January 10, 2024 25 mins
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Aaron (00:01):
Get ready to simplify cyber in three, two, one. Thanks for tuning in to Simply Solving Cyber. I'm Aaron Prince.

Cody (00:17):
And I'm Cody Rivers.

Aaron (00:19):
And today we're here with Jim Wales. He is actually a senior cybersecurity consultant at Reveal Risk. So we know Jim well, but we are excited to get you to know him. So Jim has an interesting background. We're going to meet him here in a second, but he started out at the IMPD, actually before that, military service and intelligence and all sorts of cool things.

(00:41):
I won't steal all of his thunder, uh, but pivoted into cyber and applied a lot of those skills, and we're excited to unpack that and more. Jim, how are you doing today?

Jim (00:50):
I'm good, thanks for having me here today guys.
Looking forward to the chat.

Aaron (00:53):
Awesome.
Well, we like to start out on the show kind of getting a little bit of a backstory on how you came into cyber and some of your outside-of-cyber experience and how you've connected the dots and applied that. So, without further ado, why don't you tell us your founding story and, uh, we might have some questions along the way.

Jim (01:13):
Okay.
Like a lot of career changers that I've talked to that have gotten into cyber along the way, it kind of almost fell into it accidentally. And it was never my intention to get into tech or cyber. I played around with a lot of technology when I was a kid. My dad was a guy that kind of saw the value of it early on and bought us a home computer, and played around a lot with

(01:33):
that when I was a kid, but never really got deep into tech. I got into the military and worked in intelligence and then got into law enforcement. Um, and my military intelligence experience led me into working in intelligence in law enforcement. And the way that I fell into cyber with that was that we had a lot of information that we were trying to make sense of and

(01:55):
organize and share in an efficient way. And so I started doing some research trying to figure out how to do that. And I stumbled into databases and I thought, okay, I can understand what this is, and realized I need to build and learn how to manage a database. So I started trying to figure out how to do that. And again, I didn't have a strong tech background, so I didn't really know a whole lot about it.

(02:16):
So I went to the guys that I knew that were the biggest techie guys that I was aware of and that I was friends with, and they worked in the digital forensics unit with the police department. So yeah, I went over there and I started talking to those guys and said, Hey, I need to learn how to do this. And they started helping me out. And I ended up going over there probably two or three times a week. And I probably turned into a bit of a pest after a while.

(02:40):
And eventually, I think they got tired of me going over there and bothering them for all the help that I was asking for with building a database. And they decided they were going to put me to work. So they said, Hey, you seem like you've got some aptitude for this technology stuff and we've got an opening coming up on our team. Why don't you come over here? So I put in for that job and I ended up getting into digital forensics with the police department.

(03:01):
I did that for about seven years and, through that process, found out that I really enjoy technology, and the marriage between technology and people. Through that, I decided I wanted to continue to work in cyber security.

Aaron (03:14):
Jim, just to back up to digital forensics, I know and assumed when I met you and we started talking about this, you've seen, I know you've seen a lot of like really bad stuff, but through that and forensics and being able to unpack evidence and all of that, you've done a lot of really good things by taking pretty scary people off the street. Can you talk a little bit more about that?

(03:35):
And I know when we've talked, you've talked about explaining technical mumbo jumbo to jurors and judges and how that really correlates a lot in cyber to telling the story to business partners or users or executives. Say more about that.

Jim (03:54):
So a big part of the job when you work as a digital forensics analyst, especially in law enforcement, as I did, is being able to take these highly technical concepts and make them understandable to people like other investigators, prosecutors, judges and juries that may not have a lot of technical acumen. That's not something

(04:16):
that they work with every day. And these are pretty foreign concepts, and you do work in a lot of technology. When you are working in digital forensics, you have to have a deep understanding of hardware, the operating systems and file systems that you're working within, and how you extract information out of those systems and how you do it in a forensically sound way

(04:36):
to protect the data so that it can be used as evidence. And you have to be able to explain how all of that happens to somebody who really doesn't understand the technology. So you end up working a lot of times in a lot of analogy, and that's something that I was able to take, that skill set, and then bring that over to more of the consulting seat or even the

