
Duty, Burnout, and Redefining Security Team as Digital First Responders with JR Cunningham

S3 E16 · Bare Knuckles and Brass Tacks

JR Cunningham, CISO at Nuspire, joins the show to talk about why cybersecurity isn't just another IT job - mentally, it's more like being a first responder.

George K and George A talk to JR about:

🤔 Why we should consider cyber teams like first responders (not just IT staff)

😵‍💫 The unique mental health challenges of incident response

💪 Building cultures where defenders can actually take care of themselves

🧠 Why your IR plan needs to consider the human element

💬 "The higher up you go in security, the more you get the sh*t kicked out of you. Most professions get easier - ours gets harder."

Security leaders - how are you building support systems for your defenders?

————

👊⚡️ BECOME A SHOW SUPPORTER

https://ko-fi.com/bareknucklesbrasstacks

For as little as $1 a month, you can support the show and get exclusive member benefits, or send a one-time gift!

Your contribution covers our hosting fees, helps us make cool events and swag, and it lets us know that what we're doing is of value to you.

We appreciate you!

Transcript

Cybersecurity: Duty Beyond IT

00:00:00
Speaker
And at some point it clicked for me that we weren't just IT people that had a slightly different job. The job that we were doing was much more aligned with how we think about first response. Now, we don't run into burning buildings, we don't get shot at on the streets or anything like that. So not to take anything away from first responders, but when you look at the DNA of a cyber practitioner, especially when you get into the leadership aspects of cyber, CISOs and directors of security or compliance, whatever it may be,
00:00:33
Speaker
There's more than that. It's a desire to protect. It's a sense of duty. It's an obligation. It's a, "I will get up and answer the phone at three o'clock in the morning when the bad thing happens." And it starts to tip towards the first response and duty mentality as opposed to the, "I'm going to do my job and get paid and play with technology."

Introduction to the Podcast

00:01:00
Speaker
Yo, yo, yo, it's the show. This is Bare Knuckles and Brass Tacks, the cybersecurity podcast that tackles the human side of the industry. We're talking trust, respect, and all the rest. I'm George K. with The Vendor Side. And I'm George A., Chief Information Security Officer. And today, our guest is JR Cunningham, CISO at Nuspire, which is an MSSP. And we talk a little bit about MSSPs, but we really got into the weeds here on burnout and an idea of treating frontline cybersecurity defenders as first responders. The analogy isn't perfect, but we try to get into the psychological aspects, the planning, how you manage the stress, and of course, trying to prevent the burnout in the first place.
00:01:42
Speaker
Yeah, I mean, look, I gotta be honest with you, JR is an absolutely great salt of the earth type person. I think of all of our guests, I have to say, you know, the guy is just genuine.

Leadership and Integrity in Cybersecurity

00:01:54
Speaker
He's sincere. He really connects with you when you talk to him. And he's clearly an expert at what he does, which, you know, it goes without saying. But I think this episode really speaks to more him as a character.
00:02:06
Speaker
Him as a person with integrity and as a true leader who brings out the best in people around him, not just the people that work with him. Really had a great time talking to JR. So we got three decades' worth of JR's experience compressed into just over half an hour. There's a lot here for practitioners, for executive leaders, and for their teams. So let's turn it over to JR. JR Cunningham, welcome to Bare Knuckles and Brass Tacks.
00:02:33
Speaker
Well, thanks so much for having me. It's a pleasure to be here. You guys are very well known in our space, and we respect you very much for the content that you produce. Loved your last podcast. The topic of empathy is a big deal for us, and it was a great show. So it's a privilege to be here. Thanks for

