
Innovating Cyber Attack Simulations and Tossing Boring Tabletops with Kailee Miner!

S3 E2 · Bare Knuckles and Brass Tacks

Tabletop exercises, a necessary evil or just a compliance snoozefest? This week, Kailee Miner sits down to talk about how she's revolutionizing cyber threat readiness training to make boring TTXs a thing of the past.

In this episode:

🥱 Why traditional tabletop exercises often fail to engage participants

🎭 How realistic simulations improve readiness vs. dry PowerPoint presentations

💰 Why companies should invest in communication skills for technical experts, not just certifications

💪 Building resilience through hands-on experience, not just theoretical scenarios

———

⭐️ Submit your questions for our AMA episode! ⭐️

Send your questions to [email protected] with “AMA” in the subject line.

No subject is off the table! Win prizes if we take on your question with our mystery guest host!

Transcript

Creative Uses of Deep Fakes

00:00:00
Speaker
We do a slew of things from video content creation, deep fakes. We do fake calling in, pretending to be the board of directors. We do um yeah interactive polling, crazy shit. like it's and we try It's almost like a production that's being run on the back end. Oh, this is so fun. That's awesome. Yeah, yeah it's really cool. so um Right now, actually, we're working with a large financial institution and they want to run a deep fake of their CEO. But yeah, it's just like the the realm in which we operate in is much less around process and much more around giving you some real life, tangible experience that can translate into you and into helping you respond to a true cyber attack.

Introducing the Hosts and Guest

00:00:49
Speaker
Welcome back to Bare Knuckles and Brass Tacks, the cybersecurity podcast that tackles the human side of the industry, making cyber suck less by talking about trust, respect and all the rest. I'm George K with the vendor side. And I'm George A, a Chief Information Security Officer.
00:01:06
Speaker
And today our guest is Kailee Miner, big four consultant in cyber with a specialty in cyber simulation, which is like a practice she basically built from scratch. What a powerhouse.
00:01:20
Speaker
She is absolutely a powerhouse. Rarely do we get to meet someone who's carved out their own niche and basically trade within the cyber profession. And she's leading the way with a bunch of innovative methodology. She is taking the boring TTX, throwing it out the window. She's throwing in deepfakes. She's throwing in AI.

Kailee Miner's Career Journey

00:01:42
Speaker
She's throwing gamification. She's bringing the value to the customers today. And I am amazed that we managed to get her on the show.
00:01:50
Speaker
Yeah, I mean, you know what I think when I hear TTX? Yawn. That's what I hear. But ah yeah, this is really cool, the way that they're running people through, you know, even the technical IOCs, putting the SOC analysts into their own tech environment to do real time simulations. And we also talk about critical skills that she thinks technical operators need to hone and also the difference between sponsors and mentors, which is a distinction that marks her career and her subsequent rise. So without further ado, we're turning it over to Kailee Miner.
00:02:30
Speaker
Kailee Miner, welcome to Bare Knuckles and Brass Tacks. Thank you so much for having me, George. It's really a pleasure to be here. Absolutely. So you are a skilled practitioner, but you're also a consultant and working for the big four, which means you're technically a vendor, which means the CISO gets first crack. So I will turn it over to George A to get us started. Well, hello, Kailee. It's been a little while. How are you? I'm good. I'm good. How long has it been, man? Like, uh,
00:03:02
Speaker
since we saw each other in person. I think it was like June, wasn't it? Must have been. Yeah. Nice. It was summertime. And I think I recall having like six or seven espresso martinis all day. So pretty cool, it was a good time. Shout out to Zach for organizing that. Oh, yeah. I have to email him back, by the way. Thank you for reminding me. You're very welcome. You're very welcome.