(04:57):
corporate seat of cybersecurity and take those concepts and use that to talk to people within different businesses to say, you've got this technology stack, and here's how you want to apply this. But then also here's the way that you can change the behavior of some of your workforce and how they approach the technology, and to understand that you can't solve all those problems just by

(05:19):
buying a tool and pushing a button. You have to be able to have that conversation and communicate clearly to your workforce: this is what the technology is doing and how to work with it, and not getting too deep into the weeds technologically, so that it's understandable for them and they understand why it matters. So being able to take that skill set from forensics and being able to take those technical concepts there and break that

(05:40):
down has lent itself very well to being able to work in a lot of the programs that we've worked in with our clients, especially a lot of the awareness programs that we've done.

Cody (05:49):
Yeah. So that's kind of my next question really, is like talking about the translation of when you first got into cyber and the years on the force and digital forensics, and taking information that people need to know, that may not work or know that information in other parts of their life and business. But in that moment, they have to know how to stay safe. So if we translate to Jim of 2022 thinking about that, what

(06:13):
are some of the engagements you're seeing? Some projects that are showing the most transformation within organizations.

Jim (06:20):
The one that comes to mind at first, it's a pharma company that we've worked with. And probably between 30 and 40,000, uh, employees globally. And we've done a lot of work with their awareness program that has been really impactful. Being able to take a look at where they were when they started and what their folks needed to have an understanding

(06:41):
of, and kind of do an evaluation of where's the low hanging fruit where we can get some easy wins. Um, but then where are also some of their biggest risks, and take an evaluation of that. It's like, where are they most vulnerable and how can we take their program and build it so that it addresses those issues. But then one of the other things that I think has been a big win

(07:04):
with that particular company, and something that we have had success with also with other companies that we've done this with as well, is, and this is a phrase I like to use a lot, is to meet them where they are. So I think it's important to try and put yourself in the shoes of that end user, of that everyday employee, you know, that is either working in front of a

(07:25):
computer or working on an assembly line somewhere, trying to say, you know, well, what would I see? If I were that person coming to work every day, and if somebody is trying to show me some information or give me some information about how I can be more secure and working with information, how do you get that message to those folks?

(07:45):
And how do you get it to them in a way that they're going to be receptive to that? They may even enjoy seeing, and you know that they're going to be able to see, because not everybody works in front of a computer every day. So we've done a lot of things with developing champions programs and building those out so that we actually have people that are liaisoning with the cyber security group.

(08:08):
But they actually work within the job functions that we're trying to reach. So now we've got that person that can help to bridge that gap. And it's a great conversation piece with those champions, between cybersecurity and those other areas within the business, because then they can tell the folks in cybersecurity, this is what we need, or this is what we don't

(08:28):
understand, or this is where we have some confusion. And that's great insight for the cyber security folks, because then they can get some insight on where they can cater the training and how they can tweak that to make it more impactful for these end users who they're trying to get to change their behavior. So those have been huge. Great wins there.

Cody (08:49):
So I'm thinking of things like, you know, awareness is kind of a growing topic, or human risk is another way that people are saying it nowadays. But what's the key challenges you're seeing? Cause a lot of people, I see, there's KnowBe4 or Proofpoint, or there's like basic training that people send out. But what are some key challenges? And like, how have you overcome them within like larger awareness programs?

Jim (09:08):
Yeah, so first of all, I'm a big fan of KnowBe4 and Proofpoint and what they do. I think that they put out great content. So I definitely don't want to throw any shade on those programs at all. I think they add great value. But there is the problem with just the same kind of repetitive training over and over again. Where, if you get a company where you've got a requirement

(09:29):
where they get one hour of security training annually, right? And that's what you do is find a one hour video and you mandate that the workforce watches that once a year. You've got their attention, however much of it you're going to get, for that one hour out of the year. You can check that box for compliance to say, well, we've done that, but what's the lasting impact of that for that

(09:51):
workforce? And are you really making the workforce more secure? Those programs like Proofpoint, like KnowBe4, they've got additional stuff that you can put those shorter videos out and the other tools that they have. But a lot of those, I think, are more geared toward people who are able to sit in front of a computer every day as they do their work, and not everybody does that. We've seen situations

(10:12):
where you've got folks that are part of a major sales force, and most of them are the road warriors. They're doing everything off of tablets and off their phones. They're spending a lot of time in the car and having meetings in person, face to face. They're not sitting for 7-8 hours a day in front of a laptop or a desktop and able to engage in that kind of training as easily, and they don't want to.

