Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:10):
Welcome back to Simply Solving Cyber.
This is Aaron Pritz, and today we are joined with a few
different guests and I will let George introduce us.
George (00:19):
Welcome to a very
special podcast event.
We've called it the podcast trifecta.
We have in the house and behind the mics, the hosts from Bare
Knuckles and Brass Tacks.
I'm George K with Bare Knuckles.
We have Alan Alford with the Cyber Ranch Podcast, and we have
(00:40):
Aaron Pritz and Cody Rivers of Simply Solving Cyber.
Why are we here?
We are here because we got a bone to pick
with October, also known as Cybersecurity Awareness Month.
So we're going to start with a history lesson.
We're going to air some grievances.
And then we are issuing a challenge to the community.
(01:02):
So stay tuned as we embark on this adventure.
Alan, I'm going to turn it over to you, resident historian.
Catch us up on the origins of Cybersecurity Awareness Month.
Well, if you go to csa.gov slash cybersecurity dash awareness dash month,
you will find out that since 2004, the president of the
(01:25):
United States and Congress have declared the month of October to
be cybersecurity awareness month. The whole premise behind
this, what got it all started was we had a populace in general
who weren't
caught up with cybersecurity needs, right?
And so the idea was the government was going to try to
kind of poke people a little bit and get them, get them heading
down the cybersecurity rabbit hole, if you will, and give them
(01:45):
some basic prompts.
And if you go to that website today, there are in fact, four
basic prompts still there.
And I love them.
Use strong passwords in a password manager, turn on
multi-factor authentication, recognize and report phishing, and update
your software.
Pretty good tips for the novice, pretty good tips to sort of
baseline a cybersecurity posture, if you will.
(02:07):
And so I think the origins of the whole thing are not bad.
I don't think they're bad, they're bad necessarily in their
own right, but I think that what we've seen is an evolution.
And I think we've got, um...
some challenges now with how we approach Cybersecurity Awareness
Month, both as practitioners and as vendors.
Uh, everyone knows I, I've been on both sides of that fence and,
(02:28):
and I don't know if any of us are doing it right.
George, what is your take on this as a practitioner?
Yeah, thanks Alan.
Um, I can, I can tell you this, since I got into this industry
in like 2016, uh, I find it completely insufferable.
And the reason why is because, like, just, you know, real talk
about it, guys, like, there's no awareness month for secure
(02:52):
operations, right?
You're either building a security culture or you're not.
Um, and, you know, it's not just, it's not like Christmas,
it's not Advent, we don't get a calendar, we open a piece of
chocolate every day for like, oh, cool, my password doesn't
suck.
Like, that's not how this thing works.
Um.
I think what it's turned into and actually what it was, even
when I started an industry work in sec ops, um, it's just an
(03:16):
occasion for marketers to have a reason to have a theme to be
extra annoying when they're trying to push pitch.
That's, that's literally what it's an industry to industry
thing, because if you talk to anyone else in like the normal
world of
people who have normal jobs that do things and gives them
calluses in their hands, they don't give a shit about cyber
awareness month.
(03:37):
The fuck does that even mean?
Right?
It's just something that's like weird to us.
Um, and again, you know, like I, I treat it more like it's, it's
the, a Hallmark holiday for cyber sellers, right?
It's like Mother's Day and Father's Day kind of thing,
right?
Which, you know, respect to our moms and pops, it's, yeah, like,
(03:57):
and again, so it's, it's one of those things that I think it
could be done better.
Um, you know, and I was saying, like, the reality is you should
be working to build and reinforce a security first
culture at your organization all year round.
Um, you don't want people to care about their cyber hygiene
for one month of the year and then go back to using 1, as
their passwords for the rest of the year, or just having the
(04:19):
same password across their entire enterprise.
Um, I, I really, I'd be interested to see though what
Aaron and Cody have to say as a former client side
practitioners.
And you guys are now working in the consulting game, whereas I
started in the consulting game and I'm now a client side CISO.
We like to do things backwards.
