Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Play next
Best of! Zero Trust, the Death of Whitepapers, AI Model Compromise, and more! image

Best of! Zero Trust, the Death of Whitepapers, AI Model Compromise, and more!

S2 E53 ยท Bare Knuckles and Brass Tacks
Avatar
128 Plays4 months ago

This week we're featuring a Best Of edition, packed with the gold from episodes past. We were away at Black Hat last week, and we're gearing up for the start of Season 3!

This episode features:

  • Dr. Chase Cunningham on Zero Trust
  • Sarah Breathnach on why whitepapers need to go
  • Chas Larios are connecting with practitioners
  • Adrian Wood on the securing the ML development pipeline
  • Mari Galloway on breaking into cyber
  • Reanna Schultz on life in SOC
Recommended
How to Get a CISOโ€™s Team on Board and Cultivating Community with Cecil the CISO! image
How to Get a CISOโ€™s Team on Board and Cultivating Community with Cecil the CISO!
S3 E18 ยท Bare Knuckles and Brass Tacks
00:42:36ยท5 days ago
Do It Scared! The Journey from Pentesting Novice to Conference Speaker with Michelle Eggers image
Do It Scared! The Journey from Pentesting Novice to Conference Speaker with Michelle Eggers
S3 E17 ยท Bare Knuckles and Brass Tacks
00:37:51ยท12 days ago
Duty, Burnout, and Redefining Security Team as Digital First Responders with JR Cunningham image
Duty, Burnout, and Redefining Security Team as Digital First Responders with JR Cunningham
S3 E16 ยท Bare Knuckles and Brass Tacks
00:39:52ยท19 days ago
From 1.6 GPA to Global Cyber Leader, How to Tell the Story of Your Skills with Andrew Owlett image
From 1.6 GPA to Global Cyber Leader, How to Tell the Story of Your Skills with Andrew Owlett
S3 E15 ยท Bare Knuckles and Brass Tacks
00:40:24ยท26 days ago
Veterans Day Panel: Cyber Journeys, Skills Transition, and Lessons Learned image
Veterans Day Panel: Cyber Journeys, Skills Transition, and Lessons Learned
S3 E13 ยท Bare Knuckles and Brass Tacks
01:00:32ยท1 month ago
Cyber Workforce Development & Cybercriminal Psychology with Andrรฉanne Bergeron, PhD image
Cyber Workforce Development & Cybercriminal Psychology with Andrรฉanne Bergeron, PhD
S3 E13 ยท Bare Knuckles and Brass Tacks
00:23:05ยท1 month ago
Truly Understanding Your Customer to Get Product-Market Fit with CEO & Co-Founder Ofer Klein image
Truly Understanding Your Customer to Get Product-Market Fit with CEO & Co-Founder Ofer Klein
S3 E12 ยท Bare Knuckles and Brass Tacks
00:33:28ยท1 month ago
Episode 100! AMA with the George and Guest Host Amber DeVilbiss image
Episode 100! AMA with the George and Guest Host Amber DeVilbiss
S3 E11 ยท Bare Knuckles and Brass Tacks
01:03:06ยท1 month ago
Redefining Sales as a โ€œGiving Professionโ€ to be Proud of with Lauren Palmer image
Redefining Sales as a โ€œGiving Professionโ€ to be Proud of with Lauren Palmer
S3 E10 ยท Bare Knuckles and Brass Tacks
00:40:55ยท1 month ago
LIVE from SecureWorld Denver: Radical Transparency - Closing Keynote image
LIVE from SecureWorld Denver: Radical Transparency - Closing Keynote
S3 E9 ยท Bare Knuckles and Brass Tacks
00:47:14ยท2 months ago
The Importance of Soft Skills in Cybersecurity and Business with Evgeniy Kharam image
The Importance of Soft Skills in Cybersecurity and Business with Evgeniy Kharam
S3 ยท Bare Knuckles and Brass Tacks
00:29:58ยท2 months ago
George K Gets Deepfaked in Real Time Video! Preparing and Training for New Threats with Aaron Pritz! image
George K Gets Deepfaked in Real Time Video! Preparing and Training for New Threats with Aaron Pritz!
S3 E7 ยท Bare Knuckles and Brass Tacks
00:37:06ยท2 months ago
Life Lessons Learned in Creative Work and the Power of Partnership, with Alissa & Mel Knight! image
Life Lessons Learned in Creative Work and the Power of Partnership, with Alissa & Mel Knight!
S3 E6 ยท Bare Knuckles and Brass Tacks
00:40:55ยท2 months ago
How to Scale Success in Cyber with Serial Entrepreneur Stuart McClure (Recorded Live at GoSec 2024) image
How to Scale Success in Cyber with Serial Entrepreneur Stuart McClure (Recorded Live at GoSec 2024)
S3 E4 ยท Bare Knuckles and Brass Tacks
00:33:00ยท2 months ago
Down with Boring B2B: How to Stand Out in Cyber with Torqโ€™s CMO Don Jeter image
Down with Boring B2B: How to Stand Out in Cyber with Torqโ€™s CMO Don Jeter
S3 E4 ยท Bare Knuckles and Brass Tacks
00:38:53ยท2 months ago
Breaking Mental Health Stigmas with CISO Ben Howard: Suicide Prevention Month image
Breaking Mental Health Stigmas with CISO Ben Howard: Suicide Prevention Month
S3 E3 ยท Bare Knuckles and Brass Tacks
00:42:33ยท3 months ago
Innovating Cyber Attack Simulations and Tossing Boring Tabletops with Kailee Miner! image
Innovating Cyber Attack Simulations and Tossing Boring Tabletops with Kailee Miner!
S3 E2 ยท Bare Knuckles and Brass Tacks
00:45:16ยท3 months ago
LIVE from SquadCon: Future Proof Your Career with Cyber Threat Intel Techniques image
LIVE from SquadCon: Future Proof Your Career with Cyber Threat Intel Techniques
S3 E1 ยท Bare Knuckles and Brass Tacks
00:32:56ยท3 months ago
Season 3 coming soon! image
Season 3 coming soon!
S3 ยท Bare Knuckles and Brass Tacks
00:01:57ยท3 months ago
Why So Many Founders Fail at Talking About Their Own Product, with Elliot Volkman & Doug Landis! image
Why So Many Founders Fail at Talking About Their Own Product, with Elliot Volkman & Doug Landis!
S2 E52 ยท Bare Knuckles and Brass Tacks
00:58:49ยท4 months ago
Transcript

