October 29, 2024 53 mins

In this engaging conversation, Robert Vescio shares his unique journey from horticulture to cybersecurity, emphasizing the importance of economics in understanding cyber risk. The discussion highlights the value of learning from mistakes, the need for transparency in cyber risk management, and the cultural challenges within the cybersecurity field. Vescio advocates for a compassionate approach to cybersecurity, encouraging professionals to embrace failure as a learning opportunity. He also introduces X Analytics, a platform designed to simplify cyber risk management and provide organizations with a clear understanding of their cyber risk condition.

Chapters

00:00 Navigating the Conference Landscape
02:53 From Horticulture to Cybersecurity: A Unique Journey
06:09 The Importance of Economics in Cybersecurity
09:00 Learning Through Mistakes: A Personal Journey
12:05 The Culture of Mistakes in Cybersecurity
14:54 The Need for Transparency in Cyber Risk
18:06 The Role of Boldness in Career Growth
21:14 Embracing Failure: Lessons from NASA
24:00 Understanding Cyber Risk Management
26:58 The Impact of Cyber Incidents on Businesses
30:01 The Importance of Compassion in Cybersecurity
33:13 X Analytics: Simplifying Cyber Risk Management


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going, Robert? It's great to get you on the podcast. We've been working towards getting this thing scheduled for quite some time now. At this point, I'm really excited for our conversation.

Speaker 2 (00:10):
Same same.

Speaker 1 (00:11):
Sorry, it's taken a few attempts to get here, but glad we finally made it people to do like hour long calls like this during the summer because, like all of our conferences kick off you know April, May timeframe and they go all summer

(00:31):
long, especially if you start doing like B-Sides conferences and everything else right, like that's all the time.

Speaker 2 (00:39):
It's uh do you enjoy the conference?

Speaker 1 (00:43):
thing, you know DEF CON, right, I don't like all the vendor stuff. All the vendor stuff. You're just getting sold all day long and it's really frustrating. So I'd rather go to like DEF CON or a B-Sides conference. You know something that's way less vendory Substance You're

(01:04):
looking for the substance, right yeah. Yeah, I'm not looking to be sold something. You know I went to RSA a couple of years ago and I hope I never go back.

Speaker 2 (01:13):
Yeah, I haven't been to an RSA conference since, uh, the last one was before COVID happened and uh, honestly I gotta say I don't miss it at all.

Speaker 1 (01:23):
But honestly, I got to say I don't miss it at all. Yeah, I went to the one. I think it was like the one in 2021, right when they came back from COVID or whatever, and it was like a super spreader event. Like you know, I only walked the vendor floor maybe two times and I was done Like one day I did half of the room and then

(01:46):
the next day I did the other half of the room, and it was just, it was just pointless for me to be there.

Speaker 2 (01:52):
honestly, yeah, I've always found the best times at RSA are when you get people to meet you at places outside of the Moscone Center. You know you can get into me, like a cool coffee shop or one of the hotel lounges. I just always felt that that was where the real action happened at RSA.

Speaker 1 (02:11):
Yeah, yeah, that's what I would prefer, honestly, right, like, if I'm going to make the trip out to California, I already don't like going there. Right, like, might as well, like, show me around a little bit, you know, take me to a restaurant or something. I don't want to meet you at the conference room, you know. Right, right, because I think it provides a lot of value for

(02:54):
people to hear everyone's background and say, maybe I have a similar background, right, and if he did it, maybe I can do it too, right, so what does that look like for you? Yeah?
Yeah?

Speaker 2 (03:04):
So you know, my background in the cyber is a strange one. I started off as a horticulturalist out of all things right which is plants, if you're not familiar and when I graduated I started working for an environmental company that was doing a lot of irrigation systems in Southern California, San Diego mainly and they were in the process of moving all the

(03:26):
irrigation systems from analog to digital. So, of course, being one of the fresh guys out of college, they were like hey, can we send you to some computer classes to learn how to make these swaps on our behalf? And so I just kind of fell into technology. You know, a lot of my training in college was in the field of science, obviously, but there was a lot of design aspects,

(03:49):
which, surprisingly, has led into where I'm at today. Right, so from those initial technology classes that I was jumping into in the mid-90s to where we are today, I have found that I continue to pull back on things that I learned in college, like in the School of Agriculture. I went to Virginia Tech. Horticulture is in the School of Agriculture. You have to spend a lot of time in economics classes, because

(04:12):
small business finance economics is a big part of agriculture and you have to understand how that works. So a lot of the economic principles I've applied into the job that I have now and what we do at X Analytics. So it's actually worked out in a really sort of strange way. You could never sort of predict this path, but even the way like viruses propagate isn't too dissimilar.

(04:33):
How plants propagate right the way that viruses work in the plant system isn't uncommon. How viruses work in the computer systems. So there's all these strange correlations that I have found from where I started to where I'm at today that you know again, you can never sort of plan a path like this, but I have found to take advantage of every little bit of knowledge that I

(04:55):
have and combine it in a unique way that really sort of created the career that I have in front of me.

Speaker 1 (05:02):
That's really fascinating. You know I've done over 200 episodes and horticulture is not one of those backgrounds that I've gotten. You know I've had opera singers on. I've had, you know, cyberwarfare mercenaries on Musicians, probably, right, yeah, yeah, it's really interesting. You know, you said that when you were in school, right,

(05:25):
studying horticulture, you had to study economics as well. Is that because maybe the industry in horticulture or agriculture overall is more small business focused? Right, like, you're not going to go work for. You know a really large company, right, like here in technology, you can go work for Apple or Google. You know a household large company right, like here in

(05:46):
technology, you can go work for Apple or Google. You know a household name worldwide, right, but maybe in that industry it's more common to go the small business route. Is that like what it is, or is there another reason behind it? I think that's part of it.