Burnout and Stress Management in Cybersecurity

00:02:50
Speaker
inviting me. Appreciate it. Absolutely. We're pleased to have you. You are a friend of the show because you are a friend of Maria's, and anyone who's a friend of Maria's is a friend of ours. You are CISO at Nuspire. So this is kind of a conundrum for our rules. Typically CISO means I get first crack, but you're with a vendor, which kind of means the CISO gets first crack. But he's sitting in a car recording off AirPods on a hotspot. So I'm going to do the first question anyway, because I was here first.
00:03:18
Speaker
So it's not even a question, really. It's just to give you... Sorry, George. It's just to give you a platform, because we had a bunch of questions and then we kind of threw them out, because when we were doing the scheduling, this topic of burnout, this topic of cyber defenders as front line or something... Anyway, we got into it in the email and we're like, this is much more interesting than what we had planned. So we're going to go with that. So JR, bare knuckles portion of the show, airing of grievances. Let's start with just giving you the space to talk about this idea of how we conceive of our frontline defenders.
00:03:58
Speaker
Sure, sure. Well, thank you for the question. I appreciate it. It's something I'm pretty passionate about, you know, almost three decades into this profession, and I'm very passionate about it. It's not a job for me. It's the work of my life. It's my vocation. And when I look at the landscape and I look at my peers, we see a lot of the folks who have been at this for 15, 20, 25, 30 years.

Evolution and Challenges of Cybersecurity

00:04:24
Speaker
They're beat up. You know, they're tired.
00:04:27
Speaker
They feel like, and the data supports the notion, that the world actually isn't safer and more secure now than it was 20 or 30 years ago. You know, breaches are bigger, more expensive, more common, more frequent than they were when we all got started. Right? So we are living in an era where we have kind of the first generation of practitioners that do this thing that didn't even have a name when we started, right? I mean, if you think about it, you know, before we called it cyber, we called it information assurance. Before that, we called it information security. And before that, it was like, hey, somebody find an IT guy to protect this stuff for us. Right. And so, you know, we were at the part of the journey of our profession where the first generation of practitioners
00:05:17
Speaker
are either retired or, I mean, in some cases gone, right? I mean, Kevin Mitnick's passing away was a real reality check of like, oh, you know, the OGs of our space, we're getting older, right? And when you look at these folks, you know, we're beat up. Our children never knew what Memorial Day, Labor Day, the 4th of July, Christmas, Thanksgiving holidays, you know, are supposed to be like, because we were always working those holidays. And at some point it clicked for me that we weren't just

Protective Instincts vs. IT Focus

00:05:48
Speaker
I.T. people that had a slightly different job. The job that we were doing was much more aligned with how we think about first response. Right. Now, we don't run into burning buildings. We don't get shot at on the streets or anything like that.
00:06:03
Speaker
So not to take anything away from first responders, but I've never met a state trooper that didn't have to work 4th of July or Labor Day or Memorial Day, Christmas, et cetera. And you know, when you look at kind of what drives a person into the cybersecurity space, a lot of IT people get into IT because they really love technology. And that's a great reason to get into IT. When you look at the DNA of a cyber practitioner, especially when you get into the leadership aspects of cyber, CISOs and directors of security or compliance, whatever it may be,
00:06:33
Speaker
There's more than that. It's a desire to protect. It's a sense of duty. It's an obligation. It's a, "I will get up and answer the phone at three o'clock in the morning when the bad thing happens." And it starts to tip towards the first response and duty mentality as opposed to the, "I'm going to do my job and get paid and play with technology."
00:06:56
Speaker
So that's really kind of the heart of why I'm passionate about this. I didn't come into the profession thinking about it this way, but as time has gone on and I look at all these wonderful people that do cybersecurity for a living, like, there's something different about these people, and it's not about their knowledge or skills. Cyber people in general are extremely technical in nature, very knowledgeable. Generally, cyber people know a little bit about a lot of things and a lot about some things.
00:07:21
Speaker
One day you wake up, you're a lawyer. The next day you're an incident responder. The next day you're a sysadmin.