So, yes.
(04:43):
Awesome.
So a couple of things, I do think that there's some big
opportunities and some big challenges here.
I think, first of all, I agree with you on, and George, I think
this is your, your passion, bailiwick, and I won't steal all
of your thunder on the marketing and sales side.
Absolutely.
It's a usurped holiday for extra spam marketing.
(05:04):
And I don't know that that's the spirit of awareness, which is
not helping cybersecurity people understand the basic commodity
awareness things.
It's to help non educated end users that are not IT people and
not cybersecurity.
If they don't already know the basics to maybe get more
(05:26):
interested in it, but I think we're missing the, get more
interested in it because we're spraying them with
extra phishing messages and extra, you know, before proof
point SaaS awareness tool modules, it's really just not
making that much of a difference.
Now, I will say, let me take a step back when I was on the
(05:47):
practitioner side and, um, I guess was unlucky or lucky
enough to be at a very large Fortune 500 organization that
had a very public insider threat arrest with the FBI.
And, you know, it come to Jesus moment with, uh, the workforce
needing to do something very different than relying on IT
(06:09):
buried in the literal and proverbial basement to quote
unquote, protect them.
Um, so I think for me with a front row seat to that and
trying to drive, okay, how do we make cybersecurity and more
specifically insider threat
something that scientists and marketers and all of them can
(06:29):
play their role.
Cause like my front row seat learning was, Hey, there were
good IT controls in place, systems were locked down insider
threat wise.
You got credentialed people that have legitimate access that are
doing things either and compromising the company.
And the only way to get underneath that is to help
(06:52):
people understand what your crown jewels are
and
how to know if something feels off in an interaction and so on
and so forth.
So bottom line, I guess I was, I'm going to go with lucky
enough to experience that and have a lot of senior leadership
support for doing some really provocative and significant and
(07:13):
avant garde things
in the awareness space that aren't commodity.
So I, I like, I like to joke with clients now on the other
side of the table that I'll never see that level of budget
again.
And I may, and I hope that the companies that we work with
don't get to that same level of budget from the perspectives
that we did, which was we got to throw a lot of money at a
(07:34):
problem.
But we try to, you know, now I try to recreate like, how can
you do it more economically with some innovative methods that
aren't spraying out more white noise?
So I'll leave it at that.
Turn it over to Cody,
who's kind of come from the tech side and, you know, had the
pleasure, I think, of, of joining some kind of big, large
(07:55):
corporation awareness things, and maybe share some of those
tactics or
innovative approaches that aren't the things that I think
Alan, you alluded to that just don't work or, uh, George, a,
you know, things that, you know, are annoying and, and let's
separate the marketing side and George, we'll get back to you on
the marketing side because that's a whole different bone to
pick.
(08:15):
Yeah.
Good.
Yeah, no, absolutely.
And like, we always say like awareness, like done right,
is it's a comprehensive, like year round program.
You know, like you leverage it with other business initiatives
within the business, you know, if you want, if your goal is
going to be cultural change, you've got to involve the
culture and the movement versus to your point, just like
spraying them with, you know, a simple, a simple video or some
(08:38):
phishing or password, you know, but we've seen things like, you
know, building champions programs, getting other, you
know, functional areas involved in the business, getting them
educated.
Um, you know, you see like the character and the branding, you
know, building campaigns that go year round that are going to tie
more into like, you know, infosec initiatives.
But again, getting out of the, the, the fund, the fundamentals
(09:00):
and kind of Aaron's point that the commodity things,
departmental challenges, gamification.
Um, but a lot of those things, you create the intrinsic driver
within the culture, you know, why does this matter to me
outside of at work or at home with grandma with, with cousins?
Um, and that's what we've kind of seen work a lot, a lot
better.
That's, you know, to get that cultural change versus you sign
(09:21):
a check for a piece of software, you know, it's usually a high
number.
You don't see the change you want, the tool goes away, you
spent money, no results, no one's happy, you know, and then
you're kind of left, you know, hold the bag.
