February 23, 2024 • 29 mins
Discover the unexpected synergies between spy craft and cybersecurity as Shawnee Delaney, ex-intelligence operative and CEO of Vaillance Group, shares her thrilling escapades and invaluable insights. Her experience, including a thwarted attempt to help capture Osama bin Laden due to miscommunication, offers a unique lens through which we examine the human elements essential to protecting national and organizational assets. Shawnee's anecdotes not only captivate but also elucidate the critical role empathy and understanding motivations play in managing insider risks.
Tackling the underestimated threat of insider risks, our conversation with Shawnee reveals the foundational pillars of creating a culture of cybersecurity awareness. We expose the vulnerabilities that lie within organizations, often overshadowed by the focus on external threats. Shawnee, drawing from her extensive background, advises on the establishment of an insider risk program, highlighting the importance of a dedicated manager and the strategic communication necessary to engage employees without invoking fears of intrusive surveillance.
As we shift our attention to the cultivation of future cybersecurity talent, Shawnee imparts wisdom for those embarking on or exploring a career in this dynamic field. She stresses the vast opportunities that look beyond technical expertise, weaving in the significance of human psychology and intelligence. Moreover, in a surprising twist, we pull back the curtain on a former Disney performer's journey, exploring the art of preserving Disney's magic, the power of networking, and the cultivation of professional relationships that can unlock doors in ways you never imagined.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:10):
All right.
Thanks for tuning in to SimplySolving Cyber.
I'm Aaron Prince and I'm CodyRivers, and today we're here
with Shawnee Delaney, CEO fromViance Group, which means
courage and bravery.
I just learned that in French.
I'm very impressed.
How's?
It going Shawnee.
How are you doing?
Speaker 2 (00:27):
today.
I'm good Thanks for having me.
Speaker 1 (00:30):
Good, Well, we're excited to hear your story.
I know Cody and I got a previewat the HISAC in the fall I
guess it was late November.
But I don't want to steal anyof your thunder, so I'm just
going to go right into the firstquestion, which is give us your
story and I know it's aninteresting story into cyber and
take it away.
Speaker 2 (00:47):
Yeah, I probably have a little bit of an unusual
background getting into cyber.
So I was the black sheep of myfamily and I decided at a very
young age that I was going to bea spy when I grew up.
So I doggedly pursued thisdream.
I ended up working for theDefense Intelligence Agency.
I was CIA trained down at thefarm.
(01:10):
If you watch the movies, youknow what the farm is.
But yeah, so I did that forabout eight and a half years and
I liked to joke.
You guys saw my keynote, but Iliked to joke that I used to
steal secrets for a living andnow I help people protect their
secrets, which is actually very,very true.
So I did that.
I stood up inside our threatprograms for major Fortune 500
companies.
I had left government, wentinto private sector and then I
(01:32):
missed government, I missed themission.
So I went back and I worked forHomeland Security for a while
in their industrial controlsystems Cyber Emergency Response
Team, which I don't know if itwas the name or what, but that
program didn't last very long.
Speaker 1 (01:45):
So I did that for a while, went back into private
sector and then, about I don'tknow five years ago, stood up my
own consulting firm, All right,let's start with how does one
at a young age become a spy, orwhat do you put on your youth
development plan to go in thatdirection?
Speaker 2 (02:01):
Yeah, I think I probably put actor.
Speaker 1 (02:04):
What is probably some good traits.
Speaker 2 (02:06):
Well, yeah, I did.
Actually, when I was younger, Idid theater very begrudgingly.
I got dragged into it because Iwas a really shy kid, but those
are skills that you use whenyou are conducting clandestine
operations Because you areliving a cover right.
I was an alias when I wasmeeting with sources and assets,
so all of that acting actuallyreally came in handy.
Speaker 1 (02:25):
Yeah, no, that's true .
So I know we heard a fantasticstory of kind of one of your
cool missions at the HISAC.
But before we pivot into cyber,give us one of your best
stories as a spy and maybe drawsome correlations to how those
tactics were useful in the cyberside or the corporate side of
(02:45):
your life.
Speaker 2 (02:46):
If you know me, you know I have more stories than
anyone you've ever met in yourlife.
Speaker 1 (02:51):
Hard.
Right, You've got to pick yeah.
Speaker 2 (02:53):
I think probably the most well-known one is I was
very, very close.
I had an incredible asset whowas close with Osama bin Laden
and I was very close to beingthe one to say this is where he
is.
There was some majormiscommunication going on
between the intelligenceorganizations I was working with
, between my source and betweenmy interpreter, and I kind of
(03:15):
joke that this is like mybiggest success because I
recruited this guy who, I mean,how many white Western chicks
can say they recruited like theright hand man to Osama bin
Laden, but they misunderstoodwhere he was saying Osama was,
and so I woke up a few weekslater, probably three weeks
later.
I woke up and on CNN and said,you know, osama's caught in a
(03:37):
bot-a-bot and I was like, oh myGod, that's what he was saying.
Wow, I was like, oh, close, butno cigar.
Speaker 1 (03:45):
Yeah, in any parallels, like I'm just
reflecting on that point of likehuman communication and
translation, I worked atinternational companies and
tried to get awareness messagesout and like just silly
accidental translation companymistakes, that one thing that
you think would translate fairlyeasy turns into something
that's accidentally offensive ornot funny.
(04:08):
What are your thoughts on kindof?
I mean that probably happenedall throughout the spy game, but
how do you drop those learningsfrom what you experienced in
the field?
Speaker 2 (04:16):
I think really the bottom line is and this is for
any company that employs humans,which is all of you right- Link
, link yeah.
Every person is different andevery situation is different.
Every investigation isdifferent.
So every time I was running aclandestine asset or trying to
work with a developmental sourceto recruit them, you had to
(04:38):
figure out their motivations andvulnerabilities.
And really it's the same thingin your companies your employees
all have unique motivations andvulnerabilities and you have to
figure out what those are andyou have to encourage those as
well and you have to push peoplealong and you do need that
positive deterrence as well asthe negative deterrence.
(04:59):
But it's finding that balance.
So, with that said kind oflooking at your organization,
culture is so, so critical andit is the same thing in
espionage.
In that arena too, culturematters, understanding people
matters and I'll add, above allelse, empathy matters.
I mean, like the story I justtold you, and I told you a tiny,
(05:21):
tiny nutshell.
There's a podcast out theresomewhere where I tell the whole
story.
But having empathy is critical,right, you have to empathize
with what people are goingthrough, no matter what it is in
their life, and I think that alot of C-suite sit up there and
they look down and people arenumbers and you can't do that
and that's where that humanfactor comes in and when people
(05:43):
need to realize that that is Imean insider risk is your
biggest risk.
You have all these people withaccess, all these trusted
business partners, all thesevendors.
So what are their motivations?
What are their vulnerabilities?
Are those changing?
Yes, they're changing every day, depending on their personal
situations.
Speaker 1 (05:59):
Yeah, yeah.
What do you say to the I wouldsay stereotypically, the more
technical cyber leaders that youknow, I've heard you know
fairly senior leaders say we'renever going to fix the human,
like humans are going to alwaysmake mistakes.
I'm not going to fund awareness, we're going to just get as
many tools to take the thoughtpattern out of it.
What would your counterpoint tothem be, based upon what you
(06:21):
were just saying?
Speaker 2 (06:22):
Yeah, I think that's BS really when you're talking
about humans, right?
Like I just said, everyone.
