June 16, 2025 • 37 mins
Trench Leadership: A Podcast From the Front is humbled to have been named #5 in the Top 20 for Best Canadian Leadership-themed podcasts for 2025.
What happens when rockets are landing near your Middle Eastern manufacturing facility, and you discover IBM mainframes from the 1980s running your critical systems? For cybersecurity leader Ian Patterson, CEO of Plurilock, this wasn't a hypothetical scenario but a real crisis requiring immediate action. As Ian explains, "We never have as much data as we would like to make a decision... being able to act and continue moving in the right direction with limited information ultimately allows momentum to continue."
This episode explores the importance of professional networks in leadership, what Ian calls the "camaraderie between CEOs" and what military leaders know as the "Chiefs Network." These relationships prove crucial when facing unprecedented challenges, reminding us that effective leadership isn't about having all the answers but knowing where to find them.
Perhaps most fascinating is how cybersecurity has evolved beyond technical challenges to encompass complex regulatory and legal considerations. The field's rapid growth has created an estimated 4 million unfilled positions globally—a number that has doubled in recent years.
Join us for this eye-opening discussion about leadership on the digital frontlines.
Trench Leadership: A Podcast From the Front is humbled to have been named #5 in the Top 20 for Best Canadian Leadership-themed podcasts for 2025.
Connect to Trench Leadership:
YouTube: https://www.youtube.com/channel/UCYnaqOp1UvqTJhATzcizowA
Trench Leadership Website: www.trenchleadership.ca
LinkedIn: https://www.linkedin.com/company/trench-leadership-a-podcast-from-the-front/?viewAsMember=true
Are you looking for a podcast editor/producer? Do you enjoy the quality of the show? The editor of Trench Leadership, Jennifer Lee, is taking new clients. Reach out at https://www.itsalegitbusiness.com.
Reviews are the best way for the show to know what is working, what needs improvement, and what to talk about in the future.
If you have a topic that you're passionate to hear more about, feel free to reach out at simonk@trenchleadership.ca to connect and share your ideas.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Simon (00:07):
I would like to begin this episode by acknowledging
that I am located in Ottawa,Ontario, Canada, and I am
privileged and honoured to liveand learn on the unceded,
unsurrendered territory of theAnishinaabe Algonquin Nation.
Glen (00:24):
Hello, you're listening to Trench Leadership
From the Front, a show foremerging leaders from all
professions to hear from otherleaders who have led from the
front, made the mistakes, hadthe triumphs and are still
learning along the way.
Produced by Jennifer Lee at,"t's a Legit Business, a podcast
(00:44):
launch and management company.
And now here's your host, simonCardinal.
Simon (00:55):
Hi everyone and welcome to another episode of Trench
Leadership (00:58):
A Podcast From the Front.
And, as everyone is aware, Ilove talking to guests.
I love speaking with everyone,I love hanging out, I love
getting to meet everyone andmaking those connections.
It's what really gets me going.
And I especially love talkingto fellow Canadians and that is
why today is extra special forme because, as I've begun the
journey of re-recordingeverything, I get to talk to
(01:19):
another Canadian in what Ibelieve to be the beautifulest I
don't know if that's a realword, but we'll go with it the
most beautiful city in all ofCanada Victoria, British
Columbia.
Ian L.
Patterson, hey Ian, how's itgoing out that way?
Ian L. Paterson (01:32):
Simon, it's well.
First of all, thank you forhaving me.
We're trying to keep a lid onhow nice Victoria is.
It's getting popular enough asit is.
You know, it's funny.
Actually, most of the time whenI'm talking to somebody on a
Zoom or a Teams call or whatnot,you start with pleasantries hey
, how you doing, where are youfrom?
I used to actually not sayVictoria, I used to just say
Vancouver, because I figure, ifyou're in Singapore or if you're
(01:54):
in Sydney, Australia, or ifyou're in London, Victoria is
too small of a city you haven'theard.
And yet it's actually one ofthose cities that everybody
either has been to once in theirlife or wants to go to once in
their life.
So it's actually become quite aquite an interesting calling
card.
Uh to, uh to, to include aspart of, as part of my identity.
Simon (02:12):
Oh, that's amazing.
I'm so I'm happy to hear thatI, that city is just incredible.
That is where I went and did mymaster's degree and, uh, it's
just, there's just somethingabout the vibe and the feel of
that city.
It's unless you've been there,there's no way to know, but it's
, it's incredible.
So, yeah, I love it.
Well, thanks, thanks so muchfor coming out today.
And, and before we get into themeat of things, I'm wondering
(02:33):
if you wouldn't mind taking afew minutes and just let us, let
us learn about Ian.
Who is Ian?
Ian L. Paterson (02:39):
Well, I appreciate that.
I mean, my background is maybea little bit different than most
.
I started way back, whichactually is starting to the
years are starting to accrue themore that I think about it but
I started really just assomebody who was passionate
about learning and passionateabout technology.
(03:00):
About technology, I didn't domuch academically and certainly
did not go down the typical goget a university degree and kind
of know what you were wantingto do ahead of time, etc.
In hindsight I don't know,maybe things would have turned
out differently had I done that,but I was really just focused
(03:22):
on building my skills andlearning myself.
And so in my first real job interms of the career was working
for a venture-backed companydoing e-commerce analytics, and
my role specifically within thatorganization was to help very
large enterprises make betterdecisions using data.
(03:42):
So it was great.
It was a lot of fun, learned alot.
This was in sort of the 2010sera, back when e-commerce was
first having its really big boom.
Got to meet a lot of people, doa lot of interesting things, a
ton of learning, both on the job, intentionally and also perhaps
(04:02):
unintentionally.
So I got to see a lot of howbusiness worked, perhaps not
always learning about what youshould do.
In some cases, it was learningwhat you shouldn't do.
That company eventually wasacquired and fast forward a few
years to get to Plurilock, andwe started actually as what I
(04:26):
thought was going to be a datacompany, and so you know again,
kind of going back to that dataand analytics background.
Plurilock very quickly, though,became a cybersecurity company.
It happened to be that we wereanswering cybersecurity
questions using data, and thenone thing led to another.
We started doing a lot of workwith the US federal, US Army and
(04:47):
US Department of Defence.
That exposed me and us.
It was a small team at thattime, but exposed us to really
the real world, and what I meanby that is, naively, going into
our first couple of customerengagements, I actually thought
I believed the marketing hype.
I believed that everybody wasalready totally secure.
(05:08):
AI technology was widelydeployed, everything was
top-notch, and they just neededanother edge, and what I came to
find out was, in fact, nobodyhas their stuff together.
Everything is disorganized.
In particular, the most largeinstitutions in the world, both
public sector and private sector, struggle with basic things
(05:29):
like understanding how manydevices they have or they own,
and I can tell you a funny storyabout that keeping things up to
date, even making sure thetechnology was from the same
decade, and I can tell youanother story about that.
And so very quickly it becamequite clear that for us to have
impact and create value for ourcustomers wasn't necessarily by
(05:51):
just bringing a new widget thatwas bigger, shinier, faster, et
cetera, but in fact sometimes itwas doing things that were more
people related or processrelated, and so Plurilock today,
or process related, and soPlurilock today.
We do a lot of different things, but the area of the business
that I'm most passionate aboutis a team called Critical
Services, and Critical Servicesis where we're providing very
(06:14):
high-end cybersecurity work forsome of the most consequential
organizations in the world.
So our mission is to safeguardcritical infrastructure in order
to preserve democracy, and theway that we're doing that is
through a cybersecurity lens.
So, Simon, happy to kind of diginto some of those or maybe
tell you some stories about someof our work, which might
(06:34):
actually be fine, surprising,but that's where I've come from
in a nutshell.
Simon (06:40):
Well, thanks so much for that time.
I love the background and thediversity and yet staying within
the same type of of mindset andand field.
It's interesting how we're allable to move around and get into
these different spots and dothe different things.
That we go because quite often,as a new leader, that the more
often than not we're promotedinto these positions not based
(07:00):
off of our proven leadershipskill set, but our proven
technical skill set, and thenall of a sudden we're in doing
something else that we might notnecessarily be ready to do, for
whatever reason, and that'sokay, because we were talking
about it before we startedrecording that we're expecting a
lot of times leaders will putthese ideas in themselves that
there's an expectation, aself-imposed expectation, that
(07:22):
we need to have all the answersbefore we get going, when in
fact, you had said it but the 20, we might have the 20, 30%
knowledge to be able to go forthand yet still still produce and
what we have to do that.
