On this weeks’ Debate, Brian brings a truckload of acronyms for more single panes of glass to help us consolidate our various single panes of glass, Erik may actually be Brian (or maybe Brian is Erik), and Dan confirms he still (and likely always will) spend the rest of his days living in the house he just built deep in the Trough of Disillusionment.

What started out as a chat about some new technologies in the space turned into a treatise on the state of leadership and the future talent pipeline’s need for more curiosity (and why we think they are starved of the opportunity to learn to be curious). Along the way we talk about what motivates organisations to do security right from the get go vs leaving it alone based on difficulty to remediate, and the risk balances of both (think: productivity vs security). Throw in a little “binary opinions have dragged us into the mire” and you’ve got a full episode of The Great Security Debate.

We also drop some hints about a new show coming from The Distilling Security network in 2026 called The Final Act which will bring guests in the later stages of their careers about the urgency of our careers in security and tech, what they want to leave behind as legacy, and what they are doing to prepare their orgs for their eventual departure. Add on how they have and will give back to the community, and what their successors want to see done before this first generation of security and tech leaders hit the road.

Please subscribe and leave a comment.  If you’d like to sponsor the network, please email sponsors@distillingsecurity.com

Thanks for listening!

Show Notes:

• What is Data Security Posture Management (DSPM) - https://www.ibm.com/think/topics/data-security-posture-management
• What is Identity Security Posture Management (ISPM) - https://www.sentinelone.com/cybersecurity-101/identity-security/identity-security-posture-management-ispm/
• What is an Institutional Review Board (IRB) - https://www.hhs.gov/ohrp/education-and-outreach/online-education/human-research-protection-training/lesson-3-what-are-irbs/index.html
• Lucy pulls the football (hand egg) away from Charlie Brown - https://www.youtube.com/watch?v=9dsm7K1Xkn4
• Healthy foods are more costly - https://www.cnbc.com/2023/12/27/healthy-foods-are-often-more-expensive-heres-why.html
• Why Ford cancelled the Bronco after OJ - https://www.slashgear.com/1560204/reason-ford-bronco-discontinued-after-oj-simpson-trial-explained/
• Not enough data - GSD Episode 62 [Audio] - https://podcasts.apple.com/us/podcast/the-100-years-ai-flood/id1513770103?i=1000735045511
• Not enough data - GSD Episode 62 [Video] - 
• Book Recommendation - Anxious Generation by Jonathan Haidt - https://geni.us/lDrdn3
• Book Recommendation - The Coddling of the American Mind by Jonathan Haidt - https://geni.us/Xqary2V
• Ford has 5000 skilled mechanic jobs they can’t fill - https://fortune.com/2025/11/12/ford-ceo-manufacturing-jobs-trade-schools-we-are-in-trouble-in-our-country/

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Oh, you look fabulous, Eric.

This is going to be the clip.

This is going to be the intro clip.

Eric checking his hair.

Welcome to the great Security debate.

This show has experts taking sides to help broaden understanding of a topic.

Therefore, it's safe to say that the views expressed are not necessarily those of the people we work with or for.

Heck, they may not even represent our own views as we take a position for the sake of the debate.

Our website is Great Security Debate debate.net and you can contact us via email at feedbackreatsecuritydebate.net or on Twitter.

Security debate.

Now let's join the debate already in progress.

The DSPM.

So like if I was to look at AI projects, data projects etc.

The DSPM and the ISPM like the identity security posture management and the data security posture management, the solutions that can really do that fast are are the next gen dspm.

But what they miss is some of the data protection features where people focus on that DLP aspect.

They're all trying to get there but doing it agentless.

But it's building.

Can you tell how big my eyes are rolling right now?

Jesus freaking Christ.

I'm sorry.

What we need is le.

We do not need more tech solutions.

We do not need more bespoke crazy shit to not use fully and not know how to use.

We should need to get back to basics.

I am so, I am so committed to this basics thing.

Don't buy this is less about security like.

Like for them.

And what I mean by that is this is more use case by the CDO like the chief Data officer like yeah, how do I truly find all of my unstructured data in the context around it?

Right?

But then the security team like yeah, if you want to do tagging and whatnot.

So if you own purview of these other things can you integrate in everything you contextualize from all of our different data stores, repositories.

Right?

It's supposedly like I shouldn't say supposedly.

It's to help build those guardrails.

The problem is the protection piece.

The like they're designed more in a way for a data team to use but than a security team to use.

Right, but the hope is with being able to add prompting and stuff where you can ask it to do this.

Hey, can you take the security teams our policy around XYZ and implement it right and have it go in and do that to the data sets.

But Lucy, but Lucy, what's to say?

Sorry Charlie Brown.

What's to say that this 35th run at data management and is going to be the one that is successful because Lucy keeps pulling the football away every single time.

This is.

Yeah, we've, we've tried.

Different this time around?

Dan and Brian keep be honest here.

But they started at the different from a different perspective that instead of focusing on, hey, we're going to build out the controls and we're going to be able to stop things from going out.

It was really getting a handle around where is your data?

What is the data?

They're now just missing all of the controls that it's.

Hey, I can tell you where your data is.

I can tell you why it's there, why it matters.

Can you like do something to stop somebody from now we can't do that.

So it's just going to generate more alerts for a team that's already overworked as it is.

Yeah, pretty much, yeah.

That's what's missing.

Yeah.

I mean the other efforts were coming from a similar place.

Data classification was never about controls in its earliest days.

Putting some classification mindset to it so that later we could.