Every day, our priorities arechanging.
Maybe you have a sick loved oneall of a sudden.
I have a dear friend whose momjust died two days ago.
Right, you don't know what'sgoing to happen today.
You don't know what's going tohappen tomorrow.
So the thing is, with trainingand awareness, you are building
(06:43):
the foundation.
If we're building a house, thatis the foundation for
everything you are buildingabove it.
If you don't have enterprisewide awareness as to what the
threats are and how us asemployees could actually
contribute or make it worse,you're going to have a problem.
You can have all the tools inthe world, but if you don't have
(07:04):
people saying, oh shoot, I'mrecognizing that someone over
there on my team is actingdifferent and I understand now
that that could be a red flagfor something nefarious.
And I need to report that ifyou don't instill those
behaviors of that good musclememory and that good cyber
hygiene, those tools are goingto do you no good, really.
Speaker 3 (07:27):
Yeah, and you get some great points there.
So, going back a little bit tothe transfer from clandestine
operative recruiting high levelintelligence agents in other
countries and what you're doingnow with inside a risk air nigh
and reveal risk as a whole, twoare very strong on the pillar of
people in process and so Ithink inside a risk party your
(07:48):
presentation we saw was aboutlike don't wait until something
bad happens to start building aprogram, and so I think, kind of
talk through us about whatyou're seeing as far as a good
strategy, because a lot of timesI talk to folks about awareness
programs and there's like Idon't know where to start.
I don't know how much it'sgoing to cost out of the people
for it.
Or I came in with leadership toAaron's point earlier that this
(08:09):
is an important thing to eveninvest in.
So what are you seeing rightnow with your clients in the
market?
Speaker 2 (08:14):
Yeah, the same, really, when you think about it,
and I think Ponaman just cameout with their report for 2023,
and they found in their report Ithink it was like almost 92% of
organizations, they'reinvesting their security budget
in external threats.
But the thing is, over half ofthese organizations recognize
(08:35):
that social engineering andother attempts like that are
actually the leading cause ofall of those outside attacks.
Right, so they know it.
I talk to people every day inmy business who know they need
an insider risk program orinsider threat program, whatever
you want to call it.
But, like you said, they don'tknow where to start, and I think
what a lot of people don'trealize is that you probably
(08:56):
have good bones already and youprobably have tools and
processes and people that youcould pull from and not have to
reinvent the wheel.
Now I really really think thatyou need a program manager for
that program.
I really really believe thatyou need to make this a
transparent program.
I really believe in marketingand branding of this program and
(09:18):
the mission of the program theright way, so that people don't
think big brother's spying on me.
They're watching me all thetime.
Instead, it's we're here tohelp you.
We want to keep you and yourfamily safe.
It's all in how you sell it toyour employees to get that buy
in.
And then also creating aworking group, creating a
steering committee above that,where you have people from every
(09:40):
single stakeholder.
That's kind of what I likeabout it is you're working with
everyone across the company,right, and so you're building
those relationships.
You're teaching all of thesegroups that gosh.
When something interestinghappens in an HR or someone's
put on a performance review or aPIP or something, maybe they
should let the investigationsteam know and the insider threat
team know, or maybe they shouldbe monitoring with the IT
(10:01):
security team.
So bringing all those peopletogether, sometimes it's a
hurdle, but it's doable.
I've done it, I've seen it,I've seen it all the time.
Speaker 3 (10:09):
Well, and the thing I do I see a lot too is even
looking back at what is insiderrisk and insider threat.
I think a lot of folks rightaway think that, well, it's a
spy or my company or someone'syou know, corporate espionage.
So we don't have I trusteverybody, we're a small company
, we have a good culture, so wedon't have anyone trying to spy
on our company and exfiltrate IPor secrets, which is a real
thing and there is a lot ofcases that go on.
(10:31):
But give us a little insighttoo about the different kinds of
insider threat and risk.
Speaker 2 (10:36):
Yeah, that's a great question because that, to your
point, that's what a lot ofpeople think theft of IP or
espionage, and that's it.
I've had cases where, like Istill feel bad for this manager,
there was a manager, heremployees who she was very close
with.
They were friends.
Two of her employees werecommitting fraud I mean massive
amounts of fraud and when shefound out she was crying on my
(10:57):
shoulder saying but how couldthey do this to me?
And I said they weren't doingit to you, they were trying to
survive.
Right, this is right.
Before COVID they didn't makeany money, they were external
employees, they weren'tfull-time employees, so they
didn't have that loyalty.
So there are a lot of thingsthat happen in people's lives.
They're not doing it to thecompany.
Speaker 3 (11:17):
I think one thing you also mentioned too, like the
difference from unintentionaland intentional and the power of
the awareness programs andbuilding the education, and like
strengthening yourunintentional insider risk which
then drives security and buildsmaturity to the intentional
insider risk.
Speaker 2 (11:32):
Yes, yeah, and I think basically I like to put it
in a pyramid, if you have thatgraphic.
So at the bottom of thatpyramid is the unintentional,
the negligent.
That could be someone who makesa mistake, which is the vast
majority of cases.
That could be someone whothinks well, I'm not doing
anything bad and I know I'm notsupposed to do that according to
policy, but I'm going to do itanyway.
(11:52):
You know, a lot of people aredoing things just to do their
job.
They're trying to find aworkaround.
They're not trying to bemalicious, but that's
compromising.
Whatever you know, ip, whatever.
There's a whole bunch ofoptions.
The next category is thecompromised insider.
Those are basically themalicious actors who are feeding
off of those negligentemployees and stealing
(12:13):
credentials and things like that.
The next category, the top ofthat pyramid, would be the
malicious actors.
Luckily that's the smallestcategory.
Now the thing is, when we talkabout training and awareness and
investment, you can train awayheavily that negligent and that
compromise those two categories,the big base of that pyramid.
You can bring awareness, wherepeople stop doing dumb things
(12:34):
because now they know, oh shoot,I shouldn't do that.
But people are going to argueand this is totally true, you're
never going to train awaymalicious insiders.
If I am set on stealing IP orcommitting workplace violence,
I'm going to do it.
My training is not going tomatter, but by training
everybody else, you now haveeyes and ears everywhere where
they understand the importanceof reporting, they understand
(12:56):
what red flag indicators thereare, they understand when
someone's pattern of behaviorhas changed and they know how to
report.
Speaker 1 (13:03):
Yeah, they see something, say something, like
if people don't know that that'spart of their job.
They're not going to do it.
So we've talked a little bitabout awareness and the
connection to Insider.
Talk to us and I know weactually both had some
experiences in pharmaceuticalsand Insider threat experiences
and programs.
Where do you get started?
Like when you're coming into anew company, talk about how you
(13:24):
help them get over the hump of,as Cody mentioned, we don't know
if we need it, and then two tostart building the building
blocks of the program.
What do you do first?
How do you evaluate what theneeds are?
Speaker 2 (13:35):
Yeah.
So the first thing I say topeople is well, do you employ
humans?
The answer is yes, then youhave insider risk.
100% of your employees are yourinsider risk.
That's the risk of someonemaking a mistake, of someone
being human.
The insider threat is whensomeone that's right of boom
(13:55):
instead of risk is left of boom,as we say.
So what we do when we come inand I really like this process
is I've basically broke it downinto four phases.
The first phase is doing aninsider threat vulnerability
assessment I like to call it ahuman risk assessment and in
that you can look at what is theground truth of that
organization, because you couldthink your culture is great, you
(14:17):
could think you've got all thegovernance and all the tools,
but really when interviewingevery stakeholder it could be an
absolute nightmare and I'veseen that.
