[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
Morning. Good afternoon. Thank you for joining the podcast. James, thank you for being here. I know it's afternoon for you, it's morning for me here in Texas, in the States. So why don't you introduce yourself, tell us who you are and a little bit about the company that you work for as well.
[00:00:33] Speaker B: Lovely. Well, Aaron, thank you for having me. It's a pleasure to be here as well and seeing a podcast with all this proper podcast tech is new to me. We definitely need to step our game up a little bit, but yes. So I'm James Morris. I work for a company called NDK Cyber. So for the last ten or 15 years or so, we've been doing cybersecurity recruitment as a market. That's our bread and butter. That's what we're focused on. And we've been lucky enough for that to take us around the world. So my accent, you can probably tell just outside London, we're UK.
About five years ago, we started working more US-centric roles, and then that sort of trampolined us into places like Australia, Singapore, Israel, and so on and so forth. And cybersecurity, like I said, has always been our bread and butter there. And then more recently, in the last two years or so, this real transition seems to be happening where we're going from.
We'd like a cybersecurity engineer with a bit of OT security experience. That'd be nice. And now we're seeing the more OT security engineer in their own right coming through, build out of separate teams. The companies in that space have risen. So it's a real transition we spot at the moment and an area we're doing an increasing amount of work in. So, yeah, to be talking to you today, I'm excited to get into it.
[00:01:46] Speaker A: Well, that's exciting to hear coming from my background as long as I've been in this industry, and the conversations, both from an asset owner wearing the hard hats and being the asset owner, trying to get people and trying to justify resources, to working at a big four consulting firm and bringing resources and always trying to justify that budget, it's good to see that people are starting to get it. They're starting to want to hire those dedicated OT resources. So why don't you talk a little bit about what does that look like in a world.
How many are they looking for? Are they building out teams? You mentioned some folks are building out teams. Are these big companies, small companies, a little bit of everything?
[00:02:26] Speaker B: Yeah, it's across the board, which is the newer thing, I think. I think we've always had energy and utilities seem to be a little bit further down the line, a bit more further ahead. Maybe that's driven through budget, through funding, through regulation. So they've always had those teams there. But now we're seeing your big brands in the space pop up, your vendors or your service providers and also your asset owners as well, bringing in their own dedicated teams. And they could be engineers, they could be architects, but also people with really niche specific skills in red teaming, OT, blue teaming, really specific, down to the wire, no pun intended when it comes to those skills. So that's a real big transition we're seeing as well. But then also you're having your more civil engineering type organizations building out their own dedicated practices and saying, you know what, let's not maybe get another third party in to do our OT security side of things. Let's develop a practice internally where we can do that. And then I think there's also the more traditional names in the cybersecurity space of consulting and consulting services are saying, look, we offer MDR, we offer incident response, red teaming, we're getting some requests coming through for the OT set of things. Our clients are asking for these OT security expertise. Why don't we offer that as well? So I think it's really good because it's creating a bit of competition in that space, but also raising awareness whilst doing so, shining more of a light on things. Even this podcast now we're doing here, this is sort of hopefully bringing more attention to the space, which is then maybe helping some of the challenges you touched on just a moment ago with when it comes to getting the budget or the buy in to secure headcount. This sort of thing, in my view anyway, certainly helps bring light to that, if you like.
[00:04:03] Speaker A: Yeah. The more that we see every week, it seems like there's a new attack.
We've been used to seeing it in the IT space, on the commercial side, on your web servers and your Exchange servers or whatever. But now we're seeing more and more and more spaces being hit on the OT side in wastewater and manufacturing and rail and all these different places. And from Colonial Pipeline to the recent one in Philadelphia or Pennsylvania where the wastewater was hit, it's just more and more. One of the things I've always said with OT, we talk OT cyber and cybersecurity, and that's a really niche thing and red teaming and all that kind of stuff. But it really also comes back to having an understanding. A lot of the incidents aren't necessarily China hacking an environment. It's not some nation state that's going after it. Sometimes it's just a misconfiguration. Sometimes it's, you know, somebody put in the wrong configuration because he's not skilled to know networking and firewalls and routers and how all this stuff ties together. So a lot of those roles, and I've seen, I was on a call with a client yesterday, and they're like, yeah, we're hiring an OT architect because before, we've been using our IT people to try to architect these OT things, and they don't really understand the OT side of things. And we use these not OT people, but engineers and control systems people that are also really good. But again, there's this gray area in the middle that nobody really owns or understands. And so they've seen struggles with it. And I've seen that for 15 plus years of, you need somebody in that middle space that kind of understands a little bit on the IT side and a little bit on the OT side and can kind of bridge that gap in the middle to bring it together because it's similar technologies, but it's different skill sets. So a lot of the attacks that we see, a lot of the misconfigurations, a lot of the architectures that we see are that way because nobody that knew the right things was standing there saying, yeah, that's not the best way to do that.
Why don't we do it this way? Because if we do it this way, then you don't get this, this and this. Right.
[00:06:13] Speaker B: Exactly. That seems to be a topic of conversation in almost everybody we speak to in their organization. And it's natural growing pains. Right. We're going through maturity here. It's not like there is one blueprint that fits absolutely everybody. You must do it this way. But I think I was going to ask you this. From your point of view, is this all better housed under the CISO, for example? We see a few organizations bringing that in. Or is it more with the plant guys and girls? Or is there a need for maybe a new division of both of, call it, I don't know, the cyber OT excellence center in organizations to bridge that gap. I'm not too sure where that sits.
[00:06:50] Speaker A: I've seen it in a lot of different ways. I've seen it be completely operational, where it's the plant or the manufacturing facility or whatever. So it's an operational focus really on the OT side. When I started at the power utility, that's where we were. We lived in the business. So I stood up this organization. My boss was the director over this organization. We reported up through operations, but we had kind of a dotted line over to the IT side, the CISO. So we were kind of getting some direction from them, but we reported up to the business. And somewhere along the way, towards the end, before I left, we actually moved over to the business side. So we moved directly underneath the CISO. And I think we lost some things when we did that. And I don't necessarily think it was because we reported to them. I think it was because we got outside of the business. I think that was one of the things that helped us the most. So that being said, as long, I think, as there's still that dotted line one way or the other, I think it's important to remember.