Challenges with Zero Trust Architecture

00:00:11
Speaker
All right. So I'm going to take advantage of this fact that you're another practitioner. So I'm going to nerd out for a sec because we got enough nerds to listen to us. And George always talks about better ways to sell. And I'm like, oh, cool. Another practitioner. Let's talk about how bullshit our job is. Let's talk about some of the challenges around architecture and implementation for Zero Trust. I'm a Zero Trust shop, by the way. So like I deal with this every fucking day. Thanks, Chase. I'm sorry. I apologize.
00:00:38
Speaker
So all it takes is one core tool not being SSO compatible, and you're left with a massive gap in your model, essentially. I mean, cost can be a hell of a problem too. Like as legacy applications and upfront migration upgrades can be an absolute drownage on a budget. ah Really, you just it's death by tech debt if you decide to go to ZTNA route when you already have ownership buy-in for it.
00:01:04
Speaker
Now, if you're not some fancy, unicorn, beautiful, fucking secure by design shop that builds its infra with security in mind, if those exist, like please fucking someone put their hand up. And you are in fact trying to play tech debt catch up as most the enterprises are. How do you overcome the resource and timeline challenges necessary to make those changes when it comes to architecting your IT infra within the ZT framework?

Aligning Zero Trust with Organizational Goals

00:01:31
Speaker
Oh, it's a really good question. So the first question I would ask back, right, if I put my ah consultant hat on, because that's like what I do now for, you know, the feeble amount of dollars I give to my kids for the stupid shit they buy, is really like, where are you in your current zero trust instantiation? And most organizations would say, I'm not totally sure. Okay, well, that's number one, let's figure out where we actually are. Then the second thing I would really ask is, you talked about tech debt and budget and those other issues.
00:02:00
Speaker
Let's see if we have things that you're using currently that are redundant or reciprocal and are not actually going to benefit you in the context of removing the adversary's ability to be successful. So ah most organizations I've talked with or do workshops with, they've got like two or three of the same sort of thing solving the same sort of problems and they're eating each other's tail. So start figuring out which one is really going to do what you needed to do, not make the users miserable, and then begin working your way from there. The other thing that I would say is is if you're really engaging on a ZT plan, then that's great. Where on the ZT plan do you want to combat the adversary, right? You're an army guy. where I want to meet them at the door. Where is the door to meet them at? If it's on the internet, okay, we need like browser isolation and things like that. If the door is, I'm okay with that compromise because it's going to happen and I'm going to live with them until they get inside my network, that's a micro segmentation thing.
00:02:56
Speaker
So really, it's it's it's all about your org, it's all about your strategy, it's about the technologies that you've allocated, and then it's about placing your controls around that. And lastly, policy engine, policy engine, policy engine. Like that is what makes this whole thing work. And if you're not crafting it and using it correctly, you have no hope of ever achieving a zero trust