Yeah, Alan, I love that there's the federal government
involvement and stay safe online.
But my, you know, the last few years, and I think you pointed
it out, like, it's the same four topics re skinned with a
(09:45):
different variant, but it's phishing, it's basics, it's all
the stuff that is the lowest level.
And I think people,
one, either don't care, that's the stuff that they've got every
month already. You got to hit them with something different.
You got to hit them with something that resonates with
their family or within the job function that they're in.
And they're like, Oh, wow, I get it now.
(10:07):
And, and I think too, we were talking the other day, actually
yesterday about that, but it's like, we'll give you the same
old thing with phishing or ransomware or something, but
nothing on reporting concerns.
So here's all the things that could go wrong, but let's not
tell you what to do
if something happens, who to report it to the company that's
tailored to the organization.
Yeah, the SaaS tool doesn't tell you that out of the box.
(10:27):
That takes a little extra work to like, is it an email box?
Is it a phone number?
Is it a Slack account?
Yeah, it's a comment box in the basement and just fill out a
three by five card.
It's like we're talking now like actions on incident response
processes, like part of security awareness.
If we're going to have a substantive conversation talks
(10:48):
about
what happens when this scenario occurs?
There's an entire industry of TTX now, which part of it, which
is, I think I consider a subset of security awareness training.
And I think the biggest problem I was talking to another CISO a
few days ago, and I was just like, man, are you not finding
that you're spending most of your time really just
reworking and building process problems across the company?
(11:10):
Like we're not even doing like security anymore.
It's now about like, how do we guide different functional
groups to not making a mistake or how do we give them the right
protocol?
So if something happens, they know what to do and they don't
just freak out and not say anything.
Yeah.
Yeah, I love that George.
Go ahead, Alan.
(11:31):
All you.
I was just going to say, I'm deconstructing the phrase
Cybersecurity Awareness Month.
All of us picked on month.
Everybody thought a month ain't enough, right?
All of us agree on cybersecurity, and all of us are
challenging the ideas of awareness and what those might
be, right?
Is awareness simply putting some posters on a wall?
Is awareness marketing spam?
(11:51):
Is awareness that deep seated need to really figure out the
cyber implications of what you're doing, right?
And so, now we're even challenging cybersecurity
itself.
To George's point, I'm a practitioner, right?
I've been a CISO five times.
I find myself very often doing not cybersecurity work as part
of my quote unquote awareness, right?
So, so it's almost like all three of the words in
(12:13):
Cybersecurity Awareness Month aren't hitting the mark anymore.
Right.
Words.
Yeah.
And, and Georgia, I was going to say like the whole, like finding
business challenges, like I've done tons of cybersecurity
technical assessments.
I find very few organizations that are doing business process
assessments, but when we do them, we found that the find
(12:35):
that there's more ahas and more, oh shit.
It doesn't control this risk for me.
I'm handling stuff in PowerPoint and Word and unstructured data.
And it's going over email and it's going over other channels,
mobile devices, chats.
And until you trace the data through a business process and
(12:56):
pick your critical ones, like start at the top of the pyramid,
you are just handling the commodity level stuff.
You're not getting in at the side note, when you review the
business processes, Alan, to your point, you actually add
business value.
I've had assessments where it's like, Hey, did you know that out
of 20 different touch points on this, only five are needed.
(13:16):
And it's never been challenged over years.
Oh crap.
We just saved a million dollars because there's waste.
So like, that's it.
That's like the cybersecurity practitioner's dream.
If you can add dollars and cents values and, you know, fix some
security things, that's a win win, but I think a lot of groups
are born out of IT.
(13:37):
And they're doing IT systems and let's stay in our lane.
Let's stay in our lane.
Go where the risk is.
Go where the data is.
Find your crown jewels.
I'm still surprised that I walk into companies and ask them,
what are they protecting?
And they're like, I can't even articulate the business that
they're in.
Right.
It's crazy to me.
We're, we're, we're talking about ultimately needing more
(13:57):
than cybersecurity, more than awareness, and more than a
month.
