Why Cybersecurity Fails Without Trust: The Human Side of Defense | JC Vega
Episode 30 • 12th May 2026 • Security by Default • Joseph Carson


Shownotes

This episode looks at why effective communication and leadership matter so much in cybersecurity. We talk with JC Vega, who draws on his background in both operational security and cybersecurity to explain the need to translate complex technical concepts into business language the audience actually uses. We discuss the role leaders play in building a secure organization, and why cybersecurity is not merely an IT concern but an enterprise-wide issue that touches every part of an organization's operations. The conversation then turns to practical ways of empowering champions inside an organization to advocate for good security practice, so that everyone understands how their role contributes to protecting the enterprise. The underlying message is that a collaborative, well-informed approach is what lets organizations make sense of today's security landscape and strengthens both individual and organizational resilience.

In this episode, cybersecurity expert JC Vega shares insights on effective communication, leadership, and risk management in cybersecurity. He emphasizes the importance of translating technical concepts for business leaders, building trust, and fostering community to enhance organizational resilience.

Keywords

cybersecurity, leadership, risk management, communication, trust, community, organizational resilience, cybersecurity education

Key topics

  • Translating cybersecurity for non-technical audiences
  • Building champions within organizations
  • The importance of trust and verification in security
  • Cybersecurity as an enterprise survival issue
  • Leveraging AI and technology responsibly

Sound bites

"Validate and verify, don't just trust."

"Train like it's a Super Bowl."

"Leave a link, build a community."

Chapters

00:00 Introduction to Cybersecurity Leadership

02:34 Translating Cybersecurity for Non-Technical Audiences

05:13 Building a Team of Champions

08:02 Understanding Business Impact and Risk

10:39 The Role of AI in Cybersecurity

12:58 Cybersecurity as an Enterprise Survival Problem

15:21 The Importance of Ecosystem Relationships

18:00 Trust and Zero Trust in Cybersecurity

20:28 Continuous Learning and Community Engagement

Resources

Cyber Cannon Project - https://cybercannonproject.org/

B-Sides Conferences - https://www.bsidescon.org/

LinkedIn Profile of JC Vega - https://www.linkedin.com/in/jcvega/

Takeaways:

  • The podcast emphasizes the necessity of translating complex cybersecurity concepts into practical business language for effective communication.
  • I believe that strong relationships with champions within organizations are crucial for cybersecurity success and operational resilience.
  • Our discussion highlights the importance of understanding the operational goals of various stakeholders to better address their cybersecurity needs.
  • We advocate for the continuous evolution of skills and knowledge within the cybersecurity field through collaboration and community engagement.

Transcripts

Speaker A:

Hello, everyone.

Speaker A:

Welcome back to another episode of the Security By Default podcast.

Speaker A:

I'm the host of the show, Joe Carson, and it's great to be back here with you all again.

Speaker A:

Favorite time of the week?

Speaker A:

Favorite time is to get to talk to so many amazing people and people that I really admire and look up to in order to help me become knowledgeable, to give me lessons, and to really kind of help make the world a safer place, which is my passion.

Speaker A:

We live in a bit of a world of chaos, and this podcast is all about bringing clarity and visibility and making sense out of the chaos that's there.

Speaker A:

So welcome to the podcast.

Speaker A:

JC Vega, do you want to give the audience a bit of a background about yourself, your origin story, how you got into the industry, and some fun things about yourself?

Speaker B:

Sure.

Speaker B:

Well, thanks for having me, Joe.

Speaker B:

You're one of my favorite people I like to interact with.

Speaker B:

Every time I'm out and about, I always look for where is Joe Carson so that I could connect with him.

Speaker B:

And you should, too.

Speaker B:

So.

Speaker B:

So with my background, it's an interesting background.

Speaker B:

Like everybody who's been in cybersecurity for more than 20 or 30 years, you did not start in cybersecurity.

Speaker B:

I started somewhere else.

Speaker B:

I started in operations and security, both in law enforcement as well as in the Army.

Speaker B:

And a lot of the times when I was doing the operational side of security, I was also geeking on the side.

Speaker B:

And so at one point, the military said, we need people who are technically smart but.

Speaker B:

But also understand operations.

Speaker B:

So cybersecurity picked me and said, we need to teach you everything about cybersecurity.

Speaker B:

So after many, many years of study and practice, here's where I am now.

Speaker B:

Advising and putting to practice 30 years of experience to enable organizations and individuals to live a more secure, have a more secure operation and live a more secure life.

Speaker A:

Fantastic.

Speaker A:

And that's what this, this episode's all about is, is really that leadership side of things is.

Speaker A:

And, you know, how to communicate, how to advise what's.

Speaker A:

What's the make, motivate people to take action.

Speaker A:

And so for me, you know, that's one of the great things and sometimes that we've been missing in this industry for so long, we always used to take it from a very technical aspect of things.

Speaker A:

We used to try and try to explain technical complexity to those who were basically driving the car or those who were steering the business and making critical decisions financially, and that sometimes it didn't work very well.