Institutionalizing Care and Support

00:07:27
Speaker
The next day you're a network engineer. You know, it's a really fascinating profession in that regard.
00:07:33
Speaker
But there's a sense of obligation and duty, you know, protection, that comes with it that I think makes us a little bit different. And it causes burnout because we don't take the Fourth of July off. We don't put our phone... I don't know what "do not disturb" means on a phone. I could never do that. Right. Well, yeah, I think in those same professions, you can see
00:07:56
Speaker
a hero or a martyr complex by a different name. Like, those professions have had time to acclimate to, you know, supervisors being like, do you need...? Because you've begun to make bad decisions. It begins to get dangerous for your teammates. And so I think you're right. And in terms of maturity, we're sort of like dealing with a lot of the effects, but we haven't really gotten into like the process or change to manage it.
00:08:24
Speaker
Yeah, for certain. You know, not long ago, I drove by our state patrol headquarters in the town that I live in, and they had a barbecue grill out front, and the cops were all out hanging out with their families, you know, in front of the grill.
00:08:37
Speaker
In those professions, they have institutionalized a lot of care for each other. You know, if you are a firefighter and you run across a gruesome scene, you're going to talk to the shrink in the next 24 or 48 hours, right? You know, they're going to make sure that you're taken care of.
00:08:54
Speaker
And in our space, you know, the equivalent example, or maybe not equivalent example, but an example of a similar situation would be, you know, you could work on an incident for an entire week or weekend and you're exhausted. People are angry. The business is yelling at you. You know, money has been lost. You know, the bad press, whatever it may be. And it's like, OK, go home and, you know, put the kids to bed, make dinner, right? And pretend, just compartmentalize your life.

Cultural Shift in Cybersecurity

00:09:24
Speaker
Right. And I think we're starting to learn how to care for each other. Now, there are some other tangible things that, you know, we haven't quite figured out yet. Like, you know, most of us don't have, you know, pension plans, and we don't have mandatory days off and things like that. But I think as a community, one of the things that is really uplifting for me is I've started to see practitioners do a better job of taking care of each other, encouraging each other. If you go back 20 years ago, when a breach happened, everyone went, whoa, gosh, it sucks to be that guy.
00:10:00
Speaker
And now when something bad happens, everyone jumps in: what can we do to help? We're here to support you. Hang in there. Don't get discouraged, you know, that type of thing. If you go on LinkedIn and you look at the outpouring of support for a CISO when a public event happens, and we've seen a lot of those even, you know, in 2024, the outpouring of support. And we're also, I think, less willing to throw rocks than we once were. It used to be, you know, hey, I'm obviously a great practitioner because something bad didn't happen to me yesterday. And today it's more like, oh, something bad happened to a fellow practitioner. What can I do to help them? You know, that's a positive development, but we have to...
00:10:43
Speaker
Well, we have to keep in mind as well, you know, like in the cases of, you know, a Joe Sullivan or a Mudge, and I respect both of them. I met both of them. You know, in Joe's case, Joe is a lawyer, and arguably it's fair to say Joe should have known better. Like, I love Joe, but Joe should have known better.
00:11:01
Speaker
But I'm a practitioner commenting on another practitioner. And I'm talking to you, another practitioner, and you understand what I'm saying. In public though, especially to non-technical people, I'm not going to throw Joe under the bus. That's not a thing.
00:11:15
Speaker
There has to be some degree of solidarity between... Absolutely. I can pick on my sister, but if somebody else does, I'm going to beat their ass, right? I mean, you know, that's just... Yeah, totally, totally. Yeah, exactly. But I want to take this back to kind of a little bit more, because I'm really excited to talk to you as a CSO of an MSSP. And we'll talk to some of the heavier stuff too later on, but you know, I really want to look at, like, the