Securing Different Environments

00:03:18
Speaker
instantiation. It's just not possible to do it at that scale like you're talking about without technology to make this possible.
00:03:24
Speaker
Yeah, but then, you know, your your differentiation, like when you're looking at your employee environment versus your production environment, it's two separate conversations. I mean, we can have a whole fucking show on Siam and the production environment. yeah I'm just talking about like right now, securing the employee environment, but do you... Do you find you get as many clients being like, hey, how do we secure our production environment and fucking ZT as you do? People are just being like, cool. So how do I keep my employees from absolutely fucking it up? Yeah. Well, most of them honestly are not even educated enough to ask that question you just asked right there. They're usually going like, how do we be zero trust? And I'm going. whoa
00:04:03
Speaker
What do you mean for ZT? Yeah. So like are we talking about your people? Are we talking about prod? Are we talking about dev? like there's There's not a lick and stick sticker for zero trust. We got to figure out what you want to solve for first. Oh, Chase, my heart hurts for you. Oh, yeah, dude. Welcome to my misery. This is why like sometimes ah the great thing about it is I've gotten really good at firing clients because now I just feel like you're your stupidity is not worth my time in misery so I'll just find someone else. yeah call I swear to God I had a call today with somebody that I'm doing a consulting gig with and the lady that runs the org she's like well should we have 2FA on stuff and I was like what the what?

Need for Security Education

00:04:45
Speaker
I was like
00:04:46
Speaker
the Come back to me. Come back to me when you catch up to 20. Yeah, I just kind of was like, I couldn't help myself. I was like, Is that a serious question? She goes, Yeah, I just said, but Cool. We are. Yeah, I pretty much just felt like a hanger or and he got dropped on my shorts, but whatever.
00:05:09
Speaker
All right, Sarah, so you've written and talked about a lot of misconceptions in modern

Modernizing Cybersecurity Marketing

00:05:16
Speaker
SaaS marketing. I i think we are in the midst of a sea change in terms of like how marketers approach therere their prospects and their customers.
00:05:26
Speaker
And you've also talked about valuing, for example, incorrect metrics at conferences and marketing teams running you know full tilt at full 100 percent capacity and over. So I guess I don't want to take each of those in turn, but I kind of want to get your general assessment of the cybersecurity marketing landscape today. Like, what is going wrong since this is the bare knuckles portion of the show? And then we'll we'll get into the the actionable recommendations later.
00:05:56
Speaker
Sure, I think I have ah an interesting perspective as a marketer who kind of evolved their career into cyber. I did not start in cyber, so I've got other industries to compare this to. And from my perspective, cybersecurity is very trade show heavy and it's very lead gen orientated. So from my perspective, it's rather old school versus other industries I've worked in that have been very progressive, very brand orientated, very digital marketing orientated.
00:06:28
Speaker
So I think there is a challenge there where there's a disconnect between the way that buyers want to buy solutions versus the way that vendors are are selling and marketing their solution to potential buyers.
00:06:43
Speaker
God, I love that you say that and because one, it validates my own feelings, but two, because I have heard from other CMOs about how much they look sort of what they say over the fence. They look at other industries for their cues because kind of the echo chamber of cyber is, as you say, like event, event, event, lead list, lead list, download white paper, form fill, you know, and it feels very, shall we say, 2017. Yeah, or earlier. I was going to say, it's ah absolutely useless, that whole cycle, by the way. I mean, I don't remember the last time I've downloaded a marketing style white paper for anything. So I do wish we'd stopped getting those pushed on us. I say that as a CISO.
00:07:31
Speaker
Yeah, of course, there are there are fundamentals like, and and my interpretation of this might be different to yours, but, you know, most companies, ah I would say probably all companies still need a website. They still need a message. They still need a logo and a slogan and collateral for the sales team and marketing team ah to to, you know,
00:07:55
Speaker
make sure the pitch or whatever they're communicating about the company is consistent. So I think all of those fundamental things will exist. um I hope white papers and that kind of collateral begins to not be fundamental things that every company needs because they're so, you know, Georgie, just to let you know, they're extremely painful for us.
00:08:18
Speaker
on the marketing side to create and update constantly, probably as painful as they are for you know you and your colleagues to