Speaker A:

And we did need to bring in those with.

Speaker A:

With knowledge that can really translate those properly into what does it mean for the business, what does it mean for the employees or the actually industry?

Speaker A:

So it's great that the industry looked at people who could actually do that proper translation to really make sense of, you know, all of these technical complexities.

Speaker A:

Do you want to give kind of.

Speaker A:

So what's, what's some of the best ways, what's some of your best practices or tips that you use in order to translate?

Speaker A:

How do you approach it?

Speaker A:

If you're speaking to somebody who knows nothing, let's say, about cybersecurity, what, what's the, what's the pro approach that you take?

Speaker B:

You know that that's a, a great.

Speaker C:

Question because that is one of the roles of a cyber security professional.

Speaker C:

It's to meet your customer, your public, your audience, where they are, not bring them to your side of it.

Speaker C:

And so with that, when I'm speaking with different audiences, depending if it's a board or, you know, an elder who is a victim of fraud, I don't talk cybersecurity, I talk risk.

Speaker C:

I talk operational goals.

Speaker C:

The goals of the company, how to protect yourself from this particular type of threat that uses the Internet, that uses your own tools against you.

Speaker C:

And I help them to navigate that.

Speaker C:

But it all translates back to what is it that you're trying to accomplish for them, what is it that they want?

Speaker C:

And using my skillset and my background and my expertise, how do I leverage that to achieve their goals?

Speaker C:

And it's never just cybersecurity.

Speaker C:

There's multiple aspects.

Speaker C:

There's physical security, there's behavior, there's best.

Speaker B:

Business practices and such.

Speaker B:

So again, I, I try to stay.

Speaker C:

Away from the word cyber.

Speaker C:

I try to stay away from any technical experience because if they learn the technical aspect of cybersecurity, it is not.

Speaker B:

Going to make them any soon.

Speaker A:

Absolutely.

Speaker A:

I think it's really coming down to is really understanding about what's their motivation, how do they get measured successfully?

Speaker A:

Because I don't, I don't think we're going to make everyone in the world a cybersecurity professional.

Speaker A:

I don't think that's what our goal or aim to do is, is to make bring everyone up to that level.

Speaker A:

It's really to understand about what things do they do, how do they perform their job, what's the risky parts of that job.

Speaker A:

And then how do we put, you know, embed cybersecurity into behind the scenes so it doesn't have to be so complex.

Speaker A:

In the foreground, there was a lot.

Speaker B:

Covered in that last question you have there.

Speaker B:

So let me break it down in a couple of pieces.

Speaker B:

First of all, who cares?

Speaker B:

Who are your champions?

Speaker B:

Who are the people that the message is going to resonate with?

Speaker B:

That's what I call your champions.

Speaker B:

Within your organization or within your ecosystem, those are the people that you want to enable, you want to empower, because they're going to be the messengers of whatever it is you're trying to do.

Speaker B:

Now, what I'm telling you is not something that's unique to cybersecurity.

Speaker B:

It's Leadership 101.

Speaker B:

You find those that the message resonates with and empower them to bring the rest of the team along.

Speaker B:

Because you can't do it all as a leader.

Speaker B:

So that's.

Speaker B:

That's part of it, is find who your champions are within your organization, both above and below you.

Speaker B:

If the chairman of the board is not a champion, it's going to be a lot harder to convince that board to take action.

Speaker B:

If the CEO is not a champion, it's going to be a lot harder.

Speaker B:

But if they are, it's going to be a priority for the organization.

Speaker B:

But that goes down to every part of the organization.

Speaker B:

Another thing I look at is who in that ecosystem can help you.

Speaker B:

And they're not just IT people.

Speaker B:

They're people who are involved with the general goal of keeping the business running.

Speaker B:

It could be the CFO, it could be the operations officer.

Speaker B:

So don't think of this as an IT and cybersecurity problem that the IT people have to solve.

Speaker B:

So that's a part about building that team champions, that team of leaders within the organization.

Speaker B:

Another part is the tone and the language you use.

Speaker B:

Again, I talk cybersecurity.

Speaker B:

I talk.

Speaker B:

What is it that I'm protecting?

Speaker B:

I'm protecting the business, protecting the operation.

Speaker B:

I'm protecting your assets.

Speaker B:

I'm protecting your lifestyle.

Speaker B:

I am not doing any of this so that I can secure the computer.

Speaker B:

None of it is to secure the computer.

Speaker B:

Securing the computer is an important part of that.

Speaker B:

But my end state is not to have a secure computer.

Speaker B:

It's to have a secure operation that is less vulnerable and more resilient in case an attack does manifest.

Speaker B:

So that's another aspect.

Speaker B:

Explain the why is this is what I'm doing so you can do this.

Speaker B:

Not the how necessarily by locking down your computer.

Speaker A:

What is that?

Speaker A:

What's the what's the outcome of that?

Speaker A:

What.

Speaker A:

What is the.

Speaker A:

Yes.

Speaker A:

What's.

Speaker A:

What's.

Speaker A:

If.