I guess I remain skeptical, as I always do, I remain cynical that another new tech is the answer to solve any problem.

When culture and culture and methodology and getting people to give a is I think a more important fundamental.

Because you can buy whatever tool you want, but it doesn't mean that people in the organization will start giving a sort of.

So is there like a.

A ship for give a market tools?

Oh, help us in that GSPM give a posture management here first it's Wiser's next, it's Wiser's next area.

So the problem with the give A one is they still haven't marketed enough where like people are still paying into gardener, right, for like the quadrant.

But the give a quadrant still hasn't fully hit mainstream yet.

When it does, shit's the limit, man.

It's the drop.

It's in the trough of disillusionment.

Oh wait, I just permanently built the house there.

So I agree with everything Eric said there.

Right.

And the, the idea of just discovering the data piece, it's.

It's AI being used for AI, meaning everyone.

People want projects and I say people, executives, boards, teams.

What are we doing with AI?

Can we use it to automate things or can we use it to create, you know, the idea of almost putting in.

What's the word I'm looking for here was really popular.

Rpa, right?

It's, it's.

The AIA is now like the RPA on steroids, but really they're trying to get a handle on the data.

Well, the, the large language models are built really well if you can plug them in to search the data to come up with the context to create the tagging and everything else where like the big IDs, the Varonis is like, even for Varonis, like in order to have those data collectors, I mean you're basically spinning up servers, right, that you were running as data collectors.

They were very much built as an on prem solution, right?

So now you have a solution that can use the compute power in the cloud and the LLMs scanning both on prem and cloud data.

So the usefulness is kind of twofold.

But the bigger fold of that is now these data teams.

Chief data officer knows where all that data is.

Now the security team is like, now I have a lot of data, right?

And this is where to Eric's point, it's, it's built first with the premise of let's discover all the data with a way to.

Whether you want to use the term label, classify, etc.

It truly can pull the context and the value of AI really is in the unstructured data.

And that's the stuff that, that's been the hardest to go back in tag, right?

Like moving forward, people are doing a better job because they're putting policy in place except.

Etc.

But moving backwards, it's like we got so much data, right?

I'm not going to pick on certain companies, but I can think of certain very large manufacturing companies in the state of Michigan that were working on backup projects.

And we're like.

And it was kind of like, do you really need to back up that much data though?

Like, why are you doing it?

They're like, well, we don't know what it is, but we've just had it for a really long time.

We're just going to back it all up.

It's like.

Or we're afraid that, oh, we might need it at some point.

Yeah, okay.

Yeah, yeah.

It's like you could, you could scan this really?

They're like, no, we tried that before and it took too long.

It's like, this is One of those where it's like in some of these companies that have come out in the DSPM space is to the point where now they understand like, hey, they're going to use me just like they're going to see me just to classify all their data.

And this way they can say we're going to move this, all of this data over here to cold storage and spend a, like we don't need to spend a ton of money on backing this up, but we, we're going to keep it because we don't know what it is.

But that's going to save them a million dollars.

So they realize this now.

So like if you're going to do a POC or something in that sense and do all the data they, they're actually charging for it because for them to do it is a heavy amount of compute and lift.

Right.

But it gets it done in a week.

Right.

And those results that you come back with, you know, I'm not going to put a percentage on it of, of of how tuned it is, but much better than it was before, right.

So companies are one, seeing the value and just wow, this is really cool.

This is going to help us on this.

I might come back to you guys though when I see some of the better controls be put in place.

But this is gonna, this just did a huge discovery.

Now we got six months worth of work to do.

Right.

Thank you.

I think I'd buy.

If the product came with a mandatory 80% deletion requirement.

You come in, analyze it and you have to delete 80% of it.

@ some point you have to force people down the, if we don't need it, get rid of it route.

And this is coming to you with the privacy hat on.

This is coming to you with the, you know, with the regulatory hat on.

There's just so many things.

Funny, Eric, if you buy the giant size bucket of give a shit products, it comes with that hat.

Is that an extra skew or how does that.

It's a bundle.

I'm working, I'm working to get these products into the Delta Amenity kits so that it can get into everybody's.

You can get a little give a shit to everybody on the airplane.

So, so separate of the DSPM side though.

Now on the identity side, Dan, this is the other side to that.

That is also becoming, I'm not calling it a buzzword, but the ISPM or the Identity Security Posture Management or just identities in general.

And I'm not going to validate that this statement is true.

Now I know that 50, 100 to 1.

I've seen where the NHI is the non human identities.

As companies have increased the, the AI tools that people are using whether they were allowed to use or not allowed to use let alone the projects that teams were doing they were seeing an increase of 50 to 1, 100 to 1 and they're in large organizations are seeing upwards of a th000 to 1 non human identities to humans.

So like as people are now doing these projects you have these human identities agents that are created communicating to agents.

Right.

That is for companies that.

For IT teams and security teams or IT teams that don't understand all those relationships becomes very pervasive within it because how are you actually keeping track of all the new identities and the permissions that were given to all those new non human identities or agent to agent thoughts Dan?

I don't give a. I mean, I mean serious seriously.

There's.

There's fixing the symptom.

Is that going to be like your new tagline for this season?

This season?

I don't give.

It depends.

This is Dan on.

Dan on vacation goes from it depends Rock unhinged.

Right.

Like you're asking a question.

It's like F you Brian.

Right.

I'm like Stan there was the give a bucket.

Now there's like I don't give a bug.

We got big buckets here.

Very polarizing the.

It's.

I think it's more that these are fixes to symptoms not fixes to problems.

