Are you ready to explore the world of cybersecurity through a new lens? Buckle up as we voyage through the captivating journey of Sam, a former emergency room technician who successfully transitioned into the realm of IT and cybersecurity. His unconventional path—marrying his medical background with a passion for problem-solving—proves that with an adaptable mindset, anyone can find their place in this dynamic industry.
In our enlightening discussion, we emphasize the importance of fostering a broad knowledge base within cybersecurity, challenging the inclination to become hyper-specialized. We highlight the potential pitfalls of limiting oneself to a single domain, which can obstruct a holistic understanding of the vast security landscape. Moreover, we address the current job market's unrealistic demands on those starting their cybersecurity career and propose that embracing diversity in backgrounds and experiences could be a solution to the industry's talent crisis.
As we delve deeper, we examine the Zero Trust Framework, spotlighting the necessity of creating an authorized user list coupled with rigorous logging and reporting. You'll hear firsthand about Sam's experience with his product, Cyolo, a tool designed to tackle high-risk user access challenges. We then move on to the subject of auditability within organizations, and how manufacturing companies maintain security on outdated systems. We wrap up with the vital topic of networking, shedding light on how disagreements and connections can bolster your knowledge and understanding in the cybersecurity field. Tune in for an episode packed with insights, experiences, and wisdom from the ever-evolving world of cybersecurity.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1 [00:00:00]: How's it going, Sam? It's really good to finally have you on the podcast here. I'm really excited for our conversation today. I think it'll be an interesting one.

Speaker 2 [00:00:09]: Joe, I'm looking forward to it as well. Man, thank you very much for including me.

Speaker 1 [00:00:14]: Yeah, absolutely. So, Sam, you know I always start everyone off with telling their background. You know, I think it gives a lot of good context to my audience, and my audience is coming from, you know, many different backgrounds. So I know some of them are wondering, right, how is there a space for me in IT? Is there a space for me in security? And they may be coming from a non-technical based background. So what's your story?

Speaker 2 [00:00:41]: You know, originally my first adult job... you know, you have your high school jobs, then you get into the real world, and I worked in a hospital. I was an emergency room technician for, well, seven and a half years at a couple different hospitals and did a lot of, you know, crazy stuff, a lot of great stories. I usually like to say they're better told over adult beverages, so we'll spare your listeners that conversation today. But I got into technology and cybersecurity kind of, you know, through different relationships that I had, and found doors that opened and walked through them and really fell in love with the space. I think, you know, for anyone who's listening that's looking forward to a career in technology or in cybersecurity, please, please join up. We need your help. We need your specific background. Everybody's bringing their own unique point of view and perspective, and the more diversity we have, we think, looking at these problems that we're all facing, every company is facing, the better off we're going to be. There's a lot of great experience that is coming from outside of the tech and cyber world that I think is really necessary, really needed today.
Speaker 1 [00:01:50]: Yeah, wow, that's a very interesting background. I mean, what made you go from being an ER tech into, you know, this crazy world of security?

Speaker 2 [00:01:59]: You know, I mean, the real answer is I was working on the front lines of healthcare, you know, 40 plus hours a week, and unfortunately it does not pay super great. We will divert away from that conversation because I think that's a big structural conversation there. However, you know, my family was growing and I needed a way to provide for them and, again, I had mentors and people that I knew that kind of connected me to different places, and ended up getting different jobs. And it wasn't that I sought out to end up in cybersecurity, it just kind of happened. That was just the path that unfolded before me in my career, and I kind of found, hey, I have an affinity for it. I like to communicate and I like to solve big problems. I like to take big, complex ideas and help make them very simple to understand, and it just kind of felt like a good fit and it's been a lot of fun ever since. It's kind of one of those things: you realize how much you enjoy it once you start doing it, if that makes any sense at all.

Speaker 1 [00:02:56]: Yeah, I think that makes a lot of sense. You know, were there any skills that you learned as an ER tech that kind of translated into the world of security or your current role?
Speaker 2 [00:03:11]: You know, in the emergency room every day is different in a lot of ways, and I think that's very appropriate for a security role, because every day is going to be different. Now there are some big pieces that are roughly the same and, you know, some nights we would have would be like, oh, tonight's the chest pain night: everyone that's coming in has a chief complaint of chest pain, and you would notice little themes. And if you've ever worked in a hospital, the full moon is a real phenomenon. Obviously it happens every 28 days, we know that, but it does somehow impact emergency services. Weird stuff happened on full moons, so you knew that was happening, but it was always different. There was a uniqueness to what it is that you were doing, and you never really knew the challenge that you would be facing until you showed up for your shift. And so, similarly, in the cybersecurity world, you don't really know what's going to happen. You can have some good ideas. Obviously things happen cyclically, you know, big pieces, but you have to adapt, you have to overcome, you have to innovate, you have to change and continue trying and growing, and so I think some of those skills have transferred over.

