Navigating Cybersecurity Challenges in State Agencies with Joshua Kuntz

Episode 53 April 14, 2025 00:41:44
PrOTect It All

Hosted By

Aaron Crow

Show Notes

Episode 53 digs into the intricate world of IT and OT cybersecurity with host Aaron Crow and guest Joshua Kuntz, the Chief Information Security Officer for a state agency in Texas. With a background spanning more than two decades and work at seven state agencies, Joshua shares his journey from the Marine Corps to leading security programs in the public sector.

The episode covers the transition from military to government cybersecurity roles, the mechanics of budget allocation under a biennial legislature, and why cybersecurity leaders need business soft skills alongside technical depth.

Joshua offers insights into tracking legislative changes, adapting to rapid technological advances, and balancing cybersecurity risk against operational priorities, including how an agency decides what is actually critical when everyone believes their system is.

The conversation closes with practical strategies and real-world experiences aimed at protecting critical assets in today's dynamic cyber landscape.




Key Moments:

05:46 Ownership Alters Risk Perception

09:39 Technical Leaders Developed Through Soft Skills

11:52 Value of MBA Over Technical Expertise

14:29 Navigating Ambiguity in Future Planning

19:46 Questioning Budget Cuts Amid Surplus

21:05 Efficient Resource Sharing in Texas

25:31 Remote Work Cybersecurity Challenges

27:36 VPN Secure Access for Remote Work

33:21 Prioritizing Critical Executive Decisions

34:45 Understanding Cyber Risk Impact

38:16 CISO Role: Beyond "Yes Men"

41:05 Exploring IT and OT Cybersecurity

About the guest:

Joshua Kuntz is a dedicated professional who successfully transitioned from a military career as an electronics technician to a role with the Texas Department of Public Safety. Embracing the paramilitary structure of the department, Joshua leveraged his military experience to adapt to the law enforcement environment, focusing on protecting citizens. 

While he found comfort in the familiar rank structure and chain of command, Joshua faced challenges in adjusting to personnel management outside the military realm. Despite the loss of certain disciplinary tools common in the military, Joshua continues to evolve as a leader, emphasizing adaptability and commitment to public service.

Connect with Joshua: https://www.linkedin.com/in/joshua-kuntz-cissp-35a825176/

Connect With Aaron Crow:

Learn more about PrOTect IT All:

To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4


Episode Transcript

[00:00:00] Speaker A: Just sharpening that knife from real sharp to razor sharp on the cybersecurity side is not going to help that much. But if you get a new knife, now you have a whole new tool set to make the cuts with.

[00:00:13] Speaker B: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow.

[00:00:33] Speaker C: Awesome. Hey, thank you for joining me. Another episode of the Protect It All podcast. I've got my friend Josh here. We actually just went to a hockey game the other night, so it hadn't been that long since we saw each other. Josh, why don't you introduce yourself, tell us who you are and kind of your background in this fun cybersecurity space.

[00:00:49] Speaker A: Absolutely. So, Josh Kuntz, currently the CISO for a state agency here in Texas. I've been doing this for, shoot, going on 24 years now. And this is my seventh state agency, the fifth one that I've led the security program for. Before that I was six years Marine Corps as an electronics tech, which helped me make the transition over to state service, and I'm just really excited about kind of where we're going in this field.

[00:01:21] Speaker C: So what was it like? I do talk with a lot of folks that were primarily military and made that transition. So obviously going from military to a state agency in the public sector, what is that transition like? Most of the folks that I've talked to have transitioned into the private space, which has been a harder transition. Do you think it's been an easier transition going into the public space as opposed to the private space from that military career?

[00:01:47] Speaker A: Well, I made it a softer landing for myself. So when I left the military as an electronics technician, I went to the Texas Department of Public Safety. It's a law enforcement entity that is paramilitary, so they have a rank structure and a very strong chain of command. That part was a little easier to transition over into, and it's a similar mission as far as protecting the citizenry. So that made the transition a little easier. I will say that as a manager, a personnel manager, that was a much harder part of the transition. I lost a good portion of my toolbox when I left the military. The whole physical portion was gone: I couldn't stand you at the position of attention and berate you for an hour or make you do push-ups until you collapse. That kind of stuff was gone.

[00:02:44] Speaker C: Now that's disappointing, I think.