Value-Led Content Strategies

00:08:26
Speaker
consume. So I hope that's not fundamental for much longer. Are you saying that that the white papers have turned into intellectual cough syrup? We all hate the medicine. Yeah. I interviewed a product marketing candidate during the week and she said it. I was like, how do you feel about you know white papers? And she goes, they're a necessary evil.
00:08:48
Speaker
so I had a list of things that you know I was thinking about joining this podcast. like What are the things that I could leave other marketers with to think about like how do they make this shift? What are some tangible things that don't cost a dime that they can start doing today? Mind if I give you that list real quick? Yeah, do it.
00:09:06
Speaker
All right, all right. So I started making the list and I was thinking about like, how can we change as an industry, start respecting cybersecurity buyers more, make this pivot and build that trust that we need. Number one thing you can do is start using a security subject matter expert in your content.
00:09:24
Speaker
You know, it's hard to learn cybersecurity as a marketer. I completely get that. But you need to be creating value-led content. And that means you need to figure out a way to create extremely snackable, consumable content with a subject matter expert who can actually teach your audience something new, a new way to solve the problem, saving time in their day-to-day life, whatever it may be. So partner with a subject matter expert in your content.
00:09:51
Speaker
Number two, if you are ah everyone is on LinkedIn, all of these vendors are on LinkedIn, don't use your LinkedIn profile or your company profile just to you know do promotional stuff like attend this webinar, hey, we're at RSA, do this, do that. Instead, use it as a value-led platform where you are Taking information that you learn and you're learning out loud, you're getting your founder, you're getting your, you know, your leaders on your team to post constantly about what you're learning so that everybody else can understand what you're going through and maybe learn something new from you as well. So I think that value, that approach to content is critical.
00:10:30
Speaker
ah But that also means getting your CEO and and the security experts at your company to start posting so that everyone can learn from you and and we can you know elevate the industry as a whole. yeah Think long and hard about the content that you have. If you just have gated e-books on your website and then you throw someone into a three email three email nurture sequence, you're you're doing it wrong. that's That's outdated. So think about the friction of your content and try to ungate it so that you can, not that you have to ungate everything, but try to ungate it so that you can create a frictionless process, especially so that security experts and security practitioners can
00:11:11
Speaker
you know, binge on your content and learn from what you're doing and determine if it's a real fit or not. Save their time, save your time. um ungate your product tours. Like when I, I don't know why this is, but the amount of vendor vendors websites that I go to on their homepage where it's just a bunch of fluff and language. And I, I can't even see a demo of the product. There's no video, there's no product walkthrough. Like people are afraid, people are afraid. The number one excuse is like, I don't want the competitor to see our product. I was like, y'all come. It's just, it's a market. Like they're not going to buy your UI. No, it's every time I hear that, I'm like, that's not a thing, guys. Just just get it out there. It's not. like it's It's all about execution right and and executing faster than your competition. But i if you're if all you're focused on is what your competition is doing, then you're not focused on the right thing. You should be focused on your buyers enabling them as much as you possibly can and making their life better instead of just replicating something that some other vendor has already done. right
00:12:14
Speaker
um Write your homepage copy for clarity, ah not

Engaging with Security Communities

00:12:19
Speaker
cleverness. I mean, i've I've posted quite a bit about this on LinkedIn, just the the messaging that we do. And I get it because a lot of cybersecurity marketers have been in the industry for a long time. They're going from vendor to vendor to vendor.
00:12:32
Speaker
They're all saying the exact same thing. It's high level, hyperbole. It's cringe-worthy. And there's a reason why we have Reddit threads from security practitioners and ESOs, lighting, marketing, and sales tactics like that on fire. But but get get to really good detailed messaging. i Fletch PMM is a group that I follow on LinkedIn. They have really good lessons on this topic. So go follow them and and hear that out.
00:12:56
Speaker
um I think conducting regular interviews with security personas in your ICP, you know I got the benefit of working at services companies where I could work with them side by side and really understand where they're coming from. If you don't have that luxury, listen to things like this podcast or Audience First with Danny and what she's doing. ah Get out there and talk to the security community. Be a part of the community. Don't just write blank stuff from your your work from home office and never get out there and understand what your buyers are looking for. And then capture the the right data. I i am a data-driven CMO and i I

