Why Cybersecurity Is More Than Just Technology and Tools with Paul Marco

Episode 58 May 19, 2025 01:07:57
Why Cybersecurity Is More Than Just Technology and Tools with Paul Marco
PrOTect It All
Why Cybersecurity Is More Than Just Technology and Tools with Paul Marco

May 19 2025 | 01:07:57

/

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow welcomes lifelong cybersecurity professional Paul Marco to the podcast. Fresh off of a fun, bourbon-fueled appearance on Paul and Evan’s podcast, Cyber After Hours, Aaron and Paul sit down for a candid conversation that covers everything from the pitfalls of shiny new cyber tools, to the real-world challenges of defending both networks and people.

 

Tune in as they discuss the importance of making the most of what you already have, the realities of cyber as a “cost center,” and how availability increasingly trumps confidentiality in today’s threat landscape. Paul shares powerful insights from decades in cyber operations, the difference between theory and real value, and why storytelling and business skills are now just as vital as technical chops.

 

From protecting small businesses to demystifying the impact of AI and quantum computing on everyday cybersecurity, this episode is packed with practical advice, plenty of war stories, and even a few laughs. Whether you’re a seasoned security pro or just starting out, you won’t want to miss this lively and wide-ranging discussion on how to protect it all.

 

Key Moments: 

05:38 Tech Rationalization Over Product Dependence

10:42 "Cybersecurity: A Costly Necessity"

17:44 Privacy Is Obsolete

25:51 Cyber Crime Funds Dark Activities

26:39 "Preventing Cyber-Facilitated Crime"

37:50 "Exploiting AI: Ethics Versus Greed"

46:44 Understanding Business Elevates Cybersecurity

48:01 Broadening Skills Beyond Cybersecurity

54:19 CISOs Need More Than Tech Skills

58:56 "Tech Threatens Critical Thinking"

 

About the guest : 

 

Paul is the Co-Founder of TALAS Security and the Co-Host of the Cyber After Hours Podcast. With over twenty years of experience in IT and Cybersecurity, Paul is a senior cybersecurity leader who has built, maintained, and operated enterprise-grade Cybersecurity programs in highly complex environments. His expertise lies in taking a "controls first" approach to Cybersecurity. He specializes in designing programs that maximize the use of existing capabilities to balance both defense and compliance to accelerate organizational maturity. He creates sustainable solutions that enable organizations to effectively manage their cybersecurity risks and is committed to staying ahead of the curve in an ever-evolving cybersecurity landscape and helping organizations securely achieve their business objectives.

How to connect Paul: 

LinkedIn: https://www.linkedin.com/in/pm01/

Talas Security: https://www.talas.io/

Cyber after Hours Podcast: https://www.cahpodcast.com/

 

Connect With Aaron Crow:

 

Learn more about PrOTect IT All:

 

To be a guest or suggest a guest/episode, please email us at [email protected]

 

