February 24, 2025 35 mins

By exploring the complexities of cybersecurity in a law firm, we gain insight into the unique challenges faced by small teams managing sensitive data. Tim Thornsberry, Director of Information Security at Steptoe & Johnson, shares his experience navigating these waters with limited resources. 

• Introduction of Tim Thornsberry and his role at Steptoe & Johnson  
• The unique cybersecurity challenges faced by law firms  
• Managing threat detection with a small security team  
• Embracing automation and AI in cybersecurity  
• The value of generalist skills versus specialization in cybersecurity  
• Advice for professionals in small security teams  

Thank you for joining us! Feel free to connect with us on social media and share your thoughts.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Augusto Barros (00:04):
Hello and welcome to another episode of SiemTalks, the podcast on many topics around cybersecurity by Securonix. I am your host, Augusto Barros, and today we have Mr. Tim Thornsberry, the Director of Information Security at Steptoe & Johnson. I have many interesting things to discuss with Tim and just for

(00:29):
us to begin, I will ask him to introduce himself and tell us a little more about what Steptoe & Johnson is kind of, what type of business it is and his role in that organization. Hello, Tim.

Tim Thornsberry (00:44):
Hello, good morning.
How are you?

Augusto Barros (00:46):
I am good, so kind of tell us a bit more about Steptoe & Johnson, your role there and kind of what keeps you awake at night there.

Tim Thornsberry (00:56):
So, as you said, I'm Tim Thornsberry, Director of Information Security here at Steptoe & Johnson. I've been with Steptoe a little over three years now. I came on board as just a security analyst and then took over the director role within just the last year.

(01:16):
I've been in the role for a year now, a little over a year. We are a national law firm. We have multiple offices across the United States and we are constantly improving our security. We end up talking to people or organizations like in industries

(01:48):
like financial institutions, healthcare, manufacturing.

Augusto Barros (01:52):
There are very often in the news when we see breaches on all this stuff or kind of when we think about potential threat campaigns or anything. Right, of course, when we immediately think about banks, right, kind of the cyber criminals trying to get money, right, kind of fraudulent transactions from a bank or kind of stealing kind of huge amounts of kind of private

(02:14):
information from healthcare insurance companies, for example. But I'm curious about the cybersecurity environment and the challenges in a law firm. So what would be normally kind of the major concerns, kind of the threat models that you have to keep in mind when protecting

(02:38):
kind of a law firm?

Tim Thornsberry (02:40):
So, well, that right there is kind of what keeps me up at night. Working for a law firm, we have multiple practices handling multiple types of data, so adhering to all the standards and guidelines and stuff like that is a challenge because we handle so much.

(03:00):
So that would be the challenge. Yeah, we're not limited to just financial data or HIPAA information. We kind of spread it across all areas.

Augusto Barros (03:15):
Perfect. And one thing that I often notice about law firms, and even the large ones like Steptoe, I think that you have almost 20 offices around the country, right, and usually kind of for law firms, kind of say, the IT footprint is not as large as when you look at some of the other industries that I

(03:38):
mentioned before. Right, it's a more lean presence, let's say kind of from the internet point of view and kind of how much technology is used as part of the business, and that naturally points to smaller security teams than kind of some of these other industries. So I wonder is this additional challenge for you, right? To have

(04:01):
to keep up in terms of cybersecurity efforts and managing risk with a small cybersecurity team?

Tim Thornsberry (04:10):
Yes, for example, like when I came on board, I was the first security analyst to come on board. The role of cybersecurity was kind of spread throughout the IT department so they realized that they needed to adapt and grow. So we are constantly doing that.

(04:31):
I brought on another security analyst to help me grow it and, of course, the assistance of the Securonix SIEM. It is a challenge being small, but I think leadership and the culture is starting to realize that no one is safe in the

(04:53):
cybersecurity realm, so they need to do a better job of managing it and providing the right resources to do that. Perfect.

Augusto Barros (05:06):
And one thing I noticed with organizations that usually would have a more lean IT environment is that they often rely heavily on managed security service providers, especially for the threat detection and response part, like on security monitoring et cetera. And as far as I understand, you've been doing or you've been running that practice internally, right?