If you fix the problem if you fix the governance at the identity level.

If you fix it at the, at the.

At the creation of these kinds of entitlements and don't try and fix it later.

I think, I think.

I think I'd rather see us fix it earlier in the process.

I think I.

These are sound like great consulting engagement tools do once get fix then fix the underlying problem.

Don't sit there and allow the symptom to.

Don't.

Don't allow the herpes to continue.

But because you put a piece of paper over it, you know don't no longer have it.

You know it's.

Yeah, I don't see it.

It's great ostrich theory.

Let me go back to the herpes again.

Yeah, tell me more.

Let's double click on that.

Give it a couple, Give it a couple weeks and you know this is like the fourth time week I've used the herpes reference for.

I never go away.

I just sit dormant.

Then occasionally I'll pop my head up Be really painful and then disappear again for a while.

So is that the is, is the non human identity?

The herpes.

But I do agree.

No, no, no.

I think all of it it non human human.

If you have shitty process for creation of identity and establishment of entitlements and maintenance of entitlements, then you need this tool.

If you don't take care of yourself, you need this, this medical remedy.

If you do take care of yourself, you probably won't need this medical remedy because you've taken care of yourself.

Yes, there are variances, yes, there are times where you're going to need it anyway or something runs out of control, you need to do a cleanup.

But this doesn't sound like something that you should want to have to run regularly.

It should, it should be something that you, you do once every two years as a consulting deal.

Like I think this is a problem.

This is, it's funny you say that.

That's where I see it being like personally engagements where people are doing AI projects and then they're saying, hey, we're going to do an identity assessment.

And I've met with several different integrators and partners that we work with that do identity assessments, right?

And for them to do the non human piece, they're like, you really can't just give somebody a spreadsheet and say can you fill this out?

They're like, we actually use a tool, right, via B Permeso Oasis as somebody that we plug in and then it does a scan and that's how we come back to show all the non human identities, the permissions, etc.

But how did they get those permissions in the first place?

This is what I, this is where I'm, I'm saying, okay, yes, okay, we've let the cat out of the bag.

We've, we've, we've let the sheep out into the, into the farmyard.

Whatever it is for, the stuff has escaped and we need to figure out how to get it back.

Fine.

But if you run your programs correctly, if you run them with structure, you say you need a non human identity.

Tell me why, tell me what it's doing.

Tell me the data.

It's going to need access to.

Like there's a whole set of data management along with the identity that goes into it.

Are we creating toxic combinations?

Are we allowing certain things to happen together?

Like there's a whole set of data.

Data hygiene.

Think again.

I come back to Research World where this is the irb.

Should you, should this non human identity be having access to These things.

If so then it's been approved.

The access is granted.

I, I don't think we need to, you know, if we go into self provisioning and self access granting, we're into a whole other heap of trouble.

Don't disagree.

We need to get you into like instead of building a program from the ground up next foot of entry into a really old manufacturing company.

You'd have to.

It had.

Have to come with a gun and it have to start pointing at my head.

I, I can't think of anything that sounds more horrible.

I mean I applau.

Are the issues that.

These are the issues that people face though because the identities like the, the ability to manage it.

There was too much of I need access to this.

Right.

And it was an IT team saying okay, basically white listing and blacklisting permissions for people.

He wants access to this.

I mean Eric, we've talked about it before.

Like you got 32 plants and every five are using a different application.

That's somewhat doing the same thing.

Right.

But they're.

They started doing it 15 years ago.

We're trying to put controls but to get people to change is a lot harder.

So we're not going to do that because we don't want to be the office and know.

At least that's what we were saying five years ago.

And then all this identity stuff started to become popular.

But we didn't have someone on the identity team.

So we turned to Lucy because she liked people and those were kind of like identities.

So we had her do that.

But she didn't really have an identity background.

Haley Brown references.

Is Lucy gonna pull the football out again?

But I don't even know.

I don't even know this Lucy.

And I want to be.

I want to be crystal clear.

I have the utmost respect and enjoy shouting from the sidelines.

To all the people who do that kind of work who are in existing organizations that have to deal with that.

It's not my style.

I can't.

It's one of those.

I, I'm dealing with this with some, with some, some other things.

Some people I'm helping.

Where the people.

What was that the Budweiser commercials or this one's for you, Mr. Security Practitioner.

Mr.

Sideline Coach.

Yeah.

My style is let's get it done.

My style is let's figure it out.

And I don't care if you are sad.

We have something to do.

Yeah, we're going to figure out the right business balance of it.

But you know what that usually means not doing it stupid from the beginning or trying you.

Because I think a lot of times that when we think about the tech stack, we think about tech debt only.

Right.

That it's infrastructure, it's applications, but we don't think about process debt.

Yes.

Going back.

And is it a harder decision to make to go back, retrofit it and do it right?

Absolutely is right.

And I think there's a lot of just BS out there.

The team, oh, we don't have the capacity, we don't have the time.

So you end up spending more in the long run because you need tools to do all of these different things.

Or the other is let me do it.

And this is, and this is what I love about working with startups.

Startups are great because especially when you're doing acquisitions of startups, startups need and want this stuff.

So they're very eager and excited to come into a, into either existing central process or you know, take it on because it opens up markets for them.

Like this is, this is not the problem as a security leader, this is not the practice part of the business.

I enjoy doing.

I enjoy figuring out how to get them to use security to drive revenue.

Like these are the kinds of things I'm that kind of a security leader.

I am, I'm done being like a super internal tech leader.

