Legacy Tech, AI Hype & Cyber Risk: What IT and OT Leaders Must Get Right

Episode 86 December 22, 2025 00:53:02
PrOTect It All

Hosted By

Aaron Crow

Show Notes

AI promises transformation - but legacy technology, process gaps, and cyber risk often stand in the way.

In this episode of Protect It All, host Aaron Crow sits down with veteran IT and cybersecurity leader Neil D. Morris, who brings over 30 years of experience across aerospace, defense, and energy sectors. Together, they cut through the hype to explore what really matters when modernizing technology and managing cyber risk in complex, real-world environments.

Neil shares candid insights on why legacy systems still power critical operations, why replacing them isn’t as simple as it sounds, and how organizations can unlock real value from AI without increasing risk. The conversation dives into tech debt, regulation, ROI, and the often-overlooked role of process in successful transformation.

You’ll learn:

Whether you’re leading digital transformation, managing cyber risk, or advising the business on AI adoption, this episode delivers real talk and practical wisdom from the front lines of IT and OT leadership.

Tune in to learn how to modernize responsibly, manage risk intelligently, and separate AI reality from hype, only on Protect It All.

Key Moments: 

00:00 "Legacy Tech in Modern Firms"

06:22 "Technology, Change, and Customer Focus"

09:51 "Challenges in Articulating Cybersecurity Value"

12:27 "Tech Solutions Must Drive Value"

15:43 Sell Ideas Beyond the Code

19:03 "Ransomware Risks in Acquisitions"

24:02 Government, Services, and Compliance Debate

25:35 Balancing AI, Cybersecurity, and Regulation

30:33 BlackBerry's Downfall: Ignored Innovation

32:06 "Evolution and Misuse of AI"

34:45 "Opportunity to Lead Change"

37:52 "AI Without Guidance Backfires"

41:07 "AI: Smart but Context-Lacking"

46:45 "AI Empowering Business Transformation"

50:30 "Effortless Tech-Fueled Imitation"

About the guest:

Neil D. Morris is a senior enterprise technology leader with 25+ years of experience in digital transformation, cybersecurity, and AI at scale. He currently serves as Head of IT at Redaptive and previously held CIO roles at Ball Aerospace and Maxar Technologies. Neil is known for guiding organizations through complex modernization efforts while balancing security, risk, and business value.

How to connect with Neil: https://www.linkedin.com/in/neildmorris/


To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4


Episode Transcript

[00:00:00] Speaker A: Larger the company, it seems like the more legacy tech. Now they got all the cutting edge stuff too, because they got the budgets for it. But man, trying to move off of Z, right, or some of these old programming languages is not an easy feat when you have hundreds of thousands to millions of customers. And I still know some organizations that are using some tech that someone put a shiny UX on top of it, right, just to kind of make it look modern. They're like, wow, the heart of that organization is still like tech from 30 plus years ago.

[00:00:38] Speaker B: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow.

[00:00:56] Speaker C: Awesome. Thank you for joining me on another episode of the Protect It All podcast. It's always fun to me to reach out to people, those that haven't been on the podcast or haven't engaged with me. A lot of the people that I'm having these conversations with, it's the first conversation we've had. Now maybe we've gone back and forth on LinkedIn or through email or text message, but these are a lot of times the first real conversation. And I do that intentionally. It's not because I'm lazy, it's not because those things. It's because I want these to be conversations. Like I said before we started recording, like you and I are sitting down having a coffee and you're explaining to me your experience over the last, as you said, three decades of experience. Right. So with that, Neil, thank you very much for taking the time joining me today. I really appreciate it. And why don't you introduce yourself, tell us who you are and a little bit about that the past three decades and what you've been doing.

[00:01:44] Speaker A: Yeah, no thanks, Aaron.
You know, first chat that we've really had been on a few different podcasts that are different reasons and you know, over the years, but a unique kind of format and appreciate kind of the way that you're, you're doing that. Yeah. Neil Morris, I'm out here in Denver. Right. And currently the head of IT for Redaptive, so energy and sustainability company, but been doing IT cybersecurity for 3ish decades. Formerly CIO and CISO for Ball Aerospace. So highly regulated aerospace and defense company. Before that Maxar Technologies. They're now going by Vantor, but intelligence and satellite imagery and a long background in enterprise architecture, cybersecurity going back to education and IBM and number of different organizations throughout my career, but currently leading IT for Redaptive. Having fun doing that. Been doing that for about the last 14, 15 months and kind of excited to be chatting today.

[00:02:52] Speaker C: That's awesome. It's funny how thinking back on, I won't speak for you, but thinking back on my career, I'm looking back and like all, you know, starting out as a desktop administrator and you know, little network admin, working nights and weekends, you know, upgrading from Token Ring to Ethernet back in the day, like all of the things that I've done over my career, like I can, sometimes I have to look back at my resume to remember like where I was at that time. Because it's been, there's been such a trajectory right from crawling around in the dirt to, you know, to what I, you know, having a conversation like this today.

[00:03:24] Speaker A: So yeah, I mean you talk about starting with Token Ring and those kind of things like you had right out of high school. I did a seven month trade school kind of program which is what first got me into tech. And it was old X.25 networking on the back of Cisco 2600s for what today would be described as a SaaS platform. But we were doing terminal emulators into an AS400 for. You had a little regional airline. Right.
And our authentication was Novell 3.12. Right. Just because Active Directory hadn't won the war yet and there was still conversations on is it going to be TCP/IP or SPX kind of networking or. You had all those kind of wars in the late 90s, right. Coming into 2000 area 100%.