Let me ask you guys this then.
How do you define the ROI
on a security awareness training program?
We're back to the ROI on awareness period, right?
And I've got, I've got a rant I've given about this before.
There's a famous blog out there that picks on a certain
demographic of people.
(14:17):
And one of the, one of the subjects of the blog is this
idea of raising awareness that we've all embraced as this big,
critical, meaningful thing.
I can raise awareness about cancer, but that doesn't mean
I'm doing the research to fight it and destroy it.
I'm just selling t shirts and bracelets, right?
And, and there's a certain amount of that for cybersecurity
awareness with me too, that, that we're,
we're talking about it.
(14:39):
We're not doing something about it.
We're talking about it.
And so the ROI on awareness in general, to me, the only
cybersecurity awareness that has a measurable metric that you can
actually demonstrate has an impact to the bottom line is if
you're doing anti phishing training and you're reporting
not on the negative stuff, but on the positive reporting rates.
If I have a thousand fake phish emails come through my shop.
(15:01):
And when I started my awareness campaign, two people clicked a
report and said, Hey, this looks like a phish.
And by the end of that reporting cycle and the end of the
awareness campaign, a hundred people have clicked and said,
it's a phish.
There's some demonstrable progress.
I don't know if there's any other ROI on awareness that I
can point to.
(15:23):
Yeah.
I, we do a lot of metrics and reporting projects in general,
to your point.
I think if you're not measuring everything you're doing and
figuring out if it's working or not, you should stop doing it.
I see a lot of these metrics that we're measuring a lot of
things, but there's no decisions being made on that.
So I think specifically to awareness, every, every
(15:45):
workforce intervention that you're doing, whether it's
champions or, you know, marketing type campaigns that go
out to employees or creative videos that are trying to catch
people's attention, whether it's measuring impressions
or engagement, like are people responding to it if you're
gamifying it with it in department and saying, Hey,
(16:05):
let's pit departments against each other.
Look for the actions we're trying to drive behaviors on and
measure the volume of like, how many times are we doing it?
I think it's not always dollars and cents or ROI from like a CF
what the CFO would be concerned about.
But it's, are you getting the behaviors that you want to see?
(16:26):
And are you, are you sustaining those?
Not like, uh, I just did it once and then I'm going back to my
same old, same old.
Right.
I did my awareness campaign.
I'm going to bed now.
That's right.
Check that box.
CISO is sleeping.
And I, and I would say too, the behavior change from a
standpoint of getting other functions involved.
So with like, with like the champions program, you've got
(16:46):
someone in
finance or operations who before it was like, great.
I have been postsec don't care.
I'm not worried about, you know, our risks.
Once you, you show them from a standpoint, what the crown
jewels are, what risks do they own, there's a lot more aptitude
and a lot more, uh, you know, uh, movement from their side to
be involved and say, okay, if I own this risk, okay, now I'm as
(17:08):
going as an ally to this CISO asking for additional dollars in
budget to help fix the risks that I own InfoSec can resolve.
But I think you get more motivation from the business,
you know, leaders, if they are, if they are educated and aware
of what their crown jewels are, the risks they own and the
threats to those things, you're going to get them, you know, a
little more open to, to talks with the CISO with InfoSec to
(17:30):
address those and, and, and have some movement.
Um, I guess I am the odd one out on this recording.
I am on the vendor side and I feel very seen at the level of
vitriol directed at vendors.
But I wanted to chime in to say, when I got into InfoSec and
(17:55):
people were saying, Oh, we should do something around cyber
security awareness.
I will tell you as the relative outsider, my initial take was,
why would we do that?
Aren't they InfoSec professionals?
Like, why would I try to teach CISOs, the idealized target
buyer who we can debate whether that's true or not, like what
(18:16):
ransomware is like, don't they deal with this shit every day?
Like, I think they're kind of tired of it.
And yet the whole,
uh, competitor Twitter feed at the time it was Twitter was all
of that.