Speaker 2 (06:00):
You know, Virginia Tech is one of the few land-grant universities in the country. That's where I went to school. Virginia Tech and Virginia Tech's really built on the foundation of many of the founding fathers of our country, and something that I think a lot of people don't understand about the founding fathers is that many of them were part of

(06:20):
this Enlightenment philosophy Even Catherine the Great of Russia, right, she was in this enlightenment philosophy, which was to intersect science, technology, math and the arts together and Virginia Tech. In order to graduate, at least at the time that I graduated, they wanted to make sure that you were well-rounded by the time you completed your four-year degree, and so that

(06:43):
well-roundedness include that you had to be part of the arts, you had to be part of science, you had to be part of technology, you had to be part of mathematics and obviously for me in my field, some of the mathematics led directly into economic classes micro and macroeconomics, but I think on the big picture too, if you also think about agriculture

(07:05):
agriculture, especially you live in Chicago, right? Agriculture has been something that's been traded on the Chicago stock exchange for a long time, and so I just think there's a direct association between how agriculture works and how the stock market works. And obviously you're right, a lot of at least historically, a

(07:25):
lot of the farms, a lot of the horticulture businesses, the nurseries, were small businesses. Today that's changed a lot. Right, they're part of megacorporations, but back in that time, absolutely, they were part of small businesses. So, having that foundation in finance, having that foundation, understanding how to balance the books in an organization, pay your liabilities, but then also weaving it all into the

(07:46):
bigger picture of macro and microeconomics which is something that was part of the philosophy of Virginia Tech at the time I hope it's still there. I have a strange feeling it's probably not there anymore, but I hope it's still there.

Speaker 1 (07:58):
Yeah, I really feel like everyone should take some economics classes. You know either in high school or you know in college, right like, because that that information is so much more valuable than like learning. You know how to write a paper in English class, like I mean

(08:20):
honestly it really is, and that's coming from someone that's getting their PhD right. Like you can learn the things of like how to write a paper properly through a couple, a couple drafts you know you have a patient professor. It's like, oh okay, you need to structure it like this, you need to use this terminology or whatever it might be right. Like you can learn those things really on the fly.

(08:41):
But economics, I find myself, you know, I grew up in a in a poor family, right, I mean, we didn't realize that we were poor, but, you know, looking back on it was like, wow, we were, we were pretty poor and so, like, money wasn't money wasn't discussed. Of like how it works right, how it can work for you and against

(09:02):
you, of how you know these things all, all, all matter Right, and like that. That was the most challenging part for me when I became an adult. I had to, then, you know, learn that right and teach that to myself, and that took me. It took me a couple of years actually to to actually, you

(09:24):
know, learn it how you're supposed to, like, actually know it Like, oh no, this is what a bad loan looks like. You know, my very first. I look back at my first, my first car that I bought Right. I should have I never. Should have leased it. I should have financed it Right. Should put more money down on it Right. Should have accepted the insane interest rate that I got

(09:46):
because it was my first ever car loan and whatnot. All of those things. I had no clue that they were Right.

Speaker 2 (09:56):
But I do feel like you have to learn through those mistakes, and sure you could learn some of that academically, but sometimes I think the best opportunity for learning is the mistakes that we've made. And clearly you've made those mistakes so you probably wouldn't approach a car loan in the same way. You know what I mean, because it stuck are learned in real life, especially in the field that we're both in is that you

(10:18):
can read about something, you can learn about something through a lecture, but until you actually experience it firsthand, I don't think it really sticks you know what. I mean Like it doesn't really resonate in how you make

(10:38):
decisions moving forward.

Speaker 1 (10:40):
Yeah, especially for me. You know how I learn is by doing right, and if I don't, understand that something is is wrong, or you know, like it shouldn't be a certain way, right, I don't, I don't realize it until until I do it. You know, like I think about even like my current, like like

(11:03):
my sports car that I have, right, again, it was a bad situation and I learned, oh, I can't go into it. You know, excited, right, like I have to be a better salesman. When I'm excited about the car, I'm like a closet car guy, you know, and so, like I just like started getting into cars and the guy showed me, you know, the right, like he knew exactly

(11:27):
what he was doing. Obviously he does it for a living, and so it's like I got to learn this lesson again, or I got to learn it a different way, you know, but the same same thing in technology, and there's, there's so many people out there that are afraid to mess up, you know, and like I talk about it on my podcast a lot

(11:47):
right, when I was fresh out of college, I mean I very embarrassingly like destroyed a bank's database of our products. Right, just very inadvertently, very innocently, you know, ran the wrong command, had too high of privileges and permissions that I should have had, right, and I went and destroyed their

(12:09):
database and I'm sitting here like man. I just started this job, I'm about to get fired, like this is terrible, you know? Yeah, but the VP gave me the opportunity to learn through that mistake. He's like well, you know, I hired you because I knew that you would make mistakes, and when you did make them, I knew that you would solve them.

(12:30):
Right, what a great boss, though, right? Right, not many people are going to give you that opportunity, and that's probably why people are so worried about making mistakes now. Right, because they don't want to get fired, but you have to make the mistakes to really learn it.

