Introduction and Guest Announcement
00:00:06
Speaker
Welcome back to another episode of Bare Knuckles and Brass Tacks, the cybersecurity and technology podcast that tackles the human side of things. I am George K on the vendor side.
00:00:17
Speaker
And I'm George A, chief information security officer. And today our guest is Vivek Kindria, and he is a big-time former CISO from up north in Canada, out of the Toronto scene.
00:00:31
Speaker
Most notably, just retired as CISO of Loblaws, which, correct me if I'm wrong, George, is like the giant Safeway or Giant Food of Canada. It's basically our biggest multi-franchise retailer in Canada.
Episode Topics Overview
00:00:45
Speaker
Yeah. Well, dude's worked in banks. He's worked in everything, and he's got loads of experience, including building his own firewalls back in the 90s. So this was incredible. What didn't we cover in this episode? There's a quantum policy. What the hell? You know, for the end of a long workday for all three of us, this was kind of gold.
00:01:05
Speaker
Because we went from the human side, we talked about quantum, we talked about AI, we talked about the board.
Insights on Talent Cultivation and Diversity
00:01:12
Speaker
We talked about some really, really Canadian perspective on defense policy and defense spending and its implications for cyber consultants, which I think was so niche, and shout out to everyone in my early career.
00:01:25
Speaker
But this was unexpectedly a real good time. Yeah, it was really coherent. And also, I know I said AI, I know I said quantum, but none of it was bullshit.
00:01:37
Speaker
Like, it was super, super applied. It was amazing. Anyway, we're going to stop raving about it. It's time for you to listen. Let's get into it. Vivek, welcome to the show.
00:01:49
Speaker
Thank you, George. Excited to be here. Awesome. Well, you are on the CISO side, so that means, by rules of the show, I get first crack. We will start in a logical place. You have a storied career.
00:02:02
Speaker
You've held many CISO gigs over a long time in the industry. So I would normally ask you about your journey, but I kind of want to flip the script and ask you how you think about cultivating talent, right? It strikes me that over the course of your career, you have built and maintained many teams and you've planned for succession. You've done that several times over.
00:02:25
Speaker
There's a lot of conversation around the so-called talent shortage, talent pipeline. The job market is kind of wackadoo right now. So how do you as a leader think about hiring? And I'll leave you the space there to tackle that question.
00:02:40
Speaker
Okay, jump right into the tough ones. You know, diversity has many dimensions. It's not just about male, female and different perspectives, but it's also mindset.
00:02:52
Speaker
And so, you know, building a cyber team, you need builders. You need people that are from the communities you're targeting, people that understand the business. But you also need some of the traditional mindsets that will build policies, be able to audit, build those checklists, and be able to tell stories.
00:03:13
Speaker
Right. So you've got to look at your team and say, what do you got and what don't you have? So there are some great assessments out there, like Working Genius and also CliftonStrengths, which can highlight what you've got. And then you start to look at what you need.
00:03:27
Speaker
Now, there's another dimension to this, in that, you know, no team is going to stay put. And if you are actually a good leader, your team is going to make moves every 18 months to two years max.
00:03:40
Speaker
And so building career pipelines means you also need to create space for junior people to come in that you can grow, so that over time you're actually harvesting your garden and feeding up your roles, and people get to know the company, they get to know the processes.
00:03:57
Speaker
So, you know, it's a very complex question. It's almost like running a philharmonic orchestra when you start talking about hiring, because you need to look at it with so many lenses of diversity, so many lenses of experience, so that you can build the pipelines.
00:04:14
Speaker
But I'll say one thing that's really important is, you know, you'd think about taking a security person and teaching them about the business, versus taking someone that understands the business and teaching them security.
00:04:27
Speaker
You need a mix of those. And I will bet more often on taking someone from the business and teaching them security, because guess what? They're going to understand the language. They're going to understand the risk appetite of where this ship needs to go.
00:04:40
Speaker
Now, you can't have all people like that, because there are some technical dimensions to security that you just can't skip steps and do shortcuts on.
Diverse Mindsets in Cybersecurity
00:04:47
Speaker
But, you know, when you start to look at how you balance your team, you need to consider all of those factors.
00:04:54
Speaker
I love it. Actually, you're the first person to say diversity of mindset. We've had diversity of experience, and that's interesting to me. But, yeah, you know, security groups always get painted into a corner about the office of no.
00:05:08
Speaker
That's just one mindset, right? There are plenty of security leaders that have the office of go. They want to build. They want to try things, but do it safely. And so getting a balance of that is really the magic.