AI Security Vulnerabilities

00:13:38
Speaker
do think it's important to be able to articulate and have data at your fingertips. That way if someone comes in and pushes you to go back to the outdated 2015 model of like lead gen, MQLs, MQLs and put you on that hamster wheel, you can articulate
00:13:53
Speaker
why this is the right approach and take kind of a data-driven approach to explaining what your strategy is. So those would be my my quick quick advice that doesn't really cost money. It's just a mindset shift.
00:14:34
Speaker
Like if we peel back the terminology around AI, it's really just like so much of what, like you said, is being built, is being built off of a lot of open source models, especially on hugging face, like with a gigantic repo of, and if you can compromise it at that layer, you're basically writing these packages in, into very complex and connected, interconnected systems.
00:14:59
Speaker
You know, and so ah i I mean, let's be honest, like we have trouble with basic app sex still, right? and then you're like let's But let's really look at this like for what it is. Like ah what I'm trying to get to is the specific threat vector.
00:15:14
Speaker
right So if you're actually trying to build defenses with the redundancy, right you have to figure out like where specifically we are our weakest, like where is um our our attack surface, if you will, to actually get infected with a malicious model.
00:15:33
Speaker
And that's kind of like if you're speaking the language of CIOs, which you know at the end of the day, most CISOs have to report to a CIO. And as you're architecting your infrastructure, you have to kind of you know get the blessing of the CIO before you start putting in additional controls and that kind of thing.
00:15:49
Speaker
So i'm I'm trying to bring the conversation to like the CISO level where, hey, how are we going to be potentially compromised by this emerging common problem? Because we all our organization are all rushing headfirst into ah developing proprietary AI models and machine learning enhanced everything. So how are we going to protect against the most common, I suppose,
00:16:14
Speaker
the most common vectors of compromise given the fact that there are still not many recorded cases of you know model poisoning having been published about.
00:16:27
Speaker
Right, right. And yeah, I think i think that's key because like the the model poisoning attacks, whilst many of them are highly practical and quite easy to do, um we don't see a lot of them. um But the the malicious models are out there, the ones that may be backdoor by a hacker as an info stealer secret still or stealer or a command and control framework.
00:16:53
Speaker
When those detonate in your environment, they're going to detonate on number one, very powerful systems because it takes a powerful system to run most models, right? Those powerful systems typically exist in a special enclave within your business known as like the machine learning pipeline, um machine learning development environment, different languages used.
00:17:18
Speaker
Those systems are part of an interconnected network of systems that have enormous data access within your business. Because if you're doing machine learning, you're not doing it on like random public data. That doesn't give you any competitive advantage. You're doing it on the data that makes your business your business. It gives you competitive advantage.
00:17:44
Speaker
So when you're talking to a CIO, I think it's important to explain to that, like we we are bringing in untrusted content to learn from our business's competitive advantage. And we are bringing in random things from the internet and we are not vetting them before we do so. We're just double clicking on them.
00:18:07
Speaker
and just yeahp building building software packages around them. So i there's been some conversation around AI bill of materials, you know analogy to software bill of materials. Do you see that as a viable exercise? I mean, S-bombs are not the easiest thing even today. That's why I was trying to say, like if it's hard to do basic app sec, well, you know I fear like the complexity that comes with linking up a lot of models together is even more um yeah difficult. Yeah. there are There are not many recorded instances of SBOM stopping malware attacks in applications, to my knowledge. ris that That is a thing that allows you to respond to an attack.
00:18:54
Speaker
that has happened, and it is good practice to have an inventory of what you've got, right? That's a good idea. So yes, we do need AI Bill of Materials, which currently isn't a standard. There are a number of competing frameworks, and I think OWASP have one supported by Cyclone DX that will probably win out if I had to guess.
00:19:18
Speaker
ah But that alone is not going to like give you the malware protection that we're talking about. You actually need to like have the capability to look at what you're about to double click.
00:19:32
Speaker
Yeah. All right. So I want to take a step out of the practical build question and get your just general take on the conversation around these AI threats and vulnerabilities. Do you feel like the attention is in the right place? Do you feel like it's a lot of theory? I mean, I feel like your research is close to the bone. And the reason I want to ask is I feel like the conversation is kind of a lot of what-if-ism, but I also want to hear how you're reading the news, how you're ingesting that conversation.