Speaker A:

If that computer wasn't running, what's the impact of the business because of that.

Speaker B:

That's exactly right.

Speaker B:

And then it becomes.

Speaker B:

What's.

Speaker B:

What's the priority of that?

Speaker B:

And how do you.

Speaker B:

So now, now we're talking at the very high level, at the operational level.

Speaker B:

If that computer is down for a day, the CFO, the chief financial officer, will probably tell you exactly how much it's going to cost.

Speaker B:

Not if the computer's down, but.

Speaker B:

But if the operation is down for a day, it doesn't matter if it's the computer.

Speaker B:

It doesn't matter if it's a piece of equipment failed.

Speaker B:

Understand that.

Speaker B:

And they understand how to fix that.

Speaker B:

If you tell them what you What.

Speaker B:

What the possibilities are and what the outcome may be and what the alternative is if you don't fix it.

Speaker B:

The fear, uncertainty and doubt, the FUD.

Speaker B:

It didn't work when we were learning how to drive.

Speaker B:

It doesn't work today.

Speaker B:

Many people around us still speed.

Speaker B:

Many people around us still break the law when they're driving.

Speaker B:

It doesn't work.

Speaker B:

But you had an excellent point.

Speaker B:

But when it happens to you, when you get that ticket, or if you're paying insurance for a family and somebody in that family gets that ticket, boy, it's really going to matter then.

Speaker B:

And those are individuals who are going to get it.

Speaker B:

But you have to reinforce the behaviors.

Speaker B:

This behavior will have this outcome.

Speaker B:

This behavior may have a negative outcome.

Speaker B:

The idea is what is the desired behavior that you're looking for?

Speaker B:

And so what's important for that is that.

Speaker B:

Notice I didn't say protecting your computer is the goal.

Speaker B:

That is not the goal.

Speaker B:

The goal is to protect your business, to protect your assets, to protect your lifestyle, to give you the ability to.

Speaker B:

We call it freedom of maneuver.

Speaker B:

To do what you need to do as a business without having your IT infrastructure, your unsecure infrastructure holding back your operation.

Speaker B:

But there's a couple key terms you want to use at certain levels.

Speaker B:

So at the board, you want to use a term fiduciary duty.

Speaker B:

That means it's your.

Speaker B:

It's your specific responsibility.

Speaker B:

And you could be held liable if you don't take the prudent measures to do something, to prevent.

Speaker B:

To know it, where you know something is, has a high likelihood of happening and has a high impact and you choose to ignore it, you can be held accountable for that.

Speaker B:

And there's a.

Speaker B:

A lot of talk recently on bringing that type of expertise at a very senior level of organizations, but I'm sure we'll get into that.

Speaker A:

Absolutely.

Speaker A:

Yeah.

Speaker A:

It kind of resonates a lot with me because some of my biggest champions in a lot of executives was the CFO because they understood the financial, quantifiable risk approach.

Speaker A:

And they were actually some of the best people to help me translate technical IT issues into quantifiable risk because they're able to do the maths.

Speaker A:

And I think that's what's crucial as well.

Speaker A:

The other one that was a big champion was operations.

Speaker A:

You know, when you're talking about new downtime because they are measured by basically the uptime of the services that they're providing.

Speaker A:

And any type of downtime had a financial impact to their business.

Speaker A:

So, so for me, looking at those, it was the two biggest champions to be able to help translate into what you're doing into that business outcomes.

Speaker A:

And that's crucial that, that's because that's ultimately it's, it's.

Speaker A:

You're absolutely right.

Speaker A:

And I remember years ago talking to the Estonian government, we were selling them, you know, next generation, you know, firewalls and EDR and stuff.

Speaker A:

And they said, well, you'd like, you know, you know, we were talking about software defined networks.

Speaker A:

That was the big topic at the time.

Speaker A:

And they said, no, we do services, we look at everything from a service and they do that whole supply chain, you know, what is that total service end to end and what's all the critical components of that service.

Speaker A:

And that was the big thing was that, you know, it's not just about this individual piece of software or piece of hardware, hardware application.

Speaker A:

It's how do all of those interact to deliver a service to the citizen.

Speaker A:

And that was the big thing.

Speaker A:

It was, for me, it was a big realization about that.

Speaker A:

I'm not in the world of protecting IT systems anymore.

Speaker A:

It's in the world of protecting businesses and society.

Speaker A:

And that's how we should be actually, you know, measuring.

Speaker A:

And I really kind of.

Speaker A:

You're absolutely.

Speaker A:

On how you communicate is so vital.

Speaker A:

And I think absolutely when it gets to responsibility, executives do really need to think about, you know, and it's important to get sign off as well.

Speaker A:

They need to be involved.

Speaker A:

They can't just delegate security decisions to a CISO.

Speaker A:

Otherwise the CISO becomes accountable.

Speaker A:

They need to delegate it and be responsible at the executive level as well.

Speaker B:

No, that's absolutely right.

Speaker B:

And one thing that when I look at organizations or organizational structure, where the CISO lies in that hierarchy varies by organization.