[00:02:48] Speaker A: Yeah. It was difficult the first couple of times I had some disciplinary instruction to give, figuring out how to not go back into those old habits.

[00:03:02] Speaker C: So obviously, again, this is not to be political at all. Listeners, this is not that. We see a lot in the news today with the new administration coming in and DOGE and all the things, and again, I don't want to talk about that stuff. What I'd love to talk about is, since you have been at multiple agencies, and they're state agencies, but they're still large. Texas is a big state. We have a lot of resources. What are the differences? So obviously you've seen multiple of those agencies. What are the strengths and weaknesses that you've seen between agencies? And again, I'm not asking you to call anyone out by name at all, but really just some of the struggles that you've seen, because I know from the private side a lot of corporations struggle with finding budget and finding the right resources and finding the right justification to do these projects. Having that experience from the government side, can you talk to that a little bit?

[00:03:59] Speaker A: Absolutely. Some of it is a little easier for me on the government side, because we have regulations that require certain compliance and there's a floor that we have to meet. Unlike the hold that regulatory bodies have on the private sector, which is on very specific tasks, they get to direct every part of a cybersecurity program in the government space. So I at least had the "well, it's required by statute" as part of my justification in any of my funding asks. The next best piece I had in making sure that my funding asks got the attention they needed is storytelling. I was fortunate enough not to be in any state agency that had a major information security breach, but we have had some. The most famous was the 2010 Comptroller of Public Accounts breach, where they had a server on the Internet that did not have authentication protections and was exposing millions of state employees' data. That was a big wake-up call. And the response to that, especially in 2010 when credit monitoring was not an inexpensive thing: the cost of that actually got borne out of the campaign war chest of the comptroller, who is a statewide elected official. That woke up a lot of state agencies. Wait a minute, I might have to be personally responsible for this.

[00:05:49] Speaker C: Right.

[00:05:50] Speaker A: That's not okay. And so they started thinking, let's make those small investments now so I don't have this big cost later.

[00:06:00] Speaker C: That's interesting. It's amazing how a little bit of ownership changes that perspective. And it also changes the willingness to accept risk. A lot of the conversations I'm having with executives and boards, board directors, C-suite executives, are all about translating that risk and making sure they understand the risk that they're accepting and that they're really comfortable with it, because it's really easy to accept a risk on paper without truly understanding what that risk is. You look at Colonial Pipeline, you look at a lot of examples where they accepted the risk, but nine times out of 10, if we went back to them and had that conversation, they'd probably not be okay accepting those risks once they fully understood what that risk meant.

[00:06:44] Speaker A: Yeah. And I think that's a big part of the job that is lost on a lot of CISOs. I know that the traditional paths to cybersecurity were network, server and desktop support. Maybe some folks came through application development, but primarily those areas, very technically minded. Now we're seeing that start to shift as more and more colleges and universities have cybersecurity degree programs. But it's a very technically weighted industry, and we tend to talk in technical risk: this CVE with this score and this risk level. And they don't understand that; you've got to break it down. A lot of this job, if you're doing it right, is translation. It's taking those technical risks and explaining how they can impact the business, how they can impact the mission of your organization. I would say that there was some clamor over the new SEC rules, especially in the CISO community, when the first rules came out. It was like, oh, you're going to require that you have someone with a cybersecurity certification on the board. Those of us who've been doing this a while said, oh, wait a minute, there are some board seats going to open up for us. And then they softened that. They said, you have to have board acumen, or the board has to have cybersecurity acumen. Okay, we'll see how that goes. But they did add the rules about having to disclose cybersecurity incidents if they were material. And so the question started becoming, well, what is material? How do you define materiality? And who says that it's material? In my circles, we've been having this conversation in the last year or so, and it shifted. Initially it was like, oh, well, we need the CISO to tell us if it's material. And you push back and say, no, no, no. Our job is to tell you what happened. You need to tell me whether or not that's material. So we started getting the risk attorneys involved and getting people who have a better idea of how to translate that. But that shift is: you have to be able to speak in business language and take that technical knowledge and translate it into something they'll understand, or it's just a bunch of gobbledygook and they don't care.