Quantum Computing and Security Implications
00:05:22
Speaker
Nice. All right. Over to you, George. Yeah, I would agree with that. And hello, my friend. Good to see you again. George, long time no see. Like, 24 hours. You know what's funny? It's like we've been circling around the Toronto scene for a couple of years now. And up until the last year, I just, like...
00:05:41
Speaker
We never ran into each other, and then we just see each other everywhere. And that's just how small this whole cyber industry thing is. So I have to give a nod to a legitimate friendship. And I really appreciate you coming on and joining the show on very short notice.
00:05:55
Speaker
I just had to take advantage of the opportunity. You were right in front of me. So... Not a problem. Not a problem. Good conversations. It's those good conversations we've had, you know, that really enticed me to come.
00:06:10
Speaker
So let's do it. Yeah. Like, no word of a lie, George. He was messaging me on Signal that morning, and we got into an entire deep dive on, like, how do we solve the OT security problem generally in Canada? I'm just like, I am barely a coffee in, sir. I don't know. But I want to get your opinion on something important from a technology standpoint.
00:06:36
Speaker
There was a recent headline that's been going around some open source channels saying that China has finally broken RSA encryption with a quantum computer. Right.
00:06:47
Speaker
They've apparently... I still need to do some research and corroborate, see if it's true. A lot of open source reporting is coming out now saying that China has actually broken it. Where do you see the state of post-quantum computing and adoption?
00:07:02
Speaker
We'll start in Canada, but at least in the Western world. And how far away are we from, you know, achieving that point of catastrophic risk that people have always been kind of saber-rattling about when it comes to quantum?
00:07:16
Speaker
Great question. I mean, I can't comment on the China thing, because there are all kinds of red herrings all over the place. And, you know, maybe there's an exceptional case where they did manage to crack it. Small key, lots of clues.
00:07:29
Speaker
You know, who knows? But that's not important. What's important is, you know, we have one of the top centers globally on quantum computing risk in Waterloo.
00:07:40
Speaker
It's just a bike ride from my house. And Michael Mosca, he's revered around the world with his theorems and his projections. So I did recently attend a special quantum meeting in Ottawa, and Michael Mosca was presenting his thoughts.
00:07:56
Speaker
And conservatively, you know, the data is indicating somewhere in that five-to-seven-year range we will have commercially viable quantum computers, which means nation states could have it slightly before that.
00:08:11
Speaker
Now, those numbers are not factoring in the added benefit of AI helping. So I have to think about a couple of things. You know, first of all, we don't want to over-steer just on quantum computing, because AI is going to be cracking encryption without quantum computing. It's going to be cracking encryption with just classical computers.
00:08:35
Speaker
And AI is going to help that. So there's an acceleration that AI is going to bring just to deprecating existing encryption algorithms and key sizes, that we need to be able to pivot on.
00:08:46
Speaker
So crypto agility is a thing that organizations need to get their head around. And I've been in a number of large organizations, and as we've stood up our quantum readiness programs, you know, it takes a year or two to inventory all your certs, your keys, your encryption algorithms, and then dig into your third parties, dig into your software.
00:09:08
Speaker
Then it takes years to pivot. So a really focused organization, a large enterprise, needs to bank about five years to make that journey. And if we're saying it's five years away, that means if you haven't started now building your inventory of your algorithms, starting to push, starting to put it into your contracts with your suppliers so that they have a roadmap if they're not ready today, then you're going to be in trouble.
Industry Concerns About Quantum Computing
00:09:33
Speaker
Now, the RSA crack is an important comment that you're making, because, you know, there's some confusion about what quantum computers are going to do. Now, there's a mathematical algorithm, Shor's algorithm, that really is how quantum computers are cracking asymmetric encryption.
00:09:53
Speaker
So when we encrypt things, there are key pairs, and then there's symmetric encryption, where you just have one key. Now, this is not affecting symmetric encryption necessarily, for now, because all of the fear is leveraging Shor's algorithm with quantum computing to impact asymmetric encryption, which includes RSA.
00:10:13
Speaker
So when you have bulk data, it's often encrypted with symmetric encryption. So that store-now, decrypt-later threat, because China's been harvesting data, that's symmetric encryption.
00:10:26
Speaker
Where asymmetric encryption is used is in the key exchange, in the authentications. And so NIST has published, it was draft and now it's actually published, what are the algorithms that will be acceptable for authentication, key exchange, and digital signatures.
00:10:42
Speaker
So those are ready to go now, and people are able to move on that. I think all of the three key hyperscalers, the CSPs, they're already quantum ready on their platforms.
00:10:52
Speaker
Now it's just really getting all of the SaaS services, all of the third-party software. And then, you know, most enterprises have somewhere between 20% and 40% of their software homegrown, and those things will need to be addressed.
