Zero Trust Strategy vs. Silliness, Leadership, and Deepfakes with Dr. Chase Cunningham!

S2 E42 · Bare Knuckles and Brass Tacks

Dr. Chase Cunningham, aka Dr. Zero Trust, joins the show to talk Zero Trust credibility, the state of leadership in cyber, and more!

George K and George A talk to Chase about:

⚓️ His unlikely journey from Navy engineer to cybersecurity expert

🛡️ The evolution and future of the zero trust model in combating modern threats

📚 Insights from his latest book on leadership

🏎️ And perhaps a new land speed record for the number of f-bombs in a BKBT episode…

🧨 In the Teardown: George A tells you just how much money a bad demo experience can cost you (Hint: it’s a lot).

Transcript

Introduction and Guest Introduction

00:00:11
Speaker
Yo, yo, yo, it's the show. This is Bare Knuckles and Brass Tacks, the cybersecurity podcast that tackles the messy human side of cyber. That is human relationships. That is trust. That is vendors. That is customers. And I'm George K with the vendor side. And I'm George A., a Chief Information Security Officer.
00:00:30
Speaker
And today, our guest is none other than Dr. Chase Cunningham, aka Dr. Zero Trust himself. What an episode.
00:00:42
Speaker
Indeed, we actually talked to him about the very framework that has been the bane of our existence but is such a necessary evil to all of us in security. He co-founded it and he is still an absolute beauty. He's a real expert and he understands both from the client side and on the seller side how to actually have substantive conversations and how to sell this thing down, not only to your practitioners, but to your boards and talking about ROI.
00:01:10
Speaker
Chase knows all, Chase covers all. Yeah, this one is legit for both the practitioners and the vendors. The vendors, you are going to learn where and how you can actually talk about zero trust with credibility instead of just slapping it on everything. Practitioners, you get into some nerdy questions with him, George, about infra, IT architectures. There's a lot of juice in here. He packed it in. It was a blast.
00:01:38
Speaker
You know, we're all salty dogs on this episode, so this might set a new land speed record for the number of curses per sentence, but we're here for that energy. Whiskey and gin, brother. Chase was a good one. This will be a great episode, folks.

Origin Stories in Cybersecurity

00:01:55
Speaker
Dr. Chase Cunningham, a.k.a. Dr. Zero Trust, welcome to Bare Knuckles and Brass Tacks. Hey, thanks for having me on here. I gotta get me one of those hats, man. I love those things.
00:02:04
Speaker
Oh yeah, we'll get one in the mail to you. So you have a very storied career. I think most people know it if they're paying attention. But just in case they don't, what's the two to five minute origin story for how you got into this crazy industry?
00:02:20
Speaker
So, two to five minutes, really, like, the long and short of it is most people can't really say that they are just blessed by being around other people and stumbling into good opportunities. Literally, that's the entirety of my life and everything. So the way that I actually got into cyber specifically was I actually joined the Navy as a diesel engineer, and I wasn't doing anything on diesel systems, because that's just how the military works, right? You join it and they stick you in something else.
00:02:47
Speaker
Long story short, we had this piece of shit, piece of equipment that Lockheed Martin gave us that was computer controlled and it didn't work right. Now, I knew what the settings were supposed to be, but no one ever listened to me because I was a lower enlisted guy, right? I was like an E4, so I didn't give a shit what I said. Anyway, it was always my responsibility to fix this freaking thing. So I got fed up with it. We're literally out in the middle of the Atlantic Ocean one night. I had enough. I snuck up to the chief engineer's state room and stole the laptop that was used to configure this thing while I knew he was on watch.
00:03:17
Speaker
And then I came back down in the engine room and I changed the settings and reconfigured it and everything worked great. Technically, what I did was criminal in nature in the military, like it's a big time no-no, like huge no-no. I thought I was going to Leavenworth. And while I'm doing this, the cyber warfare at the time, cryptologic officer for the ship is walking around at two o'clock in the morning because I don't know, he didn't have anything better to do.
00:03:40
Speaker
And as God is my witness, like, I'm standing there in the engine room holding his laptop, and I look over and I see him, and he looks at me, and we, like, lock eyes, and he just goes and shakes his head, and I was like, oh fuck, like, this is it, I'm going to Leavenworth. Fast forward a couple days later, he comes down, he knocks on my engine room door, and he's like, do you like doing this? I said, no sir, it sucks, I'm quitting as soon as I can.
00:04:05
Speaker
And he goes, all right, do you want to do something else? And that's literally how I transitioned into this because they put me through testing. I blew that out of the water. And then I went and did all the stuff with the Navy, which translated NSA, which led to Forrester, which led to all these other things. So when I say I'm just a bumbling moron that happens to get lucky, that's what I mean. Like, it's the truth.