Speaker 1 [00:04:17]: Huh, yeah, that's really interesting. You know, recently I ran into a situation where I was on a call just trying to get teams to, you know, resolve vulnerabilities in the cloud, right, just kind of make our environment more secure. Basic things that I figured, you know, everyone would kind of be on board with, especially because this isn't our first meeting, and you know they had a huge problem with it, like completely threw a wrench in my entire day. It was like, man, why did they give me so many issues about it? Like I had to go hear a backstory and, you know, get some background on the issue and whatnot, because it was throwing me off by so much. And now here I am revamping the entire process, creating custom reports and all this other stuff to help out the teams, right, and you know I'm a security engineer, right. At the end of the day I don't necessarily, you know, need to do that or spend my time on it or whatnot, but it's different. You know, every day is different. The day before that I was talking about, you know, securing a firewall, right, or securing a network, right.

Speaker 2 [00:05:28]: Right, right.

Speaker 1 [00:05:29]: I think that's what keeps, you know, myself, and you know people like yourself, coming back, right, because it's always different.
Speaker 2 [00:05:38]: Yeah, well, and again, you have to adapt and overcome. Like, something that is obvious to you, hey, vulnerabilities in cloud applications or cloud access, like, yeah, we should probably do something about it, and we can, right, like there's things you can do to solve for that. It should be a no-brainer, but unfortunately there are others that do not see the world the same way that you do. It does not make them wrong, bad or terrible, it's just now you have to adapt and overcome and make sure that you're giving them the information that they need. And you're right, it does, it keeps you fresh, it keeps you moving, gives you something to talk about with your family at the end of the day that they just will not understand. And it just, it keeps it going.

Speaker 1 [00:06:18]: Yeah, absolutely. So, you know, your transition into security. You know, how did you manage the learning curve of security that, you know, we have? That's a mate, right, that everyone has to go through, no matter what, right. How did you tackle that? How long did it take you to feel, you know, actually comfortable in the role, in the industry?
Speaker 2 [00:06:40]: I looked at it... I had some really fantastic mentors and people that helped me along, and I think, if you can hitch your wagon to those people that know what they're talking about. One of my first jobs when I got into technology was as a salesperson. I was a sales manager for a technology company and I had a just world-class engineer that I worked with. I mean, this man was incredibly smart, and every opportunity I got I would pick his brain and ask him questions, or we'd walk out of a meeting and he'd help me understand why that's a big deal to this client, why is their system like this? Or kind of getting into the weeds of it. And the other piece, I think, is having a very broad knowledge about a lot of things I think is actually very useful. I think there's a rush to hyper-specialize in security and in technology in general, and I don't know that that's needed. Obviously we have to have specific experts and domain expertise, but I think having a broad knowledge, being able to articulate what it is, you know, what's the difference between a SIEM and a SOAR, what's the difference in an XDR versus, you know, a VM scanner, being able to understand kind of the building blocks of the functional pieces that go into kind of a defense in depth posture, I think then gives you... you can ask great questions and better questions that continue to expand your learning and knowledge. And so I just went as wide as I possibly could quickly, and asked, and then just continued to ask questions from there.