The thing with that also isimportant is it's looking at
morale, it's looking at cultureand it's looking at what you're
doing right.
So when you take that report,then you can build off your
program from that report and youcan understand what you need to
(14:40):
really focus on, what you needto improve, especially related
to like process or governance,and then kind of how to take it.
So those are the first two.
You know, the human riskassessment, the governance
building the program, and thefirst phase is everyone's
favorite trading and awareness,because again, you need that
foundation Right.
Speaker 1 (14:58):
What would you say and I've had this in many
different companies to anexecutive could be a CIO or a
CEO that said we'remanufacturing but we don't
really have IP, we don't havethe crown jewels, we're not an
R&D focused company, we're amanufacturing delivery company.
What would your comments be tothat?
Speaker 2 (15:18):
Yeah, actually there is a major tech company and the
CEO made an announcement toeveryone in a huge meeting and
this lasted for years, like themorale effect.
It affected morale for years,where he said we have no IP, we
have no trade secrets, we havenothing to protect and he was
absolutely incorrect, by the way.
So my comeback to that would bedo you have anything within
(15:41):
your business, within your datasets, within your emails, within
your knowledge base, that wouldhelp a competitor?
Because if the answer is yes,then you have intellectual
property, you have trade secrets.
Do you have processes that arespecial and unique to you?
Yeah, probably.
Then you might want to protectthose things.
Speaker 3 (15:59):
One thing I see, too is to your point of supply chain
right, are you a door to abigger fish?
So why I may not be interestedin what you house I mentioned in
the keys that you have to othercompanies and to back doors.
That's why we see a lot ofthings on third party risk,
which is a different topic for adifferent day, but a lot of
times I think, when you'relooking at what are people
interested in from the outsideto then solicit my employees to
(16:22):
get access to, I think that isoften undervalued or
underestimated.
Speaker 2 (16:25):
Absolutely.
Do you want to be on the frontpage of the New York Times?
Probably not.
Speaker 3 (16:30):
Reputational risk.
I think Aaron says it's greatwhen the four options for risk
and one's transfer and Aaronalways says you can share the
risk, you can't transfer therisk because, yes, you can
probably offset some of thefinancial damage, but
reputational damage isreputational damage, so you
can't transfer that risk.
Aaron, do you want to take yourthunder there?
But I love that you say that oncertain calls and I think it's
(16:50):
very valid because I think someof the tech focused people think
I'm good, I got this, I'll getsome cyber insurance and then
I'm good, risk transfer andthey'll look around my plate.
Speaker 2 (16:59):
Yeah, and I think also like throw in social media
in the court of public opinion.
That could be pretty nasty andeven if the direction and the
opinion is completely off base,it's really hard to change that
narrative when social media isjust fueling it.
Speaker 1 (17:15):
I think all three of us.
It's fair to say that we alllove coaching people.
Obviously, we wouldn't be inconsulting if we weren't but
Shawnee talk about coaching newtalent into cyber.
What advice would you have forlisteners that are maybe just
getting into the field orthinking about getting into the
field?
What's your advice for them,knowing what you know, this far
(17:35):
into your career?
Speaker 2 (17:36):
Yeah, just do it.
Go ahead, Cody.
Speaker 3 (17:39):
Actually added that too, because I have.
I've been to a lot of entrylevel people and cyber and they
always ask me I'm not in thetech and tools by life cyber,
what else is out there?
So that's what just Aaron said.
I think that'd be supervaluable, for hopefully my
mentees are listening to thispodcast, but I think they'd be
very grateful to hear.
Speaker 2 (17:55):
Yeah say, I do a ton of mentoring as well and I am
constantly pitching out insiderthreat and here's why.
So, first of all, this is afield that is in cybersecurity,
but it's really that humanfactor overlying.
If you think about all thephishing emails, it takes
someone's finger to click thatlink right.
That's the human angle.
So when you're looking at thisrealm, I am not techie.
(18:18):
I have a master's incybersecurity.
I hated doing my labs, I hatedcracking passwords, right.
But you can do psychology.
You can do industrial,organizational psychology,
behavioral psychology, forensicpsychology all this applies.
You can have a law enforcementbackground, like me.
You can have an intelligencebackground.
You know I used to steal yoursecrets.
(18:39):
Now I can help you protect them.
Right, cyber IT.
The cool thing about this isthere's so much in this realm.
Understanding people'smotivations, understanding why
people do things, is really key.
Digital forensics like they're.
Really I could tick a ton ofboxes and, like I said earlier,
every case is different andthat's the fun thing is figuring
(19:00):
out why.
Why did they do it?
How did they do it?
You know for the people outthere that, like all the drama
crime shows and CSI, whateverit's this kind of stuff and it's
a lot, a lot of fun.
I'll also add network your assoff, like seriously.
Leverage LinkedIn, leveragepeople you know.
Ask them who they know.
Ask them if there's anyone youcould meet or be introduced to
(19:23):
in the field.
Find a way to get to.
Yes, a lot of times people areapplying to roles as newbies, as
being green, and they'restruggling to get in, even
though we've got a deficit ofhundreds of thousands of
positions just in the US.
Keep pushing.
Don't take no for an answer.
Find a workaround.
Take a different role in acompany you really really find
(19:46):
appealing or whatever, and thenlearn constantly.
Learn.
Take every class you can andinside our threat, there's a ton
of free training availablethrough the government.
There's paid training also, andall of them are very, very
interesting.
Each one.
You're going to learn somethingdifferent, but work every case
you can, at any level you can,just to learn all the different
(20:08):
processes around these things.
Speaker 1 (20:11):
Cool, yeah, I went through the FBI Citizens Academy
this last fall and I'd seenthem before, but some of the
videos that they put togetherdramatically reenacted but all
about corporate espionage andinsider threat and some ways
that you wouldn't think that itwould have happened in
industries that you wouldn'tthink that they were targeted.
But yeah cool stuff.
Speaker 2 (20:28):
Yeah, absolutely.
And I think like to one of yourearlier questions too, when we
were talking about what isinsider risk and insider threat.
People need to really recognizethat it's such a wide scope of
what it entails.
Right, it can be workplaceviolence.
It can be an interofficerelationship gone bad.
It can be bad publicity onsocial media or media leaks.
(20:49):
There's a lot of differentstuff under that umbrella.
Speaker 3 (20:52):
Yeah, I think to cap on that as well too.
Looking at new professionals, alot of my mentees say, well, I
don't have three or five yearsof experience in this or in that
.
I'm like do you have problemsolving?
Do you have people, do you haveleading projects?
Do you manage a budget?
Those are things that are very,very tied to cyber related,
that aren't so technical.
But I say work on the story andI think to your point, learning
(21:14):
what insider risk is.
I get it and an idea of whatthat is and then take your skill
sets, match those and kind ofput that in your resume as you
reach out to people.
Speaker 2 (21:21):
Exactly.
Speaker 1 (21:22):
We just started working with a new client that
has almost every tool that youcould want to have, no dedicated
cyber talent, all run byinfrastructure, and they're just
turning stuff on and we're likelet's take a step back here.
We need to think about peopleprocess, what you're going to do
with the results.
Yeah, yeah, the tool activedoesn't mean that you are
capable of taking theintelligence or whatever it's
(21:44):
spitting out and turning thatinto a risk reduction.