Did you experience those typesof things as you were getting
along into the profession?
Ian L. Paterson (07:39):
Yeah, I mean, I think I think as leaders, we
never have enough data, or letme rephrase that we never have
as much data as we would like tomake a decision.
There's very rarely a decisionwhere you have perfect
information.
There's always some amount ofinformation asymmetry I'm
thinking about like negotiations, for instance there's always an
(08:00):
information asymmetry.
But even just in regular day,you know, do you do X or do you
do Y?
Well, it'd be nice if you knewall of the ramifications if you
chose X versus Y.
You don't always necessarilyhave all of that information,
nor do you have the time or theresources to go to go run those
things totally to ground.
So, uh, so being able to uh, toact and and continue moving, uh
(08:24):
in the right direction withlimited information, to try and
get more information perhaps, somaybe not taking a huge
consequential decision, maybeyou can make a smaller decision
to get you a little bit forward.
Continue to advance Ultimatelyallows momentum to continue, and
I think where things reallystart to slow down or get stuck
(08:46):
in the mud is when you're justyou're frozen.
I don't know.
Someone once said that it wasan Eisenhower quote that said
the best decision is the rightdecision followed by the wrong
decision, followed by nodecision, really meaning, as
long as you do something, it'sbetter than doing nothing.
Simon (09:03):
Oh yeah, otherwise you end up in the paralysis of doing
nothing and that becomes aproblem and it actually destroys
that momentum that you had beenspeaking about, and I would
like to talk more about that.
What do you think is a way fornew leaders to ensure they are
driving forward with thatmomentum, and what happens if
they feel like that paralysismight be coming up?
Ian L. Paterson (09:22):
Well, I think one of the things you can do is
you can turn to the peoplearound you I mean, oftentimes
you are not the smartest personin the room, you don't have the
most experience, but somebodyelse in the organization does,
or maybe somebody else outsideof the organization does, and so
being able to call on thoseresources and being okay with
you not having necessarily allthat information, but if you can
(09:44):
collect that information,that's crucial.
I mean, one of the things thatwe did at Plurilog very early on
is we went way overboard onrecruiting the absolute best
leaders, advisors, mentors,board directors and industry
counsel that we possibly could,and we sometimes joke that every
company talks about having aworld-class team.
I actually think we possiblycould, and we sometimes joke
(10:04):
that, you know, every companytalks about having a world-class
team.
I actually think we have one,and even from very early on,
we'd recruited the formerdirector of the NSA and Director
of National Intelligence,Admiral Mike McConnell, who
served as our lead independentdirector, and we just we have an
amazing team of people aroundus.
For exactly that reason, wedon't always necessarily have
the answers ourselves.
(10:25):
Other people might, though, andbeing able to to to lean on that
team um has has certainly beencrucial for us and in in our
success.
Um, and also for me personally,uh, being able to to call on
those people for advice.
I mean, one of the uh, perhapsone of the surprising things is
is, um, we have, we have, uh,we're, we're fortunate enough
that we have several viceadmirals who serve in some
(10:48):
capacity in our ecosystem and,more often than not, when I call
them asking for help, it's notabout cybersecurity, it's not
about signals, intelligence oranything that they've spent 40
or 50 years in a career orcryptology 40 or 50 years of
their career focus on.
It's actually about leadership.
It's about people.
(11:08):
It's about managing a team,leading an organization, because
they've been there and donethat.
Simon (11:15):
And that's okay to not have that information.
I think that's often somethingthat gets missed when people are
new to leadership roles or thesecond or third tier in whatever
their career path is.
Is that expectation to to havethose answers?
That's just not a thing.
We're just not able to do that.
Uh, at my level, my rank level,I'm a Master Warrant Officer and
I'm in the position of asimilar to a Chief Warrant
(11:37):
Officer's role and the networkthat I have we we call it the
chiefs network, and it's a wholebunch of the chiefs, the
different squadron chiefs,throughout the wing that I work
at the base, in the Canadianterms and uh, anytime we have a
question, we just fire that outto this mass email and and it is
.
And often I've talked about thechief network with different
people throughout the last fewyears and often what the
(11:59):
response will get back is oh you, everyone must be talking super
high level, like, like, how doyou fix the, this major problem
in the air force?
And I'm like well, no, moreoften than not it's hey, listen,
how do I, where do I find this,this boot claim for someone to
be able to reimburse their boots, because, even though I've been
in the military for a long time.
I don't know where everythingis, and we all, we, we track
(12:20):
these things down and that'swhat keeps that momentum going
forward is being willing toadmit that we don't know
everything.
Do you have any thoughts onthat at all?
Ian L. Paterson (12:29):
So there's a similar camaraderie between
other executives in particularother CEOs or other founders.
There's a unique relationshipthat we have to one another
because there's very few otherstakeholders just in the
ecosystem who have that set ofshared experiences, shared
worldview, shared experiences.
In the unique position, even ifit's a different company, a
(12:51):
different industry, a differentbusiness model, et cetera, there
are certain pressures that anexecutive or CEO would have and
there's significant camaraderie.
And so it's funny.
I've never heard of the ChiefsNetwork and I suspect most
people probably haven't heardthat there's a secret cabal of
Canadian tech CEOs.
But there absolutely is andit's phenomenal and it's
(13:12):
actually one of the one of thebest groups that I have come to
find.
So so, Simon, I'm both enviousof your Chiefs Network and I
imagine you probably have themost hilarious jokes in there
that will never see the light ofday.
Simon (13:28):
Oh, I tell you some of the, some of the stories that we
were accounting with each otherwas like what they like?
No, there's, that didn't happen.
And yeah, yeah it is, and it'shilarious to hear about it.
Like you said, there's funstories and it's just.
It's amazing and it's also areminder to me that people are
people, are people, that justbecause we get to certain levels
of our career paths doesn'tmake us any different than
(13:49):
anything else.
Quite often, in the role that Ihave, we, we fly at 412 squadron
, we fly four corporate jets andwe, we use those to move
members of parliament, thegovernment, the prime minister
predominantly, and one of thethings I like to remind everyone
in the squadron is that eventhe prime minister poops, like
everyone, has to go in thatairplane and use the washroom,
(14:10):
and that's okay, because everyone of us does that.
These things happen becausepeople are people, are people,
and regardless of your CEO or ifyou're the prime minister or
the outgoing prime minister inthis case, so you just never
know, yeah it.
I am curious, though, as we'retalking about these different
types of things earlier you hadtalked about some stories about
(14:31):
different things that had goneon in the side in the industries
.
Do you have anything that mightconnect the cooperation and the
collaboration that needs to gettogether between all the
different information paths andall those different types of
things?
Ian L. Paterson (14:44):
Well, I think I mean there's a lot of stories.
I mean I think I was actuallytalking to one of our customers
earlier today, so this one iskind of fresh in my mind.
This is a customer that we'vebeen working with for over a
year, but it started with afrantic text message on a Friday
night.
It was a customer they'republicly traded, they're based
(15:06):
in the United States, but theyhave global operations.
Customer they're publiclytraded, they're based in the
United States, but they haveglobal operations.
And there was a frantic textmessage saying hey, does anybody
have experience on a verystrange and somewhat unorthodox
pairing of technologies?
The technologies don't actuallymatter, but it's just, you know
, it's two types of technologiesthat you don't usually find
together from an enterprise ITperspective.
(15:28):
And so I reached out and saidwell, yes, we've done a little
bit of work there.
As it turned out, this was alarge manufacturing company and
they had operations overseas andin particular, the operations
large manufacturing operationswere in the Middle East.
(15:48):
You know, large manufacturingoperations were in the Middle
East and in their manufacturingsite, which was responsible for
hundreds of millions of dollarsof revenue, there were quite
literally rockets landing in theneighborhood that this facility
was in.
So not only that, but also ithappened to be the financial hub
for a lot of their accountingsystems, and so they were
(16:10):
struggling and they were askingfor help.
What I found interesting aboutthat was that we got involved
and we mobilized a team.
We mobilized very, very quickly.
I mean, I think by Saturdaymorning we had a proposal and by
Saturday night, our people werebasically starting to work,
which, in theory, for a nine tofive desk job, is not typically
(16:32):
what you would expect from theprivate sector.
But what I found interesting isthat, as we got into that
engagement, we unearthedtechnology from the 2020 era,
from the 2010 era, from the 2000era, from the 1990 era and from
the 1980s era, and so weactually found technology that
was so old that I remember mydad talking about you know, this
(16:53):
specific type of IBM mainframe,and not only did this customer
have one IBM mainframe from the1980s, it turned out they had
three.