Zero Trust Framework: Evolution and Challenges

00:04:27
Speaker
Oh, you know, bumbling moron with a PhD, but a startlingly similar origin story to George, please tell yours, because this is amazing, these accidental run-ins. I was a fucking moron. I was in the artillery at the time. I actually just rejoined an infantry unit. I was sitting out doing a confirmation act of a thing. We're in some fucking hole in the ground in like Northern Ontario.
00:04:51
Speaker
and Team America: World Police had, like, just come out the year before. Yeah, an Arabic speaker. So I'm telling the boys, I'm like, boys, Durka Durka is not fucking Arabic. That's just not a real fucking thing. And I was, like, just giving them little tidbits of, like, just some Arabic translations. And I had a sergeant at the time who rolled around who was actually a PsyOps guy. And he was like, hey, what's that? And I was like,
00:05:19
Speaker
It's Arabic. He's like, you've been doing this the whole time? And I was like, yeah, it's in my last name. Hold on. It's right here. And then, fucking, they looked at my docs, and apparently it somehow just flew over everyone's head. We're in two major Middle Eastern conflicts. Never realized the dude that's been working for you for two and a half years speaks Arabic.
00:05:44
Speaker
And so I ended up in, same way as you, ended up in Second World, got the clearances and the probe up my ass and the fucking polygraph, all that shit, so. Yep, psych evals and all the other fun stuff. They're like, he speaks Arabic. Let's get him out of the hole in the ground and put him in a much hotter, worse hole in the ground. Yeah.
00:06:05
Speaker
Well, really, really love that trip down memory lane. But yeah, let's get started. But I'm going to cheat and say that you're a practitioner because you are. So I'm going to go first, just out of spite. So you are Dr. Zero Trust. You are famously one of the co-creators of the Zero Trust Extended Network framework that is much ballyhooed.
00:06:30
Speaker
I would be remiss as a marketer if I did not ask you, this is the bare knuckles portion of the show, airing of grievances. It's best of us. What do you think about what has happened to Zero Trust?
00:06:45
Speaker
I mean, when it first really got like formalized and we had that kind of like first RSA, that was like zero trust everything. I mean, where you couldn't even go to the shitter and not see ZT. It was beyond the pale, like it was bonkers and et cetera, et cetera. I think now we've we've kind of come over the hype cycle of it and we're at the stage of practicality. The government's invested two billion dollars. The Australian government's moving the whole ZT like we've
00:07:12
Speaker
We've bridged the gap and that was my fear, honestly, was that it was going to get marketed so hard that people would just go, this is completely retarded and we'll just move on past it and it's not a real thing and it's just going to die on the vine. And I was going to be the asshole sitting there holding the bag going, well, this didn't work. When in reality, luckily, because of a whole bunch of really good people, it's gotten to a very good stage and we have
00:07:33
Speaker
investment and opportunity and a market created and all this stuff. So we're at a stage where zero trust is a thing and it's not going away, which is great. The vendor side of it, you know, I used to get irritated and lose some sleep about it and bitch and moan and whatever. But I mean, the good thing is
00:07:52
Speaker
Every six months, there's going to be some new shiny object that they'll go chase. So as long as the strategy side and the actual usage around ZT survive, that's fine. That's my only real worry is that people don't understand. It's really just strategy. I don't give a shit what you call it. But if you just apply strategy correctly based on the bad guys side, you'll do better. That's what we wanted it to come out with. We just had to have a cool name for it because
00:08:21
Speaker
If you don't have a cool name in stuff, nothing matters. I mean, no one remembers, you know, you could say super cyber security strategy and people be like, what the fuck is that? They would go away. Whereas if you're like zero trust, that's got some, you know, half to us. Yeah. I did that. Okay. That's my, that's my world combat voice. So yeah, I like it. I dig it. I like the perspective that you could get really twisted up about how cliche it's become in marketing. But as long as you see real world,
00:08:51
Speaker
action in terms of architecture and network design, then they're cool with it. But cool. It's a thing. It's a real thing. So that's good. Sweet. All right. So I'm going to take advantage of this fact that you're another practitioner. So I'm going to nerd out for a sec because we got enough nerds to listen to us. And George always talks about better ways to sell. And I'm like, oh, cool. Another practitioner. Let's talk about how bullshit our job is.
00:09:17
Speaker
Let's talk about some of the challenges around architecture and implementation for Zero Trust. I'm a Zero Trust shop, by the way, so I deal with this every fucking day. Thanks, Chase. I'm sorry. I apologize.
00:09:29
Speaker
So all it takes is one core tool not being SSO compatible. And you're left with a massive gap in your model, essentially. I mean, cost can be a hell of a problem too. Like as legacy applications and upfront migration upgrades can be an absolute drownage on a budget. Really, it's death by tech debt if you decide to go to ZTNA when you already have ownership buy-in for it.
00:09:54
Speaker
Now, if you're not some fancy, unicorn, beautiful, fucking secure-by-design shop that builds its infra with security in mind, if those exist, like please fucking someone put their hand up, and you are in fact trying to play tech catch up as most enterprises are, how do you overcome the resource and timeline challenges necessary to make those changes when it comes to architecting your IT infra within the ZT framework?
00:10:21
Speaker
Oh, it's a really good question. So the first question I would ask back, right, if I put my consultant hat on, because that's like what I do now for, you know, the feeble amount of dollars I give to my kids for the stupid shit they buy, is really like, where are you in your current zero trust instantiation? And most organizations would say, I'm not totally sure. Okay, well, that's number one, let's figure out where we actually are. Then the second thing I would really ask is, you talked about tech debt and budget and those other issues.
00:10:50
Speaker
let's see if we have things that you're using currently that are redundant or reciprocal and are not actually going to benefit you in the context of removing the adversary's ability to be successful. So most organizations I've talked with or do workshops with, they've got like two or three of the same sort of thing solving the same sort of problems and they're eating each other's tail. So start figuring out which one is really going to do what you need it to do, not make the users miserable, and then begin working your way from there. The other thing that I would say
00:11:19
Speaker
is if you're really engaging on a ZT plan, then that's great. Where on the ZT plan do you want to combat the adversary, right? You're an army guy. I want to meet them at the door. Where is the door to meet them at? If it's on the internet, okay, we need like browser isolation and things like that. If the door is, I'm okay with that compromise because it's going to happen and I'm going to live with them until they get inside my network, that's a micro segmentation thing.
00:11:46
Speaker
So really, it's all about your org, it's all about your strategy, it's about the technologies that you've allocated, and then it's about placing your controls around that. And lastly, policy engine, policy engine, policy engine. That is what makes this whole thing work. And if you're not crafting it and using it correctly, you have no hope of ever achieving a zero trust instantiation. It's just not possible to do it at that scale like you're talking about without technology to make this possible.
00:12:15
Speaker
Yeah. But then, you know, your differentiation, like when you're looking at your employee environment versus your production environment, it's two separate conversations. I mean, we can have a whole fucking show on Siam in the production environment. Oh, yeah. I'm just talking about like right now securing the employee environment. But do you do you find you get as many clients being like, hey, how do we secure our production environment and fucking ZT as you do people or just be like, cool. So how do I keep my employees from absolutely fucking it up?
00:12:44
Speaker
Yeah, well, most of them honestly are not even educated enough to ask that question you just asked right there. They're usually going like, how do we do zero trust? And I'm going, well, what do you mean for ZT? Yeah. So like, are we talking about your people? Are we talking about prod? Are we talking about dev? Like there's, there's not a lick and stick sticker for zero trust.