Tim Thornsberry (05:27):
Right, we do use some managed service providers, but of course with that managed part you know the cost starts to climb. So you kind of got to balance that act between how much you

(05:48):
want to manage cybersecurity-wise or IT-wise in general and how much you would like to bring in-house. So it's not always feasible to go to the managed route, but sometimes that's the best option to do it when you're a thin team.

Augusto Barros (05:57):
Right. And when we have many things in-house and with a small team, one of the common barriers is the skill set, because we're looking at governance, risk and compliance, risk management, application security, data classification, security policies, and then we also start getting into the realm of the

(06:20):
technology, so hardening and patch management. Then when you look kind of on the core of what I normally kind of pay attention to, right, kind of due to where Securonix is, the threat detection, investigation and response part, right, so it is a very diverse and broad skill set required to cover all the bases, right, kind of from a cybersecurity point of

(06:41):
view. How do you manage that? I imagine that there are probably two routes to do it. I think one is really relying more on service providers, so you can offload some of those functions you do not have that skillset to the service provider. Or then there is the alternative of having very

(07:04):
capable resources, right, kind of that have kind of a very broad skillset and to cover all those bases. But that type of resource is not very easy to find in the market, right? And when you find people with that kind of skillset, they can be quite expensive, right? So how do you handle that challenge?

Tim Thornsberry (07:25):
You're exactly right. Skill set is a challenge because I would say my background is more the broad scope of things. I wouldn't say I'm specialized more in one thing than the other. Also for my fellow teammate. So maintaining the knowledge base and stuff like that is

(07:49):
continuous. It never stops. It's always changing as well, so it makes it even more difficult to keep up with it. But we still employ or not employ, but task out some help with our networking side and stuff like that. But it is for us a group effort to ensure our overall IT

(08:16):
infrastructure and compliance. Yeah, the training is ongoing. I would like to have specialized people but you know, once you start getting specialized then you start going down a narrow pathway and they only do certain tasks. So for us, being a small team, having a broad skill set is

(08:41):
invaluable for us.

Augusto Barros (08:42):
So yeah, and it is interesting to see that, right, because we very often see debates about cybersecurity careers, right, and sometimes I believe the professionals have the impression that they need to specialize, right, or to get very deep into certain areas, right, of the cybersecurity realm kind

(09:03):
of very quickly to allow them to have a fast and probably a sustained career progression. But there's still a lot of room for generalists, and I think the organizations and probably the profile of your group, for example, it's a perfect example of that. A generalist is very important because you have to cover

(09:27):
multiple bases and there's no point of having someone that is highly specialized in disassembling or reverse engineering Android malware if you still need to look at all those other things like patch management and the security policies and so on. You need more of a broad coverage than actually kind of a deep one.

(09:47):
But what happens if you need kind of that deeper view, right? How do you prepare to handle situations where you may need, for example, a deeper investigation, more advanced skills in incident response or investigation, for example?

(10:07):
How do you handle those situations?
Tim Thornsberry (10:12):
Well, if they, for example, if they were needed in like an expedited fashion, we would probably outsource to many of the reputable vendors or anything like that to bring on that specialized skill set for the duration of it. If it's more of a planning phase approach, we would
(10:35):
probably provide the resources to get the proper training to not necessarily direct someone down a focused skill set path, but to bring that knowledge onto their general basis. Yeah, so we would try to find the resources depending on the situation.

(10:55):
It doesn't always work like that. Sometimes you're learning on the fly, but it is what it is.

Augusto Barros (11:03):
Let me try to bring the conversation now to a little closer to the SIEM space, because one of the things that I find interesting is seeing a SIEM being used by an internal security group and have a very small number of resources. Very often we have conversations where we say that

(11:24):
you need a lot of people to run and properly get value from a SIEM. But I think on your case you have a small team and you're getting value from it. So what is the secret? How you can get value from a complex security component like a SIEM with a small number of resources?