00:11:06
Speaker
This is a follow-up to that. What type of organizations would you say should be paying attention to this message? Because if I'm, for example, running, you know, a local credit union, or if I'm running a mom-and-pop shop selling some kind of retail goods, even if I'm part of a small or mid-sized retail chain, I may not be thinking about why I should care about this quantum computing thing.
00:11:31
Speaker
And it seems more of a critical infrastructure problem. So to talk about quantum, it's like, why should I care? What, in your opinion, are the industries that should care, and why so?
00:11:44
Speaker
Well, you know, it goes back to the Jesse James quote. You know, why does he rob banks? Because that's where the money is, right? Now, money in today's terms is not just cash. It's not just gold.
00:11:55
Speaker
It's Bitcoin. And it's also data. Data is money. So where do we have data? Where do we have money? That's where they're going to... But back to your question, who should care? I think shops that are small and medium-sized that largely buy their software, right?
00:12:09
Speaker
They just need to pivot to making sure their contracts and their suppliers have a roadmap. No big deal, right? That should be happening. But in the medium-size to large, where shops have developed their own software, they're the ones that are going to have to, you know, roll up the sleeves and do some hard work.
00:12:26
Speaker
Now, where they purchase software or it's a SaaS service, those are, again, contract issues that just need to be managed as part of third-party risk management, and that will happen. So I think really the attention is about, hey, have you made your own software?
00:12:41
Speaker
Now, there's one more bucket. You're small and medium-sized. You've made your own software, but you know what? You're not going to fix it. You're going to move to SaaS. Right. Again, you don't have to worry about it.
00:12:53
Speaker
So I think you need to take a look at a few dimensions there in terms of the risk. But, you know, it was funny during Y2K, you know, a lot of countries prepared for it and some didn't.
00:13:03
Speaker
I think Italy said they're not going to do anything, and there was no impact for them. So, you know, this is not a Y2K thing. So if anyone is thinking that, hey, you know, nothing big is going to happen, this is not a Y2K thing.
Communicating Quantum Preparedness
00:13:18
Speaker
We see adversaries, you know, waiting to exploit this. So, you know, case in point, you know, these news articles, some are true and some are not. You know, was RSA actually cracked or not?
00:13:29
Speaker
I can't say, but I can tell you a lot of people are interested in doing that. And we know there's been a lot of data that's encrypted that's been collected. And so it's a journey that all of these nation states and threat actors are going to be on once quantum computing becomes viable. Now, the other data point I want to give you is, everyone might be thinking, oh, you know, we know about a quantum computer. Here's how we build the chip.
00:13:53
Speaker
Here's how we cool it. We cracked error correction because we have lots of qubits. And we've also cracked scaling because, with the property of entanglement, we can put lots of... No, no, no.
00:14:04
Speaker
It's actually even more exciting than that. There are dozens of companies that have completely different technologies on how they're building their quantum chips. Microsoft, Google, D-Wave, Quantum Nordique in Quebec.
00:14:18
Speaker
There are tons of companies, and Canada is a hotbed in this. So actually programming a quantum computer is different. The gates are different at that microcode level.
00:14:29
Speaker
So there's actually going to be a shortage of quantum computing programmers. If somebody wants to kind of lay some bets for two, three years out, that will be a hot ticket as well. Shout out to Bruno Couillard and Bruno4A. Over to you, George.
00:14:43
Speaker
Yeah, wow. There's a lot to unpack there. It strikes me that you have a mind that is very forward-looking.
00:14:56
Speaker
However, while we cogently prepare for this inevitability, we are sort of in the heady space of AI right now.
00:15:10
Speaker
I wonder how you, as a CISO, start communicating this to a board in a way that does not feel like science fiction, right? So there are so many problems that we have not solved in the present, right? Even just static code AppSec, let alone model exploitation as teams chain together models to put AI into things, right?
00:15:35
Speaker
And then this quantum problem. And I bring this up because when I asked you about hiring, you said my favorite word, which is storytelling. So, yeah, I guess I want to leave that space for you, because this conversation that you're having with us is the stuff that we live for.
00:15:50
Speaker
But how are you going to communicate this type of need for investment and resources to a board that's always either looking at headlines about ransomware or phishing, or just looking behind? Anyway, there's the floor.
00:16:06
Speaker
This is the million-dollar question right now with every CISO. And I can tell you, I've been presenting to boards for many years. I've recently completed my board of directors program with the DeGroote School of Business. Professor Michael Hartman runs a great program, simulations, learning. We went deep.
00:16:26
Speaker
And my whole reason for doing this was to infiltrate boards, become part of the boards and help change the culture from the inside out. Now, to engage the boards, we actually have to stop talking about cyber. Oh.