It's like the tail wagging the dog, right? It's the IT organization that thinks their justification is the reason for the business, but the business is the reason that IT exists. Like if the plant doesn't run, there's no reason to have an OT person or an IT person or any of the technology that we're talking about, because we're not making money, we're not doing those things. The business crumbles, right. So we've got to remember that business focus, and that works for anything. It's IT, OT, whatever, right. It's really that focus. But when we were in the business, I was directly part of control system upgrades and talking with plant owners and plant managers, and they were my customers. So when I moved over to the IT side, the IT CISO was my customer, where I wasn't listening necessarily to the business. Not that I wasn't listening, but my direct response had to be from the business side.
I saw that as a struggle. So I think it's a delicate balance to understand and put it right, but to make sure you have the right seat at the table and you remember who your customers are.
[00:08:51] Speaker B: Yeah. It seems sometimes that maybe this is more anecdotal than. I haven't got the hard data in front of me, but it seems like IT is the favorite child. Sometimes enterprise is the favorite child. They get all the toys, all the budgets, all the gizmos, and then OT is sometimes changing, but sometimes it's left as an afterthought or struggles to get that buy-in for budget and things. Whereas it's strange because like you say, without the manufacturing plant in this scenario or the power plant in the energy space, there wouldn't be need for that.
Where does that come from? I don't know.
[00:09:25] Speaker A: Yeah, it's crazy. It's an afterthought. OT is like 20 years behind where IT is. Going back to exactly the scenario I was just talking about, right, is I had a team and we supported 40 different power plants across the state of Texas, and I had a team of six, and that was a mixture of. And then we had a few consultants, but for the most part it was a very small team and we supported everything from at the site down. So the tech stack, the entire tech stack. So that was VMware and switching and routing and firewalls and the servers and everything in between, we supported all of that. Whereas my counterparts on the IT side, they had a dedicated networking team with ten people, and a dedicated firewall team, and a dedicated server team, and a dedicated applications team, and a dedicated Splunk team, and they had hundreds of people supporting, and they were specialized, they were specialized firewall people and they were specialized networking people. Whereas my team, again, I had a very small team and we had to do it all. So we had to be a mile wide and an inch deep. There's no way we could be experts in all of those things. We had to be good enough to support it. But there's no way that I'm going to have the maturity in a firewall manufacturer or any of those technologies as a dedicated team because I'm doing 15 other things during the day.
I see that a lot in OT is you've got multi skilled people, they're very intelligent, they're very capable. But I take the control system engineer whose job is to make sure the plant is running. And I also say, hey, you can speak IP, you understand what a switch is. So now you're also the OT guy, but you just tack on those requirements to the end of his job description. But the primary job is to make sure the plant is running. So when it comes to patching or maintaining or upkeep or any of that type of stuff, if it's not directly impacting the plant running, it gets dropped to the list. Not because he doesn't want to do it, not because he doesn't think it's not valuable, it's just because there's only so many hours in a day and he's got basically two jobs. And the main job is to keep the plant running right so the other things just kind of end up falling off the plate because there's just not enough days in the hour, hours in the day to get it all done.
[00:11:45] Speaker B: And it seems a little backwards because those two roles you mentioned there, okay, you might look on the outside and say two roles, but they're two really critical roles. It's not like one isn't like maybe it's okay, they need to happen, not just because we might get breached and lose some money, but you take that into high speed rail or something and there's the serious consequences if that breach happens and it goes seriously. And so there's a few schools of thought out there that we've spoken to people around in terms of getting that budget and getting that buy-in, maybe from CISO or board or wherever it might be, and some sort of believe in more trying to put value on it. Some believe in a more fear, uncertainty, doubt type approach, maybe a combination of the two. I know you guys run a calculator, don't you, on sort of impact and such. So I don't know if you've, have you seen any sort of particularly effective ways of getting that budget and buy-in?
[00:12:38] Speaker A: You know, it's hard, you know, again, coming from the consulting world, there was a lot of the FUD, right? Fear, uncertainty and doubt, right? The sky's falling, China's going to attack. You get a lot of my counterpart or another competitor or somebody else was hit. The things that are in the news, I've seen things where incidents happen and that causes a response. You get a board that's really anxious about it. Obviously, power utility is more advanced than others, at least in the States, because of regulation, because they have to be, there's regulation that there's huge fines and penalties if you don't at least meet this baseline. So I think there's a carrot and stick opportunity there. And I have a lot of conversations and I go to Congress and talk with senators and congressmen and legislators and have these types of conversations of what's the right process? Because I don't think it's just beat people over the head with a stick and fine everybody because that's not a good incentive because then you do just enough to not get hit. Right?
On the flip side, there's also the carrot you look at incentivizing. Like if you reward entities for doing the right thing, but then on the flip side, then they don't have to. Yeah, I can do that because I want to. But if they don't have a forward thinking leader or they're scraping by and they're barely keeping the lights on or whatever the scenario may be. It's hard. So just like I talked about, with which side of the business do I report to? It's always kind of a delicate balance, but I really think it's around speaking the language and being able to translate it. And I think it's a lot of things that you see in cyber products, a lot. And salespeople in general, they try to do whatever they think is going to move the bunny, the FUD, or whatever they think is going to scare somebody into buying something. But I think the bigger way to do this is to translate into business risk. Because a CEO, a CFO, the board, they don't really care about the cyber tools, they don't care about the widgets, they don't care about the blinky lights as much as they care about how do I translate this into ROI? How do I translate this into reducing my risk? What is the risk of my business? What is this going to mean if these scenarios happen?
What I think happens a lot of the time is those risks are either ballooned up, they're made to be bigger than they actually are, or they're not clearly identified and they're swept under the rug because they don't understand the true risk that they're at. Because I think most people and most entities don't want to just have these blaring risks out there to their business. I think the reason they're there is because they didn't really understand how risky they were, or somebody thought that they weren't a problem or were just ignorant to it for whatever reason, because it wasn't communicated, chain of command, whatever that may look like. But there's just a lot of unknowns out there. I think if people were more aware of what they had and what those risks really were, and I'm not talking about how you've got Windows XP. So what? What does that like? Is it a risk to my business or not? Because just having XP in an OT environment is not a risk necessarily. Sometimes it's more risky to patch an update than it is to leave it like it is. But knowing that and having a really good understanding of that, and that comes back to where you talked about, where we really kicked this off with, is having the right skill set people, those OT architects, those dedicated OT people that know that, because that control system engineer doesn't realize how bad it is to have a hub instead of a switch and what the implications of that are. Right. I'm being very generalistic. Right? Obviously, many of them do, but some may not or they may not understand how risky it is to have a firewall be configured in a certain way or have multiple things on a single domain or any number of risks and vulnerabilities that you may have, because that's not their skill set. It's not their expertise. So bringing in the right people to be able to say, oh, wait, by the way, I've seen that over here. That's a really big problem.