Speaker 2 (12:49):
This is. This is one of the things that I find fascinating and and for some colleagues, that you and I have that overlap I have these discussions with them and and, uh, I always struggle, especially for somebody that's new at a CSO they don't want to share their findings directly with their boss or bosses, and,

(13:10):
whether that's the CEO or corporate directors or whoever it happens to be, there's this hesitance like well, I know, that's my cyber risk condition, but I really don't want to share it. And I find that to be the strangest thing. It'd be like a CFO saying well, we know what our tax rate is, but I'm not going to share it because there's going to be an

(13:30):
adverse reaction to it. You know, the CFO is just going to share it, right. Or if the sales numbers came in poorly for the quarter, the CFO is just going to share that revenue went down right Because sales numbers came in poorly. It is what it is, and I find it so odd in the world of cyber that there's this hesitation to share the reality of the circumstance.

(13:51):
And I think it gets to what you're saying, where people don't feel like they can make mistakes. By the way, I don't think the cyber risk condition is a mistake of the CSO. But there's this natural sort of like feeling can't share that because it's a reflection of who I am, or I can't make a mistake because it's a reflection of who I am and I think that in itself is a huge mistake in our overall industry.

Speaker 1 (14:14):
Yeah, yeah, it's, it's an unfortunate consequence of I feel like punishing too harshly, right? Right, I feel like punishing too harshly, right? You know? I remember when I was working for a credit bureau and they had the culture on the security team was, you know, if you cause an outage, you're done by the end of the day, right?

(14:36):
There was people that caused outages, you know, in the middle of the night during a change window, sure, and they were let go by the morning. Wow, what about? Like?

Speaker 2 (14:49):
somebody running a vulnerability scan, which is a requirement that could cause an outage. Same.

Speaker 1 (14:56):
Do not let it go down. You know, and that was just the culture, and that was a terrible culture because there was a lot of pressure with it, right. And one day, you know our solution we had just recently upgraded it and our solution created an outage. That was was quick, it was quickly contained, but the

(15:19):
damage was very significant. It took us, you know, a week or so to to actually recover from the damage. That it did Nothing technically went down, but you know, it was in a state where, you know, you're resetting 10,000 service accounts and you're resetting, you know, 40,000 other accounts,

(15:40):
right, and all that sort of stuff. And you know, my intern was the one that made the mistake. It wasn't even a mistake, it was a business as usual test. The product literally had a break in it that we didn't know about. You know, she did the job that she was supposed to do, she did everything that she was supposed to do and it caused this issue,

(16:01):
right, and she was nervous about reporting it because she immediately thought, okay, this is my last day here, I'm not even out of college, this is my last day here, I'm screwed. This is off to a terrible start for my career and my boss, or my boss's boss actually. He tasked me with doing an on-the the spot, like forensic

(16:25):
analysis of what happened who did what? Because his boss was going to say did you fire whoever did it right?

Speaker 2 (16:32):
so that was the first.

Speaker 1 (16:33):
Yeah, that was the first question he was going to get, and so he tasked me with that and I showed the proof that it was her and he started walking away and I had to stop him mid like, literally midstride to you know, firing her, and say, hey, this wasn't her fault. Like this is what happened the product, you know, broke the

(16:54):
product. Let us down, right, this vendor, let us down. It wasn't her fault, she did everything that she normally does. I mean she did it two days ago, right before the upgrade. And but, like, it brings me back because that that culture, that mentality, like really carries forward in a significant way. I remember, when fast forwarding a bit, every time I find like a

(17:18):
glaring vulnerability or a glaring hole in an environment, I now don't really care, right, right, like, if, right, if I, well, I don't care in terms of like telling people about it because I'll, I'll find the issue. And then, like, my CSO will ask me, you know the question well, what did you find?

(17:38):
I was like well, do you want the full detail? You want like a, you know, a cherry-picked version of it? Right, and you know he'll, he'll ask for, like the whole truth and whatnot, and I'll be like, okay, I, I found all of this. You know, I found this stuff that we've been, you know, hiding under the rug, or I found these dead bodies over here, like we need to figure this out. You know, make that sort of thing but, and that's just my

(18:00):
mentality, right, but, but, and that's just my mentality, right. But I know other people that went through that same incident that I went through, and now they're in a situation where they constantly feel under pressure to not mess up.

Speaker 2 (18:13):
Yeah, you know it's a strange thing because I, in the story that you gave, always think does that hold true for other departments in the business? But at the same time, there are mistakes made in marketing,

(18:34):
there are mistakes made in sales, there's mistakes made in product development and product execution, there's mistakes made in how the CFO and the accounting team does their job. And ultimately, it's always to get to the truth, right, it's always to learn from past mistakes and it's always to try to figure out how do we solve our problems and get better. And the reality is that a business is always a series of

(18:55):
problems that need to be solved, right, nothing's perfect in business, all considering the world's changing around you, right, at the same time. And so, you know, I just get this sense that IT and cyber is in this unique position inside of corporations today, where the other departments just kind of operate differently, almost

(19:20):
organically, in a way where they can adapt and maneuver and make mistakes and overcome mistakes. I find it very strange, and so I don't know if it's self-inflicted, you know, as it's a culture thing, or if it's a real thing. And sometimes I think it's self-inflicted, right, it's the culture inside those departments that continue just to perpetuate that, and I'm not so sure that it's that same feeling

(19:42):
sits with the CEO, or sits with the corporate directors of the business, who are risk takers by default, right.