00:16:41
Speaker
You know, they actually don't want to hear about it. They don't want to hear about firewalls. They don't want to hear about patching. They don't want to hear about APT29, et cetera, et cetera. What they do want to hear about is resilience.
00:16:54
Speaker
And I love resilience because it's such a broad word. We can put psychological safety in there. We can put human resilience in there. And it's an umbrella where I can put cyber, AI and quantum in there.
00:17:07
Speaker
Because what is resilience, right? Resilience is you can take a hit. You can take a hit, and if you fall down, you get back up. And you can take a hit, you fall down, you get back up, and you learn and adapt.
00:17:20
Speaker
So, wow, that covers everything, right? So boards love to hear about resilience, because banks have liquidity requirements. They need to be back up in two days. So resilience needs to equal two days for the minimum viable services, the critical services, for a bank. So every company should be able to say, what are your minimum viable services? What are your critical services? What do you need to get up first?
00:17:45
Speaker
And how fast do you need to get them up? Then the technologists have to come along and say, how do we make that happen?
Storytelling in Security Strategy
00:17:51
Speaker
Well, you know, if I have a 40-terabyte database, it's not going to restore in two hours.
00:17:57
Speaker
Right. And I'm not going to be able to do a lot in parallel. So some of this has to be tabletopped and simulated and practiced. But, you know, what the boards love to hear is resilience.
00:18:09
Speaker
They love to hear about benchmarking. How do we compare to other companies? They love to hear, hey, we did a tabletop and we learned X. Hey, you know what? We did a failover and we learned Y. And boards love that.
00:18:24
Speaker
It's the story, right? The Best Story Wins. That's the book by Luhn, you know, the Pixar guy, L-U-H-N. It's a great book. But I think, you know, there's another book that relates to this called The Shortest Hour, right, by Ian Walsh.
00:18:38
Speaker
Mm-hmm. And it's about how most CISOs get 15 minutes a quarter when they're talking to the board. So add that together. That's like the shortest hour in the world to talk about everything, right? Impossible to cover your cyber program.
00:18:51
Speaker
So most boards, it's like, you did your pen test, tick. You have a CISO, tick. Your maturity went from 2.8 to 2.9, tick. And that's it. That's all the boards want to do, right?
00:19:02
Speaker
So we've got to pull them in more and make this conversation about human assets, right? How is AI impacting our labor force? How is our resilience going to come to bear when we face this?
00:19:15
Speaker
If the mission of our company is to serve food and medicine, or the mission of our company is to make sure payroll gets to our people so they can buy stuff, that mission has to execute. And what kind of outage are we willing to tolerate?
00:19:28
Speaker
So underneath that is all cyber. It's all AI. It's all quantum. But the board wants to hear that. And, you know, I think if we can paint a story where we learn from other incidents and say, you know, so-and-so got hit and this is what happened to them, and if that same thing happened to us in our current state, this is what likely would have happened.
00:19:50
Speaker
Those are great stories. Yeah. And also working with your CFO to just put a cost on it. Like, if we are down, this is how much it costs us per hour. Yeah. Yeah.
00:20:01
Speaker
Exactly. You know, and I think sometimes it can swing both ways. You know, if you had a day where everyone was going to do bad trades on the trading floor, an outage might actually save you money. But, you know, you can't assume the worst. So I think the CFO is like the safeguard.
00:20:16
Speaker
Right. When all the money runs out, all budgets are exhausted, the CFO may have some extra say and extra money. But the first place to start is the business. And the business has to buy in.
CISO Resilience and Well-being
00:20:28
Speaker
And this is where another part of the story is. You know, we can go in and say, hey, we need an identity management program. And I worked in a major bank. They were actually missing a whole team on that. And I showed them, and we built it.
00:20:40
Speaker
But, you know, it was more compelling to say, when we onboard people, sometimes it takes 27 days before they get all their privileges. What if I make that two hours?
00:20:52
Speaker
What does that productivity mean to the business? Now, underneath, it's identity management and provisioning and deprovisioning and entitlements. I don't have to say any of that. Right? Bang on. I just talk about how do I help the business win?
00:21:04
Speaker
How do I help the business go faster? How do I help the business stay safe? How do I enhance the business brand? But underneath it, it's all the security stuff that I wanted to do anyway.
00:21:15
Speaker
But it's framed with the business strategy, framed in the business language. And full circle back to your first question: I need a mix of people in my team that can talk to the business, sit with the business and be able to build those stories.
00:21:29
Speaker
Nice. You mentioned resilience there in terms of business impact, but I am also curious, as somebody who works with a nonprofit for mental well-being, if you want to talk a little bit about how you maintained your own personal resilience. We know the CISO is in the hot seat and faces a lot of stress, and we've even got a lot of defenders just burning out faster than we can replace them.