Speaker B:

And we can argue back and forth on where is the right place for that individual and that expertise.

Speaker B:

And there's plenty of right ways and wrong ways to do that.

Speaker B:

But the most important part of that is that that individual should have a direct line to the senior leadership when it's necessary to use.

Speaker B:

Because if it's not established in advance, you're going to have a hard time influencing a decision.

Speaker B:

It doesn't mean you always have to have that face to face.

Speaker B:

But it should be at a regular cadence.

Speaker B:

That builds enough trust in your assessment and your evaluation where they will take you seriously.

Speaker B:

And that's the part that I say you respond at the speed of trust.

Speaker B:

In a crisis, you respond at the speed of trust.

Speaker B:

If I need you and I don't trust you, I may be hesitant in how I react, where in our space, time really does matter.

Speaker B:

And delaying decisions can have a significant impact.

Speaker B:

Which brings us to, you know, the hot term of the day.

Speaker B:

AI.

Speaker A:

Yep.

Speaker B:

AI is a fantastic tool that is accelerating innovation.

Speaker B:

And if you're not using it, you are likely falling behind your competitors.

Speaker B:

And no matter what you do, if you're secure and non competitive, you're, you're going to, you're going to, you're not going to exist.

Speaker B:

That being said, AI is also accelerating the attacker.

Speaker B:

So you have to take both into account as the organization is making these decisions to use AI, you have to communicate to them what the risk of that is at the pace that they're doing and they, what they have to account for.

Speaker B:

And AI is not a magic box anymore.

Speaker B:

There are things, there's a lot of controls you can put in place to protect your organization.

Speaker B:

There's a lot of best business practice that have emerged and the idea is that you as a security person have to bring that risk up to the level of the decision makers so that they have the right information and that it, the risk they're accepting matches their risk appetite.

Speaker B:

And so those two have to converge.

Speaker B:

But you notice when I talked about risk, I talked about fiduciary responsibility.

Speaker B:

I'm not talking about cyber, even though in my background it's all cyber.

Speaker B:

What I can add to the fight to protect them, to allow them, to provide them the cover to allow them to accelerate the business.

Speaker B:

But these conversations are happening in parallel.

Speaker B:

I just happen to be the cybersecurity part of that.

Speaker B:

But I also have to work with my partners because cybersecurity is not an unlimited budget.

Speaker B:

If you have an unlimited budget, I want your job, I want to be in that.

Speaker B:

But there are limits to what you can do both in time and money and how it's going to impact the operation.

Speaker B:

So the idea is you have to work with your partners across your organization and they have to see cybersecurity as providing them a competitive advantage.

Speaker B:

We mentioned the CFO, we mentioned the operations team.

Speaker B:

One that I like to bring in is the CRO, the chief revenue officer and the business development team and the marketing team.

Speaker B:

So what distinguishes my product or my service from my competitors?

Speaker B:

I'd like to think that my security posture, all things being equal, you're accepting less risk from me than you are from a competitor.

Speaker A:

Absolutely.

Speaker A:

When you can think about it as well as, you know, for organizations choosing their next, you know, partner regarding technology, they want to make sure that whatever their lifespan is, whether that's a three year or five year or seven year, and even a lot of, you know, in the big industries and things like shipping and others, that could be 15, 20 years that you're going to enter in a partnership and you want to make sure that that organization can sustain and has resiliency built in.

Speaker A:

So they will be around for that 5, 7, 15 years.

Speaker A:

So I think, you know, showing that they have thought about, you know, security as a resiliency and the ability to maintain operations for a long time, that's something that shows a competitive advantage.

Speaker A:

You know, we look at the recent incident with Jaguar Land Rover and the financial impact, and not even to that organization and stopping production, but also to the point where it was even the community, the suppliers, those who were living day to day, you know, providing food for the employees, transportation, parts, and that whole disruption, I think it ends up actually having a massive impact, even a significant impact to the entire UK economy.

Speaker A:

So it really shows that when your services are running, there is massive dependencies, supply chain.

Speaker A:

And that having a secure, by, by design and by default approach can actually provide you a competitive advantage when it goes to new negotiations.

Speaker A:

Contract and being a supplier, you bring.

Speaker B:

Up two great points there.

Speaker B:

One of them is that security is not an IT problem, it's an enterprise survival problem, meaning you have to look at the enterprise and that includes your ecosystem and that includes your suppliers.

Speaker B:

And another part of that is that the systemic cyber risk means that the weakest partner can be your biggest threat.

Speaker B:

So you have a vested interest to examine what are all the connections that can impact your operation.

Speaker B:

We used to use a term, I'm sure it's still used in operations in the military.

Speaker B:

We say you have your area of responsibility.

Speaker B:

That is the area on a map or a particular task that you have complete control over.

Speaker B:

You are responsible and accountable for everything that happens in your area of responsibility.

Speaker B:

But you also have your area of interest.

Speaker B:

Your area of interest is much larger than that.

Speaker B:

That's all.