Speaker 1 (19:50):
Yeah, I, you know, I think it is. It's a bit twofold. I think it is the culture within security and the mentality that we're all taught, right. I mean like you're taught. You're taught this not even in school, you're taught it from peers. Right On this side of security, you have to be right every single time, 100 percent of the time, and that one time that

(20:13):
you're not right it could lead to the entire company being breached and us being out of a job. Right, like, having that mentality means that you're having a no-fail mentality, right, and then I kind of go back to, like NASA's mentality of no-fail Right, and what that means for them is, no, we're going to fail.

(20:34):
We're going to fail in controlled ways, right, we're going to fail in as many controlled ways as we possibly can. We're going to think of literally every single thing that can go wrong and we're going to try and prepare for it. And then having you know the coding in a way where I think it's like it's like fault tolerant or error tolerant

(20:56):
coding I mean, it's probably a different term, right, I'm not a developer so I don't know it offhand, but it's this type of coding that, even when errors happen in the code, the critical systems are still running because they're all segmented out and they're so well protected from each other that there's no you know there's no stopping the engine before you want to stop it.

(21:17):
Right, there's no stopping the navigation before you reach your destination or whatnot. And those things, those things all matter. Right, and they're applicable in our world too. Right, because you have to. You have to approach security from the mentality of if this endpoint were to be breached. Well, what's the blast radius of that right?

(21:39):
Are we giving up everything because someone clicked on an email, or are we giving up 1%?

Speaker 2 (21:47):
Yeah, you know, Joe, to dig into that. Take NASA, right. I mean, obviously, if you go to the race to the moon, right, no, red moon, right, John F Kennedy, they made a lot of mistakes. They couldn't get rockets to launch. Unfortunately, astronauts lost their lives in that process through testing, right, but it was, you know.

(22:07):
And then we almost lost Apollo 13 on its mission to the moon. Thankfully they got them back, but there was a lot of mistakes that were made in the race to the moon. But they learned a lot through those mistakes, right. And now you're right, we're in this age of NASA, especially like from the two shuttle explosions right in the 80s, and

(22:30):
I think the last one was in the 90s, where they became really risk adverse. But then, all of a sudden, all the successes and progress and NASA stopped as a result of being risk adverse, Right, Like it had to take a company like SpaceX, Elon Musk, to sort of fuel them and perpetuate them into the future, which even SpaceX was on the verge of disaster because they couldn't

(22:52):
get their rockets to work Right. And so feel that all great things happen through failure. You have to be willing to fail and you know there's all sorts of concepts in engineering like fail fast, right, so that you learn from it. But you know to dig into cyber. I find this interesting because, Joe, I'm not sure if you're familiar with what we do, but we help organizations understand

(23:16):
their cyber risk condition but then, ultimately, we help give them options so that they can decide what to do with that condition. We basically simplify cyber risk management for them. But what I really wanted to get into was that I'm analyzing tons and tons of data on a regular basis related to losses inside of cyber. And you know the losses really aren't that bad.

(23:39):
Sure, nobody wants a loss to happen, right, they don't want a data breach situation or a ransomware situation. But if you really look at the full volume of all things that have happened, it's really not that bad, right. I mean, take the biggest IT outage in the history of IT, which was CrowdStrike this past summer. No outage has ever been as systemic as that outage.

(24:02):
And you know, in the Fortune 1000, just over a quarter percent of the Fortune 1000 were directly impacted by that outage. Of course, you know we hear about Delta, right? They lost half a billion dollars from that outage, but in the big scheme of things, companies continue to go on, right. I mean, think about it Like out of the Fortune 1000, did any of

(24:24):
those 250 or so go out of business because of the CrowdStrike outage? No, they've continued, right, Even CrowdStrike in themselves, themselves who caused the outage. Their stock took a hit, but clearly CrowdStrike's on full recovery mode right now. They'll probably shake this off Two years. We'll be like, oh, whatever happened with that CrowdStrike

(24:45):
outage and we'll be laughing about it, right? Yeah, the largest fines inflicted on data breaches go to Meta, right? Facebook. One of those fines alone was $5 billion. Sure, some companies would be crushed by a $5 billion fine, but Meta continued on, right. The only real damage that I see is happening to small and medium

(25:08):
businesses. Right, when they not the large corporations, but when small and medium businesses have too many events cyber being part of those events that take place together in a short period of time, do they tend to be in a situation where they can't recover? Obviously, is it where you live Lincoln College, Lincoln University right After COVID and then the ransomware incident,

(25:31):
they just had to shut their doors. Right, that was a university that was open for, I think, more than 100 years and just had to shut their doors right. That was a university that was open for, I think, more than 100 years and they had to close their doors right. So you do see those circumstances, but generally it's compounded situations. It's not just the cyber event all by itself. The reason I bring this up is you can fail in cyber Most organizations can fail in cyber, have an incident, deal with the

(25:55):
consequences of it. It's not ideal, right? Sometimes it's bad for shareholders, but you can deal with the consequences of it and continue to move on. It's not detrimental, it's not catastrophic to the business and I think if more people realize that, then maybe this culture that you and I are talking about would start to correct itself.

Speaker 1 (26:15):
Yeah, that is, that's really fascinating, because that culture is very different in, like you said, in other parts of the business. Right, right, I mean for you to be the CEO of really any company. You're, you're, you got like a few screws loose, you know, like talk about sure, about pressure, talk about stress and risk,

(26:38):
you know, yeah, um, and those guys are typically like very, very big risk takers in some ways, you know, and they have to be right, that's the only way a business will survive, because that's how they got there play it safe, you'll just eventually evaporate as a business yeah, that's how they got there, you know, that's the only way, like, and with you know, Elon Musk,

(27:01):
right like, I mean, he has bet everything that he has owned several times over. You know he's. He's not even worried to do it anymore, you know right, which is. It's a lesson that everyone can really learn from.