(10:34):
So finding ways to reach them with short bits of information like blog articles, like infographics, and especially if there are things that go along with the company branding. And then if you have the capability to build some branding into your security program, that just levels everything up, because then it becomes recognizable, something like a character that you use, certain terms that you use that

(10:56):
are only for your security program, that when people see them, it rings that bell for them and makes them think about the security program. Those little things that you can add to that program, and then you use those for these quick little bits of information. You send out the infographics about certain topics, password security, like information classification, and then you also

(11:16):
include those in short blog articles that you can send out via email, or you can embed those in newsletters that can be sent out as part of a larger communication to the workforce. But just building that so that you get more of that constant drip of contact with your workforce about security rather than just here's your hour once a year.

(11:37):
And then they're going to need those little reminders, and as we all know that work in security, the threats change, and sometimes you have an old one that comes back. One that comes to mind is the QR codes. When COVID first started and everybody was worried about touching things, and rightly so, QR codes became very in vogue. You go to a restaurant, you didn't get a menu anymore.

(11:57):
You could scan a QR code at the table, and there was concern around there about people attaching malicious code or sending people to malicious sites via the QR code. And then it seemed to die off for a little bit as people got more used to it. And now recently there's been news that it's making a resurgence. Sometimes what's old becomes new again. So you have to have that constant communication going on from security to the workforce to keep them aware of what's

(12:21):
current.
Cause things change.

Aaron (12:23):
You guys know why that resurged?
It was a quick way to bypass Microsoft Safe Links.

Jim (12:28):
That's right.
Yeah.

Aaron (12:29):
People would pull up the phone. So it was very interesting. We saw that blip after COVID cause people were using them, but then they stayed in use and then the threat actor found that it was a backdoor. Jim, I want to ask you one question. We kind of skipped over it in your background and how you've connected the dots between not only forensics, but police force and law enforcement in

(12:50):
general. And I like to think about awareness as you got to understand the things you want people to do, but help them a little bit understand the threat actor, the cyber criminal, the bad guy, the bad girl, to be inclusive. And Jim, I know from, it actually was a lunch you, Cody, and I think another guy and I had about a year ago, you gave us some blast from the past about some of the

(13:12):
undercover work where obviously when somebody is undercover, you pose as a bad guy to infiltrate the dealers and get to the suppliers. Sorry, I didn't mean to do the 21 Jump Street reference there. Nick will be proud. But anyway, talk to us about some of the skills and things you had to do to accomplish human deception in that role and

(13:35):
maybe how we can understand more about a malware engineer, a threat actor that is sending out phishing or vishing or smishing or the other 10 ishings.

Cody (13:45):
Take us into the mind of a bad actor, Jim.

Aaron (13:48):
Without revealing your persona, that is, it is locked down. So we don't unveil your double life.

Jim (13:54):
Yeah.

Cody (13:55):
Jim Hales.
What was his undercover name?

Jim (13:58):
So yeah, I, and you're right, Aaron, I did breeze over that. But in my time that I worked in criminal intelligence for the police department, I did do some covert work and, as part of that, you use a lot of the same social engineering techniques that get used by cyber threat actors. And part of what we did was just looking the part. You

(14:22):
show up somewhere and you shouldn't look like you're supposed to be there. And this is more of a physical security kind of issue. But a lot of them cross even into more of the digital. If you craft an email to somebody, and you do so in a way that you use language that conveys that you're expecting an action or you're expecting an answer, that is more powerful

(14:45):
than one that is crafted to be more of a request. And just using those kinds of tools, adding urgency. One of the techniques that I used to like to use, if I was trying to get into somewhere, because we would do physical security assessments, one of the techniques I would enjoy using, sometimes it was always a little fun, was to be in a hurry and generally have