They didn't necessarily knowthey had three, but it was
through our investigation, ourvery rapid investigation, that
we were able to go kind ofunearth things and realize that,
hey, you know, it was thevirtual equivalent of literally
(17:15):
pulling a cable and seeing whereit went.
But we used our offensivecybersecurity capabilities to
kind of poke around the networkand we found, as I say, not one
but three IBM mainframeshappened to not even be at their
location, but there was abackup somewhere else.
So the interesting thing wasjust how varied the technology
was, and it kind of reinforcesmy point that I was saying
(17:39):
earlier about most organizationsare struggling.
They don't have everything,they don't have everything put
together properly, they don'thave the right people,
necessarily, they don't have theright processes and they don't
have the right technology andkind of everybody's in that same
boat.
I can tell you another companythat we were working with I gave
(17:59):
you the example Some companiesdon't even know how many assets
they have.
Like how many computers doesyour company own?
Seems like kind of a basicquestion.
And in one case yeah, so in onecase we were.
This was a fortune 1000 sizedorganization.
The estimate by the best andbrightest within the company,
who all had different parts ofthe overall puzzle, the estimate
(18:22):
was off by about 100%.
You know, we were thinking thatit was going to be like 40,000.
That turned out to be closer to80,000, depending on how you
counted, and then it mightactually be north of 100,000.
So that's the scale of thetypes of problems that exist.
And so then you ask the chiefinformation security officer,
who typically is our customer doyou have all that secure?
(18:44):
And they're like, have whatsecure?
I don't even know whatcomputers I own to be able to
secure.
So talk about making decisionswith an absence of information.
I mean, this is something thatleaders have to do every single
day and we see it.
We see it in our customersregularly.
Simon (19:01):
Yeah, and I wonder about that.
I love that example of thatbecause things had to get done,
things needed to be secured, butwhat do we do?
What do we do?
What do leaders do?
How do they figure these thingsout?
Do you have any type of adviceon how they might be able to
move forward with something kindof similar to that?
Ian L. Paterson (19:18):
I think being willing to be wrong is one and
being willing to kind of looklike a fool.
I mean, for that first examplewe'll stick with that one for
sake of argument.
I mean, we came up with threecourses of action and so for the
military viewers or listenersyou might kind of hear some
echoes of traditional tactics.
(19:40):
But we had three courses ofaction, and one of the courses
of action was we were going togo in completely hands-off,
remotely, we're going to go doour thing, and there were some
pros and cons to that.
One of the courses of actionwas actually to charter a jet
and to physically exfiltrate atleast one rack, possibly
(20:01):
multiple, out of the country andget it to a place of safety.
Now, on its face, that scenarioseems quite ludicrous.
That like why on earth wouldyou do this?
There's all kinds of problems.
I mean this is gear from, as Imentioned, this is gear from the
1980s.
That's not necessarily going tosurvive or move right, but we
were at least willing to throwout an idea.
(20:23):
That seemed kind of crazybecause the problem that was
presented to this client wasactually existential.
I mean, they were, and stillare, a publicly traded
organization and had the wrongset of circumstances occurred,
it would have potentially beengame over for that entire
company, and so you have to bewilling to look a bit foolish
(20:46):
and potentially come up withcrazy options to be able to find
the right option that you canthen execute on.
Glen (20:55):
Oh, hello there.
It's Glen, the voiceover artist, and if you're hearing me, that
means we're at the midpoint ofthis episode.
Are you considering startingyour own podcast?
Are you confused or overwhelmedand don't know where to start?
Well, Jennifer at "t's a LegitBusiness is a podcast wizard who
(21:16):
can help you get started,provide advice, consultation and
help you along the way.
Trench Leadership has beenusing it's a Legit Business for
over a year and Jennifer offerspersonalized service, catering
to the podcast's unique needsand desires, truly hearing
Simon's requests and beinginstrumental in realizing Trench
(21:36):
Leadership's vision for eachepisode.
If you want to get started,contact Jennifer at jennifer at
itsalegitbusinesscom and she'llhelp you realize your dreams.
Trench Leadership is alwaysstriving to improve our content
and provide valuable insightsfor leaders across all
professions, and to do this,your feedback is crucial.
(21:59):
So drop us a note at simonk attrenchleadershipca and let us
know what's working and what canbe improved.
And now back to the show.
Simon (22:12):
Yeah, and that's absolutely correct.
I know in my career, when I wasa new leader, a new master
corporal it's the first formallevel of leadership in the
Canadian military I would comeup with these wild ideas and
they'd be like people would belooking at me kind of funny,
like what are we doing here?
And then when you sit back andyou have a moment to think about
it, well, maybe there'ssomething there, but maybe there
isn't.
But at least throwing it outthere is, is it's important to
(22:35):
get that out there and then kindof go from there, because you
never know, you never reallyknow what, which way the people
are going to go.
And and I do wonder about that,because when we're throwing
those things out there there'sthere's a lot of ego talk.
Is we've been speaking about inall of this, in that don't be
afraid to make a movementwithout having the information,
don't be afraid to look like afool, don't be afraid to do this
, don't be afraid to do that.
(22:55):
How can we harness that fear tobe able to do what we need to
do?
Because there is still thatexpectation that as a leader,
we're going to get the thingsdone.
So what do you think about that?
Ian L. Paterson (23:08):
I think you're right.
I think also the idea ofbreaking it down into smaller
decisions can at least help youkeep moving faster.
So, in that case we came upwith the three courses of action
, we presented them to theclient and we actually didn't
necessarily decide on any ofthem in that point of time.
We, collectively with theclient, agreed that we would
(23:32):
start doing some discovery.
We were going to advance allthree courses of action and try
and get some more information tomake a better decision on which
option should we pursue.
And so we were able to keepgoing.
We were able to actually keep asmany options open for as long
as possible, and it led to asuccessful outcome.
I mean we were able to.
(23:52):
So the punchline of that storyis we were actually able to move
the majority of the data to thecloud in again like a
completely Frankenstein networkconfiguration.
That probably shouldn't haveworked, but it mostly did.
It was completely outside ofwhat the technology that we used
was designed to be used for.
You know it was very much aduct tape and bailing wire type
(24:16):
of scenario, but it got the jobdone.
But all the way through we wereat least keeping options open
to say if things escalated, ifthe threat to the physical
facility got to a certain point,then one of these other courses
of action could be pursued.
Simon (24:35):
And that flexibility is, I can't even stress how
important being in thoseleadership roles and being
flexible to being open to otherways of doing things, even when
a COA has been assigned orchosen, being open to going
another direction, that's okay.
That's all part of the game ofbeing in charge, and and and
that flexibility to go forward.
(24:56):
It's.
It's tough.
Do you have any fun storiesabout that at all?
Or?
Ian L. Paterson (24:59):
Well, uh, what was interesting about that
specific course of action?
I mean, we kept it on the tablefor as long as the airspace
remained open, uh, and so wewere.
We were, we had real-timevisibility into the no TAMs and
we were waiting for, you know,at a certain point that window
was going to close.
And so it was one of the keydecision points for the client
because, again, we were advisors, effectively, you know, they're
(25:20):
helping them and we were doingthe work as well, but ultimately
it was their company and theirdecisions was whether to engage
that option, engage that optionbefore the airspace closed.
Now, thankfully, things workedout, but it was certainly one of
(25:41):
the key decisions I thinkthrough that full engagement was
at what point do you just ripthe bandaid off and say, great,
we're, that's it.
You know, we've done as much aswe can.
From a virtual perspective, wejust have to physically
exfiltrate this stuff out of thecountry, um, while while the
option was still there, um, andthen, at a certain point, that
option, uh, you know, was takenoff the table.
Simon (26:00):
Yeah, I mean, and what do you do?
I mean you just figure outanother way to go.
It's challenging.
I am so in your field and wehad we've spoken a lot about
that flexibility and I'm justcurious about if we could shift
a little bit and talk about thecommunication aspect of that,
because that would seem that inthe field, in the career path,
that everyone having to talktogether about the same
(26:21):
information but everyone's alsotrying to, I would imagine, keep
their own information.
How does that sharing work?
Is that a thing, or am I evenon the right path?
Ian L. Paterson (26:33):
No, it's definitely a thing I mean with
cybersecurity.
In some respects it is goodguys versus bad guys.
It is organizations that arejust trying to go accomplish
their mission.