Speaker 1 [00:08:11]: Yeah, you bring up a really good point. You know, I talk to a lot of people that are trying to get their start, right, and the biggest question that I get is, you know, what do I specialize in? What should I learn? You know, the best and all this sort of stuff, and this has come from people that have little to no experience. And I started my career in a very dynamic role. You know, I learned across probably six or seven different domains of security. I managed those technologies all at the same time while I was learning them, and that's really, you know, where I cut my teeth, so to speak, and that's where I, like, made the most progress, because when you pigeonhole yourself, right, it's kind of assuming that you have those building blocks. You know, like now I'm in cloud security, right, and people would think that, oh yeah, you're specialized in the cloud and whatnot and you know everything in the cloud, right, which is true, but a part of that is also knowing data security and endpoint security. And you know where I learned endpoint security is in that role where I did eight different things, right, because I specialized in it. You know, learning how to get logs out of the cloud, or maybe keeping them in the cloud and doing a SIEM around it and doing some threat, you know, analyst stuff around it. Like I learned all of that because I was doing a bunch of different things, and all of that is a part of cloud security, right? Like I would not be in cloud security if I did not have that experience.
Speaker 2 [00:09:42]: Oh, a hundred percent, and I think there's a lot that happens in the job market, especially for cybersecurity professionals, where we expect a lot out of people that are getting started, and I think we have to change that mentality very quickly. On-the-job training is really some of the best that you can get. I mean, you've probably worked in roles where you've hired a new person and they may have, you know, they have all the intangibles that you're looking for. You know, good work ethic, they get along with the team well, they have an ability to learn, but they don't necessarily... Even if they come in with good certifications, you're still going to have to teach them your processes, your tools. You know, maybe they specialized when learning on one tool, but you're actually using a competitor. There's still a lot of on-the-job training that's already happening, that needs to happen. So why not accept people that have maybe a little less certification, a little different background? You're going to teach them anyways. Might as well bring folks in and get them started. Last I checked, we have a severe shortage of cybersecurity professionals, and so if we can just maybe widen our reach just a little bit, bring folks in, let them get started. Let them learn, pair them with competent mentors who have been around the block a little bit, and then let's see what happens.

Speaker 1 [00:10:56]: Yeah, you know, I feel like that security shortage is almost self-imposed, you know, because, one, it doesn't make sense because there's so many applicants for, you know, every job. I mean, even if you just go on LinkedIn, you can see how many people have applied. The biggest issue that I ran into, even personally when I was getting into security, was, you know, I had my Security+, I was getting my master's in cybersecurity, but people would get hung up on the fact that, oh, I didn't have experience with Splunk, right? Well, Splunk is like $10 a minute. How am I going to pay for that? Like, do you want to tell me how I can pay for that? You know? And then, even when they had a free version of it and I deployed it in my home lab and did everything with it, right? People still didn't accept that. They're like, oh well, it's different from enterprise. Okay, like, what do you want me to do? Like, I can't go buy Carbon Black, right? I can't go buy Bit9, I can't go buy any of these solutions. You know, I'm a poor college graduate trying to get into this industry.
Speaker 2 [00:12:01]: Because, so you hire somebody? Oh, they came from a QRadar background, like they're not using Splunk, but they came from... wait. Good, great, if you're gonna have to teach them Splunk anyways, see, might as well take somebody that has an aptitude, a willingness to learn, a good attitude, a work ethic. You know, skills that are really the intangibles that go a lot further in the cybersecurity market than, oh, you know how to input fields and edit data tables in Splunk. Or, you know, here's how you import X. Good grief, like we got, you're right, self-inflicted wounds here. But you think about it too, like, you know, I think would make fantastic cybersecurity engineers or people: folks coming out of the service industry. I mean, you want to talk about high pressure, high volume, crazy work. You know, talk to a server who's got 10 tables, all of them who are needing certain things, and they're running around trying to make sure they're all taken care of. Okay, do they have cybersecurity experience? No, but do they have a great attitude? Do they know how to do customer service? Can they learn? Do they work quickly? Are they personable? Like, those skills will go a lot further in a cybersecurity team role than, you know, your CISSP, perhaps. Not saying that's not important, please don't miss here. I'm not saying that's not important. Please train, learn, get certifications, advance, do all those things, but folks getting started off, I think it's far more important to have some of the intangibles.
Speaker 1 [00:13:20]: Oh, for sure. I mean, there's no debating that in my mind. Even, you know, like the certifications are great, but they should be used to validate the knowledge that you have, not, you know, gain more knowledge necessarily and rely on that to get a job or anything like that. Like, you know, they're really just validating the knowledge that you have, and it's okay to build up that knowledge while you're studying for the cert. But if you're, you know, a server trying to get your CISSP, it's like, okay, well, you're not even in the industry, they're not going to issue it. You know, and I always recommend to people, you know, that want to get into security: get into help desk first. You know, because in help desk, at least depending on the company, you know, you could pick up the phone and someone is just automatically yelling at you right off the bat. Right, that's a high stress situation for me, you know, until I got used to it. I mean, that was like panic attacks and whatnot, like I'd have to get off the call, go for a walk, try to de-stress somehow, you know, and go back to my desk and, lo and behold, you know, the same person is calling me back with a new issue and they're just as angry, if not angrier. You know, and I got to deal with that, right, and those are skill sets that you only learn in those types of jobs. You know, same thing with, you know, servers and really anyone in the service industry. You're having to deal with other people and it's such a wide variable of what could be happening, right. Like I've been on calls when, you know, someone told me that they were going to, like, a Renaissance fair or, like, it was like a medieval convention, right, where everyone, like, dresses up in, you know, the clothing of that time period, those jobs for like a week and whatnot. And I couldn't believe that this person was telling me this, right, and at the time, you know, I'm very early on in my career. I mean, I just couldn't believe, right, like how she was talking about how she's going to be churning butter, right, for the next week and how she's so excited for it. And it was so extraordinarily difficult for me to not laugh on the phone, and I couldn't mute myself because this is an active conversation. I was supposed to be actively troubleshooting her issues. It was the most complex, like, situation, you know, that you could imagine, because it's like, okay, I got to zone her out, I need to focus on this problem, relay information back, try to zone her out more. And it didn't help that I had several other colleagues on the call too, because I was the escalation point and they were all on mute laughing, like, you know, I could see them. I was just like, guys, walk away. Yeah, you know.

