that entity that if I get attacked and somebody steals, you know, my, my information or, you know, I had a, A thing I went to the other day and I took a friend as a guest and, you know, there was a fraudulent charge on their card. And so they reached out to me, like, hey, do you know anything about. Obviously it wasn't me. It was, you know, that. The place that we were at. But again, I was, I took them as a guest and I'm like, no, let me reach out. Well, apparently it was just a, you know, somebody got their information and. But still, the fact that they went to this place and then there was a fraudulent charge at that place, it didn't leave a good taste in their mouth. Like, they, they were very hesitant to go back there and trust that they could buy something without something, you know, somebody stealing something. Now, again, they figured it out, but that's. It doesn't matter. It doesn't always matter if it's true. My perception of something is going to impact it. Especially now with social media and all that, it's very easy for something to spiral out of control before you can get access. Say, whoa, timeout. That's not what happened. Here's the truth.
[00:49:30] Speaker B: Absolutely. Yeah. And I think that, you know, the more that people, you know, realize that and accept it and, like, you know, the better we'll be.
You know, celebrities realize that, right?
[00:49:42] Speaker A: Yeah.
[00:49:42] Speaker B: But everyone else doesn't see that, because celebrities can probably point to someone else who had the reputation tarnished, and then that person disappeared from the celebrity world.
But I think businesses don't see that as often.
I mean, Wells Fargo is kind of the case where they've been majorly hit multiple times.
And more than likely people. A lot of people don't know.
So I hear people talk about Wells Fargo specifically, like, oh, man, those guys done a lot of stuff they've gotten a lot of trouble for. And I'm like, I bet less than like, 5% of their customers left because of that.
[00:50:24] Speaker A: Right.
[00:50:25] Speaker B: So there's that, I guess, mega corporation mindset where maybe they don't have to, but I think that.
[00:50:32] Speaker A: Too big to fail.
[00:50:33] Speaker B: Yeah, I don't think that's a sustainable posture.
[00:50:39] Speaker A: No, not long term, especially not today, as, as things are, as technology levels the playing field of a lot of these things. You know, back in the day, the Wells Fargos of the world, you know, they, you had to be that big entity to be able to compete and now you just don't like. Yes, obviously I'm not saying I can compete with Wells Fargo on the banking platform, but there's a lot of newbies that are out there. I mean, you, there's, there's a lot of banking that has been kind of turned on its head and technology is only going to make it even more so. And that's going to be the truth in all things. I mean, again, back in the day you had to be on the news channel to, you know, really get your voice out there. As we know now there's, there's influencers and podcasters that have way more reach than any of the broadcast networks, any of the newspapers, any of that type of stuff. And I'm not saying it's good, bad or indifferent, it just is what it is. Like technology has changed the way we do things and you can either adapt or you can not, and that, and see how that, that works out for you. But I mean, again, you know, Joe Rogan, for instance, has more listeners that listen to his podcast like him or not that there's, there's millions more people that listen to his podcast and listen to the most popular CNN, MSNBC, anything else. And he's not even a news guy, but it's just, he gets more, more listens and more eyes than anyone in the world. And, and so that power is important. At the same time, it's very easy that Joe's reputation could get tarnished by any number of things and that could impact his ability to do that. So all of these things are tied together. We have to look at these risks holistically and understand what the risks are. And to your point, we suck at judging their risk and saying what.
And my experience is especially in those spaces where they do have OT and the CISO or the executive leadership team doesn't have an OT experience, they don't really understand the thing that they're creating. So if you work at a power company and the CISO didn't come from the power industry and they're a, you know, they're a consultant or anything like that, yes, they understand the cyber side of things, but they may not understand the business side of things, and that can impact you. That doesn't mean you can't do a good job. It just means that you need to let your ego down and make sure you have somebody sitting at the table that understands that business risk so that when you're. When you're accepting the risk, you can look at that person, say, do I understand what I'm accepting here?
And really make sure you understand the business process side of it as well. Like, that's. Again, it goes back to, we're all in the same team. We need to be looking at this holistically from a. We all want this to win, and I don't have to be the one that comes up with the answer. I just want us to get to an answer collectively and then we go forward.