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: I want my life to be easy. I don't actually give a shit about my data. I know it's out there. Equifax was breached. Target was breached, Home Depot was breached. Like, the list goes on. [00:00:11] Speaker B: You're listening to Protect it all, where Aaron Crowe expands the conversation beyond just OT delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Welcome to the show. Thank you again for listening this week. I'm excited to have my friend Paul on the podcast. This is going to be a fun one because I was just on. On Paul and Evan's podcast a couple of weeks ago. We recorded there's. They had bourbon and all the fun things and drawing ideas out of a hat. So if you haven't listened to their podcast, absolutely go over there. Great content, a lot of fun, a lot of amazing discussions and people coming on guests. It's a. Etc. So, Paul, with that, please introduce us to the. To yourself, to. To the audience, and let us know a little bit about you. Sir. [00:01:01] Speaker A: Yeah. Well, first, thank you for having me. This is weird to be recording during the daytime. Usually. I usually record it's nighttime, it's late, like, work is over, like, so this is a different experience for me. But yeah, to your listeners out there. What's up, everyone? My name is Paul Marco. I am a lifelong cyber security professional. Right. As. As you said, we've been trading podcast appearances. So thank you for that. And this was my turn, right? And I'm. I'm super psyched to be here. You know, funny, funny thing is we. We started this podcast, Evan. I started our podcast, Cyber After Hours, because I was. I was basically just bitching one day. I was like, dude, I haven't. I can't get on a podcast. It's something I've wanted to do forever. You know, I've always wanted to, like, get out there and like, you know, have these types of conversations. He's like, well, just start one. Like, oh, okay, great. And now this is the second one I'm recording that's outside of mine. It's like, when it rains, it pours. Right? [00:01:50] Speaker B: That's right, man, that's awesome. [00:01:51] Speaker A: So, yeah, so a little bit, A little bit about me. So, like, I, like I mentioned, lifelong cybersecurity professional. Most of my career has been in cybersecurity operations, so almost entirely focused on things like building detection and response, incident response, cyber, cyber threat intelligence, kind of putting all those pieces together. Everything that's part of that ecosystem. I love the IAM space. I've run a few different IAM spaces from an ops perspective, even delved into things like vulnerability management and app security. Although app security is not my strong suit. Right. My app security experience is like, hey, smart people, like, what do you need? I'll help you. Right? That's it. The other stuff I can play around in, but that's really been it. It's always been. I've always been the guy that takes all these amazing tools, all the incredible innovations we have in cyber, and does something with them. Right. That's kind of how I like to explain. Ops is like, all right, we've made all these investments. We spent all this time tuning loading logs, normalizing, parsing, putting in blocks. Right. But now someone's actually got to take that information and do something with it. Those are the spaces I plan well. [00:02:52] Speaker B: And that, that's where the rubber hits the road. Right. It's, it's easy. I just got back from rsa. It's easy to go look at RSA or Black Hat or any of these, you know, Gartner, any of these large cyber conferences or at least conferences that have cyber vendors there and to see all the cool stuff. I mean, there's literally a thousand different vendors at rsa and they all have amazing things. But if you, if you really look at that and you think about it, hey, I'm an asset owner. I've got XYZ problems. I don't, I don't need a thousand solutions to my problems. Right? Right. I may already have a tool. Maybe I've got some overlap. Am I using my tools correctly? Are my people trained on my tools? Do we have a process to respond? Like, there's a lot of things that, beyond just going. And again, I came from being a vendor as well. I was the CTO of a software company. Software and products are good. I'm not, I'm not bashing the product space, whether it's hardware, software, or even services. Like, I do services, you know, consulting. But sometimes it's, it's really easy to, to focus on the FUD and, and the, the cool new AI or the new widget or the new capability. And it's just like, okay, are you really running what you have to the best of its ability? Because that, that's usually the first place I look as a consultant. I'm not your stereotypical. You need to rip it out. And, you know, the, the assessment has red all over it. Like my, you know, ninth grade English, English paper You know, that just looked like somebody bled on it. Because I'm so, so bad at that kind of thing. Right? But, you know, it's, it's foundational things. Like, are you doing well with the things you have? Like, what technology do you have? Are you getting the most out of it before you start upgrading? Right? And before you start saying, well, I need this new thing. I need this new thing because I've seen so many organizations that have bought the latest technology for the past five years, and they never finish implementing it, or they implement it, but it just sits there and nobody's actually using it. So they're really not getting the value out of those tools. How often do you see that? [00:04:48] Speaker A: Oh, my God, Preach. I think it was three minutes before he got on our first soapbox. This is gonna be a good one, right? I'm psyched on. No, look, I, I 100 agree. I find your ideas intriguing and wish to subscribe to your newsletter. Like, the things that you're saying are a hundred percent true. And this is the problem is, and I think part of the issue is, like, cyber security is born of technology, right? We're all technologists first. [00:05:11] Speaker B: Sure. [00:05:11] Speaker A: Right. And then we have to learn technology. We have to learn how those systems work, we have to learn how things are talking, and then we have to figure out the security on. On top of. So the thing is, as technologists, like, we love innovation. We love playing, man. We love getting into the new tech and the new interfaces and pushing the buttons and seeing what things do and saying things like, oh, this is cool. But that's the trap, right? The trap is you can start to look at products and be like, I wonder what problem I have that this can solve for me. When anytime you're purchasing tech, it should be, this is my problem. What's in the market that I can use to solve that problem, right? Otherwise, you're just collecting technology. And to your point, like, you know, this is where we start to get, like, the duplication of capability, right? I'm. I'm a fundamentalist, right? For me, it's never about product. I don't talk about Palo or Cisco or Splunk. I talk about, do I have the ability to block things at the network level? Do I have the ability to search logging? Do I have the ability to contain a workstation? Right? When you break that away, those capabilities away from the product, that's how you build true control. And the thing is, like, these products come with multiple capabilities. So when you buy something for that onesie2z problem that you have. You might have six or seven other capabilities you haven't enabled and now you're getting into duplication. That's where folks like you and me can, can come into an organization and be like, let's do some tech rationalization. We can actually save you some money. We can actually rip some stuff out. Every time I do an engagement, almost every time I'm like, you can turn that off, save some money and redeploy to something else. Send your folks to training or invest in this other capability you don't have. Like, that's where we get to like really like. See this is where we get to like show that value just by justifying the things that are in place that were purchased for a real reason. [00:06:57] Speaker B: Yeah. And some, sometimes simpler is, is better, you know, just because again, to your point, I love Palo, I love Cisco, I love Splunk, I love all of these lace things. I've got technology behind me and I'm tinkering and playing with the newest stuff and AI and building bots and all the stuff that's fun to me. But I'm doing that in my home lab. There's a reason. So a prime example of this is back in the day I had a completely, you know, custom built home network. I had PF sense as my firewall and I had like this hodgepodge of really cool. It had all this functionality. I had custom dashboards, I had all this stuff. [00:07:38] Speaker A: Amazing. [00:07:39] Speaker B: And it worked great. Until it didn't. And when it didn't, almost nine times out of ten, I was out of town. And it was so complex that nobody else in that I'm the only technologist. My kids were small, my wife is not a technologist. So it would go down and then we had already, you know, cut the, cut the cord. So we don't have TV other than streaming. My kids are like, you know, toddlers. So everything to them is, you know, Disney and, and streaming on a, on a tablet or whatever. And then now my wife is three days without to, you know, help in that area. And by the time I get home she's like pulling her hair out and wanting to punch me. So you know, I went to a very simplified system. I went to, you know, ubiquity is ubiquity the best and most and blah, blah, blah, whatever. That's not the point. The point is, is that it's all through an app, everything automatically. It's self healed. It's a mesh. Like I've got redundancy, I've got Battery backups on things. Like I made it so that it's reliable. It doesn't necessarily meet all of the technology. Now Ubiquiti is really great. They have a lot of capabilities, all that type of stuff. I'm not saying I'm not trying to bash on Ubiquity, but the point is, is that I had all this cool stuff. It's the same reason why I went to an iPhone. I used to be an Android guy. I went to an iPhone because I can control all of my kids devices. I know exactly where they are. I could control what apps they have on their phones. Like it's just, it just works and then I don't have to think about it. Like the days of me wanting to break down a server and look at a packet capture to troubleshoot my network in the middle of the day, I'm just not there. I do it on my spare time when I want to, but only when I want to, not when I have to. [00:09:11] Speaker A: Yeah, and not. And not because things are out and you gotta like figure stuff out. That's the worst, right? No, look, I mean, you know, I, I sat here and said, we're all technologists. You just went through your home tech stack and I'm legitimately worried that the rain is gonna cut my Internet on my satellite Internet here. So it's a little, it's a little different, right. I guess I'm a technologist at heart, not in practice. Growing up, we've all done that. Like I remember I was working early, early in my career, I was working at a law firm and they were replacing desktops and I was like, what are you doing with these desktops? And like, oh, we're going to recycle