[00:04:14] Speaker C: It's ironic because I was doing the same thing at power plants, rolling out SNA servers to be able to connect back to the green screen so the operators could log in and do their operations and order equipment or whatever, whatever they needed to do. So we took this big stack of servers just to be able to connect back to a green screen to have it on their desk so they could, they could log in and do whatever they needed to do from the mainframe.

[00:04:35] Speaker A: Yeah, I was flying around, you had California, you had Vegas area, Reno like for a regional airline and putting terminal emulators on old Windows 95 machines to. You had access, you had the centralized AS400 that was running. You have all the booking, reservations and aircraft maintenance kind of use cases for regional airlines.

[00:04:59] Speaker C: So the irony of that is so much of that has not changed as much as you would imagine. I know you would, but the listener may or may not know a lot of that is not that much different today. Now granted it's probably not an AS400, but it's probably not too far along, you know, along the way compared to what it is, you know, what some of our bleeding edge enterprise architecture applications may look like.

[00:05:24] Speaker A: Well, maybe so, but I've been in a few conversations even the last few months. I believe you had IBM still making, you had P series I series AS. I don't know if they're making the AS400 anymore, but very similar systems and talking to these big banks, hospital institutions, larger the company, it seems like the more legacy tech. Now they got all the cutting edge stuff too, because they got the budgets for it.
But man, trying to move off of Z, right, or some of these old programming languages is not an easy feat when you have hundreds of thousands to millions of customers. And I still know some organizations that are using some tech that someone put a shiny UX on top of it, right, just to kind of make it look modern. They're like, wow, the heart of that organization is still like tech from 30 plus years ago.

[00:06:22] Speaker C: Yep. Yeah. And you know, you, you look at that type of stuff and that's, that's why none of this is easy. You know, we get into technology. You and I have seen a lot of different technologies come and go, you know, versions 2, 3, 5, 12, 158 of those things. But they're all, you know, the concept, underlying concept is, is, you know, obviously we have to do, you know, make it work for the customers in the use case and all the different types of things. And that's one of the things that I see in, we talked about before we started recording how fast things are changing because of AI, you know, whatever you want to call it. But the underlying is that's not going to change the fact that those customers that have been, you know, those big companies that have, you know, a million customers and they've got their processes so embedded into this, you know, architecture. AI is not going to fix those problems for them. Like maybe they can slap a new UI on it, maybe they can make it do some new whiz bang things, but the underlying capabilities are still going to be embedded in that unless they do that heart transplant, which is a big deal and a big change.

[00:07:22] Speaker A: Big deal, big change, massive risk. Which is my experience. One of the reasons why the companies don't do it because like you see knowledge, attrition, right? People moving on, retiring, right?
You had all these kind of things and then like, oh, like we thought we had some really good documentation, but it's scattered and, you know, who knows it and like, oh, you know, the modern, but you don't know that stuff. So how can we translate all these features and functionality? There's customers using them and everyone. You duct tape something together at one point or another to make it work for one use case or problem at a time. It's like, oh, it's like it's not straightforward. Right. And the time, effort, energy, investment to reverse engineer some of those where the documentation is close but not quite there, right. Is heart surgery or brain surgery is probably, you know, either one of those are a good way to look at it because it's right up there. You just don't might have not have to have the steady hand of a surgeon, right. When you're behind a keyboard. But everything else is pretty similar in a lot of ways.

[00:08:31] Speaker C: Oh yeah, a hundred percent. And you know, talk a little bit about. It's really easy as a technologist, right. I want to, you know, I'm playing with, you know, technology all the time. I've got, you know, Meshtastic stuff and I've got all, you know, different things that I play with and tinker with, you know, AI, you know, all the different things. But at the end of the day, to your point, right, you all of this matters. It's the risk to the business, right? And is the ROI, if I'm going to add this new feature and capability, is it a big enough ROI, then it's worth the risk to rip out what's there, right? You know, my dad always had this old saying because he grew up in working in power plants and things, and they basically wouldn't break it. If it ain't broke, don't fix it. Right. If it continues to work, why would I change it? Right? There's, yeah, maybe I get a new capability, but is it that much better?
If you think about the cost and the risk and all the, the training, the upkeep, like all those types of things, is it that much better? And is the ROI enough to rip out what's old, train everybody on the new, build new processes or procedures? Because it's not just the tech, it's also all the people process as well that goes along with it, right? And there's a big risk, especially in a large organization, that that's, that, you know, tentacles out into the organization into all these different places. To your point, somebody left and we don't realize that Bob built this into 10 layers down. And when you rip that thing out. Now, this other process that you didn't know about is now broken and Bob isn't with the company anymore. So now what do you do?

[00:09:52] Speaker A: When I think about it kind of in terms, I mean IT people, cybersecurity people like in general yet. And it's a little bit of a stereotype but you know, we, we're not really good at articulating the value not to the business but to our customers.

[00:10:10] Speaker C: Right.

