Elevating Cybersecurity: Importance of Relationships, Mentorship, and Honest Feedback with Ken Foster

Episode 28 October 21, 2024 01:10:02
PrOTect It All

Hosted By

Aaron Crow

Show Notes

This episode delves into the world of cybersecurity with the esteemed guest, Ken Foster. With over 30 years of experience and a career that began in the Navy, Ken has comprehensive expertise in managing firewalls and antivirus systems and addressing today’s complex cybersecurity challenges.

This episode, hosted by Aaron Crow, explores the evolving cybersecurity industry, emphasizing the crucial roles of mentorship and networking. Ken and Aaron discuss the strategic importance of aligning security with business goals, the impact of leadership training and honest feedback on developing better leaders, and the necessity of balancing technical skills with effective communication.

Ken shares his insights on the dangers of over-relying on AI, the essential need for disaster preparedness and business continuity, and the importance of continuously evaluating business investments to avoid unnecessary expenses. The episode highlights the value of informal networks and mentorship in overcoming industry challenges and fostering personal growth.

Listeners will gain practical strategies and invaluable lessons to navigate the ever-changing cybersecurity landscape while ensuring their personal and professional development.

 

Key Moments:

06:59 Translate tech leadership into business risk communication.

11:51 Integrating expertise, technical skills, and communication effectively.

18:13 No disaster recovery plan; business disrupted by flood.

25:36 Building relationships and listening are crucial successes.

31:39 Simplify explanations for effective cross-team communication.

33:53 Realized technical focus limited career growth.

42:12 Networking is crucial for finding senior roles.

44:06 Produced content led to advisory board roles.

50:06 Who supports post-handover? Security can't do it alone.

57:44 Translate work into clear business value requirements.

01:04:11 Ensure clarity and continuity for cybersecurity's future.

About the guest:

Ken Foster is a cybersecurity leader with over 25 years of experience in risk management, global team development, and IT infrastructure. As Head of Global Architecture at Adient, Ken oversees global teams to align technical initiatives with business goals, driving innovation while managing risks. His career includes key roles at Fleetcor and Fiserv, where he built large-scale cybersecurity programs and led risk governance and cloud security efforts. With a strong focus on client trust and board-level advisory, Ken brings deep expertise in navigating regulatory landscapes and developing risk-based, business-aligned strategies.

Connect with Ken Foster: https://www.linkedin.com/in/kennethfoster/

 


To be a guest or suggest a guest/episode, please email us at [email protected]

 


Episode Transcript

[00:00:00] Speaker A: You're listening to PrOTect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Hey, welcome to the show, Ken. I appreciate you taking the time today, sir. Last time we saw each other, we were, we were having fun and shooting guns and talking cybersecurity. So why don't you introduce yourself, tell us who you are and a little bit about your background.

[00:00:30] Speaker B: Yeah. Good to see you, Aaron. Yeah, what a great trip out there to get to enjoy a good day of just good conversation and good day at the range.

[00:00:40] Speaker A: That's right.

[00:00:41] Speaker B: Yeah. Everybody. Ken Foster. I'm Beneso, IT leader, veteran. Started when I was in the Navy about 30 years ago now, back when we still called this information assurance, you know, working on, working on the technology systems that ran radar, weapon systems and stuff like that, and, you know, to successfully transferred that into a civilian career after the fact of just working on whatever came at us. Right back in the early days of cybersecurity, it was, hey, you're the guy who knows about these, about what's plugged into the network and these computer things. Here's this firewall, here's this antivirus. Oh, here's the new thing that came out. So, you know, I kind of grew up in the industry that way, which a lot of us that are around the same time frame, that's kind of how we started out. You know, security was new and exciting and was something that got tacked onto your resume. And, you know, that's kind of where I got into it. And it was something that I gravitated towards and felt, you know, enjoyed it. It's a new puzzle every day. And the interesting thing about it is, is 30 years later, it's still a new puzzle every day.
Unfortunately, we still suck at it, you know, from an industry standpoint because it's kind of funny because it's the, everything that's old is new again. Right. I remember giving a keynote six years ago. I was talking about the number one threat vector we were dealing with at that day, and it was ransomware. And I gave a keynote last year, and the number one threat vector we were talking about was ransomware. And I just got through reading through the IBM breach report, and ransomware is still the number one problem we're dealing with. So it's, you know, it's cyclical, but it's also one of those things. Yeah, they're figuring out new and better ways and they're improving at a faster rate a lot of times than we are on the, on the defender side. Right. Because they've got, they got more time to do it. We've got, we got a day job we got to worry about. And that gives us a, that puts us at a disadvantage.

[00:02:48] Speaker A: So, yeah, you know, and it's so true. You know, my, my career has been, I've worked in cybersecurity without ever having that title way back in the day, you know, doing network design and making sure. But, but we were locking down, you know, I was Exchange and Active Directory administrator for, you know, large companies like AT&T and, and things like that. And cyber, that term was never part of what we did, but we were locking and least privileging and making sure, you know, people weren't getting into systems they didn't have access or shouldn't have access to things like that. Right. And then we just started, you know, hey, you know how to do this. Like, this is now your job, right. And how many over my career, almost all of my progression was, was because, you know, there was a need and nobody else raised their hand and they're like, you're it.