them or whatever. I'm like, can I have like six of them? And I brought them all home and I made domain controllers and DNS servers and like he just kind of like, you know, set them up. And I may or may not have borrowed the Microsoft server license. It's possible, right? [00:09:57] Speaker B: Yeah, possibly. [00:09:58] Speaker A: Yeah, yeah, allegedly. Allegedly. Right. That's how that goes. But no, like, like as a technologist again to this, to this point of like cyber and honestly like part of what makes cyber so complex, like part of the problem, the thing that we have to solve is that we have all these options. We have these like massive, huge like technical networks and we have smart people running them. But geez, like those things are living and breathing, right? We. How do you keep up? Like there's no level of documentation that gets maintained that we can Go back and look at and figure these things out. These aren't the clamshells I had under my, under my desk, you know, 20 years ago. These are like these massive, massive, like these massive networks. And then we have to like, we go out and buy this tech to make it all simpler. But that adds its own layer of complexity, right? The things we got to solve for. So yeah, I mean, it's a good problem to have. Like, it keeps people like you and I busy, but it's a problem nonetheless. [00:10:54] Speaker B: Well, the other thing that brings up for me is, is most of the time now obviously if you're in a cyber service, you know, you do cyber security as a profession or you have a cyber, you know, solution services offering hardw software, whatever. But most, most organizations, cyber is not their business. Cyber is something that is probably bolted on to protect their critical process. Whether that's, you know, financial services, which is banking and, and you know, all the transactions, or it's a retail environment where you know, that they have physical stores or it's, you know, you know, a power utility company or it's a manufacturing facility and they're, they're protecting their, their, you know, their intellectual property and, and whatever those things are. Cyber is usually a cost center. So every time we add something that we're solving a problem, we're also many times adding complexity or at least if not adding complexity, changing the way the process. And change is hard. People don't like change, especially at school. [00:11:58] Speaker A: Right? Right. No. Well, a. So, so yes, again, that is an absolute issue because the business just wants to do business right? They just want things to work right. And the problem is, and this is one of the like, kind of the age old issues with cybersecurity and cybersecurity professionals. You don't want to hear from me, right? You, you want me to be there. But if you hear from me, there's a problem, right? Like if we're talking, we have an issue. So you know, this is, this is like how do you solve that problem by demonstrating value but also being like the guy that's like, no, you want, you don't ever want to see me, right? Because then things are, things are down. Things are, there's an issue we have to deal with. And the thing is like, you know, it's, it's like these other, it's like these other products like insurance, right? People have no problem buying insurance and hoping that they never use it. They love throwing that money into a bucket and being like, I hope it's gone Forever. Because I have to use that issue. I've had that issue. But the thing is like, I don't think we've gotten there with cyber yet. At least not, not as a kind of a cultural conversation, right? People are still like, do I really have to buy this thing? Am I really going to spend $50,000 on this product, you know, to try to make things better and then just add friction to my, to my business? Like those are the conversations that make justifying those spends or, or spending time on the program itself a hard sell. Especially in smaller shops where it's really about being lean and running a business. Like now you want me to recertify access? Get the fuck outta here. Like, I'm not gonna wait. No, I need these people working. I'm not gonna sit here and have every manager review everyone's access. And by the way, I have no idea what the security group even means, right? Like these are the things that you and I and your listeners as cybersecurity professionals, these are table stakes for us, right? We don't want people to have expansive access, we don't want folks like, you know, traversing the web in all of its corners without any protections. We don't want endpoints that haven't been managed in heavy doctor but all of those things with a cost, they come with a cost. And the cost is either a licensing cost or it's, it's, it's hours, right? It's people like, and that's an additional cost as well. So it's, it is a hard sell until there's a breach, right? Like, and this is, unfortunately what I've seen time and time again is you have those companies that are splitting in these two buckets. And bucket one is, I'm not dealing with this, I don't believe in it, I don't care. I'm going to save the money. And then some shit happens, right? And then when things go down they're like, how could, how could you let this happen? All right, what do we need to do? What do we need to spend, right? And then there are those proactive companies that understand like not only is it important because you want to main that resiliency, the super smart companies have turned this into a marketing element, right? They've turned this into something that actually drives business. Hey customers, you, if you're choosing between this competitor and this competitor and me, here's what I'm spending to protect your data, here's what I'm doing to ensure that your services are up and you're not going to be stuck on the corner somewhere because, you know, the system didn't work and the data you needed or the service you needed wasn't available. This is why you need to work with me. The companies that have done that, well, they're killing it. [00:15:02] Speaker B: Yeah, well, and that's, that's another interesting point in that, you know, five, 10 years ago, you know, if you, if you were in a hack and it was, it was public, it was, it like people were really scared about that. Their, their, their, their name, you know, the bad publicity, the bad press, that kind of thing. It's so common now. I wonder how, how that's reduced people's response. Like we're constantly, oh, well, that, you know, Target released all of your personal information to, they were hacked and all of your personal information that was in your Target account is released to the Internet. They have your, your name, your Social Security number, your credit card numbers, your, your, you know, blood type, like whatever, right? And we're, it happens so often, here's a free credit monitoring thing and everybody has it and, and it's almost like, yeah, it's just another one of the same things. And, and I want you and I hear that and we're, we're freaking out, you know, and, But I wonder how non. I want to almost say normies, the non cyber security nerds that are just going about living their normal lives, how they don't necessarily understand what that means and the impact it could potentially have to them and you know, domino effect of things in their lives, their, their accounts, their kids, all the different things of, of how big of a deal some of these things are that hit the news and people are just like, yeah, whatever. [00:16:24] Speaker A: I mean, but here's the, here's the ironic part. Like you and I, we're cyber pros, been doing this decades, right? 42, 000 hours of experience. I'm at the point where I'm just like, right, like it used to be fear mongering. It used to be an element where people were truly like, concerned and oh my God, what's gonna happen to the stock price? Or am I gonna lose customers? And yeah, the stock price takes a dip, but it almost always comes back. I don't know any cases where it didn't. Right? And the thing is like yes, everyone gets those credit monitoring pieces. How many people actually sign up? I was doing a tabletop for a large company and you know, we're doing this tabletop and working through the breach scenario. Finally we get to the point where it's like, yeah, listen, double exfil. They took terabytes of data and, you know, and they're like, trying to quantify cost. And I'm like, well, you also have to provide, you know, credit monitoring. And they're like, yeah. And I'm like, well, what's it going to be? And they're doing the numbers. And let's just to make the math easy and the story simple, let's say it was a hundred thousand dollars to provide all of the credit monitoring, right? And I'm like, all right, well, it's going to be 100,000. And they're like, no, no, no. Statistically, only like 20% of people sign up for that. So it's going to be 20 grand, right? Like, the vast majority of people don't actually take it. And let's be honest, do we need it anymore? Those services are free. So, like, the reason why I love you brought that, you brought this up is because, you know, we think about confidentiality, integrity, and availability. The CI triad, we like, I won't speak for all your listeners. I won't speak for you, but I'll speak for myself. I always viewed those as equal pillars, right? I always viewed those as the three things that we as cyber professionals have to do. The times have changed. Confidentiality is not really a thing. It's really not. Like, if you think about what's happened to us culturally over the last 15 years, we've given up our data in exchange for free services. We happily give away all the information, our name, our birthday, all of our relatives, pictures of our kids to social media. And we do it gladly, and we love it. We share things out to the entire world with no concepts or semblance of, like, a concern for privacy. And we think people are going to be outraged because, you know, part of their Social Security number was implicated in a breach that showed up on, you know, a dark web forum a year ago. Who gives a shit anymore? Like, the thing is, like, what I've realized is that CIA triad was not equal parts. And the parts that matter now are really availability. Like, you know, it's it of confidentiality, integrity, ability, integrity is critical. It's always gonna be critical because we have to make sure no one's jacking the numbers, right? No one's messing with the data. They're not changing, you know, your age on. On a system or they're not changing numbers in a bank account either up or down, right, to commit fraud. So integrity is always going to be there. Availability is the new hotness, right? If you think about it like people just want services to be there and we want them to work. I want my life to be easy. I don't actually give a, about my data. I know it's out there. Equifax was breached, Target was breached, Home Depot was breached. Like the list goes on those. I'm sorry to pick on you all, but look, this is you, not me. Right. So deal with it. Right. But like the reality is like the data is out there. So like at this point I think we as cyber professionals have to rethink this paradigm and refocus efforts on the things that matter. Now I want to preface this because I can hear half of