Speaker B:

It's everything that can impact your area of responsibility.

Speaker B:

So if you think about your supply chain is.

Speaker B:

It's not just a physical supply chain.

Speaker B:

How it can be interrupted is where is the software that is connecting with my software?

Speaker B:

So it's pushing risk across on an automated level also that.

Speaker B:

That's the software.

Speaker B:

Now the data, how is the data being stored?

Speaker B:

How is the data being shared?

Speaker B:

Are my suppliers or my partners putting me at risk?

Speaker B:

And so there's a lot of things you can do with that also.

Speaker B:

But the idea is that you're taking this from a perspective of your organization is already compromised.

Speaker B:

Design it as if it is, and now take the necessary measures to mitigate that risk so that you are more resilient, that in the face of an attack, you will survive the attack.

Speaker B:

If you focus most of your resources on prevention.

Speaker B:

And then the breach happens, the incident occurs, and you spent very little on the resilience and recovery.

Speaker B:

That's like you spent all the money up to protect your, your town from the dam and the dam breaks and you have no recourse.

Speaker B:

So you have to have the levees built in all along the way as if you are already compromised.

Speaker B:

And that leads to the idea of, I don't like this part of our industry.

Speaker B:

It's how we've kind of.

Speaker B:

It is the right way to do it.

Speaker B:

I don't like it though, how we look at trust.

Speaker B:

Trust is something you earn.

Speaker B:

Trust is something that's built over many handshakes, over many cups of coffee and tea and all those things that you do.

Speaker B:

And it takes one incident to break it and then you lose it all.

Speaker B:

But we look at trust as zero trust.

Speaker B:

As we don't trust anything, we don't trust anyone.

Speaker A:

And so very, very secure approach here.

Speaker B:

I am telling.

Speaker B:

I'm trying to build trust with you, trying to build trust with you.

Speaker B:

And we say we don't trust anybody, which is actually the right way to do it.

Speaker B:

It's just bad marketing.

Speaker A:

I agree.

Speaker A:

I hate the term.

Speaker A:

You know, I prefer to, you know, think of it as, it's about zero assumptions.

Speaker A:

You're assuming that certain security controls have not been satisfied.

Speaker A:

So therefore you want to verify that the controls are in place.

Speaker B:

I use validate and verify.

Speaker B:

Yep, it's validation and verification.

Speaker A:

Because when you take zero trust to the executive team or anyone who's in business, they think of it more as, you know, a friction, you're going to stop them from being able to do their job.

Speaker A:

You know, it's great from a security terminology and what we're actually doing with it, but absolutely a marketing term.

Speaker A:

It's horrible.

Speaker B:

And that's, that's, that's for us cyber people to talk about.

Speaker A:

Yes.

Speaker B:

You don't talk about it.

Speaker B:

So it's a poor choice of words because it communicates a message where a lot of half those people or most of those people receive their job based on trust.

Speaker A:

Yes.

Speaker B:

So they had to trust somebody or somebody trusted them.

Speaker B:

But that doesn't take away from that idea.

Speaker B:

If you got to validate and verify every I say entity, because it's not just every person, it's every process, every exchange, every data transfer.

Speaker B:

You have to make sure that the right action is taking place by the right entity in the right environment at the right time.

Speaker B:

You have to put all that together and you can't assume if, because if one of those pieces is unsecure, then you just compromise the entire system.

Speaker B:

And back to your area of interest and your area of responsibility.

Speaker B:

Think beyond your own organization.

Speaker B:

What, what can impact your organization and what I challenge people to do whenever I have a, a one on one or, or a meeting or some type of consulting gig.

Speaker B:

That's one of the things we, we finish with is who is in your ecosystem, who's in your area of interest.

Speaker B:

When is the last time you spoke with them, when is the last time you reached out to them?

Speaker B:

That includes your, your suppliers, that includes your vendors, that includes the people who are selling your product, that includes law enforcement, that includes your building manager.

Speaker B:

All of these things that may impact your operation.

Speaker B:

When is the last time you had a face to face with them?

Speaker B:

Do you have, how quickly can you summon them and how fast will they respond?

Speaker B:

And like I said earlier, you respond at the speed of trust.

Speaker B:

If you don't develop that in advance, you are not going to be their priority.

Speaker B:

You are not going to be in their area of interest.

Speaker B:

And you want to make sure that you are in their area of interest as well.

Speaker A:

Absolutely.

Speaker A:

It reminds me of kind of a story from years ago doing a penetration test for a ship management company.

Speaker A:

So a company responsible for managing the ship logistics and manifests.

Speaker A:

And they had a leasing agreement with a building company who basically so they had offices, they didn't own the offices, but they had leased from the vendor and they were going through, they wanted to be more energy efficient, so they wanted to appear more green.

Speaker A:

They went to the, the, the supplier said, we need you to be more of energy efficient.

Speaker A:

We want to get these standards, we want to go back and we want to have a message that we are a green company.