[00:03:35] Speaker B: Well, you know, it's funny, right, because I think I've talked about this a lot. So when we started out in this industry, it was that way. You were a generalist.
You learned a lot of things. You either started out on the network or the infrastructure, maybe a database guy, sometimes a developer, although that was a lot rarer. But you still were doing some coding of some kind because you were learning scripting, you were learning all this stuff. And we were very broad, very general people. And normally it was the people who had the curiosity, the desire and the aptitude and attitude to not be afraid to jump into something new and move, move into this new realm and understand, dig into it and self motivation, self teaching and just get there. And then over time, we went, okay, well, now I need specialists, I need a firewall guy, I need a network guy, I need antivirus person, I need an Active Directory, an identity person. And we said, okay, now we need a bunch of specialists. Then the cloud came along and moved it out of our structure and put it on somebody else's infrastructure and went, oh, now we need the DevOps, DevSecOps person, who, now we need somebody who has a broader understanding. And it's kind of funny to see how the circle is coming back around to what we really want is somebody who's got a broad understanding of how everything works. And I'm not saying we don't need specialists. We need mile deep engineering wise, understand the technology, can tear it apart, rebuild it, reverse engineer it, do all those things. But from a person figuring out strategy and a person trying to figure out how to integrate security into business, I think you need to have this broader understanding of how things work, right. And I think some of the best tapped resources, talent resource pools that I don't think we're focusing on enough is pulling people from other areas of the business that are not necessarily a cyber person. I want infrastructure people. I want network people. I actually want business analysts.
I want people to understand how the business is trying to make money and how they're trying to design applications for what the customer is asking. I want to see them coming over and having an interest in that. Because this is a team sport. Everybody becomes part of the team. If you can get them interested, curious enough about the want to apply knowledge, their knowledge to how we do with security to make us in, to make it where we're putting less friction on all the other people that we're dealing with, right? Because we've got that is by nature of what we do. It breaks things and causes friction. And if we don't have a great understanding of what the business is trying to accomplish and how we're enabling that, then we're kind of doing ourselves a disservice. And we're becoming that, that group that nobody wants to talk to. And people goes, what did security do to me today? Right? Because I think there's a great opportunity for senior security leaders that have that great understanding of how the business works and can talk and can have the soft skills and the networking skills to be able to talk with those other peers. I think there's a great opportunity for you to move into that more senior it leader, business leader role inside your company. Because let's be honest, you're not just a technology leader. You are a business leader. And you need to be able to translate that into risk. You need to be able to talk to the business in a way that they understand what you're trying to do is actually an enabler for them and can make them actually move faster. Process and a set of guardrails that people can stay inside of and work actually speeds up the delivery of things that they're doing. 
And if you can help people understand how that translates into that speed, I think you have a great opportunity to grow within the company and become looked at more than just that pure technology leader really being looked at as that business leader and having that great depth of understanding and the ability to translate it from complex to not so complex is a key skill set that unfortunately, there's a lot of really smart, talented people out there that that is a skill set that they lack, because they see everything in an engineering mindset, and they see it in that these are the things you have to do, and it has to be in this order, and this is the standard or the framework that you're using says it has to be this way, and they need to be able to step outside of that and think about the problem in a way that says, okay, I need to be able to look at this in a different picture. And I think that's the great thing about the startup community today in the cybersecurity world. And you brought up a great point 25 years ago. You're talking about access control, network access control, you know, securing the network, securing the data, limiting people's access stuff. You know, Gartner was kind enough to put a marketing term around that for us called zero trust a few years ago. It's the same stuff we've been trying to accomplish for the last 25 years. We just don't do a great job at it, because, as you said, you start in a company that this problem didn't exist. This problem, we grew up with this problem, and we grew up when trying to build a company and build revenue and produce a product or produce a service, and all of a sudden the rules have been changing on us. Well, the problem is going back and applying those rules after the fact is cumbersome at best. It's cumbersome a lot of times it's costly. It reduces the time you have to produce features or to release new things.
And understanding the full scope of how a new security product or a new security problem integrates into that overarching. How do we refactor? And refactor is more than just recode, right? How do we redo processes? How do we rewrite our code? How do we redo access? How do I take unencrypted data, encrypt it, and still keep business processes running? That that is probably going to break. And it's having that great understanding of the overarching scope of how this has changed over time, and how am I going to go back and get time and effort and resources? And the real trick to that is, what is the actual business value and risk that we're trying to accomplish? Do we actually need to do all this, or can we do other things that mitigate this risk in a way that allow us to keep operating and keep going. And when we're talking about the OT world, we were having a great conversation about OT when we were out with the group at the gun range, right? Because there was a bunch of us in that a lot of times, that's old technology. You just can't do anything with it. So the best thing you can do is put up some mitigations or fences or walls, whatever you want to call it, but you want to isolate it, you want to document it, you want to understand it's there. You want to limit access control to it, put as many protections around. But you need that system to stay running in the state that it is. You need it to be resilient, and you need it to keep producing product. So you have to think about it in that mindset and go, if I can explain to whoever is asking me questions about why I did something, if I could put that story together around this was the risk. This is what we did to mitigate this risk. These are how we're monitoring and watching it, and this is what we're doing to keep our business running. 
If you can explain all that and document it and have, and have that clearly articulated, then a regulator, an auditor, a business person is going to be able to have that conversation with you, and you're going to be able to keep the business doing what it's doing. And now you're a business enabler and a partner. You're not somebody who's coming in and going, you can't do that because the book says you can't. Right? And that's, I think we got to get away from that. We got to get better at that part of it.

[00:11:21] Speaker A: Yeah, absolutely. It's such a, you hit on so many things there, right? And we see this, you know, look at medicine today. You have specialists everywhere, but who is looking at the whole body, right, and really tying those things together? Your heart and your, your, your weight and the food that you're eating and your exercise and your blood pressure and like, like you've got all these specialists, but they're looking in their domain. But you need that person that can tie and see all of the, you know, House MD, the old show that was on TV, like he could really pull all those things together and pull data from all these specialists and say, yeah, but you don't need a heart transplant. You need, you know, take some salt or whatever the thing is. Right. But, but it's, it's really being able to tie those things together. And you also hit something else there that I really want to kind of focus on is it was really easy. In a lot of my career, I was the technical guy, right? I was. I was the smartest at this, and I was the best firewall guy or the best network guy or the best whatever, right? And along in my career, I was introduced and started doing these softer skills, the communication, the presentation, the leadership stuff. Right.
I was always, I feel like a natural leader in what I did, but being able to translate that, like, to be able to have a communication or a conversation and be able to get my point across, to sell to the business, to the leadership, that was a skill I didn't have. I could sell it and I would just beat you over the head and try to show you I was smarter than you. But that didn't win friends or influence people. But when I started understanding those softer skills of, hey, wait, I'm a salesman, I'm an engineer, but I'm really a salesman because it doesn't matter how smart I am, if I can't convince you that this is a valuable thing and why it's important, then it doesn't matter because my smart idea is going to sit in the corner. It's never going to get done.

[00:13:14] Speaker B: You're 100% correct. Right. And I tell people that all the time. I said, ultimately, we're salespeople.

[00:13:19] Speaker A: Yep.

[00:13:19] Speaker B: I said, there's so much in what we're doing now, we're not necessarily selling a product.

[00:13:25] Speaker A: Sure.

[00:13:25] Speaker B: In our strategy, we're selling while we're doing what we're doing, but it's still a, it's still a sales type of job. Right. And, you know, I think one thing I like to talk to people about, too, is that soft skill development I got same thing. Right. Early on in my career, I wanted to be the smartest guy in the room. Now I want to hire the smartest guys in the room and step back and ask them the right questions. Right. And help guide them along in their career and help mentor them along. Because I realized a long time ago, no matter what I do, I can't keep up with everything that's coming out. Right. And, you know, no matter what you do, you can't read minds as long. As much as I've tried, I've still have failed at becoming a mind reader. But now it's about asking the right question and asking people, did they think about this, and did they think about this?
And it's more giving guidance to those super smart people on your team or people you're bringing in from outside and going, here's overarching what we're trying to accomplish. Here's what we have, here's what we think we're missing. Help us understand and guide us through. And let's, let's pick this apart, because getting two things to work together, not the most complicated thing, right? But now I've got five other things that are also got to work with all of those things and making sure I don't break any one of those in the path because they're all critically important and understanding that. And again, it's about that resilient design. It's security by design. It's resiliency by design. And it's a data problem. Truthfully, it's an analytic problem. Now, the latest, newest, you know, we can't do anything anymore, anything without talking about AI. But I do think that that is one of the benefits that we're going to have when we're not, and I'm not talking about public AI models. I'm talking about building you a model that uses your data. And it goes back to what I've always said about threat intelligence. Right. Threat intel intelligence is data with analytics and context.

[00:15:24] Speaker A: Sure.