[00:09:10] Speaker C: Yeah. In my career, I started out on that technical path you just talked about: network engineering and architecture, systems administration, Active Directory and VMware, all of those super technical things. And I got to a place in my career where I kind of hit that glass ceiling. There's not much else to elevate me to that next level on that technical stream. So I really had to work on those softer skills, and I wasn't comfortable in those places. Honestly, it was thrust upon me. I worked at a power utility in Texas, and it was very forward thinking: they created this thing they called leadership circle. They took their top leaders, most of them technical engineering type folks, and put them into this leadership circle where we did book reports and had to create business use cases and go over business risk and do presentations, really those softer skills that we didn't have a lot of opportunity to hone. The first year I was in it, I was annoyed, because I'm like, I'm not in college anymore. I don't want to read a book. What am I doing? This isn't going to help me configure a firewall, and that's what I do. But man, looking back now, I'm so glad that I did those things, because that allowed me to get to the next places in my career. It's why I was a CTO of a software company. It's why I was an executive at Ernst and Young, and now at Morgan Franklin. The things that I've done, yes, I'm still technical, but you don't want me configuring your firewall. If I'm configuring your firewall, then we've had a bad day.

[00:10:57] Speaker A: Working side as well. If you put a gun to my head, I could probably question-mark my way through a firewall configuration, but it would take me 10 hours for what would take a normal analyst about 30 minutes. But yeah, I haven't been hands on keyboard in years because of that. I manage programs and personnel, and making that transition from the technical expert to the personnel and process expert who has technical knowledge is what really has advanced my career through the years. I do mentor a number of folks, and I've given advice to folks that are asking, how do I get to the next level? I'm going back to college, should I get a cybersecurity degree? And I'm like, well, are you already doing cybersecurity work? Well, yeah. Okay, well, you don't need the cybersecurity degree.

[00:12:04] Speaker C: What are they going to teach you?

[00:12:06] Speaker A: You need a business degree. And they look at me, and I say, if you're going to go for a master's, go for an MBA, because that'll give you the skills that you don't currently have. Just sharpening that knife from real sharp to razor sharp on the cybersecurity side is not going to help that much. But if you get a new knife, now you have a whole new tool set to make the cuts with. It's really more useful, the higher you get in organizational structures and the more span of control that you're given, to have those softer skills, as you call them. I went through the state's elite program, which is really geared towards building the next generation of CIOs. It was all they had; it was technical, but then we had those soft skills in there. How do you testify in front of the Senate? How do you prepare a legislative appropriations request? What does that process look like? How do you build a budget within the state parameters? Because we do biennial budgeting. So I have to think about what I need three years from now so that I can ask for it six months from now when the legislature's in session, and then get it almost a year, a year and three months, from when I asked for it, to start to use it for the next two years after that. So you have to think way out ahead of yourself. In technology, that's ludicrous. It changes so fast, the threats change and the technology changes, and to try to keep up with that is difficult. So I teach a lot of folks; I have a mentorship program for CISOs, and we teach that process: when you're asking for things, don't be specific. They're not going to be able to publish your list anyway, because it reveals vulnerabilities. Be general, ask to take care of a functionality problem, and then once you get there you can start looking: okay, what technologies are we going to use to address this, and how much? You have to get good at guesstimating cost, what's out there, what will fit within the budget I got, and how do I make that work for the landscape that you find yourself in at the moment you actually have the money.

[00:14:43] Speaker C: Well, another one of those soft skills I think you're really talking through is dealing with ambiguity. To your point, you don't know the answer. Two years from now there's no way you can know exactly what technology is available, or even what gaps you're going to have, or what the priority of your risk is going to be. But you have to be forecasting something. Hey, I know that I need some help around secure remote access, or even more general than that, access into my environment, and data loss prevention, and whatever those things are, cloud based, AI focused, whatever. Put a big enough budget and estimates in those things so that you're not trying to gold plate anything, but you've got enough budget and wiggle room that you can actually get the things done that need to get done. Because you're stuck with that budget for the next couple of years after you get it approved.

[00:15:39] Speaker A: And even further than that, who could have predicted two or three years ago the impact that AI is having on cybersecurity? It was a thing, but it's like, well, where is it going? How advanced is it going to be? How useful is it going to be? Is it purely academic? Looking into the future, I know that quantum computing is a thing that seems to be making some headway, and we may see some of it. What impact is that going to have on the future of cybersecurity, and how do we try to plan for that when the technology's not there? Otherwise you play super catch-up: we'll have to wait till that comes out, and then in the next two-year cycle I'll ask for money for it, and that's putting yourself behind the eight ball.