Tim Thornsberry (11:44):
My best example would be find something that has a lot to offer out the box. It might not be everything you need or it might be overkill of what you need, but something that you don't have to spend

(12:05):
countless hours on worrying about the implementation and the setup. Something you want to look for, something with a small team. You want to look for something that you can manage more efficiently and fine tune, rather than going through the whole setup process. Because, like you said, some require tons

(12:26):
of resources and there's others that are pretty much plug and play and you're more worried or concerned about the fine tuning and adjusting it to your organization rather than a full scale build of it. It makes it easier when you find what fits your organization

(12:47):
best.

Augusto Barros (12:48):
Perfect, yeah, and that's a very good point, because I remember having conversations about SIEM with professionals right out of another field, other industries and larger organizations, and many times they will tell me I don't care about the out-of-the-box content that comes from the SIEM, right, or the content that the vendor provides. The first thing we do here, when we got the SIEM in, is to

(13:11):
disable everything or remove everything and start our dashboards from scratch, build our own content, et cetera, but that requires a lot of effort to go to-.

Tim Thornsberry (13:20):
Yeah, they're gonna be.
They must have the resources to handle that.

Augusto Barros (13:27):
Right, right. But then you look, right, and now I'm talking to someone in our organization where that out-of-the-box content is actually what enables you to get value from the solution. So it is interesting to see how there are such diverse expectations, right, kind of, from the solution and of course I can see how some organizations will opt for different products

(13:49):
depending on their needs. From the automation side, I think since I started tracking SIEM, we had some basic automation that was part of the solutions, and then we saw the convergence with UEBA and then later we start seeing the convergence with SOAR.

(14:10):
I believe that at that point the SIEMs started to become more capable of automation, kind of taking actions after a certain condition or a certain incident kind of happens or a certain type of alert. So for your specific environment, how much automation helps you managing kind of threats in a way that doesn't

(14:34):
require you to increase the number of resources?

Tim Thornsberry (14:39):
Yeah, so greatly, I would say the automation component of it greatly assists in the overall managing of it, like I said. Well, as most people or as everyone in the cybersecurity field says, don't stick with the out-of-the-box stuff. Uh, always change up settings and stuff like that and you do

(15:04):
once with that out-of-the-box stuff. It gives you that baseline to work with, the automation baseline to work with. You don't have to worry about building rule sets, you just got to worry about fine-tuning them. The automation piece of it is great and everyone's throwing AI

(15:25):
out there nowadays and it is beneficial in assisting with that automation. So I can't still fully trust it yet, as we've been seeing with the news articles of the recent new AI that just came out. But yeah, automation is a great help, especially when you don't

(15:45):
have like a designated SOC to sit there and just look at it non-stop. So perfect.

Augusto Barros (15:54):
Yeah, and I think we. I think we reached that record in the podcast that we touched the AI topic in 15 minutes in. I think this is the record. I believe it's been all over the news, the last couple of days. I know I'm normally going to try to bring that later because it usually hijacks the conversation. I mean, we spend all the time with that. But now that we are there already, let me get in. From a

(16:16):
threat point of view, how do you think that AI will affect the threat scenario that you have to deal with at Steptoe & Johnson?

Tim Thornsberry (16:27):
Well, from utilizing AI for a cybersecurity standpoint, I think it can increase the speed of correlation and potentially reduce the risk of false positives and stuff like that. From an outside perspective, worrying about AI, it's the unknown, it's the lack of knowledge for the end users

(16:51):
using it, the potential for data leakage and stuff like that. So it's a double-edged sword right now, I would say.

Augusto Barros (16:59):
Right, yeah, we, I can. We've been seeing multiple reports, right, of kind of AI being used by threat actors. There's still a lot of say, expectations that kind of these technologies will be used by threat actors in certain manners. Some of the most concerned professionals or researchers will say, oh, they already using it is now in full blown mode.

(17:21):
I am probably kind of one of the more conservative ones. Yes, right, if you're looking to generating kind of some good phishing content using deepfakes, kind of for identity hijacking, right, and kind of trying to do the social engineering with AI technologies like that, I think, yes, that's already something that is becoming common.