[00:15:25] Speaker B: Without that, it's noise. And you're going to make a bad decision off of not having all those pieces. So AI, if you build, you take a public model, it's, it's probably going to have make some bad decisions, right? You're going to have hallucinations, it's going to have some false data in it. But if you're building specialized models, smaller models internally have your data set, you understand the bias in your data, you understand the risks that are in that data already and can put that context around what we know about our environment. It's going to be able to help you make decisions faster.
And then you want your super smart people to be the experts in their, their domain to look at the data and validate that it is correct, and then it hasn't hallucinated and it hasn't given you a false positive. And where you can trust that model and that, that help you're getting from it to be more efficient. The biggest one of the, you know, it's funny, I've been reading a lot on it, too. And I know OWASP has produced a recent top ten on AI, too. One of the things in there is over reliance on AI. So, and I think that ultimately is the thing at the beginning that people get too reliant on it. Oh, it's going to answer all these questions for us. And they're not spending enough time validating the data, so they're automatically over reliant on it, which now means they're going to miss some of the other risks that come along with it.

[00:16:47] Speaker A: Right.

[00:16:47] Speaker B: And I think we do the same thing with a lot of things. We get over reliant on a tool set. I mean, think about the CrowdStrike problem that happened a little while ago. CrowdStrike's a great tool. Don't get me wrong. It's a phenomenal endpoint. EDR, XDR, whatever the hell you want to call it, threat intel, it's got a lot of things with it. It's a great tool. But you just showed that if you are completely reliant on a single tool, that it can become, not maliciously, but it can become the thing that it produces risk in your environment. And that wasn't necessarily security risk, it was operational risk. Right. It took. We lost production time because of it, a lot of companies lost production time because of it. And now you've got to think about, how do I have, you know, that's made a lot of companies who didn't necessarily have an out of band way of communicating with people, an out of band way of getting people on site into remote areas, and it's like, oh, crap, we didn't think through this. And let's think about what just happened with Hurricane Helene in North Carolina, right?
A lot of great people up there doing a lot of incredible work and a lot of people, you know, I'm pretty close to that area. I'm only like miles out of Asheville is where I live. And we're, we're sending people up constantly and. But you look at, there's a local grocery store chain, regional grocery store chain that's headquartered in Asheville. They couldn't take credit cards and debit cards for almost two weeks. Right, Helene? Because they didn't have a backup system for their credit debit card processing, because they never thought about a natural disaster of a flood or a hurricane. In the mountains of North Carolina, their entire data center and warehouse was under like 8ft, six 8ft of water. So it took them two weeks to get a partnership worked up with somebody else to start processing credit cards on. Now, is that a once in a hopefully 500 year incident? Yeah, but it's still something you have.

[00:18:43] Speaker A: To be thinking about.

[00:18:44] Speaker B: Do we? They don't necessarily have to have a hot site, but they need to have resiliency built in. That goes, if we lost this, how would we go about getting a business partnership with somebody else to continue us to do business. And I think that's where companies get into this analysis. Paralysis when they start talking about resiliency and business continuity. DR is piece of that. Right. So some people confuse DR with that. But overarching. I want my business to be resilient. BCP and DR are part of that resiliency program. And I need to think through, okay. I don't necessarily need to spend a lot of money to have a hot, hot, but I do need to have a plan for who I'm going to call and a partnership, maybe a pre arranged negotiation. We all do it with people like Mandiant and some of these other providers out here to have an incident response plan or retainer out there. So, you know, you got to think through those problems like that and go, what if this happened? How we continue to operate?
And you got to do the same thing in your business is like what if this happens? And, you know, you don't have to plan on the moon hitting the earth, but you think about the things that are going to be kind of common to you.

[00:19:51] Speaker A: Right, but that's a great point. And you've got to have these conversations, you know, so, and it's not always a technical solution. Sometimes it's, hey, we're going to roll back and we're going to manually do, you know, pen and paper. Right. That. And a lot of times that is the answer. Right. It doesn't have to be, I need to have a hot, hot. I need to have a third data center, you know. You know, I came from OT and a lot of my career has been spent in critical infrastructure, you know, so supporting nuclear power plants, right? So they have tertiary of everything like they've got analog and then they've got, you know, triple redundant everything. But that's for obvious reasons. But then you look at like Fukushima, right? And they had everything and it was a great design and they, the 500 year thing happened and their backups of their backups of their backups because of the, of the water, got the generators, the generators stopped pumping. Now they were able to control the thing, which is the most critical part, but they still found a whole bunch of things. The great thing about the nuclear and the, and the critical infrastructure environment is every, every people are scared of nuclear because of, you know, Chernobyl and Three Mile Island and all these things, right? But every time there's been a major incident, wherever it is in the world, the whole industry learns from it and they do an after action and then they implement changes across the board. Everybody does it.

[00:21:13] Speaker B: And you're bringing up a great thing. Right. And that is a problem in our industry. Look, I lived on top of, or beside and slept beside two nuclear reactors for six and a half years of my life on ship. Right.
[00:21:27] Speaker A: When you're a librarian, right?

[00:21:28] Speaker B: Yeah, but, yeah, I mean, you, you can, you see the safety mechanisms in it and you see, you see the control and the process that they have around it. But the biggest thing you just brought up was information sharing with the energy sector talks to each other. Now there are the ISACs for the financial sector, for critical infrastructure. I've been part of those. Still not great at sharing information because there's this distrust for the government involvement in that, and people are afraid that if they share too much information, they're going to get in trouble. Sure, hold back on that. The best sharing I ever have is with the other people. I know, CISOs and CIOs and other security leaders. I know that we all have each other's cell phones and or a Slack group or, you know, or a private LinkedIn channel where we all share information there. That's probably the best. Share information sharing or the networking dinners and things like that, where we get together, nobody's recording. It's a great conversation. Everybody can be free to have that conversation. And I think that is the thing I tell everybody is there's nothing for the most part, that any of us are doing. That's super secret squirrel stuff. We're all fighting the same problems. We're all different magnitudes, different scales. We may not all be dealing with the exact same problem set, but we've probably dealt with it over our careers in some shape or fashion, or we figured out how to not have to deal with that ever again. Talking through people, helping our peers out, going, hey, if you're having this problem, think about it in this way. That mentorship and that coaching that is being provided by these networks of people that you build, that you build these relationships is probably the most important thing you can do in this industry.
And, you know, it comes, it helps you figure out a problem, it helps you when you're thinking about a product or you're thinking about a new process, you can reach out to these people and go, I'm looking at X. Has anybody dealt with it? And they're going to come back to you and go, yeah, avoid this. Avoid this. Or this is a problem we ran into. This is how we got over it. Make sure you think about this as you're thinking out of problem. I like to tell everybody about rolling out SailPoint because I've done it multiple times over my career. And it's like if you don't understand how identity is being used in your environment and all the use cases that are out there, if you automate a process and there's a bad HR process because you didn't have a conversation with HR, next thing you know you're spending a holiday weekend trying to get everything back up because HR was doing something that they do on a regular basis off an automated termination for 200 employees. Oh shit. And it's also the administrator for SailPoint that they just kicked half the administrative team for SailPoint just got terminated in the system. Now we got to go back and do all this work, right? So it's thinking through those type of problems and making sure you've got every stakeholder involved and have a scope discussion to keep from biting yourself. You know, you got to quit. The best way to say is you got to quit kicking your own ass sometimes, right? You've got to have the convert be willing to have that conversation. Let people ask you questions that and make sure that your smart people who sit in the room don't ever tell people that they think that's a dumb thing because they understand the product. The stakeholders that you're bringing in don't understand. It goes back to what we're talking about, soft skills. I need people, but also need them to understand their audience and understand. You can't tell everybody they're stupid for not knowing this because it's not their job to know this.
It's their job to know their piece of the process. Now what I need you to do, because you're super smart, is understand how their piece of the process ties into your piece of the process. Problem is, where's it going to bite me down the road. So if you can do that, then you're going to build the relationships and the partnerships with inside the business that you really need and are going to be incredibly important.