Securing Machine Learning Environments

00:20:07
Speaker
yeah Yeah, so in my role, I have to care a lot about the new AI threats because of like our businesses' products and what we're doing with them. So I i do have to do um spend a lot of time in that world as well. And the amount of like practical attacks that we're seeing right now in that AI specific security space like the prompt injection space is currently like reasonably low. um And the potential impact of some of those attacks is in our use cases is less severe than if someone was to do like a malware attack of one of the models in use itself. That will change over time as the systems get deeper embedded and have access to more automations.
00:21:01
Speaker
So i think I think you have a lot of people that are like looking looking ahead, which is a good thing. And much of the conversation is very forward looking. But there are still some like security fundamentals that we need to think about and we need to build. um Another example is once you get inside a company's and ML pipeline,
00:21:25
Speaker
many of the most popular tools for facilitating inference as in the running of the models and the computation of things. Do not even support authentication. beautiful So they're just it's just, you're in and then you're just in, right? Because they they're not designed as part of the security onion. they're there They were designed as if they run in a special enclave that no one gets unauthorized access to.
00:21:52
Speaker
That is an interesting take. Maybe the legacy there is of running models for research and not in practical... I don't

Cybersecurity Job Market Challenges

00:22:03
Speaker
know. I feel like if something was carried over from research and no one bothered to check its application in a business setting where it might be closer to things to do. That's 100% the case. You've got a lot of and For a long time, and ML was quite experimental, right? And there were a lot of cases where it's like, will and ML solve this for our business? We won't know until we try, and then we spend time experimenting. Whereas nowadays, you have a lot more production use cases, and it's kind of expected that you have production use cases across the board.
00:22:37
Speaker
The biggest thing I think is no offense to the employers, but take some offense is getting employers to be like, okay, we'll take a chance on you, right? um We've got some talented folks that I've met that have been trying to find jobs for like a year and a half.
00:22:55
Speaker
And it's like, why? I don't understand. Is it because they don't know how to interview? Or is it because the companies are just not hiring folks, even though they say they're hiring folks? That's been the biggest thing, because I get it all the time. I can't find work. I can't find work. I can't find work. And I'm like, how do we have 3.9 million jobs or however many jobs are open at this point? But people still can't find work. Yeah, I remember changes on the daily. Right. Is it 3.5? Is it 3.2? What is it? And why is it a thing?
00:23:24
Speaker
right I don't understand why we have this number. I went to CyberSeek's website and there's like 2,500 open cybersecurity rules in Las Vegas alone. Why? We've got plenty of people that can do this work. There's plenty of organizations like CyberJitsu that have folks that can do the stuff you need. What's the problem? What's the holdup? I find, particularly in the new generation,
00:23:52
Speaker
A lot of them seem to have a sense of entitlement about ah promotion, right? So they somehow land a job and they pass their probationary period and maybe they do like a month or two of like decent work, like but nothing's wrong with them, but maybe they're not necessarily exceptional, but hey, they're doing good work. Then they come to you and say, I want a promotion, I want a raise and all this.
00:24:17
Speaker
And i I feel like this generation up and coming seems to lack a sort of mental toughness and resilience that is not so much, ah you know, It's not so much just like a endemic of like folks who come from marginalized communities. I just mean in general, a lot of us more older folks in our thirties and forties, things are just tough. Like things are just tough. Like when I, when I came in and just about every job, I got training like a year or so into the job. If I got training, other than that, it was like, you got help files, you got Google, figure it So like you you do that with like kids now and I say kids, but they're in their mid twenties, right? They're graduates in school and they're super smart. They're walking computers. They can look stuff up for you faster than we could. Great. They got a library in their pockets, but there's a certain a certain amount of substance and character that's missing. One, do you also find that? And two, how do we how do we reverse that? How do we toughen them up?
00:25:26
Speaker
um Yes, there's definitely a lack of toughness in the industry um for those coming in. But that sense of entitlement, I think probably comes from us older folks.
00:25:39
Speaker
We, we've, we've o spicy answer do it we constantly say, you know, shoot your shot and show what you've been working on. And, you know, once you get the certification, you're entitled to a $20,000 raise, but we don't tell them the other parts of that. It's like, yeah, you get the certification, but you still got to do the work behind it to get that promotion of that raise. So I think a little bit of that is on us that.
00:26:10
Speaker
We're kind of telling them that you don't have to do all of those extra things that we did to be successful and to get those promotions and races. I was going to say, I think that's particularly true of the parasitic bootcamp marketing, like the like you know six weeks and six figure cybersecurity career break in yeah exactly right after you pay us 30 grand. You took a loan out to pay that. like it's It's not quite that realistic. I want to know how many hours of that bootcamp are dedicated to like
00:26:43
Speaker
building your resume and demonstrating value in a job, like the the actual job acquisition skills, which are very different than yeah the exercises. Yeah, no, for sure. that's That's an excellent example of that. And I think for the way we combat that is we have to we have to show the ugly side of what it is that we do. me We have to let them know, like,
00:27:10
Speaker
Yeah, we may not have gotten to the promotion in the first year. You won't either. But here's the things you can do to put yourself in a position to be promotion ready. Right. Like to be raised ready. What do you what things are you doing? Right. You don't have to read a help file. I i hate that terminology so much with the passion.
00:27:30
Speaker
um but it's the truth. We have to read help files. Somebody told me that once they said, go read the help file and how we customize stuff in our environment. And I just looked at him and they said, cool, got it. And then re-engineered the entire system because he didn't want to help me. And this was at a job in Las Vegas. So um I think it's- I just rebuilt it. Now you read the help file. Now you read the help file. um I think it definitely starts with the folks that are pushing the narrative of
00:28:01
Speaker
You do this training, you do this one thing, you get this six figure job and you're golden. We got