It was like all this one on one stuff.
So to your point, Alan and George, it sort of like mutated
from what would these cybersecurity companies be doing to
(18:38):
basically educate their own families, the general public,
and, and somehow got distorted into like, let's direct that
fire hose at the buyer, even though it literally makes no
sense other than the fact that it has the word cyber in it.
Yeah, George, I would say now on the, you know, we're consulting,
(19:01):
um, and we, we have a pretty big social focus.
Like our thing is like content marketing and give back and like
put some stuff out there that helps others.
But I would say like our, our social media person that
coordinates everything for us, like gave us safe, you know,
stay safe online info.
And it's like, Hey, here's the same stuff.
(19:21):
Let's come up with some stuff.
And I actually, to be honest, after prepping for this
conversation, I'm like, we are not going to give any basic
information.
Now I will say some of our, our followers are small business
leaders and we do some specific programs tailored to that.
So I do think like, depending on the company,
if your target market is a broader audience, that's not a
(19:44):
cyber security professional that's buying your tool, you
know, there may be still some value, but you look at some of
these very large, hard technical tooling companies, and they're
only selling B2B to cyber professionals.
So like, yes, they're not going to influence, you know, Joe,
you know, uh, small business that just happens to be coming
(20:06):
across their feed and like, Oh, I should pay attention.
Right.
So, uh, out of a perverse curiosity,
my question to you all is, can you name, like, the most
annoying or cloying cybersecurity awareness month
marketing that you've gotten?
Has anything stand out in recent memory of, like, why are you
(20:27):
sending this to me?
Can't think of one in particular, but mine is always
like, you know, what's the cost if you don't do it?
Like the age old, you know, fear mongering, do this, or...
You know, or, or, or, or lose your job.
Oh, I got one that, and it's not even just a, for the awareness
(20:47):
month thing.
It happens all year round.
Every once in a while, some marketing person or some BDR
will take a recent breach or compromise that occurred and
basically send you the equivalent of, you don't want
that to happen to you.
Right.
And it's like, I got friends that work there, like, yeah, you
(21:08):
know, that place that's on fire, buy us and you won't be on fire.
Just like, yeah.
By the way, those are my friends burning.
Right.
I love that one.
My, my favorite one of all the cybersecurity awareness month,
specific ones, the bullshit that they send you.
And I get to say bullshit on this show.
I like that.
Um, they send you what looks like a decent free package to
(21:31):
distribute to your users.
In other words, they're not insulting me to see so they know
it's my users we're talking to and they know it's cyberscreen
awareness month.
Here's this great plethora of tips and tricks and then you
actually watch the material, look at the slides or watch the
little video or whatever it is and there's two things wrong.
Number one, they're giving bad advice and number two, it turns
into a hardcore sales pitch at the end.
Oh, the bait and switch.
(21:51):
The bait and switch, right?
But on top of that, it's bad advice.
Like vendors that are coming to me saying, share these materials
with your users and they'll participate in Cybersecurity
Awareness Month thanks to our free stuff that we're not
charging you for.
And then it's like, you know, make sure you write your
password on a sticky note.
Do you guys think it's GTP?
(22:14):
Like, as marketers find the cheat code to, you know, come up
with materials.
Do we think it's going to be more mindless dribble?
Yes.
Yeah.
Marketing, unfortunately defaults to early adoption of
automation technologies to do bad things faster in general, in
the, in the main, a lot of MarTech, like all the
(22:36):
outreach, email automation is just do the bad thing, but do it
at like massive volume, massive scale.
Um, and that's also in this economic environment where
you've seen a lot of contraction, a lot of merger
acquisition, a lot of business, there's going to be a desperate
play there.
And I think that's why we want to help change that.
(22:57):
So we'll take a break here.
We have aired our grievances, but we're not here to admire the
problem.
We have a gauntlet to throw down to the industry, and we will
reveal that when we come back.
Okay, and we are back.
All right, gents, uh, we talked offline about what could we do
(23:19):
to change this behavior that we've talked about and we've
come up with two challenges because I think it's two fold.