If you're a government agencyor if you're a private sector
company, you're just trying togo build that widget and you're
trying to keep out the bad guyswho want to do you harm or steal
(26:54):
your intellectual property ordeploy ransomware, and so to a
certain extent, you do pair upwith other I mean even your
direct competitors, or what'scalled threat intelligence,
(27:15):
cyber threat intelligencebecause if you share with your
peer and your peer shares withyou, then potentially you can
get a heads up If there'ssomething that's going to happen
.
Maybe they hit somebody elsefirst.
If you know about it, then youcan take action and you can
protect yourself.
But, as you know, with any typeof intelligence, with any type
of data, right, how far do youshare it?
And the farther you share it,potentially, you know, the less
valuable it becomes.
(27:36):
That is a whole, I'd say,subfield within cybersecurity.
It's very, very active and itis, you know.
I think it's an area where, forthe most part, things are
pretty clear cut in terms ofwhat do you share with who when,
et cetera.
(27:57):
I think where it gets a bitdicey is actually post-incident.
So if you think about, you knowleft of boom is trying to
prevent something from happening.
Right of boom is after anincident has occurred and that
could be data theft, it could beransomware, et cetera.
Data theft, it could beransomware, et cetera.
What ends up becomingchallenging right of boom is
that you now have otherstakeholders who have a say
(28:17):
about what you want to share orcan share.
So things like regulators,privacy commissioners, privacy
agencies, federal laws, industrynorms are all going to dictate
what you're allowed to share,what you should share.
Industry norms are all going todictate what you're allowed to
share, what you should share,what you must share in some
cases, and so some of theflexibility there goes away
(28:39):
right of boom, and so it's oneof the reasons that you want to
try and stay left of it as muchas you can.
But it's becoming much moreprescribed, whereas maybe 10, 20
(29:04):
years ago it was still a bit ofthe Wild West.
You know, if you get hacked, ifthere was a data breach, you
didn't have as many stakeholdersdemanding certain things and
then prohibiting you from sayingcertain things, whereas you do
now, so it's been a much morecomplicated environment that,
frankly, you have to get a lotmore lawyers involved to be able
to navigate successfully.
Simon (29:14):
I know very, very little about this world, so my mind is
blown about the fact that in thecybersecurity world, we're
talking about bringing inlawyers to make sure the
information is kept secret.
That's not how I envision it atall.
I admit that I'm 50 years old,so when you're talking about IBM
computers from the 80s, Iremember the movie War Games
with Matthew Broderick and andeverything was like lightning
(29:34):
fast.
I had a Commodore 64 and and Iremember my mind being blown
playing the first Ghostbustersgame and it was like like very
clearly little rectangles andlittle squares moving and I
couldn't believe there was morethan one color.
And now how?
And so there was none.
There was none of this cybersecurity because it just didn't
exist.
And now here we are.
We're talking about how thisinformation can get taken and
(29:57):
instead of, I guess in my mind,the fight of it, of these, these
cyber warriors in thebackground going at it, it's in
hiring a, an army of lawyers togo and protect it.
It's not how I envisioned allthat would go.
Ian L. Paterson (30:08):
Well, hopefully it's an not, or?
I mean, I don't think hiring anarmy of lawyers is going to
keep you safe.
But listen, I mean mostorganizations have personally
identifiable information PII.
A lot of companies havepersonal health information PHI.
These are effectively regulatedpieces of data and there are
rules and laws around whatyou're allowed to disclose and
(30:29):
what you must disclose and whatyou must not disclose, and then
there are penalties if you getit wrong.
So you know, that's just kind ofa that's just the world that we
live in.
I think where it becomes reallycomplicated and really
challenging, especially forlarger organizations, is that
you have to be compliant witheffectively every jurisdiction
for which you have a nexus for.
So if you're a big company andyou have 10,000 people around
(30:51):
the world and you have customersaround the world and your
internet traffic traversesvarious places, then you
potentially have a bunch ofdifferent places that you now
have to be aware of, what therules and laws are, and also
make sure that you're trackingthat on a regular basis, because
(31:11):
this stuff is is changing quitea bit so, from a leader's
perspective, and with all thechanges that are happening
rapidly and quickly, I I'mbrought back to the idea of of
how things are happening soquickly.
Simon (31:25):
How can a leader, if they're in one of these roles
and things are happening so fast, how can they they remain ahead
of the game?
How can they keep that momentumgoing and still have some of
that information if theinformation is changing so often
?
Ian L. Paterson (31:38):
Well, I think so asking for help, I think is
is one of the big ones.
There's this.
So this whole industry is sobig that you can't keep track of
it.
No one person can keep track ofall of it, and and you have to
you have to understand what yourportion of it is and then arm
yourself with relationships andadvisors and people and
stakeholders and consultants andemployees, et cetera, to fill
(31:59):
in the rest.
You know that's really the onlything you can do.
Cybersecurity, to your point, ismuch more complicated and it's
much more in-depth, and it'salso become quite
professionalized.
You know, compared to 20 yearsago, when information security
was was you actually could keepmost of it all up in your head,
you know, now it's now it's muchmore complicated.
(32:21):
The flip side to that, though,is that complexity is actually
creating a lot of opportunityfor people to get into the
industry.
Cybersecurity has some estimate4 million jobs unfilled, vacant
right now because there's notenough qualified people who can
go do that work.
That number has increased fromsomething like 2 million cyber
jobs a handful of years ago, soit's definitely a growing
(32:45):
industry and it's an area that Ifrequently talk to people about
as a source of opportunity.
I mean, if you want to go intoa growing field and one that has
a lot of opportunity forspecialization, cyber is
definitely a great industry toconsider.
Simon (33:09):
Well, that's a fantastic point.
In the military, we've actuallycreated an entire trade
revolving around that because werecognize the importance of the
role that cybersecurity has inactual security and non-physical
security that we experience.
So it's there and it's notgoing away.
(33:29):
The internet is a provensuccess.
It's not going away there andit's not going away Like the
internet is a proven success.
It's not going away.
Before we sign off, I'm justcurious Is there if anyone would
like to hear more from you, toreach out?
Are there any ways that wecould do that?
And and also, I feel it'simportant to point out that
you're also a podcast host, soif you want to take a moment and
talk about that, that now'syour chance.
Ian L. Paterson (33:47):
I appreciate that opportunity.
I mean I'm I'm pretty easy tofind.
I'm Ian L Patterson.
I'm mostly active on LinkedIn,so you're welcome to follow me
there.
The newer podcast that welaunched, also a YouTube series,
is called Code and Country, andwe're exploring the
intersection of nationalsecurity and cybersecurity.
We've been very fortunate inthe guests that we've spoken to
(34:10):
so far.
It includes some of the peoplethat I already mentioned on this
podcast, but also Sammy Curry,who was formerly the head of the
Canadian Centre forCybersecurity, now the senior,
most official for cybersecurityfor the Government of Canada,
Director General Chris Lynham,who runs cybercrime at RCMP, as
(34:31):
well as others both in theUnited States and amongst our
allies.
Beth Sizeland was the formerCOO at GCHQ in the UK and she
was also Deputy NationalSecurity Advisor to the British
Prime Minister.
So it's been a very interestingseries and we've got quite a
few more very interesting showscoming up.
(34:52):
So Code and Country is the nameof that one, and if you're
interested in hearing more aboutPlurilock, which is the company
that I run, it's plurilockcomslash IR short for Investor
Relations.
It's usually the best way forpeople to stay up to speed on
what we're up to.
Simon (35:09):
Fantastic and, of course, we'll have links to all those
things inside our show notes.
And, ian, this has been anabsolute pleasure.
I always love speaking to otherCanadians and I always love
speaking to other Canadiansabout topics that I know nothing
about, because I've learnedquite a bit.
Thank you so much for your timetoday and it's been a real
pleasure and I'm looking forwardto the next time we get to chat
.
Ian L. Paterson (35:29):
Thanks, Simon, and next time I see one of those
challengers in the air I willbe thinking about you.
Simon (35:33):
Sounds like a great plan.
Take care, my man, cheers.
Well, that's another episodefrom the front, and in this
episode we spoke with IanPatterson, a podcast host,
another fellow Canadian and anexpert in all things
cybersecurity, and we talkedabout how it's important for
leaders to understand thatpeople are important, but so is
the process.
(35:54):
We also need to understand thatthe momentum that the leader
brings to the team to keepthings going forward.
It does not necessarily meanthat we have to have all the
answers, and if we don't haveall the answers, all we need to
do is talk to our peers, talk tothe others around us and if we
have to ask for help.