So I think, cody, to your point, there's plenty of roles beyond
running the tech that are soneeded and, in my opinion, more
needed.
That's more of a deficit in themarket.
Speaker 3 (21:58):
Yeah, so, aaron, and in that same vein, this is great
.
It's almost like this isscripted.
So technology and cyber isalways critical, but, chania,
I'd love if you can give us astory about a project or
initiative within your corporatethat only exceeded through
people and process focus.
Speaker 2 (22:14):
Yeah.
So an organization that I wasworking with standing up a
program I won't name the company, but is a major, major company
they had no tools, no tech,nothing, and we're talking about
tens and tens of thousands ofemployees globally.
So the program the only thingwe had to stand up this program
(22:37):
and to get any buy-in wasthrough the processes and
through the relationships thatwe built with all the
stakeholders, kind of like whatI was alluding to earlier.
What we did was leveragingtraining and awareness.
We made very short, like30-second Hollywood style videos
just showing reenactments ofcool cases, trying to get people
.
I mean, look, we're like aNetflix nation now, right, we
(23:00):
need to be entertained.
Everyone has the attention spanshorter than a Goldfish, by the
way.
So we really focused on makingthings interactive and engaging.
We leveraged pop culture andwhat was going on in the world
the Oscars and the Emmys and theawards season movies.
We made things fun and we gotso much engagement and we
actually got people constantlyemailing the insider threat team
(23:23):
saying thank you so much fordoing this.
We brought in keynote speakersto talk about how to protect
your family at home, how do youlock down your weird Alexes and
series and all the things, yourrefrigerator and your oven
everything's connected.
Now, how do you keep yourfamily safe?
Yeah, so by doing all of that,not only did we get buy-in and
support from the employees, like, oh wow, the company really
(23:44):
cares about us, but all thestakeholders were like, oh wow,
you're not trying to step on ourtoes, you're actually here to
help.
And it worked and culturestarted shifting and we had a
really successful program, evenwithout the tools.
Speaker 3 (23:57):
Yeah, I think your point earlier about culture is
important.
Two things in that is.
I think that one a culture offear or trouble if something is
reported or something is seen isthat we've seen that go well
because they make a mistake,they pick on a fish.
They have two options.
I can report myself and maybeprobably get in trouble or get
some kind of reprimand, or I cannot say anything and hope it
(24:18):
goes under the rug and it goesaway.
One option is leads to a longertime of something you ever be
discovered or a breach going on.
The other one is hey, we foundit.
Let's focus on training andlet's educate.
I think people have a intrinsicdrive to learn and to educate or
to learn about this Because itis interesting.
What we've seen is, to yourpoint, it's a hearts and minds
campaign.
(24:39):
It's like why is this not justimportant to you as an employee
of company X?
This is important to you foryour kids, your parents, your
grandparents, your cousins,because it happens to folks in
personal and work environments.
So once you can startcorrelating that this knowledge
is transferable to another job,to a family, I think you drive
that and then the only challengeis just saying let's just come
(25:00):
up with relevant content andlike relevant messaging, so
we're not sending out 30 minutevideos of old school.
Onboarding of policies andprocedures are very important,
but it's like how do I make thisreal?
And distill it down.
And in the hearts and mindscampaign we do a lot of programs
for companies, small and large,and we have some live action,
some characters, some branding,but just some limited branding
(25:21):
on some like items and making itreal.
You get people to educate, youwant to learn about it.
And then to your point, nowthey're asking questions.
They're coming to you saying,hey, what about this idea?
They're cross functional.
So these are marketing folks orHR or finance.
This is not like your info,your info sector, your
technology people.
Speaker 2 (25:36):
Yeah, to put an espionage spin on it, because
that's what I do.
When you are trying to recruitsomeone and you're developing
that relationship with them, youhave to.
I mean, these people areputting their lives on the line
right, or their family's liveson the line.
What's in it for me is going tobe question number one.
So when organizations look atit that way and you put the
(25:57):
benefits upfront to thoseemployees, they are much more
likely to be engaged and tolearn than they are if you say
do it because we told you so.
Speaker 1 (26:07):
Kevin.
All right, I've got a couplemore questions to close us out
here.
Sean, what's your top takeawayIf you were, if speaking to all
the leaders that are on calls?
Top takeaway for insider threatif they're to do one thing, go
back to their company or theirjob, and maybe they have an
insider threat program.
Maybe they are just gettingstarted, maybe they don't have
one.
What's like the number onething that you want to leave
(26:30):
with the listeners?
Speaker 2 (26:33):
Really, the first thing that comes to mind is it
will happen to you Period.
Yeah.
And like I said earlier togetting into cyber, just do it.
Stand up a program.
You might not have a budget,you can do it with little to
nothing, but stand up a program,have people understand what it
is and start engaging with youremployees, like everything we
(26:56):
were just talking about.
It's like brand recognition,right.
Oh, there's that cool insiderthreat thing.
I think sharing case studies isreally important because if you
hear these real world storieswhich you guys heard when I was
on stage I share stories whenyou hear these stories, you're
like, oh crap, that is real, ithappened here.
It's really impactful.
Speaker 1 (27:17):
Awesome, Great segue again.
Storytelling Super important.
We've talked a lot about thatthroughout this episode.
Let's end on a personal note.
Give us a story that maybe nota lot of people that know you
know about.
I know you have a ton ofstories, both personal and
professional, but what's yourfavorite story to put yourself
out there and entertain thegroup?
Speaker 2 (27:37):
God, that's a tough one.
Speaker 1 (27:39):
I should have prepped you more, but it's not well
thought out.
Speaker 2 (27:43):
Something that tickles people a lot is that you
know, yes, I used to be a spy,but I used to work at Disneyland
.
Speaker 3 (27:51):
Disneyland or Disney World.
Disneyland the original yes,all right, yes, yeah, that was.
Speaker 2 (27:58):
I always tell people that was probably the best job I
ever had.
Yeah, because you and I usethose skills.
I went through DisneyUniversity twice because I
changed jobs.
I went from the characterdepartment to an actress and, um
, yeah, so you got to give usyour roles.
Speaker 1 (28:12):
What roles did you play or what jobs did you have?
Speaker 2 (28:15):
I'm going to ruin the magic for people.
Yeah, you can't.
So, aaron, this.
Speaker 3 (28:18):
I do know you can't say.
You can say I was friends withsomeone, yeah, but part of the
thing is, when you leave you cannever say who you are.
It's like hey.
I'm friends with so-and-so.
Speaker 2 (28:26):
Yeah, I knew Pluto, and you are really well though,
okay.
Speaker 1 (28:29):
Okay, yeah, I was going to ask if you were a
princess, a character with a bighead or a, you know, big, big
character.
Okay, all right.
Speaker 3 (28:38):
Yeah, she was good friends, good friends with them.
Speaker 2 (28:41):
Good friends, very good friends.
Speaker 3 (28:42):
Very good, awesome Hug along.
Speaker 1 (28:44):
I really appreciate you coming on the show.
This has been a greatconversation, as always.
Best of luck in your businessand really reaching your
audience and really helping toget the message out there around
insider, because you are right,just doing it and starting and
acknowledging hey, yes, we havea problem, let's figure it out.
Yes, that's really whereeveryone needs to be.
Yeah, yeah.
Speaker 3 (29:05):
And one thing too is that, to your point earlier,
shawnee, just reach out and likenetworks I know I heard you
speak and you walked us like,hey, hold on for a second.