Building a Cyber Threat Readiness Practice

00:03:29
Speaker
On to the show.
00:03:30
Speaker
um Like look, so you are working at a big four, you run a practice and and anyone that knows consulting at all knows that that's actually a really huge deal in one's career to get to that point. um It's pretty much knock on the door, a partner and it's, it's.
00:03:46
Speaker
It's pretty darn cool to see someone doing something innovative and kind of on the cutting edge of like what's the accepted version of cyber lines of business. But talk to us about the importance of resilience in the face of resistance when you know you've got a good idea because you know you had a good idea when you wanted to start this. Like what kind of pushback did you face along the way and how did you turn the tables on it?
00:04:11
Speaker
Yeah, great question. I think maybe just for those that don't know me, I'll give a bit of a background of how I came to be where I am today and kind of my journey through it all. um So by trade, I mean, I started as in business doing my BCOM. So if you can imagine, not very much of a technical background, even though I did study management of information systems, which I think it was that at the time,
00:04:39
Speaker
um And right under the gate, I started in IT consulting, and you know throughout my career, I think, and I'll talk to this a bit later, but the relationships that I made along the way, both in school and in my career, have kind of hit me on ah on an upward trajectory. And so somebody that I met in at McGill,
00:05:02
Speaker
um she started her career in cybersecurity back in Montreal. So I went to Washington DC, started my career in IT consulting there, and then wanted to come back home to Montreal. And I reached out to her and I said, Hey, you know,
00:05:17
Speaker
Do you have any job posting? She was working at Deloitte and she said, actually, I think you would really love cybersecurity. And I said, all right, well, I'm all about learning new things. Let's, let's go. And so she introduced me to the realm of cybersecurity. And that was nearly 10 years ago and I've started my career doing that. So started in, in strategy mostly then transitioned into identity and access management strategy and then implementation.
00:05:46
Speaker
did some OT security as well. But ah through it all, um I really found a passion for helping organizations prepare for cyber attacks. And a lot of the things that I was doing in cybersecurity felt a little bit abstract to me. But when I got to see organizations and the C-suite come together to respond to a cyber attack, it felt real. And it really contextualized and made it more tactile in a sense of everything that we were doing and why it was important.
00:06:18
Speaker
um So flash forward, I'm now at EY, senior manager, and I lead our cyber threat readiness practice nationally. So I, um you know, I service a multitude of clients across all industries across Canada. I lead a team of 10 individuals internally.
00:06:37
Speaker
um And yeah under our portfolio of services, we do cyber threat simulations, um which is not necessarily, and not the same thing as a tabletop exercise. ah We also do playbooks plan building. We do trainings of all kinds all the way up to the board. um And then we also do after action review. So after organizations have been hit by cyber attacks, we come in, assess, you know, how they could have responded better in the future ah to cyber attacks.
00:07:07
Speaker
So that's me. And when you ask me, I know that was a mouthful, but when you ask me what some blockers were or some things that I had to overcome, I think I'd actually like to switch that question if I can.
00:07:23
Speaker
The floor is yours. Go ahead. Thanks, George. ah So, you know, I always consider myself a positive person and I always like to look at the glass half full. So instead of blockers, if you don't mind, I'd actually like to talk about the things that helped catapult my career to where it is today. A hundred percent. Let's do that. Yeah. Sounds more fun, right? ah So.
00:07:49
Speaker
The number one thing, and I mentioned it a bit before, is relationships. I don't know about you guys, um but for me, the people that have entered my life and who I almost you know have a deep relationship with and have either prove myself in some sense in terms of the value that I bring, or somehow we click and then we end up talking further down the line, like George and I, you know, we met at that CISO dinner and now we're here on this podcast. And I think the relationships that you make along the way in your lifetime help change the course of the direction of your career or can, um, yeah, we talk about relationships all the time. Okay. Talk about generally,
00:08:36
Speaker
why they should be valued more than they are. But tell me more. Tell me more. Well, you know, like if you look at the modern sales model, it essentially treats George as an abstraction. Like he is a lead. He's a number somewhere. He's a thing to be transacted with. um And if you look at it in the long term, as he has said on the show many times,
00:08:57
Speaker
he has taken multiple vendors to different shops, right? So the value of that relationship can, if you wanted to do that, it can be quantified as lots, the total lifetime value of that relationship is greater to that company than if they just sort of treat him as like this one and done transaction to be one.
00:09:16
Speaker
yeah The other thing too, I think should be stated is in our show, ah George has been very adamant about raising the point that they're not soft skills, they're vital skills. And I think what's what's most important I believe in the end of the day is the relationships, whether it's with your teammates, your colleagues, other executives up the chain. um You know, if you don't have those vital skills, you could be the most technical person in the world and I just don't think there's a place in this industry for you today.
00:09:45
Speaker
Wow. That's a strong statement. We only do strong statements. I love it. I love it um no i couldn't agree more. I always tell my team, you know, i we spend so much time together, more time together than with our own family. So if you don't love the people that you work with,
00:10:05
Speaker
It makes work really mundane. Like you could be doing the shittiest job, but if you're doing it with the people that you really want to stand by and be in the trenches with, it makes it fun. And then you look back on those times and you're like, wow, we did it and it was amazing. And then you're stronger, as your relationship is stronger from the things that you overcame.
00:10:26
Speaker
Yeah, absolutely. Yeah.