And if we do it that way, these are the risks that we're inheriting, we're bringing into our business. And you don't want those risks. We can do it over here. It doesn't add complexity, it just makes it more secure or better, more reliable. Take the secure word out. Just make it more reliable.
[00:17:04] Speaker B: Yeah, absolutely. I think from what we gather and everybody we speak to and we speak to people all day in this world, and that seems to be the general sort of school of thought. And then there's sort of an argument for, well, okay, the board have asked me how likely we're going to be attacked, which is a really difficult question to answer.
How do you put a figure on that? How do you quantify that? But then it's a case of going, okay, well, let's make ourselves less of a target, less of an easy target. And then if we are, let's control as much as we can is the message that we seem to be getting on a daily basis which seems to go in the right direction. Correct me if I am wrong there, by all means.
[00:17:37] Speaker A: Well, and the other problem with that is what happens if you don't. So did I waste my money if we don't get attacked? And did we not get attacked because of the work that we did? If we hadn't done anything, would we have gotten attacked?
It's a no-win conversation to have. It's almost like, I use this analogy a lot. You buy a brand new car, right? They tell you to change your oil every x number of miles, depending on the car. Depends on the number of miles. But it used to be every 3000 miles back in the older cars, right? You're supposed to change your oil every 3000 miles. What if you never did? There's probably somebody running around that never changed their oil and drove to 100,000 miles and like, well, you all are idiots because I've never changed my oil and it's perfectly fine, and they're fine until it breaks. Right? It's like, well, it's never happened to me. So you guys are morons until it breaks and then your motor is shot and you've got to replace the whole car or you scrap the car or whatever the thing is. It's like you haven't been attacked yet. It's not a matter of if, it's a matter of when. Given a long enough period of time, it's going to happen. And again, that doesn't necessarily mean it's a nation state coming in, because I hear that a lot as well. It's like, well, we're just a small XYZ manufacturing company. Why would anybody want to attack us? It's not about that. It's about opportunity. It's because your device showed up on Shodan. It's because somebody just happened to be around and drive by and see that you had a Wi-Fi that was open and they could get onto. It's really because of boredom sometimes.
And a lot of these are ransomware, right? They don't care who you are. If they can get on, they're going to put ransomware on it because more than likely you or the insurance is going to pay and they don't really care who you are. They're not trying to go after necessarily 3M or big companies or GM. They're just going after whoever they can get onto because it's just a matter of it's available.
[00:19:36] Speaker B: Yeah, I think that's it, isn't it? It's just sort of a copy and paste ransomware as a service, however you want to sort of package it up or term it. It's no longer the super bad guys in the hoodies in the dark rooms and the Anonymous masks, or maybe not Anonymous. That's the wrong people to use. But you know what I mean. It's no longer the supervillains maybe that have availability for this sort of stuff. But I think generally speaking, that the buy-in seems to be getting there. The industries that were maybe a little bit behind seem to be sort of catching up and slowly getting there. Which I guess then brings us on to the next problem of. Okay, cool, we've got buy-in. Go ahead, Aaron, hire a load of people. Right, great. Now we've got a bit of a skill shortage element to this as well. But I think from my point of view anyway, and you might have a completely different take on this, but we could learn a lot of lessons, I think, that we've learned from IT in general or cybersecurity over the last, certainly since I've been doing it, last ten years or so, those transferable skills, the cyber skill shortage. And I believe, yes, there is a bit of a shortage for the very specific roles that you need the experience for. But I think there's a lot of roles out there that we can take from maybe other skill sets that maybe we don't need a cybersecurity analyst of five years' experience in a dedicated SOC to be able to take from in the OT world. We might be able to look at that person who has unfortunately been lumbered with. You've got to keep the plant running, and you've got to do the security on the way. We've given you a SANS certification. Fantastic. That person there, although they're not called a cybersecurity architect, I bet you they're doing a fair amount of that job to be able to then transfer into.
That's my sort of school of thought on this, of, like, we don't necessarily need this person to be called a cybersecurity architect in the OT space to move over.
[00:21:20] Speaker A: Yeah, I agree.
I've stood up multiple teams. I did it at a big four. I did it at a small. Not small, but power utility as an asset owner. And when I did that the first time, there was no such thing as OT. Like, it was a term that didn't even exist when we started this, right? So nobody had that skill set. So it's not like I could go try to find somebody because they didn't exist. I didn't even have that title. I was an IT person. And yes, I'd worked in OT, and I'd done this stuff, but again, that term didn't exist yet.
The first two people I hired were IT people, and they'd never been in OT. One of them came from a law firm, and another one came from, like, a publishing company. And it was just their skill set that I was looking for. It was troubleshooting, it was networking, it was coding, things like that, firewalls, that kind of thing. I taught them that. So they came on, they started at the company, they went through orientation, and then they showed up at a power plant. I gave them a hard hat and steel toe boots, and they were there for six months working power plant outages with me. Right. And at the end of that, they were OT people. They weren't when they started, they'd never seen a power plant before, but at the end of it, they had that. And then later on, as I expanded my team, I grabbed one of the control system engineer guys, the guy that had been at the company for 30 years. He'd always been at a power plant. He'd always been an operator, and he knew every way about the plant and had a lot of different roles in the different environments. So he brought that intrinsic OT knowledge, again, not OT cybersecurity, but actually how the systems work, why they work, what are they doing? Why are they doing it? Why is it done this way? Right. He brought that in, and it was a great, just different perspective to be in the room.
I was kind of that middleman. I had a little bit of the OT knowledge and the IT knowledge as well. The people I hired were basically IT people and zero OT knowledge. And then he was zero IT knowledge and all OT knowledge. Right. So having that mix in the room, when we're talking about how we're going to approach a problem or we're going to implement a solution, or we're looking for solutions to architect, and we're looking at vendors that are coming in, he was able to ask questions that the other guys weren't able to. They didn't ever think to ask these questions of a vendor that's coming in, right. Because they're the blinky lights, you know, Palo Alto or firewalls or Splunk or whatever. And he's like, yeah, but how do you do that here? And he would ask unique questions.