00:21:55
Speaker
Yeah, you know, I get asked this question a lot because people see me active. You know, if I'm on social media, I'm snowboarding, I'm scuba diving and cycling. And, you know, I'd say first and foremost, you know, you have to think about the plane.
00:22:10
Speaker
When you're on the plane, what do they tell you? Put the mask on yourself first. Right. And that is so important, because you're setting an example for your team. But you're also the one that's going to lead the team.
00:22:24
Speaker
And also, your kids are watching you. By the time your kids turn 12, they don't hear what you say. They only see what you do. Right. And so if you don't take care of yourself, you're setting a bad example for your kids, for your team, for society. So, yeah, easier said than done.
00:22:38
Speaker
So now you have to decide what are your non-negotiables. Now, for me, I get up early. I do some exercises and I meditate. That's my non-negotiable every day.
00:22:50
Speaker
Then I may do extra exercises as time permits on that. But if I miss a day because of travel or there's, you know, an incident, it hurts. You know, that stress starts to build, and I can see it on the team.
00:23:05
Speaker
So I try to model that with the team. I try to encourage the team, take a walk, you know. And it's like, I've taught many people how to skate, and they say, how do you learn how to skate? Put the skates on and just walk.
00:23:16
Speaker
And if you walk, by the third lap of the rink, you're skating. And it's just like that in exercise. You know, I've told people, just go out for 15 minutes a night. And if you do that 20 nights in a row, it'll grow. And we have to fight and claw those back.
00:23:31
Speaker
We have to eat healthy. Right. And we also have to think about what we do with our eyes, you know, scrolling Instagram, watching crazy movies, versus reading before bed, versus talking before bed. You know, these are all things that require human connection.
00:23:46
Speaker
And that's why I think, especially in these remote access times, we have to have moments where we spend time together, where we hang together and we bond and we learn. And it's at the family level.
00:23:57
Speaker
It's at the team level. It's at the company level. It's even at your supplier level. You know, you've got to make those connections, because when the shit hits the fan and something's going down, which it will, you know who you can count on.
00:24:11
Speaker
Yeah. Right. You know who's actually joking and who's serious. And that is so important in the clutch, right? To have that knowledge. And you just can't skip a step and get it.
00:24:29
Speaker
Hey listeners, it's Pride Month, and that means the annual fundraiser is back. In the month of June, all profits from all sales of Pride merch in the BKBT swag shop are donated to scholarships for students in cybersecurity, both undergrad and graduate studies.
00:24:46
Speaker
We have a whole bunch of new swag. So check it out at bkbtpodcast.shop and check out the Pride and Cyber collection. Anything you buy there, we're donating profits from.
00:24:59
Speaker
And this year, we have corporate sponsors who will be matching our donation. So let's see how much we can raise. Thank you for your support. And thank you for listening.
00:25:15
Speaker
Just a comment on that. I do, obviously, work in the dating space, so I deal with the issue of how human beings are connecting more and more, and it's very cutting edge on the trend.
00:25:29
Speaker
And there's this emerging trend of people who are, you know, considered possibly, you know, fundamentally lonely, having romantic relationships with AI bots.
00:25:40
Speaker
And this is like a thing. It's a real thing that's growing all over the world, to the point that, you know, major publications are now researching it. And then I...
00:25:52
Speaker
I love that you spoke on the point of just go outside, touch grass, connect with people. Because I think the missing step before someone can do it in a workplace is you have to be able to do it in your personal life.
00:26:04
Speaker
Because if you never learned how to play on the playground, how are you going to handle the office? How are you going to handle being on a dodgeball team? Anything. I digress.
00:26:14
Speaker
But thank you for making that point. Because I think the whole point of our entire show is that statement.
Canada's Defense Spending and Consulting Impact
00:26:21
Speaker
Let's go. Yeah, there was a Harvard study, George, if I can just add, you know, when they looked at people that live healthy and long.
00:26:28
Speaker
And one of the factors they saw was people that had long-term relationships. And it's not that you had long-term relationships. It's the so-what about the long-term relationships. The so-what to me was you can't fake it.
00:26:42
Speaker
Right. They all know you. You are yourself. And people can burn a lot of mental energy trying to be something they're not. But when you're hanging with your homies and the people you went to high school with, you just can't fake it. They know who you are. You are yourself. And it's just a beautiful, relaxing feeling, because you can be true to yourself. And the more we are true to ourselves and acknowledge our vulnerabilities and our strengths at a team level,
00:27:11
Speaker
everyone gets more energy. Everyone knows what to do. Everyone knows when to reach out. And I think, you know, the piece that you hit on is that face-to-face contact builds a support system that we all need.