Cybersecurity Startups: Leadership and Culture Critique

00:13:04
Speaker
We got to figure out what you want to solve for first.
00:13:06
Speaker
Oh, Chase, my heart hurts for you. Oh, yeah, dude. Welcome to my misery. This is, you know, this is why, like, sometimes the great thing about it is I've gotten really good at firing clients. Now I just feel like your stupidity is not worth my time in misery. So I'll just find someone else. I swear to God, I had a call today with somebody that I'm doing a consulting gig with. And the lady that runs the org, she's like, well, should we have 2FA on stuff? And I was like, what the what? I was like,
00:13:38
Speaker
Come back to me when you catch up to 2019. Yeah, I just kind of was like, I couldn't help myself. I was like, is that a serious question? She goes, yeah. I just said, hmm. Cool. Yeah, I pretty much just felt like a hanger and he got dropped down my shorts, but whatever.
00:14:00
Speaker
I definitely want to make a Zero Trust sticker that says Zero Trust, and then below it, it says, do not lick and stick. It's scratch and sniff. That's right.
00:14:12
Speaker
Okay. Well, let's turn our attention to some other topics and ideas. So you recently came out with a book, I want to say it was April on leadership. So again, we're in the airing of grievances. So I was going to give you the space to talk about like, what do you see as the state of leadership, that big broad umbrella term in cyber today? Do you see improvements? Do you see pitfalls? Do you see legacy problems?
00:14:39
Speaker
I mean, in general, what I see is we've got this space that is still one of the only ones that's getting money dumped into it by the VCs. And I don't know how these VCs particularly come up with the idea of let's dump a bunch of money into this company because somebody created a piece of technology, they should be the CEO. Like, that's the issue. Most of the folks that are
00:14:58
Speaker
you know, I'm being general here. So don't don't send me dead cats in the mail. But I'm just saying in general, the folks that I meet, like, you may have created a really cool piece of technology, you might have been a badass 8200 or whatever else. But should you actually be the CEO leading the company because there's a whole lot of things CEOs do that have nothing to do with tech and those things. So most of the time, those folks wind up
00:15:22
Speaker
hating the role that they're in. They don't want to be there. And other than the fact that they get to put a little gold star on their title as I was a CEO of a tech firm that got a bunch of money, they're not there for any reason. They're not there to serve their employees. They're not there to take care of their customers. They're just there because that was something that they thought they needed to do. And it's bad. Like it sucks for the employees. It sucks for their customers. They're usually unhappy fucking pricks. And it just goes sideways from there. So like to me, that's the biggest
00:15:52
Speaker
issue that we have is that we've created this culture where founders become leaders because of the fact that they were there when the doors opened. That doesn't work in any other industry, but for here in cyber, for some reason, it happens all the time. The only other thing I want to say
00:16:08
Speaker
is keyboard warriors are the worst leaders you could ever have. Like, I wrote that in my book, a little chapter about this guy that was running his mouth at me, blah blah blah, and I said, what's your address? Because I know he lives near me. And he's like, what? And I was like, what's your address? He goes, why would I give you my address? I said, because if you're gonna run your mouth the way you're running your mouth, we're gonna do it in the front yard.
00:16:27
Speaker
And then his approach changed, right? Like, if you're going to keep running your mouth at me like this, I'll beat your ass in the front yard, and then we'll see how you talk. Because don't be a keyboard warrior. Just don't. It's not good leadership. It doesn't impress anybody. It makes you a fucking pog. Like, don't do those things.
00:16:45
Speaker
Yeah, to your point about the role responsibilities versus the title, there's also a big gap when you go from, like, seed to Series A, and then, for our listeners, the gap between Series A and B is
00:17:02
Speaker
a chasm, is messy, because, yeah, you start trying to operationalize, you start to scale, and you go from, like, founder-led sales, which I think, like, the technical operator, I want to show you my tech baby that I created and why it's so awesome, and that's great in the seed, that's great maybe part of the A. I know companies where the Series C CEO is still involved in deals and
00:17:29
Speaker
much to the chagrin of their sales team, they might be messing it up because they're causing a whole bunch of friction. You can't build a business in a scalable fashion if you've got somebody trying to duck in and out and just too many cooks in the kitchen. You have to graduate into a different role. Now you are a business leader and you have to create a culture and company.
00:17:50
Speaker
And most of them don't want to do that. And they're stuck there. And they just become these, like, miserable, brilliant jerks that no one really wants to deal with. And if I had a nickel for every time when I was doing a work where somebody was like, you're going to meet our founder, he's a little bit interesting, but he's got a great, you know, mind for the technology. I was like, OK, so this guy's an asshole. Cool. Let's move on. That's the coded language there. So do you think they should just be, like, the CTO? Should they be in charge of just the tech versus
00:18:19
Speaker
I mean, I would just my suggestion would be that they should just be something other than the leader of the company, because that's not what their skill set is. That's not if they really looked in the mirror. That's not what they want to do. They want they want their company to be worth a whole bunch of money so they can exit and go buy a Lambo or whatever they do with all that cash. But they're they're not there because they want to like
00:18:42
Speaker
Care for their people and grow the company, the business way and those types of things. And I know somebody would say, well, that's it's not that way everywhere. I'm just talking in generalities, but it just it just is like it's a problem and it's corrosive. And you see it all the time because, like you said, companies will get towards C round or whatever. And then the founder is holding on by their fingernails because they want to be the CEO and it gets ugly.
00:19:09
Speaker
Yeah. Yeah. Yeah. Like I find like lately I've been. I've been fighting of late. I'm really getting tired and sufferable of of dealing with these guys that are coming up with these solutions, quote unquote solutions that literally are just being built to be acquired. Like they just want to get acquired. So they're not doing anything. They're not they're not solving any problems. I went on a fucking tangent on our buddy Ross's LinkedIn the other night.
00:19:38
Speaker
I was just like, come up with something that's actually important because all these new startups are boring as fuck. I don't care. Or it's just like one tiny piece of the security stack. I help you integrate this thing with this thing. And I'm making this because one day Cloud Slayer will acquire me.
00:19:58
Speaker
Because I know Palo Alto Networks needs this. That's basically right. Yes. And those dudes are bullshit. So I'm just like, man, I feel you. I'm just a lot of anger and I'm trying to stay appropriate for the show. But thank you for saying it. The state of the startup culture in security is boring. It's cheap. And these dudes are just out for a quick buck and everyone fucking knows it.
00:20:24
Speaker
I remember it was RSA, I want to say it was RSA 2022. The whole back wall was like passwordless, niche vendors. And I was like, what was this like a theme? And then the next year, like, no, no one, no one there.
00:20:42
Speaker
Yeah. Yeah. I mean, it's it's the pump. And like every time I see a founder who's got like seven exits, I'm like, you're a sadist, man. Like you're like your kids must hate you or whatever. Like just quit and go do something else. Give me a million dollars. You'll never fucking see me again. Like I'm gone, bro.
00:21:02
Speaker
Yeah, bro, I'm going to ban down by the river. My needs are so cheap that it would be like a million to me is that I'm a farm kid. A million to me is like one of the fucking lottery. So, you know, seven exits, nine exits. You you need a different hobby.