I see the skills gap is true. Some people say there's not. I can't imagine how you could even possibly say there's not a skills gap. I see it every single day. And some of that is not because of lack of knowledge. Some of that, like I already said, is because this person, me or you or whomever it is, maybe they have the knowledge or the capability, but they don't have the freedom to do it because they have all these other tasks on their plate. If you took that person out of the role they're in and put them in a dedicated OT role where they didn't have the other things to worry about, then they'd be really great at the job. But you've got to give them the opportunity.
In fact, one of the plants actually hired a local OT person to be on site and actually help. And this was early on. This was 2010, something like that. And they hired him specifically to be the OT engineer. Right? Handle the firewall stuff, all the technology stuff, all that kind of stuff. Well, because he had all the OT knowledge as well, they naturally started giving him normal control system stuff to work on. So then all of the other tasks started falling off his plate because he was focused on keeping the plant running. Because they needed an extra person, they weren't able to hire somebody, so they started putting new things on his plate. Because he was smart, he could do it, he was very capable. But because they were putting these non-OT-cyber-focused things on his plate, the other things were falling off the plate. Right. So it really goes down to, it's not just about skills, it's about hiring people, but also giving them that barrier and protection, not to stop them because you don't want them to do things, but really to protect them so they can focus on the things that you want them focusing on. It's like you take your car to the mechanic, your air conditioner is broken, you don't want him changing your tires. Like, okay, focus. Fix the air conditioner first. That's what I want you to do first. Like the other things we'll talk about later, but get that going first.
[00:26:04] Speaker B: Yeah, I think that's a really good point. In fairness, the point you made there about hiring the team, and if you're blessed with the budget to hire a team and you have multiple headcount, bringing people from both sides of the coin in, I think that could be a really good point for people to take on and not go like, okay, I need to hire four OT cybersecurity engineers here. Why don't I hire two and two or three and one or something like that? Because then, two years down the line, you've got a team that completely understands both parts of both sides of the coin, and then the next organization or wherever they go next, they'll have that. So the industry benefits from that as a whole. And it makes hiring easier because you don't have to focus on hiring five years' OT cybersecurity experience, for example.
[00:26:46] Speaker A: Well, and there's just not enough of them out there that have the experience that you're looking for. I'm a unicorn, and the reason I'm a unicorn is because I'm the one that's been sitting in both seats. And OT hasn't been around that long. Not enough people have been hiring it. Not enough companies have had. So there's a very small group of people that have the experience that you're looking for. So know that going in. And unless you're willing to pay huge amounts of money to pull them out of someplace they're at, because most of those people are not struggling to find a job. So they probably already have a job. So if you're going to get them to leave a job they're already in, you're going to have to make it worth their while. Right? So another way to do that, instead of hiring me, is to hire, again, hire somebody on the left side and somebody on the right side, knowing that he's going to be weak in these things. And he's going to be weak in these things. But they're yin and yang. They're strong where the other is weak and they're going to naturally be able to, hey, as they're working together, as they're looking over each other's shoulder, they're naturally going to get better at all of those things. Does that mean that the OT guy is going to be an expert firewall person? No, you don't need him to be, but he'll get better at it and he'll ask the right questions. And you don't need him to be that skill set. You need him to ask the questions of the guy that is the firewall guy. So that the firewall guy doesn't make assumptions in the OT space that are going to break stuff. That's the perfect balance. It's not even necessarily hiring. It's also just putting the right people at the table, bringing those control system people in, bringing the IT firewall team in, bringing the compliance, whoever those groups are, putting them at the table and letting them have those conversations.
But the problem that I've seen in a lot of these spaces is OT is understaffed, as always. Control system people, the plant folks, are just understaffed and they don't have time to dedicate to any of this. So they just do it. They trust their vendors. They look at their vendor and they say, hey, they're going to take care of it. And they don't really ask questions.
So they end up paying more. Sometimes they end up getting solutions that are not right for what they need. And they don't know what questions to ask because they don't trust the IT people. Mainly because they haven't built that relationship.
One of my mentors a long time ago told me all business is the people business. So those relationships and building those connections and doing tabletops and breaking bread, going to the plant, taking them donuts, like building those relationships, building that trust both ways. You need to trust the plants and the environments, the OT side needs to trust the IT side and vice versa. And that only starts with people. It's not the technology, it's not the organization, it's not the title that's going to get the trust. It's the people. It's me and you. Me, Aaron and James, having a conversation over a beer and us building some kind of relationship that I know James, and if I have a question, I know I can call him, because I know him. I know you. I have a relationship with you. We've talked, we've connected. We built something beyond just, we both work for the same company and I've sent you an email before. Right.
[00:29:52] Speaker B: No, I think you're bang on there. We're all people. We're all human beings at the end of the day. And I think maybe the whole COVID thing opened that up a little bit more, maybe it closed it a little bit down a bit more. But I think we're all much more interconnected now. There's no longer sort of the huge barriers there once was. But, yeah, you're right. We speak to people, probably one person a week, that they're on either side of the house, the OT side or the enterprise side, IT side, and they've never met anybody on the other side of the house. They communicate to their boss, who then shunts it over. And they communicate and they point it out. They say, look, we know it's disjointed, but it's no one's real responsibility to get that sort of cohesiveness happening. So it sort of just lands where it does. So perhaps we could work on that a little bit going forward. I don't know.
Go on. Sorry.
[00:30:41] Speaker A: No, I was just going to say, I mean, do field trips? Take your IT people, take them to the plants, take them to the manufacturing environments, put them in the day of the life. Like if you're doing a big project on the OT side, bring in your IT people. They're going to have skill sets that you can use. Even if they're not touching anything, just put them in a room with the vendors and help you ask questions. When you're looking at the configuration and the vendor is saying, you need to do it this way, have your IT people in the room with that expertise to be able to say, yeah, that's not the best way to do this. There's another way. Why can't we do it? At least just ask questions again? That doesn't mean you're giving them architecture. It doesn't mean they're controlling everything, but they have this knowledge that you don't use it and vice versa. Like, the IT side shouldn't just be designing things in a bubble thinking they can push it down into OT and expect it to work. But if you start building those relationships and just inviting each other to the party. You're going to start building this trust and this understanding because we're both playing for the same team, we both have the same goal, right?