We had a brief conversation, itwas like five minutes in San
Antonio, texas.
And here we are now.
As we've met, we have somepartnerships working up and
everything, but be bold and justask folks to talk about it
because no one has it allfigured out.
So I think everyone in theindustry likes to talk about
(29:26):
things.
Speaker 2 (29:26):
So and for that networking another tip.
Here's another espionage tidbitfor you.
People love talking aboutthemselves.
So when you are nervous or likeI don't know if I should
approach, ask someone aboutthemselves and you will open a
big old door.
Speaker 1 (29:40):
Love it On that.
Go forth and prosper.
Everyone, Ask somebody aboutthemselves and make it happen.
Thanks so much You're having me.
All right.
Thanks for tuning in to SimplySolving Cyber.
I'm Aaron Prince and I'm CodyRivers, and today we're here
with Shawnee Delaney, CEO fromViance Group, which means
courage and bravery.
I just learned that in French.
I'm very impressed.
How's?
It going Shawnee.
How are you doing?
Speaker 2 (00:27):
today.
I'm good Thanks for having me.
Speaker 1 (00:30):
Good, Well, we're excited to hear your story.
I know Cody and I got a previewat the HISAC in the fall I
guess it was late November.
But I don't want to steal anyof your thunder, so I'm just
going to go right into the firstquestion, which is give us your
story and I know it's aninteresting story into cyber and
take it away.
Speaker 2 (00:47):
Yeah, I probably have a little bit of an unusual
background getting into cyber.
So I was the black sheep of myfamily and I decided at a very
young age that I was going to bea spy when I grew up.
So I doggedly pursued thisdream.
I ended up working for theDefense Intelligence Agency.
I was CIA trained down at thefarm.
(01:10):
If you watch the movies, youknow what the farm is.
But yeah, so I did that forabout eight and a half years and
I liked to joke.
You guys saw my keynote, but Iliked to joke that I used to
steal secrets for a living andnow I help people protect their
secrets, which is actually very,very true.
So I did that.
I stood up inside our threatprograms for major Fortune 500
companies.
I had left government, wentinto private sector and then I
(01:32):
missed government, I missed themission.
So I went back and I worked forHomeland Security for a while
in their industrial controlsystems Cyber Emergency Response
Team, which I don't know if itwas the name or what, but that
program didn't last very long.
Speaker 1 (01:45):
So I did that for a while, went back into private
sector and then, about I don'tknow five years ago, stood up my
own consulting firm, All right,let's start with how does one
at a young age become a spy, orwhat do you put on your youth
development plan to go in thatdirection?
Speaker 2 (02:01):
Yeah, I think I probably put actor.
Speaker 1 (02:04):
What is probably some good traits.
Speaker 2 (02:06):
Well, yeah, I did.
Actually, when I was younger, Idid theater very begrudgingly.
I got dragged into it because Iwas a really shy kid, but those
are skills that you use whenyou are conducting clandestine
operations Because you areliving a cover right.
I was an alias when I wasmeeting with sources and assets,
so all of that acting actuallyreally came in handy.
Speaker 1 (02:25):
Yeah, no, that's true .
So I know we heard a fantasticstory of kind of one of your
cool missions at the HISAC.
But before we pivot into cyber,give us one of your best
stories as a spy and maybe drawsome correlations to how those
tactics were useful in the cyberside or the corporate side of
(02:45):
your life.
Speaker 2 (02:46):
If you know me, you know I have more stories than
anyone you've ever met in yourlife.
Speaker 1 (02:51):
Hard.
Right, You've got to pick yeah.
Speaker 2 (02:53):
I think probably the most well-known one is I was
very, very close.
I had an incredible asset whowas close with Osama bin Laden
and I was very close to beingthe one to say this is where he
is.
There was some majormiscommunication going on
between the intelligenceorganizations I was working with
, between my source and betweenmy interpreter, and I kind of
(03:15):
joke that this is like mybiggest success because I
recruited this guy who, I mean,how many white Western chicks
can say they recruited like theright hand man to Osama bin
Laden, but they misunderstoodwhere he was saying Osama was,
and so I woke up a few weekslater, probably three weeks
later.
I woke up and on CNN and said,you know, osama's caught in a
(03:37):
bot-a-bot and I was like, oh myGod, that's what he was saying.
Wow, I was like, oh, close, butno cigar.
Speaker 1 (03:45):
Yeah, in any parallels, like I'm just
reflecting on that point of likehuman communication and
translation, I worked atinternational companies and
tried to get awareness messagesout and like just silly
accidental translation companymistakes, that one thing that
you think would translate fairlyeasy turns into something
that's accidentally offensive ornot funny.
(04:08):
What are your thoughts on kindof?
I mean that probably happenedall throughout the spy game, but
how do you drop those learningsfrom what you experienced in
the field?
Speaker 2 (04:16):
I think really the bottom line is and this is for
any company that employs humans,which is all of you right- Link
, link yeah.
Every person is different andevery situation is different.
Every investigation isdifferent.
So every time I was running aclandestine asset or trying to
work with a developmental sourceto recruit them, you had to
(04:38):
figure out their motivations andvulnerabilities.
And really it's the same thingin your companies your employees
all have unique motivations andvulnerabilities and you have to
figure out what those are andyou have to encourage those as
well and you have to push peoplealong and you do need that
positive deterrence as well asthe negative deterrence.
(04:59):
But it's finding that balance.
So, with that said kind oflooking at your organization,
culture is so, so critical andit is the same thing in
espionage.
In that arena too, culturematters, understanding people
matters and I'll add, above allelse, empathy matters.
I mean, like the story I justtold you, and I told you a tiny,
(05:21):
tiny nutshell.
There's a podcast out theresomewhere where I tell the whole
story.
But having empathy is critical,right, you have to empathize
with what people are goingthrough, no matter what it is in
their life, and I think that alot of C-suite sit up there and
they look down and people arenumbers and you can't do that
and that's where that humanfactor comes in and when people
(05:43):
need to realize that that is Imean insider risk is your
biggest risk.
You have all these people withaccess, all these trusted
business partners, all thesevendors.
So what are their motivations?
What are their vulnerabilities?
Are those changing?
Yes, they're changing every day, depending on their personal
situations.
Speaker 1 (05:59):
Yeah, yeah.
What do you say to the I wouldsay stereotypically, the more
technical cyber leaders that youknow, I've heard you know
fairly senior leaders say we'renever going to fix the human,
like humans are going to alwaysmake mistakes.
I'm not going to fund awareness, we're going to just get as
many tools to take the thoughtpattern out of it.
What would your counterpoint tothem be, based upon what you
(06:21):
were just saying?
Speaker 2 (06:22):
Yeah, I think that's BS really when you're talking
about humans, right?
Like I just said, everyone.
Every day, our priorities arechanging.
Maybe you have a sick loved oneall of a sudden.
I have a dear friend whose momjust died two days ago.
Right, you don't know what'sgoing to happen today.
You don't know what's going tohappen tomorrow.
So the thing is, with trainingand awareness, you are building
(06:43):
the foundation.
If we're building a house, thatis the foundation for
everything you are buildingabove it.
If you don't have enterprisewide awareness as to what the
threats are and how us asemployees could actually
contribute or make it worse,you're going to have a problem.
You can have all the tools inthe world, but if you don't have
(07:04):
people saying, oh shoot, I'mrecognizing that someone over
there on my team is actingdifferent and I understand now
that that could be a red flagfor something nefarious.