Like that's sort of what I've changed over the past.

You'll only do it for greenfield build out small companies.

Oh no, no, no, no.

For manufacturing.

I haven't worked in green.

I haven't worked in a true green field in forever.

I mean it.

You know you bring 15 acquisitions together and they all have very different things.

But what it is is you create a meta layer of good process that you then move them into.

But you move them into it.

Yeah.

They call it the metaverse.

That's what connects on premise ad to entre to all of your different.

Not that one.

I'm sorry.

As I deal with my mother having bought a Windows computer and an entire family of people who have no idea how to support her and yeah.

Oh hi mom.

I know you listen to this.

This brings us back to the manufacturing versus tech side because and for those that were listening right when Dan said in the, in the world of M and A, in the world of of M and Ms.

If you want to call it hypergrowth etc if, if you're acquiring a company and you've already put in all of these policies and procedures etc a lot of times those are also align to certain requirements.

Right.

Whether use.

Use a requirement in Europe Right.

Or a requirement.

Or even take the regulatory out of it, Brian.

And say customer requirements, things that are needed by the people you want to sell to.

Again, if we want to stop thinking about this as stick and start thinking about it as carrot.

I think we all grow as security leaders by not thinking about it as what do I use to beat you.

Over the head startup.

And your sales team's coming to you like, hey, we, this company reached out with this opportunity, right?

And it's like, yeah, but we don't have this stuff put in place to be able to work with them.

They're going to require a, B and C. Right.

You must be this tall to ride this ride.

It's like we're working to that.

But we got this team that's asked for this.

We got people telling us we should be fedramp, but yet we have only ever had one government client reach out.

And we'd love to get into that space.

The next thing you know, here comes a company Dan's worked for that's going to gobble you up and acquire you.

Right.

But it opens up all of those markets because what Dan and team have been building is exactly that.

And it's not just regionalized, it's globalized.

Yeah, right.

In order to go.

But now let's look at the other side of the business.

Manufacturing.

Right?

So Eric's company decides to go acquire somebody else, right?

That's building a unique, beautiful white pine cabinet.

It's going to open up.

Yeah, it's going to open up marketplace.

Right.

There's not a whole lot of regulatory, etc.

They get gobbled up and they're like, oh my God, look at all these rules Eric's built.

It was so much easier for us to do production like this.

Right.

And communicate.

This is going to make it harder on us.

Right.

All they wanted was the open market of a distribution to be able to sell a physical good.

Right.

Of what the company had.

But the idea of all these policies, it's like, did you just say identity?

Like, I'm Lucy, right?

And it's like, yeah, going to need to dive in and kind of do a little, little, little check of your systems here real quick.

Ask my wife.

I have multiple of those.

Multiple identities.

Yeah, because.

Because you separated your admin access from your regular access.

Like a good boy.

Right?

So that's where Dan I from.

A legacy side, like small company growing and you get acquired.

It's like, wow, this just opened up the doors because you've helped build these policies.

Right.

And they Were looking for someone to give them that direction right.

In a path forward.

But then when you fall back in the manufacturing side, you've been around for a very long time, you've done things this way.

There was people I was talking to this week and they said some of the hardest things for them to do.

Right.

Even though they know this is the right thing and this isn't about buying a product, etc.

They're like, this is simply just changing a policy to say we're going to do something different.

They're like, that takes longer to implement than a technology.

Oh yeah.

To get people on board that have done something one way.

So long way bigger dividends down the road.

Yeah, yeah.

But, but people.

It comes back to how are people compensate people.

People will do based on what they're compensated on.

And if it's about, if it's about revenue or production, throughput or productivity for this quarter and this big change is long change can come in that's going to affect the quarter even though it's going to positively affect, you know, let's say, you know, fiscal year two years down and beyond at, you know, at, at logarithmic methods.

No one's going to want to play today.

Log rhythmic methods.

Part of log rhythm, the old sin.

No, no.

This is, this is, this is hockey stick up into the right.

My favorite kind of, my favorite kind of direction.

I think this also comes back to a fundamental challenge that I see this more in the security space than other acumen that there is a myopic view on technology and process.

And this is what I do without taking a step back to do a holistic view of understanding the organization.

Right.

And if we're brought into a conversation and our first propensity is to jump into solutioning, that's what we're going to get rather than understanding what are we really trying to solve here where we can start.

And this is where I'm going to use a Gartner term that I do like the concept of the decomposable architecture that as we think about the different tenants that we built in more probably outside of security.

But so a service oriented architecture that we design in a way that we can just plug and play and break things off.

If we start thinking about that in context of security and the processes we build.

I agree with you, Dan, that we're, we are in almost the same situation that if you look at pharmaceutical market, right.

That we don't want to get to the root cause, which is our food here in the US is crap.

I'm just giving Brian an in to talk about food because there's way more.

There's way more money on the pharmaceutical side that we can keep fixing the symptoms and selling those.

But we need to take a hard look and go back and start to, to revamp some of our upstream processes that caused all of these issues.

Yeah.

In the, in the food industry, to your point, is one of those that because of acquisition going to automotive next.

Yeah.

It goes food, automotive, sleep, Right.

These are the three most important things to me.

So on the food side, when you look at the acquisitions, it very much reminds me of, you know, look at Rockefeller.

Right.

When you go back.

And I'm not going to get into the oil and data side of it, but just the idea of how you grew a company but if you could control the markets, right.

What that did.

Well, like you take the number of slaughterhouses we have today, also almost equivalent to the number of refineries we have today.