[00:53:16] Speaker B: Yep, absolutely. And I think that's, you know, that's where we're all struggling to get to. Right. We're going to work our way to that point and make sure that we, or at least we. Hopefully we make sure we get to that understanding, that agreement. And now it's just making, you know, spreading that message out there and, you know, talking to people and making them understand the opportunities and the risks that are involved so that they can go, oh, makes sense. I think most of us are reasonable, right. And we're going to look at a situation. We're going to go, okay, I'm going to go ahead and, you know, hear what you're saying, and maybe I'll make some adjustments and how we're functioning to take something into account. They may not buy into everything, but at least if we get a better adoption rate, at least to some degree, you know, that's an improvement. That's all we can do. 100 just keep improving.
[00:54:04] Speaker A: Yep. Constant improvement. And that's the other piece to this, and I think we mentioned it earlier, but there is no goal line. You're never done. Like, it's like going to the gym. Like, you can't go once and say, I'm done. Like, I worked out in 1982. I don't have to do that again.
Unfortunately, that's not the way it works. We got to keep doing it if we want to continue to improve or you're going to go the opposite direction, which I know that firsthand. So with all that to say, you know, I kind of lead with it or end with this question, and I did prep you a little bit, but next five to 10 years, what's something, you know, maybe come up over the horizon that's exciting that you see, and maybe something Something that could be concerning.
[00:54:44] Speaker B: Well, you know, thinking about that, I, it's kind of, there's kind of constant improvement, but within security. So I was having a conversation with a big company about a different role and they were talking about AI security development and they were, they were telling me they're running about 18 months ahead of what's publicly known from their security development perspective. And it was pretty interesting what they were doing. Then if I flip to the other side about the bad actors, they're running with similar tools, maybe not the same researchers, but they're creative and they've got access to boatloads of data. So now they're implementing AI in their attacks and they're getting through places we've never seen before. They're discovering tons of zero day on the, you know, the defensive side. You know, we're trying to build the same sort of AI protective system and it's just, it's a war. Right. So I think we, I'm sure tons of people have talked about it and I don't think that there's ever going to be a winner. So from a functional standpoint for people within security, you know, we're going to have people's jobs change, but they're still going to be there. They might dramatically shift. They might have a lot less work in analyzing events, but there might be a lot more work in another area that we're not seeing. So I think there's going to be a lot of upheaval. But overall we're not going to see a big shift in our labor. Just our labor is going to be reapplied to other areas. And you know, it's, it's a double edged sword. Right. Like we're going to have a lot, I think we're going to go through a lot of like bad dark events where someone got the, the better of a critical system and took advantage of it and hurt us. Whether it be a state actor or just someone out for a buck or just script kiddies. Right. Like you'd have found something amazing. So we've got that side. So I think we're gonna, we're gonna suffer more things like that. 
And then on the defensive side, on the defensive side, we're gonna get better. But it's just an arms race, right?
[00:56:59] Speaker A: Sure.
[00:56:59] Speaker B: So as we know from like the Cold War, there's no winner in the arms race except for the people making the arms.
[00:57:08] Speaker A: Right.
[00:57:08] Speaker B: Those are the only winners and everyone else is just gonna suffer through that. So as us, as professionals in that environment, you know, we're just going to be going along for the ride and you know, on one hand it's exciting to see what we can develop and create and how we're going to completely retool our infrastructures to accommodate tons of new AI agent based security and processes.
But I think that there's too much unknown to really predict what it's going to be. Other than massive upheaval in our daily programs. I don't think that the wider businesses are going to have a big impact from the security standpoint.
I do think that we're going to have a lot of that on the back end and how we're managing it and how we're processing stuff.
So, you know, you and I are in for a wild time. The rest of the company is just going to be along for the ride.
[00:58:07] Speaker A: That's right.
[00:58:08] Speaker B: Dealing with negative times. But you know, that's why we're there. We're to limit those negative times to make them maybe a bump instead of a tsunami.
[00:58:17] Speaker A: Right? Yeah. That limit. Limit the exposure and the overall impact of the, of the bump, Right?
[00:58:24] Speaker B: Yep. Yeah, absolutely.
[00:58:27] Speaker A: So call to action. How do people get a hold of you, reach out to you, what you got going on coming up in the future, all that kind of good stuff.