Importance of Robust Cybersecurity Processes

00:10:29
Speaker
So yeah, the the first thing I think that really catapulted my career is the people that were there and the relationships that I built, the first one being you know the girl that helped me and introduced me to the cyber world. um But then there's the whole concept of having mentors and sponsors. And I think there's a couple of others. I think it's coach and advisor. But if I look at my past throughout the course of my of my career, there's been a couple of main sponsors.
00:11:05
Speaker
And for those that don't know, the main like the difference between a mentor and a sponsor, you could have mentors that you know kind of teach you things, but the sponsors are the ones that are going to be talking about you behind closed doors when you're not in the room. And you really want those people in your court to be saying all the good things about what you're doing and why they're advocating for you and believing in you and what you bring to the business.
00:11:32
Speaker
And I was very fortunate in my career to have a couple of very, um you know, strong men and women that spoke very highly of me behind closed doors. Nice. yeah oh Yeah, we have covered mentor and sponsor and we'll come back to that. um But I'm glad that you brought that up. So my next question was going to be about food security and OT, but I'm actually going to change it because you said something that's more interesting. So you just talked about relationships, right? And the Holy Trinity in cyber is people, process, technology. So let's move on down that track to process. Sure.
00:12:13
Speaker
This is the bare knuckles portion of the show, the airing of grievances. You have a privileged position in so far as you see preparation at a high executive level, whether it's trying to get stakeholder buy in. Why is this important? Why do we go to this exercise playbook building? And then, as you said, after action report. So after things went sideways. Indeed.
00:12:36
Speaker
With that kind of 360 view of things, uh, curious to get your ideas around sort of the state of process in a lot of companies. Like my personal feeling is that we're over indexing on technology and just sort of hoping we can tech our way through the problem. Um, but I know companies that have had incidents because they have multiple EDRs and one of them is sending alerts to an inbox that's no longer monitored.
00:13:07
Speaker
yeah yeah and did its job is it like yeah Yeah, no one was monitoring it. I can't tell you how many um after action reviews we've, well, you know, I can, I can name a couple where that happened.
00:13:22
Speaker
um a couple of monitoring tools. One was misconfigured ah in a recent one that I just did. One was misconfigured. The other one had MS Defender set up, but no one was monitoring it. So the threat actor was able to get into the environment through OT um and actually traverse into the IT environment because there was not much network segmentation. um And then all hell broke loose, ransomware was deployed, and we had a multi-month crisis.
00:13:54
Speaker
so So, yeah. So what do you think is, I don't know what my question is here. How do we, unfun yeah. How do we unfuck this process problem? Like, is it a lack of attention to process? Is it a lack of awareness as to like how foundational it is toward enabling the technology? Like what is the, the, the misstep, I guess, when it comes to process?
00:14:21
Speaker
You know, I don't... it It goes back to what you were saying, right? It's the Trinity. So you can have technology without process and you can't have process without people. So it's in it goes in that in that triangle. um In my world, just because I deal with resilience and making sure organizations are prepared to handle cyber attacks,
00:14:46
Speaker
not having a premeditated plan going into a cyber attack. I mean, there are some, you know, ah what is it called when in football you throw... Oh, Hail Mary. Yeah, Hail Mary. And somehow they come out and it's okay. But more times than not, if you don't have a plan that you've practiced and now you have some muscle memory on that plan or playbooks, um we see clients fail when responding to cyber