Speaker A:

So the building supplier or the building, you know, who was doing the lease went and they installed lots of smart meters and smart LEDs and bulbs and you know, so things that would be more energy efficient, that would turn off, shut off, you know, based on motion, based on people in the office, based on different times.

Speaker A:

And they created a vulnerability.

Speaker A:

So, and ultimately, so it was interesting kind of when you get into that, the dependency that, you know, one is it was their initiative but by not having that relationship about the actions they were taken to become more energy efficient that end up their supplier, their leasing company became a massive risk for their environment because it meant that attackers could simply just jump onto the light bulbs, onto their network and have access.

Speaker A:

So it really means that you have to have an understanding about a good relationship.

Speaker A:

And I think it's important.

Speaker A:

One of the things, you know, I will say that we are, we're only as secure as the social sphere that we have around us.

Speaker A:

And with the social sphere, it means that we have to understand those risks that you know, remember even a large organization transportation, they give the employees antivirus software and password managers for their home machines and their family members because they knew that actually security just didn't start from the office and didn't start with their employees laptops, but it started with their family.

Speaker A:

And that's that same concept is understand your area of interest, as you say, the social sphere is where security starts and stops.

Speaker B:

Now.

Speaker B:

That's absolutely right.

Speaker B:

So one of the largest contracts for antivirus that I was a part of was for the U.S. Army.

Speaker B:

And those licenses extended to the household because a lot of the work that people do is they do it at home and they bring it into work.

Speaker B:

And at that time, I don't know what it's like today.

Speaker B:

You didn't have the luxury of everybody having a computer, a personal computer.

Speaker B:

So it was a, it was a bring your own device environment or you stayed at work all day, which we did anyway.

Speaker B:

But the idea is that you extended that security and it wasn't for the sake of protecting the family, it was for the sake of protecting the work environment, the operational environment.

Speaker B:

And that was an operational cost that was necessary, because we know what the behavior is like.

Speaker B:

And it was, it's going to be too difficult to change the behavior.

Speaker B:

Instead, you put those safeguards into what people are already doing, just like a university, you know, that puts in sidewalks all over to connect the campus.

Speaker B:

The best execution of that that I've seen is first they see where the trails are being formed by the students, then they put the sidewalks over that.

Speaker A:

Absolutely.

Speaker B:

Instead of trying to direct the students onto sidewalks, you put the sidewalk where they're already going.

Speaker C:

Yes.

Speaker A:

You actually put it with a habit.

Speaker A:

The habits, as you're trying to embed security into their cultural DNA, which is a lot about looking at what habits people have.

Speaker C:

That's right.

Speaker A:

So question, bring it all together.

Speaker A:

What, what's some of the.

Speaker A:

Where do you get your resources to stay up to date, stay knowledgeable?

Speaker A:

Because this is always an evolving industry.

Speaker A:

Is there any books that you read or conferences that you go to that are very valuable events?

Speaker A:

You also have the Weed weekly meetup, which is our monthly meetup, which is.

Speaker B:

The weekly meetup every Wednesday night.

Speaker B:

So I bring executives together: practitioners, executives, influencers, senior people who are part of the field of national cybersecurity.

Speaker B:

And we talk shop in a non vendor environment.

Speaker B:

And the idea is what should we be, what should we all know?

Speaker B:

And we do it in a very light format to replicate the meetups that happen at conferences because that's where you really get to exchange information and talk to your peers about what they, what they are seeing out there.

Speaker B:

So we took that concept of after a conference, after a great presentation, or not, you go to the hallway with your friends and peers and you talk about what they really liked and didn't like about it, where they were right, where they were wrong, without being critical of the topic.

Speaker B:

The topic was a conversation starter.

Speaker B:

And so the idea is we bring that on the.

Speaker B:

On our weekly Wednesday from there.

Speaker B:

I also am part of a book club, the Cyber Canon Project.

Speaker B:

We evaluate books, cybersecurity books, and then we come up with a list of.

Speaker B:

These are the top cybersecurity books that everybody should read.

Speaker B:

So I do a lot of reading and I do a lot on Audible as well.

Speaker B:

So I do it to them because I don't get anything for that.

Speaker B:

But the idea is I was just going, I'll go through at least a book a month, sometimes two.

Speaker B:

And I'm picking different subjects.

Speaker B:

And don't be afraid to pick a book up.

Speaker B:

You start reading it and you say I don't like it and put it down and go to another.

Speaker B:

That's part of the process.

Speaker B:

And what we do with the Cyber Canon is we do that for you and we say this is a must read book if you're in the discipline, or this is a niche book if you're in this part of the discipline.

Speaker B:

So there's two sources.

Speaker B:

I'm a news junkie.

Speaker B:

I have my alerts set up with key terms on different projects I'm working on and different organizations I'm following, so that if they come up in the news, I get a feed for that.

Speaker B:

I go to podcasts like yours where I'm able to get value, deeper insight than just a cursory discussion on this topic.

Speaker B:

That's a two-minute read.

Speaker B:

You get deeper insight on a podcast than you would on just reading an article.

Speaker B:

And then with the book, like I said, it's even greater.