We're not opposition.
We have the same jersey on. You're offense and I'm defense. We've got to remember we're on the same team. We just happen to be on different sides of the ball for whatever reason, but we're on the same team. We both want to win the championship.
[00:31:56] Speaker B: It's exactly it. And I think for me it's one of these things where it's not super time consuming really in the grand scheme of things. It's certainly not that expensive to do. So it's one of those sort of quick wins, low hanging fruit that you could maybe tackle first of all and then look at the bigger picture after that. But I think you mentioned there on the transferable skill side of things and bringing people in, I think that's a fantastic way to do it. But I think just throwing my two pence in is if you're going to do that, I think you need to have that open mind to begin with.
Years ago we worked for an ecommerce company. They had an application security team and they said, look, we'll happily hire a more C# developer style position to come in here. And the truth of the matter is, I don't think they were fully bought into having a non security person in the team. So this hiring process went on for a few months and then by the end of that process it got to the point where there were projects that were critical that we said, look, we can't now take a transferable skills style person. We need a more experienced person in the seat. So there was a good three month period there where there was sort of back and forth and budgets, chains and chops and things like that, which they do. But I think if you're going to do that sort of thing, genuinely have that open mindedness to bringing in somebody who has maybe a security mindset but just not the experience just yet would be my thought on that world.
[00:33:11] Speaker A: Yeah, I agree 100%. And a lot of this is just being open to doing this because again, it's not like we're chunking, creating OT people a day a minute.
They're not just coming out of nowhere. So you're going to have to build some. Some of that may be you get an intern or somebody right out of college or something like that and you create one, but they're not going to have the experience in anything.
Or you can bring in somebody with a lot of IT experience and teach them the OT stuff like I did, put them at the plant. The first six months of your life, all you're going to do is shadow that guy and whatever he wants you to do, you do. It's got nothing to do with what you've ever done in your life before. It's not IT related, it's not cybersecurity related. But you are going to understand everything about our plant. You see this a lot of times in Undercover Boss or in a lot of these places where you roll around and you do the job of people to really understand it. We used to have this idea of a plumber. You don't become a master plumber until you work for a plumber for a certain amount of time. Like you have that apprenticeship. Right. There's a real loss in our work world where we lost this apprenticeship. Right. And we think that people should just come in with all the skills, they should be a master before they show up. But we're not willing to pay those master prices, and there's just not enough masters in the world. So if there's not enough masters available and you don't have an unlimited budget, the only other thing you can do is start building them. And that takes longer time. And you have to be okay with bringing more junior people that don't have all the experience in at an earlier rate and having that open mind to doing it a different way. But it can be very powerful if you're open to it.
[00:34:53] Speaker B: Yeah, I think so. If you get it right, it works. Even if you don't fully get it right. I think there's merit in.
If four out of five people work out, I think that's a pretty good hit rate. Absolutely. So it's not going to be perfect every time. I guess you mentioned there around, they're not coming out of nowhere, these people. There's not sort of maybe a pipeline coming through. How do we bring more people into the OT security space? In specific.
[00:35:21] Speaker A: It's the right companies looking to focus on it, which is exciting to hear that you have more and more folks that are reaching out looking for those types of roles. That's what it takes. Right. It's a supply and demand thing. Right. It's enough entities that are looking to invest in that space, invest in the talent, invest in the.
If they're not willing to spend money on the technology, then they don't need people to run the technology and design it. It's a big loop. So now that they're looking to actually focus and put time and effort there, then now we'll start seeing more and more people coming in that space. There are SANS courses, there are ways that you can get some experience and we'll start seeing more and more folks there. But there's not that many people that have ten plus years experience in OT because it just hasn't been a term that long. So you have to be willing to put your money where your mouth is right, and really focus on the people, process and technology. It's not just about a person, it's all of the things that go together to really take this thing to the next level.
[00:36:29] Speaker B: Yeah, absolutely. I think that's the whole picture. Everybody talks about that. And you mentioned there around, SANS do a course, but there's that. But there's a lot of free material out there.
There's huge communities, YouTube. Type OT security, ICS security into YouTube. There is communities and there's talks. And for me, it's one of those. If you're thinking about getting into this world, have a listen to those talks. See if you line up with some of those areas. I don't know if you come across these and feel the same or whether that's you encourage.
[00:37:02] Speaker A: I go back to when I started in IT, right? I didn't have a lot of the skills, so I went and begged, borrowed, not stole, but got switches and gear. Kind of like the lab stuff I've got in the background here. I just started playing and tinkering, and then when there was an opportunity or a program or a project, I volunteered and I'd jump on even if I was the junior guy. Like I'd go from the senior on this side of the fence, but I wanted to do that stuff. So I would take a pay cut or a demotion in title just so I could get that skill set. So, I mean, that's the reason why I did a lot of this stuff. Know, you can buy a lot of this gear on eBay for next to. It's very, very affordable, and that translates there's online ranges that you can be part of that. You don't even have to have the equipment, so you can be part of that. There's a lot of open source, and the Internet is amazing. With YouTube, it's one of the reasons why I do this podcast is because I want to expand people's understanding and give them places that they can look to.
Look at BEER-ISAC, they've got a list of podcasts that are available specifically for OT. There's a lot of us out there, right? And we all seem to have kind of, like I said before, we're all wearing the same jersey. Like we want to expand the knowledge.
I'm not out here doing this podcast just so that everybody sees my face. It's really just around getting the message out there, right. And trying to pass on the knowledge that I have as well as give people another perspective on how can we grow this thing. Because it's really important. We need to be focusing in this OT space and we're behind the ball. So let's continue to come together and realize we haven't got it all figured out and have conversations like this, because this is how you start. Oh, well, I didn't think about that or I'd never seen it from that perspective before.
[00:39:00] Speaker B: Yeah, I think massively. And I don't know how you feel about this, but I speak to a few people each week and they almost have, they're not in the OT security space or even maybe the cybersecurity space. They've got half an interest in it. But maybe that interest is something as simple as socially engineering into their mate's hotel room or something like that. It's that sort of stuff. But there seems to be this sort of illusion of cybersecurity that's really technical, isn't it? And then they go back into that sort of, you've seen Mr. Robot on very, very sort of technical, tappy tappy. And there's coding and it's all that sort of stuff. And I think that can sort of maybe paint the illusion that you have to be that way inclined. But there's all sorts of different roles in this space that don't necessarily need those hypertechnical skills.