And no new ones will ever go in because of policy that have been put in place, which just makes it very expensive to put in.

But you've been able to reduce down so that only five to 10 slaughterhouses exist.

So all meat is going to pass through there.

Right.

And that's the distribution.

Right.

So now you've reduced it down to these refineries, Right.

Or slaughterhouses that then ship this product on out.

Same thing when you look at the grocery store chains, right.

I look at people and I think, this is really cool.

Right.

But how do you go to market and grow your company when, you know, I say this is really cool.

People that are like, you know what?

I believe in this bar that I'm making.

And it's healthy, it's natural.

I'm not using, you know, high fructose corn syrups.

I'm using, you know, you name it, honey xyz to create something that I. I know every ingredient in it.

These are grown here in Michigan.

It's healthy.

And I'm going to make this.

But your only way to market is small local stores until you build up some brand reputation.

If you tried to go to Kroger or try to go to this, they own that.

Like the distributors, right.

Like the people that have access to that market makes it very, very, very difficult.

You sometimes see the same thing on security and the way people get funding and the access they have to the market versus the ones that don't.

What this has done is created the.

These food conglomerates that that mass produce certain foods and now to the worker The.

The Dan, Not Dan.

Dan's different.

Sorry, Lucy.

I've been so told that my whole life.

Yeah.

You have this grocery store right up the street.

Like your favorite little one is now gone.

It's been gobbled up, right.

You have a Meyer, you have a Kroger, right.

And maybe there's a Bushes right next door for some odd reason, right?

They, like, that was going to work from a competition standpoint.

And if you went into that grocery store and removed out all the processed foods, you'd be left with just the produce section and like maybe two or three aisles and that's it.

Right.

So understanding your food in the education, this is where security is.

Education too, is important.

The education of what you're eating is really difficult.

Like, how do you tune out the noise?

Because of whether this is true or not, what you read online and people post on your.

Your Facebook, I think they just said 51 of all media content is now AI produced.

Right.

That's still a better rate than that of marketing content for security tools.

That's at least 99.

Slop.

So point there, though, is now you start to educate people.

But because it's become so easy just to go to this one store or order this stuff online and the stuff you see, it's like, yeah, that's what I'm going to buy.

That once you get the education piece, you're like, oh, I know I need to do something different.

But it's so hard for me to drive an extra two minutes down the road to this shop, especially because I need more than just the seven things I was going to get there.

I also needed the meat, and that's what they have.

So I just.

Oh, but Amazon is working on that right now, Brian.

So we created the own.

Have we created our own problem that we're talking about though, right?

We've given power.

Because if you look at.

Look at.

All right, let's just take on training, right?

Because I think we would agree that to get somebody in the mindset that blocking and tackling matters way more and can do more to change the posture of an organization than any tool that you're slapping on top of it.

Right, then, okay, so they need training.

We need to help them understand how they can actually architect and build something, which means they're usually going to a conference or a class.

Well, where does the funding come from?

All of that from tools, right?

So we're asking to fundamentally shift the mindset of a community that's funded by the tools.

We're saying, oh, you're saying because you're saying because neutral conferences have been supplanted by brand specific ones.

Okay, yeah, yo, completely agree, completely agree.

Because all the cons now are, are, you know, are just sales pitches.

Yeah.

And I'm not, I'm not saying there shouldn't be room for tools to be able to market or anything.

Without question.

I mean I think this is where the sands of the world, you know, need to continue to.

Need to continue to flourish.

Yeah.

What is it, like $20,000?

Yeah, well but, but again go back to, go back to Brian's analogy.

This is one I can actually participate in.

Unlike automotive stuff, you know, you pay more, you end up paying more for good origin story vegetables.

You pay end up paying more for non processed food.

It's an unfortunate reality, but it does cost more.

My eggs cost $8 a dozen because you know what, they came straight from the chicken onto my plate.

You know, there was a middle ground in a fridge and there was nothing in between.

You know, that's how does it cost.

More in the long run though?

Like if we think about this, put this in the context and go back to where.

Oh yes, because they've artificially grown vegetables and stuff.

Right.

People have artificially depressed the processed food because the industries have artificially depressed the, the, the processed food costs because they can do it at such scale.

That's the, that's the cost differential I'm talking about.

I'm not saying oh if you were to do it yourself, no, it doesn't cost more.

But this, this is almost going into the car.

A lease vers buy that.

Everybody looks at a lease and goes oh well it's less expensive.

Yeah.

But over the long haul you have to keep turning that call.

You've always got a payment rather than yeah, higher upfront costs pay it off and now you just have maintenance every once in a while.

Or if you've got a car once in a. Ryan.

Yeah.

Old friend of mine at the best.

You happen to choose one of the worst residual value cars or highest cost of maintenance cars.

Brian.

That it is going to be way more excellent.

You should have just leased that one.

This is a great pivot back to last or two weeks ago's podcast.

Eric.

There wasn't enough data for me to know that this was going to be bad.

It was too new.

Right.

Dan will argue well no, there's enough data on GM to understand or Ford to understand, but not this particular engine.

And here I am still on a monthly Brian over month just crying with the issues I have If OJ If.

OJ Drove it, you probably shouldn't.

Whoa, interesting.

We got Lucy.

There's a reason it went off the market for 20 years.

The good.

Eric, to your point though, I, I do agree with that.

Like it's easy for people to look and say, oh, this is cheaper.

Over time.

I, I was going to make the argument that, yeah, but buying with the way warranties are today, unless you can get them to agree, like, yeah, this vehicle should last me five years, are you at least going to give me a 50,000 or a hundred thousand mile warranty?