Speaker 2 (27:16):
I think yeah you know, do you watch Bill Maher at all on HBO? Not very much. You know, I like to tune in, not every week, but every now and again. You know, have a glass of wine on Friday night, tune in just to see what's happening, see what his guests are saying. But he does repeat something quite often on the show where, when people on a show are risk takers, they're taking a chance,

(27:36):
they're being bold, regardless of everybody hates their opinion or not. He always celebrates their boldness and he always says that he believes that for the people that are bold and make bold decisions, it will always work out in the end for them. And and I think there's truth to that statement, you know, like I really do, I think that you know, in general, if you're

(28:00):
bold and determined, you continue to have that motivation to move forward, it will work out for you. It's not, it's the people who give up, it's the people that are afraid of making decisions. That indecision that I think generally leads to dire consequences.

Speaker 1 (28:14):
Yeah, yeah, that is, that's very true. You know, and like when, whenever, you know, whenever people are making like a career change, right, or they're trying to, just for for sake of this, this podcast, you know they're trying to get into cybersecurity from something else. I mean, that takes a level of boldness to think I don't know

(28:35):
anything about this area and I'm going to get into it. You know, like that, that, that really that takes some guts and you're doing it, Joe right, You're doing it.

Speaker 2 (28:45):
You know you started this and now you're doing it and you've done, would you say the other day, like more than 200 episodes already, right? So that's the boldness, right? That's what I'm talking about.

Speaker 1 (28:57):
Yeah, Well, you know, I also look at it. I remember when I was deciding to do the podcast or not, right, I was looking at it from the angle of, well, what happens if I'm like 60 or 70 years old? And I look back, well, I regret not doing it and I thought that I would. You know, because I like connecting with people.

(29:18):
You know me and you like we'll, we'll be talking, you know, fairly regularly, right, Like once a year, like we'll talk and see how each other is doing. Now, without this platform, that wouldn't be possible at all in any way, shape and form, right, Like I would be nervous to even just reach out to you. But now I don't care who I'm reaching out to, I'll reach out

(29:39):
to them, you know, Right right. Which, yeah, I totally would regret it. And I have a personal rule too, where if that answer is yes, I will regret it, then I absolutely must do it and there is nothing that can stop. Same thing with when I was trying to get into security. I thought I could be successful at it.

(30:00):
Right, I didn't know how successful I would be at it, but I knew that if I didn't try I would regret it. And so then, like by default, I literally had to give it everything that I had, and I couldn't stop until I gave everything, and I was. I was just about to stop too, Like I gave it everything that I

(30:21):
had and I was just about to stop.

Speaker 2 (30:22):
And then I go and I get two offers in the same day, like, okay, there's something here, that's the boldness, right, that's what, that's the reward. It just it, just it's kind of like magic, right. It just it works out. It happens. You know, I feel like too, like when you're right at the bottom is when sometimes, the best things happen. Right, like right when you're ready to lose everything or

(30:43):
you're ready to give up, but you just have that little bit of perseverance. I feel like that's always where, like, those amazing things happen, is at that bottom where, like those amazing things happen.

Speaker 1 (30:58):
It's at that bottom.
Yeah, yeah, it's.
It's interesting how I have found that when I go to you know
new levels.
It's like a new level of anxiety too.
Right, like you know, my, my wife and I, we we built our
first house.
Right, this is our first house.
I'm in it right now, our first house.
We built it, which is no small.

Speaker 2 (31:19):
That's a hard thing to do, by the way.

Speaker 1 (31:21):
Yeah, it's no small feat.
I don't think that we really realized that, right, we were
trying to buy but buying didn't really make sense because the
market was so inflated at the time.
Right, because the market was so inflated at the time, right,
you're going to spend $700,000 for literally the house that I
have right now, and then you're going to be spending another
$250,000, fixing it up, making it livable and whatnot.

(31:46):
It just didn't make any sense.
And when we finally moved in here, we obviously reached a new
level together, you know, with, with getting the house and
whatnot.
But then I had like a new level of anxiety, right, like
something I that like crippled me for like a week.
You know, it was just like I'm so nervous I don't know if I can

(32:08):
make this, make this payment.
You know, what did I do here?
Like I'm, I'm a failure just going through all of this stuff
and I had a.
I had to stop myself.
I think I actually had a friend that like stopped me and was
like, hey, you know, like you're fine, it's going to be okay,
it's new, it's different, but you're going to get used to it.
And now you know it's totally different.

(32:29):
Like I'm not even, I'm not even worried about it.
I'm more frustrated that my mailbox is crooked as hell that
I put in than than anything else.

Speaker 2 (32:38):
Right, but you've relaxed into it.
Yeah, yeah, yeah.

Speaker 1 (32:42):
It's going to be uncomfortable in the beginning,
you know, but as you get used to it, as you get used to that
level, um, you know it gets easier.
I think that's something that people forget about, or they
miss often.