[00:16:36] Speaker C: Well, the other piece to this that we all have to fight with, and I'm sure it is not more so, just different, for you guys in the government space, is that it's not just technology. It's easy to talk about firewalls or AI or secure remote access or whatever the thing is, but it's people, process and technology. So you need bodies, and as the CISO you're impacted by decisions that other people in the government agency are making, whether they're hiring people or expanding or whatever they're doing in those spaces. Those all impact you, and you may not necessarily know what those things are going to be until too late. So how do you go about thinking about or planning for those things that you may not even be aware of two years down the road?

[00:17:21] Speaker A: Well, the fact that our legislature only meets once every two years for 144 days...

[00:17:28] Speaker C: Yep.

[00:17:29] Speaker A: ...does have its advantages.

[00:17:30] Speaker C: Sure.

[00:17:31] Speaker A: That means they also can't come up with new ideas in the middle, between sessions. They can't just revisit it all the time. So that gives us some predictability in what the requirements are going to be. I talk to my fellow CISOs about this all the time: you've got to be plugged in with your GR folks, your government relations people. If you're not, you're going to have a problem, because they need to know that you need to see bills as they're being considered. When they get assigned to a committee, they've got legs. Now you've got to have an idea of what the impact is, and you've got to write impact statements like, oh, well, this is going to add a whole new regulatory framework to our agency, and it's going to require us to look at different data than we currently do. And oh, by the way, that's data regulated by the feds, so I've got to put different security controls in place. Well, that's going to cost some money. So I need to add bodies or funding for new tools or new security controls to that bill, to say, hey, that's got a fiscal note on it. It's going to cost me money to implement that, because it has implications. If you're not part of that conversation, it just comes to you: oh, yeah, so this passed. Now you have to do it, figure it out with what you've got.

[00:18:56] Speaker C: Right. Which means you're robbing Peter to pay Paul to try to figure out where you're going to find the money. Because unfortunately, as much as my kids think it does, money doesn't grow on trees.

[00:19:09] Speaker A: Yeah. Well, that is one of the other things we're blessed with here in Texas: we can't just print the money. We're constitutionally obligated to have a balanced budget, so we can't run a deficit. And that helps, because it makes us a little more conservative about the spending. It also gives us the opportunity, if you have a bill that's going to be really crazy, and that happens, you get stuff where people want to regulate manhole covers, and we're like, okay, I don't think that's really necessary, and in order for us to do that we'd have to increase the number of inspectors we have by 6,000. You start attaching those kinds of numbers to those bills and suddenly they get disinterested in regulating manhole covers.

[00:19:57] Speaker C: Right. Yeah. Maybe that's not as important as I thought it was.

[00:20:00] Speaker A: Yeah. So that's part of that process: understanding where to say, okay, is this really needed, do we need to be a little more... Well, you said it, in the age of DOGE. And Texas is picking up that mantle a little bit, except it's a council, a committee for delivery of government efficiency or effectiveness, I can't remember which. They're looking at how do you do more with less. Which I also have to laugh at. I'm like, we came into this budget cycle with a record surplus. Why do we have to cut? Let's figure that out. Is that really necessary?

[00:20:49] Speaker C: Yeah. Well, Texas is unique in that way. We have a record surplus, us and a few other states. And again, this is not a political statement, guys. We're not talking politics here. We're really just talking logistics. Texas is in a great, unique position in that they've handled our budget very well, so that we're talking about getting rid of property taxes because we don't need them. We're in a surplus and we have enough revenue coming in from other avenues. So, offering things like that. But to do that, to your point, we have to be fiscally responsible with the resources that we have if we're going to do interesting things like that and continue to grow and be safe and provide services that our citizens look forward to and need, whether that be roads or bridges, or, you talked about the Department of Public Safety, or firemen or policemen, all those things that we've grown accustomed to, not to mention power utilities; our Texas grid is independent of the rest of the country. There are just so many things in a big state like this, in any state really. There are so many factors that go into those things. And you said you've worked at six different agencies within the government. There are so many agencies, so how much do you guys share and cross-pollinate programs and processes and work that you're doing, to get the benefit of economies of scale? I know Texas is big, but we've got X number of agencies. Are y'all sharing stuff? Are you getting one Microsoft license? How does that work across agencies?