Speaker 2 [00:16:05]: But what a great scope. In cybersecurity, right, like if you're dealing with an incident, there's a lot of noise. You have to tune it out, focus, parse, look, just describe, report out. I mean, think of any tabletop or any incident that you've ever run or been a part of. Those are essential skills. I mean, you know, your certifications are less important than your ability to prioritize, focus, report, get feedback, work with a wider team and really get it solved. So I mean, I think I love how you're thinking about this. This is a fantastic conversation.
Speaker 1 [00:16:42]: Yeah, absolutely. You know, that's another thing, you know, that people don't really understand, right. I'll give you an example. A little bit earlier in my security career there was a major incident, the giant incident, where this solution basically rotated 40 accounts in the environment. One, it wasn't even configured to rotate all those accounts, it was only supposed to rotate, you know, like 2 or 3, whatever it might have been. A bug occurred in the system and it rotated everything all at once. You know, we came within maybe six or 12 devices or accounts of being locked out of the entire environment and having to call Microsoft. Dang. That's literally the situation. So in the midst of that, I'm not only directing traffic, I'm not only getting, you know, my team to get the right people in the organization, because they're all new, they're brand new in security. They have no clue what's going on. They assume everyone's getting fired at the end of the day. Right, I assumed I was getting fired at the end of the day, but I knew I had to keep working. Yep, you know, and in that situation you have to zone in, and then, you know, I would hear my manager's voice. You know, give me an update. It's like, give me five minutes. Like, that's your update. Give me five minutes and then I'll have an update. And, you know, five minutes later I would chime in to him, like, on the call, just cut everyone off, be like, this is the status, this is what's going on, this is what I'm doing next. You know, and yeah, like, go right down the line of, then he's managing traffic upwards and sideways, and then my team is managing traffic to all other, you know, technical people. But if I didn't have the ability to slow down, right, and identify, okay, this is a major issue right now, we need to waste no more time on anything else, everyone needs to drop everything, right, then I spent 30 seconds and just directed traffic like, you're in charge of this, you're in charge of this, you go handle this. You know, if I didn't do that, that incident would have been much more severe, because I had to have someone go to very specific people in the company and say, you know, don't log off. Like, you need to stay logged in no matter what; if it says, you know, change your password, do not change your password. You know, all those different things. If I didn't protect the company like that, we would have been a news story on CNN within a couple hours. You know, right, that would not have been good.

Speaker 2 [00:19:10]: Yeah, no joke, yeah, that would have been... That's not the kind of thing you want your name tied to.