That's not a sign of weaknessas a leader.
That's a sign of strength thatwe don't have all the answers
(36:16):
and that all we truly care aboutis succeeding for ourselves,
for our team members and for theorganization.
Thanks for tuning in andremember leadership without
passion limits the depth of yourvision.
Glen (36:29):
Be sure to join us next week with your host, Simon
Kardynal, for another episode ofTrench Leadership: A Podcast
From the Front, produced by,"It's a Legit Business Music
provided by Ashamal of Music.
Never miss an episode byfollowing us wherever you get
your podcasts.
While you're there, pleaseconsider leaving us a review and
(36:52):
rating podcasts.
While you're there, pleaseconsider leaving us a review and
rating.
Hint.
We love five stars and let usknow what topics you would like
to hear about.
I would like to begin this episode by acknowledging
that I am located in Ottawa,Ontario, Canada, and I am
privileged and honoured to liveand learn on the unceded,
unsurrendered territory of theAnishinaabe Algonquin Nation.
Glen (00:24):
Hello, you're listening to Trench Leadership
From the Front, a show foremerging leaders from all
professions to hear from otherleaders who have led from the
front, made the mistakes, hadthe triumphs and are still
learning along the way.
Produced by Jennifer Lee at,"t's a Legit Business, a podcast
(00:44):
launch and management company.
And now here's your host, simonCardinal.
Simon (00:55):
Hi everyone and welcome to another episode of Trench
Leadership (00:58):
A Podcast From the Front.
And, as everyone is aware, Ilove talking to guests.
I love speaking with everyone,I love hanging out, I love
getting to meet everyone andmaking those connections.
It's what really gets me going.
And I especially love talkingto fellow Canadians and that is
why today is extra special forme because, as I've begun the
journey of re-recordingeverything, I get to talk to
(01:19):
another Canadian in what Ibelieve to be the beautifulest I
don't know if that's a realword, but we'll go with it the
most beautiful city in all ofCanada Victoria, British
Columbia.
Ian L.
Patterson, hey Ian, how's itgoing out that way?
Ian L. Paterson (01:32):
Simon, it's well.
First of all, thank you forhaving me.
We're trying to keep a lid onhow nice Victoria is.
It's getting popular enough asit is.
You know, it's funny.
Actually, most of the time whenI'm talking to somebody on a
Zoom or a Teams call or whatnot,you start with pleasantries hey
, how you doing, where are youfrom?
I used to actually not sayVictoria, I used to just say
Vancouver, because I figure, ifyou're in Singapore or if you're
(01:54):
in Sydney, Australia, or ifyou're in London, Victoria is
too small of a city you haven'theard.
And yet it's actually one ofthose cities that everybody
either has been to once in theirlife or wants to go to once in
their life.
So it's actually become quite aquite an interesting calling
card.
Uh to, uh to, to include aspart of, as part of my identity.
Simon (02:12):
Oh, that's amazing.
I'm so I'm happy to hear thatI, that city is just incredible.
That is where I went and did mymaster's degree and, uh, it's
just, there's just somethingabout the vibe and the feel of
that city.
It's unless you've been there,there's no way to know, but it's
, it's incredible.
So, yeah, I love it.
Well, thanks, thanks so muchfor coming out today.
And, and before we get into themeat of things, I'm wondering
(02:33):
if you wouldn't mind taking afew minutes and just let us, let
us learn about Ian.
Who is Ian?
Ian L. Paterson (02:39):
Well, I appreciate that.
I mean, my background is maybea little bit different than most
.
I started way back, whichactually is starting to the
years are starting to accrue themore that I think about it but
I started really just assomebody who was passionate
about learning and passionateabout technology.
(03:00):
About technology, I didn't domuch academically and certainly
did not go down the typical goget a university degree and kind
of know what you were wantingto do ahead of time, etc.
In hindsight I don't know,maybe things would have turned
out differently had I done that,but I was really just focused
(03:22):
on building my skills andlearning myself.
And so in my first real job interms of the career was working
for a venture-backed companydoing e-commerce analytics, and
my role specifically within thatorganization was to help very
large enterprises make betterdecisions using data.
(03:42):
So it was great.
It was a lot of fun, learned alot.
This was in sort of the 2010sera, back when e-commerce was
first having its really big boom.
Got to meet a lot of people, doa lot of interesting things, a
ton of learning, both on the job, intentionally and also perhaps
(04:02):
unintentionally.
So I got to see a lot of howbusiness worked, perhaps not
always learning about what youshould do.
In some cases, it was learningwhat you shouldn't do.
That company eventually wasacquired and fast forward a few
years to get to Plurilock, andwe started actually as what I
(04:26):
thought was going to be a datacompany, and so you know again,
kind of going back to that dataand analytics background.
Plurilock very quickly, though,became a cybersecurity company.
It happened to be that we wereanswering cybersecurity
questions using data, and thenone thing led to another.
We started doing a lot of workwith the US federal, US Army and
(04:47):
US Department of Defence.
That exposed me and us.
It was a small team at thattime, but exposed us to really
the real world, and what I meanby that is, naively, going into
our first couple of customerengagements, I actually thought
I believed the marketing hype.
I believed that everybody wasalready totally secure.
(05:08):
AI technology was widelydeployed, everything was
top-notch, and they just neededanother edge, and what I came to
find out was, in fact, nobodyhas their stuff together.
Everything is disorganized.
In particular, the most largeinstitutions in the world, both
public sector and private sector, struggle with basic things
(05:29):
like understanding how manydevices they have or they own,
and I can tell you a funny storyabout that keeping things up to
date, even making sure thetechnology was from the same
decade, and I can tell youanother story about that.
And so very quickly it becamequite clear that for us to have
impact and create value for ourcustomers wasn't necessarily by
(05:51):
just bringing a new widget thatwas bigger, shinier, faster, et
cetera, but in fact sometimes itwas doing things that were more
people related or processrelated, and so Plurilock today,
or process related, and soPlurilock today.
We do a lot of different things, but the area of the business
that I'm most passionate aboutis a team called Critical
Services, and Critical Servicesis where we're providing very
(06:14):
high-end cybersecurity work forsome of the most consequential
organizations in the world.
So our mission is to safeguardcritical infrastructure in order
to preserve democracy, and theway that we're doing that is
through a cybersecurity lens.
So, Simon, happy to kind of diginto some of those or maybe
tell you some stories about someof our work, which might
(06:34):
actually be fine, surprising,but that's where I've come from
in a nutshell.
Simon (06:40):
Well, thanks so much for that time.
I love the background and thediversity and yet staying within
the same type of of mindset andand field.
It's interesting how we're allable to move around and get into
these different spots and dothe different things.
That we go because quite often,as a new leader, that the more
often than not we're promotedinto these positions not based
(07:00):
off of our proven leadershipskill set, but our proven
technical skill set, and thenall of a sudden we're in doing
something else that we might notnecessarily be ready to do, for
whatever reason, and that'sokay, because we were talking
about it before we startedrecording that we're expecting a
lot of times leaders will putthese ideas in themselves that
there's an expectation, aself-imposed expectation, that
(07:22):
we need to have all the answersbefore we get going, when in
fact, you had said it but the 20, we might have the 20, 30%
knowledge to be able to go forthand yet still still produce and
what we have to do that.
Did you experience those typesof things as you were getting
along into the profession?
Ian L. Paterson (07:39):
Yeah, I mean, I think I think as leaders, we
never have enough data, or letme rephrase that we never have
as much data as we would like tomake a decision.
There's very rarely a decisionwhere you have perfect
information.
There's always some amount ofinformation asymmetry I'm
thinking about like negotiations, for instance there's always an
(08:00):
information asymmetry.
But even just in regular day,you know, do you do X or do you
do Y?
Well, it'd be nice if you knewall of the ramifications if you
chose X versus Y.
You don't always necessarilyhave all of that information,
nor do you have the time or theresources to go to go run those
things totally to ground.
So, uh, so being able to uh, toact and and continue moving, uh
(08:24):
in the right direction withlimited information, to try and
get more information perhaps, somaybe not taking a huge
consequential decision, maybeyou can make a smaller decision
to get you a little bit forward.
Continue to advance Ultimatelyallows momentum to continue, and
I think where things reallystart to slow down or get stuck
(08:46):
in the mud is when you're justyou're frozen.
I don't know.
Someone once said that it wasan Eisenhower quote that said
the best decision is the rightdecision followed by the wrong
decision, followed by nodecision, really meaning, as
long as you do something, it'sbetter than doing nothing.