Future Threats: Deepfakes and Data Security

00:21:20
Speaker
Yeah, you need to spend some time with the kids. Yeah, the kids that hate you. Yes. The ones that you've already ostracized.
00:21:29
Speaker
So, to not shit on sales leaders for once, for a second. I just want to ask this because I have a lot of friends that are practitioners that actually do deal with ZT quite a bit. So I really wanted to focus on that. Where do you see the evolving nature of the threat landscape taking the Zero Trust framework in the next five years? I imagine when you first built it,
00:21:53
Speaker
You didn't exactly have things like, say, deepfakes and data model poisoning on the bad guy bingo card at the time you made it. So where do you see this thing going and how do you see it evolving to handle the new threats? Yeah. So, I mean, the real deal of it is the majority of what we think of as far as, like, technical exploitation and those types of things, they're fundamental. If you look at the... I like the Verizon DBIR and the Mandiant M-Trends report; to me, those are biblical references. Every year when they come out, I worship them at the altar of cyber.
00:22:22
Speaker
And like, that is, if you look at that, the history tells us what the same things are, the same problems are, that happen year over year over year over year, and people wonder how to solve this problem. So if they apply the concepts and strategies, and talk about ZT, to those issues which still plague us all, it will take care of those things. It just is what's built into zero trust. Now the other stuff you're talking about as far as
00:22:43
Speaker
deep fakes and some of the really innovative ways that people are manipulating through the processes around how we leverage technology. That's a different animal in a whole bunch of different ways. And I am honestly more worried. Like I'm not concerned about exploitation. I'm not worried about fucking hacks and ransomware or whatever. That's just whatever. I am
00:23:04
Speaker
Honestly, as an American, as a citizen of the world, I'm concerned genuinely about deepfakes and stupidity of humans and those types of things and what are going on. And there is no, no matter what, Reality Defender won at fucking RSA, there's no really good way to stop this thing and put the genie back in the bottle. So to me, I don't have a solid answer for that one right now. And it is extremely concerning, to be perfectly frank.
00:23:29
Speaker
Yeah. I mean, language is the operating system of human society and we are highly visual creatures. So the fact that, you know, I've been tracking deepfake, shallow fake stuff for a while, and I was telling people, you know, in 2019, I want to say there was a Trend Micro report on a deepfake phone call that did wire fraud to an energy subsidiary in the UK. That was written as like,
00:23:55
Speaker
super sophisticated, one-of-a-kind, not a thing. And then the beginning of last year, mom and dad are getting deep-faked phone calls from their daughter saying they've been kidnapped. Like that's a four-year, like show me another technology that went from sophisticated threat actor to like off-the-shelf open source model that
00:24:15
Speaker
Any mom or pop threat actor could use against domestic, you know, regular citizens, civilians. Look what just happened with the helicopter crash with the president of Iran. Within hours of that one, there were deepfakes out there that were showing, like, CIA assets leaving the country and all kinds of whatever else. And I mean, people bought it. Like, I saw one that came out
00:24:37
Speaker
And I think within an hour and a half, something like 300,000 people had commented and liked and reposted. And it was total bullshit. But that's the risk that we're facing there. And there is no, even if you technically control it and do the things that these companies have talked about, like watermarking and digital, blah, blah, blah, whatever, you can't fix people, the hype cycle and the way that we leverage these systems now. It's just, it's concerning.
00:25:05
Speaker
With regards to deepfakes, it's hard because real things do happen. So for example, people try to deepfake saying the CIA had something to do with it. We don't know. We're not commenting on that. But we do know the CIA had something to do with a failed coup in the Congo. That really did happen. So it's like, oh, well, if that's happened in the Congo, we could easily see it happening. Yeah. You can undermine the veracity of everything. You can basically just
00:25:34
Speaker
For the record, when you throw a technical question at a guy like Chase, and Chase is like, I don't know, but I'm kind of concerned about it. I'm really bummed out. I was hoping he had an answer that I could like build policy around. This was my fucking code, bro. Yeah, we brought you on to fix this thing. Yeah, I wish I could give a good answer for that one, but I don't.
00:25:57
Speaker
Oh, you know what I would love to see, though, because it hasn't happened yet, is the Trump pee tapes. I want a deepfake of that. Like, somebody, Trump's face, and deepfake him pissing all over people. I think that would be hilarious. But anyway, on that note, we will take a short break and we will be right back. Oh, my God.
00:26:23
Speaker
Hey listeners, George K here. Pride Month is just around the corner, and new pride t-shirts will be dropping in the Bare Knuckles and Brass Tacks merch store to raise money for community organizations. Profits from the Rainbow Fist and Bolt Tee will be donated to Out in Tech, and the Let Your Sparkle Shine Tee features a message written to support trans youth lifted from my own daughter's handwriting.
00:26:46
Speaker
Profits from that shirt will go to a scholarship for LGBTQ plus students pursuing cybersecurity education programs. All profits from all sales of these shirts throughout the month of June will be donated. Watch for them to drop starting June 1st. Now back to our interview with