[00:25:36] Speaker A: Yeah. You know, you're hitting on the culture side, both from information sharing between within your industry and outside of it, the networking side of CISOs and how important those networking events are, but even internal to your company. And that was where I've been really successful in my career, has been pulling all of those people together again, working in OT, working in the business. You know, I'm, I used to tell my team, I'm going to get us a shirt that says I'm from IT or I'm from corporate. I'm here to help. Right. And they're, they'll never let you in the power plant. Right. They'll just kick you out and you can stay right out there with, with the, we'll let the UPS guy in. But you're not coming in. Right. But, but when you build those relationships and they, and the business understands that you're there and you're there to listen and you will hear their concerns and you're not just going to say, I'm smarter than you. You're going to do it because I said so. Like, like my father used to tell me, like, dad, why do I have to do this? Because I said so. Well, okay, that's cool. But why, like, just explain. I'm not an idiot. Explain it to me. Like, help me understand why all this stuff that I don't understand is a requirement for me to put in my process. It's going to cost me money. I'm going to have to hire people. I'm going to have to have people processing technology that I didn't need last year or for the past 40 years of my career. And now you're telling me I'm stupid because I don't have it.
Like, that's not the answer. It's not the way to win friends and influence people. Bringing everybody to the table and making this an environment, a culture that you encourage people to raise their hand and say, I don't get it, or I disagree. Right. And that's okay. And you don't want somebody to ram it down their throat because they're smarter than them. Again, I used to be that guy, and it didn't get, like, I was good at cramming a process in or a project in, but I didn't. When I, when I need to come back in six months to do something else, like, it was, it was amazing how I didn't have a warm welcome. Like, I wonder why.