Engaging Cyber Training Exercises

00:15:18
Speaker
attacks. And the you know there's catastrophic issues that come up with recovery times. There's financial consequences, reputational consequences, um amongst other things. So, I mean, when it comes time to not
00:15:37
Speaker
you know and talking about that process piece, I think it's extremely important. But also, if you have a process, but it's not being practiced by the people, then it just lives on a shelf and it collects dust. So you have to have all three to make make the magic happen in an organization. Yeah, the nails on the head and kind of segues into what I'm going to ask you about. So let's talk about security culture and training for a sec.
00:16:04
Speaker
I always find when I run training simulations or TTXs, there's a portion of the room that just won't seem to get overly engaged, no matter how dynamic or exciting you're trying to make it. What do you mean, man? Yeah, George, are you cannibalizing the conversation though? That's the question. I will speak back or speak right now. But I will say, how do you, Kailee, deal with the issue of buy-in for a TTX or a similar attack exercise when you're going into it? And then as you're delivering it, if you're noticing that eyes are starting to fade, how do you get them back in the game? Yeah, ah I love that question. So I'll tackle the first one. um You know, I think there's a different,
00:16:58
Speaker
I think when I started my in my career doing cyber threat readiness, there wasn't as much demand. I think as we started to to grow, I mean, my team is now constantly busy and we're we're even now trying to hire more people to meet the demand. um But I think it's just because of um regulations that have been put out and and such. But I will also say,
00:17:23
Speaker
that the reason or the the but the whole buy-in piece, having an independent review from an organization that has seen the way that other organizations within the same industry or writ large respond to cyber attacks and giving you that perspective of how they think you're assessing or how they think you're responding is um it's extremely important. And I think um boards are now demanding it more

Nation State Threats and Cybersecurity

00:17:52
Speaker
and more. you know How are my teams going to be able to respond to this if there's a Black Swan event? I want to make sure that
00:18:00
Speaker
my my the business is able to operate in some capacity and and I'm not losing shareholder value. I'm not plummeting the stock price. um So these are top concerns that we're seeing from them. And then it all it trickles all the way down to OT.
00:18:20
Speaker
The IT folks are now seeing like you know OT, for those, sorry, operational technology folks. We need to make sure that they understand that if systems go wrong, if they catch us and they see that the troubleshooting is not working, we want them to make sure that the next reaction is, is this a cyber attack?
00:18:42
Speaker
because that's not there. It hasn't been, um I mean, it it's it's a young kind of concept, I would say. So we're now having to train those folks and there's buy-in from OT all the way up to the board right now um into line or to have that visibility to make sure that we have the capacity and knowledge to respond to a cyber incident.
00:19:07
Speaker
Follow up. Do you yeah have a do you have a sense that your clients understand the degree to which they may or may not be in the crosshairs of nation state actors? I had this idea that a lot of people before ah Russia, Ukraine,
00:19:27
Speaker
understood that to be more the realm of like sensitive industries and like, especially like after JBS, like the lines between ransomware and state actor is blurring. You know, sometimes there are proxies, sometimes, uh, APTs use ransomware as an obfuscation tool.
00:19:46
Speaker
But it seemed like people were like, well, you know, China's not really after us or, you know, Iran's not really going to go after us, but the adversary will go after any critical part just to create chaos. So I guess, do they have a sense that like, Oh, I am a legitimate target now.
00:20:03
Speaker
It's funny that you ask that it had just come up in conversation these past couple of weeks. um and and the free I guess the pre-existing connotation is that no, for a lot of industries, you know if I'm not government, if i'm if I don't have critical infrastructure, then I'm not a i'm not a target for a nation state.
00:20:25
Speaker
It is changing, I will say. You hit the nail on the head there. um With all of our cyber simulations that we do, we always go through an exercise of understanding their threat landscape, which includes who the threat actors are that could target that organization.
00:20:43
Speaker
um I read an interesting article most recently for a for in food manufacturing, um which was that nation state is now targeting the food manufacturing industry and they're using ransomware um just because it has it can make ah or it it can have implications for the way that a country is run. And so when you think about it that way, and we're bringing that these concepts to and the clients that we work with, they're kind of a little bit taken aback.
00:21:17
Speaker
um The threat landscape is always changing, this we know, but the the sophistication of attacks now that are targeting clients across the board, or you know it's it's ever increasing, so it's interesting. Yeah, it's great, but I also am cognizant I derailed the last question, which was, how do we make tabletop exercises not suck? Yes, how do we make tabletop exercises not suck?