Aligning Cybersecurity with Business Needs

00:27:04
Speaker
Dr. Chase Cunningham.
00:27:09
Speaker
All right, so now we're going to go into the brass tacks portion of the show. So we're going to try to actually solve the problems in the fuckery that we talk about. And, you know, I'm happy that you're here for this because you are a very solution-oriented person. So I'm going to start off with the question that you probably hate hearing. Explaining ROI when focusing on tech debt, and give me some good ammo beyond just "our toys won't work if we don't upgrade this."
00:27:38
Speaker
Yeah. So, I mean, really the change on that question is, do you want to be a digital business? Does your business, do the leadership here want to be something that is operationally relevant and valuable? Do you value your customer's trust? Are you willing to go down for a period of time because of an oopsie? And is your competition running up your ass because of the fact that you're not able to keep up and run with the herd?
00:28:03
Speaker
That's where really the twist in this goes on. Like, when I do workshops with people around strategy and zero trust, wherever, most of the time I'll kick the tech people out of the room because I want to talk to the business ranks and just be like, look, if you guys want to be operational, you want to sell, you want to do all those things,
00:28:21
Speaker
Can you do that if I just turn the Internet off? Everybody's like, no, not a thing. Can't do it. No way we can. Well, OK, then you accept that that's a reality. Let's plot plan scheme around how we can keep you operational and how we can align your budget and your entire organization to making sure that that stays the thing. And then the last side of that is.
00:28:42
Speaker
There's this concept of contested space that they have to accept. You're never going to be perfect, and any CISO that comes in there and says that there's never going to be a breach and things are never going to go wrong, they're lying to you, business people. What you really should say is, what do we have to have to be survivable so that we are not down hard for weeks on end and have to go back to paper?
00:29:02
Speaker
that's where you align and that's where you begin the conversation around it. And I know the thoughts that are running through your head, like I can see the wheels spinning, but it's, I mean, it just has to be that way. And it sounds like a consultant answer, but it's a cold soul answer because that's what I do all day, every day with these folks. Dude, dude, hold on a sec. Do you know how many organizations I know of that raw dog without a DRP?
00:29:29
Speaker
Just straight up. Sorry, DRP is a disaster recovery plan. I know so many organizations that just don't. Oh my God. That just makes me so nervous for the entire economy. It's just like, why would you do that? Well, I'll tell you a quick story about one consulting gig I did.
00:29:46
Speaker
with this org and they said, all right, we want you to do a zero trust, blah, blah, blah, cool. And I walked in with the ransomware scenario that I have day one, minute one, walked in, dropped the scenario on the desk and say, look, everybody that's in technology, leave the room, everybody that's business leaders and sales and whatever else stay, here's the scenario, ready to go. And I just sat down and started drinking coffee and watched. And you wanna talk about like,
00:30:14
Speaker
Insanity? You want, I mean, it's, it's something. It goes sideways and you're just sitting there watching the cats, like, herd themselves. Yeah, just turned into like the French Revolution. Yeah. If you, uh, what's, uh, if you ever seen like Beyond Thunderdome, you know, to to exec center one.
00:30:36
Speaker
That's right. That's awesome. That's good. That's a really good way to take it down to the bone and be like, this is what we're talking about when we talk about cybersecurity. We're not talking about like switches and this, that and the other bits and bytes. We're talking about like the operational capacity of the business.
00:30:53
Speaker
Yeah, I don't care. I don't care about any of that stuff. I don't care about the products you're using. I don't care about your endpoint security thing that you bought. I don't care about your super amazing A.I. powered shenanigan, blah, blah, whatever. Like, I want to look at this from the perspective of we need to stay operational. We need to keep the electrons moving and we need to know how the business is going to operate when things go south. That's it. We'll deal with all the other stuff later. Yeah.
00:31:17
Speaker
I dig it. All right, so we got an audience question in from our friend Joel Bench, who actually works a lot with marketers on their messaging. So this is right up his alley. And he was interested in hearing your take on what are the red versus green flags in language when a vendor starts talking about zero trust as it relates to their solution. Like what's the sniff test that's like,
00:31:44
Speaker
Yes, they kind of know what they're talking about, or this is just made up nonsense. If their zero trust thought leadership is a 10 to 1 ratio on their actual customer use cases, they're full of shit. So that's one. And then on top of that, if they're unable to tell you how their org is engaging in zero trust, I would not consider even having a conversation with them.
00:32:08
Speaker
Nice. All right, cool. And then his follow-up question was, how does a company build or damage their credibility with buyers early on? We're going to get into some demos and stuff like that, but just broad strokes, how can companies improve the credibility gap?
00:32:32
Speaker
Yeah, so I mean, I think the best way to do that is to just be real about what it is that you're doing and how you're doing it, and to make sure that people understand, you know, the processes and the needs of the organization, not just the technology that will fall into that mix. Most folks, I don't know if people never read the book, like, Start with Why, but they should, just because that's really what you should be able to get around is like, why are you doing this ZT thing?
00:33:01
Speaker
If you can't tell me why very clearly, then I think you're probably full of it. So I'd like to ask you in your experience from a leadership position, both sales or a practitioner side, how do you respond professionally when the marketing for the tool you're looking at or the vendor that you're dealing with is just plain stupid?
00:33:27
Speaker
Like it just, it's offensively stupid. How do you professionally deal with that? How do you professionally respond to it? I think you're making a giant assumption there that I am professional about it.
00:33:43
Speaker
Um, you know, it's one of those ones of, uh, I've, I usually will try and reach out to the org and just kind of go, are you aware that this is totally disingenuous and that no one is going to believe a fucking word you're saying? But if you're, if you're like looking at that, it's a giant issue. So most of the time you can talk them off the ledge a little bit.
00:34:05
Speaker
But I mean, sometimes you just got to have a good laugh. There's really no other way to