your, your listeners screaming at the steering wheel right now as they kind of commute home. Yes, there is an element of confidentiality. It hasn't gone away. I'm just thinking about this like from the perspective of consumers and the perspective of other elements, like to think about these as equal pillars. Now that I think is the fundamental shift. There are still data sets that can't go out there. They'll move markets. Sure, right. If you start releasing things like non public information, that's a bad day. SEC implications. Right. You start losing things like military secrets, that's a bad day. Geopolitical implications. Like there is confidentiality there still. But this conversation has changed. [00:20:16] Speaker B: Yeah, it 100% has, you know, and, and it's been that way in the OT space. The, the entire time because we haven't really cared about confidentiality for the most part. [00:20:28] Speaker A: Interesting. Okay. [00:20:29] Speaker B: We, we really care more about availability. Now obviously Coca Cola cares about the, you know, intellectual property of the, you know, the secret Coke formula. Formula. But you know, you go to a power plant and you generate electricity the same at a power plant. Like they're, they don't have a competitive edge because of their secret sauce and how they, you know, burn coal. Right. [00:20:48] Speaker A: They don't have better uranium. Right. Yeah, exactly. Yeah. [00:20:51] Speaker B: All right, that, that's not it. There's no, there's no IP in that. Right. Like, and they, they share all that information because it's, it's, it's a, it's a career critical infrastructure. So that's not it. It's all about availability. Yeah, you know, obviously integrity, but you know, absolutely skewed on the, on the importance and the value statement on the availability side. And I agree with you. I think the consumer market is more that as well. Like I'm going to go to something that's reliable and even if like a prime example. So I use A password vault. Like again, we're in cybersecurity, we use password managers and password vaults. I used to use LastPass. Yeah. How many times did LastPass get hit? [00:21:31] Speaker A: Oh my God, all the time. [00:21:33] Speaker B: Like 10 times, right? Yeah, it was like eight before I finally changed. I'm like, yeah, but I've got my own password on my thing and they're probably not going to get to my database and my database is stored locally. And like it was like, okay. And then after like eight times, I'm like, okay, obviously these guys are not going to change anything. They're going to continue doing this. And I'm just playing with fire. So I moved it off to something else. But it just. Even me in a, in a, in a cyber role. I've been doing this for, you know, decades. And I was just like, is that a big of a deal? You know, I was, I had top secret security clearance, you know, for government clearance. And, and I worked in a power plant and I worked at nuclear facilities. So I had multiple clearances on for different, different places. And during that time is when DHS was hacked. So all of my, you know, everybody in the DHS thing that had security clearance, they have all of that information. So I'm just like, every time there's a thing, I'm like, there's no way, way it's worse than the one I had from dhs. So there's no way they could have more. I mean, I did a, a 500 question psych evaluation to get badged for a nuclear. Nuclear badge. Right. And you passed. They know. [00:22:41] Speaker A: Good for you, man. [00:22:42] Speaker B: Somehow passed. I don't know exactly. Maybe they just, you know, we're like, it's borderline. Yeah, we'll let him go. [00:22:48] Speaker A: Yeah. Nice, Nice. [00:22:51] Speaker B: But it's crazy. Like it's, it's amazing how much it shifted and you know, I think I may have told you guys this. You know, my mother in law listens to my podcast and she's a seven year old woman. She's not in technology. She was never in technology. She listens because she sees it. It's interesting to her, the guests that I bring on, the conversations that we have. But more and more people just in your daily life, cyber is going to impact you in some way. It doesn't mean you have to do it for your job. It doesn't mean you have to be a cyber security professional. But, you know, I was on, I was on a webinar with a, with a, with a group of moms, you know, while I was in rsa. So I was in San Francisco in my hotel room and I was talking to a group of about 50 to 60 moms. And it was about how they can, how they need to be digitally protecting their family and how, you know, today kids as, as, as young as eight is about the first time that they see pornographic material. And that's. [00:23:49] Speaker A: It's getting bad. [00:23:49] Speaker B: Terrifying to think about as a father, a father of three. Right. So we have to have those conversations with our children a lot sooner than they had the conversation with you. And I probably, you know, the birds and the breeze and all that kind of stuff because they just have so much more access. And all of that to me is about, you know, cyber security, digital security, availability. All those things are conversations and we need to be having those at home, at work, in everything that we do. It's something that, that cyber needs to be part of the conversation. [00:24:20] Speaker A: Oh, absolutely. And like, this is, this is the thing that I think most people don't understand. So, like, I used to give this talk. I would train up a bunch, like the co. The next cohort of, they called them CDPs. I don't remember what it stood for, but it was like development professional program, something like that. Right. And like, you know, these would be people who are just starting in the industry or people who just graduated college and I was working for an org. They would spend 40 hours straight, like a whole week, like full on training. Folks, this is what this is about. This is how you do cyber security. These are the things we're concerned about. Here's what a log file looks like. This is what normalization is parsing, like, like very in depth. That was great. A lot of the people that went through that program, they're huge, like industry influencers now. CISOs or founders or whatever else. Right. So it was very cool to kind of watch that happen. But one of the talks I would give when I was teaching these classes is I'd say, all right, I'll make up the numbers because they've changed. But let's say $100 billion a year of loss occurs to cyber, some cyber element, whether it's fraud or whether it's ransom extortion or whatever else, right? Let's pretend 50% of that gets written off because of insurance coverage. Right? So there's, you know, and then another 25 of that doesn't get paid out because if it was fraud, the money might have gotten pulled back or recovered. We're still at like $25 billion, a lot of money. And I would Ask the. Right. Oh, this is. Yeah, we're throwing around the B word here. But no, this is an un. It's probably low, if I'm being honest. Right. I'm making up these numbers for a fact. Right. But like, I would say, all right, so there's that much money that's out there that's going out to attackers that people are getting, recovering, and now have control over. And I would ask folks at this table, I'd be like, so what would you do with that money? Like, what are these attackers doing with the money? And I would inevitably get answers like, oh, they go on vacations or they buy a yacht or they buy sports cars or they have, you know, penthouses, or they save it or they invest it. And. And part of that is. Right. Some of that is right. But the thing is, we were getting answers from people who are not evil. Right. We were getting answers from good people, and those people were giving the good people answers. The vast majority of the money that's stolen and used from a cyber perspective is used for the terrible things you can't get bank loans for, like sex trafficking, like weapons trade, like paying suicide bombers, the families of those suicide bombers. Like, those are the things where this money goes toward. Because you can't walk into a Bank of America and be like, Look, I need 100,000 bucks. I got to move weapons from this country to this country. I got to pay the guys off. Where do I sign the application? Right. So when you start to understand that the dark side of this, this thing, the dark side of what we do is funding the things that are the truly evil elements of our world, well, it kind of changes perspective on what we do from a cyber perspective. Right. Every time we're able to stop that, we're able to provide some protection to that small and medium sized business that's going to fall victim to invoice fraud or we're going to help, you know, some company limit their fraud losses. Like. Yes. Are we helping shareholders? Are we keeping stock prices high? Are we making rich people richer? Sure. But we're also preventing that money from funneling to the things that are truly evil in this world. [00:27:33] Speaker B: Yeah, man. And I told the story on Yalls podcast about, you know, how I was hit by a phishing attack or. [00:27:42] Speaker A: Right. [00:27:42] Speaker B: Basically somebody calling me. I think I've told the story on here as well, but kind of the bigger point is, is that it. It. I hear a lot of, why would they go after me? I'm a small, small, you know, sporting goods store in, in this small town, like, why would anybody want my stuff? And, and what, what people need to realize is it's, it's, it's, it's just a opportunity. If they can, they will, like, they'll, they'll ransomware you, they'll fishing attack you. They'll, they'll, they'll try to steal money. They'll try to get, you know, access. Maybe you have access to somebody else. Like they don't care. These are not good people we're talking about. To your point, like, there is a lot of criminal organizations that are out there. There's, there's, there's state sponsored ones, there's individual, you know, old school mafia style, you know, criminal organizations in, in other countries all around the world that we don't even have legal repercussions of. That's the other piece that's really scary is you, you can't call, you call the police department, they'll be like, there's nothing I can do for you. Like you call the FBI maybe, if it's big enough, maybe they'll get involved. You know, there are some repercussions, but for the most part there's, there's a lot that just goes with no repercussions, with no resolution other than rebuild. And you know, that could be your personal finances. They can take out, you know, your credit, they can take out loans, credit cards, they can take money out of your accounts, they can shut down your business, they can sell your house. Like there's all of these scams that go in and, and fraud and cyber security theft and all these different things. Nobody is immune to it anymore. So we have to be that, that's why little simple things like password vaults and password managers and not using the same damn password across multiple sites is hard, as simple as that sounds. That one thing would probably stop a very large percentage. Now. Does that mean that you're immune? No, because if you click the thing and you fill out the stuff, then they're going to