And I need to report that ifyou don't instill those
behaviors of that good musclememory and that good cyber
hygiene, those tools are goingto do you no good, really.
Speaker 3 (07:27):
Yeah, and you get some great points there.
So, going back a little bit tothe transfer from clandestine
operative recruiting high levelintelligence agents in other
countries and what you're doingnow with inside a risk air nigh
and reveal risk as a whole, twoare very strong on the pillar of
people in process and so Ithink inside a risk party your
(07:48):
presentation we saw was aboutlike don't wait until something
bad happens to start building aprogram, and so I think, kind of
talk through us about whatyou're seeing as far as a good
strategy, because a lot of timesI talk to folks about awareness
programs and there's like Idon't know where to start.
I don't know how much it'sgoing to cost out of the people
for it.
Or I came in with leadership toAaron's point earlier that this
(08:09):
is an important thing to eveninvest in.
So what are you seeing rightnow with your clients in the
market?
Speaker 2 (08:14):
Yeah, the same, really, when you think about it,
and I think Ponaman just cameout with their report for 2023,
and they found in their report Ithink it was like almost 92% of
organizations, they'reinvesting their security budget
in external threats.
But the thing is, over half ofthese organizations recognize
(08:35):
that social engineering andother attempts like that are
actually the leading cause ofall of those outside attacks.
Right, so they know it.
I talk to people every day inmy business who know they need
an insider risk program orinsider threat program, whatever
you want to call it.
But, like you said, they don'tknow where to start, and I think
what a lot of people don'trealize is that you probably
(08:56):
have good bones already and youprobably have tools and
processes and people that youcould pull from and not have to
reinvent the wheel.
Now I really really think thatyou need a program manager for
that program.
I really really believe thatyou need to make this a
transparent program.
I really believe in marketingand branding of this program and
(09:18):
the mission of the program theright way, so that people don't
think big brother's spying on me.
They're watching me all thetime.
Instead, it's we're here tohelp you.
We want to keep you and yourfamily safe.
It's all in how you sell it toyour employees to get that buy
in.
And then also creating aworking group, creating a
steering committee above that,where you have people from every
(09:40):
single stakeholder.
That's kind of what I likeabout it is you're working with
everyone across the company,right, and so you're building
those relationships.
You're teaching all of thesegroups that gosh.
When something interestinghappens in an HR or someone's
put on a performance review or aPIP or something, maybe they
should let the investigationsteam know and the insider threat
team know, or maybe they shouldbe monitoring with the IT
(10:01):
security team.
So bringing all those peopletogether, sometimes it's a
hurdle, but it's doable.
I've done it, I've seen it,I've seen it all the time.
Speaker 3 (10:09):
Well, and the thing I do I see a lot too is even
looking back at what is insiderrisk and insider threat.
I think a lot of folks rightaway think that, well, it's a
spy or my company or someone'syou know, corporate espionage.
So we don't have I trusteverybody, we're a small company
, we have a good culture, so wedon't have anyone trying to spy
on our company and exfiltrate IPor secrets, which is a real
thing and there is a lot ofcases that go on.
(10:31):
But give us a little insighttoo about the different kinds of
insider threat and risk.
Speaker 2 (10:36):
Yeah, that's a great question because that, to your
point, that's what a lot ofpeople think theft of IP or
espionage, and that's it.
I've had cases where, like Istill feel bad for this manager,
there was a manager, heremployees who she was very close
with.
They were friends.
Two of her employees werecommitting fraud I mean massive
amounts of fraud and when shefound out she was crying on my
(10:57):
shoulder saying but how couldthey do this to me?
And I said they weren't doingit to you, they were trying to
survive.
Right, this is right.
Before COVID they didn't makeany money, they were external
employees, they weren'tfull-time employees, so they
didn't have that loyalty.
So there are a lot of thingsthat happen in people's lives.
They're not doing it to thecompany.
Speaker 3 (11:17):
I think one thing you also mentioned too, like the
difference from unintentionaland intentional and the power of
the awareness programs andbuilding the education, and like
strengthening yourunintentional insider risk which
then drives security and buildsmaturity to the intentional
insider risk.
Speaker 2 (11:32):
Yes, yeah, and I think basically I like to put it
in a pyramid, if you have thatgraphic.
So at the bottom of thatpyramid is the unintentional,
the negligent.
That could be someone who makesa mistake, which is the vast
majority of cases.
That could be someone whothinks well, I'm not doing
anything bad and I know I'm notsupposed to do that according to
policy, but I'm going to do itanyway.
(11:52):
You know, a lot of people aredoing things just to do their
job.
They're trying to find aworkaround.
They're not trying to bemalicious, but that's
compromising.
Whatever you know, ip, whatever.
There's a whole bunch ofoptions.
The next category is thecompromised insider.
Those are basically themalicious actors who are feeding
off of those negligentemployees and stealing
(12:13):
credentials and things like that.
The next category, the top ofthat pyramid, would be the
malicious actors.
Luckily that's the smallestcategory.
Now the thing is, when we talkabout training and awareness and
investment, you can train awayheavily that negligent and that
compromise those two categories,the big base of that pyramid.
You can bring awareness, wherepeople stop doing dumb things
(12:34):
because now they know, oh shoot,I shouldn't do that.
But people are going to argueand this is totally true, you're
never going to train awaymalicious insiders.
If I am set on stealing IP orcommitting workplace violence,
I'm going to do it.
My training is not going tomatter, but by training
everybody else, you now haveeyes and ears everywhere where
they understand the importanceof reporting, they understand
(12:56):
what red flag indicators thereare, they understand when
someone's pattern of behaviorhas changed and they know how to
report.
Speaker 1 (13:03):
Yeah, they see something, say something, like
if people don't know that that'spart of their job.
They're not going to do it.
So we've talked a little bitabout awareness and the
connection to Insider.
Talk to us and I know weactually both had some
experiences in pharmaceuticalsand Insider threat experiences
and programs.
Where do you get started?
Like when you're coming into anew company, talk about how you
(13:24):
help them get over the hump of,as Cody mentioned, we don't know
if we need it, and then two tostart building the building
blocks of the program.
What do you do first?
How do you evaluate what theneeds are?
Speaker 2 (13:35):
Yeah.
So the first thing I say topeople is well, do you employ
humans?
The answer is yes, then youhave insider risk.
100% of your employees are yourinsider risk.
That's the risk of someonemaking a mistake, of someone
being human.
The insider threat is whensomeone that's right of boom
(13:55):
instead of risk is left of boom,as we say.
So what we do when we come inand I really like this process
is I've basically broke it downinto four phases.
The first phase is doing aninsider threat vulnerability
assessment I like to call it ahuman risk assessment and in
that you can look at what is theground truth of that
organization, because you couldthink your culture is great, you
(14:17):
could think you've got all thegovernance and all the tools,
but really when interviewingevery stakeholder it could be an
absolute nightmare and I'veseen that.
The thing with that also isimportant is it's looking at
morale, it's looking at cultureand it's looking at what you're
doing right.
So when you take that report,then you can build off your
program from that report and youcan understand what you need to
(14:40):
really focus on, what you needto improve, especially related
to like process or governance,and then kind of how to take it.
So those are the first two.
You know, the human riskassessment, the governance
building the program, and thefirst phase is everyone's
favorite trading and awareness,because again, you need that
foundation Right.