So for the marketers, I'll take that.
So for the vendors, I want to come to you and say the
challenge for October is to not do what everyone does, right?
(23:42):
Stand out, don't send 101 marketing shit to people who do
cyber year long, day in, day out, right?
So to that end, I would like to see you take on this challenge
of what we are calling Cyber Community Month, right?
And I want to see vendors.
(24:05):
Using this time to contribute to the cyber community at large.
And the challenge is to come up with a program that does that,
and to share it with the hashtag Cyber Community Month, and we'll
be watching.
And, uh, we have some prizes that we're putting together.
We're pooling our resources among our networks and friends.
But, as an example, maybe you sponsor something for your
(24:31):
customers to bring their parents on and you could teach them
about vishing.
You could teach them about voice cloning, which is really on the
rise against senior citizens.
Extend it outside of your immediate customers.
And what could you bring to their families, to their
friends, to the community, how can you give back?
Um, so that is the challenge tovendors.
(24:54):
Uh, Alan, I want to turn it over to you.
What is a challenge that we can issue to the client side, to
the, to the people who are also tired of doing something heavy
in October and not year round?
All right.
So practitioners, I think we've talked about cybersecurity
awareness and month.
And I think we've, we've kind of gotten in lockstep a little bit
(25:15):
about where we want to head with that.
I think ultimately what we need to do is the same thing we're
asking the vendors to do.
I want to involve community.
I want to see you guys going back to your vendors and pushing
for, and I know some vendors will do this.
Hey, that EDR I'm paying for, how about you give me my clients
to my home users for free?
Let my employees use their ADR client on their systems at home
for free.
Let's work that into the next deal we ink, right?
(25:38):
Um, let's, let's do the same thing the vendors are doing.
Let's, let's reach out to mom and dad and buddy and sis,
right?
Let's not just go to our employees and hang the posters
on the wall and do the usual BS in the break room.
Let's actually cybersecurity matter
to the human beings who work for us, remembering first and
foremost that they are in fact human beings, and they have
(25:59):
relatives, and they have elderly parents, perhaps, or they have
little kids, perhaps, or they have middle kids, perhaps.
Any and all of us can be doing something to outreach to those
folks.
We do this all day long.
We breathe it.
We live it.
We don't even think twice about it.
The whole point of Cybersecurity Awareness Month when it started
was there's a massive populace who doesn't breathe it like we
(26:19):
do.
So let's give them that fresh breath this month.
Yeah, I want to turn it over to you, George A, because I also
think it's been my experience that a lot of InfoSec
professionals want to do that. As we all know,
time is at a premium.
Teams are getting downsized, do more with less, and I think that
(26:39):
they just don't feel like they have the freedom to get out of
the chair to take, you know, the hour lunch break to go read at
their kid's school or whatever.
So, George, you know, I know you have some thoughts here about
how that helps professional development.
Want to give you a moment there in some space to talk about
that.
Yeah, thanks, George.
(27:00):
So I think again, when we talk about, um, like getting involved
with the community and, and how you frame this, how you sell
everything, unfortunately, unless you're working at a pure
public sector shop, uh, it always boils down to the ROI for
the business or how's it going to benefit the business and in
the framing that I would.
(27:20):
Look at is our community reputation as an organization
improves when we go out and we actually talk about what we do,
and we actually give it context and we educate people.
Right?
I think going to schools,
going to, even if you go to community centers, if you go to
places where, you know, there's kids who, um, you know, there
(27:44):
are places where there's kids with learning disabilities or
kids who really aren't doing too well on the normal educational
track, and they're often technical or vocational schools,
right?
A job like cybersecurity is perfect for them because they're
probably neurotypical.
They're misunderstood.
Right.
They get shown this new thing.
It's cool.
It's, it's, it's teachable.
(28:05):
It's learnable.
A real person is actually showing it to them.
And it's not some crazy thing they see in a movie.
It's not some NCIS nonsense.