get in and get your password vault too, but at least helps in, to slow it down to, to stop the spread, to keep it isolated to one thing because, you know, if they have access to your email and your password, then they can get into your bank and then they can get into, you know, the next thing and the next thing and the next thing and then they're in your parent. Like it just, the dominoes just, just fall so quickly and then they're into your work. Like that's the other thing that people don't always think about is where do you work? Right? Yeah, maybe they can't get, you know, well, you can't get blood from a turnip. Okay, Maybe you don't have anything they can steal. But for them, 5 bucks, 10 bucks, 50 bucks, 100 bucks, because they're doing it at scale, they're doing it across to thousands, tens of thousands, millions of people, and there's zero overhead for them. They just keep banging away until they get. [00:30:24] Speaker A: Oh, it's all automated. Yep, exactly. Right? No, you're spot on. And you're right. And like, you know, I hear this a lot, like, oh, I don't have any money. Like, there's nothing that I'm like, you know, like a small business. Right. Here's a great example. Small business. All right, maybe not. But if they get control of your email, they can start doing business, you know, email fraud. Right. Or business email compromise. They can now go out to the people that are supposed to pay you and redirect payments, and you really won't have anything. They don't have to steal anything from you, but they can use you as an opportunity. And that's true at the individual level as well. You know, coming back to, like, what you were talking about, like, you know, I'm sure your listeners know they're all cyber pros, but, like, let's just reiterate, like, this stuff goes deep. Like, North Korea funded its entire nuclear program on, on cybercrime, right? Like, the Russian crime syndicates effectively operate in Russia under safe harbor, which is why the trick used to be if you set your secondary keyboard language to Russian, you would avoid getting hit by those organizations. That's one of the first checks that their software did. They would check to see if, if there's a Russian language keyboard. That's it. Shut the whole thing down and move on. Because that was their, that was the ground rule. Like, yeah, you can operate wherever you want. Just don't, don't do it in Russia. Right? Like, there, there are major implications that come to this stuff. And, and I, you know, I always try to, if I'm going to get on my soapbox for a second, I always try to get, to remember, get people to remember that there are real people on the other end of these things. These are not just bits and bytes. These are not just strings of text. There are real players in this game, and this is the game that, that we have to, we have to stay diligent about. [00:31:59] Speaker B: Yeah. And, and there's, there's real victims as well. Right. And for sure, you know, I'VE I've had a few folks, unfortunately, friends and family, that have been greatly impacted financially, and they didn't have money either. Right. We're talking about retired elderly people that continue, and they still believe it. They're. They're giving away their money because they think it's like, oh, well, if. If we just keep giving, it's gonna. I'm gonna get the return. They. They got. They got hit, and they just don't see it. They don't want to admit it. Right. And. And sometimes you got to cut bait, but it. It's hard. We. We grew up on this. We've been doing this for so long. You know, our kids generation, the younger. You know, the younger generations than us, you know, they've always had technology. You know, the baby boomers and that generation haven't. So they're. They're very susceptible to these. Some of them are better than others, obviously. It's a generality, but, you know, obviously, they didn't grow up with technology. You and I grew up. I can't speak for you. I grew up. You know, that. That Macintosh plus back there was one of my computers. My first. [00:33:04] Speaker A: Amazing. [00:33:05] Speaker B: That's cool, Tandy. TRS 80 a Trash 80. So, I mean, I remember, you know, AOL and Dial up and Juno email and, you know, all the things. So, I mean, technology has kind of been part of me. I. I remember time before the Internet. I remember the Internet and I remember, you know, everything since. So I've kind of grown. Grown through all of those changes. So change to us is. Or to me and has been, I don't know, simpler, I guess. But my wife is funny. Like, she. She can't tell the difference between, you know, one version of an iPhone and the next. Like, she doesn't know the new features that come out. I'm like, I'll show her something. She's like, how'd you know that? I'm like, I don't know. I just do. [00:33:41] Speaker A: Right, right, right. And we still get caught, right? Like, this is the thing. Like, I've. I've trained. I've trained my wife up on. On some of this stuff. And, like, what I've told her is, I'm like, if you ever find yourself and you have to, like, you're you. It causes pause. You're like, what is this? Stop. That's it. Like, listen to that Spidey sense, right? Because if you're just like, if you don't understand, stop. Call me. Double check. Don't click links. Go. Like, if it's coming from, let's say, I don't know, credit card, go direct directly to the site, log in, don't like. And like, these are the things that, you know, you and I and, and our, our people in our cohort have figured out and like, learned, trained ourselves to do. But, like, to your point, not everyone knows this stuff, and that's why these scams keep working. That's why victims keep growing. [00:34:25] Speaker B: Yep. Yeah. And. And it's going to, it's going to get worse. Right? It, it is a, it is a, A fishing hole that they have learned and they're getting better with it, and AI tools will help them be more efficient with it. There's so much that we can, we can glean from. I mean, I can write outreach for. Let's say that I wanted to get Paul on my podcast. I can find Paul's email, I can find Paul's LinkedIn, maybe his Facebook or Instagram. And I can give that to, let's say, chat GPT and say, hey, I want to outreach to Paul and have him come on to my, my podcast, Protect it All. I want you to look at what you can find on him, make it personable, make it something that he would be interested in talking about something that would show value to him. And in five seconds it goes and it, it finds all those places, the information that it can, and it gleans a really good introductory outreach, whether I send that on LinkedIn or I send you an email, or I send it through Facebook or Instagram, but it can glean quite a bit of information just on the things that it searches in a few seconds off of our, of our Facebooks or whatever. Right. And, you know, and when we go out of town, how many people are checking at the airport? And then we check in when we're out of town, and we check in, you know, you know, at the remote destination or, you know, our friend, our kids put their, their GPS tracker on and their friends are tracking them as well. And how many. You know, there's just all of these things that you're. We're being attacked from all these different directions, and we don't all even have an understanding of where the risks are and how to protect it. And it's the same way in the business world, right. We have all these new things and we add this new tool, but we don't think about that. I just added five vulnerabilities when I implemented that thing that I wasn't thinking more than that. [00:36:11] Speaker A: Yeah. Oh, more like think about how deep this Goes right? Like, here's the other thing you bring up, you know, AI and the outreach thing. Awesome. By the way, it would probably not recommend you lead with shampoo for me, but it may very, it may very well say something about, you know, talk about Woodford. I, dude, I had to shave. I had to shave my beard. I was getting too much. I couldn't keep up with, you know, the famous Aaron over here. But you know, like, the AI stuff is crazy. We talked about privacy or we talked about like the data we give away. I, you know, I randomly did an experiment. So I pay for the private instance of chat gbt, right? Because I use it for business. I want to make sure it's not training models. Like, do you try to do the right thing? And it keeps, it keeps the chat history and it does that for everyone. Does it on the free version too, right? But I was like, all right, let me, let me, let me, let me do a little experiment. Let me have some fun. I wrote a prompt one night. I was like, hey, we've been talking for a year now, right? I've asked you a bunch of things. You've helped me with a lot of, you know, whatever, X, Y or Z. I was like, I want you to go back through the chat history and I want you to write a profile about me. Who am I? What do I believe in, right? What is it that I do? And man, if this thing wasn't 85, spot on, and I'm not even even talking about, like, you know, the, the normal things I got knew I was a cyber security professional. It knew like, you know, LDL and some of my business that I've pasted in there. But it made inferences on like, personal beliefs, religion. It made inferences on, like, you know, my childhood. Like it would. There were some wild things that I was able to figure out and this thing had me pegged 85%. So like, yeah, that's a vulnerability. Like, it knows these things, right? And like, you know, you talk about we add new tech. Like, one of the things I'm worried about, man, is like, AI is as much as it's going to be a powerhouse, as much as it is a transformative tech in our space and, and in the world, right? This is the next big thing. It's. It's just as dangerous. It's just as dangerous. [00:38:02] Speaker B: The bad guys got it too. And they don't have. Just like you talked about earlier with, with your example of what are they spending the money on. Those bad guys don't have the Same morals or you know, foundational beliefs that, that good people, relatively good people. You know, I pay my taxes. I, you know, I stop at stop signs. I, I help old ladies cross the street type of thing. They, they don't have those concerns, right. They. They are looking at what can I do to take advantage and, and get access to the thing that I want and I don't care the. The outcome or the consequence. Right. In fact I want the outcome and I want the consequence consequence. So they you know, we, we have, we have the ability to use AI and a lot of these tools to, to benefit humanity. To benefit. You know, streamline our processes, you know, find gaps in, in, in our security policies and procedures. You know we have a custom auto tabletop process that we use that uses AI. It's all offline but it's really cool because you can, you can, you can make it it. We did one and it was the, we were attacking the Death Star so the rebels were attacking the Death Star and it was all using cyber security and it was using an actual incident response plan. But we were just, it was like changing the characters and dragons, right? [00:39:22] Speaker A: Yeah yeah, super cool. [00:39:23] Speaker B: But using, using Star wars or Battlestar Galactica or you know, Star Trek, whatever your