[00:27:26] Speaker B: Well, it's kind of funny, right? There's a, there's a big difference between being a very smart Type A personality and being a leader. Right. And I think the leader thing is, yeah, you probably are a Type A personality, more than likely in that role, but you've also learned how to address your, your audience. And this is one thing I think, unless talking about the CISO networking events and the security networking events. Now, granted, depending on where you are in the country and we're both in places where we have pretty good access to. To them, but what you wind up with is, I think there's plenty of senior guys who go out to these things, and we all talk to each other and we all, for the most part, agree on the problem and how that we got to address these problems. We may disagree slightly on how to approach them, but that's a great part of the conversation. What we're missing from this is that next down, two down level, people come into these things, asking, being feeling comfortable enough to ask these questions and get up and have a conversation with the groups of people who've seen these problems over time and have seen a broad swath of problems. It's kind of like the State Farm commercial, right? I know a few things because I've seen a few things, and that's the thing, right? I've worked in multiple industries.
I've worked across multiple verticals. You start seeing, you see recurring themes, but you also see some unique stuff in there. But then you, like I said, then again, you scale. So one of my things is, and this is also a great retention tool for your team. I think it's a talent development tool. It also helps people. It helps people with their career. And look, I may not be able to advance them where I want them to, but if I advance them to the point where they get a better job at another company, I'm happy for them. [00:29:18] Speaker A: Sure. [00:29:20] Speaker B: I don't want to be the person doing all the presentations inside the company. I may be doing the board presentation because you have to, but if it's a team external team presentation, if it's a project presentation, if it is presenting an idea to the internal group, I designate my team to be the ones who put those together and do that presentation, because it's so, it gives them an opportunity to get in front of groups of people that they're somewhat familiar and comfortable with and starts getting them used to putting together a presentation, putting together a talking point, getting in front of a group, then you get them. Then I want them going. Any of these free conferences that I can get them to. I want them to take a half a day when a conference is in town to go out and see these and get the opportunity, because once they start getting their name out there, too, and people start realizing that they get on panels, do a panel first. Volunteer to be a speaker on a panel. Volunteer to put together a small presentation. If you're a really smart technical person and you want to go do a BSides, are that more technical? Go do an IANS and ISACA, go put together a technical presentation. 
If that's what you want to do, you know, go to some of these larger groups if you want to do a more of a strategic or some other presentation, like we talk about talent retention all the time and the job market all the time because it's a hot topic right now, we still have the problem of most of us can't keep our people because we can't get our HR company's lined up enough to not let them escape to other companies, or we just don't have the right opportunities for them, or we're doing a poor job of showing them how they can move within the company and grow. Right? [00:31:03] Speaker A: Sure. [00:31:04] Speaker B: I think that's. That's important thing is you've got to mentor and coach your people on the skills, and you got to be. You can't be mean about it, but you got to be transparent and you got to be truthful. You got to tell people where they're good, and you got to tell people where they need to work. But you can't just tell them, you suck at this. Go fix it. You got to give them pointer. You got to tell them, look, you presented this in a way that made it confusing for people. You saw a lot. You could see the reaction in the room. You saw people's faces. You lost them. You need to think about how to think through this problem. You need to dumb it down or talk it down to a point that makes sense to other groups that haven't worked with one of these products all the time. You need to make sure that you're putting out enough information that they ask you the right questions. If it's a IT team or an HR team or legal team or privacy team, they need to understand what questions they should be asking you because you need to be explaining it well enough. They understand how it's going to interact with the thing they care about. So. 
And I love to use that as a coaching method and a mentoring method for my teams because I think if you show people that you invested in them getting better at their jobs and giving them the opportunity to grow, they're going to stay with you longer. Now, you're going to lose some of them to those places that offer from 50% pay raises. There's nothing you can do about that. Right. Without having a great relationship with HR. And that takes a long time to understand the cost of not doing that. But you're building the next set of leaders who are thinking about these problems in a way that allow them to ask those critical questions and teach them to think about this problem not just from a technical standpoint, but an overarching business interaction, business risk and like I said, I use the term resiliency a lot because everything we're doing should be building resiliency and enablement for the business to keep doing what the business is doing. [00:33:05] Speaker A: You know, as you were saying, that I think back in my career, and I was very fortunate, and I worked at an asset owner, a power utility here in Texas. And again, they brought in an outside consultant, and they built this program. They called it. This outside consultant, called it Leadership Circle. And they brought, like, a hundred people in, and they said, hey, all of these people are really good on their technical field. And that was everything from, you know, electrical engineers, mechanical engineers, chemical engineers, you know, technical IT type people, networking people, whatever, and they brought them in and they put us through this thing. And it was. It was a six month program, I think the first one. And. And we. We did book reports and public speaking and all that kind of stuff. And then they kind of took the cream of the crop, and they moved us into the. The level two of that, which I made the level two, and I made the level three. I did this, like, three years in a row. 
And in the beginning, it's funny because I remember as an engineer, I'm like, I don't have time for this. How's this going to help me? Like, I want to go get a certification in XYZ technology, because that has been the way, you know, what got me here won't get me there. The thing that it had pursued or grown my career over the years is learning a new technical skill. And that had always got me the next job, and it got me the next promotion, because, again, I was focused on being the smartest guy in the room. What I didn't realize is I was limited in that. That. That career track, because I was only focusing on the technology. And there's. There's a. There's a ceiling in how smart and how much you can grow on that technical track. It just. It just is. And. And so I was very fortunate because the company that I work for, they paid, I'm sure, not a cheap price, not to mention that they took me out of work and, you know, we were. We were there for, you know, paid for food and all the things, and the consultant, however much that costs. And I did this for three years, but it catapulted my career. Like, I became a CTO and all of these things, consultant for EY and all these things that I've done, I never would have been able to do those, because on the technical track I was going for, I never would have acquired, or maybe if I did, it would have been another ten years in my career. But so few companies are offering that as an. As a guidance and a certificate, a training track for their staff. Yeah, they can go to a conference. Yeah, they can go maybe do a certification. But I rarely see anybody that offers that to their customer, their employees. And it's a great thing for retention, but it's also a great thing to build leaders from within instead of trying to recruit from. From outside. [00:35:42] Speaker B: You bring up a great point. Right. Like, so I got lucky, too. I mean, yes, I got put through the same, you know, a leadership school while I was in the. 
In the Navy, so, you know, the military that. Right. So I went to a leadership school, which. Yep, kind of funny. It's kind of same thing, right? They put you in the give you scenarios, they speak in front of the public, do all these reports and all this. It was great training, right? Luckily, I was, God, I guess I was 10, 12 years into my career outside of. Outside of the military. [00:36:15] Speaker A: Sure. [00:36:16] Speaker B: He's been in somewhat of a senior role, right? And it's kind of funny. I got out of the military and kind of almost automatically was right into kind of that more senior role, but, you know, always had people working for me. But I will admit, early on in my career, I was a shitty leader because I was that smart ass. Smarter than you. I'm just going to hammer it into your head and we're going to move forward and I'm going, I'm going to get this. This is going to be successful by my sheer will and stubborn headedness. And, you know, it worked to a point. And then I got lucky and was my first CISO job, a company I worked for, they hired a consultant, leadership consult, coach and consultant, and offered it to the entire executive team. And they got us. And people probably heard of this, but it's a 360 degree review, right? So they go out, interview not only your direct reports, but to people you work with, outside people. They put together this big report and you get to find out how much of an asshole you are when they do that, if they've got honest people doing this stuff. So it's kind of interesting, right? And it's not always. It's not always easy to hear, but if you can get your ego out of the way and take to heart the things you're hearing and go, you know what? They're 100% correct. If you can ever get your mind shift to go, they're right, that is me to a T. And how do I deal with that. And that's where you have the great conversation with that coach and go, how do I fix this? How do I think through this problem? 