Speaker 1 (14:58):
What would you say and I've had this in many
different companies to anexecutive could be a CIO or a
CEO that said we'remanufacturing but we don't
really have IP, we don't havethe crown jewels, we're not an
R&D focused company, we're amanufacturing delivery company.
What would your comments be tothat?
Speaker 2 (15:18):
Yeah, actually there is a major tech company and the
CEO made an announcement toeveryone in a huge meeting and
this lasted for years, like themorale effect.
It affected morale for years,where he said we have no IP, we
have no trade secrets, we havenothing to protect and he was
absolutely incorrect, by the way.
So my comeback to that would bedo you have anything within
(15:41):
your business, within your datasets, within your emails, within
your knowledge base, that wouldhelp a competitor?
Because if the answer is yes,then you have intellectual
property, you have trade secrets.
Do you have processes that arespecial and unique to you?
Yeah, probably.
Then you might want to protectthose things.
Speaker 3 (15:59):
One thing I see, too is to your point of supply chain
right, are you a door to abigger fish?
So why I may not be interestedin what you house I mentioned in
the keys that you have to othercompanies and to back doors.
That's why we see a lot ofthings on third party risk,
which is a different topic for adifferent day, but a lot of
times I think, when you'relooking at what are people
interested in from the outsideto then solicit my employees to
(16:22):
get access to, I think that isoften undervalued or
underestimated.
Speaker 2 (16:25):
Absolutely.
Do you want to be on the frontpage of the New York Times?
Probably not.
Speaker 3 (16:30):
Reputational risk.
I think Aaron says it's greatwhen the four options for risk
and one's transfer and Aaronalways says you can share the
risk, you can't transfer therisk because, yes, you can
probably offset some of thefinancial damage, but
reputational damage isreputational damage, so you
can't transfer that risk.
Aaron, do you want to take yourthunder there?
But I love that you say that oncertain calls and I think it's
(16:50):
very valid because I think someof the tech focused people think
I'm good, I got this, I'll getsome cyber insurance and then
I'm good, risk transfer andthey'll look around my plate.
Speaker 2 (16:59):
Yeah, and I think also like throw in social media
in the court of public opinion.
That could be pretty nasty andeven if the direction and the
opinion is completely off base,it's really hard to change that
narrative when social media isjust fueling it.
Speaker 1 (17:15):
I think all three of us.
It's fair to say that we alllove coaching people.
Obviously, we wouldn't be inconsulting if we weren't but
Shawnee talk about coaching newtalent into cyber.
What advice would you have forlisteners that are maybe just
getting into the field orthinking about getting into the
field?
What's your advice for them,knowing what you know, this far
(17:35):
into your career?
Speaker 2 (17:36):
Yeah, just do it.
Go ahead, Cody.
Speaker 3 (17:39):
Actually added that too, because I have.
I've been to a lot of entrylevel people and cyber and they
always ask me I'm not in thetech and tools by life cyber,
what else is out there?
So that's what just Aaron said.
I think that'd be supervaluable, for hopefully my
mentees are listening to thispodcast, but I think they'd be
very grateful to hear.
Speaker 2 (17:55):
Yeah say, I do a ton of mentoring as well and I am
constantly pitching out insiderthreat and here's why.
So, first of all, this is afield that is in cybersecurity,
but it's really that humanfactor overlying.
If you think about all thephishing emails, it takes
someone's finger to click thatlink right.
That's the human angle.
So when you're looking at thisrealm, I am not techie.
(18:18):
I have a master's incybersecurity.
I hated doing my labs, I hatedcracking passwords, right.
But you can do psychology.
You can do industrial,organizational psychology,
behavioral psychology, forensicpsychology all this applies.
You can have a law enforcementbackground, like me.
You can have an intelligencebackground.
You know I used to steal yoursecrets.
(18:39):
Now I can help you protect them.
Right, cyber IT.
The cool thing about this isthere's so much in this realm.
Understanding people'smotivations, understanding why
people do things, is really key.
Digital forensics like they're.
Really I could tick a ton ofboxes and, like I said earlier,
every case is different andthat's the fun thing is figuring
(19:00):
out why.
Why did they do it?
How did they do it?
You know for the people outthere that, like all the drama
crime shows and CSI, whateverit's this kind of stuff and it's
a lot, a lot of fun.
I'll also add network your assoff, like seriously.
Leverage LinkedIn, leveragepeople you know.
Ask them who they know.
Ask them if there's anyone youcould meet or be introduced to
(19:23):
in the field.
Find a way to get to.
Yes, a lot of times people areapplying to roles as newbies, as
being green, and they'restruggling to get in, even
though we've got a deficit ofhundreds of thousands of
positions just in the US.
Keep pushing.
Don't take no for an answer.
Find a workaround.
Take a different role in acompany you really really find
(19:46):
appealing or whatever, and thenlearn constantly.
Learn.
Take every class you can andinside our threat, there's a ton
of free training availablethrough the government.
There's paid training also, andall of them are very, very
interesting.
Each one.
You're going to learn somethingdifferent, but work every case
you can, at any level you can,just to learn all the different
(20:08):
processes around these things.
Speaker 1 (20:11):
Cool, yeah, I went through the FBI Citizens Academy
this last fall and I'd seenthem before, but some of the
videos that they put togetherdramatically reenacted but all
about corporate espionage andinsider threat and some ways
that you wouldn't think that itwould have happened in
industries that you wouldn'tthink that they were targeted.
But yeah cool stuff.
Speaker 2 (20:28):
Yeah, absolutely.
And I think like to one of yourearlier questions too, when we
were talking about what isinsider risk and insider threat.
People need to really recognizethat it's such a wide scope of
what it entails.
Right, it can be workplaceviolence.
It can be an interofficerelationship gone bad.
It can be bad publicity onsocial media or media leaks.
(20:49):
There's a lot of differentstuff under that umbrella.
Speaker 3 (20:52):
Yeah, I think to cap on that as well too.
Looking at new professionals, alot of my mentees say, well, I
don't have three or five yearsof experience in this or in that
.
I'm like do you have problemsolving?
Do you have people, do you haveleading projects?
Do you manage a budget?
Those are things that are very,very tied to cyber related,
that aren't so technical.
But I say work on the story andI think to your point, learning
(21:14):
what insider risk is.
I get it and an idea of whatthat is and then take your skill
sets, match those and kind ofput that in your resume as you
reach out to people.
Speaker 2 (21:21):
Exactly.
Speaker 1 (21:22):
We just started working with a new client that
has almost every tool that youcould want to have, no dedicated
cyber talent, all run byinfrastructure, and they're just
turning stuff on and we're likelet's take a step back here.
We need to think about peopleprocess, what you're going to do
with the results.
Yeah, yeah, the tool activedoesn't mean that you are
capable of taking theintelligence or whatever it's
(21:44):
spitting out and turning thatinto a risk reduction.
So I think, cody, to your point, there's plenty of roles beyond
running the tech that are soneeded and, in my opinion, more
needed.
That's more of a deficit in themarket.
Speaker 3 (21:58):
Yeah, so, aaron, and in that same vein, this is great
.
It's almost like this isscripted.
So technology and cyber isalways critical, but, chania,
I'd love if you can give us astory about a project or
initiative within your corporatethat only exceeded through
people and process focus.
Speaker 2 (22:14):
Yeah.
So an organization that I wasworking with standing up a
program I won't name the company, but is a major, major company
they had no tools, no tech,nothing, and we're talking about
tens and tens of thousands ofemployees globally.