[00:22:26] Speaker A: So we do have a state central IT department that does the large purchasing and that sort of thing, so they get better contract terms and cost. Instead of each agency trying to negotiate contracts with Microsoft, there's one major contract with Microsoft for all state agencies for buying email and support and that kind of thing. They do big contracts with the laptop suppliers. So it's not just, I'm doing a deal with an agency that's 300 people; I'm doing a deal with the whole state government, it's tens of thousands. You get the better economies of scale there, and that works, mostly. You do have some inefficiencies or some lag because that process is cumbersome, and it's like a pendulum swing. It gets more and more cumbersome as people make foolish mistakes like brother-in-law deals and no-bid contracts, so they put a lot more process on top of that, and it makes it harder, it takes longer. But if you swing too far the other direction and you get fewer and fewer requirements and guidelines, then you have grift and people doing sweetheart deals, and that's not in the best interest. So you're trying to find that sweet spot of enough regulation to make sure that everybody's honest, but not so much that it takes too long, especially in the technology space where things change so fast. If it takes five to six years to get on a state contract, those new, inventive technologies have come and gone. They got here, it's a thing, and now it's baked into other things. That's a tough position to be in.

[00:24:30] Speaker C: Sometimes it is. But also, if you think about it, the fact that you survived even though the technology came and went and you didn't get the technology shows that, okay, maybe the technology wasn't all that great in the first place and that you could figure out another way around it.

[00:24:45] Speaker A: Oftentimes we just have to figure out how to work through it. But with that, like I said, we do have the economies of scale of purchasing. You have some economies of scale in data center services, that kind of thing. But because it's so bureaucratic, it gets cumbersome to try to meet the business needs of each individual agency. They have different missions, they have different executive leadership who have a different vision and different things that they're trying to accomplish. So trying to meet all of those and balance between being lean, having just enough staff to meet the need, without having so many staff that you have people going idle, it's a tough balance.

[00:25:45] Speaker C: Yeah. And throw COVID and remote work into the mix, and all those things just made everything more difficult, in state governments and in the corporate and private sector alike. We're still having those conversations. That's another topic right now, working remote and all those things. And again, not to get into the political thing or say where somebody should work or not, but there are technical and cyber and risk statements to every one of those things. If somebody works from home, then your device is on their home network. Is it safe on that network? What else are they plugging into it? Are they taking it to Starbucks and connecting to the public Wi-Fi? There are all these other risks that come aboard that you don't have when you're inside the office. Back in our day it was a desktop attached to your desk, so it was perfectly safe unless somebody broke in and physically walked up to your desk. Right?

[00:26:42] Speaker A: Different organizations have the risk tolerance we talked about, the amount of risk that they're willing to accept when it comes to how inconvenient we can make the desktop experience versus being secure. I'm fortunate that we're a little risk averse here, and we only use agency devices, so it's only managed devices that come onto our network. Some of that came out of what we affectionately call the Governor's ban on TikTok, where in order to utilize BYOD you had to have the ability to manage those devices, control what other applications could and could not be on there, and containerize the area that the agency data would be on. And we're like, we don't have that tool currently and we don't have the extra people to manage that kind of thing. So we said we're just not going to do it. There's no BYOD. You have to use an agency-managed device. We have VPN on login, so when you log in and you're on the Internet, it connects you directly to our systems. You don't get to go to the open Internet on anything else. That doesn't eliminate, but it helps mitigate, a lot of those risks with work at home. In many areas the government still struggles. If you have regulated data that you're dealing with, the rules around that regulated data were built pre-COVID. They're expecting certain physical protections for the area where that data is being handled, especially if you're dealing with criminal justice information, and there are draconian measures if you're going to try to do it remotely: you must be subjected to a physical inspection of the workspace. You have to have a separate workspace that doesn't have outward facing windows, or the computer can't be facing an outward facing window. You have to have the ability to keep family and unauthorized personnel away from those kinds of things. So it creates a burden, and working through that is sometimes cumbersome. I'll say that for sure.