00:27:24
Speaker
And that support system helps you through those tough times.
00:27:29
Speaker
I would agree with that. On a more serious note, my goodness, though, this is getting deep. We in Canada are going to be facing some funding changes that we have never seen before, I believe. 2%, 2%. Projected, I believe, Cold War level spending on defense. And so you understand, I live in Ottawa.
00:28:00
Speaker
Ottawa, unlike Toronto, is like DC. It's a government consulting staffing shop town. My friends in consulting are licking their lips, okay?
00:28:12
Speaker
Just the RFPs are going to be coming out, the procurement bidding. Ottawa is jiving right now, because when you're in a government town, the consulting business is the capital that holds up a lot of what's going on.
00:28:26
Speaker
Okay, remember us little guys when you make it big, okay? I have to ask, though. You know, you've been in this game for a long time and you've seen a lot of iterations of different federal governments and policies, and especially, you know, commitment to funding or lack of commitment to funding. Or, you know, they'll agree to fund this amazing capital program, but then they'll quietly come out with a headline saying, oh, it's indefinitely suspended, which is Canadian government speak for it's canceled.
00:28:54
Speaker
How do you see this changing? Not only the business of, we'll say, the defense industrial sector, but, you know, people in cyber consulting across the board.
AI's Role in Consulting and Defense
00:29:05
Speaker
Because if you've seen the intended investments, and some of them come out on Merckx, and they're starting to trickle out, a lot of it has to do with defense cyber.
00:29:14
Speaker
And they're looking at defending the national supply chain. I like the angle you take this question on. I anticipated it would be something about the 2% and 5% one, but the consulting angle is good. So, okay, I got it.
00:29:26
Speaker
A bunch of things. Number one, consulting is massively changing because of generative AI. Okay. If there's any consultant out there that does less than three or four hours on generative AI as part of their consulting practice, they're dead. They're going to be out of work. It's like having a team of 10 now, right?
00:29:46
Speaker
So that's number one. But that's going to make its way into the pricing model too, because people are going to expect more, and, you know, you're not going to be charging stuff and pretending you're not getting AI to help you, right? It's got to be above board.
00:29:59
Speaker
So now, that's number one. Consulting is changing. Number two, Carney is not a career politician. He is a banker on a global scale.
00:30:13
Speaker
Right? So I have full confidence that what he's proposing and budgeting and what momentum he's building actually has a good chance of surviving. And, you know, we'll give our friends south of the border some credit and say they motivated us to look at new partnerships. They motivated us to look at how we improve our own sovereign resilience.
00:30:35
Speaker
And they motivated us to reach out and get other partners. And some of those partners, Carney has great connections with. You know, this recent Canada-EU summit. Amazing.
00:30:46
Speaker
Right. The connections Canada is making for mining in Greenland. Amazing. Right. So I have high confidence. And I think, you know, as Canada has always been respected and trusted as a peacekeeping force globally, you know, stepping up into this commitment on percentage of GDP spend in NATO.
00:31:07
Speaker
Canada showing leadership, you know, and I think it's so important more than just the money, but they're showing leadership. So will that translate to more consulting dollars? Maybe. I don't know if I can jump to that, but I know they're going to buy more stuff. They're going to do more stuff. There's probably going to be some of it's going to be AI.
00:31:25
Speaker
Some of it's going to be, you know, networks and, you know, securing our infrastructure. And some of it's going to be more sensors and some of it's going to be more training and capabilities. I don't know what slice of the pie is consulting, but certainly some of it's going to be consulting.
00:31:40
Speaker
One other piece is, you know, as the pivot happens around the tariffs on our natural resources, we need to redirect those.
00:31:51
Speaker
Right. So we're going to make more stuff. If we're not shipping as much south, and who knows if that'll last or not, because that's going to hurt US companies.
00:32:02
Speaker
But if it does last, we need to make more stuff. So we need to ramp up that capability too. And will some of that spending be Canada's ability to build its defense industry where we sell to the world? you know I think some of that could be there too.
00:32:20
Speaker
That was awesome. Yeah, that was a killer response to a geopolitical. A legitimate geopolitical take. My friends who are at Nipsia and at Eurus right now freak out when they hear something.
00:32:34
Speaker
You know what's so cool is I'm at a moment in time because you know I left the corporate world and started my own company. I can actually have this conversation. Flash forward like two months ago, I couldn't have this conversation.
Outsourcing Security Functions
00:32:47
Speaker
Yeah. You know, so it's so good to be able to talk freely. You know, so there's something interesting there in terms of we've covered off on the hiring. We've covered off on the storytelling. You mentioned this outsourcing and, you know, consulting and using these new technologies.