Vendor Credibility and Market Dynamics

00:34:10
Speaker
do it. Like have a good laugh, take a screenshot and put it up and go, we'll be seeing this come back around in another year or something from that. I wish there was a very professional way to approach that problem. But I mean, the other issue you see with marketers is
00:34:25
Speaker
Once they get, like, vectored in, like they are on that glide slope, and it doesn't matter if they're going to hit the fantail or not, like they're going to ride that sumbitch till it kicks them. Even if they know that it's a bad idea. Well, so that's a good, that's a good point. So, what about it? I have a question about inertia and I'm not quite sure how to phrase this, but
00:34:50
Speaker
I think if you got a lot of people in a room by themselves, they would be like, yeah, I know we got to get demos out. I know we should open up our website with outcomes and not just the bells and whistles.
00:35:04
Speaker
But there is also, I've seen marketers A/B test homepages where they do try to go after outcomes, and then they go to a security buyer and they're like, well, what are you, an EDR or whatever. So I feel like we're caught in this self-fulfilling trap where practitioners say your messaging sucks, but then they're highly responsive to the weird cliched messaging, so then that incentivizes marketers to use the cliched jargon buzzword messaging. So what's that about?
00:35:34
Speaker
fix that. I mean, most of that really goes wrong at the analyst firm level, to be perfectly honest. That's where those pigeonholes come from. That's where the directors and all those acronyms we use kind of get originated. So that's part of the issue that drives things sideways. The other one is, you're right, it is kind of this like,
00:36:00
Speaker
double-edged sword where you've got the folks that are out there that are trying to explain what the hell this stuff is, where they're also having to use acronyms and those things to get the point across to people that don't understand the space. So, you know, it's a problem, but I would also argue that if people really think that cyber is a business-related function,
00:36:23
Speaker
you would do better in your marketing to speak more along the lines of the people that are actually going to finally stroke the check to make things happen. You know, the time your CISOs and CIOs are very senior in the organization and they are influencing direct decisions, but who's going to be the org that's going to finally just go, yes, we're going to allow this to occur. We're going to allow this multi-million dollar purchase to go through. That's who you're selling to.
00:36:50
Speaker
Yeah. All right. Well, you, you brought up analyst firms and I'm eager to go there, Mr. Expleter. So from a brass tacks perspective, what's your advice to marketers who are kind of on the fence about, should I engage an analyst firm? I see my peers doing that. Do I need to hire? Like, what's, what's that part of the article? What's the guys in my shoes? Like, oh yeah. Yeah. For sure. Same. Yeah. Yeah.
00:37:16
Speaker
Yeah, so I mean the thing that I would tell folks is like the analyst firms, there's the analysts there that are doing really good work that are trying to actually implement some sort of change. However, at the end of the day, those analyst firms, they're businesses and you have people at the back end that are account reps and salespeople or whatever else that are driving a lot of those conversations.
00:37:37
Speaker
And I can tell you from being an analyst, running Waves and whatever, it's digital flagellation where you're trying to get stuff through. So understand that there is a, pay to play is not the right way to say it, but it is a, I call it manipulation of the market, if you will, based on who can pay the most to get things where they need to go. What I would suggest to people, especially that are on the CISO buyer side,
00:38:02
Speaker
is look at the MQs, look at the Waves, those types of things, to get you an understanding of the market itself. Like, take all the rankings off of there and just toss those in the shitcan. But look at the actual stuff that's written in there, because the analysts work really hard to get that stuff together. There's value in that. And then I would also say look at organizations that are more non, I guess partisan might be the word, that have lots of information from
00:38:27
Speaker
users and buyers and end users, like, and get some of their stuff, and then somewhere in the middle is where all that truth really lies. So, you know, analyst firms are businesses. They have quotas. There's a whole thing going on there.