(15:07):
something that made me less likely to be interrupted. Usually it was a cell phone. So if I was having a heated conversation on a cell phone and was dressed to appear like I should be in the area, especially if I looked like I was somebody in a position of authority, sometimes wearing a suit and tie would help, sometimes dressing up in coveralls to make it look like

(15:30):
I was working on something technical that somebody didn't understand, so they just wanted to let me go do my thing and not get in my way. Little things like that. And understanding the social engineering aspect of human nature and what makes people uncomfortable, and also what makes people comfortable. Those are all techniques that we used then, that I used then, and

(15:51):
techniques that I see used by threat actors, and things that I now, with my knowledge of that, try to make people more aware of, and point out things like creating a sense of urgency, coming from a position of authority, all of those things that make people less likely to challenge someone, and try to raise awareness of those so that now those become red flags.

Cody (16:13):
Jim, and I think about too, so to your first point, I agree, because I get a text a week from a number that's not Aaron Pritz that says Aaron Pritz, that needs me to buy him Amazon cards immediately because he's in a company we can't talk.

Aaron (16:24):
doing that.
Stop doing that.

Cody (16:26):
Well, I said 1,000 is my limit. I won't go a dollar over. So far we're staying with this thing of them living on the corporate credit card, but you said another thing too that I wanted to think about, was like human risk is important and awareness for programs and keeping the company safe. But let's just pretend there's a world where not every employee cares about the security at their company.

(16:47):
Okay. I know this has probably never happened in business, but in that scenario, what are you seeing as far as helping them to understand the importance of this for them personally, outside of just the good corporate ethos or corporate governance? Yeah.

Jim (17:05):
Working in government, I didn't always like my employer every day. But I always liked my friends. And I always thought about the people that I worked with and enjoyed working with them. I always had people that I cared about. And that's something that I tried to, when I'm working with these awareness programs, I try to focus on, if the subject matter is correct for it.

(17:27):
I try to humanize it and try to get people to think about, if you're supposed to be concerned about the security of the information at the company that you work at, well, why? You know, and most of the time people think it's because of the bottom line, because the company wants to make money, and that's just greedy. And I try to get people to back away from that sometimes and think about, this is where you

(17:49):
work, right? This is your place of employment, and it's also the place of employment for these other people that you work with that you care about. And by protecting the information that is owned by the company, you're protecting yourself, but you're also protecting all these folks that you work with. If you get a major data breach and it's very costly for the company that you work for,

(18:11):
well, somehow that's got to be paid for, and that puts a company at risk, and that risk can lead potentially to job losses. And by protecting the information that you work with, you're protecting not only your job, but the job of everybody that you work with. Not only are you protecting it, you're helping the company that

(18:32):
you work for to thrive. So maybe there's going to be more opportunities for you in the future. Maybe there's going to be more opportunities for the people that you care about, that you work with, in the future. It really is about the people and trying to get people to change that mindset from it's about the bottom line to it's about the people that you work with and around.

Cody (18:50):
Yeah. Great. I mean, all the great points, and love the background and the transition into what you're doing now. So two things here. One, I always like to say for our listeners and for our fellows that are listeners early in their career, what advice would Jim of today tell Jim of 10, 15 years ago, just getting into the industry?

(19:11):
What do you know now?

Jim (19:12):
Um, so I think the first tip is to, don't assume that cyber is all about technology. It's not, it's about people. Technology plays a big part, but technology enables information security. It really is about the way that people work with information. And the processes and procedures, and having those

(19:34):
right, tools help to make that easier. The technology helps to make it easier. The technology enables us to do things with less effort and do things faster. But really it's about information and the way that people interact with it. So you don't really have to be super technical, and that was an assumption that I made that I know a lot of other people have made, being kind of a job changer into cyber, um, thinking

(19:57):
that you have to be super technical, and you don't, because it really is more about people and processes. The technology helps to make it happen, it really does, but it doesn't have to be super technical all the time.

Cody (20:09):
So now flipping that, looking into the future, this is Jim talking to him in five or 10 years down the road. What areas do you think will continue to improve the most? So based off kind of then current and then future.