So the program the only thingwe had to stand up this program
(22:37):
and to get any buy-in wasthrough the processes and
through the relationships thatwe built with all the
stakeholders, kind of like whatI was alluding to earlier.
What we did was leveragingtraining and awareness.
We made very short, like30-second Hollywood style videos
just showing reenactments ofcool cases, trying to get people
.
I mean, look, we're like aNetflix nation now, right, we
(23:00):
need to be entertained.
Everyone has the attention spanshorter than a Goldfish, by the
way.
So we really focused on makingthings interactive and engaging.
We leveraged pop culture andwhat was going on in the world
the Oscars and the Emmys and theawards season movies.
We made things fun and we gotso much engagement and we
actually got people constantlyemailing the insider threat team
(23:23):
saying thank you so much fordoing this.
We brought in keynote speakersto talk about how to protect
your family at home, how do youlock down your weird Alexes and
series and all the things, yourrefrigerator and your oven
everything's connected.
Now, how do you keep yourfamily safe?
Yeah, so by doing all of that,not only did we get buy-in and
support from the employees, like, oh wow, the company really
(23:44):
cares about us, but all thestakeholders were like, oh wow,
you're not trying to step on ourtoes, you're actually here to
help.
And it worked and culturestarted shifting and we had a
really successful program, evenwithout the tools.
Speaker 3 (23:57):
Yeah, I think your point earlier about culture is
important.
Two things in that is.
I think that one a culture offear or trouble if something is
reported or something is seen isthat we've seen that go well
because they make a mistake,they pick on a fish.
They have two options.
I can report myself and maybeprobably get in trouble or get
some kind of reprimand, or I cannot say anything and hope it
(24:18):
goes under the rug and it goesaway.
One option is leads to a longertime of something you ever be
discovered or a breach going on.
The other one is hey, we foundit.
Let's focus on training andlet's educate.
I think people have a intrinsicdrive to learn and to educate or
to learn about this Because itis interesting.
What we've seen is, to yourpoint, it's a hearts and minds
campaign.
(24:39):
It's like why is this not justimportant to you as an employee
of company X?
This is important to you foryour kids, your parents, your
grandparents, your cousins,because it happens to folks in
personal and work environments.
So once you can startcorrelating that this knowledge
is transferable to another job,to a family, I think you drive
that and then the only challengeis just saying let's just come
(25:00):
up with relevant content andlike relevant messaging, so
we're not sending out 30 minutevideos of old school.
Onboarding of policies andprocedures are very important,
but it's like how do I make thisreal?
And distill it down.
And in the hearts and mindscampaign we do a lot of programs
for companies, small and large,and we have some live action,
some characters, some branding,but just some limited branding
(25:21):
on some like items and making itreal.
You get people to educate, youwant to learn about it.
And then to your point, nowthey're asking questions.
They're coming to you saying,hey, what about this idea?
They're cross functional.
So these are marketing folks orHR or finance.
This is not like your info,your info sector, your
technology people.
Speaker 2 (25:36):
Yeah, to put an espionage spin on it, because
that's what I do.
When you are trying to recruitsomeone and you're developing
that relationship with them, youhave to.
I mean, these people areputting their lives on the line
right, or their family's liveson the line.
What's in it for me is going tobe question number one.
So when organizations look atit that way and you put the
(25:57):
benefits upfront to thoseemployees, they are much more
likely to be engaged and tolearn than they are if you say
do it because we told you so.
Speaker 1 (26:07):
Kevin.
All right, I've got a couplemore questions to close us out
here.
Sean, what's your top takeawayIf you were, if speaking to all
the leaders that are on calls?
Top takeaway for insider threatif they're to do one thing, go
back to their company or theirjob, and maybe they have an
insider threat program.
Maybe they are just gettingstarted, maybe they don't have
one.
What's like the number onething that you want to leave
(26:30):
with the listeners?
Speaker 2 (26:33):
Really, the first thing that comes to mind is it
will happen to you Period.
Yeah.
And like I said earlier togetting into cyber, just do it.
Stand up a program.
You might not have a budget,you can do it with little to
nothing, but stand up a program,have people understand what it
is and start engaging with youremployees, like everything we
(26:56):
were just talking about.
It's like brand recognition,right.
Oh, there's that cool insiderthreat thing.
I think sharing case studies isreally important because if you
hear these real world storieswhich you guys heard when I was
on stage I share stories whenyou hear these stories, you're
like, oh crap, that is real, ithappened here.
It's really impactful.
Speaker 1 (27:17):
Awesome, Great segue again.
Storytelling Super important.
We've talked a lot about thatthroughout this episode.
Let's end on a personal note.
Give us a story that maybe nota lot of people that know you
know about.
I know you have a ton ofstories, both personal and
professional, but what's yourfavorite story to put yourself
out there and entertain thegroup?
Speaker 2 (27:37):
God, that's a tough one.
Speaker 1 (27:39):
I should have prepped you more, but it's not well
thought out.
Speaker 2 (27:43):
Something that tickles people a lot is that you
know, yes, I used to be a spy,but I used to work at Disneyland
.
Speaker 3 (27:51):
Disneyland or Disney World.
Disneyland the original yes,all right, yes, yeah, that was.
Speaker 2 (27:58):
I always tell people that was probably the best job I
ever had.
Yeah, because you and I usethose skills.
I went through DisneyUniversity twice because I
changed jobs.
I went from the characterdepartment to an actress and, um
, yeah, so you got to give usyour roles.
Speaker 1 (28:12):
What roles did you play or what jobs did you have?
Speaker 2 (28:15):
I'm going to ruin the magic for people.
Yeah, you can't.
So, aaron, this.
Speaker 3 (28:18):
I do know you can't say.
You can say I was friends withsomeone, yeah, but part of the
thing is, when you leave you cannever say who you are.
It's like hey.
I'm friends with so-and-so.
Speaker 2 (28:26):
Yeah, I knew Pluto, and you are really well though,
okay.
Speaker 1 (28:29):
Okay, yeah, I was going to ask if you were a
princess, a character with a bighead or a, you know, big, big
character.
Okay, all right.
Speaker 3 (28:38):
Yeah, she was good friends, good friends with them.
Speaker 2 (28:41):
Good friends, very good friends.
Speaker 3 (28:42):
Very good, awesome Hug along.
Speaker 1 (28:44):
I really appreciate you coming on the show.
This has been a greatconversation, as always.
Best of luck in your businessand really reaching your
audience and really helping toget the message out there around
insider, because you are right,just doing it and starting and
acknowledging hey, yes, we havea problem, let's figure it out.
Yes, that's really whereeveryone needs to be.
Yeah, yeah.
Speaker 3 (29:05):
And one thing too is that, to your point earlier,
shawnee, just reach out and likenetworks I know I heard you
speak and you walked us like,hey, hold on for a second.
We had a brief conversation, itwas like five minutes in San
Antonio, texas.
And here we are now.
As we've met, we have somepartnerships working up and
everything, but be bold and justask folks to talk about it
because no one has it allfigured out.
So I think everyone in theindustry likes to talk about
(29:26):
things.
Speaker 2 (29:26):
So and for that networking another tip.
Here's another espionage tidbitfor you.
People love talking aboutthemselves.
So when you are nervous or likeI don't know if I should
approach, ask someone aboutthemselves and you will open a
big old door.
Speaker 1 (29:40):
Love it On that.
Go forth and prosper.
Everyone, Ask somebody aboutthemselves and make it happen.
Thanks so much You're having me.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com