Speaker 1 [00:19:15]: Yeah, yeah, that would not. That's a good way to end a career before it starts, you know. Yeah, so, you know, Sam, talk to me about your current role, your current company. What are you doing now? What are you guys specializing in? What services do you provide?
Speaker 2 [00:19:37]: So I work as the director of product marketing for a company called Cyolo Security, and it's C-Y-O-L-O. It's because you only live once, and we focus on those situations and scenarios where user access could cause enormous damage to the business. And you've been a part of incidents, right? You just described one so well, like, this was an enormous problem to the business. Something went wrong and the entire team is now responding to try and get it fixed, and we find that there are usually things that could happen. You know, here's a good example. If you are a company that manufactures cookies, you have assembly lines and product lines and all sorts of things. They have all these machines that are mixing and making it. Just the complexity is enormous. If that cookie production line shuts down for 30 seconds, you're losing money. 60 seconds, a lot more money. A minute, you know, two, three, five, ten, twenty minutes. Any amount of time that that production line is not working is enormous damage to the business. To make that more complex, those devices are usually maintained or have service contracts with the company that made the device, and they have remote technicians that will, you know, use some phone line or VPN or some tunnel to get into the system to talk to that device, and now all of a sudden we're risking the shutdown of the cash production engine of the company. So user access could cause enormous damage to the business. We're specialists in that, and so we perform a high level of authorization, or basically, got to identify every user, make sure that they're authorized to only very specific, very limited things that they should be accessing and working with, and then keeping all of the logs and reporting. If that sounds familiar, it should. Frankly, it's the summation of the zero trust framework. We want to make sure we identify every user and know exactly who they are, and they're not some generic, you know, account. We want to make sure we have a very fine-grained limitation on what it is that they are allowed to access. We like to think of it as, instead of building out the deny lists, you know, if you go through a firewall or you have all the deny lists, you have your ACLs and all that kind of stuff, let's build out an allow list, and that's gonna be a lot smaller. Let's build the allow list instead of the deny list, so that they only can access the specific tools or resources they need to do their job. And then, finally, we got to make sure we monitor everything. All the reporting, all the logging, all of the data from these connections should be available and should be able to be scrutinized for all the different purposes, and so that's what Cyolo does: we specialize in high-risk access.