Simon (09:03):
Oh yeah, otherwise you end up in the paralysis of doing
nothing and that becomes aproblem and it actually destroys
that momentum that you had beenspeaking about, and I would
like to talk more about that.
What do you think is a way fornew leaders to ensure they are
driving forward with thatmomentum, and what happens if
they feel like that paralysismight be coming up?
Ian L. Paterson (09:22):
Well, I think one of the things you can do is
you can turn to the peoplearound you I mean, oftentimes
you are not the smartest personin the room, you don't have the
most experience, but somebodyelse in the organization does,
or maybe somebody else outsideof the organization does, and so
being able to call on thoseresources and being okay with
you not having necessarily allthat information, but if you can
(09:44):
collect that information,that's crucial.
I mean, one of the things thatwe did at Plurilog very early on
is we went way overboard onrecruiting the absolute best
leaders, advisors, mentors,board directors and industry
counsel that we possibly could,and we sometimes joke that every
company talks about having aworld-class team.
I actually think we possiblycould, and we sometimes joke
(10:04):
that, you know, every companytalks about having a world-class
team.
I actually think we have one,and even from very early on,
we'd recruited the formerdirector of the NSA and Director
of National Intelligence,Admiral Mike McConnell, who
served as our lead independentdirector, and we just we have an
amazing team of people aroundus.
For exactly that reason, wedon't always necessarily have
the answers ourselves.
(10:25):
Other people might, though, andbeing able to to to lean on that
team um has has certainly beencrucial for us and in in our
success.
Um, and also for me personally,uh, being able to to call on
those people for advice.
I mean, one of the uh, perhapsone of the surprising things is
is, um, we have, we have, uh,we're, we're fortunate enough
that we have several viceadmirals who serve in some
(10:48):
capacity in our ecosystem and,more often than not, when I call
them asking for help, it's notabout cybersecurity, it's not
about signals, intelligence oranything that they've spent 40
or 50 years in a career orcryptology 40 or 50 years of
their career focus on.
It's actually about leadership.
It's about people.
(11:08):
It's about managing a team,leading an organization, because
they've been there and donethat.
Simon (11:15):
And that's okay to not have that information.
I think that's often somethingthat gets missed when people are
new to leadership roles or thesecond or third tier in whatever
their career path is.
Is that expectation to to havethose answers?
That's just not a thing.
We're just not able to do that.
Uh, at my level, my rank level,I'm a Master Warrant Officer and
I'm in the position of asimilar to a Chief Warrant
(11:37):
Officer's role and the networkthat I have we we call it the
chiefs network, and it's a wholebunch of the chiefs, the
different squadron chiefs,throughout the wing that I work
at the base, in the Canadianterms and uh, anytime we have a
question, we just fire that outto this mass email and and it is
.
And often I've talked about thechief network with different
people throughout the last fewyears and often what the
(11:59):
response will get back is oh you, everyone must be talking super
high level, like, like, how doyou fix the, this major problem
in the air force?
And I'm like well, no, moreoften than not it's hey, listen,
how do I, where do I find this,this boot claim for someone to
be able to reimburse their boots, because, even though I've been
in the military for a long time.
I don't know where everythingis, and we all, we, we track
(12:20):
these things down and that'swhat keeps that momentum going
forward is being willing toadmit that we don't know
everything.
Do you have any thoughts onthat at all?
Ian L. Paterson (12:29):
So there's a similar camaraderie between
other executives in particularother CEOs or other founders.
There's a unique relationshipthat we have to one another
because there's very few otherstakeholders just in the
ecosystem who have that set ofshared experiences, shared
worldview, shared experiences.
In the unique position, even ifit's a different company, a
(12:51):
different industry, a differentbusiness model, et cetera, there
are certain pressures that anexecutive or CEO would have and
there's significant camaraderie.
And so it's funny.
I've never heard of the ChiefsNetwork and I suspect most
people probably haven't heardthat there's a secret cabal of
Canadian tech CEOs.
But there absolutely is andit's phenomenal and it's
(13:12):
actually one of the one of thebest groups that I have come to
find.
So so, Simon, I'm both enviousof your Chiefs Network and I
imagine you probably have themost hilarious jokes in there
that will never see the light ofday.
Simon (13:28):
Oh, I tell you some of the, some of the stories that we
were accounting with each otherwas like what they like?
No, there's, that didn't happen.
And yeah, yeah it is, and it'shilarious to hear about it.
Like you said, there's funstories and it's just.
It's amazing and it's also areminder to me that people are
people, are people, that justbecause we get to certain levels
of our career paths doesn'tmake us any different than
(13:49):
anything else.
Quite often, in the role that Ihave, we, we fly at 412 squadron
, we fly four corporate jets andwe, we use those to move
members of parliament, thegovernment, the prime minister
predominantly, and one of thethings I like to remind everyone
in the squadron is that eventhe prime minister poops, like
everyone, has to go in thatairplane and use the washroom,
(14:10):
and that's okay, because everyone of us does that.
These things happen becausepeople are people, are people,
and regardless of your CEO or ifyou're the prime minister or
the outgoing prime minister inthis case, so you just never
know, yeah it.
I am curious, though, as we'retalking about these different
types of things earlier you hadtalked about some stories about
(14:31):
different things that had goneon in the side in the industries
.
Do you have anything that mightconnect the cooperation and the
collaboration that needs to gettogether between all the
different information paths andall those different types of
things?
Ian L. Paterson (14:44):
Well, I think I mean there's a lot of stories.
I mean I think I was actuallytalking to one of our customers
earlier today, so this one iskind of fresh in my mind.
This is a customer that we'vebeen working with for over a
year, but it started with afrantic text message on a Friday
night.
It was a customer they'republicly traded, they're based
(15:06):
in the United States, but theyhave global operations.
Customer they're publiclytraded, they're based in the
United States, but they haveglobal operations.
And there was a frantic textmessage saying hey, does anybody
have experience on a verystrange and somewhat unorthodox
pairing of technologies?
The technologies don't actuallymatter, but it's just, you know
, it's two types of technologiesthat you don't usually find
together from an enterprise ITperspective.
(15:28):
And so I reached out and saidwell, yes, we've done a little
bit of work there.
As it turned out, this was alarge manufacturing company and
they had operations overseas andin particular, the operations
large manufacturing operationswere in the Middle East.
(15:48):
You know, large manufacturingoperations were in the Middle
East and in their manufacturingsite, which was responsible for
hundreds of millions of dollarsof revenue, there were quite
literally rockets landing in theneighborhood that this facility
was in.
So not only that, but also ithappened to be the financial hub
for a lot of their accountingsystems, and so they were
(16:10):
struggling and they were askingfor help.
What I found interesting aboutthat was that we got involved
and we mobilized a team.
We mobilized very, very quickly.
I mean, I think by Saturdaymorning we had a proposal and by
Saturday night, our people werebasically starting to work,
which, in theory, for a nine tofive desk job, is not typically
(16:32):
what you would expect from theprivate sector.
But what I found interesting isthat, as we got into that
engagement, we unearthedtechnology from the 2020 era,
from the 2010 era, from the 2000era, from the 1990 era and from
the 1980s era, and so weactually found technology that
was so old that I remember mydad talking about you know, this
(16:53):
specific type of IBM mainframe,and not only did this customer
have one IBM mainframe from the1980s, it turned out they had
three.
They didn't necessarily knowthey had three, but it was
through our investigation, ourvery rapid investigation, that
we were able to go kind ofunearth things and realize that,
hey, you know, it was thevirtual equivalent of literally
(17:15):
pulling a cable and seeing whereit went.
But we used our offensivecybersecurity capabilities to
kind of poke around the networkand we found, as I say, not one
but three IBM mainframeshappened to not even be at their
location, but there was abackup somewhere else.
So the interesting thing wasjust how varied the technology
was, and it kind of reinforcesmy point that I was saying
(17:39):
earlier about most organizationsare struggling.
They don't have everything,they don't have everything put
together properly, they don'thave the right people,
necessarily, they don't have theright processes and they don't
have the right technology andkind of everybody's in that same
boat.
I can tell you another companythat we were working with I gave
(17:59):
you the example Some companiesdon't even know how many assets
they have.
Like how many computers doesyour company own?
Seems like kind of a basicquestion.
And in one case yeah, so in onecase we were.
This was a fortune 1000 sizedorganization.