(17:42):
But when you look into, for example, using AI to find new vulnerabilities or AI to control the flow of an attack, I think that's still something that it's probably possible. We're probably going to see that, but it's still far from becoming kind of a day-to-day concern. Now, one thing that you mentioned I think that's

(18:04):
probably kind of more it's closer to our day-to-day headaches, right, that is the use of certain AI technologies by users, then the data leakage and so on. How do you see a security group like yours going to try to

(18:24):
control or prevent data leakage by users trying to use those tools in their day-to-day? I think it is very close to when we start seeing cloud things and even the Google Office type of thing and then kind of Microsoft kind of moving also kind of to Microsoft 365, suddenly, kind of all our kind of Office tools kind of went out

(18:45):
to the cloud. So those that were concerned about data going to the cloud, right, kind of they suddenly got desperate, right, because now, kind of the tool set that you use to generate, to manipulate et cetera, data is in the cloud. So it's very hard to keep things entirely contained in your own kind of physical environment.

(19:06):
But we are experimenting the same thing with AI, right. So how, with the lessons learned from the cloud push from the past, how can we, kind of a group like yours, try to better control the flow of information to?

Tim Thornsberry (19:23):
those systems. I would say the ultimate challenge with using AI is how do you control it or contain it, and understanding what you're putting into it, how it's being used, and I think that starts with the end users. For us, it's end user understanding, training, having

(19:47):
good procedures in place on how people use it, policies, stuff like that, but ultimately it boils down to what's the AI doing with your information when you put it in there. There are some emerging AI companies out there that are

(20:07):
providing containerized AI or giving you the option to manage how your data or what how it uses your data to learn, if you want it to use your data to learn and make it public or whatnot like that.

Augusto Barros (20:24):
Like I said, it ultimately boils down to how do you control it or how do you manage it, and I think that aspect of it is growing and getting better, and I can see, right, kind of from the law firm side, we're soon going to start seeing the agentic AI

(20:46):
capabilities trying to be used kind of to build like lawyer assistants, right, kind of, that will work, right, kind of on behalf of lawyers and clerks and so on. So are you prepared, right? 'Cause you're having kind of that small army of agentic AI on your side, kind of getting access to documents and sensitive content and working kind of as, right,

(21:10):
kind of in a similar way as people in the office, and then you are having to figure out kind of what is it doing, kind of where the information is going to, et cetera. Right, it seems like kind of almost like a nightmare scenario for a security organization.

Tim Thornsberry (21:25):
It is. It is. Like right now we're limiting the use of it. We're exploring options, network security and endpoint security, restricting what they have access to, trying to just limit that exposure. We are, like I said, exploring options.

(21:47):
I would say it's in its initial phases for 2025, but, like I said, it all boils back down to ensuring there's a good understanding of what AI is and what it's capable of and, ultimately, how it's used.

Augusto Barros (22:08):
Right, yeah, fun times ahead for sure. Like it's becoming more prominent.

Tim Thornsberry (22:19):
So it's one of those things you either get out ahead of it now or you're going to be behind the curve.

Augusto Barros (22:25):
It may not be the case that kind of things are happening right now, but they will happen soon, right? So we need to work in advance so we are prepared when they happen, right?

Tim Thornsberry (22:34):
Correct.

Augusto Barros (22:37):
Tim, let me ask you, I think I have a standard question, right, kind of for all the guests here at the podcast. We very often look into cybersecurity and we are pretty good in finding things that are not working or not doing what we would expect them to do, blame users or blame certain pieces of

(22:58):
technology, etc. But what I like to ask is what is working? If I had to ask you what do you think the cybersecurity community or the cybersecurity industry currently does well, what would you point as what we are successful at? What do you become good at in cybersecurity?

Tim Thornsberry (23:19):
As a tool set or knowledge skill set.

Augusto Barros (23:23):
It can be any. You can see a process, a practice or maybe even a class of tool or solution, but where do you think we are doing?