Right.

Not this 24,000.

Right.

Because now you're basically saying, well that's a business decision of looking at.

We do two year leases.

Right.

But if I sell this vehicle and give this guy a 50,000 mile warranty, that could get us to year three or four and we could reduce all that down, you know, basically washing our hands of people, increase the service that we do for people later.

Taking a different lens on this, right.

If you go back to the conversation that we had on the last podcast and we were talking about and I think we touched on the topic of AI and what it's going to do to probably developer or what the suspicion is long term, it's going to do to junior developers, it's going to do to the personnel kind of the, the human marketplace.

Right.

Is that change the world.

Change the world, yeah, yeah.

Talk about the, the hype cycle there that we'll see how that plays out.

I come back to Dan still lives in the trough of disillusionment.

Do you think there's a component of that that starts to play into this, that for the longest time we've talked about we don't have enough people in security.

And I don't necessarily agree with that adage.

I think it's oftentimes we don't have the right people in security that we're missing the right people that have the curiosity to.

Yeah, I could fix this symptom by plugging in Tool X.

But if I take a step back and let curiosity run, how could I build it differently so that I don't have that upstream problem?

I feel like we're missing a lot of that curiosity that used to be there in building some of these programs.

Well, that I think is that's a factor of modern life.

So I have a high school senior and in watching the last 12 years.

There'S what band is he going to be playing?

Well, we'll find out soon enough.

But it actually plays into the point.

I'm about to make we in watching kids, they are on rails.

Like they're, they're driven on rails.

Everything that's done is being told to them what to do.

And wandering off those rails now has dire consequences.

AKA you won't get into the school, into the college that you want to get into.

Your grades will be affected.

You know, somehow there's this, there's anything you do if it's a disciplinary measure, whereas in the old days, the cops would bring you back home and mom would, mom and dad would go, and that was the end of it.

Now it ends up in the school.

Somehow, somehow if you are, if you skip school, like there's all, if you get a bad grade, if you get a B, like all of these things lead toward dire consequences.

And so the kids are designed to stay on the rails given to them because these are the rails that take you to the place you want.

And so as a result, I mean, and combine that with, and I'll use the tech example, combine that with, you know, a device that is not playable.

Like, I could open up my computer.

I could, yeah, I could take cards out.

I remember the, the, the long discussions with my parents about taking the then, you know, $2,500 computer, opening it up and putting a modem into it.

And the fear that went along with that from the people who had paid $2,500 and 20$500 then was a lot of money.

Money.

What still is a lot of money, but, but being able to go in and play and interchange and see how things worked and even, you know, be able to make resolders and, you know, and, and, and splice things in.

Now it's also glued and micro architected and compressed in a way that no human can actually play along with it.

So that's one example of how we've boxed people out of the ability to be curious, the ability to mess around.

I combine that with the fact.

One more, one more point.

I combine that with the fact that being on rails means you don't take adventures.

I'm hoping that none of the administrators of the Ann Arbor Public schools listen to this, but I'll, I, I tell my kid if the chance comes up to take a day and go have a skip day and go, but real skip day, not the one that ends up on the official school calendar, because that's not a real skip day, go do it.

Go have an adventure.

Because, you know, where I learned all of what I need to know about life was figuring out how to get out of the Pickles that we got into when we went on adventures we didn't have GPS is when you got lost, you were lost.

You didn't have like all of this stuff means this is why.

And this all comes back to we have kids, people coming out now that don't.

They aren't.

They're not.

They've not been allowed to be curious because the consequences of being curious have been dire.

And therefore it's not a skill that they know or have seen to frame.

In a different lens.

I would say that we are creating very risk adverse individuals.

Right.

I'm hearing this secondhand from my wife.

She's reading Anxious Generation, the same author that did coddling of the American Mind.

Okay, I'm gonna have to read it.

But it's really interesting because I think one of the components that the author was talking about links will be in the show notes that we've now raised kids that are afraid to climb a tree, that are afraid to do all these things.

But at the same time, you know, let's fast forward into life.

You talk about those guardrails that we put up early on that, hey, you have to stay between the two bumpers if you want to hit the pins.

That means that we still suck as leaders.

We're not removing those guardrails to allow them to try things.

We've still got a culture that's managed by.

You have to hit these KPIs.

These have to be the only thing this, this is what matters.

Or when you do screw up, that we're going to scrutinize it and we're going to make you write a dissertation on why it won't happen again, why it happened, what we can do differently.

I just, I guess for me this is just.

It seems so foreign.

Right.

Agree.

Let's bring a little.

Or go play pickup baseball.

Go pick.

Go play pickup baseball.

Not travel baseball.

Go.

Go out and play and fight.

Don't look at it as a career end means to an end.

Look at it as.

I had a fun day and you know what?

I met some new people and did some new things.

Learn how to get along with six people in the backyard.

Right.

With.

Without having parents.

No, no, no, no.

Everyone gets one turn.

Right.

Yeah.

Take parents out of it.

Because we are parents are 95% of the problem.

Yeah.

So I'm going to use this one example, right?

The idea of three kids in the backyard, want to build a fort.

Right.

But you see him get the life example.

Or is this metaphor.

You see them get the saw.

I'm using this as a real life example.

Like, they get the bow saw, right?

Because they want to cut a few branches.

They get the hatchet out, and immediately you're like, no, no, no, no.

Guys, guys, guys, no, no.

You're not playing with that saw.

You're not playing with that hatchet.