Enhancing Cyber Simulations

00:21:46
Speaker
And have you guys done a tabletop exercise before? Yeah. I've been through a handful, and this guy, this cat man. Okay. Why does it suck? Back to you.
00:22:04
Speaker
Well, I would say okay there is the style of TTX that are like gamified, which I think are actually cool as hell. And I love them and I've done a bunch of those and they're really like basically they take like the dice roll of D&D, like Dungeons and Dragons. But it's like placed in the scenario of a cyber event.
00:22:24
Speaker
So like you don't know how the event's going to go. And it's kind of like a choose your own adventure book, but people are living the life exercise. So if you roll the dice and you get above a certain number, a certain set of actions will happen, and if you get below a certain number, a certain set of actions will happen. And everyone has to take a dice roll. So everyone has to actively participate in the exercise. That was brilliant. And I wish more exercises did that. It's called cyber gamified. You can look them up. They're amazing.
00:22:53
Speaker
um Otherwise, TTXs are horribly boring because they're they're procedural. that Well, no, they're they're essentially like an in-room version of a PowerPoint presentation that lasts all day. like like You go through the thing and someone's either reading the scenario out to you or like you're seeing it on a screen, but either way, there's nothing like real about it. Nothing like feels real about it. You're just being put through a hypothetical scenario and you might not even be playing the role that you have with the company in that scenario.
00:23:27
Speaker
So we're like, okay, well, how's this logic works? I don't even know. Like if I'm in charge of operations and I get put in the role of like systems engineer. Like, no. so yeah it's a movie the yeah right for sure I think the the issue is we, like George was talking about earlier in in this episode, we overprescribed things and we create way too much process. And then we try to put that into our TTXs and it just completely disengages people. If we're not having them engaged and thinking and participating, no simulation exercise is going to get the attention and the buy-in that it needs.
00:24:05
Speaker
Yeah, i'm I'm going to I'm going to do what I usually do, which is turn to soccer as my analogy. Is that your go to? Yes, that is my go to. My family is from Brazil. It is our religion. um So I coach a lot of kids and I will see other coaches sort of, you know, they're looking up drills for that age group or whatever, and they're running through cones and whatever.
00:24:30
Speaker
I only give my kids drills that simulate things that they're going to see in a game because my fear is that you just become very good at the drill.
00:24:41
Speaker
Yes. And then you don't actually know what to do. Like George said, if it's scripted and you're kind of walking through it, that's like not the level of spontaneity that's going to come in this case in a soccer game. Like the pass is going to go wrong. It's not going to, you know, and like, how do you adapt to that? I'm trying to teach the kids, here are your core skills and how you can use them to adapt as the circumstances change in real life.
00:25:06
Speaker
Uh, because I can't create like the perfect game for you. Like it's never gonna go according to plan. Um, anyway, that's like, uh, that's my experience of table tops. Cause I, I have felt like, Oh, we're all getting very good at this tabletop exercise, so but maybe not like the real thing. Yep. I hear you. I hear you. I think.
00:25:30
Speaker
I think that's very true for a lot of tabletops, right? But when we transition it to be more of a simulation, there are elements that are baked in that make it a little bit more real.
00:25:43
Speaker
um Number one is understanding your environment so that when the scenario that is crafted, it lands true to the controls you have, the types of threat actors that are coming after you, what kind of threat you would be dealing with down to the TTPs that that threat actor might be deploying to make sure that it follows that same route. But on top of that,
00:26:09
Speaker
what we aim to do is have breakout rooms. So to George, your point, you're not playing that operations manager. You are playing your actual role, and whomever is a SOC lead or a SOC analyst, we send them off into a room to go do a lab that uses the tool that they use within your organization. So for example, yeah, so that they're analyzing, you know, alerts that are being generated by a SOC or a SIEM, and then they're having to come forward with what they saw. And then that proceeds, if this is of course the more technical element, but then that helps move the simulation in the right way.
00:26:56
Speaker
When we think about more of the on the crisis side I mean we do a slew of things from video content creation deep fakes, we do fake calling in pretending to be the board of directors we do.
00:27:10
Speaker
um Yeah, interactive polling, crazy shit. like it's we try It's almost like a production that's being run on the back end. Oh, this is so fun. That's awesome. Yeah, yeah it's really cool. so um Right now, actually, we're working with a large financial institution here in Montreal, or sorry, no, in Canada, not in Montreal, um and they want to run a deep fake of their CEO.