The estimate by the best andbrightest within the company,
who all had different parts ofthe overall puzzle, the estimate
(18:22):
was off by about 100%.
You know, we were thinking thatit was going to be like 40,000.
That turned out to be closer to80,000, depending on how you
counted, and then it mightactually be north of 100,000.
So that's the scale of thetypes of problems that exist.
And so then you ask the chiefinformation security officer,
who typically is our customer doyou have all that secure?
(18:44):
And they're like, have whatsecure?
I don't even know whatcomputers I own to be able to
secure.
So talk about making decisionswith an absence of information.
I mean, this is something thatleaders have to do every single
day and we see it.
We see it in our customersregularly.
Simon (19:01):
Yeah, and I wonder about that.
I love that example of thatbecause things had to get done,
things needed to be secured, butwhat do we do?
What do we do?
What do leaders do?
How do they figure these thingsout?
Do you have any type of adviceon how they might be able to
move forward with something kindof similar to that?
Ian L. Paterson (19:18):
I think being willing to be wrong is one and
being willing to kind of looklike a fool.
I mean, for that first examplewe'll stick with that one for
sake of argument.
I mean, we came up with threecourses of action and so for the
military viewers or listenersyou might kind of hear some
echoes of traditional tactics.
(19:40):
But we had three courses ofaction, and one of the courses
of action was we were going togo in completely hands-off,
remotely, we're going to go doour thing, and there were some
pros and cons to that.
One of the courses of actionwas actually to charter a jet
and to physically exfiltrate atleast one rack, possibly
(20:01):
multiple, out of the country andget it to a place of safety.
Now, on its face, that scenarioseems quite ludicrous.
That like why on earth wouldyou do this?
There's all kinds of problems.
I mean this is gear from, as Imentioned, this is gear from the
1980s.
That's not necessarily going tosurvive or move right, but we
were at least willing to throwout an idea.
(20:23):
That seemed kind of crazybecause the problem that was
presented to this client wasactually existential.
I mean, they were, and stillare, a publicly traded
organization and had the wrongset of circumstances occurred,
it would have potentially beengame over for that entire
company, and so you have to bewilling to look a bit foolish
(20:46):
and potentially come up withcrazy options to be able to find
the right option that you canthen execute on.
Glen (20:55):
Oh, hello there.
It's Glen, the voiceover artist, and if you're hearing me, that
means we're at the midpoint ofthis episode.
Are you considering startingyour own podcast?
Are you confused or overwhelmedand don't know where to start?
Well, Jennifer at "t's a LegitBusiness is a podcast wizard who
(21:16):
can help you get started,provide advice, consultation and
help you along the way.
Trench Leadership has beenusing it's a Legit Business for
over a year and Jennifer offerspersonalized service, catering
to the podcast's unique needsand desires, truly hearing
Simon's requests and beinginstrumental in realizing Trench
(21:36):
Leadership's vision for eachepisode.
If you want to get started,contact Jennifer at jennifer at
itsalegitbusinesscom and she'llhelp you realize your dreams.
Trench Leadership is alwaysstriving to improve our content
and provide valuable insightsfor leaders across all
professions, and to do this,your feedback is crucial.
(21:59):
So drop us a note at simonk attrenchleadershipca and let us
know what's working and what canbe improved.
And now back to the show.
Simon (22:12):
Yeah, and that's absolutely correct.
I know in my career, when I wasa new leader, a new master
corporal it's the first formallevel of leadership in the
Canadian military I would comeup with these wild ideas and
they'd be like people would belooking at me kind of funny,
like what are we doing here?
And then when you sit back andyou have a moment to think about
it, well, maybe there'ssomething there, but maybe there
isn't.
But at least throwing it outthere is, is it's important to
(22:35):
get that out there and then kindof go from there, because you
never know, you never reallyknow what, which way the people
are going to go.
And and I do wonder about that,because when we're throwing
those things out there there'sthere's a lot of ego talk.
Is we've been speaking about inall of this, in that don't be
afraid to make a movementwithout having the information,
don't be afraid to look like afool, don't be afraid to do this
, don't be afraid to do that.
(22:55):
How can we harness that fear tobe able to do what we need to
do?
Because there is still thatexpectation that as a leader,
we're going to get the thingsdone.
So what do you think about that?
Ian L. Paterson (23:08):
I think you're right.
I think also the idea ofbreaking it down into smaller
decisions can at least help youkeep moving faster.
So, in that case we came upwith the three courses of action
, we presented them to theclient and we actually didn't
necessarily decide on any ofthem in that point of time.
We, collectively with theclient, agreed that we would
(23:32):
start doing some discovery.
We were going to advance allthree courses of action and try
and get some more information tomake a better decision on which
option should we pursue.
And so we were able to keepgoing.
We were able to actually keep asmany options open for as long
as possible, and it led to asuccessful outcome.
I mean we were able to.
(23:52):
So the punchline of that storyis we were actually able to move
the majority of the data to thecloud in again like a
completely Frankenstein networkconfiguration.
That probably shouldn't haveworked, but it mostly did.
It was completely outside ofwhat the technology that we used
was designed to be used for.
You know it was very much aduct tape and bailing wire type
(24:16):
of scenario, but it got the jobdone.
But all the way through we wereat least keeping options open
to say if things escalated, ifthe threat to the physical
facility got to a certain point,then one of these other courses
of action could be pursued.
Simon (24:35):
And that flexibility is, I can't even stress how
important being in thoseleadership roles and being
flexible to being open to otherways of doing things, even when
a COA has been assigned orchosen, being open to going
another direction, that's okay.
That's all part of the game ofbeing in charge, and and and
that flexibility to go forward.
(24:56):
It's.
It's tough.
Do you have any fun storiesabout that at all?
Or?
Ian L. Paterson (24:59):
Well, uh, what was interesting about that
specific course of action?
I mean, we kept it on the tablefor as long as the airspace
remained open, uh, and so wewere.
We were, we had real-timevisibility into the no TAMs and
we were waiting for, you know,at a certain point that window
was going to close.
And so it was one of the keydecision points for the client
because, again, we were advisors, effectively, you know, they're
(25:20):
helping them and we were doingthe work as well, but ultimately
it was their company and theirdecisions was whether to engage
that option, engage that optionbefore the airspace closed.
Now, thankfully, things workedout, but it was certainly one of
(25:41):
the key decisions I thinkthrough that full engagement was
at what point do you just ripthe bandaid off and say, great,
we're, that's it.
You know, we've done as much aswe can.
From a virtual perspective, wejust have to physically
exfiltrate this stuff out of thecountry, um, while while the
option was still there, um, andthen, at a certain point, that
option, uh, you know, was takenoff the table.
Simon (26:00):
Yeah, I mean, and what do you do?
I mean you just figure outanother way to go.
It's challenging.
I am so in your field and wehad we've spoken a lot about
that flexibility and I'm justcurious about if we could shift
a little bit and talk about thecommunication aspect of that,
because that would seem that inthe field, in the career path,
that everyone having to talktogether about the same
(26:21):
information but everyone's alsotrying to, I would imagine, keep
their own information.
How does that sharing work?
Is that a thing, or am I evenon the right path?
Ian L. Paterson (26:33):
No, it's definitely a thing I mean with
cybersecurity.
In some respects it is goodguys versus bad guys.
It is organizations that arejust trying to go accomplish
their mission.
If you're a government agencyor if you're a private sector
company, you're just trying togo build that widget and you're
trying to keep out the bad guyswho want to do you harm or steal
(26:54):
your intellectual property ordeploy ransomware, and so to a
certain extent, you do pair upwith other I mean even your
direct competitors, or what'scalled threat intelligence,
(27:15):
cyber threat intelligencebecause if you share with your
peer and your peer shares withyou, then potentially you can
get a heads up If there'ssomething that's going to happen
.
Maybe they hit somebody elsefirst.
If you know about it, then youcan take action and you can
protect yourself.
But, as you know, with any typeof intelligence, with any type
of data, right, how far do youshare it?
And the farther you share it,potentially, you know, the less
valuable it becomes.
(27:36):
That is a whole, I'd say,subfield within cybersecurity.
It's very, very active and itis, you know.
I think it's an area where, forthe most part, things are
pretty clear cut in terms ofwhat do you share with who when,
et cetera.
(27:57):
I think where it gets a bitdicey is actually post-incident.
So if you think about, you knowleft of boom is trying to
prevent something from happening.
Right of boom is after anincident has occurred and that
could be data theft, it could beransomware, et cetera.
Data theft, it could beransomware, et cetera.