Speaker 2 (32:54):
Yeah, it's almost like you have to accept, right
your own reality and and just contend with it for whatever it
is.
Joe, I have a special needs daughter.
She's gonna be 20 on Sunday, by the way, well, and uh, you know
she's one of those kids that, um, after she was, the doctors
are like telling you she's probably not going to make it

(33:16):
Right, and we heard that throughout her childhood.
Of course, the doctors were wrong, but she's with me all the
time.
I take care of her.
She's with me all the time and I get these people who come up
to me and they're like oh, you know, God bless you or you're
such an amazing dad.
I don't even think about it that way.
I think about it as that's my reality and I accepted it very

(33:40):
early on.
I didn't fight with it, I wasn't angry about it and, of
course, like back when Olivia was younger, people would ask
like are you angry?
Do you wish that you knew so you could have aborted the child?
And I'm like, no, like I'm, I'm happy, like this was a gift in
my life, and so I think perspective the point I'm trying

(34:01):
to get to is I think perspective allows us to really
operate in a way that is normal and anxiety free and allows us
to really find the joy and the beauty in the things that we're
doing, like.
I personally love cyber risk, right, I enjoy the things that
we're doing.
Like.
I personally love cyber risk, right.
I enjoy the space that we're in.
I love being a father to Olivia.
I have two other children too, and I love being a father to

(34:21):
them.
It's all different, every one of those circumstances is
different, but I just accept them for what they are and love
them, and it allows me to just operate with a certain amount of
peace and anxiety-free attitude.
That could be totally different if I was full of anxiety, right
Like.
If I was angry and anxiety, then I'm not good to them, I'm

(34:45):
not good at my job, I'm not good to anybody, but interestingly,
there's a lot of people, I think, that focus more on the
negative than the positive, and part of it maybe, is a little
Buddha-like, but you just sort of have to, I think, let go of
the suffering, right like just let go of it, right of.

Speaker 1 (35:21):
oh you know, do you wish that you would have known
that unknown or whatever might have been right?
yeah, it's like you know people are or they're, they're coming
at it from.
I don't know about that unknown in my life.
I don't know how that's going to change me.
I don't know how that's going to change me.
I don't know how that's going to impact everything else around
me.
You know and yeah it's that's a really incredibly tough

(35:42):
situation.
You know, like, like you, you mentioned that.
You know doctors were telling you that.
You know she wasn't going to last very long and whatnot.
And you know, I think back when, when, when my first kid I only
have one kid right now, but when my first kid was born, she
had a pneumothorax right and one of the doctors one of the

(36:03):
doctors I really didn't like.
I didn't trust her.

Speaker 2 (36:06):
I had, I had some, didn't like either of them.
Makes you feel better?

Speaker 1 (36:09):
Yeah, I really did not like her and I met her for
maybe 20 minutes, right, and that was the last time I ever
saw her or spoke to her.
And I mean, like literally, you know, I just tore into this
person because they were, you know, they were treating my kid
almost like a, like an experiment, right, and I'm
sitting here.

(36:29):
I'm like you guys.
You guys literally don't understand who you're dealing
with.
Like I can reverse engineer this thing on the fly.
You can't like, you literally can't tell me that you don't
know when she's going to run out of morphine, for instance.
Right, right, there should be no shortage of morphine in this

(36:51):
room, like I and I literally said, from this day forward, I
expect her to be a bag of morphine until she's discharged
sitting there and if she needs it, she gets it immediately.
Yeah.

Speaker 2 (37:04):
You don't want to see your daughter in pain, right?

Speaker 1 (37:06):
Right, yeah, she's what alive for three days and
she's in, you know, excruciating pain.
And I told you know I guess there was a benefit to what I
went through younger, right, because my sister, my sister,
went through renal failure, right, and I ended up donating
my kidney to her.
She's fine today, she's living a great life and whatnot.

(37:28):
Totally fine, but seeing how, seeing how my mom had to
navigate right this world, as we're not a wealthy family,
we're a poor family, right, my dad actually, in fact, a few
months beforehand, lost his job, you know, and so that was an
extraordinarily stressful time.
But my mom learned, and I learned in return is that, in

(37:52):
that situation, the social worker and the nurse actually
have the most power.
In that situation, right, if you want a doctor removed, if
you want a team removed, or if you want them transferred to
another unit, or whatever it is those two people, they're tasked
with making it happen, no matter what.
And so you know, in this situation, right, when that

(38:13):
doctor was basically trying to use my kid as an experiment, you
know, when it's a relatively minor issue that she was going
through, right, it was a pneumothorax, a little hole in
the lung she had.
You know, she was a little bit early, right, so they just had
to wait for it to heal.
You know it wasn't like anything crazy, but for a new

(38:36):
parent that's extraordinarily stressful.
Scary, yeah, super scary.
That was by far the most scared I've ever been in my life, by a
long shot.
But going through everything that I went through, I just went
to the nurse and I said I don't want that doctor ever seeing my
kid again.
If she's in this room, she's seeing other kids, she's not
allowed to cross this threshold of the room and she's not
allowed to have any input.

(38:56):
And they literally said well, what if she's the only one?
I'm like you better call in someone else.
Like I don't, I don't care, she is not allowed to touch my kid,
she's not allowed to treat my kid, and I was very clear with
them.
I was like I want only these three nurses to be on her
nursing team, right?
So we know the nurse during the day, we know the nurse in the
afternoon, we know the nurse during the day, we know the
nurse in the afternoon, we know the nurse at night.

(39:17):
And that doctor is not allowed.
And it was done right, everything that I requested was
done.
But if I went and started a fight with that doctor.
Now they're going to have problems with me.
You know, and I can't even remember how I got down this
path right, but it's that unknown that you kind of have to
dive into and embrace.

(39:38):
That's when you actually make the real progress.
That's when you actually make the real change in your life and
everyone else's life.

Speaker 2 (39:47):
I agree with that.
If you were to think back on that Joe, that particular doctor,
do you think part of it was attitude like yeah 100.