[00:10:11] Speaker A: If you're in banking, you're in healthcare, like they're coming to you for some sort of result. Right. And output and translating that new feature of like oh, is it going to penetrate the market? Or you help our customers or provide better, you know, patient results or better financial results from a banking institution and they just become so institutionalized it's really hard to tell that story even if you get good at it and you're articulating that to the CFOs and head of sales, I mean they've made a really good business out of doing business that the way they've done it.
Just one of the reasons why I think you see a lot of times new businesses come into those same markets and really disturb those markets because they can come in with the new tech and the new way of doing thing and there's going to be those early adopters and you had some of those people that are going to lean into the new ways of doing it and you think you got Cash App and Zillow or all these Venmos and you had other financial services kind of companies disrupting traditional banking. But even when the traditional banks gobble those up or try to add those services, they never really go back and fix all the debt. They just kind of bolt more things on which just almost makes the problem worse. So it's just like trying to do that ROI analysis when it's not transformative. It's just small iterative changes make it really hard to tell the story of how those iterative changes can actually get you to something that's transformational. Because most of the time I don't think they will. Right. You have to rip it out and that always comes with a really, really big price tag. Right. And like if you're a scrappy startup, even a few hundred employees, you get up to 50, 100 million in revenue, you can move pretty quick. The fidelities and those kind of, you have big financial organizations aren't going to be able to move as quick. But a lot of customers don't want to move that quick either. Because when you're talking about their health or their money specifically, which why I like those examples. Your customers are going to be just as risk averse because you're going to have them all the way up from you have Boomers and Silent generation all the way up to Z's and Alphas nowadays.

[00:12:28] Speaker C: Yeah, well, and I think you hit on something really important there as well, especially as, you know, many of the people that will listen to this podcast are probably going to be leaning on the technical side, right? They're.
They're probably tech people that probably again, are tinkering with crap like me and have, you know, whiz bangs behind them with laptops and all, you know, the rack behind me on the ground over here, like all that type of stuff, right? Um, so it's really easy for me to say, hey, this new thing has all of these new technical capabilities and I can do this and I can do that and it's got AI and I could do all this, but I have to be able to really understand the business process and really understand what the actual return and value to the business is. It's not just because, you know, nobody wants a firewall. If tomorrow we could have life without a firewall. I think everybody, including myself, who used to manage firewalls and love firewalls, I would love to not have to have a firewall. Right? Nobody wants a firewall because it's fun, right? You have a firewall because you have to, right? So having the newer firewall with some new capability, that doesn't really impact me, doesn't make me want to go upgrade it because it's a lot of work that doesn't get me a lot of value. How is that going to make my business make more money? That's what matters.

[00:13:35] Speaker A: Oh, I think a firewall is in a very similar way. And you could talk about DLP and all those kind of things. You got a lot of the AI and stuff. I mean, it will make your life yet better, cheaper, faster for the cyber analyst or the firewall administrator, the tech folks, right? And we, like me, certainly got all the tinker toys and everything right around me too. Like, that's valuable to me. But when I'm talking to the business, they don't give up, right? It's like, like, why are we going to invest to make your life easier, right? That's a little bit maybe of a hard statement, but it's like, oh, yeah, it's like you take your car to the mechanic, right? I used to do a lot with cars and they stuck some starters and some parts. Those things are not built to be worked on. Right.
So like, like, why, why are we going to rebuild this or replace it? Because it would be easier for the mechanic. Like, if it breaks down a lot. Right. Maybe that's a good thing to save us some money. But it's like, as a person, consumer driving it, you know, business not going to do me much good. So how do we articulate those stories and show the value? Because people don't probably want locks on their front door either, but they do because they understand the risk. And sticking the key in and turning it or typing in the code is what they're doing to protect people coming into their house. Firewalls are no different. Right. It's the competition between ease and convenience, and you got security and risk management. And like, depending on your view, it's going to be radically different.

[00:15:17] Speaker C: Absolutely. Yeah, 100%. And that's where, you know, if you are a technologist and you are not partnering up with somebody and learning the business and putting all of your language around the business, then you're missing out. You know, I seem to say this every episode, but, you know, one of my mentors told me, you know, all business is a people business. It doesn't matter if you're the janitor, you know, the, the CEO, whatever. You're having to engage and you're, you're basically a salesperson. Even if you're a technologist, even if you're the programmer in the basement, you still have to sell your ideas to your teammates, to your manager, to your supervisor. They have to sell it up the chain like you. You can have the best ideas in the world, but if I can't convince someone else that the idea is good and worth going forward with and it doesn't matter. So we all have to be able to sell our ideas, which means we have to learn skills that we may not have learned by learning how to program that firewall or learning how to code that program, or learning how to tinker with, you know, our toys.
You know, we have to learn other skill sets that may not come natural to some of us, you know, introverted tech geeks on the spectrum, whatever thing that may be afflicted by me, all of those things, you know, I had to push myself out of my comfort zone to be able to have those types of conversations.

[00:16:33] Speaker A: And when you're talking to those business, you have folks, whether they're. You had in finance, sales, you had human resources. Right. Marketing, like getting good enough at understanding it and be able to communicate in their language. Right. Goes a long ways because you do have to sell yourself. You do got to sell your ideas, right? You do gotta. You got sell the value to the business, to the end customer, right? And just part of that learning, some of it is just learning how to communicate and asking someone else to learn, I'll say our language as tech geeks, right? They're like, oh, like SPX, TCP/IP, X.25, Novell, Windows, Palo Alto firewalls or Checkpoint or all these kind of things. It's like, whoa, I don't care, right? What does it mean for my. How do I get leads to opportunities to sell? How do I turn it into revenue? Right? But if you can remove that language burden just by talking their language, and that's an area where I certainly did not focus on for the first two decades of my career, right? And once it smacked me in the head and I realized, stop being a putz and start talking in their language. Whatever it happens to be, things got a lot better and a lot easier to sell things within the organization and externally. Yeah.