MSSP Challenges and Client Security

00:11:40
Speaker
perspective of... Because I started my career in the MSSP space. Like, I was a junior operator at CGI, which was a big MSSP when I started. And I made CISO four years later somehow, because, you know, people thought I was like not dumb enough somehow. I don't know. It's crazy. But I remember my MSSP days, so it was less than 10 years ago.
00:11:58
Speaker
So, let's talk about running internal security for a major MSSP, which yours is. What are some of your more complex challenges? Like, do you find it is an issue of funding, or do you find, you know, getting your board on board with your plan and what you want to do?
00:12:15
Speaker
Or getting your staff to actually adhere to your controls and your SOPs that you want to implement, knowing that you're dealing with shift workers who are working 24-7. And if you're on that mid shift and it's like two in the morning and you're exhausted and it's third mids, I'm not going to lie to you, I've been in that position. I'm like, I don't give a fuck about this policy. I'm going to take this shortcut, right? I've been there. But how do you get that buy-in and that enforcement from your teams?
00:12:45
Speaker
Yeah, it's a really tricky thing, because when you look at it, any good CSO is going to go through a risk management exercise, right, and try and articulate risks to the stakeholders that you mentioned: the board, you know, the ownership, the executives in the organization.
00:13:03
Speaker
And when you look at what are the two existential risks to an MSSP, one of them is you become a vector for compromise into your clients. Right. That is a business-ending type of scenario. And the second is you become unavailable to provide services to your clients. And that could take the form of, you know, some dude with a backhoe cuts the fiber optic cable to your SOC. And, you know, you've got that issue, and your clients, you know, essentially don't have a security program at the time. I think it's equal parts art and science, in the sense of, first of all, you have to make shortcutting policy very difficult to do for the people that you mentioned, right? We don't want SOC analysts to be able to hit the easy button
00:13:49
Speaker
and cause one of those two risks to materialize, right? So some of that's technical control, some of it's process control. But I will tell you that, at least in our experience at Nuspire, one of the greatest things that we ever did was we started with a culture of: you are the guardian, you are the security apparatus for these clients. And if you start with that, and you have that culture permeate throughout everything that you do, what ends up happening is, before a SOC analyst at 2am takes that shortcut or attempts to take that shortcut,
00:14:24
Speaker
they say, if I do this, am I going to put other clients at risk? Am I going to put this client at risk? Am I going to put us at risk? And what we'll find is, you know, the ideal scenario is they'll press pause just long enough to ask someone else, should I do this? But I also think, too, that comes from the top down.
00:14:44
Speaker
You know, when we talk to our employees about what our mission statement is, we always start with two things. One is that we will meet our clients where they are. They're not going to be perfect. They're not going to have perfect security. We're going to meet them where they are. And the second part of that equation is we're going to make them more secure over time by doing the right thing for them.
00:15:06
Speaker
And sometimes that means, "I'm sorry, I'm not going to solve this problem for you at two o'clock in the morning. We need to have more expertise come on board tomorrow morning and have a conversation with you." That's not always an easy conversation to have the next day, you know, with your customer, right? When you think about what makes clients really angry at an MSSP, number one, like top of the list, is they had a pen test and you didn't see it. That is a great way to have people be very mad at you as an MSSP.
00:15:34
Speaker
Wait, wait, hold on. Let me say this, and the listeners who are working in the MSSP space, you guys know this pain. I found the highest-paying, most invested clients really didn't give a shit about the little things like that, but the clients that paid the least amount for services, they were off your ass over every little error, and I was like, Kesko, fuck, man. A hundred percent, right?
00:16:02
Speaker
Yeah. And you know, so you have those things, right? And actually, it's very interesting. At some point, I don't know when this happened, but at some point, we kind of started to embrace the notion of, you know what? When a client has that type of scenario, and you're right, it's generally the less sophisticated clients that are, you know, they get a... something happens and they're mad that you didn't see it and they call you.