Effective Vendor Communication

00:28:08
Speaker
to change that. We can't keep, we can't keep pushing that because that's that's true for some, but not for all. Oh, I have my notes in the questions as process first technology. So it's going to take me a minute to get there, but let's go on this weird journey together.
00:28:24
Speaker
Why not? i like my right here All right. So we have been talking a lot about vendors and the vast majority, I think of vendors in the system. I don't really know the, the cut of, you know, technology solutions versus service providers. But I think in the main, we tend to over index on technology, even though we say people process technology, right? yeah So.
00:28:50
Speaker
I guess what is the the clearest way that you can give insight to vendors on how to talk about process? Because when they say buy this new tool, it's never just like I bought the thing and I stuck it in my environment, right? Like there's a success plan for like, what does it look like a hundred days out? That's a process. Right. And I guess I want to give you the platform to give a clear insight into the sock life. Like, look, man, if I'm.
00:29:22
Speaker
signing on to bring this in. And you just kind of ghost after the S.O.W. is signed. Like you're missing probably a large part of the equation in this relationship. So so what advice would you give them on that process side? And I'll and i'll give you a one cue just to give your mind context. Alert fatigue. Alert fatigue.
00:29:44
Speaker
Well, I'll come back to alert fatigue, because I can answer that with this. But when you were talking, George, originally, I instantly thought, how does it integrate, right? We have them, we have SOAR, we have firewalls, we have web application, firewalls, i ideas, IPs, you name every single acronym, you know, a business probably has it enabled at some point. So when a vendor comes to me, and they're like, hey, we have this, and going to alert fatigue already, right? Is that duplicating my analyst work with an existing product?
00:30:15
Speaker
How is this going to integrate? What is the difference? Is this going to play nice with my sim? Am I going to have to you know create custom APIs and scripts in the background? you know Is this going to be more work for my analyst? Do they have to like go through you know the woods and through the river to get to the alert and the console, you know, they're gone after three seconds, right? They're already annoyed with this product. So how does it integrate with the current environment that I have set up or the current culture and the learning structure I have? It was a very, very long way.
00:30:46
Speaker
Um, kind of reminded me a bit when we're talking about vendor shopping. I don't know if you guys have ever heard the same word vendor shopping, similar to dating in 2024 where you'll like go out, you kind of meet for 30 minutes and then someone goes to someone at some point and then you're like, well, that was fun. So then you go to the next vendor, you know, yes.
00:31:09
Speaker
i work and I work in the dating space. I make the power all the time that this is just dating, but like with a different climax. ah Just a quick follow up. You had joked you know about donuts, t-shirts, steak dinners, stuff like that.
00:31:27
Speaker
Now, this raises a good point also. What is your advice to vendors to kind of break free of the CISO addiction is what I'll call it. Like how would they engage again with the community that is largely using the tooling, not just signing the checks or even championing the cause to the CFO? Like how do they start to build that relationship with your frontline team, you, you know, your equivalent in another organization. Yeah. um And again, and kind of going back to the dating method, right? Which one works best? um Calling me on my phone and asking for the CSO absolutely is not the approach.
00:32:11
Speaker
I'm not even kidding. I've had like three to four of those today. They're like, hi are do you work directly with the CSO? And I'm ah like, yes, I am the CSO. And they're like, oh, now that I have five minutes, and I just like click, I'm like, no, we're not doing it. But to me, and at least like with some of my team members, um we like to be engaged in the community. And I have this saying where ah cyber is such a great field to be in because we all learn and grow from one another and it's so true right because we get our information from threat researchers or defense people and stuff like that and some of my best relationships I've had with sales and vendors is that conferences, or even things like a happy hour that's hosted locally, or sometimes they go to a local security event that's going on in my community, they're like, Oh, hey, I worked for so and so and you're like, Hey, I know this technical person that works in that company. And then it's just, you have a bridge of a relationship already established. yeah So knowing someone or even just like
00:33:13
Speaker
physically being somewhere or even in a Discord chat. There's so much out there, right? Just being able to connect and just be involved. And I always feel bad for our salespeople sometimes. I feel like they have to go above and beyond, ah pass an email these days to even get ahold of someone that's even interested.