It's actually something that you can fucking do and you can have
a good life with it.
Right.
If we talk about this as a, as a bridge to build our communities
is this is something that we can actually educate people.
(28:27):
We can improve the cyber hygiene
of the people around us and also improve our corporate
reputations by being out there and being like, Hey, we care
about the community.
We can do this.
Right.
Um, I think you get a lot more support.
And again, George, you kind of hit the nail on the head.
We're so busy because if we're not actually monitoring and
(28:49):
managing the operation ourselves, there are umpteen
different projects from a developmental roadmap
standpoint, cleaning up tech debt.
If you're part of a CI/CD pipeline, you're basically
providing security advice for every single new product that's
coming out, uh, within that sprint cycle or within that PI.
So, you know, you have to kind of decide, like, are you going
(29:09):
to choose to make the time to do the thing?
Right.
And, and I think of it, you know, outside of, um, let's say
in a completely different context, non cyber related, um,
I like to, you know, like once a month or whatever, I like to go
and, uh, serve the homeless, right?
First Sunday of the month.
Um, they're, they're the only reason why realistically that I
(29:31):
do it.
Um, I do it as like a bit of a humbling exercise, uh, my part
of my ethnic community, we, we do it as a group, but I think
it's important that no matter how good you're doing in life,
you have to connect with people.
And you have to kind of see people at their most raw.
And it's the same thing when you're dealing with a group of
kids, you know, George, I know you did the thing at your kid's
school.
Your kids are absolute superstars.
(29:51):
We're all going to work for them someday.
Believe me, George is geniuses.
That's a really good example of like a super positive, like fun
experience.
The real work is actually going into a school, dealing with kids
who might be a little bit troubled,
and giving them an opportunity to see a new chance at having a
life for themselves.
And I see that as like what cyber and cyber awareness can
(30:13):
do, even if they don't want to do it for work.
At least understanding how to operate safely on their phone
and on the internet to not be preyed after.
Right.
To have their data be secure.
These are the simple things.
It's empowering people to defend themselves and be more capable
online because at the end of the day, on a personal security
level, on a safety level from, you know, sexual predators or
(30:35):
people who want to elicit violence or drug dealers on the
level of just knowing how to operate in a growingly more
digital or digitized economy,
I should say, people need to know how to get the most out of their
tools out of their devices and not just spend money getting the
newest thing or whatever bothering their parents about it
or whatever they have to do. That's where I see, you know,
(30:56):
and sorry if it sounds like a bit of ramble, guys, but it's how
you actually frame the business case for support for going out
into the community and just bring the cyber hygiene and
cyber narrative to people who have nothing to do with your
business and nothing to do with generating revenue for you.
That's actually going to be the thing that gives your business
community longevity years after you're gone.
(31:21):
And George, Katie, your first question, you know, how do you
find the time we're all busy?
Yeah, I'm a CISO.
In fact, I'm a multiple CISO now with kind of a combination of
CISOing and consulting and all the things I'm doing.
I'm busy.
Doesn't matter.
It doesn't take a lot of time.
It doesn't.
I spent a couple of hours over the course of a month putting
together a cyber education program for a Girl Scout troop.
(31:42):
Just took me a couple of hours to do it.
I spent about an hour putting together for a presentation to,
I kid you not, a group of kindergartners called How to Be
a Hacker. Took me about an hour to write it and 30 minutes to
present it to a room full of kindergartners and they loved
it.
They ate it up.
Um, time is not really the problem.
Prioritization is the problem and to George's point, there's
(32:03):
things you can do to give backthat are far bigger than any
dollar and cent bottom linething.
We're only talking about alittle bit of time here.
I know so many good companies inthis community that do so many
things that have programs whereit's like, Hey, one day a year,
we're all going to go volunteersomewhere where you get a free X
days a year of volunteer time togo volunteer to wherever you
want to volunteer.
There's companies have tons ofthese kinds of programs.
(32:24):
We just haven't rolled cyberinto that same mindset.
That's all that's missing.
Bingo.