00:16:24
Speaker
We look at that, we're like, hey, guess what? We just got a free test of our business processes, right? We just got a free test of our own MDR/EDR system, right? So, okay, let's take that for the opportunity that it is. But George, to your question about how you handle that as a CSO: I think there's a cultural aspect of it that I just mentioned. The other thing is, you know, there definitely is a place for technical controls around some of this, right? And one thing we realized very early on was,
00:16:59
Speaker
if you look at the universe of, you know, pick your favorite framework, NIST or ISO or whatever, 200 security controls, and we look at, okay, what are the 10 that we need to be like awesome at? One of those is around privileged identity and making sure that we consider access into our clients a privilege. And so we treat that access as a privileged identity with all of the things that one would naturally do around privileged identity, right? We're going to make sure that, you know, we do really good MFA. We're going to make sure that we don't have credentials floating around easily. You got to check them out, you know, that kind of stuff. So I think on the technical side, on the control side, it's when you pick the controls that you need to be the most mature in, you pick those controls that are also the controls that benefit your client.
00:17:46
Speaker
And so they get a vote. I always like to say, you know, the enemy always gets a vote, right? In any security strategy, in any program, we've got to consider the threat landscape because, you know, the enemy, they have a voice in the program. In the MSSP space, the client also has a voice in the program, and their particular security considerations and risks have to be considered.
00:18:05
Speaker
A client that's a healthcare client is super concerned about PII, whereas a client who is a retail client, they're all about PCI compliance and credit card stuff. But a factory is really concerned about availability. Like, if the conveyor belt stops, you know, we're really mad at you. Taking into account the risks that matter to them allows us to kind of tailor the controls that we put in place to protect them, and protect us while protecting them, if that makes sense. Yeah, that makes perfect sense. All right, well, we will take a break right there and we will be back for brass tacks.
00:18:45
Speaker
Hey listeners, if you like what we do, the snark, the stories, and the big swings we take, we'd appreciate your support. With the link in the show notes, you can become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as $1 per month. Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop.
00:19:12
Speaker
So really, for less than you'd pay for one cup of coffee per month, you can support the show. Use the link in the show notes. It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is of value to you. Many thanks to recent supporters Jessica, Jason, and Maria. We'd love to have yours too.
00:19:39
Speaker
Let's talk about this, because JR, we had a really good email exchange kind of before we did the show, and listeners, like, you know, we usually have time to talk to our guests. There's a good guest research type thing we do. So I'll say this, since this is a very CISO, CISO perspective, and I hope, you know, if people want to be judgmental, then so be it. Let's put it out there.
00:20:01
Speaker
Let's talk about the struggle of being a CISO a minute, because we connected on this prior to the show and I find your perspective to be both refreshing and energizing. The fact is that a lot of CISOs are looking to leave their roles and even the field in general, you know, some days myself included. Like, I tell George all the time, I'd fucking quit my job if I could.
00:20:23
Speaker
Yeah. The fact is that, you know, you face just as much, if not more, pressure than the rest of us, because you're working at a very high-power MSSP. How do you maintain such a positive and healthy attitude for all the landmines and dogfights that come to the role? Because I'll tell you, man, some days I feel like I just get the shit kicked out of me doing this thing. And I just, yeah.
00:20:50
Speaker
Yeah. Well, I appreciate the question. You know, to the idea of getting the shit kicked out of us, I'll say this: in most other professions, the higher up you go in the organizational hierarchy, the less hard your job is and the less you get the shit kicked out of you,
00:21:09
Speaker
except being a