Managing Team Dynamics in Cybersecurity

00:33:30
Speaker
so I mean, i guess I think that's just the reality of a change. Right. Like the generation has changed. Covid changed everything. George has said time and again. And I would tell marketers also, like, as you scale, you really have to invest those budgets in those local events, because I don't know how you you can't just like zoom your way to.
00:33:47
Speaker
a relationship. You just got to be on the ground meeting these people. I literally have a rule in my inbox at work that looks for keywords of, Hey, do you have a moment followed by like, Hey, I'm following up with my previous email. Like I literally have a rule in my inbox that captures all that frozen the trash. That's amazing.
00:34:08
Speaker
Yeah, it's like kind of kind of funny that the the big life hack in this entire sales game is just so long. I would have thought. that's what really say But um and anyway, I'll take it back to ah kind of an inside baseball sock question. When I was in the sock and and I know it's still the same way now because I mentor and and and train a lot of ah different analysts to work at different socks.
00:34:36
Speaker
um You deal with a very oftentimes intense, um we'll say competitive analyst environment. um I have personally witnessed and participated in countless shouting matches with my own colleagues and teammates about whatever the hell issue we were debating in an investigation.
00:34:59
Speaker
And it's because you you want to be right. Because ah at the end of the day, if you're dealing with analysts that have any bit of competitiveness or drive or ambition, they want to be right. They want to have the scoop. They want to get cited in the report. That's that's the game.
00:35:14
Speaker
Um, so what do you do as a team lead when a member either doesn't fit in or you got to, you got a group of analysts, two or more that just don't get along together and you need them to get along together, but they just don't. How do you as a leader deal with that situation? feels like I'm going to interview right now, George.
00:35:34
Speaker
No. ah So when I do my hiring, um and people, they do their own team hiring very, very different, right? I don't, I don't do hiring on technical skill at all. And I know that might seem wild, right? And it depends on the level, right? I'm i'm not going out hunting for someone that has all of the certifications in the book, right? You can go take a cert, but it doesn't mean that you know how to apply that cert to your day to day.
00:35:57
Speaker
amen Yeah, I believe ah Josh Fulmer from Dragos posted something on LinkedIn, and he goes, Cerce get you the interview, but not the job. And it's so true. um But with me, I look at, hey, I already have an established team, right? My team is in the performing stage right now.
00:36:16
Speaker
So if i'm hiring someone and i'm thinking about you know maybe the more sensitive person on that team because there always is regardless or not that's just weird people maybe i'm the sensitive person i probably am i don't know but how are they going to deal with that person in a high stress situation.
00:36:32
Speaker
And sometimes in my interviews, when I do it all down in my candidates, I will put that person who is typically more intense and stuff and I'll throw them in the technical portion, because I want to see how that person is going to do under pressure, or maybe they're not agreeing with, you know, that so set person and how they're going to perform in that.
00:36:52
Speaker
to me is going to be a reflection on how they're going to be going into a very high stress environment because it's more than just your team at that point. You might have directors on the call, you might have you know maybe stakeholders, and you might have you know your stepmom, I don't know. But again, all these people have different emotions and input. and um With my you know experiences and stuff like that, if I have team members that aren't really collaborating very well,
00:37:22
Speaker
i I love doing this and people can disagree or not. They're both most likely because they're so passionate about whatever it is. Okay, cool. You guys are passionate. i Awesome. Let's put you together and make a training session for the rest of the team. How can you guys put both of your different types of thinking together to output something amazing?