Jim (20:23):
So future me, when I have those conversations with future me, things that I think can be most impactful are things like organizational change management, and getting more experience with that. Learning how organizations get that information across to the workforce so that they can get that organizational change made. A lot of these companies, they're not tugboats, they're

(20:44):
battleships, and it takes a long time to turn them. It takes a lot of effort to get that done and, developing a plan for that so that you can get that information, yeah, organized in the right way, and figure out what's a schedule that you can develop to put that information out so that you can get that consistent behavior change. That's something that I'm concentrating on personally.

(21:04):
And I think it can be very impactful for a cyber security awareness program to have a better understanding of that. And then some of the other things around the processes and, an interesting idea that I've been talking to one of the other guys that we work with about, is the post pen test kind of evaluation of things, and looking at things, um, to say,

(21:26):
okay, well, you've had a pen test and these vulnerabilities have been found, and we've seen situations where maybe there's a certain number of servers that are in scope for a pen test and vulnerabilities get found there. And then the following year or three years later, there's a different set of servers that are within scope, and then those same vulnerabilities get found. So we're finding the same problems over and over again,

(21:47):
just in different areas of the business. And the conversation came up about, well, what's the root cause of this? And does it go deeper than just a misconfiguration? Is this something that we can take back to the way that the processes themselves are being set up, and are there policies that can be changed that then impact the process and how

(22:07):
things get done, so that rather than bringing a new server or set of servers online and setting those up the same way that we did in the past, and now we're setting ourselves up to have that same vulnerability present, can we take a look back at our processes and do an evaluation of that and say, okay, let's treat the disease and not the symptom, right? Let's find out what the root cause of this is, and then we

(22:29):
can do an overall process improvement so that we don't continue to have these going on in the future. And we can spend less time on those and more time concentrating on other things to improve the program. So we're still trying to build out the idea. But just interesting conversations that we've had about how do we help folks be more secure?

Aaron (22:47):
Cool. Quick pause. We can edit this out. I saw the stuff in there about pen testing. Cody, do you want to do anything on that, uh, and then we can trim to the best parts of everything, or what, what do you think?

Cody (23:01):
Um, let's see, Pinterest. Yeah, I like it. I mean, I still like the, I mean, this all trimmed out, I still like the part about like heavy on the awareness part, because that plays right into his background. So the background is translated. And then I think the future looking forward about the awareness and OCM are probably two biggest things, pen test.

(23:22):
And I'm not sure what the crowd, how much they know about pen test, but it's up to you if you want to double click into it. But I think the nuggets were in the awareness and OCM stuff. All right, Jim. So I do always ask this question to all of our guests and, feel free to just tell us the most intimate personal secret, you know, that you can, so I want to preface it, but for listeners and for us out there, give us an interesting

(23:44):
fact that no one would know generally about Jim Wales.

Jim (23:49):
So I think one that most people would never really guess, because I think it's maybe not as common as a lot of others: I was on the water ski team in college. I grew up water skiing a lot. My dad bought a boat when we were kids and we'd go out to the lake almost every weekend. So I started learning to ski when I was probably, I don't know, five or six years old. And just continued to do it as a hobby growing up, and was

(24:12):
looking for something to do when I was a young man in college, and gravitated toward the water ski team and did that for a little bit and had a great time.

Cody (24:21):
Water ski team in college, excellent, man. All right. Well, thank you for sharing that, man. I appreciate that. I have to see a big sometime, man.

Jim (24:30):
There were no cell phones when I was in college. So there's not very many pictures.

Cody (24:33):
There's gotta be a Polaroid somewhere. Well, awesome, man. Thanks again, Jim, for joining us. We really appreciate hearing the story. And love working with you, and you've done some phenomenal work. So, um, Aaron, I'll let you wrap us up, but, um, yeah, Jim, again.

Aaron (24:55):
So much more that could be applicable to cyber, military professionals. I've helped people that were in sales roles, that were in financial roles. There's a lot of potential to move into cyber. You just got to find the synergies and really bring the diverse ways of thinking that maybe a traditional tech background person might not have.

(25:17):
So thanks for joining the field, and yeah, love having you on the team.

Jim (25:21):
Well,

Aaron (25:22):
much everyone.
Have a great

Jim (25:24):
for having me.
All right.
Thanks, guys.