Right?

And I think back to us as like, I.

In my head, it's like, what's the right age for me to teach them?

And then I have to smile and think about the age that I was when I first picked up a hatchet or learned how to swing an ax.

And actually I have my badges.

In the process of moving, I found all my old cub scout stuff.

Right.

Like.

And like, it just brought back these flash memories.

Be home by dark.

That was the only rule.

Yeah.

I've never seen so much firewood be for sale these days.

Where like now your grocery store sells firewood.

Your heart, your hardware store.

Right?

And it's five to ten dollars for this little bundle of.

Right.

That.

That's like the kindling that we used to.

That we used to create.

I mean, our fires were big, right?

I'm thinking, and I'm watching people and they're grabbing like three or four bundles, right?

You're going to have a bonfire for like 40 minutes.

That's it.

Right.

Maybe that's good enough.

But you're going to spend 40 bucks a hatchet is like 20 bucks a nice.

The new splitting axis.

Maybe 70 is what I paid for mine.

And that thing's awesome.

Yeah.

But we don't have attention spans for longer than 40 minutes anyway.

So the short is it's been purpose built just for the modern blip vert generation.

I forgot.

What are we talking about, huh?

Buying bundled wood.

Right?

Because I don't.

I never got the opportunity to grow up as a kid swinging an axe or a hatchet.

So because my parents were afraid, I cut my foot off.

But they were more convinced I'd make enough money to then budget in $400 a month to go buy firewood.

Which seems absolutely ridiculous.

Right.

Would you like to come to my backyard?

I got plenty of wood you can take good LM.

I was predicting the 400amonth was going to buy you a new foot.

My bad, dude.

You're going to need way more than 400 bucks.

But I agree.

And that.

That's changed society.

I remember growing up.

So we.

My parents built a house out in Macomb.

And it was.

Gosh, I think there was three or four phases that were built after us.

And when they cleared one of the phases, we built a giant bonfire out there.

And somebody, somebody, you know, just because a bunch of kids are burning things naturally called the police fire department comes out and they look at it, they go, actually, guys, we're pretty impressed you did this, right?

The walls around it, you had water ready.

But I, I do feel that that mentality and being able to have that conversation that, hey, we're gonna need you to put it out, but kudos to you is starting to disappear, right?

That we've moved into this very binary that it's either right or it's wrong and we've removed the gray.

And that's.

I think we, well, philosophically, we see this play out in society, right.

Look at the, the conversations that we have.

Well, if you're on that side and I'm on this side, we can't be friends.

We can't have a conversation that's made it into what we call leadership.

And that there's.

Either it succeeds or it doesn't succeed.

And if it doesn't succeed, guess what?

Here's all the process and everything you have to go through to explain why it won't happen again.

And that's just, that's.

That stifles any type of innovation and.

Creativity or willingness to go out on a limb.

Right?

Let's take a flyer, take a flyer.

On the word limb.

Because we were talking hatchets.

Yeah, yeah, because I've been out.

I've been out both, both literally and figuratively on some pretty thin limbs.

And sometimes they crack and they fall and sometimes they pan out.

But you know what?

You learned something from that experience that makes you into the person you'll become.

And I, I, I, we have created childhoods, we have created organizational structures that we never actually let people experience.

The highs and the lows, the learnings and the takeaways, the real learnings, not the, not the after action review, formulaic, cover your butt, whatever it is that ends up happening.

But the real, oh, yeah, I see where I went wrong and I'm willing to tell other people about it that we used to.

And again, it, it applies to, I shouldn't have ridden my bike over that big curb.

It was larger than I could do without popping a wheelie.

Or this is a project around data classification and the attempt to automate the discovery of data in a way that will net somebody else some, you know, really great revenue.

But me, a failed project, after we do it once and then lose interest in it because Come back to, we only have a very short attention span.

A controlled screw up should be a badge of honor.

Absolutely.

It shows that you're trying.

Absolutely.

If you haven't failed you.

If you haven't had a failure and a controlled failure, perhaps not a haphazard one, but if you haven't had a failure, you are failing in growth.

I was having a conversation with somebody recently and I forget what the project was and I reminded them that I go, guys, before stepping into this role around Christmas time, may have written a script that was supposed to clean up stale accounts that locked out everybody in the company.

Yeah, I remember.

Survives.

We reverse it, we fixed it.

What's the alternative?

That we get into analysis paralysis.

It never actually gets done and just gets shelved.

At some point, we're no better off.

Or even worse, that no one ever writes a script again.

And you just keep, keep the status quo forever because no one will, no one is willing to, to take a flyer on making something big happen.

Right.

So, and, and just to kind of put a bow on that too, is instead of this being like seven guys getting together or only three getting together, three guys getting together, you know, a group of people getting together personalities.

We're back to that.

I don't give a.

Right.

You're, you're on vacation.

Instead of it being like, hey, Bill, you're headed to the grocery store, right?

Budget 300, go grab this food.

You know, hey, Lucy, go to this store, get the firewood to burn.

Etc, you're actually saying, hey, Steve, grab the ax, Lucy, grab the hatchet.

You guys are on firewood.

This isn't, hey, let's just go spend money.

Like, the only way to do this is to go buy this, bring it in, or buy that.

Bring it in.

Like, hey, you're in charge of making that.

You're in charge of making that.

You got to build that.

And by the evening, you got a full sit down dinner, you got a bonfire that lasts all night.

Right.

And the money you use was spent on booze because you didn't have enough time to make moonshine.

Right.

So there are certain things that you still go out and buy.