00:38:41
Speaker
understand that it just is how it is, but there is veracity in some of the research that they do. And I can tell you from the people that I worked with at Forrester, a lot of the analysts genuinely really do care about the space they're in, but you're under the flag of the company you're at and they're the ones paying your bills. So, I mean, it's a thing.
00:39:07
Speaker
I mean, it's a, you know, it's a carrot or stick. And which one are you gonna, you know, if you're the analyst, like, I prefer carrots to sticks, getting beat sucks. Cool. All right. Well, the last question I have is, I know you're also working on Demo Force, which is a company that helps develop live demo situations that users can configure on screen. You and I have gone back and forth in DMs about
00:39:36
Speaker
you know, the pre-baked demos as it were. So again, what is your advice to companies that usually feel really hesitant to do demos because let's say, I mean, genuinely startups feel scared to show off the product. They're like, well, what if our competitors like see it and then they like steal our UI or whatever. Anyway, what is the what there? Like what's the real deal?
00:40:06
Speaker
I mean, if you've created something that's so earth-shattering that you can't share it with people, allow them to have a look at it, then you should just stop getting in this market, because you have to market and you've got to be able to put stuff out there. A demo is nothing more, really, than, you know, letting people get their hands on your software. And oh, by the way, there are laws against people stealing your shit and using it for whatever. And you did hire a bunch of lawyers. So feel free to use those people.
00:40:30
Speaker
The question that I would ask is for the CISO on this call, Mr. CISO, would you be more willing to buy a piece of software if the vendor would let you try it on your own terms first instead of some bullshit glorified PowerPoint video?
00:40:44
Speaker
I mean, obviously, that's the whole thing. And we may or may not have a section later on where I actually talk about, hey, if I want to see your software for a certain thing and then you demo me a fucking thing where it's a whole hour session that you don't go over the thing that I actually wanted to see, I'm going to be very, very upset.
00:41:06
Speaker
Do you know how expensive that hour is when you assemble like your team lead on and you and anyone else? I mean, that's a lot of company money for not covering the thing that you wanted to see.
00:41:18
Speaker
Um, I mean, if you're gonna, you know, if you're gonna sell people cars, which one are you more likely to buy when you go to the dealership and the dealer says, you can't drive it and you can't touch it. And oh, by the way, I want you to install the transmission before it leaves the lot. Or you go in there and you toss the keys and say, if you like it, bring it back and all the paperwork ready. Like which one, I, I would, uh,
00:41:43
Speaker
I don't know how to fix that, but I've had people say like, oh, this person just reached out and they really want a demo. And I was like, cool.
00:41:49
Speaker
go do it. And they're like, wait, we got to meet. We got to have a meeting. We got to, like, configure the environment, or, or it's like, wait, we got to have a discovery session first so we figure out what we should show in the demo. They just said they want the demo. That doesn't really, well. Like, I'm pretty sure that's still their model. I will just, we got to shout them out, Tines. So Tines is a SOAR provider. They will give you freeware. They'll give you freeware with up to, like, like three free use cases.
00:42:17
Speaker
That's fucking brilliant. It's like, cool. If you guys like us, great. We can do business. If not, here's three free. You can keep them.
00:42:24
Speaker
I respect that. Like, I got respect for that. Yeah. Yeah. Well, yeah. Chase, you and I are in a LinkedIn chat with some others, where we learned one of the people there was saying, like, yeah, our competitor has like a free trial and it's like totally destroying us. And I was like, well, why don't you just roll one out? And he's like, they're afraid that people will see the product. I'm like, OK, cool. How's that working out? Yeah. Well, then just box everything up and go home. Like, there you go.
00:42:55
Speaker
I mean, because I deal with that with folks on the Demo Force stuff all the time, where they're like, well, our founders are afraid that someone's going to steal our IP. Like, then what? I don't know what to tell you, quit, I guess. Yes. Yes.