Totally.
Cody, do you want to talk about the board you're on and how
we've connected that into George and George's, uh, call for
action here?
Yeah.
Yeah, absolutely.
And I think it's going to line up well, so I'm going to board
for a nonprofit called Kids Voice and what they do is
(32:45):
they're an Indiana company and they represent kids in the court
of law and custody battle. So demographic spans from income
across the board, low income, privileged, you know, all
different kinds of income, but the lawyers and these, these,
uh, representatives are the kids' lawyers.
And so it's a nonprofit.
They handle a lot of data.
They do a lot of, um, they do like a couple thousand kids a
(33:07):
year just in the Marion County, which is the central county in
Indianapolis, Indiana.
And so what we're doing this year is since, you know, I'm on
the board for them and I work with reveal or real risk is
we're going to do kind of a team day where our company is going
to go on site with them and do kind of like a, um, workshop
with, with their employees, teaching them some cyber
(33:27):
hygiene, helping them with some crown jewel assessment and
helping them with the kind of a monitoring.
A fundamental roadmap of like where the program is today.
What are some key things to do?
Um, but all pro bono, so it doesn't, doesn't help us from
any standpoint of oversight, revenue standpoint, something we
give back.
Um, one of our employees, myself, I'm involved with it.
Aaron's wife as well as a volunteer for the organization.
(33:47):
Um, but to your point, kind ofgoing out in the community.
Improving it.
They're doing phenomenal things.
They don't have, you know, theCSO or the budget to go do, you
know, security stuff there.
So just a time we can use, uh,Alan, to your point, you know,
we can use our, our talent, uh,to go and enrich and invest our
talent and time into someindividuals doing some amazing
(34:07):
things with community, um, keepthem safe.
And then in turn, protectthousands of kids.
You know, in rough situationsacross, you know, central
Indiana.
So it's, to your point, liketime, talent and that
investment's gonna, you know,Metcalf's law, right?
Two goes to four, goes to eight,goes to 16.
So it's gonna multiply outquicker than if I were write,
you know, a couple thousandcheck to, to a fundraiser.
(34:28):
Yeah.
And I would argue that our team will be better even if you
didn't care about the philanthropical part of it,
which we, we do.
Our team will be better for going into work like that and
figuring out how to stretch 0 to something or something where
they're not going to get a huge budget to buy all the greatest
tools.
Like how do we use our brains to innovate in that space?
(34:52):
You know?
Yeah, that's, that's perfect.
Um, all right.
Well, I, I think we should probably wrap there.
So thank you everyone for joining and to the listeners.
We will have more details on social, but the gauntlet has
been thrown.
And the prizes are going to be fat.
(35:12):
Yeah, they're going to be amazing.
We got, we're really well connected, I think, enough to
get you some good swag and incentivize.
Uh, some really creative ideas.
So as Aaron said, what can you do to get creative?
Well, let's take that out.
So vendors, what can you do to give back to the community of
cybersecurity professionals, clients, and customers?
(35:33):
What can you do to empower your cybersecurity employees to get
out there in the community?
Yeah, it's gonna be really exciting.
Um, but this is the first I hope of many of these challenges.
Maybe we can get, get it done every year.
The prizes will get bigger.
Um, but yeah, thank you everyone for joining us.
What's the hashtag, George?
Let's end on the hashtag.
What's that?
Oh, there you go.
Yeah.
Good marketing, Aaron.
(35:54):
You got to end with the call to action.
So we want to see this.
We want to see it on social hashtag cyber community month.
We want to see great stories, share them widely, and, and
we'll share them as well.
So, uh, yeah, thanks for listening.
Thanks for joining and let's make October way better than it
(36:15):
has been historically.
Relevant.
Hey, let's make the whole theme of our show, let's make it less
shitty.
It's off.
Making October suck a littleless since 2023.
Great work with you guys.
By the way, this is an awesomeshow.
I hope we get to do work with you guys again.
Likewise.
Appreciate it.
(36:35):
Thanks for the invite.