[00:18:09] Speaker C: Well, and to me, so I was a CTO of a software company, so we, you know, I was a vendor and I sold, you know, into organizations and looking from the outside, I'm also a consultant, so I'm selling services into companies all the time. You know, cyber and, you know, assessments and program development and, you know, all the different types of things.
To me, it's just surprising to me, more sales organizations, more vendors are not putting their marketing language around those in that way. Right? Meaning that it's easy to sell the new feature of the firewall, which you're talking directly to the firewall administrator. Awesome. He's on board. It's probably easy to get that guy or gal on board because it would definitely make their lives easier. They like tinkering. They're going to play with the new stuff. But how do you convince the CFO to get funds for it?

[00:18:54] Speaker A: Yeah, hold on. It's. That's where you got to switch to the like, oh, yeah, maybe it's not going to drive revenue, but maybe it's going to reduce risk, right? And you start talking about, hey, like we get hit by a ransomware attack, right? I think the last number I saw was average is like 4 million bucks, right. I've been talking to a lot of smaller businesses, right? And smaller businesses, when they get acquired, right, there's a point in time where they're a major target, right? You get these people that pop these little small companies, you know, at 10 million, 50 million, 100 million in revenue, they get acquired by a big PE. And then two weeks later or a day after it hits the news, they lock it down because now they got someone with much deeper pockets that they can go after. Right? So you can talk about like, hey, the risk of acquisition and the valuation of the company could be directly impacted by our security posture. Those are things that CFOs and CEOs and others will look at because it's like, oh, if I get paid 100 million for the company or 500 million, right? That's a big delta, right? And like, you can start to see some of those risk numbers, but you gotta be able to phrase the argument in a way that it makes sense. And you can back that up statistically and by numbers and research. Right? Because especially like CFOs, it's all about dollars and cents and organizational valuation and sales.
And if you don't talk in that language, you're never gonna get it. But to your point, on VARs and consultants and companies, I mean, a lot of them, my personal opinion is they got founded by a techno wizard, right, that knew his stuff or her stuff, doing a really good job, leveraging their network, selling into IT organizations, which is why you see a lot of really good smaller MSPs and VARs and consultants, but not too many that are able to cross that chasm into real scale. Because they are selling to the IT Org and they're not selling to the CFO or the CEO or the head of legal.

[00:21:14] Speaker C: Yeah, well, because it's, it's a different conversation, right? And you have to be able to really translate that. And you can't just say, oh, yeah, I'll reduce your risk. How, how much? Give me something that I can trend, that I can put in my model that would say if I do this, if this, then that. Because that has to be a translatable thing. And it's mental, you know, gymnastics to try to figure out how to get.

[00:21:37] Speaker A: From A to Z through Q. Yeah, oh, absolutely. And especially in the cyberspace, it becomes said, no one wants a firewall, no one wants a DLP solution, no one wants to do security training. All of these things are cost, right? But if that cost is really about risk avoidance or maintaining company valuation, right. You get some interesting conversations with the C suite.

[00:22:07] Speaker C: Yeah, well, and you know, so you came from some highly regulated environments, you know, organizations that have regulations behind them. And, and there's reasons that, that those regulations exist, make sure that people have a bare minimum. And when we say bare minimum, the bare minimum is high enough that, you know, this regulation says you can't do this bare minimum, you have to at least do this. Right. It's a level of those things. And you look at critical infrastructure as a prime example.
So I come from power utilities and a lot working in a lot of these critical infrastructure spaces. You look at, you know, power utility and power utility has NERC CIP, which is pretty highly regulated around, you know, cybersecurity. And you compare a, you know, a power plant or a substation, the security infrastructure, the maturity of their programs, even the training of their people, and compare that to a wastewater, like a city municipal water district. Right? And they're not the same. And there's a, there's a lot of reasons behind that. A lot of that is budget and funding. But a lot of that budget and funding has been forced down into these regulated, you know, entities like power utility because they don't have a choice. It's not like they can just say, yeah, I'm not, I'm going to opt out. That's not an option. Yeah, you can, but then you're going to get millions of dollars of fines. It's way cheaper to just implement the technology. Right. So, you know, coming from a regulatory perspective, it's that carrot and stick. I don't always like the carrot or the stick because I don't like overreach and I don't want, you know, it's hard to regulate cyber because it's such a, you know, subjective and personal thing per organization. But sometimes you need it to push the ball forward, especially in these very highly risky environments, especially when human life and other, you know, are the way of life is at stake. So what are your thoughts? And it was a long, roundabout way to get to a point of what are your thoughts on pushing down regulation, even if it's internal, but even beyond that in regulatory from an outside source as well, with fines and audits and all that kind of stuff that kind of backs it up.