Challenges in Consulting and Resilience

00:27:33
Speaker
and so Now, we're having to procure all these licenses to make sure that we're ah risk averse when creating this deep fake of their CEO saying stuff. um But yeah, it's just like the realm in which we operate in is much less around process and much more around giving you some real life, tangible experience that can translate into you, into helping you respond to a true cyber attack.
00:28:00
Speaker
Kailee makes cyber training cool. That's awesome. I do. I do. Thanks man. Nice. So, um, okay. Last question before the break. Um, again, airing of grievances, talk to us a little bit about challenges, right? Consulting comes with a lot of baggage. You are a practitioner. You got technical skills, but.
00:28:20
Speaker
You know, sometimes people view consultants as scams because they're sales or you're just trying to pick my pocket, sell me another service. You also have to win over partners. If you've got new ideas, I want to stand up this service. They're like, no, we don't need it. I don't know what what's going on there. Like what part of your career path has has included that? Yeah. Um, I mean my whole career, really. Which is crazy. um No, you know, I think when I fell in love with doing tabletops, which then transitioned into being the simulations that it is today, a lot of partners told me, you can't build a career just doing tabletops. And I was like, oh, yeah, well, watch me.
00:29:04
Speaker
Like, I took that and I was just, I kind of, I was fixated on a vision that I had for what this could be for EY and for any organization really. And I know George and I had chatted about this a bit earlier um another time, but I consider myself a highly resilient person. Actually, one of my favorite quotes is by Rocky Balboa. It's like, it's not about how hard you hit, it's about how hard you get hit and keep going.
00:29:38
Speaker
um Yeah, and so I think over time people you know kept telling me you can't build a career of doing this, you can't build a career of doing this, you can't and I just kept going. um Partners,
00:29:51
Speaker
regardless of all the partners that said you can't do it, I still had the the select few that were still sponsoring me behind closed doors. And so, um yeah, just fixated on that vision, making sure that you believe in yourself and that you're resilient when when shit gets hard, like you still pick up and you still keep going.
00:30:12
Speaker
um
00:30:16
Speaker
Hey listeners, if you can believe it, we are fast approaching episode 100 of Bare Knuckles and Brass Tacks. And what that means is an Ask Me Anything episode with us, George K and George A, in the hot seat with a guest host.
00:30:33
Speaker
And you have to believe it's going to be as awesome as you think it's going to be. We have survived 100 episodes together. We've had the good times. We've had the bad times. We've had the confusing times. But this show just keeps on rolling. And we are looking to you, audience, to give us the questions for this AMA.
00:30:53
Speaker
That's right. So send your questions into bareknucklespodatgmail.com with AMA in the subject line. Instructions are also in the show notes. But all topics are on the table. You want to know about us. You want to know about the future of cyber. You want to know what trends we're seeing. ah You just want to know what my favorite color is. Whatever the fuck you want to ask, we're here to answer it. Ask George about his hat collection. But either way, send us questions today.
00:31:23
Speaker
Kailee, you absolutely have broken ground and have kind of carved out this entire career niche in the cyber field, being a full-time training specialist. I'm still blown away by this. Thanks. But I have to ask you.
00:31:44
Speaker
as the market changed As the market changes and as clients need to change with it, how have you adapted your practice to keep your offerings relevant beyond just using the deep fakes and that kind of thing? like How are you actually speaking to the salient point of your of your you know I would say not your MVP, but just your value prop to your clients to be like, Hey, we're not just throwing this on as a line item to an omnibus contract. You're going to get value out of this. You're going to get more value than what you're going to pay us. How do you keep on that button? So I think it's twofold. Um, the first thing that, you know, our, at least our team and I think EY generally speaking, right? Um, it's w w
00:32:33
Speaker
At the end of the day, it's all about quality for us. um It's baked into the way that we operate. so The value that we that we provide, it's not just some run of the mill type of service. like You're getting the Ritz Carlton or the, you know, the four seasons of tabletop exercises or simulations and playbooks and plans. And you know, there's a detailed scrutinized view that comes with, kind you know, running with us.
00:33:06
Speaker
um And then the second piece is we're always heavily investing in new ways of of operating. Right now we're in the midst of obtaining an AI tool to help us you know um generate injects quicker. ah Clients are always asking for us to do things faster, cheaper, better, stronger, whatever it is. So how do we then create a strategy um and a vision for us to be able to meet the the requests of our clients and so um The answer right now at least we're coming to is through automation and through AI and so a lot of the videos that we're generating right now are done through AI a lot of um Even like the playbooks and plans building that we're trying to do where we're figuring out ways on how to automate them um so that
00:33:56
Speaker
Actually, it was just a conversation I was having today, you know, flip plans, they're so long. And you have to, like, read through all of those things. And sometimes you don't even pick them up in the midst of an incident, because it's just so frickin' long. Um, so how... Here is this 300-page manual on how to use the fire extinguisher while the building is on fire? Yeah, yeah, good luck. Good luck, right? So how do we then make that document
00:34:23
Speaker
livable and live, so that, you know, um, you're clicking on a link. You know, perhaps you're dealing with ransomware, so then you click on ransomware and it auto-populates some actions that you can take right off the bat to respond to a ransomware event, for example, um, which kind of stakeholders you need to notify, et cetera.