What ends up becomingchallenging right of boom is
that you now have otherstakeholders who have a say
(28:17):
about what you want to share orcan share.
So things like regulators,privacy commissioners, privacy
agencies, federal laws, industrynorms are all going to dictate
what you're allowed to share,what you should share.
Industry norms are all going todictate what you're allowed to
share, what you should share,what you must share in some
cases, and so some of theflexibility there goes away
(28:39):
right of boom, and so it's oneof the reasons that you want to
try and stay left of it as muchas you can.
But it's becoming much moreprescribed, whereas maybe 10, 20
(29:04):
years ago it was still a bit ofthe Wild West.
You know, if you get hacked, ifthere was a data breach, you
didn't have as many stakeholdersdemanding certain things and
then prohibiting you from sayingcertain things, whereas you do
now, so it's been a much morecomplicated environment that,
frankly, you have to get a lotmore lawyers involved to be able
to navigate successfully.
Simon (29:14):
I know very, very little about this world, so my mind is
blown about the fact that in thecybersecurity world, we're
talking about bringing inlawyers to make sure the
information is kept secret.
That's not how I envision it atall.
I admit that I'm 50 years old,so when you're talking about IBM
computers from the 80s, Iremember the movie War Games
with Matthew Broderick and andeverything was like lightning
(29:34):
fast.
I had a Commodore 64 and and Iremember my mind being blown
playing the first Ghostbustersgame and it was like like very
clearly little rectangles andlittle squares moving and I
couldn't believe there was morethan one color.
And now how?
And so there was none.
There was none of this cybersecurity because it just didn't
exist.
And now here we are.
We're talking about how thisinformation can get taken and
(29:57):
instead of, I guess in my mind,the fight of it, of these, these
cyber warriors in thebackground going at it, it's in
hiring a, an army of lawyers togo and protect it.
It's not how I envisioned allthat would go.
Ian L. Paterson (30:08):
Well, hopefully it's an not, or?
I mean, I don't think hiring anarmy of lawyers is going to
keep you safe.
But listen, I mean mostorganizations have personally
identifiable information PII.
A lot of companies havepersonal health information PHI.
These are effectively regulatedpieces of data and there are
rules and laws around whatyou're allowed to disclose and
(30:29):
what you must disclose and whatyou must not disclose, and then
there are penalties if you getit wrong.
So you know, that's just kind ofa that's just the world that we
live in.
I think where it becomes reallycomplicated and really
challenging, especially forlarger organizations, is that
you have to be compliant witheffectively every jurisdiction
for which you have a nexus for.
So if you're a big company andyou have 10,000 people around
(30:51):
the world and you have customersaround the world and your
internet traffic traversesvarious places, then you
potentially have a bunch ofdifferent places that you now
have to be aware of, what therules and laws are, and also
make sure that you're trackingthat on a regular basis, because
(31:11):
this stuff is is changing quitea bit so, from a leader's
perspective, and with all thechanges that are happening
rapidly and quickly, I I'mbrought back to the idea of of
how things are happening soquickly.
Simon (31:25):
How can a leader, if they're in one of these roles
and things are happening so fast, how can they they remain ahead
of the game?
How can they keep that momentumgoing and still have some of
that information if theinformation is changing so often
?
Ian L. Paterson (31:38):
Well, I think so asking for help, I think is
is one of the big ones.
There's this.
So this whole industry is sobig that you can't keep track of
it.
No one person can keep track ofall of it, and and you have to
you have to understand what yourportion of it is and then arm
yourself with relationships andadvisors and people and
stakeholders and consultants andemployees, et cetera, to fill
(31:59):
in the rest.
You know that's really the onlything you can do.
Cybersecurity, to your point, ismuch more complicated and it's
much more in-depth, and it'salso become quite
professionalized.
You know, compared to 20 yearsago, when information security
was was you actually could keepmost of it all up in your head,
you know, now it's now it's muchmore complicated.
(32:21):
The flip side to that, though,is that complexity is actually
creating a lot of opportunityfor people to get into the
industry.
Cybersecurity has some estimate4 million jobs unfilled, vacant
right now because there's notenough qualified people who can
go do that work.
That number has increased fromsomething like 2 million cyber
jobs a handful of years ago, soit's definitely a growing
(32:45):
industry and it's an area that Ifrequently talk to people about
as a source of opportunity.
I mean, if you want to go intoa growing field and one that has
a lot of opportunity forspecialization, cyber is
definitely a great industry toconsider.
Simon (33:09):
Well, that's a fantastic point.
In the military, we've actuallycreated an entire trade
revolving around that because werecognize the importance of the
role that cybersecurity has inactual security and non-physical
security that we experience.
So it's there and it's notgoing away.
(33:29):
The internet is a provensuccess.
It's not going away there andit's not going away Like the
internet is a proven success.
It's not going away.
Before we sign off, I'm justcurious Is there if anyone would
like to hear more from you, toreach out?
Are there any ways that wecould do that?
And and also, I feel it'simportant to point out that
you're also a podcast host, soif you want to take a moment and
talk about that, that now'syour chance.
Ian L. Paterson (33:47):
I appreciate that opportunity.
I mean I'm I'm pretty easy tofind.
I'm Ian L Patterson.
I'm mostly active on LinkedIn,so you're welcome to follow me
there.
The newer podcast that welaunched, also a YouTube series,
is called Code and Country, andwe're exploring the
intersection of nationalsecurity and cybersecurity.
We've been very fortunate inthe guests that we've spoken to
(34:10):
so far.
It includes some of the peoplethat I already mentioned on this
podcast, but also Sammy Curry,who was formerly the head of the
Canadian Centre forCybersecurity, now the senior,
most official for cybersecurityfor the Government of Canada,
Director General Chris Lynham,who runs cybercrime at RCMP, as
(34:31):
well as others both in theUnited States and amongst our
allies.
Beth Sizeland was the formerCOO at GCHQ in the UK and she
was also Deputy NationalSecurity Advisor to the British
Prime Minister.
So it's been a very interestingseries and we've got quite a
few more very interesting showscoming up.
(34:52):
So Code and Country is the nameof that one, and if you're
interested in hearing more aboutPlurilock, which is the company
that I run, it's plurilockcomslash IR short for Investor
Relations.
It's usually the best way forpeople to stay up to speed on
what we're up to.
Simon (35:09):
Fantastic and, of course, we'll have links to all those
things inside our show notes.
And, ian, this has been anabsolute pleasure.
I always love speaking to otherCanadians and I always love
speaking to other Canadiansabout topics that I know nothing
about, because I've learnedquite a bit.
Thank you so much for your timetoday and it's been a real
pleasure and I'm looking forwardto the next time we get to chat
.
Ian L. Paterson (35:29):
Thanks, Simon, and next time I see one of those
challengers in the air I willbe thinking about you.
Simon (35:33):
Sounds like a great plan.
Take care, my man, cheers.
Well, that's another episodefrom the front, and in this
episode we spoke with IanPatterson, a podcast host,
another fellow Canadian and anexpert in all things
cybersecurity, and we talkedabout how it's important for
leaders to understand thatpeople are important, but so is
the process.
(35:54):
We also need to understand thatthe momentum that the leader
brings to the team to keepthings going forward.
It does not necessarily meanthat we have to have all the
answers, and if we don't haveall the answers, all we need to
do is talk to our peers, talk tothe others around us and if we
have to ask for help.
That's not a sign of weaknessas a leader.
That's a sign of strength thatwe don't have all the answers
(36:16):
and that all we truly care aboutis succeeding for ourselves,
for our team members and for theorganization.
Thanks for tuning in andremember leadership without
passion limits the depth of yourvision.
Glen (36:29):
Be sure to join us next week with your host, Simon
Kardynal, for another episode ofTrench Leadership: A Podcast
From the Front, produced by,"It's a Legit Business Music
provided by Ashamal of Music.
Never miss an episode byfollowing us wherever you get
your podcasts.
While you're there, pleaseconsider leaving us a review and
(36:52):
rating podcasts.
While you're there, pleaseconsider leaving us a review and
rating.
Hint.
We love five stars and let usknow what topics you would like
to hear about.
Popular Podcasts
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
The Clay Travis and Buck Sexton Show
The Clay Travis and Buck Sexton Show. Clay Travis and Buck Sexton tackle the biggest stories in news, politics and current events with intelligence and humor. From the border crisis, to the madness of cancel culture and far-left missteps, Clay and Buck guide listeners through the latest headlines and hot topics with fun and entertaining conversations and opinions.