[00:58:35] Speaker B: Yeah. So, you know, you're welcome to look at me on LinkedIn. You can reach me at Christopher S. Robertson on there. You can go to Apogee's website, apogeedefense.com. I'd love to talk to people about what they're experiencing. You know, I like to mentor people and coach them on different things. So certainly I'm always looking forward to doing that. And you know, those are the, probably the best ways to reach me, you know, find me on either one. You can find my email on both of those. So please reach out, let's have a discussion. Because there's nothing more I like than just to talk to people and learn from their experiences. So you can see I've been having a lot of lighting issues. We, I put a sensor in place to tell me when there's movement outside and it's, it's going nuts. So apologies for the crazy.
[00:59:27] Speaker A: It's like, like I said, it's a Taylor Swift show. You're like, all lights are going all over the place. That's awesome.
[00:59:31] Speaker B: I know, I know. At least it's not changing colors. That would be even worse.
[00:59:35] Speaker A: That's right.
Well, hey, man, I really appreciate the time today and the, and the, the conversation. I appreciate you being at the event the other day. It Was a. It was a blast. I'm looking forward to more. To more conversations over guns and bourbon and all the things. Because, you know, what better way to. To get to know somebody than, you know, to do more out of the traditional, you know, Danish and coffee thing that we, we see so many times.
[01:00:01] Speaker B: Absolutely. You know, and there's a side of that where you put us in those situations and you learn people that you can trust. Like, you watch how we're all interacting. You're like, okay. You know, that person, like, recognizes their weaknesses.
[01:00:15] Speaker A: Sure.
[01:00:15] Speaker B: Which I highly value. And people are like, look, I'm not great at this. I like that.
[01:00:20] Speaker A: Yeah.
[01:00:20] Speaker B: I like when someone stands up and goes, hey, I need a little help here.
[01:00:24] Speaker A: Right.
[01:00:24] Speaker B: And those situations, like that event, you know, highlights when people are honest and, you know, I like that I want to be around more people like that rather than someone who's like, I got this. I got it all. I'm great. And that's when you have to go, okay, and maybe they do. Maybe they're a superstar. We'll figure that out. But, you know, at least we can see that pretty rapidly when we've got a bunch of guns around and we're enjoying ourselves.
[01:00:52] Speaker A: Well, you know, the important, the. The intention. Desire with. With that is. Is to put people in uncomfortable situations. Not unsafe, just situations where they're not great. Right. And we have, you know, range officers and safety people and everything there is, is say like, even in, you know, when we did the helicopter, you're strapped in, but it's still an uncomfortable. There were plenty of people there that were. Had never flown in a helicopter. They weren't, they were scared of heights. And I, I know at least two people that did it. And like, they were super excited that they did. They were terr time. But when they got down, they're like, that was the coolest thing I've ever done. Right. And it's getting out of that comfort zone and being willing to admit I'm not comfortable and I'm not good at this. I'll need help, but I'm. I'm willing to go forth with it. Right. Those are the type of people you want in your corner instead of one that's like, oh, I've done this a thousand times. This is nothing, and I'm the best. And then they show up and you're like, you're not very good at this. What do you mean?
[01:01:44] Speaker B: Yeah, yeah. And just speaking about those range officers, I shared with you a conversation I had there. So I was doing like a pull from conceal type shot. And after I shot a magazine, one of the range officers said, hey, so just be careful with that. And I'm like. And then he walked away. And I was like, wait, wait, did I do something that was concerning? Did I do anything that you were uncomfortable with? And then someone else was doing it. And he. He's like, no, I just don't know you.
[01:02:21] Speaker A: Right.
[01:02:22] Speaker B: And so because I don't know you, I don't know your proficiency. I don't know. He's like, you didn't. Everything I saw was. Was exactly right. I just don't know you. And like, that's. That's the perfect response.
[01:02:36] Speaker A: Sure.
[01:02:37] Speaker B: It's better to be cautious and go, hey, be careful, be aware, than someone who's just like, oh, I assume this person knows what they're doing. I'd rather have someone come out and say something to me than not. Because that way we're both on the same page. We can have a conversation about it. And I was like, whoa, did I do something that was slightly questionable? And he was just like, no, I just didn't.