thing is, you can make it fun. You can also gamify it like so there's a lot of good that comes from it. But think about a bad actor that can take that same stuff and say hey this is what found out about this, this company. These are. You know I went to showdown and this is what I found publicly facing for them. These are their IP spaces and how can they use that to get away in. And it doesn't have to be a technical in as we know what is the, the biggest risk in our environments? People, right? [00:39:56] Speaker A: Yeah yeah, Always always. Every time. I mean if there were no people there'd be no problems. Right. But correct also be no people. So. Right. No it's it. You know, here's the thing like you, you triggered on something for me because like this is part of the other issue of, of what it means to be a cyber defender is it's not a fair game. The game's rigged man. Like these, you know the, the. The cyber criminals that we're up against are well funded and they have no rules. We have change control. We have, you know, we have systems we can't touch. We have to make sure we have other priorities. We, we have to support the business. Like there's all these other things we have to do. They have one mission Compromise, that's it, that's their mission. Whatever their, whatever their benefit, they're after monetization, data theft, whatever. Like their mission is compromised. Our mission is defend. As long as it's not between these, you know, free these freeze periods and as long as you put in the proper paperwork and as long as you're not going to cause any business impact. And also make sure you get the, you partner with these business units. Also don't forget to let folks know about the thing that you have to do and oh my God, we have to change the website. Hold on. I'm going to need at least three weeks review. Like these are all the stumbling blocks we have to deal with. And like the reality is like, you know, I've talked about this before. You think about game theory and the types of games that are out there, right? And there's the finite game, the games that have a clear end, and then there's the infinite game, the game that you just keep playing until you fall over, right? Defenders, we're playing the infinite game. We don't stop. Cyber doesn't end. We have to keep going. Cyber criminals, they're playing the finite game. They have an end. They either, they either move on because we couldn't, we could, they couldn't compromise or they win. They get and they monetize in some way, but those rules are completely different. So it gets, it gets portrayed as this cat and mouse game or this chess game, but it's not. We're in totally different realms and we have to like find that sliver in the Venn diagram. We have a benefit to in some cases not even properly defend an organization. Just get the attacker to move on, find an easier target. I tell my clients that I'm like, look, your goal is not to be perfect. Your goal is to, to be good enough that an attacker's like, ah, this, I'm out. There's an easier one out there, I'm moving on, you know. [00:42:07] Speaker B: Well, and, and, and I think I see it a lot as well. And, and, and it, it's less about probably 10 years ago, at least from my perspective. It was all about, I'm going to make it really hard to get in. I'm going to, I'm going to be so impossible. We're not, we're never going to be hacked. I think it's shifted over now. Like it's not a matter of if, it's a matter of when. So what else can I do now? Obviously I need to remediate. I need to, you know, still do my protections there. But I also have to focus on what happens. Worst case scenario, they get in and they lock my stuff down. Can I recover and what does that recovery look like? How can I, how quickly can I recover and how, how, you know, what does that recovery process look like? Right. So the sooner that we start understanding cyber is about risk. Right. It's about mitigating risk. Just like you talked about on the insurance policy. People are okay with paying money and hoping it never happens. And that's what cyber is. Right. It's really mitigating my risk about something that hopefully never happens. I hope that nobody ever hacks a nuclear power plant and causes a, you know, meltdown. I really hope that never happens. There's a reason why we have so many controls that, that redundant, triple redundant systems to make sure that type of thing doesn't happen. Right. Same thing in, you know, in our, in our fighting forces and, and submarines and, and all the things like we have all these protections for all these reasons. And, and it, it's about, you know, that, that whole, that old motto of defense in depth. Right. So it's not just about keeping the bad guys out of my network. I always assumed they are already in. I always assumed corporate network was compromised. Yeah, it was already done. Right. I don't trust it. I don't trust any, any other network other than a device that I specifically configure and I own. And every other device I assume is bad. [00:43:53] Speaker A: Absolutely, absolutely. And like that, I mean, that's the change in the framework is it is not if it's when and it's being comfortable, being uncomfortable. And the reality is it's. Can you minimize that blast radius? All right, like, you know, if a workstation gets popped, yeah, it sucks. Like they got in. Someone clicked the wrong thing. Cool. But could we contain it to that or did the attacker. Was the attacker able to dump creds and pivot and, and set a foothold on a server or a cloud PC that doesn't turn off? Right. And then were they able to like enumerate the network and then figure out like, you know what, where the data stores were and then start exfiltration over socks, proctor proxies or encrypted channels. Like it keeps going, like it doesn't stop. So if you can minimize that blast radius, that's a win. If you can make your controls layered enough that even if something fails, the next control kicks in, that's a win. Right? This is, this is about that long game. [00:44:46] Speaker B: Well, it brings up a funny story. I Think I was telling somebody at rsa, you know, I did an assessment at this power plant one time, and we did, we did, you know, scanning on devices. They were having some problems. It wasn't just a random red team or a pen test. So we pen tested it, but we were also doing, you know, asset level, you know, investigation, because there was just something hinky going on and we weren't exactly sure what. Come to find out, which had nothing to do with the original problem they had. But as we were doing these scans, we found stuxnet in their environment. Sitting on their devices. Just sitting there. [00:45:20] Speaker A: Yeah. [00:45:20] Speaker B: Just dormant. [00:45:21] Speaker A: Yeah. Yeah. [00:45:22] Speaker B: Now, of course, the cool thing is, is stuxnet was not dangerous to them because they didn't have the, the targeted devices. That stuxnet, they weren't located in Iran. [00:45:31] Speaker A: Right? Like. [00:45:31] Speaker B: Yeah, exactly. It wasn't, it wasn't an Iranian, you know, centrifuge and all the things. So it really, you know, it didn't even have Siemens equipment in there, so there really wasn't any risk to it. But still, it's not something good we want on the environment. But there's a prime example. What did they want to do? The site said, yeah, we'll wait till outage and we'll. We'll rebuild the systems in that. Right. We didn't, we didn't rip them out. We didn't, you know, rebuild the new ones, anything like that. So we left them with a documented, hey, you guys have stuxnet running in your environment? They're like, yeah, we're good. And they're right. That was the right decision. Like, they didn't need to shut down the plant because stuxnet was right. Or they're dormant because the risk was super low. Like almost zero. Not zero. It's never zero. You know, it was really, really low. So they made a decision to move and, you know, we came back and during their outage and, you know, we wiped it out and cleaned it up and all that kind of stuff. But again, that's the kind of conversations we have in these spaces. It's not just all about having the latest, greatest, most capable, all the things, because that availability is more important. And then the other thing that's not on that CIA triad that needs to be there is that dollar design. Right, right. Availability is important, but so is the business. Like, I can. I can put a million dollar cyber program at a site that only makes a thousand, you know, a hundred thousand dollars a year. [00:46:48] Speaker A: Right. [00:46:49] Speaker B: But why would I do that? [00:46:51] Speaker A: Yeah. And this is the thing that then. [00:46:54] Speaker B: I don't make money. [00:46:55] Speaker A: Well, this is the, this is exactly the thing that actually dilutes like a cyber professional's cloud. Right. And like, you know what, what I would say to anyone listening, especially if you're early in your career, you're kind of just budding and you're, you're trying to learn, like learn the business, figure out what the business is doing that you're actually trying to protect. Because if you can reconcile that story, if you know that this is how the business operates, this is how they make money and now I can layer in how I'm going to defend it that aligns with those business goals, you're going to be infinitely more successful. Right. Because to your point, like these are, you know, these are not zero sum games. This is not like, you know, on or off, like there are levels of risk that are acceptable that the business does have appetite to. Now it's your job to coach them. Right? Coach them into what the appropriate risks are and are not. Right. This is not a roll the dice, like we'll see how it goes. But the reality is like there is an element of understanding what those tolerances are and applying those tolerances in the appropriate way. [00:47:54] Speaker B: Yeah. I mean it's the same in all things that we do in business. Right. We're constantly making that decision and, and analyzing. And to your point, like, you know, I talk to a lot of cyber folks that are in cyber and you know, oh, I think I'm gonna go get a master's in cyber, I'm gonna go get this or that. And I'm not again talking anything negatively about that. But the biggest question I have is, okay, you're already in cyber, you already have a degree or certification or you're already, you've already got the job. What is the thing that would benefit you the most? More than likely usually that is something else, a different set of skills that you don't currently possess. Like maybe you, you know, 80 or, or you're, you know, you have your bachelor's or whatever and that got you in the door. How, how much more benefit do you think? Maybe a business degree or you know, finance or something like that. Business acumen, like that's the thing, you know, in my career, I started out my career in the technology hands on, you know, I started out as an engineer going to engineering school, electrical engineering and then, and really pivoted into this technology space. But all those years I hit this limit by being hands on keyboard until I got to a place where I was like actually doing business stuff. And obviously at EY when I was there, you know, I had a lot