Pressures and Strategies for CISOs

00:21:10
Speaker
CISO. In the security profession, the higher up in an organization you go and the longer you serve in the profession, the more you get the shit kicked out of you, right? I think that's why a lot of CISOs get to the point where they aspire to the role for their entire career,
00:21:25
Speaker
they work their way up, manager, director, senior director, VP. They become a CISO and they go, holy cow, I'm still getting... the phone is still ringing. I'm still getting my butt kicked every day. The business is mad at me. By the way, I carry personal liability if something doesn't go right. So I have to make sure I'm not, you know, getting crosswise with the law.
00:21:45
Speaker
The hackers now are even in on the game, where they'll report me to the SEC if I don't, you know, disclose a breach in a timely way. Right? So it really is... moving up in this profession, in the career, is an act of increasingly getting the shit kicked out of you. I mean, it really truly is. And I think it's unique in all of business or technology in that regard, with maybe the exception of being the CEO. Right? They're always getting beat up by everybody in an organization.
00:22:15
Speaker
You know, I don't view it as a job. It's a vocation, it's my life's work. I view it as a duty that I really, truly enjoy, the work of which sucks a significant percentage of the time, and the suck is worth the joy of the role. But I think the perspective, and this is where a lot of cyber practitioners get themselves in trouble, is that a lot of people go into technology because they really like technology.
00:22:47
Speaker
And, you know, it makes them happy and, you know, fulfilled to get a paycheck. Cyber people have that. Most cyber people really like technology, but they also carry with them a sense of duty, a sense of obligation, a sense of passion that will enable you to plow yourself into the ground if you're not careful with managing that, right? You know, it's easy to say, I'm not gonna take today off because the world needs me to come to work. And, you know, the next thing you know, your mental health is destroyed and your family and friendships are not good relationships, and all of that.
00:23:24
Speaker
For me, viewing it again, not like an IT worker, but viewing it more along the lines of a duty-bound first responder type of role allows me to say, you know what? I just can't do it today. I need to press pause. I need to step away.
00:23:42
Speaker
You know, Maria that I work with, she would probably vouch for this: every once in a while JR just disappears. He's gone, like, you know, he's out in the woods, or you know, he's just... woof, you know, where'd he go? Right? It's on us to treat the profession that way. I think, you know, there's an attractiveness to being a cybersecurity practitioner that's almost irresistible to some people. Right? You know, the paychecks are good. It's a noble profession. You get to work on a lot of really cool stuff. The project work is really cool. You know, you don't ever have to question, did I make a difference in the world today? That's just kind of part and parcel of the job. Like, if you're a cyber practitioner, you made the world a better place just by waking up and coming to work in the morning.
00:24:31
Speaker
I think for me it's keeping that perspective of: this is not a job. It's part of my identity. It's, you know, part and parcel of who I am, and I have to keep that in perspective and know that the idea of balance isn't necessarily always going to be there. There are always going to be extremes. Bad stuff doesn't happen at convenient times, and good stuff doesn't happen when expected.
00:24:56
Speaker
Keeping that perspective has, I think, allowed me over the last almost three decades to have a realistic view of it. Now, there's a downside to that, and that is I don't get the right to complain about, oh gosh, I didn't get a Saturday today, right? And you'll never hear me complain about that. It's just part of the gig. And if someone doesn't like that, it's kind of part of the gig, right? And I think we've,
00:25:23
Speaker
in a certain sense, back to the whole first responder analogy, in a certain sense, we have taught the world that what we do is just part of I.T.
00:25:35
Speaker
and not, hey, you know, these folks do something on a whole different level, physically, emotionally, mentally, that can just suck all the energy right out of you. And we've got to take care of that. And that means, you know, being responsible with taking time off, mental health, taking it seriously, taking care of each other. And we're getting better at this, I think, but, you know, gosh, the first, you know, 20 years of my career, that was not a thing. It's like, okay, you're an IT person that happens to work on firewalls and, you know, antivirus, you know, suck it up and, you know, come to work. So we've talked here about the CISO pain.