Speaker 1 (39:58):
Yeah, because she was the only one that was just like
openly smiling at me as she was saying what she was going to do.
You know, like there was like no empathy, right, and I'm
sitting here, I understand you may have a positive personality,
right, but there is six other doctors that see my kid every

(40:21):
single day and none of them approach me in that manner.
Right, like when my sister was sick and she had dozens of
doctors, none of them approached us that way.
Right, it was very serious, concise, to the point, very
exact about what was going on.
There was no questions about what was going on and what was

(40:41):
going to happen.
There was none, right, and it was.
It was totally her, her, her attitude.
Because as soon as, as soon as she approached me from that way,
I was like, oh yeah, she ain't, she is not ready to handle my
kid because she's not ready to handle me, because I am not.
I'm not going to be all like jolly with you, like no, get out

(41:03):
of the room, let the adults.
Let the adults handle it, you know.

Speaker 2 (41:07):
Yeah, yeah, you know, you know it's interesting.
And to tie it back to to cyber, you know, I think this is a this
is part two of like the mistake that a lot of the vendor and
the consulting community makes.
They want to talk at the CSO or they want to talk at the
security people.
And I see some people that are out there that are big voices

(41:28):
and you know they're always like CISOs should get fired for this,
or or they say, like you know, they just need to get in line
and adapt and you know, and I don't think any of that's useful,
I think it's all like that doctor you're referring to,
right, it's just like that sort of like, and they're just
alienating the community, and I think we are in a place where

(41:49):
there needs to be more compassion, right, we're in a
place where there needs to be more of like I'm relating to you
your job sucks, right, like it sucks, it's hard and you know,
mainly you're responsible for a problem that you partially own,
right, lots of other people own the problem and maybe you know,
like, if people learn from your example and approach others in

(42:13):
the field with that sort of grace and empathy, then I think
we would see incredible changes and maybe some of that
frustration and that anxiety that's prominent in our
community would start to go away a little bit.
You know, it's just everybody being a little bit nicer with

(42:36):
each other and relating to each other, and yeah, I'd love to see
that personally yeah, you know it's.

Speaker 1 (42:42):
It's fascinating when you approach in security, when
you approach things from the like customer obsessed mentality.
Yeah, right, you're, you're not looking to get through whatever
the end user is talking about so that you can prescribe them a
solution.
Right, you're not like being solution oriented in that way,

(43:06):
but you're more focused on actually hearing them out.
Right, ask people.
When I'm about to ask something of someone, right, I ask them.
Well, why don't you tell me why it is this way?
Right, because I'm probably missing something here.
You know, why was it like this 20 years ago or whatever?

(43:26):
It is right.
And learning what the decisions were, why they made it, the
evolution of a system or you know a domain and the
environment and whatnot right, coming at it from that
perspective also opens up the recipient of what you're going
to say.
Right, like the recommendations, because there was many times

(43:49):
when there's been many times where people will be very
attached to a system or you know a part of the network that's
critical.
Right, because they feel like, hey, I really contributed to the
success of the IT team here at this company and it's going to,
you know, be like this forever.
Right, well, when you're meeting them in the middle there

(44:09):
and saying, hey, you know, you created a great system, you
created a great environment, like it's top of the line for
sure.
You know, 10 years ago it was top of the line.
Right, now, with different you know, advents of like zero trust
and whatnot, we should restructure it just a little bit,
make it even better.

(44:30):
Right, it's really great.
We're just making it a little bit better and and it fits our
future endeavors right, that's how you approach it.
But if you approach it from the perspective of, oh, you're
wrong.
This is an antiquated technology, you've already lost
them.
You've already lost them.
You're going to entrench them and they're never going to.
Speaker 2 (44:50):
You want to hear a great story.
Over the weekend I was having an issue with one of my websites.
It's hosted on the Wix platform and it was a weird issue I
couldn't figure out, like what was going on.
Normally I can sort of figure those things out and fix them on
my own.
And so I reached out to the support channel, and the support
channel is normally a phone-based channel.
You can get a human on the phone, but on the weekends it's

(45:13):
through messaging, right?
It's a messaging platform and this woman over on the support
team at Wix she picks up and she starts interfacing with them.
She's like by the way, thank you so much for helping me on a
Saturday morning.
And then we just started this nice dialogue back and forth
with each other and it got to a point where she said you know,

(45:34):
Bob, normally I have to elevate this to somebody higher up than
me, but I really want to help you and I think I know how to
help you with your problem and I'm not going to elevate it.
But let's try something.
And so she gave me this thing to try.
She walked me through it step by step.
We got through it.
It actually fixed the problem right, but normally that would
have been escalated to somebody else.

(45:54):
I would have had to wait for somebody else to contact me
later in the day.
But I think that politeness, that polite exchange between the
two of us, a little bit of gratitude.
She was probably like you know what, I'm going to help this guy
and she did and it was great.
My experience with Wix support was outstanding and I just feel

(46:14):
like those little things matter to your point.
You know what I mean.
Those little pleasantries matter.
We're all humans at the end of the day.
We all want to be thanked for the work that we're doing.
We all want to feel good about what we're doing.
One of the reasons I love horticulture is because it has a
lot of instant gratification.
You plant a bunch of plants in a field.
You get to see what you just did.

(46:35):
Right, it looks great, the field's been tilled, you can go
back and see the perfectly straight lines.
So I love instant gratification.
But I think most of us really in general want instant
gratification and the things that we do um and add in some
pleasantries and I think all of a sudden you got this success
thing happening yeah.

Speaker 1 (46:55):
Yeah, absolutely.
Well, you know, Robert, you know I apologize, we didn't
really dive into X Analytics, but why don't you, why don't you
tell my audience, you know, a little bit like an overview of
like what you guys do, what you specialize in, yeah sure, and
how you help other companies?