of different conversations and it really opened my eyes. But even before that, at the previous company, like we did this thing called Leadership Circle where they really came in and they brought in the leaders, the future leaders of the space and they taught us public speaking and we did book reports and we did, you know, use cases and we did business justifications. Business cases. Yeah, absolutely right. We were doing all these things and at first I was like, this is stupid. I don't want to do this. I don't understand. But man, it made. It really ended up opening my eyes and obviously changed the trajectory of my career from, you know, going to EY being senior manager, you know, CTO of a software company. Like I never imagined, Yes, I was still very technical, but without that business side and that business acumen, I would have never been valid or, you know, any good in any of those other roles. Would have never been considered for a CTO role. Just from my technical skill sets because that's. You need a lot more than technology to be able to get to those C suite levels and a CISO or any of that type of stuff. You really have to understand the business before, you know, the technology is important, but the business is as, as important, if not more, especially at those higher roles. [00:50:16] Speaker A: Oh yeah, I like, we. I talk about this all the time. It's about storytelling. If you want to be a good storyteller, you got to understand the story. You have to be able to speak the same language as the people you're telling the story to. Like one of my, one of my, you know, favorite stories is, you know, I was doing, I was, I was running security operations, large Fortune 500 financial. And it's Christmas Eve, I shit you not, it's Christmas Eve, get a call. It's like seven o' clock, family sitting down for Christmas dinner. And it's like, yeah, we have a pretty critical cross site scripting vulnerability on the main site. We see evidence the attacker is testing it. Like, we got to spin up a P1 right now. All right, can't be mad. This is what I signed up for, right? So get on a call, right? Spin up a bridge. Do we got to do? And get on. And you would start paging people out. And they're pissed, of course, right? Because that's not what they signed up for. They didn't sign up to leave Christmas Center. And then, you know, they're just like, we're going to, you know, we're not doing this. I'm like, no, no, we got to, here's our options. We got to like disable this part of the site, take away the search box. We got to change this or we got to patch that or change the web server, whatever. Like there's a bunch of different options, couple levers we could have pulled. And they're like, no, we're not doing any of this. You kidding me? It's Christmas Eve, we don't have any changes, 14 day waiting period, blah, blah, blah. And like at first I was being like the shitty cyber guy. I was like, no, we have cross site scripting, right? We have to do a patch now. Or this is, listen to me, I'm smart, right? And that didn't work, right? So finally I had to pull back. I had to kind of like, you know, swallow my pride and take a step back. I'm like, let's just tell the story, right? And a very simple shift in the tone was, hey, do you know how attackers use this? And they're like, what? What do you mean? Like, so we, we have a cross site scripting vulnerability on our site. Do you know what the attacker is going to do with it? They're like, no. I was like, okay, so here's how they're going to weaponize this particular thing. This search box has a vulnerability in it. So if you put in like a very particular code, what'll happen is it'll put a pop up on the screen that'll be from our site and they can make the pop up say whatever they want. So what they're going to do is they're going to craft phishing emails that are going to have a link that is going to link back to our site, put a piece of code into that search box, and it's going to cause our site to pop up a box to our customers that says, your account has been compromised. Please click here to verify. And they're going to harvest credentials and commit fraud. Oh yeah, you're right. We probably got to take that search box down, right? Like once you put it into a simple, like a simple communication so that people can speak the same language and tell that same story, that becomes impactful. They made, they made the tactical change. We didn't shut any web servers down. They did the tactical change and then, you know, a week later the whole thing was fixed and everything was up and running. But it's about telling that story. It's about using those skills of being able to communicate with other people in the business. To your point, Right. And then have that to propagate what your mission is, which is defense. [00:53:07] Speaker B: Yeah, yeah. I had a mentor tell me during that, that leadership circle thing. He, he, One of the things he. That really stuck with me was all business is a people business. He's like, I don't care if you're the janitor or the CEO. Yeah, right. You have to be able to work through people with people. Not like through, like, run through them, but like, if you can't convince the person sitting across from you that, that this needs to be done, it doesn't matter that you're, you're the smartest person in the room. Like, being, being intelligent and having a high IQ and, and being able to get something done are not necessarily the same thing. I'd take somebody that has that high eq, you know, emotional, you know, information. Right. And that can, that can read a room and connect with people and, and I'm not saying IQ person is not valid. I'm just saying having the, being the smartest guy at the firewall is a great thing, but it's only going to get you so far. Right. You still need someone. If you can't do it, somebody else is going to have to do it. And the bad thing for you is they're going to get more, more light shined on them because they're the ones having those conversations. And it, it's why sales people get paid so well. It's why that, you know, salespeople are usually the ones that, you know, that turn into CFOs, that turn into CEOs, and all these different higher roles. And you know, even in CISO roles, you look at those people and yes, they, many of them come from technology backgrounds, but almost all of them, the reason they got where they are is because they stepped outside of just that technical track and added these other skill sets where they were, they were lacking in public speaking, in, you know, being able to win friends and influence people, being able to sell and pitch, you know, pitch a story, you know, public speaking. Because if you're at that role, you're talking in front of the board, you're talking, you know, to, to regulatory agencies, you're, you're talking to who knows whom. And you have to be able to pitch your idea and get that across or, you know, that, that thing, the hacker would have got it on Christmas Eve and, and nobody would have. And then they'd have been screaming at you because you didn't fix it. And all because, not because you didn't know how, but because you couldn't win, not push them, not bully them, but win them over so that they're willing to do the work and understand people want to be hurt. They don't want to be beat over the head. They don't want to be forced to do things when you, when you bring them along with you instead of trying to force them. It's like, you know, dragging a dog as opposed to a well trained dog that just walks beside you. There's a big difference between the level of effort it takes to walk a dog between those two. Two animals. [00:55:46] Speaker A: Yeah. You're 100, right? The best leaders are the leaders who can get people to follow them because those people want to, not because those people have to, To. Right. If you can, if you can align mission and if you can align purpose with what you're trying to do, you can move mountains. Right. And that's a, that's a powerful, powerful thing. And you know, I'm sure there's definitely some fraction of folks that are listening to this that are still hands on keyboards. Right. Pulling packets apart. And that's amazing. Those are amazing skill sets. But don't forget about the other side of this. The ability to communicate, the ability to tell that story, the ability to get people to follow you because they want to. Those are the things that are going to really propel change in your organization and get things that you want done, done. Right. Because that's the other thing we struggle with. We know how to defend the place. We just got to get it done. Like we just got to figure out how to get it done now. Right. That's the other hard part. [00:56:36] Speaker B: Yeah. I mean, most of my career, I mean, especially in the later part of my career, the reason I was successful is that exact skill set, being able to win over people to, to be willing to do what needed to be done in the time frame and the way all that kind of thing, it wasn't a technical, technical difficulty like that wasn't the differentiation. Yes, I'm smart. Yes. You know, the hard hats and, and my experience in the OT space, all those things buy me credibility. But even with that, it wasn't enough. I had to win those folks over and make sure that they, they were brought along. And that, that is, is priceless in the marketplace. And no matter what you're doing. So you know, the new folks that are out there that maybe you're, you're, you're just now getting into cyber or you new to your point, you know, they're, they're, they're hands on Keyboard. For every, you know, five technical classes or trainings that you take, take a non technical one, take one in business, take one in public speaking, something fun. Do something else that's outside of your current, current capacity and current skill set that will also help you in your career trajectory because you will, you will differentiate yourselves from your peers very fast. Everybody can be taking the technical stuff when you asked, hey, I'd like to go do public speaking. You're going to start being noticed. [00:57:51] Speaker A: Absolutely, absolutely. Man. So what a good conversation. [00:57:57] Speaker B: We kind of went all over the place with it. So my, my wrap up question is always the same. I, I warned you about it, but all that we talked about, maybe, maybe some of this we can bring it back, back around. But you know, next five to 10 years, what's one thing coming up over the horizon that's maybe concerning and maybe one thing that's exciting that you see in the, in the cyberspace? [00:58:19] Speaker A: Yeah, you did warn me, so I appreciate that. Although I think I would have come up with the same answer anyway because it has been, it has been on my brain a lot lately and the, the things that I'm going to call out are both concerning and exciting. So it's definitely, so it's definitely AI and, and I, I love it. I love it. It's amazing. Like we joke on my podcast, right? Because like, you know, it comes up every damn conversation. I'm like, oh, again, we talk about it again, again. But the reality is like this is the transformative tech, right? This is, you know, however long ago the Internet came out and it transformed the world and then search came out and it transformed