00:33:05
Speaker
I don't know how prevalent it is in Canada. A trend over on this side of the U.S. is more and more security functions being outsourced, you know, either SOC as a service or even just more MSSP, just lower FTE headcount, which is why George and I
00:33:24
Speaker
have a bone to pick with what we call the parasitic bootcamp economy, where they just promise you do this bootcamp, become a SOC analyst. It's like, that's not a job anymore. Like, so I guess given what we've talked about, geopolitical challenges, quantum, AI, all the things, with your CISO hat on, like, how are you thinking about your peers managing all these challenges as more of the labor for the security program, you know, gets dispersed to agencies, to MSSPs, to vendors, suppliers? Like, how are we balancing that?
00:34:02
Speaker
I think there's a couple of things. You know, we've pivoted from, you know, 2010, it was all about best of suite. And any shop worth its salt had over 100 different security tools they had to integrate.
00:34:17
Speaker
And most of them didn't do it well. And most of them didn't get the value out of it. So from 2010 to now, I'd say 2025, Best of Suite is cool again.
00:34:28
Speaker
I kind of doubled down on Best of Suite like seven, eight years ago before it was cool. But, you know, it was a conscious economic decision that I have so many cycles, headcounts, budget.
00:34:42
Speaker
And am I going to try to apply the 80-20 rule or am I going to get, you know, the Ferraris and the Lamborghinis and screw the rest, you know? And I made this decision to go best of suite because I don't know if it adds value to integrate those hundred best of breed tools all the time, you know? And yeah,
00:35:02
Speaker
What we're seeing with outsourcing is three things. So what used to be homegrown and home assembled became SaaS. And SaaS is getting agentic. And the agents are even writing their own code. So you know maybe by 2028, SaaS will be in trouble because people just write their own stacks.
00:35:21
Speaker
But from a security perspective, we already had outsourced a lot. Very few people made their own firewalls. Right. I actually made one back in 92. I actually made a SIEM. Yeah, I remember hearing the stories of basically programming your own antivirus, essentially.
00:35:40
Speaker
And in 1996, 98, you couldn't buy a SIEM. We made a SIEM with the SQL database. So the days are done when we're making firewalls. We're not making switches. We're not making a bunch of things. So we outsourced a lot already.
00:35:57
Speaker
And you look at some best of suites, like I'm not saying one's better or the other. I'm just giving examples like Palo Alto has XSIAM. So they're rolling in AI. They're integrating other things. And a lot of vendors are doing this move because companies can't do that integration.
00:36:12
Speaker
And in fact, just this week, George was at the same conference I was at, ISACA. I presented on outsourcing your security operations center is the most critical decision a company can make because there's so many models, right? SOC in a box, MDR, MSSP.
00:36:28
Speaker
There's so many flavors in terms of hybrid, captive, you know, and blended and staff augmentation. And you've got to somehow craft the right model for your company. And it's a moving model.
00:36:41
Speaker
And I think, you know, skills are tough to get. Experience is tough to get. And everyone has to find a way that usually starts with some consultants to get it going.
00:36:52
Speaker
And then you bring in your crew. You got some seniors, you got some mid-experienced people, and then you start to grow your garden, hire and start to build the pipelines, exit the consultants and exit some of the outsourcing.
00:37:04
Speaker
But I think in the case of security operations, it's actually an advantage. I think there's very few companies that should not outsource the SOC because when you think of that function, 7x24, follow the sun, collecting all the threat feeds, building the cases, you know, why would each company need to repeat all that work?
00:37:26
Speaker
It's insane. So without naming any names, I'll tell you a case. There were like two companies in the same vertical, right? Using the same SOC. And so this was kind of a magical moment.
00:37:38
Speaker
One company got pounded with ransomware. Now, the SOC had the IOCs. They were in the incident. So they put the shield up for all their other customers.
00:37:49
Speaker
And another customer saw 15 bullets bounce off hours later. Now, look at Scattered Spider right now, how fast they're moving through UK retail. They just pivoted to insurance. Hopefully, all the insurance sector is taking those IOCs and they're actually putting up the shield on it. And we're all you know better for that sharing.
00:38:10
Speaker
you know People need to do more of that sharing. Canada has CCTX, Canada Cyber Threat Exchange. We have the CCCS. There are ways in Canada to share and to find out what's going on. But the SOC makes that happen.
00:38:24
Speaker
Right? You're never going to get you know enough skill, enough talent. I think AI is like the first chance now where we can take a lot of the toil of tier one and tier two analysts now and start to contextualize it so that we're truly augmenting a human with you know information, actionable context, pre-processed, pre-digested insights you know in a way that you know if you flash back three years, it's like,
00:38:53
Speaker
Here's three gigs of logs. Make sense of it. Like we don't do that anymore. Yeah. Right. So I think there are definitely areas to outsource, but it's not going to be like, oh, you should always outsource this.