[00:29:24] Speaker C: Again, like I said, I came from power utilities; I spent a lot of time there. Regulation like NERC CIP, for instance, is the same thing: who has access to that data, where can you access it from, what data is available. You have to go through training courses to even be able to have access to the databases and the asset information and all that kind of stuff, for obvious reasons, because the data that we're talking about is protected. And the same thing goes with PCI: people's personal information and credit card information and Social Security numbers. We've all been hacked. I always laugh when people are like, well, they're going to get my information. More than likely, if you've been on the Internet in the last 10 years, they've already gotten your information in a number of different attacks. I had a security clearance. It's not secret or anything, but I had a security clearance, and I worked for a nuclear power plant, so I had the DOE's background check to work at a nuclear power plant. And I also had a security clearance so that I could have certain conversations with three-letter agencies around risks and things like that pointed at power utilities in general. So that database was stolen. All the information for all my background checks was taken by whomever. I'm pretty sure it was China, but whatever. So that information was out there. Any time anybody's like, well, they're going to get your Social Security number, it's been gone 50 times.

[00:30:51] Speaker A: Yeah, the key is, don't give them any extra information to get into your bank.

[00:30:56] Speaker C: Correct.

[00:30:57] Speaker A: And I talk about that a lot. I've worked at agencies where we had highly regulated data: FTI and IRS data with PUB 1075 requirements, CJIS requirements, the federal Office of Child Support Enforcement, SSA, the Social Security Administration, Department of Labor, Department of Education, and they all had a little different requirement on what you're doing. And it was an organization where we were paying out benefits, so now you have the possibility of fraud in multiple vectors, because billions of dollars are going out. Well, I'm currently with a regulatory entity. We collect a fee, and the way we collect it is either you send us a check or you go to the state's online payment portal, which I don't manage, and pay for it. So I don't have a massive target. We have millions of personal records, yes, and they're worth about a nickel apiece. What they want is your bank account or a credit card where they can actually get money. Your PII, yeah, we have to protect it. We don't want to be just willy-nilly letting people have it. But they're only going to expend so much effort to get that kind of information, because it's just not worth it. Now your checking account number and your routing number and a copy of your signature, that's a lot more valuable; they can empty out your bank and get some actual money for that transaction. So that's where you're having to kind of temper those expectations sometimes when doing a business impact analysis, where everybody wants to believe that their stuff is critical. I've worked at agencies where the data was critical, the system was critical. If the system went down, people's lives were at risk. Okay, that's critical. And then in some conversations when I'm doing this it's like, oh, I have this critical application. No, you have an important application. No, it's critical. If that application goes down, will anybody die? Well, no, nobody's going to die. Then it's not critical. Listen, let's level-set what critical is. Everything can't be number one. If everything's number one, nothing's number one. So having to go through that, sometimes that's a really hard conversation to have with the group of executives, where you're having to tell them that out of the 10 programs we have, yours is number eight. And they're not happy about this. Well, that's why we have these group discussions where we can talk about what is actually critical, what is the next most important thing, and what's the next most important thing after that. And the surprising one when we have those is that you need to be able to get your HR payroll people back to work right after your life safety systems. Why? Because your state workers are not going to miss a check and still work for you. Most of these folks might have one month of slack in their budget, where they've got savings so they can make it one month after the check stops coming. But some of them don't have that. Some of them are waiting for that check to hit so they can go to the grocery store for next week. And we only get paid once a month, so if the disaster happens on the 25th of the month and we haven't certified timesheets yet, they're not getting paid.

[00:34:53] Speaker C: Right.

[00:34:53] Speaker A: And there's a problem.

[00:34:55] Speaker C: Yeah.

[00:34:55] Speaker A: So let's make sure we get those things up first.