I don't know.
So I love that. And so, you know, the event was incredibly safe. I think anyone from someone who's never shot would be completely fine there.
Probably super exciting. Like, there were people out there who'd never shot some of the types of firearms or shooting, and they did amazing. They learned a lot. So it was awesome. Then we got guys that were, you know, wildly experienced and did amazingly well.
[01:03:36] Speaker A: So, yeah, and everybody had a fun time. Like, the person that won the shotgun competition had never shot a shotgun before that day, which is just awesome to see. And probably the reason that they were is because they were willing to say, I've never done this before. And they were able to take direction and they had no bad habits and all those types of things. And they were. It went really well for them. Right. As opposed to somebody that maybe has done it more, doesn't ask for help, doesn't ask for guidance, thinks they've got it in the bag. And then when the new guy that's never shot before outshoots them, they're like, how did that happen? I'm better than them. Well, you. You were better. You were better when you started, but they quickly surpassed you.
[01:04:15] Speaker B: I have to throw lodge a complaint against that. So one of the guys that was like, I've never shot before, and he won my entire group, so he got. I forgot his name. The. Who was. Who was the shotgun expert?
[01:04:31] Speaker A: Jay.
[01:04:31] Speaker B: The former. Yeah, no, no, the guy who'd won Olympic medals.
[01:04:36] Speaker A: Oh, yeah. I can't remember the guy's name, but, yeah, I know what you're talking about.
[01:04:40] Speaker B: Like, probably one of the most decorated shotgun guys out there. Maybe, if not by far the most.
[01:04:46] Speaker A: Sure.
[01:04:47] Speaker B: Anyway, he's like, who needs help? And I'm like, well, I could definitely use some guidance on how to be a better shotgun shooter, because it's not a big thing in my wheelhouse. The guy next to me is like, I've never shot. I'm like, like, well, I'm not going to steal the time from that guy, because he for sure needs it. Like, I'll be safe. I may not have a high hit rate. And then he won. He did amazingly well. And I was like, I would. I actually wanted some guidance and, like, some pointers.
I'm like, I mean, he needed it more than I did, but shoot, I missed an opportunity.
[01:05:26] Speaker A: But it just goes to show how when you're willing to learn and you're willing to put your ego aside and you're willing to listen, that doesn't mean that everybody's going to go out in the first time, win the competition. That's not the point. But the point is, is you can grow really fast. Your ego is the death. Right. As soon as you put that ego up and think, I shouldn't ask, I can't ask. You know, it's the old adage of, you know, men don't ask for directions. They just drive around endlessly until they figure it out. Like, that's the stupidest thing in the world. Like, stop. Ask for directions. Like, it doesn't make you less of a man or a woman to do that. Right. It's just, put your ego down, raise your hand and say, I don't know what I'm doing. Help people more. My experience is people are more than willing to help you exp. Especially here in the South. But people in general want to be good people. They want to help people. But if you don't ask, they're not going to just butt in and say, hey, buddy, do you know what you're doing?
[01:06:17] Speaker B: Yeah. And I think that, you know, probably society suffers from more ego problems than anything else. If we could just learn to set aside our ego. And I'm certainly guilty of not putting it aside every time.
[01:06:31] Speaker A: We all know that.
[01:06:33] Speaker B: And we. We look back and we're like, oh, dude, I. I could have dealt with that situation better if I just set aside my ego.
[01:06:39] Speaker A: Yep.
[01:06:39] Speaker B: You know, and, you know, that's one great thing, is when we're able to like recognize it and be self aware, set it aside, you know, things get so much better.
[01:06:48] Speaker A: Oh yeah, 100%. It's amazing. It's amazing how quickly we can learn when we're willing to actually put our ego down and do it.
[01:06:56] Speaker B: So yeah.
[01:06:57] Speaker A: Well, awesome, man. Hey, thank you so much again. This was awesome. I enjoy the conversation and I'm sure we'll be in contact many times in the future.
[01:07:05] Speaker B: Yeah, absolutely, Aaron. Well, I appreciate your time and I love talking to you. So I'm looking forward to another event and seeing you out if I stick and I.
[01:07:14] Speaker A: Thanks a lot. Have a good one. Thanks for joining us on Protect it all where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.