What is the, what do I need to change in me to do this? And that's where a coach or a mentor is so important, somebody who's lived through this stuff and somebody you trust, somebody you'll listen to when they tell you you've got to stop doing this because it's, it's detrimental to you. And if you can find somebody in your career path to help you do that, it's going to be, it's going to change the way you think and the way you work and the way that you approach life in general. And, you know, like I said, we've both been lucky to have some of those opportunities put in front of us. I agree with you companies because we've all heard of this over our careers as somebody's been over promoted. [00:38:44] Speaker A: Yep. [00:38:44] Speaker B: You know, or the Peter principle, I guess, is the other way people talk about it, right? Is somebody, and the truth is you're going to have those individual contributors, those technical folks who may never want to lead people, and you shouldn't put them to a people leadership position if they don't want to lead people. They may be perfectly happy and they're going to be phenomenal for your team because they've got that historical knowledge. They're technically experts. You may want them, but, you know, the only way you're going to figure that out is to have one on ones that are meaningful. One on one with your employees should never be a status update. [00:39:23] Speaker A: Correct. [00:39:23] Speaker B: Come in an email weekly with bullet points. Say, here's the things you need to be worried about, and that should be daily conversations. What you should be doing in one on ones is talking about career, career development, career growth. Talk about the good things, talk about the bad things because you should be talking about bad things in private. Be having that clear conversation and go, you're good at this. You're not good at this. These are things that we can do. Let's get you here. Let's have you go take this class. 
Let's get something for you. If you can pull the budget for it or even suggest, look, I can't afford it. But you know what? Look into this kind of training or this kind of education or this thing that will help you. And those are the most important people conversations you can have in a leadership is just being transparent, not being a bully, not being mean, being transparent and honest with them and go, but you should also be asking for the same thing about you. What can I do to help you? How am I not doing? What should I should be doing from my leadership seat? What are things that you think that I should change? You should be managing up to, and we don't train people enough on that manage up piece of it. And I think that's one of the great things that, and I do tend to lean towards hiring the veteran community because a lot of us have been through that and we've, we've had some training on that and we've been taught how to because we've been put, we get thrust into high stress leadership positions a lot of times when we're very young. And, you know, it gives us an opportunity to grow a little faster, I think, than it does if you're just purely getting it out of a, out of a higher education setting. But, and then that's the other thing I want to tell everybody when you're looking at, you don't need to just be focused on higher education. You need to be focused on people. There's a great program that's rolling out countrywide, nationwide, actually, but they're getting it set up in different places, and I can't remember the name of it off the top of my head, but I'll find the information for it. Community colleges. Yeah, look at community colleges, because think about the typical student at a community college. Yes, you've got the first out of high school, and that's what they can afford, and that's where they're going. But you got a lot of mid and late career who are dedicated to reeducating themselves. 
So not only are they working their ass off to get a college degree, they're also working a full time job. [00:41:39] Speaker A: And they probably have family and kids. [00:41:41] Speaker B: And family kids. They got commitments. They are committed to being better. They are committed to learning. Those people will work harder than anybody you've ever seen, and you got. That's an overlooked community. It doesn't matter where their degrees from. It doesn't matter if they got a degree. I mean, I'm that guy who's been a CISO twice, been a senior leader a bunch of times. I never finished college. I may eventually go back and finish it, but I've never gotten around to finish it because the job always get in my way. And same here. You know, I think we have to work on talent. And as a guy right now who's on the market looking for a new job, the networking part of this is important because you're going to especially a senior role and especially as weird as the job market is right now, you are not going to find rarely, I'm not going to say you're not, but rarely are you going to randomly apply for a job on LinkedIn, any job board, and get that job. It's going to be through the relationships you have developed. It's going to be getting out, talking to people. It's going to be making sure you're being heard. It's making sure people understand where you're coming from. Because I know one I don't like, I don't like bragging about myself in a resume. I put basically what I've done. But I feel if you get me to where I can talk to you and we can talk about a problem, I'm so much better at the talking part of it than writing a dissertation about myself. But that's the. And I think a lot of people are that way. Yeah, we struggle with getting that, that, hey, this is me on paper and. 
But if you get people out and you talk to them and you ask them questions and you have the conversation, I think it's in super important and I think the networking events, the getting out to go into these conferences and stuff and just talking to people and don't be afraid to put yourself out there, get out there to people. This kind of stuff, getting on a podcast, getting it out there, getting the viewership that comes in from these things, it's all helpful. Don't be shy because you never know when that right opportunity, that right person is going to come up. I mean, I've learned over the last, especially COVID, the being locked down a couple years, right. Not a lot of travel and everything going on. I spent a lot more time sitting in front of my computer setting. I spent a lot more time on LinkedIn. Next thing I know, I'm because of stuff I'm producing stuff I'm talking about all of a sudden I've got CEOs and founders of companies reaching out to me and the next thing I know, I'm now on a bunch of advisory boards. Because I was willing to, because I had some time on my hands, but I was willing to have the conversation. I was willing to give transparent feedback. I was willing to tell them go, why the hell did you start a company in this vertical? 500 other people doing the same thing. What are you doing differently? And it's just being able to ask those, being not afraid to ask those questions and give real feedback. Right. Don't and I'm. This is probably one of the last things I like to say about our side of the house, the community, the CSO community. Look, you, you ask everybody you do business with to be transparent, truthful, and honest with you. Do the same for them. Pay them courtesy. You know, you don't drag them on for months on end about something you're never going to buy because you're afraid you won't get invited out to another steak dinner or get another Yeti because none of you need it, just like I don't need another one. You know, it's. 
It's give. Give what value you bring. It's your experience. It's your ability to ask the right question, its ability to guide them. Whether it's a company you're doing business with, whether it's a junior person coming out of college or somebody coming out of the military who reaches out to you on LinkedIn and says, I'm looking for a job. Can you give me some advice? I'm not telling you to make a full time job out of it, but you should at least be taking a little bit of time to do some of that mentorship and coaching when those people reach out to you. And if I tell anybody anything, I have gotten more value out of doing that in my career, in this past 15 years of my career than of just about anything else. And I take so much pride in the ability and just letting, having those conversations. [00:46:00] Speaker A: Yeah. [00:46:01] Speaker B: It fills me with happiness when I see these people being successful in landing jobs. [00:46:07] Speaker A: Well, you know, you know, one of my mentors a long time ago told me, and it's really stuck. It's all businesses of people business. Right? So it doesn't matter if you're the janitor or the CEO. And it really goes in a lot of different ways. Right. We talked about it from, from a, hey, you got a technical is great, but you still have to sell your technical idea to somebody. You have to explain it, and that is selling. But the same thing on this side. Right? Giving back and helping others. That stuff, it all comes around. Like we have a reputation. Right? You know, you. You are your name, and people know Ken, and they know Aaron. Right. And what they say to your face and what is said behind your back are. Can be two different things. The thing with me is you may not like me, but I'm the same on camera as I am off camera. I'm the same person anytime you see me. If you meet me on the street or you meet me in a professional setting in the boardroom or at, you know, drinking a beer, I'm the same guy, right? 
I'm an asshole all the time, but I'm consistent with it. Right? But my point is, is that when you get that stuff comes around. This is a small network, right? You know, everything. Your reputation precedes you. It gets out there, even if somebody hasn't known you. You mentioned that, right? When I'm a vendor and I call you up and say, hey, I've got this new cool thing, you're gonna be like, all right, I'll set up a meeting, and then you're gonna hang up with me, and you're gonna call your CISO buddies and say, hey, Aaron just called me. Have you talked to this guy, and what is he selling? And have you had any experiences with him? And every one of those CISO people, or all of your network is gonna be like, yeah, he's an asshole, but you know what? He was honest. Or. Or, no, don't work with him because he lied to my face and, you know, whatever, right? And from my experience, being both a vendor, being a consultant, being an asset owner, you know, being a C-suite executive, a salesperson, or a company values clarity and honesty. I had rather you tell me I'm not interested, I'm still going to send you the Yeti or take you to a steak dinner, because to me, I'm not wasting my time on you. I'm just going to build my network with you, because then you're going to tell somebody. Aaron didn't continue to hound me when I told him that we weren't interested. That's valuable to me. Again, my reputation is more important than me selling one widget or trying to push you on something that you're not interested in. [00:48:20] Speaker B: Yep, 100%. And, I mean, that is. It is about relationships. [00:48:24] Speaker A: Yeah. [00:48:24] Speaker B: You know. You know, you hear that preached in the sales side of the house all the time? It's a relationship game. Well, what we do is a relationship game, too. And it's not only the sales side of the house, but it's also that internal partnership. Because you, as a CISO or senior security leader, can do your job on your own. 