[00:39:44] Speaker A: Absolutely. And I've got kids and anytime I pull my lap, I mean some of my job is that technical Mr. Robot type thing where there's like terminal window and coding and that kind of thing. But that's a very small part of my job and part of that's because of the world that I'm in now. But still, even back when I was hands on keyboard a lot more than I am now, it still wasn't that all the time. Sometimes it's just having conversations, sometimes it's not all C# and PowerShell and hacking and all that. Sometimes it's installing patches, sometimes it's rebooting servers, sometimes it's updating Windows, sometimes it's looking at firewall logs. It doesn't have to be one thing. And a lot of this it also goes back to, and this is a question for you as well.
I know for me, when I hired that team, I was just talking about, one of the guys that I hired was a friend of mine and has been. I was in his wedding when I was 18, and I'm not 18 anymore. So that was a long time ago.
So I've known him and he worked for me before, and I knew his skill set, and I knew he would be good for the role. But the job description that HR put up was so technical and so specific. He looked at the job description, he's like, there's no way I can do that job. And I'm like, I'm telling you, I'm the one hiring. I'm unfortunately not the one that was able to write the job description. That's the job description they came up with. But I'm telling you, you are the perfect candidate for this role. And I had to convince him to even apply. And this is coming from his friend, who would be his boss, telling him he's the right person for the job, and he still was hesitant to do it. So imagine how many job requirements and descriptions are out there that people are looking at, and they're like, well, I mean, I like all that stuff, and maybe I'm okay at some of it, but expert in this and masters of cybersecurity and bachelor's in this, and you had to have a 4.0 GPA and you have to have 20 years. It's just like nobody has all of those things, or very few people have all of those things. So the way that job descriptions, do you feel that the way that job descriptions are written many times make people not even apply, that maybe there's more people out there that do have the skill sets that would be good for the job, but they don't even think to apply or that it's out of.
[00:42:07] Speaker B: Their league 100%, thankfully. It's a sort of a slight snag that we've hit over the last ten years or so that is slowly changing. And I think the best job descriptions or adverts or whatever you want to call them out there are those. For me, it's a one pager, and it's at the top. It almost has a paragraph that reads something along the lines of, are you an OT practitioner now looking to get into cybersecurity? Have you socially engineered your way into a friend's hotel room when you've been on a bachelor party or something like that? Well, you could be right for us then. That's for the transferable skill set of things. Or I've seen even job descriptions that read along the lines of, look, we'd love for you to have this, this and this, but we know that's not always possible. What we're looking for is this. And it almost brings like a human angle to it. And so it reads really well, really smoothly. On the other end of the scale, you've got your job descriptions that list everything about the company on the first three pages, and you're sort of almost lost by the time you've got like 13 values in front of you. And then you get to the fourth page and then it's the long list of requirements and things like that. I get why they happen and I think there's a slight disconnect and it's not to put blame on anybody here, but I think what happens is the hiring manager say, will say, look, I've been asked for by four or five requirements for this role. Then that goes into the machine, and then there'll be HR will have their go and then legal, and then maybe internal talent will have their go on the job description. And out the other end, what you get is this sort of Frankenstein of what we're looking for, which is all accurate and all true and all valuable information, but it's got to be put at the right time.
And I don't blame internal talent or HR, because if you're in a company of more than 500,000 people, you've got so many of these going on, there's no way you're going to be able to sort of fine tune each of those in time to get it out with deadlines. And often it's a case of we've got approval to hire, let's get the adverts out. And it has to happen really quickly. So I think we're learning. But, yeah, from my point of view, if you're advertising and you're looking for that sort of thing and you can have that transferable skills edge, or you don't need everything on the spec, A, make that really apparent and B, put it in real human language and you'll just get more applications. There's a whole sort of metric around men applying versus women applying. I think that, don't quote me on these stats here, but I think if a woman is only likely to apply if she meets 70% of the skills on the job description, where a man is like 50% or something like that. So there's still pretty low numbers, but if we can just make it more inclusive and you take away that. Must have, must have, must have.
I think we'll see a lot more applications going in and going out and, yeah, hopefully that will help the whole machine a little bit more.
[00:44:48] Speaker A: Yeah, I remember this is kind of peeling the banana back of telling of my past. And I remember being on a job interview and I was super anxious. It was a job, it was like for, I don't remember, Microsoft or somebody. I don't remember. It was a super technical job and I was really good at it. I was really good at that thing, firewalls. I don't remember what the job was. That's not the thing that actually stands out. I remember I was anxious about it. I was super nervous. I was on this call and I'd already had two other calls, and it was like the HR conversation, which is usually just a personality type thing. And then I had an interview with the manager, which that went really well. And then they passed me to their technical person and that technical thing, I think I was like ten minutes in and they asked me a question that I had no idea the answer to, and I panicked and I hung up the phone.
[00:45:47] Speaker B: Oh, no.
[00:45:50] Speaker A: I don't know what happened. I just panicked and I hung up and they called me right back and I didn't answer it. And I just ignored them from that point on. I don't know why I did that. I'd aced the other two interviews.
It was one question that came up, and again, I have no idea what it was. This was probably 20 plus years ago, right? But it just stands out to me because that was just like a pivotal moment to me because I remember looking back and being like, why did I do that? Why did I panic? What was the worst thing that could happen if I didn't get that question right? I didn't even give them the opportunity to give me a chance because I just said I couldn't answer that question. So obviously they're not going to want me because I wasn't good enough to answer it.
And that was after I'd already gotten the first two interviews, like I was already in the door. And so it just goes to show the numbers, you said, when I'm looking at a job description, if I don't have all the things, all the boxes, all the required, you look at the requirements and it's like master's and bachelor's of this and PhD of that and these certifications, and they list, like every possible thing of their wish list, but they put it in the requirements section, not in a hey, this would be nice, but even putting it in the nice to have can be overwhelming. Like, well, I don't have any of those things, but maybe they're the right person.