Episode Closing and Appreciation

00:43:10
Speaker
This is, I mean, cybersecurity is a realm of probabilities. Do you want the probability where there's money or like this hypothetical probability that someone's going to tune into the demo and steal your IP?
00:43:24
Speaker
I mean, you've got lawyers, you trademark shit, you've copyrighted it, you've patented it. If I see that you stole my patented shit, I'm gonna come after you. There you go, that's what lawyers are for. Right, awesome. Well, Chase, thank you so much for taking the time out of your evening to sit with us. This was a blast. The snark was real on this one, and I love it, and I'm here for it, so thank you.
00:43:51
Speaker
Oh, you guys are awesome, man. Thank you so much for having me. And you guys, you know, you should call your the others. This is like G unit because there's two G. Yeah, we'll go with that. Well, I'll make that on something. Cool. Well, thanks, man. And we will talk soon. All right. Y'all have a good one.
00:44:16
Speaker
we look at the dumb shit that gets sent our way and we try to rip it apart because it's how we deal with the pain. So George, what shenanigans got thrown your way? All right, so I talked to you about
00:44:34
Speaker
Let's talk about demos, right? They're really important. They're really important to a sales cycle. And it's just like, you know, we all have to deal with demos any given week. I'm probably seeing at least two or three of them. Most of which, you know, I'm usually just curious what's going on. And that technology provider knows that, oh, hey, they might not be, you know, kicking our tires now. They might not be looking to sell anything now or buy anything, I should say.
00:45:01
Speaker
But they want to build that relationship. They put on a good demo and they know six months or a year from now, I might call them up. That's that's the way the game works. Some sales cycles along like that. But if you are invited to provide a demo, when you know when the prospect has told you, hey,
00:45:21
Speaker
I'm evaluating suppliers for finalist spots for a comparative POC for something we want to buy this year. And you are a fairly big player in the game and it's a fairly expensive component that you sell. Maybe just fucking maybe put your best foot forward for that fucking demo. Maybe, maybe.
00:45:47
Speaker
show me the thing that I've articulated at OIC. Yeah, from the vendor side, I will say this is the holy grail, right? We are usually optimizing for meetings. Then after meetings is how many demos can we get? How many demos get to open opportunity? And then we chase out the close.
00:46:06
Speaker
But to get a demo about a specific use case and the prospect has indicated, yo, I'm buying this year. Like this is what every vendor wants to hear. Not like, nah, sounds interesting. Then you kind of know, all right, we're going to walk into a general demo, whatever. But I need this thing. Gonna buy it. Yes. Bring the A team. So what did you get instead?
00:46:30
Speaker
I got dog shit, and even worse than that, I had costly dog shit because I brought my security operations manager on the call. I brought my fucking architecture lead on the call. I brought in the people you really want to impress with your shiny tool.
00:46:52
Speaker
It was very clear that we were given a version of a script that they had, and it was very clear that they didn't rehearse it. They didn't really practice what they wanted to feature.
00:47:07
Speaker
really, really odd thing. If you're gonna make someone stare at your fucking GUI for like 45 minutes to an hour, maybe have a GUI that actually, you know, could be intuitive, might actually explain what your, what your display is. Like, again, we're staring at the shared screen being like, all right, cool. So what are these analytics? What is, what is that, what's going on? I just
00:47:32
Speaker
If you're going to get the opportunity, and you get pulled in, and like you said, George, it's the holy grail of a prospecting demo opportunity, like, you know what the use cases are, you know there's potential there, that you're brought in, that you could tangibly make money in a short-term frame. Seriously, put your best foot forward.
00:47:53
Speaker
Not only will I never do business with you again, I have personally gone around and told every one of my CISO friends who's wanted to talk to me about it that these guys are shit. They're not worth your time. Don't look at their technology. And I guarantee you, I've lost them at least probably a good four or 5 million in business just from weaning people away from them.
00:48:16
Speaker
Dude, I don't know if we can do anything that better illustrates the cost of performing poorly than that. I mean, that is a tangible and material dollar amount. So what do I want to say here from the vendor? From the vendor side,
00:48:37
Speaker
There's a whole discipline of sales enablement. We practice, we train. Sometimes you have to certify the sales engineer. Like you're literally not allowed to go do demos until you can prove you can do X, Y, and Z. So to hear that, especially from the shop of this size strikes me as either they're just
00:48:57
Speaker
dialing it in, because they're like, I don't know, mid-market shop, they'll just, but like I said, hubris, I don't know what it is. But either way, you only get a couple of these at-bats, and when you flail so miserably, the cost is not only to you but, as you have said and we have said repeatedly on the show, CISOs talk. Oh my God, it's like so painful to me to hear
00:49:19
Speaker
because I feel like that entire sales team. I will say, though, and this is something that speaks to the bigger problem that we've been talking about with CRO organizations: the person at that organization that got me to agree to the demo, the initial person that actually opened the sale and that impressed me, actually did a good job of actually talking about the product, they got let go the week before, or actually the week of the demo.
00:49:48
Speaker
They got let go for financial reasons, not for performance. So they cut the A team and they're like, put in the stringers. I'm just saying, like, I get it that sales organizations, you guys keep going through these cuts and going through all these job turnovers.
00:50:10
Speaker
it really actually has a consequential impact on your prospect and on your client relationships. Stop that. Stick with the people you show up to dance with. Oh, all right. Well, that does it for another edition of the teardown. I think the lessons are very clear. And we will talk to you next time.
00:50:32
Speaker
That wraps up this episode of Bare Knuckles and Brass Tacks. If you liked this episode, be sure to check out our conversations with Royce Marcos and Eliza Mae Austin, where we also talk about more effective ways to build trust with practitioners. Lastly, if you like the show, if you're getting something out of it, please consider leaving a rating on Spotify or Apple Podcasts. It helps others find us.
00:50:54
Speaker
New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. If you're not, what are you waiting for? Go to wherever you get your podcasts and smash subscribe for a weekly ballistic payload of snark, insight, and laughs. We'll catch you next week, but until then, stay real. This might set a new record for, uh, F-bombs, which I am totally on board with.
00:51:22
Speaker
My mom listens to every episode, and she's like, sometimes I don't understand all of the acronyms. I was like, it's okay, just let it wash over you. She's like, you guys curse a lot. I was like, this is just part of the brand, I'm sorry. I gotta be honest with you, buddy. I've been on enhanced monitoring. We've all been on moderation duty since the Netflix documentary came out last week, so my team's putting in overtime hours moderating shit. We got 30,000 new fucking users a day. I'm like three fucking gins in right now, buddy.