[00:24:03] Speaker A: I think you and I are in a similar space because I have this internal monologue that goes on because fundamentally I'm like, okay, I'll pay my taxes because I have to.
There's a need for government, but I'm kind of a small government guy, but I want to provide services. So I have this mental struggle between like, how many services can we, should we provide at a federal level, you know, state level and all those kind of things. And certainly I come from more aerospace and defense. And the talk now is CMMC, right? And it's like, if you don't not comply with CMMC, which maps closely to NIST 800-171. Right. You're not going to be able to bid on a new government contract, so you're not going to be able to even get to the starting gate to be competitive. Right. So you're going to have to do these. And that's been a highly regulated environment for decades. Right. And this is even a push above that. But it drove culture. And when I had conversations with peers and other executives and teams, they understood the need of cybersecurity. So the evidence and the auditing and the extra overhead of CMMC or NIST or like HIPAA or PCI DSS or all these other security frameworks was a much easier conversation than it is with smaller, unregulated kind of organizations. And I think my personal opinion is we need even a little bit more regulation now. I'm in Colorado and State Bill 205 and Colorado AI Act and, you know, federal AI regulation versus state. And what's California going to do? All of that is like, we got to figure it out. But I hate to ask for any sort of regulation because I hate what I might get. Right? But I think if, like, on a macroeconomic scale, if companies as a whole don't get better at cybersecurity, understanding the risk, right? The, the small plumbing shops or auto shops or manufacturers or all these other companies that aren't power generation, even waste water, waste disposal or some of those kind of things, if they don't get better, we're going to just see a lot of companies get owned. We're going to see a lot of trust and technology start to erode.
We're going to see these struggles that are going to be very difficult to overcome. And like, we got to get the bar for people to, I hate the word comply, but to get right from a cybersecurity perspective, low enough where it's palatable, right? You know, if you had to put 12 locks on your doors and spend their five minutes trying to get in your front door, right. No one would do that either. Right. But putting a key in or putting a pass key in to get in, right? It's like, okay, that's an easy enough bar, right? You know, clicker to get in my car. Okay, I'll lock my car, right? Yeah. But we got to get cybersecurity technology to a point where it's so easy, right. People can meet those requirements of basic locks and guards and protections and, you know, training. Right. Which is always a big one for me because regardless of yet any generation. It's always been the human element on the side of you at the 10, 20,000 keyboards. Right. That become the greatest risk.

[00:27:44] Speaker C: Right. Yeah. You know, it's that catch 22 of, you know, hey, please help regulate. But then you're afraid of what that regulation is going to come down with. But on the flip side, you know, again, working in power in any of these regulated environments, the budget never goes dry and says, hey, I don't want to spend this money on this cyber program. I'm going to move this over to marketing or whatever, because they can't. Right. So, you know, it's going to be there. And that's one of the, that's one of the strengths. And it's not just to buy technology. It's also for people, people, process and technology. So that money is there. I'm dedicating people. I'm making sure I have the right resources, I make sure I have the right skill sets, I make sure I have the right training and awareness and, and technology. Right. So all those things kind of go together and it really pushes the envelope and it makes you have a different kind. And I agree. I'm the same way.
I'd be perfectly fine if we didn't have to have government. But I'm also a realist saying, well, we do. Right?

[00:28:41] Speaker A: Yeah, exactly. It's a weird balancing act to say, yes, there's some regulations required, but how do we make sure industry specifically has enough voice at the table? Because I think when I get worried about regulation is like, I know a lot of different politicians and lawmakers and different people that are brought in to support and help. Right. But talk about talking different languages. Right. Talking to a CFO is completely different than talking to people that are trying to write into law. You had different regulations or put different. You have things in place and we got to educate them and bring them along as well so that we get reasonable regulations that don't hinder business and innovation. And especially with the. You talked about the rapid pace of change. It's like there's regulations on the books that talk about specific technologies that haven't existed in 20 years. Right. With AI and everything else changing so quickly, how do you write those regulations in a way that's adaptable enough and flexible enough to kind of meet the current and future needs is incredibly difficult.