Tim Thornsberry (23:32):
Well, so EDR is great, I'd say. One place to improve, because it kind of goes along with the AI and stuff like that, is email security, but I would say that's one area that can improve. The phishing campaigns are getting more sophisticated and

(23:57):
one thing that we've been seeing as a challenge that I'd like to see get better is the use of reputable domains and stuff being used for malicious reasons, and that's a hard thing to stop with email security right now.

Augusto Barros (24:15):
Right, but I think you are pointing to things that we have to improve, right. But if you had to point to something that you believe, oh, we are in a good state or we're doing a good job, right, what would that be?

Tim Thornsberry (24:26):
I would say endpoint detection.

Augusto Barros (24:28):
Endpoint detection.

Tim Thornsberry (24:29):
Right, yeah. With things constantly changing and evolving, I feel it's in a good state and it's doing a wonderful job at preventing a lot of stuff.

Augusto Barros (24:43):
And you know it is from an historical perspective. It's very nice to see it because about, let's say, probably about 10 years ago, right, we were in a stage where if we had to ask where endpoint security was, the responses wouldn't be good. Right, there was a time where the solutions that we were using

(25:04):
were probably going to be referred to as antivirus, right, or anti-malware, or Gartner will call, right, the endpoint protection platforms. But we were not happy with them. Right, they were getting bloated by adding a lot of things like kind of, oh, device, like a removable device management, and personal firewall, anti-spyware, all those things, and malware
(25:29):
was still kind of quite successful in getting in, right, kind of the endpoints and executing and kind of elevating privileges and doing whatever, right, kind of malware was trying to do at that time. Then we started seeing the emergence of the EDR technologies, almost like kind of a bandaid to try to address things that the endpoint security tools were not doing.

(25:51):
And we after that, right, that EDR starts to become so strong as a component of your cybersecurity architecture that the end of ended up becoming incorporated again into those big endpoint security packages, but it improved them in a way that today, like you're saying, we have the perception that we

(26:12):
are doing a good job on the endpoint security. So it's very interesting to see, right, on these let's say 10, 15 years time maybe how our expectations or our reality in endpoint security have changed in this way where we now see it doing a far better job than it was doing before.

(26:34):
Right.

Tim Thornsberry (26:34):
Yeah, and I'll just put a thought out there, just something to consider, maybe get some feedback on. I think endpoint is a great tool, or endpoint detection, but now that we're moving to the cloud and things are not being done so much on endpoints, how is that shaping up for endpoint

(26:56):
detection?

Augusto Barros (26:57):
Yeah, that's curious, right? Because every time they start getting good at something we move away from that thing, right? You know, I remember I was at Gartner at that time when the pandemic hit us, right, and I would have calls with companies that were just finishing or kind of working through their implementation of network detection and response or
(27:18):
network traffic analytics things, and they said, well, okay, what should we do now? I said, well, do you have anyone working in your office? And I said no. So what type of traffic are you monitoring with these things? And there was nothing, because suddenly, kind of all the traffic that those devices, those technologies, were supposed to monitor was now outside the environment where those technologies were deployed.

(27:39):
So it was kind of a sad situation where they had gone through all the effort of putting that instrumentation in and then the traffic was not there anymore. The traffic moved somewhere else. And I think what you described about the endpoint is similar. You may not have endpoints to install EDR anymore and I think

(28:04):
and that kind of may even kind of sound like in my commercial plug for Securonix, but I think that applies to any SIEM. That's why SIEMs are still out there and strong, because the SIEM is almost immune to these changes. Of course we need to be able to ingest data from new telemetry

(28:24):
sources et cetera. EDR, for example, became one of the most common data sources for SIEM, but the SIEM, because of its nature of being neutral, right, to environments et cetera, every time that you have a shift like this, as long as you're able to direct the telemetry from those new environments, new technologies, to the SIEM, you

(28:45):
are still able to have a certain level of monitoring, a certain level of threat detection capability being done by the SIEM, right. So what do you think about kind of that, right, the SIEM role, considering all these changes, kind of in where the data is, where the users are working on, etc.

Tim Thornsberry (29:05):
Yeah, now everything is shifting to. They call it cloud security now. So feeding the SIEM with the cloud security is extremely beneficial. Yeah, because it's that single pane of glass and now you're feeding this in with EDR cloud security and it's correlating

(29:27):
those events. So, yeah, it's extremely beneficial.