Speaker 2 (47:12):
Yeah, by the way, Joe, this has been a fun
conversation, so thank you for having me on today.
I really appreciate it.
Yeah, absolutely.
You know, just just summary wise, with X Analytics, I'll
tell you like where, where the idea came from and where we are
today.
So years ago I was in a board meeting for a large bank.
I was assisting the CISO in the board meeting and and for the

(47:35):
stuff that we prepared, you know, we did a great job preparing
the materials, but it was not received well in the board and
it wasn't because they were upset about the information.
They just didn't know what we were talking about, right?
Like clearly, they had no idea what we were talking about, and
so I left that board meeting.
I said, you know, there has to be a better way, there has to be

(47:57):
a way to communicate cyber in a way that people can understand
and a way that they can make sound decisions from.
And so about a year later, I left that job that I had at the
time and joined up with some partners at X Analytics and we
created the concept of X Analytics and the idea was could
we build something that simplifies cyber risk management

(48:18):
and could we build something that allows people, whether
they're novices in cyber or not, to understand what the risk
condition looks like and then where they can make decisions
with ease.
Right, that was the concept, and so we achieved that concept.
We built what we wanted to build.
We continue to iterate it, iterate on that idea as time

(48:38):
goes on and we continue to advance our capabilities.
But fundamentally, that's what X Analytics is.
X Analytics is a cloud-based platform that helps folks
simplify cyber risk management, and the way that we do that is
we have a really simple structure to help them build a
profile for their business.
That profile gets married with back-end data, which is

(49:01):
historical loss data, historical threat data, historical
probability data, and it serves up a really easy-to-understand
concept of their cyber risk condition and they can see if
they're a NIST CSF organization, they can see what the world
looks like in NIST CSF.
If they're CIS CSC the critical security controls they can see

(49:22):
what the world looks like under that context.
But then we take it further and we weave in the elements of
governance.
We weave in the elements of optimized transfer, optimized
mitigation, so that, ultimately, organizations can see that the
decisions that they're making is leading to an improved outcome

(49:43):
in their overall cybersecurity posture and the goal there is to
give the CISOs a pat on the back right.
The CISOs are doing all these wonderful things.
From the very beginning.
They can see those wonderful things by looking at the
difference between inherent risk and residual risk and the
current set that they're in.
But then as time goes on, they continue to show those trend
lines and how those trend lines are improving based on the

(50:05):
wonderful projects that they're implementing within their
organization.
So it's really to serve up not only an honest perspective of
their business but also to make sure that the CSO is getting the
compliments for the hard work that he and she are doing for
the business that they work.

Speaker 1 (50:21):
Wow, yeah, it's really.
It's interesting.
It's like providing context right when, where, where
wouldn't normally be in a very tangible way.

Speaker 2 (50:31):
Yeah, and it's, and it's represented in a financial
lens.
Oh, and that's not the only way you can look at, like how much
of NIST have I achieved?
What is my NIST tier achievement?
Between one and four.
So it serves up other sorts of metrics that they can draw that
perspective.
But the perspective that we do put forward is a financial one,

(50:51):
right?
So they can say my cyber risk problem is equivalent to 1% of
revenue.
Now, is that a big deal?
Maybe, maybe not right, that's unique to every company.
But it allows them to take that understanding and also compare
it to other operational risks inside the business.
So, you know, in this past year, if you're comparing your cyber
condition and it's 1% of revenue, but inflation is 7% of revenue,

(51:13):
well, you're probably going to focus more on inflationary
problems, right?
Going back to the economic stuff that we were talking about, if
you're dealing with a company that has a lot of shoplifting
and if shoplifting is 5% of revenue, well then that's going
to be more important to the business to address shoplifting
than the cyber problem.
On the other hand, if cyber is the thing that is most

(51:33):
significant it's 2%, 3%, 4% of revenue then it allows you to
compare that with the other operational risks, to have a
very honest conversation with the leadership, to say you know
what, maybe we need to invest more in cyber.
It's our number two or number one problem in our company.
How would you guys like us to proceed?
Right, and that's just a very open and honest conversation.

(51:54):
So that's the goal.
Right, is to really sort of simplify it, put it in a
language and a context that everybody in the business can
understand, compare it to other things that are happening in the
business and then ultimately make the right types of
decisions.

Speaker 1 (52:08):
Yeah, it makes a lot of sense.
It's definitely an area that's needed, for sure, in the
industry.
Well, you know, Robert, I really enjoyed our conversation,
but before I let you go, how about you tell my audience you
know where they can find you if they wanted to connect, and then
where they can find your company if they wanted to learn
more?

Speaker 2 (52:25):
Sure, I mean, you can easily find me on LinkedIn,
Robert Vescio.
There might be more than one.
There's a doctor out of Los Angeles that also has a Robert
Vescio name, and there's also an author of children's books.
So there's three of us out there that I know of, but,
Robert Vescio, you'll see me because I'll have the
cybersecurity tag associated with my LinkedIn, and then our
web address is xanalytics.com.
It's x-analytics.com, so we're really easy to find Joe.

(52:50):
This has been an absolutely wonderful conversation.
Thank you so much for having me on today.

Speaker 1 (52:54):
Yeah, absolutely, I really enjoyed it.
I'll definitely have to have you back on you know in the
future.
Absolutely, I look forward to it.
Thank you, Joe, Awesome.
Well, thanks everyone.
I hope you enjoyed this episode.