Speaker B:

And then the one on one interaction or the face to face interaction on the weed RAM is another.

Speaker B:

And I also take formal courses.

Speaker B:

If there's something that, for instance, I've taught databases, I ran databases, I've worked with large data sets.

Speaker B:

And sometimes what you learned 20 years ago, 10 years ago, starts to drift into new knowledge.

Speaker B:

And so now it's, you know, data analysis, data science.

Speaker B:

I don't say I'm a data analyst or a data scientist, but I do work in that field.

Speaker B:

So I'll take a course on that to sharpen my terminology so I understand it better.

Speaker B:

And so in this field you have to be a lifelong learner.

Speaker B:

In fact, if you have any kind of certification, it's an absolute requirement for you to do it.

Speaker B:

And no one's going to tell you what to do.

Speaker C:

But I just gave you about five.

Speaker B:

Examples that are part of my weekly ingest of information and also give it back.

Speaker B:

That's the big thing: with some of these forums, I do a lot of speaking to a lot of groups and I give them back the knowledge, because not everyone has the time to keep up with everything.

Speaker B:

So you have to rely on trusted individuals, back to that word, trusted individuals who are going to sift through the noise to get you the signal, the right information that's relevant to your organization now.

Speaker B:

And you have to maintain a trusted network because if you see something and you hear something and you need to say something, sometimes you want to validate that.

Speaker B:

And I have lots of people on speed dial that I'll call and say, have you seen this?

Speaker B:

What about this?

Speaker B:

How are you seeing this?

Speaker B:

And that network also is a trusted network and you're a part of my network.

Speaker B:

You mentioned conferences. The top conferences out there, as far as quality and number of people, are one that happens in San Francisco in the spring and one that happens to.

Speaker B:

That happen in Las Vegas in the summer.

Speaker B:

And there's a lot of other niche audiences.

Speaker B:

One of my favorite ones is an event called CornCon in, of all places, Davenport, Iowa.

Speaker B:

But it brings a lot of the top people to a very niche conference where I'm not competing with 20,000 people for the attention of these security professionals.

Speaker B:

Those are located everywhere.

Speaker B:

If you're.

Speaker B:

And if you don't have a conference near you start it.

Speaker B:

We started a BSides conference here in southwest Florida, where I'm at, because for 100 miles around there was no security conference near us.

Speaker B:

So everywhere had.

Speaker B:

We had to drive three hours, two hours to get to a conference.

Speaker B:

So we brought it, we created our own.

Speaker B:

So BSides is another thing that I'll champion.

Speaker B:

And those are global, worldwide.

Speaker C:

Yes.

Speaker B:

So you got your conference, you got your reading, you got your study, you have your news feeds, you have your networks.

Speaker B:

And then create that trusted network, bring it together so that you could exchange knowledge.

Speaker B:

I look at it this way.

Speaker B:

When you need that team, you want to train like it's a Super Bowl.

Speaker B:

Think of incident response.

Speaker B:

You want to train like it's a Super Bowl, where it took a 2, 3, 4 year cycle of preparedness to get your organization ready to be the champion of your sport.

Speaker B:

You want your incident response team to be that prepared.

Speaker B:

And if you're not looking at it that way, the alternative, it's a pickup game that you had on the playground when you were a kid where whoever was on the field at that time, that's the team that you're going to play with.

Speaker B:

And the best play you have is take 10 steps, turn around, I'm going to throw the ball at you.

Speaker B:

It is not synchronized, it's not coordinated, it's not rehearsed.

Speaker B:

And you didn't take into account all the planning that could have taken place to identify where the weaknesses in your organization are and address those throughout the year.

Speaker A:

Absolutely.

Speaker B:

So train like you fight.

Speaker B:

Fight like you train and you will have a better outcome.

Speaker A:

That advice is the top advice I've, I've heard.

Speaker A:

It's.

Speaker A:

You're absolutely spot on.

Speaker A:

It is all about community.

Speaker A:

It's all about investing yourself, learning, continuous learning.

Speaker A:

This industry evolves and changes, the world changes and we have to stay on top of it.

Speaker A:

And I think one of the things I'd just re-emphasize, one of the things you mentioned, is there's also giving back.

Speaker A:

One of the things I always find is that I go to lots of trainings and receive and try to stay on top.

Speaker A:

I do a lot of capture the flag events, gamification, but I also give training, and when I'm giving training, it really forces me to go so deep and so, you know, into the details to make sure I have enough information to pass on the knowledge to others, even to the point where, on the capture the flag gamification side, I also do these periodic walkthroughs of my own experiences and what I found when I was doing those.

Speaker A:

And I think giving back is such a critical thing in this industry because it means that we can't do this alone.

Speaker A:

We have to do it as a team.

Speaker A:

This is one industry where it is a team sport and we all have to come together.

Speaker A:

We all have our unique skills and expertise and knowledge and we all bring it together.

Speaker A:

And hopefully collectively as the community, we make the world a safer place, starting with the companies and the people around us in that social sphere and then bringing it global.