Augusto Barros (29:33):
You mentioned the single pane of glass. I think for so many times some vendors are going to try to sell that idea that it became almost like something bad to say. If you say, oh, we want to become the single pane of glass, you see the customer rolling their eyes, but I think the SIEM remains as a foundational component of cybersecurity

(29:56):
architectures. What is actually? It is, if not the single pane of glass, it is the main pane of glass for most organizations out there and I think that's why we end up seeing this stickiness factor where, as I say, SIEM refuses to die. It may evolve a lot, but I think its role as the main pane

(30:17):
of glass and this very strong data gravity it has, like kind of organic signals from all over the place, it ends up being making kind of it kind of a very important component of secure architectures. Yeah, and especially with small teams.

Tim Thornsberry (30:31):
Some people, some organizations have the resources to set someone in front of their EDR console or their SIEM console or you know whatever other security console they may be using, network, whatever. But for a small team who handle multiple roles and tasks and

(30:52):
projects, if you have that one place that you can go to to at least start looking, it's a huge benefit, because then it drastically reduces your time from switching to multiple consoles trying to correlate events and stuff like that. So for a small team, I'd say extremely beneficial, but for

(31:15):
the larger ones, if they have the resources you know it's endless for them. Perfect.

Augusto Barros (31:24):
So, Tim, we're getting close here to our time. I want to first kind of thank you again for joining us here on the podcast. But I also want to ask you the final question here. Can I afford other people just getting in their jobs, kind of as in charge for very small to very small security teams? Sometimes it's a single job, it's a single person job kind of

(31:47):
in many places out there. So if you could give just one piece of advice for them, what would that be?

Tim Thornsberry (31:55):
Oh boy. If they're just getting into cybersecurity, I'd say learn as much as possible. If they're already established, go into an organization with an open mind. Don't go in with the mindset, oh, I'm going to change everything that's already in place to improve it or establish it.

(32:19):
Learn the organization, learn the current infrastructure, their security posture and get that base, foundational knowledge of it, and then find the gaps and then start

(32:43):
improving from there. If you go in with the idea of a full-sale change, it's not always met with the best intentions. Having an open mind and having a good understanding.

Augusto Barros (32:53):
Right, yeah, I think that's kind of quite important and I think, especially the people that are probably in their early stages of their career in cybersecurity, is sometimes they are so focused on cybersecurity itself that it's almost like they're trying to make the organization work for security, while in truth, right, and it's the other

(33:16):
way around, right, and we are enabling the business. We're not trying to make the business be a cybersecurity organization, right, kind of we want to be, and that's kind of probably kind of where many people have difficulty in understanding. Like we want to be invisible. If we could be fully invisible and transparent, right, and people do not realize that we are there, that would be the

(33:39):
ideal work. Right, kind of protecting the organization without them realizing we are there. We know that's not possible. Sometimes our controls will be or will bring a certain level of disruption, but I think that's the beauty of thing, right, kind of trying to do things being the least, bringing the least possible disruption or friction to the business, while kind of keeping risks under control.

Tim Thornsberry (34:08):
Yeah, and you don't have to try to reinvent the wheel. The frameworks and the policies may be in place or they might be lacking some. So, yeah, you got to understand where those gaps are and work from there instead of, oh, we're tearing everything down and we're going to build it back up.

Augusto Barros (34:22):
That's right, Tim. I'd like to thank you again for coming to the podcast. It was a really kind of fun conversation. Thank you, I hope to have you here again sometime.

Tim Thornsberry (34:33):
Yes, thank you for having me.
I appreciate it.

Augusto Barros (34:35):
All right, and let's keep having fun. Cyber security is hard, but it's fun, right?

Tim Thornsberry (34:45):
Very much so.

Augusto Barros (34:46):
It's an ever-evolving world and it never gets stagnant. Perfect. Okay. Thank you, Tim. Thanks everyone for listening and stay tuned for the next episode of Simple Talks. Thank you.