Building Supportive Cultures

00:26:15
Speaker
And in the earlier part of the conversation, we talked also a little bit that we touched on culture, which listeners will know is like my favorite thing. So.
00:26:25
Speaker
By way of a story, I'll get to my question, which is, before we were recording, I was relating this story. So, as listeners may know, I also work with Mind Over Cyber, the nonprofit, with Maria and Carlos, and we had a panel in Dallas where a CISO relayed her experience post breach. So there was a breach. They worked through it, eventually resolved it, adversary out of the system, tied it off.
00:26:54
Speaker
I think in the popular imagination, we're like, sweet, done and dusted, situation handled. And she relayed how 48 hours later in the grocery store, she just collapsed into a full-blown panic attack, which, now that we understand more about neuroscience, is perfectly acceptable because that's a cortisol dump, right? Like, all that stress hormone has to go somewhere. It doesn't just end when the breach ends. And so you were talking about how you take care of yourself as a CISO. I think CISOs who cannot take care of themselves inevitably are going to pass that culture of sort of martyrdom (there's a fine line between the hero complex and a martyrdom complex, right?) all the way down to the team. So as an executive leader,
00:27:40
Speaker
I want to give you space to talk about ways that you have seen, or are seeing, leaders build cultures where their teams feel comfortable raising their hand, saying like, I'm kind of going through something right now, or I still haven't really gotten that incident out of my system. I don't know, like, let's talk about the team culture instead.
00:28:02
Speaker
Sure, sure. Yeah, George, I'm deeply empathetic to this topic because I think part of it, going back to the first responder analogy, you know, if you're a cop and you shoot somebody, you're taking the next day off and someone's going to talk with you about it and work through it with you, right? And work on that night. And I'm not comparing what we do to being a cop on the streets at all, but when cyber practitioners go through these sometimes horrific incidents, and when I say a horrific incident, it's not just about the breach, right? It's also about, you know, now you have to answer to the board. You have to talk to the PR folks. You have to talk to the lawyer. You have to, you know, I mean, you're the
00:28:43
Speaker
The context switching of being a security practice. Well, and as you said, part of your identity, and we know that the mind will do whatever it can to protect identity. So if you think you're a defender, there's a lot of feelings of failure. Right. There's a lot of, you know, stuff that you have to confront about that identity. 100 percent. Yep.
00:29:02
Speaker
Absolutely, absolutely. I think one of the things culturally that has made a big difference for me and for the teams that I have had the great fortune to lead over the years is, we in our profession tend to not be very good advertisers. We like to kind of work behind the curtains a little bit and not trumpet what we do. And one of the very first things I try and do with an organization, regardless of if I'm an employee of the organization or if I'm a consultant, which I spent most of my career doing,
00:29:31
Speaker
is advertise to stakeholders, executives, boards, et cetera, the kind of people that are doing this job. And if I can socialize that these people are dedicated, passionate human beings that will rise to the occasion when called upon, but also, you know, are still human beings and need to be taken care of, if I do that before the bad event occurs,
00:29:58
Speaker
And when I start working on things like incident response planning, tabletop exercises and whatnot, I factor in those human factors. I start to socialize the idea that these aren't robots that, you know, are devoid of emotion or physical need. You know, people have to sleep, they've got to eat, they've got to blow off some steam, you know, all that kind of stuff. And I've had great success with being able to, if I can communicate that upfront, when the bad thing happens, being able to say, I know you really want all of this bad stuff to go away right now, but I've got some folks that need eight hours. Can we go ahead and, you know, do that, right?
00:30:40
Speaker
The other interesting thing, I'll never forget, I walked into an organization one time and someone stood up and introduced himself and said, I'm just a cybersecurity analyst. And I was taken aback by that, and I stopped the conversation and I said, I don't ever want to hear that word "just" again. You know, you are a cybersecurity practitioner.
00:31:04
Speaker
You're not just anything. This is an awesome profession and it carries with it a certain amount of, you know, maybe nobility is not the right word, but it carries with it a certain amount of, you have the right to take care of yourself. If you can kind of encourage that way of thinking in the culture, it really does two things. First of all, it stops analysis paralysis, which is almost fatal in the cybersecurity industry, right?
00:31:30
Speaker
I know that if I make a decision and it's wrong, you know, I'm not going to get fired tomorrow as long as I, you know, make it right. So there's that. But it also allows a person to develop the courage to say, I just can't do it today. And I think that's a great thing to encourage.
00:31:49
Speaker
Now, obviously, that works when you have a practitioner who truly has that ethos of, this is an important part of who I am and it's, you know, it's