[00:34:59] Speaker C: Well, it goes to understanding the risk to the business. And it's not always a nation-state bad actor, Russia, somebody coming after you. Sometimes it is, but many times it's not. Ultimately, it's understanding the risk to your business. With that cyber risk, the attack vector doesn't matter, whether it's malicious or malware or phishing or whatever. The thing is, what is the impact? What is the impact to your business? What is the impact to your employees? What is the impact to the customers that you're servicing?
What does the impact your reputation? Like, those are the conversations that you've got to have. And I've been in those conversations, you know, where, where the CEO, you know, thinks his email server is critical. It, it's important. But if the email server goes down, we still do business. Nobody's lives are impacted. Like, we're, we're still able to make payroll. So, yes, your email server is really important to you, but ultimately to the business, it is not critical. Now, you can make it critical if you want, because you're paying the paycheck, all right, and you're signing the checks. But ultimately you're going to have to prioritize that over other things because everything can't be critical to your point, unless you have an unlimited budget. And even that, you still have to prioritize. Because if everything's a 10. Okay, which 10 do I take care of first? [00:36:18] Speaker A: Yeah. At some point you got to put them in an order. And which one am I first? Yeah, because we can't bring them all up at once. [00:36:25] Speaker C: Right. [00:36:25] Speaker A: So, yeah, that's a, that's a good point. And we, we talk about that. You know, the thing that's most important to the, to the executive management is sometimes gets the most, most grease. And it's like, well, yeah, but, you know, is that the thing that really is the most important? I like using the new example, the, the Clorox breach. And we know about that because they're publicly traded company and they had to file their AK on that. And this was no longer that. I think that was one of the turning points that and Sony were the turning points where it went from. Well, you know, if we have a cybersecurity breach, it's data. We'll have to make a notification. The cost of, of credit monitoring has gone down. It's only, you know, 25 cents a person. It's not really that. It's not going to cost us that much. Okay. But those, those data breaches cost you. 
The thing that you actually use, you know, in the case of their intellectual properties is their movies. So that's, that's their whole. In their music. That's, that's their portfolio in the case. And it was more poignant in the case of Clorox, that ransomware event shut down production line. They can't make the product they sell. That's critical. Yeah. And I guarantee you their cyber security budget got a 5x in injection after this because they never, ever, ever want to have that happen again. Because in, you know that I love this classic meme of the. The pile of pennies, you know, the cybersecurity budget before the, the breach and the pile of, you know, $100 bills, you know, the cyber security budget after the breach. [00:38:15] Speaker C: Yeah. [00:38:16] Speaker A: Which, you know, most. You know, I'd like to not have to go through a breach to get the budget up to where it needs to be. But that's why I point to these examples and say, let's not be them. Let's spend a little now to not spend a lot later. [00:38:30] Speaker C: So how much, how much do you see your job as a CISO and your, and your peers, your CISO peers as a job to be. Because to your point, we, we've seen the yes man. We've seen the, the, the cyber, the CISO or even just the executive in general. That is the. And it happens all the way down in the military. Right. You don't want to, you don't want to, you know, talk about the bad. You want to, oh, everything's great. We've got it under control. It's going to be, we're going to win it by next week, you know, you know, I'm going to, I'm going to sign the treaty by, by tomorrow, the day, you know, all the things that you hear politicians say and yes men say, but ultimately that's not the best thing for the business. The struggle is, is how do you, how do you weigh the benefit to you and your career over telling the boss bad news or their baby is ugly when it. Maybe it's the real thing to do. 
So how much of that is your job is to be the one that really stands up and says, hey, these are the facts. Just the facts, ma'am. [00:39:30] Speaker A: Yeah, unfortunately, that's the job. And I keep saying this. We have a, in our service CISO mentorship program. The last session that we do is on managerial courage. I talk about that and talk about, there's, there's the everyday managerial courage with a small C. That's the having the guts to have difficult conversations with your subordinates. Right. Hey, your performance really isn't. I need to, you know, I need you to make this improvement or, you know, what you did was not okay. You know, if you keep doing, have a problem, you know, nobody likes to do that stuff. It sucks. But you got to have the courage to make those little, you know, get through those tough moments. Then there's managerial courage with a capital C. And that's those life changing moments where you have to go and tell the boss's boss's boss that there's a problem and that problem is going to cost him public embarrassment. And your boss's boss is the one that started it and that's gonna be a problem. [00:40:45] Speaker C: Hey, everyone. Unfortunately, we had a sudden technical issue during our conversation with Josh and his video feed got disconnected. We tried to reconnect, but it looks like we weren't able to actually get him back this time. That said, we hope you found the conversation valuable up to this point. Josh shared some really insightful thoughts and we're going to definitely plan to have him back soon for part two where we continue where we left off. Thanks for sticking with us. Sometimes tech just doesn't play nice. But the mission stays the same to help you protect what matters most. We'll catch you next time on the next episode of Protect It All. Until then, stay safe, stay smart, and keep protecting it all. [00:41:19] Speaker B: Thanks for joining us on Protect it all, where we explore the crossroads of IT and OT cybersecurity. 
Remember to subscribe. Subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.