the world, right? Like this is the next thing and it, for as much benefit as it's, as it's providing, I'm very concerned and I'm actually not concerned for the things that you and maybe the others would think like, yeah, the attackers are going to exploit it. It's going to get used to weaponized stuff. I get that. I'm actually more worried for society. I think it's going to make us lazy, right? I think it's, I think unless people make a concerted effort to maintain critical thinking and really focus on building skills like writing skills or, or even just like, you know, pulling, pulling things together that you would have had to think about before that. Now it's just easy to just write a prompt and it gets done like over time, that's going to have a negative impact on our ability to think about things critically and to write though, and to have those skills like Writing. Right. Or the ability to like, you know, even just think about things in a way that you're not just taking for granted what's being presented to you. So that's, that's the thing that I'm a little worried about. I hope that folks realize that this is a tool. It's not meant to replace thought process. It's not meant to, you know, copy and paste things and pop them into whatever you're using it for. Like there's an element of, of review and critical thinking that has to stay in place. And I'm really concerned that this is so easy that that's not going to be the case. [01:00:13] Speaker B: Yeah, it's a muscle that especially the younger generation as they're coming up, you know, I've got an 11 year old as my youngest. I can imagine how difficult it's or different it's going to be for them, for him and his peers as it was for you and I. Again, coming up, you know, I remember a time before the Internet, so I've had to, you know, I saw, I saw Meme yesterday and it was like, why ask a Gen X? Or you wonder why Gen Xer is so, so angry. We had to trans, you know, transfer our music from records to cassettes, from cassettes to CDs, from CDs to DVDs, from DVDs to, to MP3s. And now we have to pay for it on streaming, right? [01:00:51] Speaker A: Yeah, no, it's like this is the. [01:00:53] Speaker B: Speed of the world, all of those things. Right. And you know, I remember even my parents or my dad had a, had an eight track player. So my, my son just got a truck and, and he hasn't replaced the radio in it. And it's a 2004 vehicle and it has a six disc CD changer in it. [01:01:10] Speaker A: And that was the hotness of the time, man. Yeah, yeah. [01:01:13] Speaker B: It doesn't have an AUX connector, it doesn't have any way to plug anything in. So he was kind of annoyed having listened to radio and my wife found my old CD collection and he is just loving it because he's listening to, you know, my mix CDs and you know, Metallica and all these different things. And he's loving it because he's got a six disc CD changer in his dash. I'm like, gosh, I haven't even played a CD and I can't remember how long. [01:01:35] Speaker A: I don't think I've seen a CD in years. So like, it's interesting because like that, that leads me to the thing that I'm most excited about, right? And the thing I'm most excited about now is quantum computing. Like I geek out on quantum all the time and I know that the conversation around cyber is very much about like, well, it's going to break RSA encryption and all the passwords are going to be exposed and that's what everyone's worried about. But I'm on the other side of the thing, man. I think quant like to open up quantum computing to, to add an entire different dimension of computing and the processing power that that comes with. We're going to be able to do some amazing, right? Like the thing I'm waiting for over the next five to 10 years is just for it to get smaller because that's what's coming, right? If you think about the first IBM computer that was delivered in the 50s or 60s or 70s, I forget what decade that thing showed up on a freaking and flatbed truck and they had to take a portion of a brick wall out of a building to put it in the, into the room, right? Well, we carry around computers that are tens of thousands times more more powerful than that thing in our pocket every single day. That's what's going to happen with quantum. They're figuring out cooling, they're figuring out power, right? Like it's going to become accessible. And when it becomes accessible, all the things that we worry about because the processing is too much or, or there's too much data and we can't munch through the data, these things are going to not even think twice about it. It's a whole different way to compute data. It's a whole different way to think about things and it's going to open up a world of possibilities and we'll see things that truly only existed in the movies in the next five to ten years for sure. [01:03:09] Speaker B: I agree. It's, it's exciting and, and to your point, there's, there's always a yin and yang. There's, there's a good and a bad on, on both sides of the coin. It's the same, the same coin though, right? You can't have, you know, the good without the bad. You can't have the bad without the good. So, so we have to know those things. Obviously encryption is going to be broken just like that, which means we'll have to build new, new capabilities, etc. But to your point, like confidentiality, other than, you know, some of those examples that you gave in a few others, we, we aren't as worried about those things. Again, my, everybody knows you can, there's entire products that go out there and, and find your information on the dark. Yeah, yeah, man. I mean, it's there. Like if, if you don't believe it, search for your name. Like yellow pages.com, which. It's funny they even call it that because most people don't even know what the hell Yellow Pages are anymore. [01:03:58] Speaker A: I didn't think about that. That's hilarious, right? What's a yellow page? Why do they. That's a weird company name. Why did they come up with that? That's so strange. [01:04:05] Speaker B: The days of the big ass books being delivered to your door once a year and just dropped off on your front porch so that you could find the, the, the pizza place and the phone number to the pizza place. Because that's what we used to have to do, people. And then you could beat someone with it. [01:04:20] Speaker A: All right, you all right. So, so for the younger generation, that's why so many companies would be called like aaa, right? AA this or AA that. Because they wanted the first listing in the yellow pages, which was listed alphabetically. Doesn't matter now, right? There's no alphabetical listing. But that's why if you look back, like a lot of these companies had a names and it was aaa Bail Bondsman. That's right. That's right. It was all because of the phone book. Oh, man. Yeah, I'm gonna geek out all night thinking about this. [01:04:47] Speaker B: Well, and so that like, I remember this is complete tangent and then we can wrap up. But I remember in kindergarten they, they put us in order of our first name and I'm a Ron, right. So I'm always very first. And then I think it was like second grade, they transitioned from first name to last name game. And I'm pro, so I was still close to the front, but there were people that were ahead of me and I did not like that because I liked being first and now I'm not first. Like, wait, who, who voted to change this? And I was not included because I used to be first and now I'm not. [01:05:24] Speaker A: That's hilarious. No, these are the, these are the things in life that happen. And you know, like we just keep the names and culturally they get adopted. It's incredible stuff. Stuff. Well, Aaron, thank you so much. This has been a blast. I appreciate you hosting me for an hour. I appreciate you, you letting me with you and, and hopefully your listeners had some fun and we got some stuff out of it. [01:05:45] Speaker B: Yeah, man, I appreciate you taking the time. Tell everybody how to find your podcast and, and where to listen to it. All the things. [01:05:51] Speaker A: Oh, my God, I'm the worst. I'm the worst at this. All right, so Cyber After Hours. I'm pretty sure if you Google it, you'll find it. We're on all the major podcast outlets. Outlets, right? Wherever you. Wherever podcasts are sold. Is that the right way to say it? [01:06:03] Speaker B: Yeah, yeah, we're on. [01:06:04] Speaker A: Yeah, we're on YouTube. We're on Spotify. So check us out. Cyber After Hours is myself and Evan. The thing with that podcast is we have no idea what we're going to talk about. Right. That's why it was kind of psyched to come on here and not have a topic. Right? Just kind of see where the world takes us. And the way that works is every we. Sometimes we have a guest, right? Aaron, you're on an episode. Sometimes we don't. But every single time, we pull a random cyber topic out of the fishbowl. Goal. And that's what we're talking about. Sometimes it's amazing and sometimes we're making a bunch of up, but every time it's fun. So appreciate you. Appreciate your listeners and. [01:06:34] Speaker B: Yeah, absolutely. Yeah, I was just gonna say. And. And all the while they're drinking bourbon and. And. Or whatever they happen, whatever spirits they happen to have in their glass. It was a lot of fun. So definitely check out that. I'll make sure to put the show. Put it in the show notes links so you can go check those guys out. Really great content, guys. You know, we. We talked about this on the podcast when I was on there. It's like, I don't see this, this. I want more people doing this, having these conversations. Everybody needs to hear these things. I don't see my friend Paul and Evan as competition. I see it as more. More value and more volume out there. Right? So. So I want to lift these guys up. They do a great job. I had a blast being on their podcast. Had a blast today. Paul. So had a blast. Evan was on my podcast as well. So love, love getting that message out and supporting, you know, good people in the space and definitely put all the links out there. So thank you again for your time today. Great job today. I really appreciate it, sir. And until next time. [01:07:29] Speaker A: Until next time. Appreciate you, pal. Take care. [01:07:31] Speaker B: Yeah, man. Thanks for joining us on Protect it all, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time, sa.

Other Episodes

Episode 28

October 21, 2024 01:10:02
Episode Cover

Elevating Cybersecurity: Importance of Relationships, Mentorship, and Honest Feedback with Ken Foster

This episode delves into the world of cybersecurity with the esteemed guest, Ken Foster. With over 30 years of experience and a career that...

Listen

Episode 45

February 10, 2025 01:12:29
Episode Cover

From Navy to Consulting - Dan Ricci's Unique Perspective on Bridging Security Gaps

In this episode, host Aaron Crowe speaks to Dan Ricci, founder of the ICS Advisory Project, to delve into OT cybersecurity. Dan brings a...

Listen

Episode 9

April 19, 2024 01:09:10
Episode Cover

From Basics to Quantum: A Comprehensive Dive into Cybersecurity Trends

Summary The conversation covers various topics related to cybersecurity, including offensive security, IoT devices, hidden threats in cables, advanced hacking devices, privacy concerns with...

Listen