[00:29:59] Speaker C: Yeah. Well, and it's pushing us. You know, we're seeing, we're already starting to see impacts from AI and we already know there's a risk anytime we. We put any new capability in there's there's always going to be risk to it, but there's also a risk to sitting still and doing nothing. And you hit something earlier and it kind of. Now we can circle back, but you talked about, you know, we've got to be able to be, you know, adaptive to the new technology. And the thing that came to mind when you were telling that story of, you know, the Venmos and the, you know, the Airbnbs and all those, to me it was BlackBerry. You know, BlackBerry owned the market. Everybody had a BlackBerry.
Every corporate person had a BlackBerry linked to their phone, linked to their, their email. And they were so egotistical to think that, you know, it's, we're too big, we're in everybody's hands, they'll never replace us. And then the iPhone came along and within a few years nobody wanted a BlackBerry anymore because, like, why do I want to carry this other device that's just for this. And the keyboard's stupid and all it does is corporate email. And now I can have this and I can have my personal email and, and social media became a thing and like it just almost overnight. And then they, they were too late. They let the momentum get so far down the road that they lost it, right? This very large Research In Motion, huge company. But because they didn't see this and they were not willing to take the risk and they stayed where they were thinking, we're too fail. Nobody's going to go away from us. We're at that place now. So people have to adopt AI. They have to start using all this type of stuff. But at the same time, I also see you go to conferences and every product has AI bolted on it, right? It's, I said this the other day. It's like, you know, you go in the, in Best Buy and like every other appliance has, you know, a screen on it and can connect to Wi-Fi. Like, I don't need my toaster to be smart, thank you. I, I just need a freaking toaster.
[00:31:49] Speaker A: Oh. And it drives me a little bit crazy. I was looking at talking about like, oh, I have to remind myself of what I did 20 years ago. It's like the fundamentals of AI, right? I get frustrated with the term, right. Have existed for 70 years. Yes, exactly. And I'm like, okay, when I was doing early networking, right? And you're looking at configuring algorithms to find next best hop and work around different failure points on a network and build auto failover and those kind of things. And anomaly detection is like all the fundamentals of machine learning, right?
And it's like, okay, that was AI at that point, right? Then I got Aerospace and Defense, and you're looking at computer vision and writing algorithms to detect you have planes, trains and automobiles from imagery, right? That's AI, right? So it's like you can say, yeah, the toaster's AI because it automatically determines that it should pop up in 35 seconds, right. Based on the thickness of the bread. It's like, really help anybody. And by calling everything AI, it just makes nothing actually useful in the space. But, yeah, I could almost jokingly put on my resume, it's like, yeah, 30 plus years of AI experience. Because, like, there's always been an element of machine learning or error detection or like, that's always been there. The GPUs and the hardware facilities to run it. And the idea of large language models and more of the generative stuff is really cutting edge. But if my toaster ever talked back to me, I might put it in the trash because, yeah.
[00:33:40] Speaker C: I think I'd probably shoot it.
[00:33:41] Speaker A: Yeah.
[00:33:45] Speaker C: But, you know, that's the funny thing that is coming out. And that's. That's the hard part, you know, and it's hard for us. And we're technologists, right? It's hard for us. And we know what we're looking for. And we've been here for so long. Imagine the CEO or the CFO that is on the, you know, in first class reading the, you know, the new Wall Street Journal or whatever, the paper article or whatever, and they see this new thing and they're like, well, we have that. Shouldn't we get this new AI thing? And they go back to their CTO or their CIO and say, hey, shouldn't we have this new whiz bang thing? Because everybody else is having it. Why don't we have that, Neil? And you're. Then you have to say, okay, let me put this in terms you understand, and let's have this conversation. And this is the risk, this is the cost, this is the. And the ROI is just not there. Yeah, it's cool. But do you really.
Do you want to pay for it? Like, we could do that, but does it make sense to do those things? Right? And it's almost the inverse of what we talked about before. Trying to sell your way up. You're almost having to unsell them because they want all the cool new features that they saw in the magazine or on 60 Minutes or whatever thing.
[00:34:49] Speaker A: I almost think of that a little bit differently. One, I laugh as soon as you said that. Because it's like anytime, like, you know, someone comes back and, you know, call it CFO, CEO, right, whatever. It's like, oh, I was just talking to a buddy or I just went to a conference. It's just like, okay, I know this conversation is going to be bad because there are a lot of really cool stuff out there and the marketing is really impressive. And some of the stuff is like, ooh, that could be valuable. Right? But I think we have a unique moment in time, right, as technologists to get in front of that. I think waiting for them to go and look at all those kind of things and come back. I think we actually have the opportunity to lead. If we can talk the business, the language of the business, and go and educate those leaders. Like, oh, okay, you always hear about Zappos from a customer experience perspective, right? Huge use case. Spend as much time on the phone with the customer as you need. I mean, you can go look up case studies there. It's like strategically, that business has appeared to make the decision that we are valuing that high touch. Right? And the decision for AI then is like, okay, we're probably likely not putting AI right in front of the customer for a call and tech center customer service because our strategy does not align to that. So helping the business understand, okay, what's our strategy? Who are we selling to? What's our core product? Right? What does that mean? We will and will not leverage AI for, okay, now we have strategic alignment. Now how do we get clarity on where do we implement it? Right.
Do we want to be risk forward and put AI in front of our customers? Right. Or do we want to leverage more intelligent process automation and make our back offices more efficient? Right. We see how things flow through the system, right. And if we can start educating and leading, ooh, this is what we need to do to clean up our data to be AI ready. Well, these are the pilots that we can run that could really show real ROI. And this is how we can measure them in business results. We can make that pivot from technologists to business executives in a way that I don't think we've ever been able to before.