[00:48:43] Speaker A: Right? [00:48:44] Speaker B: You're providing guidance, you're providing strategy, you're providing process, you're providing a tool set. Very rarely are you actually the person that's rolling that tool set out. [00:48:56] Speaker A: If I'm configuring your firewall, it's a bad day. [00:48:59] Speaker B: But what I'm saying is it's even. You may have your team configuring the firewalls and setting that up, but you need the network team involved to get it connected in the network and or if I'm rolling out a new agent that goes on a server, I need the server admins to do it. If I'm rolling out something that's interacting with a new application, I need the app team and the development team working on that. So rarely are you alone in a vacuum doing security. And you need these partnerships, these stakeholders, and they need to trust that you're not just throwing work because you found a new shiny toy that you wanted to go buy and throw outdevelop on the network. It's. [00:49:36] Speaker A: That never happens. [00:49:37] Speaker B: Yeah, never happens. But it's actually bringing value and reducing risk and increasing the resiliency of the company. And as long as you're presenting and having those conversations, and again, it's that total cost ownership, that total ROI, because that's not just money, that is how effort am I putting on somebody else? What is the workload that I'm going to ask these other teams to do? What is the downtime that's going to be taken? How long is it going to actually take to roll this out? [00:50:04] Speaker A: And then who's going to support it after the fact? [00:50:07] Speaker B: Where's the handover? 
Does it stay with the security team completely or is this, or is this thing going to be collecting data that now increases the workload on the app teams or the engineering or the infrastructure teams because now they got about do a bunch more patching on a much more regular basis because we have better visibility into it. Cloud team, it's so entwined. And I feel like a lot of times the security teams act like it's, we're against the world, right? And we're trying to, we're trying to protect the world. And granted, I know the mentality, it's the protect everything, make everything better, but you can't do this alone. And pretty soon, if you're doing it, if you're, if you're doing it alone and being that big of asshole, you are doing it alone and nothing you're ever going to be. And I, you know, I saw Jamil from Equifax is for, you know, I know pretty well. He posted something on LinkedIn the other day that was phenomenal. It was talking about all the CISOs out there selling themselves. Right? Ultimately, if you can't deliver, if you can't actually execute and deliver on any of the strategy and stuff you put up, what's the point, right? Because very quickly that'll also get out in the community. Yeah, they talk a lot. They never actually able to deliver anything because you, you're biting off too much of the world and selling a bill of goods that you're never going to be able to implement on your own anyway. And if you haven't built those partnerships and come up with that and have a strong execution plan, all you're doing is telling people that I can talk a lot, but I can't execute right. And sometimes execution is just getting a small thing, low hanging fruit, rolling it out over time, making sure you understand, like I said, partnerships, scope, understand the actual effort that goes into it. And if you'll spend the time doing that, you're going to be much more successful. Yep. [00:51:59] Speaker A: Yeah. 
I mean, you know, one of the very first projects I got when I was hired on at the power company, it was right after a winter storm, and we had like, three months to implement these things that our CEO had told the Texas legislation because we'd had some outages and we had three months, and I had to basically deploy secure satellite communications and weather stations at all 50 of our locations, power plants and all this stuff. And we had three, three months to do it. And basically my manager said, whatever you have to do, we have to get this done. No exceptions, no whatever. So I might, you explained it earlier, my Type A personality, I just killed everybody in front of me and just blazed a path and I got it done. But afterwards, you know, when I got my review, I'm thinking, hey, I'm going to get this clearing review because I did this almost impossible thing. And my, my boss said, yeah, you did a great job, but you left a body, just a wake of bodies behind you that I had to help clean up. But you told me to do that. Like, you gave me the instruction, don't fail at anything. Everybody that got in my way, I just moved them or went around them or, you know, whatever, and I got it done. So it was good and it was bad at the same time. And you talked about it before with the 360 review, is I had to look in the mirror and say, that was true. Right. Nothing he said was wrong. Could I have gotten it done politically? Probably not. It was probably the only way I could have gotten it done. But there was an impact and there was a consequence to the way that I implemented in the way that it had to be done. Not all of that was my fault in that, you know, we only had three months and all the things I waited to the last minute, blah, blah, blah, blah. But still, I was the person. My face was the one that pushed that through. 
And I had a lot of repair of relationships I had to do over the next 15 years at that company or ten years at that company to repair because I'd broken that trust and I had this reputation and some of those people that, that I chopped off at the knees. [00:53:55] Speaker B: Yeah. And I mean, we've, I've had that conversation before because it happened to me in my career when sometimes, yes, you are the agent of change and that's what you're there to do. Right. Is to get something done. And unfortunately, sometimes there is going to, no matter what you do. Yeah. Contention. You're going to upset people's feelings. You're going to step on toes because you have to. To get, to get the job done. [00:54:18] Speaker A: Sure. [00:54:20] Speaker B: That typically means you're probably short tenure. If you can't repair that, that's, you're probably going to be a short tenured person and sometimes that's what you're hired for. [00:54:31] Speaker A: Sure. [00:54:32] Speaker B: Or occasional roles that were hired to do that. Yeah, I've been in a couple of those roles and, you know, they're short term. You know, they're going to be short term because you were brought in to step on toes, break some eggs. Yep. Get people now. Now, luckily, in every situation I've been in that I've been told, yeah, you're leaving this place in a better shape and better condition than it was when got here. But now we're going to make a change because now they need somebody who doesn't have the animosity with correct teams and then that happens. And I mean, if you've been brought as long as you understand that your role going into it. [00:55:09] Speaker A: Right. [00:55:09] Speaker B: Then be prepared for it and understand the detriment that it's going to cause that company. Right. What you want to be able to do is have a conversation and make sure that that is not perceived as your personality holistically in the community. But this is what you were brought in to do. 
[00:55:26] Speaker A: You were brought in as an assassin and that happens. [00:55:30] Speaker B: I mean, you know, most nowadays it's McKinsey that they bring in do that to most correct. [00:55:35] Speaker A: You know, it's the Bobs, the Bob. [00:55:38] Speaker B: The Bobs show up and, you know, that's, that's happening a lot right now in the industry. There's a lot of that going on because people are having to reevaluate with the way that the economy and the environment, political environment is today. Yep. Job market's crazy because of it. The way companies are spending and buying product is crazy because of it today. Nobody's doing anything right now because they're scared. [00:56:02] Speaker A: Yeah. [00:56:03] Speaker B: They don't know what's going to happen. So, you know, a lot of companies are like, are we overspending? Have we over committed? So the Bobs show up and, you know, finding out the efficiency experts are there to figure out what you're doing. And I think, I think we're going to continue seeing that for a little while in the industry, and people are going to have to be. So you need to be thinking ahead of that. Right. You need to be thinking about your strategy and going, am I spending $5 to protect the dollar? [00:56:31] Speaker A: Right. [00:56:32] Speaker B: I designed a program that actually looks at risk appetite. Have I had a risk appetite conversation with the board and the business leaders? Do I understand what they're willing to accept, what they're not willing to accept? Have I looked at my current tools and processes and understand all the gaps and understand where we're good, where we're not good and be honest about it? [00:56:53] Speaker A: Yep. [00:56:53] Speaker B: We're good at this. We're bad at this tool. We're not using all of its capabilities. Do I need a new tool or do, do the 80% that this tool does? Is it good enough? If it is, then let's just do that. Let's build processes around it. 
Let's figure out where the gaps are, and then we can design a well thought out program that shows I'm being fiduciarily responsible for my budget, and I'm also taking into account making sure the business is still able to do what the business does, whatever it does to generate revenue. How am I enabling them? And that's the first question you have to ask yourself. And it's the first question I think typically ask my teams when I first take them over and meet them is like, what is your job? Get them to tell whatever their job is. Then you go, how does that enable the business to do what the business does? If they can't answer that, then that's where we're going to start having conversations. We translate what you do and how it enables the business to do whatever the business it does, whether it's produce a widget, provide a service, you know, whatever you need to make sure you understand how you're enabling, supporting that mission for the business. And as long as you can do that and you're designing a well thought out program that takes care of that, you should be successful selling it to the, whatever your needs are to the business. But you got to be clear about it, right? I need this much money. I need this many people. It's going to take this much time and I need these other five people, people, people to be involved in it so we can make it happen. Don't, you know, like I said, don't, don't go in there. It's a vacuum that only we're going to be able to solve it as security because everybody else sucks. Don't do that. You need more than you, you need most of your people, truthfully. [00:58:35] Speaker A: So I think the theme today is, yeah, I may be the smartest guy in the technology or whatever, but that doesn't matter if I can't get the business on board. 