Communication and Leadership in Cybersecurity

00:34:44
Speaker
I'm just speaking at large. So yeah, the answer is through, you know, technology and making sure that we can deliver better quality and cheaper for our clients, so that, you know, they're not having to budget out a lot for what we're able to give them in terms of quality. So.
00:35:10
Speaker
Yeah, I will. I'll say, I'll do the callback to the first part of the episode, which is the technology that's enabling you, and process. OK, I'll just be that person. All right. So what are the skills that you would recommend technical people, technical practitioners and experts, engineers hone? Let me set it up for a second.
00:35:40
Speaker
As George said, you could be technical, super deep in the weeds, and go out and get every cert that you want. But if you have trouble communicating, right? So, like, my belief is I don't want to take up this time with you saying these are the certs in this order, because I pretty much believe they're going to go get them anyway, because it's like something they want to do. But like, what are the things that you think are not being talked about that they should hone?
00:36:09
Speaker
Yeah, I love this question. Um, I, you know, it's my own personal belief, ghost hurts, right? But, um, anyone can read a book and do a test. But then how do you communicate whatever it is that you've learned to audiences across the board?
00:36:32
Speaker
My, it's my own personal belief that if you wanted to get training, go do some leadership training, go. There's this, um, I think it's called, I haven't done it, but it's called Toast... Toastmasters? Yeah. Toastmasters. That's the one. Um, I've heard a lot of people really love doing that. Um, and it's just a matter of being able to communicate whatever it is that you need to to the right audience, and speak with passion, and be able to convey a story that is compelling. And so if you're able to do that and really have a conversation and understand the people that you're speaking with, and, um, convey a message to them that is, you know, um, interesting, I think that's where the magic happens.
00:37:21
Speaker
Nice. Yeah. Yeah. I, uh, put a post out today. I'm trying to get some people hired because I hate seeing talent squandered, but, um, one of them is a very analytical threat hunter, but she also happens to be an amazing communicator. So I described her as, uh, an engineer's brain armed with a diplomat's tongue. So I love that. Yeah. That's amazing. That's like a double threat. Yeah, triple.
00:37:48
Speaker
By the way, in our little getting-people-hired game, because George and I are both trying to help our friends, getting people hired is the whole theme this summer. I got my friend hooked up with Eseldine, so hopefully you guys are up. So I got the one last week. There you go. Nice. I have some friends that want to get hired. Maybe I'll send them to you guys.
00:38:06
Speaker
Oh, all right. So you really have done a number on what the future of training looks like. And, you know, I was just, ah, just, um, kind of joking with George about it. And I was saying that you're leading a quiet revolution, pardon the pun, for anyone that even knows the history of Quebec, in how cyber training is done and conducted. Um, what do you think is the future of corporate cyber training? And do you think we'll soon see a day where cyber hygiene is taught in elementary school? Wow. Wow.
00:38:42
Speaker
So the answer is yes, I do think, I'm gonna answer your last question first. So do I think that it'll be taught in elementary school? I actually already know of one of my colleagues who went to visit, it wasn't elementary school, it was high school. Um, and they did a cyber... High school? High school.
00:39:03
Speaker
Yeah, which I thought was wild. Um, they did a cybersecurity project and he went in and gave some, I think he ended up, um, having to help them with their project or to give some guidance, and then, um, eventually rate their projects, if I'm not mistaken. But just understanding that that's already happening at the high school level.
00:39:25
Speaker
I mean, I don't know about elementary school, but it's nice to see that it's at least being somewhat integrated into the curriculums in high school. Um, and apologies, the first question was, do I think that it's going to, corporate-side, yeah, training. Um, yeah, I think, well, everything always changes, right? If we look at technology, there's the whole Moore's law. Everything's always exponentially growing, changing, et cetera.
00:39:54
Speaker
I think it would be stupid to think that corporate training wouldn't change. I hope that it does change to be more gamified. I cannot tell you how many times I wish I didn't have to do that training where I'm clicking through things and having to do a test at the end. Like if I were able to have more of a gamified experience when I'm doing my own cybersecurity awareness training at my job,
00:40:21
Speaker
I would love it a lot more. Um, how do we do that? I hope AI is the answer. I'm banking on that. I don't know about you guys, but, um, yeah, I really hope that that is a way that we can kind of transition, or maybe even have some intelligent brains come together to think about how we can gamify and make the experience more fun.
00:40:45
Speaker
I can see where AI might also help, like, you iterate faster on, like, for sure the lag time between incident reporting, publishing TTPs, to then, you know, right now it could be like a year before you simulate that in most
00:41:01
Speaker
enterprises. Like, how fast can we get to, like, this type of attack, and can we simulate this in your environment? That could be pretty cool. Or even leveraging AI to assess your level of aptitude or understanding of a certain subject, right? If you're way past understanding, oh, this email is a phishing campaign, for example, let's move you up to the next threshold of understanding cybersecurity more in depth.