[00:37:14] Speaker C: Yeah, well, kind of the one of the ways I look at AI, especially when it comes to business, right. You know, AI can do amazing things, right. It can automate a lot of things. To your point, though, it's not anything magic. It is not magical. If you don't understand your process, you can't make expect AI is going to fix it, right? The first step in it is not sexy. The first step is understanding your flow, your workflow. And if you can train an intern to do it, then you could train an AI, then you can get the AI to be really good at it. But if you don't know your business process well enough and don't have, if no one's doing it, if you're immature in your business processes, then AI is not going to save you. In fact, it's probably going to make it worse because it's going to go off doing things that it probably shouldn't do because you don't know what to tell it to do or what not to do. So it's going to go off thinking it's helping, like any, like, again, it's like, you know, you get your 10 year old son to come down and help you and you say, hey, I need you to go clean my office. And then he does. You didn't actually give him instruction and he just starts taking stuff and throwing it everywhere and he's like, look, I did a good job, right? Like, no, it's way worse than it was before.
But it's not his fault, it's your fault because you didn't give him instructions and have that, you know, structured idea. And so many people, businesses, you know, technologists, you know, business owners, CEOs, C suite executives, they're looking for the easy button. And AI can absolutely help you. But the first step is not turn on AI and hope for the best. Maybe we'll get there one day. We're not there today. Today you really need to be able to understand exactly what you want. Like I use AI all the time. Like I, it helps me write things for my, my podcast when I'm posting things. Like it helps me, you know, edit articles that I've written to post on LinkedIn or whatever those things are. But I, it's not like I can just give it to AI. Some people do. I don't. You can say, you know, hey, write me an article on NERC CIP or CMMC or whatever, it'll write you something. But is it right? Is it accurate? Does it sound like you? Is it what you wanted to say? Is it the, the look and feel like no, like technically it did what you told it to do, but it's not direct enough that it's going to build your business. So if you want AI to be, and I'll get off my soapbox, but this is just drives me nuts because people are looking for AI to be this like magic fairy that just comes in and you just sprinkle. You turn on the AI and it just, it fixes all your problems. Like, it's going to make you have a good wife and a good relationship with your kids, and it's going to fix your cholesterol and it's going to help you work out in the gym. Like, yeah, it can fix. It can give you a workout plan, but you still got to get your butt up and go do the work.
[00:39:49] Speaker A: Yeah. Oh, it's. You're absolutely right. And I heard a handful of times over the last few months that it's an accelerant, right? And it absolutely is right. And you can either put that accelerant on a really good process. And like, the companies that I see that are really winning, right?
Like, they hire a new seller, they have a selling academy that teaches them how to sell. These are the conversations. This is the pitch deck. This is what. This is how you do the job that we hired you for, right? They hire like a new attorney. This is what good is. This is what we'll accept. This is not right. Structured process procedures, right? And if you look at web and you talk about your different books, atomic habits and all these different items, it's all about process and consistency, right? And if you throw AI on a really good process and help people get that account plan faster, right? Having the conversations, doing the research, yeah, you're cooking with juice. But you throw that same accelerant on just an unmitigated disaster of data and lack of process, right? You're just going to have fire, just going everywhere. I like the analogy of kind of an intern, right? It's like the intern that comes in with 12 PhDs and access to a bunch of information and knows, like, has absolutely zero common sense, right? Or more importantly, your own business sense, right? And so it's like, okay, what are they going to do?
[00:41:32] Speaker C: Right?
[00:41:33] Speaker A: They might be the smartest person, they might be the smartest LLM on the planet, but without yet understanding the context and what good looks like and what it should do, you're just accelerating the bad, right? And then on the flip side, if we're just talking cybersecurity, right? AI and what it can do, because people that have their process in order, there's like hackers and cyber criminals, right? They know exactly how they're going to go after people. They got good processes, and they're throwing that accelerant now on it on the other side to infiltrate.
[00:42:13] Speaker C: Exactly.
[00:42:14] Speaker A: Better phishing attacks, spear phishing, not only for the top 1% of the company, but for everybody. Right. And they're going to use it to their advantage.
[00:42:26] Speaker C: So yeah, you know, it's, it all goes back to. And I think this is probably universally true across the board. It's especially true in technology. You know, again, I've walked into organizations from all sizes and you know, hey, we need help with this. We need you to help us build out a program or advise us on our program or you know, you know, give us an assessment on where we're sitting in our program. And most of the time, you know, when I'm done with that, most of the results, like, yeah, I'm like, yeah, there's some fancy cool stuff you can do. But most of my recommendations are super simple. Like, hey, don't have an any, any rule in your firewall. That'd be a good idea. You know, let's segment our networks. Let's lock the front door. Right. You know, little things. It's usually, hey, let's do basic stuff. Let's, let's have a backup. Let's have our backup off site so if that backup server crashes, you can still recover from the backup. Right. Little things like that that we've been doing in technology for 30, 40, 70 years. These are not new technologies. I am not brilliant. I'm just doing things that I've done time. And, and why? Because I've had a backup fail and I've had the backup server sitting in the same rack as the server it was backing up and the whole damn thing caught on fire. And then I don't have a backup for either one of them.
[00:43:44] Speaker A: Right.
[00:43:44] Speaker C: You know, I've been there, I've got the battle scars. That's why I know, hey, let's have a backup in another building in a fire safe proof, you know, environment that is not in this room.
[00:43:55] Speaker A: Absolutely. Which is kind of the irony of AWS and everything else or AI or cloud or any other technology is at this point, 30 plus years into a technical career, you could say three, four, five different waves of technology. The basics just never bleep and change. Right. And it's really like the basic you had.
Hygiene is probably 80 if not 90% of the solution. Right. Everything else is the sexy shiny stuff on top. Right. Which is what kept everyone's attention. But it's that 80% of just like, oh yeah, don't put your password on a sticky note under the keyboard. Maybe we should lock their front door. Oh, maybe we should give the neighbor a spare key so I have a backup. Right. In case we do get locked out. From a ransomware attack. Maybe we should have basic cameras to understand what's coming in and actually look at the logs. Or mine is like, maybe we should not a whole lot of backups on tape anymore, but like, oh, maybe we should test those tapes every great once in a while, right? And maybe not store them in the battery room, right?