And you're not going to win friends and influence people or get your thing done and implemented that you, you think is the right thing and you might be, but it's, it's, it doesn't matter if, if you can't convince the business and, and, and get it done and you have to partner with them. You can't cram it down their throat and expect them to take it. Right. They're not going to continue to take your bad medicine and smile at you. [00:59:06] Speaker B: No, because there's way too many, there's way too many places out there, too many people who've got millions of dollars' worth of software and hardware sitting on the shelf that's never been, that's never been switched into the on position, you know, and, you know, board, a board's only going to do that so long. They're going to look at something and go, what value am I getting out of this million-dollar-a-year spend? Or don't even have to be a million dollar. It can be a hundred-thousand-dollar-a-year spend. What value is it actually bringing to the company? And if you can't answer that question, why the hell did you buy it? [00:59:40] Speaker A: Right? [00:59:40] Speaker B: Right. Why are you trying to implement it? [00:59:42] Speaker A: Why are we renewing it? [00:59:43] Speaker B: It, you know, it's, it's one of those conversations that you've got to be having and you got to be looking at it constantly because the, the, what's happening out there shifts. Now, granted, still we got the same primary problems coming at us. Right. But, you know, how it's happening and why it's happening is, is still pretty much the same thing. Somebody wants money, right? They're monetizing it. Yeah, but how are we protecting against it? And do we understand fully what we need to do to protect against it? And are we only buying what we need and not buying extraneous bullshit? Then that's probably the biggest thing I can say, is you got to look at it in those terms.
And, you know, like I said, reading the IBM breach report was pretty interesting because it's gone up. I mean, it's. It's pretty damn expensive. Like what, 4.8 million or something like that is the breach now. But, you know, and they're. But what's causing that number to go up? And this is something that I'm great that they're pointing out because I've talked about it for years. When doing risk and stuff like that is. It's not necessarily directly related, like incident response or communication or something like that. It's. It's the actual production outage. [01:01:03] Speaker A: How. [01:01:04] Speaker B: How long production was out and how much revenue was lost is what's caught is one of the biggest factors of what's driving the cost of breach up is how much that production outage impacted a business. Yeah. [01:01:18] Speaker A: Yeah. It's. [01:01:19] Speaker B: It's. [01:01:20] Speaker A: It's multiple. It's always multiple factors. It's never black and white. It's never easy. If it were easy, anybody could do it. You know, my dad used to tell me that when I was a kid. Like, if it was easy, anybody could do it. Right. The reason that you're getting paid to do it is because it's not easy. So one of the things I always wrap up with this is I ask everybody, and I don't prep you, so you're getting this out of left field. But in the next five to ten years, what's one thing that you are excited about coming up over the horizon in cyber or maybe one thing that's concerning that you think we need to make sure that we're careful of or adjust to stop before it happens? [01:01:56] Speaker B: So, you know, it's. I think we. One of the biggest things we've got to be worried about in the next five to ten years. And I'm not going to think. I'm not going to say the thing that everybody probably thinks.
It's actually making sure people are still interested in coming in and dealing with this and getting the appropriate training and the appropriate knowledge level coming into this, getting people excited about coming in this. Now, do I believe all the numbers saying that the. That we're negative unemployment as it is? No, but what I do believe is we do not have a good enough pipeline of new people coming in at junior and mid-level jobs. The engineers, those people. I don't think we have a good enough pipeline of those people coming into the environment. And I think that that's something that concerns me because the need for more people in this industry is not going away. And I don't think we have a steady enough pipeline of people coming into it to keep us moving forward in the way we should be. So that's something about, is making sure that we're encouraging young people to get into this career. And then on the flip side of that, I think burnout is a concern of mine. I have seen several senior security people walk away from cyber. Yeah. In the last few years because this job, stressful. It is, it's, it's a lot of work. And it, I think people are getting burned out on the, it's a thankless job in a lot of cases. Right. Because you're constantly inundated now with breaches and stuff happening. You're constantly dealing with the business, trying to get budget to be able to do something. It's kind of a double-edged sword, though. If you, if you understand it well and you can explain it well and you're still not getting help, that's a different reason for walking away something. But if, if you're, if people don't understand why it's important, then you need to be looking back and go, am I delivering the message correctly? [01:04:10] Speaker A: Right. [01:04:11] Speaker B: I've done everything that I should be doing to make sure that the message is clear on why it's important and what it's not.
So those are, those are some things in the next five to ten years, I think, that we got to really watch for because it's kind of interesting, right. Because a lot of the guys, you know, in ten years, I'm, ten years, I hope I'm actually retired or no longer doing this on a, on a day-to-day corporate basis. Right. More on that board or advisory side of the world. But, you know, a lot of the guys that have been doing this as long as I have, we're all getting to that point in our career where we've been doing this for 30 years. It's starting to get time. And we need to make sure that we've got that pipeline of talent coming up behind us that are thinking about it in ways that continue the good work that the cybersecurity community is doing and continue to be protecting the environment, protecting the environments that we're in and protecting the people that, the business that we're in. And truthfully, nowadays, with the amount of data that most of us have at larger companies, protecting the people that we do business, our customers, for a lot of us, that's, globally, we're protecting people's data, we're protecting people's livelihoods. So be thinking about that, that you're, you're responsible for a lot of people's money. Yeah, a lot of people's reputation. So figure out how you're going to deal with that and make sure that you've got an appropriate pipeline of people coming behind you. That's the stuff I'm worried about. [01:05:43] Speaker A: Yeah. [01:05:43] Speaker B: The new tools and stuff like that, the LLM tools. Those are interesting. They're going to be able to help us. There's risk with that. There's also value that comes with that. But make sure you're focusing on how it brings value and how it reduces risk, not just focusing on the FUD and FOMO that is out there about this stuff. So you think smartly about how you're going to utilize the new tooling that is coming out. And talk to these startups because they're thinking about it in new ways.
Talk to them about the problem they're trying to solve. Ask them hard questions, give them advice, get them, because they're the ones investing the money to deal with these emerging technology and emerging problems and hopefully help us deal with problems we've never been able to solve. Give feedback, give advice, be transparent. Don't be an asshole. [01:06:36] Speaker A: That's the tough one, right? Well, awesome, man. So, hey, Ken, how can, how can people find you? You're all over the place and networking. [01:06:44] Speaker B: Events, and probably the easiest place to find me is probably, probably LinkedIn. And it's just, I think nowadays if you search Kenneth Foster, Kenneth R. Foster on LinkedIn or Kenneth Foster on LinkedIn, I think I'm the first suggestion that pops up for most people now. They. But, you know, I'm out and about, you know, I'll be doing a few CISO dinners and networking events in Atlanta this week. I've got some, some charity golf tournaments I'm involved in over the next few weeks. They said I'm actively out there looking for a new role and we'll keep everybody up to date when I find the next place I land and see what's going on out there. But, you know, I'll probably be hopefully back out there with you guys in January, another cool event. And we'll get some people out to come out and be part of that, because there's something about getting a group of like-minded people sit down together and have a. Have an open, honest conversation about cyber was a bit, was a big part of that. We covered a lot of topics that I thought were incredibly interesting and just getting the points of view and having that conversation and sharing the camaraderie and the brotherhood of that was. And, you know, getting to put a few thousand rounds down, not a bad way to spend the afternoon, either. [01:07:59] Speaker A: Not a bad way, but, you know, talking to that. Right. It's so important.
And one of the reasons why we did the event is to be a little different than everything else. And there were people there in different verticals and different experiences and different backgrounds and people in government and private and all the different things. But all of those things go back to the people aspect of the business and how. How important it is to build those relationships. Whether you're looking for a job, whether you've got a problem that somebody else may have seen or issued, or you want a question about a vendor or a product or a capability, like, all of those things are value add. And having that network of people in your Rolodex that you can pick up the phone and say, hey, remember me? I was at this event. We shot guns together. You said you were doing this with XYZ. Let's talk about that, right? [01:08:43] Speaker B: Yeah. And I think that's the thing, right? Get out of your own echo chamber. Talk to people that got different experiences than you and ask them questions on how they dealt with it, because building that broad base of experience is one of the best life lessons you'll ever get on, on multiple fronts, whether it's professional, personal, whatever. Get out, talk to people. Make yourself available. Let people ask you questions. Just be honest and answer the question, because this is how we all learn. This is how we get better. This is how we bring up the new group of people who get interested in what we like to do. [01:09:18] Speaker A: Yep, absolutely. [01:09:20] Speaker B: My big thing is don't be afraid to share your experience. [01:09:23] Speaker A: Yeah. Awesome. Well, hey, Ken, I really appreciate your time today. As always, it's good to connect with you and definitely look forward to hanging and shooting some guns and connecting in other times as well, man. [01:09:34] Speaker B: Absolutely. I appreciate it. Thanks for having me on. Enjoy.
[01:09:36] Speaker A: All right, brother. Thanks for joining us on PrOTect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time. [01:09:55] Speaker B: You.