Speaker A:

To your point, you know, about not having the BSides event locally, so you create one.

Speaker A:

I think that's definitely kind of the message we want to get to the world out there: if you can't get to it, start it.

Speaker C:

Absolutely.

Speaker B:

Where there's, where there's a gap, fill it.

Speaker B:

And there's resources out there.

Speaker B:

And if you want to start a conference where you're at and you need help, feel free to reach out to me.

Speaker B:

I will help you get the right speakers here.

Speaker B:

I will help you, I will give you.

Speaker B:

We, we probably have lots of notes on that and there's probably someone close to you who can really be influential and do that.

Speaker B:

Because what's unique about our discipline, one of them, it's not an IT problem, it's an ecosystem problem.

Speaker B:

So there's more to it than just IT.

Speaker B:

It's very much human in the loop.

Speaker B:

And the giants of our discipline are still walking amongst us.

Speaker B:

In philosophy, they died hundreds, if not thousands, of years ago. In our field,

Speaker B:

They're still alive, they're still walking the earth and they're available for and typically.

Speaker A:

Always willing to be available and to help in the system where possible.

Speaker C:

Right.

Speaker B:

If you have the right mentality and you're doing it for the right reasons, they will do everything they can to support you.

Speaker B:

And I'll tell you that I did not get here alone.

Speaker B:

I was standing on somebody else's shoulders.

Speaker B:

And I always say when you reach up on that ladder.

Speaker B:

When you're climbing that ladder of success, every time I reached up, there was somebody there to grab my hand.

Speaker B:

But never forget to reach down and pull somebody up with you.

Speaker B:

Leave a wake.

Speaker B:

And as you move forward, that's such.

Speaker A:

A great, great philosophy and metaphor.

Speaker A:

Absolutely.

Speaker A:

So if the audience do have questions, let's say they do want to start an event or they do want to learn more about, you know, how to communicate better, what's the best way for them to contact you?

Speaker A:

How can they reach out? On LinkedIn.

Speaker B:

Or [email protected], you can reach me there.

Speaker B:

I'm sure you'll put it on your show.

Speaker A:

I'll put it in the show notes as well.

Speaker A:

Absolutely.

Speaker B:

But connect me on LinkedIn, reference this podcast and we'll connect from there.

Speaker B:

Because otherwise, one thing I'll tell you for the vendors, quit cold calling us for stuff if you don't have a relationship with us.

Speaker B:

I'm going to go first to people who I trust.

Speaker B:

And if you're cold calling me, it means you didn't do your homework to get into my circle of trust.

Speaker A:

Absolutely.

Speaker A:

It's about, you know, earning the trust.

Speaker A:

As you say, trust isn't just established, it's earned.

Speaker A:

Right.

Speaker B:

And it doesn't mean we, we have to be friends, best friends or anything like that.

Speaker B:

It's just that you did the homework enough to understand what my problems are.

Speaker B:

You understand how your solutions can address my issues and why you're a good choice.

Speaker B:

If you didn't do that and you start out with, I got this solution, do you have this problem?

Speaker B:

It doesn't work that way.

Speaker B:

And plus my phone blows up, so.

Speaker C:

It's not the way to contact.

Speaker A:

We have to prioritize and focus.

Speaker A:

JC, it's been awesome having you on.

Speaker A:

It's always an honor and pleasure speaking with you, and absolutely.

Speaker A:

Every time we're at the same events, we have to put time aside and meet up and have a good catch-up, as always.

Speaker A:

So thank you for spending the time today.

Speaker B:

I'm glad to be here.

Speaker B:

The feeling is mutual.

Speaker B:

I look at you as a peer, I look at you as a coach, I look at you as a mentor.

Speaker B:

Most importantly, I see you as a friend.

Speaker A:

Thanks.

Speaker A:

And it's mutual.

Speaker A:

I think it's going back a long time with our good friend Dave.

Speaker A:

David Lewis put us together at one table for dinner, which was a fantastic opportunity, and absolutely, you're definitely a close and great friend, and I look forward to keeping on meeting up in the future and even doing more of the podcast episodes together.

Speaker B:

Absolutely.

Speaker B:

We got a lot of topics we can talk about.

Speaker B:

I enjoy being with your audience here.

Speaker B:

Feel free for the audience members to reach out if you want something.

Speaker B:

If I can do it, I will.

Speaker B:

If I can't, I may know someone who can.

Speaker A:

Absolutely.

Speaker A:

It's about the community.

Speaker A:

So many thanks for being on the show.

Speaker A:

For everyone, this is the Security by Default podcast.

Speaker A:

Really bringing important knowledge, lessons learned, best practices, and really to help you shape your career, whether you're starting or whether you're looking for your next path, journey, and adventure.

Speaker A:

Hopefully this will give you some insights and some best practices to really make your world a safer place and the world that we live in safer as well.

Speaker A:

So for everyone, every two weeks, new episodes, new guests, stay safe, subscribe, share with your friends, make sure that we get the message out there.

Speaker A:

Thank you and all the best and take care.