Authentic Sponsor Relationships

00:41:29
Speaker
Um, and I think maybe leveraging AI that way is a cool way to integrate it into training. For sure. Cool. All right. Let's close out with sponsors versus mentors. So we have talked with many guests about how they built their personal, you know, board of advisors, their mentors, but I want to focus on sponsors. So any brass tacks advice you have on cultivating the relationships that lead to sponsors, or like how you,
00:41:59
Speaker
how you got those sponsors for yourself. Any methodology, trade secrets you want to share? I wish, I wish. Um, you know, I just ended up following people that inspired me. I think I always tried to seek out those folks, and then also trusting my gut and knowing when I really clicked with somebody that, um,
00:42:25
Speaker
that having that relationship could translate into some sort of sponsorship. Um, but I don't, you know, there's not some sort of recipe or methodology that I'm secretly cooking up in my kitchen to find another sponsor. Um, it just kind of happens that way.
00:42:42
Speaker
And I guess you run into those relationships, like, in the course of work, but maybe what I'm asking is, you know, did you spend time outside of work? Was it over lunch? Like, how did you cultivate the relationship outside of just the working on a project together?
00:43:00
Speaker
No, I mean, all of them were actually done at work, just delivering time and time again with quality and showing a strong interest. And I think, or I hope, I know I'm speaking on their behalf, but maybe they saw something in me, um, and believed in me and what I was trying to convey.
00:43:24
Speaker
um I did maybe go out for a coffee with them, you know, just to continue to speak and dream up the art of the possible outside of work. um But by no means was I trying to chase that. I think when you're trying to chase relationships and for something that isn't there, then it becomes artificial.

Closing and Future Topics

00:43:43
Speaker
And, um, yeah, it's not authentic to you and it's not authentic to them. And so it really just falls flat. Mic drop. There's the value.
00:43:55
Speaker
You're welcome. Kailee, thank you so much for lending us your time and attention, especially late into the evening. Ah, you're very welcome. We really appreciate it. Yeah. Thank you so much for having me. And I look forward to seeing you out in the wild. Yeah. i'm a see of answer sowa man That's right. The wild we are. Um, all right. We will see you soon.
00:44:24
Speaker
If you liked what you heard, be sure to share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. We'll catch you next week, but until then, stay real.
00:44:46
Speaker
All right. It's going to be great. All right. Here we go. Jesus Christ. Yeah, we're totally, totally, totally professionals. Yeah. I'm off the clock, yard these George. George, you look like you're having a time. I wish I had a cigar, too. Honestly, it's an 8 p.m. session here. Shit, I got whiskey ginger, but go on, George. All right. Here we go.