Effective Role Definition in Incident Response

00:31:58
Speaker
my vocation, right? As you've probably seen me write, and I've talked about it in the past, we definitely have a poser problem in our industry, where people who shouldn't be in the profession are in the profession.
00:32:08
Speaker
They get destroyed very quickly when things like that happen, because they feel like they constantly have to grind it out, and they can't raise their hand and say, hey, I've got to step aside here for a few minutes and catch my breath, right? But a real practitioner who views this for the long term, sometimes I liken it to, if you look at some of the running backs in the NFL who have been doing the job for a very long time, they're not willing to take every single hit, because they're in it for the long haul. And so sometimes they'll, you know, voluntarily go down without, you know, getting smashed, in order to live to go another day. And I think we need to encourage that. And I certainly try to encourage that with, you know, the practitioners that work with me.
00:32:54
Speaker
You mentioned incident response plans there, which I think we were also talking about, how tabletop exercises, which is a favorite bugbear of mine lately, but also most incident response plans don't incorporate these psychological ideas. It's really just like, here's the playbook on how we're going to do this. Here's the incident. This is the thing you do. These are the steps you take. But not: what is the shift schedule? What is the relief system? Like, do you have any concrete advice there for how people should sort of rethink the IR plan?
00:33:30
Speaker
Yeah, you know, there is this little nugget inside the NIMS, the National Incident Management System, right? And if you go out to FEMA and you go to their website, they have an Incident Command System series of courses you can take online, and it talks about how responders deal with incidents. And one of the beautiful nuggets in there is defining the roles. And one of the things that I've seen over the years with incident responders in cyber is,
00:33:59
Speaker
The person who's doing the actual technical work of responding to the incident is often the person who has to update the boss, update the board, and write the report, you know, do all of this different stuff. And so it's a crushing amount of work. And myself, even during incidents, I found myself, like, I'm working, especially earlier in my career, I'm working an incident and someone's tapping me on the shoulder: what's happening now? I need to call, you know, so-and-so and let them know and give them an update. And you want to just scream, like, do you want me to solve the problem or do you want me to give your freaking update? Like, which one would you like? Right? When you look at how professional incident responders handle this stuff,
00:34:36
Speaker
The role of blocking the question askers, the public relations role, or the public affairs role, is well-defined. The actual subject matter expert role is well-defined. The commander role is well-defined. And incident responders, the professional ones, you know, with the police, fire, EMS, military, they tend to do a really good job at this.
00:35:00
Speaker
Yeah. When we think about the wildfire, it's not the smoke jumper who's breathing the smoke, like, briefing the press. You know? Like, yes, exactly. There are some really, really good guys that will, like, and just, Maria, remind me, like, shout out to Mike Pedrick, who is an awesome dude who I absolutely love, who is a master at these CTXs, right? So absolutely he does the job well.
00:35:25
Speaker
Yeah, and by the way, it's an absolute privilege to work with Mike. I'm thankful every day that I get to come to work and, you know, with him. He's just an amazing person. I think, and Mike would be the first to say, that a lot of his approach is about that, right? If I can define the role, then I can start to chop it up a little bit and say, you know what? The smoke jumper, if you will, the person who's doing the technical response, yeah, they only can do this for so many hours a day before, you know, they need a break, right?
00:35:53
Speaker
And I think, you know, we often wait until an incident is in its, you know, 24th or 48th hour and then go, oh gosh, I've got to see these people, right? And I think, you know, the cybersecurity industry has been the biggest contributor to the pizza industry in the history of mankind. And, you know, I think if we chop up the roles a little bit and define them well. And by the way, it's not just true for incident response, right? It's also true for project work.
00:36:24
Speaker
You know, when we're doing project work, often you have a security person who is part of a big IT project, right? Maybe we're rolling out a new cloud app, or we're, you know, doing something different with collaboration, or whatever it may be. You know, IT projects by themselves can be just crushing, and we often assign a cybersecurity practitioner to an IT project and, you know, they get to die along with everybody else, along with the project.
00:36:49
Speaker
When we define roles well, then we can start to answer the question, what do I need to do for this human being in order to make sure that they're successful at this particular thing that we've asked them to do? And by the way, we also live in a world where there's a lot of choice in a cyber profession and people can go elsewhere. I actually want my folks to come back to work for me the following morning, not someone else.
00:37:12
Speaker
And so, you know, I think defining the roles and then asking the question, OK, what does success look like? And how do I take care of the person that's actually doing the, you know, the work, is huge. But it manifests itself mostly in incident response. But I also think it's true in SOC analyst roles. It's true in project work. A lot of the big, ugly, really ugly projects in cybersecurity are, you know, the big identity projects,
00:37:40
Speaker
big GRC projects, big compliance assessments or, you know, audits, that type of thing. We've got to, you know, we've got to treat those people like they're a finite resource, and we want to keep them in a sustainable way, right? I really appreciate that. I really appreciate you calling out NIMS also. Like, I am a big believer that, as you said, cyber in the grand scheme of things is relatively new, and we should feel free to beg, borrow, and steal from other disciplines that have ironed out a lot of processes and operational know-how. We don't have to invent it from scratch. But yes, JR, we are at the end of our time. I really appreciate you taking the time to sit down with us and talk about
00:38:22
Speaker
a really heady topic, but it's top of mind. I know that from my work in the CESA Society. I know that in my work from Mind Over Cyber. I know that in the largely four-letter-laden conversation that I keep on the regular with this guy.
00:38:39
Speaker
Yeah, so thank you for taking the time. JR, you're the man, brother. I can't wait to meet you in person. Well, thank you. It is an absolute privilege to be here. I'm really grateful and humbled by the invite, and thanks again for having me on. I appreciate it.
00:39:00
Speaker
If you liked what you heard, be sure to share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. We'll catch you next week, but until then, stay real.
00:39:24
Speaker
I'm the problem, JR, not you. I just have to deal with our national security advisor, and I just be like, yo dude, I'm sorry, I'm out of here, good to see you. Hey, national security can wait, this podcast cannot. Bro, that's it. Anyways, thanks, JR, appreciate your patience, sir.