[00:45:16] Speaker C: So, yeah, you know, it's, we laugh, but it's, it's so true that if most organizations would just take care of the basic stuff that's not super expensive, it doesn't take a big team to do. If you do those things really well, you'll. You've got a big percentage of the work there, like you can recover. Like, that's the thing is, is can you do a basic recovery? Are you basically, are you doing the basic stuff, right? Like you've got a basic firewall. I don't have any, any rules. You know, I'm doing a backup. I have a disaster recovery plan. I've practiced that. Everybody knows where it is, you know, the players know where it is. I'm locking the door, I'm monitoring logs. Like, those little things are not sexy. It doesn't take a lot of technology, it doesn't take a lot of training, doesn't even take a lot of time. Obviously, size of an organization is going to add time and complexity. Of course, I'm making this very basic, but those are the things that we can do. And if we do those things well and be really good at those things, your organization is going to be a lot lower risk than. Because even if you get ransomware, if you have a good process and you've got a good backup and you've tested it? It's not.
Is it going to impact you?
[00:46:22] Speaker A: Absolutely.
[00:46:22] Speaker C: Is it going to impact you the same as if you didn't have a good backup and a good recovery? Not nearly as much.
[00:46:28] Speaker A: Absolutely, absolutely.
[00:46:30] Speaker C: So all that to say, we've talked about a lot, like, what do you see coming up over the horizon again, I warned you that this question was coming and I've changed it from putting a time period on it because things are changing so much. But give me one thing that you see come over the horizon that's exciting and maybe something that's concerning.
[00:46:48] Speaker A: So exciting is. And I touched on it a little bit, I do think that technologists, right, have the opportunity over the next couple of years to help lead the business and help them understand and ask questions and like, hey, let's look at this AI thing together, right, and figure out what we can do to help drive our business forward, make sure that we're putting that accelerant on really good defined processes and really get what our business niche is down, get our processes and everything dialed in and build those intelligent process automations leveraging AI that makes sense to really add a lot of organizational value. And I think that can switch us as technologists from being the guys in the closet managing the firewall with the hoodie up. Right. No one comes to talk to unless something's broken to actually having a legitimate seat on how we can help drive organizations forward that I find exciting. And I think it's. It's time to shine the threats on the other side. So if you haven't ever really looked into the economics of cyber threats, right. And adversarial countries and what they can do, or these little businesses, like all over the planet, where it's like, oh, I got five people, like very defined processes to hack companies. It's like, oh, if I get one a year, right. I'm making a really good living. Right. AI, right.
Is going to also accelerate their processes. Right. And I don't think people appreciate the economics of cyber warfare. Right. Which could be at a nation state or it could be down at an individual organizational level. Like they do it because there's really good money in it. Right. And it's just going to continue to get worse with AI yet just like everything else. So that's the part that I find most concerning.
[00:49:00] Speaker C: Yeah. And it's just going to accelerate it. I mean, we see it already with, you know, simple things like phishing attacks and those phishing emails and how much better they've gotten. I mean, again, we've been at this for a long time. We've seen all the really bad ones of, you know, hey, the Nigerian prince, that's gonna, you know, whatever. The English is really bad. It doesn't make sense. It's obviously not from it. But now, like, it's hard to tell that it's not real. It looks, the logos are right, the language is right. They're using the same marketing copy. Like it's coming from your CEO or from whomever it's supposed to. Like, it's. They're using these tools and it's going to get easier and easier for them, which is going to make it harder and harder on practitioners. Like, I've been almost hit with a couple of attacks, phone one and another. And I'm a practitioner and I do that like my spidey senses were going off, but I got two or three steps down the road. I didn't get impacted, but it was close. And if they were, if they could do that to me, somebody that's looked. Looking for it a lot and I've got a lot of experience with these things and they still like my body sensors going off. I'm like, this doesn't seem right. But I just kept moving forward and finally I'm like, yeah, you're full of.
[00:50:04] Speaker A: Yeah, organizational safe words are gonna become a thing, I think, because it's like, like I've seen some of them.
I had one the other day that someone showed me like, you know, one of these deep fakes, like taking off of a YouTube video. Right? And these go up on like, of a senior leader talking in their voice that they had taken off of a presentation that they did. I was like, damn, that's good. Right?
[00:50:33] Speaker C: And it doesn't take much time anymore. Right. And if you think about, you know, I say this a lot, I've got hours, you know, I've got what, a hundred and some odd episodes of, of this podcast, about an hour long each one. So there's literally, you know, hours and hundreds of hours of me talking on video, seeing my facial expressions, the language that I use, the inflections of my voice, all that kind of stuff. It is very easy for somebody, even with technology they have today. Imagine what it's going to look like in a year or five years.
[00:51:02] Speaker A: Yeah, so that's the part that makes me quiver in my boots. A little bit of like the basic port scanning kind of attacks and stuff. I don't think that's where the money is going to be at from these cyber criminals. They're going to move on. Right. And try to stay one step ahead. Right. And if we're all looking at you at shiny objects and what we can do to drive, like, it's like, oh, like looking out the front window and the back door is unlocked. Right. We could get owned pretty quick. Right. Which is a major, major risk and could impact valuation of companies, ability to sell, like, and all sorts of badness.
[00:51:46] Speaker C: 100%. Well, awesome, man. I appreciate your time today. How do people find out about you? Any call to action for anybody come check you out, all that kind of stuff.
[00:51:55] Speaker A: Yeah, no, always happy to chat. I love having these conversations. I consult with a lot of different boards and executive groups on AI and cyber and just enjoy talking about it. Best way to find me is just on my LinkedIn. Neil D. Morris. Right.
We'll include kind of a link there and, you know, reach out. I'm always open to have a conversation. I'm just a geek at heart that enjoys nerding out on some of this kind of stuff. So appreciate you having me on to just, just do that.
[00:52:27] Speaker C: Absolutely. Thank you again for your time. I appreciate it, man. And everybody definitely check out his LinkedIn, see what all the reach out if you have questions, etc. So thank you again for your time.
[00:52:35] Speaker B: Until next time, thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cyber security. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