And I'll, I guess I'll tie it around to a couple of other things.

This is becoming a leadership episode more than anything.

Yeah, maybe.

I think it also comes back to we as a, we as a civilization have decided that we're about experiences and not about doing.

We've taken, it's taken a rather selfish turn.

And I just, you know, to bring it back to automotive that's twice in one episode.

The Jim Farley just put out that they have 5,000 jobs for manufacture for skilled manufacturers in the US that they cannot fill.

These are six figure jobs, cannot fill them because people aren't.

Don't want to do.

People only want to experience, live whatever it is.

So I think we need to get back to doing this also plays out in go come and bring it back to the kids.

You know, recent experience in which teenagers are doing what they think is called leadership.

And by the way, that's the also this, this artificial insertion of leadership into, you know, into your requirements to get into the school.

And I think leadership is good, but unpopular opinion just like colleges and for everyone le, not everyone has the capabilities or the skill set or the emotional, the EQ to be a true defined leader.

You can experience, you can exert leadership capabilities and qualities in everything you do.

But not everybody needs to be the head of something.

And we come to the realization that it looks and feels like the kids believe that leadership is sitting there and pointing and dictating and not actually doing.

Managing.

Managing, exactly.

But they still use the term leadership.

And this is really, again, it comes back to this idea of I don't want to do.

And that's, I think that's an underlying problem.

It comes back to why we don't take risks or, or maybe as a result of not taking risks.

Like there's this whole circular cyclical thing that is, you know, become very interesting watching the youngers, the mids and us old farts and just watching all these dynamics come together.

And some of that is.

Eric, to your point.

Oh, sorry.

When you say risk averse, they're afraid to take risks.

You're right.

But some of that is those experiences growing up not having the courage to want to pick up the ax because nobody showed you how or pick up that because you have to still look at it now as you now, you know it's dangerous.

Right?

Whereas a kid, you looked at it and you're like, I want to pick that up and do this, but everybody slapped your hand and said no, it's dangerous.

Careful.

No, it's dangerous.

Careful.

So then by the time you're older, you're like, I know that's dangerous.

I would love to swing it, but I have no one to show me and I'm afraid to ask.

Right, let's.

On leadership, there was, there was some wrapping up or I just wrapped up 21 irrefutable laws of leadership and there was a concept in there that really resonated that it was talking about the exponential nature of leaders.

Right.

That a leader, leader just using the term that amasses a large following.

When they move out of that role, what happens to all the followers?

They disperse.

They just go their own way.

Right.

But a leader who understands what it means to be a leader and builds other leaders has an exponential effect.

They in turn build other leaders.

Right.

And I was having a conversation with somebody internally and, and it was, was around kind of the decision making structure.

I go more often than not, I intentionally am not going to be the one making the decision.

Dictating a direction is easy.

Yep.

What dictating a direction doesn't do is gain a following, an understanding, allow people to have a voice to move in a direction.

There isn't.

You're, you're missing that rallying piece that brings everybody together.

And like that's what I think we need to start to.

And Dan, you hit it on the head start to really kind of think about from a leadership perspective on how are we going about this.

Are we just hurling, whether it's a framework controls or something over the fence, thou shalt do this or how are we handling mess ups rather than embracing learning and trying new things and giving the team the space to be able to do those things.

I couldn't agree more.

And it's the whole reason if you're listening this far into the podcast, you'll get a little tip.

We've got some new shows coming out next year and one of them that I'm working on is tentatively called the Final act and it's actually focused exactly on that Brian, or sorry, Eric, which is, you know, the same person.

Those of us, back to the old fart reference, you know, those of us who are later, who are later in our career in that final, in our final act in organizations reflecting on the changes, the things we wish we knew when we were young, how we've, you know, the urgency of, of what we do and the impact that we've had and how we want to, how we want to make sure we leave that legacy behind.

And what legacy do we want to leave behind?

And we're also going to pivot and have, you know, some folks that are in middle roles today help inform us on the things they would like for, like to see us do before we leave those chairs.

Because in the information security world and in the tech world as a whole, you know, those of us in the 30, 35 year category, we grew up, we, this industry grew up with us.

We were the lobster boiled along with the water.

And so I think it's a great opportunity to reflect on that.

So look for that show after the first of the year.

And, and I think it, it bodes nicely with this.

We didn't actually plan this.

This, it just happened serendipitously.

But I think that's a, it's a really great topic and what I'm really excited to dive into with guests from around the industry.

Doesn't that imply that we plan any of these?

Oh, don't give away the secret sauce.

But guys, unfortunately we are out of time.

Thank you, Brian.

Thank you, Eric, or thank you, Eric and thank you, Brian.

Whichever one of you is Eric and whichever one of you is Brian.

I don't know anymore or maybe I just don't give a.

And thanks to you, the listener who I very much do give a about.

And I'm so glad that you were, you're part of this, part of this journey and part of this family.

We're glad to be back on a regular schedule.

We may or may not record next week for Thanksgiving in the US but we will certainly be back two weeks further on.

And if you have any thoughts, questions, if you think we're full of it, if you think we're full of it or you think that, that we need to know about something else or a topic you'd like to see us cover, send us a mail to security debateistillingsecurity.com Also, we are working on sponsorships.

Next year we're going to do more with sponsorships to help grow the network.

If you happen to listen to this and you're interested in sponsoring, send us an email to sponsors distillingsecurity.com that sponsors with an S@distillingsecurity.com thanks again for joining us.

We'll see you again on the next Great security.

Sam.