[00:47:13] Speaker B: I agree. And I think in my book, if you are proactively looking for something, whether you're out of a job or you're in a job and you just want to change up, if you meet half of that job description, maybe even a third of it, the worst that's going to happen is you'll throw your hat in the ring. A lot of this stuff now is one click apply type thing. Throw your hat in the. And the worst case scenario, if it's through a company like myself, we'll give you a call anyway. Because although you might not be right for this one, there's something else. Or if it's through a company direct, they'll give you a call or an email or something and it might work. But, yeah, interviews. Going back to your hang up story, I've always said this, we prep people for interviews all day long and it's a case of they are one of the most unnatural things you can ever encounter. You're meeting either face to face or on Zoom or even the phone, you're meeting people you've never met before. You've had little to no information about them. Maybe they're going to ask you super invasive questions about your personality, your skill sets. You've got to then sort of, in your mind, go, I've got to impress it. Especially if you really want that job, you've got to impress and you get no immediate feedback, so you've got no idea how you're doing. They are so unnatural and I think there's a bit of a trend now, rightly or wrongly, to interview people just to sort of see the parameters of their technical skill set. So you might have ten questions and we're only expecting you to get five right, but if you get ten right, well, you've blown us away.
[00:48:32] Speaker A: Right.
[00:48:32] Speaker B: So you could come out the other end of that call and think, that was horrible, that was a complete mauling, but you've actually smashed it. Right.
It's so weird. And we try and coach people on that and if you don't know something, ultimately, just put your hands up and just say, I'm not too sure, don't hang up the phone and revisit later. Yeah, I mean, hang up the phone, that's one way to do it, I suppose.
Yeah, but it's a weird one.
[00:48:58] Speaker A: So what is another way that you can a find the right people. I know we've been talking a lot about this OT space from the companies looking for folks, from people that are looking to get into it. Maybe they've gotten some.
What advice are you giving folks that are really wanting to get into this OT space? And as far as helping them find the right role, maybe they don't have the experience. Maybe they have experience in other things that translate well. How do you help them as far as narrowing down what they want to do in this OT thing and what kind of roles and companies and positions they're looking for or should be?
[00:49:39] Speaker B: Yeah, I think there's a few different sort of schools of thoughts on this, and there's many ways to skin a cat, but I think ultimately what it boils down to is doing those free activities we talked about there, the YouTube, the Twitters, whatever platform you're using here, just to get sort of an inkling of what you might be passionate about. And then once you've found that out, and so whether you want to go super technical or whether you want to write policies on OT security, find out what it is that you like, and then we can talk about. Okay, cool. So we don't necessarily now need to go and book onto a master's in OT cybersecurity, but we can do other things. We can maybe go, okay, let's network with people like yourself. LinkedIn is a largely free tool. There's communities out there that you can search up people on, connect with people, and more often than not, they're going to give you that help. I've never asked for help from somebody on LinkedIn, and they've said, please leave me alone. They might have politely know, not now, but maybe next quarter or something. Sure. But there's people out there that will help, will share knowledge. They'll happily give up their time to give their guidance. And then, yeah, when it comes to applying for those vacancies, those roles out there, I think writing the resume in a way of it being quite digestible, but also highlighting the work you have done in the OT security realm and even going back to that job description piece you mentioned of, look, my opening paragraph might be, I haven't got any experience in OT cybersecurity, but what I have done is, and then it's watched all the YouTube series there is to watch on this. It's attended free training. You might spend, I don't know, as much as $500, for example, on an online training course just to better that or attending conferences.
There's so many areas and ways that you can do that and then bringing those into the forefront of this is why I think I'll be good for this role. And if that company then is genuinely open to transferable skills, then I think there's a door opening there for sure.
[00:51:23] Speaker A: That's awesome. How many of these new opportunities, when you're having customers as far as like businesses, companies coming, how many of them are being more open to writing those job descriptions better and being open to training people and not having that perfect unicorn OT cybersecurity person that has all the experience in the world versus being able to build and train people that have the desire and some of the raw skills needed just needs to be kind of honed and tuned.
[00:51:56] Speaker B: I'd say before a lot of the organizations, before we speak to them, they've sort of gone maybe a sort of direct advertising route. And then they said, look, we're not getting the people we want and then we can have that call with them. And very sort of in a human way just put it as well, you're asking for quite a lot. That Venn diagram of crossover is really small, what you're after, which is probably why that person exists, but it's got to be right for them as well. They've got to be unhappy where they are, or this has got to be really attractive or whatever it might be. So, yeah, I think a lot more organizations are now opening up to, okay, cool, we're speaking to someone like yourself, and there's others that do it. There's not just me, but have the finger on the pulse of the market and are able to say, well, what about if you just dropped one of those skills areas and we can work on that and then we can get you more people, which you more pipeline and more choice, and then the hiring solves quicker rather than sort of just waiting for that right person, which might be six months, the business is then pretty livid that you haven't got your person in your seat and so on and so forth. So I think it's definitely getting there. And I think it's getting there quicker than maybe general cybersecurity did. I'm going back 8-10 years now or so when we were asking for the unicorn or we were asking for five years cloud experience, when cloud hadn't even come out yet, and all that sort of stuff.
The classic job descriptions we used to see, and it's all for like something.
It definitely seems to be catching on quicker than in general cyber. So maybe that's a lesson we learned.
[00:53:17] Speaker A: As an industry overall, yeah. It's a common phrase that goes around in entrepreneurship. It's hire slow, fire quick. Right. So you want to take a lot of time making sure you're getting the right people. You have an understanding, and that doesn't necessarily mean a bunch of time interviewing different people, because in my experience, usually many times, the first couple of folks that you hire or you interview may be the best people available. Right.
But secondly, it's about making sure you're really clear. So part of that slowness is making sure you're clear on what you need and what you're open to. And then once you get them in there, making sure. I've had a couple of entities that have gotten rid of folks not because they weren't great at what they needed and gotten rid of isn't even not necessarily exited from the company. It was just like, this isn't the right role for you. Yes, we brought you in here for this, but you're really good at this. Let's move you over here. So that way you're showing up where you're best at. And let's find somebody else that can do this other thing that we need, because we need somebody washing the dishes. And you really want to clean the windows. Well, let's let you clean the windows and let's find somebody else to do the dishes.