00:39:06
Speaker
I think application development can move in and out. Security engineering can move in and out. You know, cloud engineering can move in and out. But SOC tier one, I think that with the exception of a few companies like DND, they should move out. And I talked to all the major banks.
00:39:22
Speaker
They all have some blended model. Like nobody has a pure 100% in-house. It doesn't make economic sense. And if you take away the top five banks and you just say everyone else that's like in the real world, you know, can you afford to give up 70 headcount?
AI and SOC Operations
00:39:39
Speaker
Because if you go multi-site, seven by 24, cover off the basic technologies, the shifts, you know, you're talking 70 people to make that baby happen. And should one company hold all that?
00:39:51
Speaker
That's pretty expensive. Yeah. So what you're saying is it's not like in the movies with this vast bank of monitors and like mission control in any one job. It used to be. It used to be. In fact, I don't know if I'm allowed to say this, but in New Jersey, AT&T has a fantastic SOC.
00:40:08
Speaker
And I love that they brought the NOC and SOC together. I did that play in my last big gig. Yeah. And it was all that. It was like Battlestar Galactica, three stories high and all. But you won't see a SOC like that anymore.
00:40:21
Speaker
Yeah. Because everyone's working remote in the SOC, the only time you'll see that is the showroom when they have to give the customers a tour. And it's so fake, you know. It's a joke that they need to even do that. But people want to see that there's a room full of people, there's blinky lights, and the monitors on the wall, but nobody's really looking that far because they have three screens on their desk. You know, so it's kind of funny.
00:40:46
Speaker
I think that's changed a lot. And with AI preprocessing it, you don't even need those models the way we used to do them. Yeah, I agree with you. When I came in in 2016, CGI's MSSP was exactly that. And it was very much a showroom piece. It was impressive, eh? Like entering a cruise ship.
00:41:04
Speaker
It felt like Star Trek. It was cool. I think the other psychological effect was you came into that room and you're like, there's no way in hell I can build this. And that's exactly what the MSSPs want you to feel like.
00:41:18
Speaker
I could never recreate this. But if they showed like, you know, six guys that play rugby on Saturday, they're all at home and they're, you know, relaxed in their, you know, track pants and they have their monitor. If they show that picture, be like, I can make that. I want to be that guy, you know, in my track pants and working from home. So I think we have to watch that, but, you know, the automation is a double-edged sword.
00:41:43
Speaker
And, you know, I want to call out one thing, because you talked about outsourcing, is we have to decide what's critical for our business and our people. Yeah. If you outsource too much, you actually lose the ability to manage the outsourcer.
00:41:56
Speaker
So you actually have to have somebody that understands what you're outsourcing before you outsource it and be able to maintain that governance, maintain that oversight, maintain that skill. And these people are going to be headhunted away, but you've got to find a way to keep them happy, keep them motivated and keep them there.
Conclusion and Call to Action
00:42:15
Speaker
And, you know, I think this is another important thing.
00:42:18
Speaker
It's not always money. Most people will leave because of a bad manager, but it's not always money. And sometimes it's about other goals. And once you get to know everyone one on one and understand what their personal goals are, feed it.
00:42:33
Speaker
Feed it like a fire hose, because you need to keep some people as you outsource, to keep people as you do cloud and you do SaaS. Otherwise, it's going to be tough.
00:42:44
Speaker
That is very true. And it's actually a perfect spot for us, I think, to cut it off for tonight. So yeah, we started with people, we ended with people. Yes. Where can we find you before we close off for folks listening after the fact?
00:43:00
Speaker
I'm on LinkedIn. Vivek Kindria is a one and only account on LinkedIn. There are no name collisions, which is awesome. You can also email me at vivek at risk embrace dot CA.
00:43:13
Speaker
And, you know, obviously, aside from my consulting and my board work, I am helping Ryerson with their ELCI program. I'm helping a number of startups.
00:43:24
Speaker
So shout out to startups in Canada out there. If you are there, well, actually US too. I'm not going to hold it against them. If you need any help or direction, happy to jump on a call and give my two cents.
00:43:37
Speaker
Absolutely. Well, thank you, sir, for the time and attention. This was an incredible conversation. No, thank you. These are great questions. You know, I think you guys got right at the heart of the matter. And I think you are also very receptive to the human dimensions of this problem.
00:43:52
Speaker
I go on a lot of podcasts and they get stuck on the tech. And the tech is the easiest thing. 100%. Awesome. Thank you. I really enjoyed it.
00:44:05
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:44:18
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.