[00:54:27] Speaker B: It's exactly that. Just to put a small story on it. It's a case of there's a company we work for that have a function that's very customer facing, but it's quite a technical role as well. And they have these sort of three pillars of got to be great with customers, got to have the technical know how piece, but also if they had any sort of experience in a sales capacity with billable numbers, that'd be fantastic. Now that's a pretty niche area in the middle there you're asking for. That's a really niche area, but it'd be fantastic. So what they do is they say, look, put the billable piece to aside if they're customer facing or even if they're not super customer facing, but they can have that communication, that back and forth. They're not sort of at home in a back room and hidden from society type thing. We can work with that. We can train the rest of that in there. So that's sort of just a real small example of how you can get the most out of people. And they hire quickly, relatively quickly anyway, because drawing on what you said, they know what they want and they know where their parameters are.
[00:55:23] Speaker A: Yeah. And the clarity makes all the difference in the world. Like, knowing what you're okay with and what you're not makes it easier to say, this person fits my requirements, or they don't, and, okay, move on. It's not a personal thing. It's just this is what we're looking for, and I have clarity around that. I'm not trying to find this unicorn. I'm really clear on what we need and what we can make.
That's. That makes it that much easier for everyone. Right. It's just like, hey, you're great, but this isn't the right role for you.
[00:55:50] Speaker B: Exactly. The last thing you want to do is bring somebody in and you're at that sort of 9th hour. We need someone in the chair immediately. We'll just take Steve or Sally or whoever the lesser.
Yeah, exactly. Then they start. Then three months in, you go. This isn't really working, is it? Then we start all over again and everyone's annoyed. It's a mess.
[00:56:11] Speaker A: So what are you excited about coming up in the next five to ten years? What's something that you're excited about you see coming up and maybe something you're worried about or concerned about that could be coming up over the next five to ten years?
[00:56:23] Speaker B: Wow. Excited. Definitely excited to see where the OT security space goes. I think, like I said, it's been this sort of 18 months ago, two years ago, it was sort of, oh, this is sort of growing. Wonder where this is going to go. And then the last six or so, it's all I see. Whether that's the algorithms pick me up and it's just firing me. All these relevant stories and people and news, I don't know, but, yeah, really excited to see where that goes. I'm excited for teams to hire out there. Excited for the. Like I said earlier, the civil engineering firms are getting the action now, and that creates more of an industry overall, hopefully brings more people in, raises more awareness. So that's cool.
Not excited about. I think it's sort of a double edged sword of. I think we haven't really spoken about the buzzword of AI and ML just yet, but I always think what a cool bit of technology this is fantastic for. We want it for. We use it here a little bit as well. The imagery stuff is really cool, but it's just that bit. No, that means the bad guys have got this too.
Yeah.
Not too sure how I feel about that with all the geopolitical stuff coming on at the moment as well. So we'll have to see how that pans out.
[00:57:33] Speaker A: Yeah, absolutely.
[00:57:33] Speaker B: How about yourself?
[00:57:34] Speaker A: Yeah, same thing. It's exciting to see you leading the conversation with you've got more and more folks that are reaching out, wanting those OT roles.
That's exactly what I want to see. And one of the reasons, again, I have this podcast is to get that visibility out so boards and folks understand that business risk and why there's value in this. It's not just FUD, right? It's not just fear. I'm doing this because it's going to help my business. It's going to make my business more profitable by having the people that are in there because they don't have outages, they don't have cyber incidents, they don't have misconfigurations, they're not having to undo things they've done over the last two or three years because they just did it wrong. So now they're having to go undo work they did because they didn't have the right people or understanding when they did it the first time. Right. Why do it right when you can do it twice? It is not a good motto to have, but on the backside is the fear or the uncertainty is there's so much the economy is bad with people are spending less, they're being more intentional about the money that they spend, which is not a bad thing in general. But sometimes one of the first things to go is things that they weren't doing in the first place. So maybe they were thinking about OT or maybe they were starting to budget in OT or they were starting to fund some projects in that. That's usually the first things that drop. Unfortunately, that scares me because if they were maybe dipping their toe or maybe they were putting some budget in there and they start pulling back from those places, that's when bad things can happen. It's like go back to the oil change analogy. I was changing my oil every 3000 miles. Now I'm going to push it to 5000 miles just because I'm not going to spend as much money. I'm going to try to push it closer to that limit to try to get it as far. The problem is catastrophic things can happen when you do that. So we're in a place now, globally, where there's all sorts of geopolitical things going on and economies are in a weird place and inflation and big four firms.
A lot of people in general are laying people off left and right, and it's a volatile environment right now. And like I said, this is an area that you don't want to just ignore and hope that everything will be fine. And at the end of this, when the storm clears, if you have to spend a dollar, you don't want to pull it from OT, which is, like we said in the beginning, it's where you should be focusing your money, not where you shouldn't.
[01:00:07] Speaker B: Yes, it's an odd place, the world at the moment, I think. But hopefully things level out quickly and we're all okay.
[01:00:15] Speaker A: Absolutely. All right. Anything you guys have coming up, or people, how do they reach out? Get a hold of you? Where are you all going to be? You said you guys have a podcast as well, so make sure that everybody knows that, as we do.
[01:00:27] Speaker B: Yes, we got a podcast. Are we able to chop a link?
[01:00:30] Speaker A: Absolutely.
[01:00:32] Speaker B: Yeah, we'll do that. I'm on LinkedIn. James Morris worked for a company called ndkcyber
[email protected]. If you wanted to reach out directly, always happy to help. And, yeah, never turned down an opportunity to do a bit of.
This is really. This was really fun.
[01:00:48] Speaker A: Absolutely. Thank you, James. I appreciate it. It was a great conversation. Everybody reach out to James. If you're looking to get into OT, even if you're not looking necessarily for a job, I'm sure that he can help you on some. Hey, what are things I can do if I want to get better or long term? Looking at moving or transitioning or growing in your career, it's always good to have recruiters that you're working with. They have a lot of knowledge in what companies are looking for, what skill sets are trending, and how to organize your resume and how to have conversations and interview. There's just so much value in having those. And like I said before, all business is a people business, so having connections is always a good thing. I've never been sad because I knew somebody and I had some kind of relationship with that person.
[01:01:33] Speaker B: That's awesome to hear. I might steal that for our marketing material, if that's.
[01:01:36] Speaker A: Absolutely, absolutely. All right, well, thank you, James. Have a good evening and a happy holiday, sir.
[01:01:42] Speaker B: And you, too. Thanks, Aaron. Take care. Bye bye.
[01:01:45] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.