Speaker 1 [00:22:19]: Yeah, that is, you know, that's an aspect that I feel is often overlooked a lot of the times in organizations. You know, can I ask you this: was this product, this solution, was this the bread and butter of what the company was kind of founded on and created for, or was it kind of bolted on? And I ask this because, as a security professional, I can tell, right, within probably 30 minutes of working with a solution, if this is a conglomerate of 10 other solutions kind of bolted together with some really strong duct tape, right, or if this was, you know, solely built for this solution.
Speaker 2: Yeah, so I would.
00:23:06
I would like to argue that it we did build it purposefully for
00:23:09
this, because our founder Is a former CISO, the chief
00:23:12
information security officer.
00:23:13
He was the first CISO of the Israeli Navy word, israeli
00:23:18
company, wow and so he had all the weapon systems and IT
00:23:21
systems and all the things that were, you know, in the Navy, and
00:23:24
that was his, that was his role in the in the Navy.
00:23:26
So then after that, he transitioned into private
00:23:30
industry and worked for a global manufacturing company when he
00:23:34
had users that were in a non-friendly country, that were
00:23:37
contracting with his, with his current company, that needed to
00:23:42
access critical pieces of data or lines or whatever it was.
00:23:45
These users were also contracting with their
00:23:50
competitors and you think about like what a mess, right, like
00:23:52
you have these people that are Not friendly and could shut your
00:23:54
business down.
00:23:55
So how do you build security for that environment?
00:24:01
And that was the genesis of the CIO lo solution Building it for
00:24:07
again, these situations where we have to users that need to
00:24:09
connect to applications or resources, and then the policies
00:24:10
that connect all of that together.
00:24:13
So he partnered with a couple of guys he knew that were
00:24:17
ethical hackers at large companies, and so it's really
00:24:20
fun.
00:24:20
We get into like these, like company meetings, and we'll have,
00:22:23
like you know, the CISO perspective with our, with our
00:24:25
founder, one of our founders.
00:24:26
Then the other two founders are like arguing from like the
00:24:29
hacker perspective, like I'm going to break in this way, and
00:24:31
he's like, no, we're going to block you this way.
00:24:33
So it's just really fun, like dichotomy, which is very healthy,
00:24:36
I think, in a security tool.
00:24:38
And so no, it was purpose built for solving those specific
00:24:43
issues.
00:24:44
Speaker 1: That's perfect.
00:24:45
You know, I, I, I worked with a other solution, Um, that you
00:24:50
know.
00:24:50
To be completely honest, I wouldn't even consider them a
00:24:52
competitor. I know you guys probably do. Unfortunately, I
00:24:56
have that experience with them, um, but it was just so miserable
00:25:01
when I got to that section of their product, Because you know
00:25:05
that there's like 10 other things that this tool does, right.
00:25:08
This is one of 10, look, quite literally one of 10.
00:25:11
And you know, building that out, deploying applications into it,
00:25:16
like deploying servers and endpoints into it, it was
00:25:20
terrible.
00:25:20
I, it was absolutely terrible.
00:25:23
It was the worst experience I've ever had doing security.
00:25:26
I hope to never touch that solution again, Like literally,
00:25:29
when I'm interviewing, I ask them, do you have
00:25:32
Speaker 2: This solution in your environment?
00:25:34
Speaker 1: And if they say yes, I'm like, all right, I'm sorry,
00:25:37
I just I won't work in an environment that has that
00:25:40
solution.
00:25:41
Speaker 2: Cause as soon as they find out right.
00:25:44
Speaker 1: Cause, as soon as they find out that I have
00:25:46
experience, they're like oh, you're the SME, like you got it.
00:25:49
Like oh, I do not want that job ever again.
00:25:54
Speaker 2: Unfortunately, that's a reality, right, like,
00:25:55
security tools can be hard on security teams and that's that
00:26:00
shouldn't be the case.
00:26:01
So you guys already overworked, you have more on your plate
00:26:04
than really should be there.
00:26:06
We talked about the shortage of people that are working in
00:26:08
these roles, so you don't have enough human power to get after
00:26:12
the job.
00:26:12
Um, but the other side is, security tools should be easy
00:26:15
for end users to also use.
00:26:17
Like the best security tools are the ones that end users
00:26:20
comply with.
00:26:21
Like you can sit there and have the greatest thing and all the
00:26:25
policies are so beautiful and you know, everything's just, oh,
00:26:28
it's amazing.
00:26:28
But these users, like, they're not malicious, they're smart,
00:26:33
they, they will get around whatever you have in place If it
00:26:36
is blocking them from easily doing their job.
00:26:39
I think of one client that I knew of.
00:26:40
They had, um, there was a research institution where their
00:26:44
principal investigators you know the women and men who are
00:26:46
doing high level, advancing humanity style research was they
00:26:50
were sending trial data over iCloud because, right, and I
00:26:56
know let's maybe not do that, right, that's not very, that's
00:27:00
not secure.
00:27:00
Just in case you're listening, iCloud has got a lot of great
00:27:03
features.
00:27:03
That's not one use case that it should handle.
00:27:07
We should not purpose-build for that.
00:27:08
Right, there are other ways to do it, but it was not easy.
00:27:12
It was not something that these again, these people are experts
00:27:16
in their field of research, not cybersecurity, so they don't
00:27:20
think of.
00:27:20
I got to keep this data safe and secure.
00:27:22
They're thinking I have to collaborate with my colleague
00:27:25
over here because they need to look at this and we need to
00:27:27
discuss and we need to, you know , publish, um, so those are the
00:27:32
realities.
00:27:32
Like the tools have to be fundamentally workable for
00:27:36
cybersecurity professionals, cause if you're going to, if you
00:27:38
have to open a support ticket every time you want to add
00:27:41
something or change something, like that is just a waste of
00:27:44
your time.
00:27:44
And if a user is just going to get around it because it's not
00:27:48
supporting their existing workflows, also a waste of the
00:27:51
cybersecurity team's time, cause they have deadlines, just like
00:27:54
we do.
00:27:54
They have big projects and big meetings and their bosses are
00:27:58
putting pressure on them to get stuff done, just like the cyber
00:28:01
teams are.
00:28:01
It's not that different.
00:28:03
They're not malicious, they're just trying to get their work
00:28:06
done.
00:28:07
Speaker 1: Yeah, it's a really good point.
00:28:08
You know it's, um, it's interesting being in security,
00:28:12
right?
00:28:12
Because we have a different mindset from everyone else.
00:28:15
Um, most of the time at least, you know, we have the mindset of
00:28:19
how do I break this, how do I get around this, how do I do
00:28:22
this, right?
00:28:23
And then you know there's a group of us that say, okay,
00:28:26
let's do it.
00:28:26
And then there's a hopefully a much larger group that says how
00:28:30
do we protect against it?
00:28:31
You know, um, like I recall earlier out of my career where
00:28:36
my manager basically said, oh, this solution is going to, you
00:28:39
know, block all data exfiltration.
00:28:41
You know you'll, well, no one will ever get around this thing
00:28:45
and whatnot.
00:28:47
Speaker 1: And I was like, okay, like I took that as a personal
00:28:50
challenge because I knew.
Speaker 2: Hold my beer, let's go.
00:28:52
Yeah, yeah, right.
00:28:53
Speaker 1: I knew he didn't know the solution that well and I
00:28:56
knew that he also didn't know the technical implications
00:28:57
behind it and whatnot.
00:28:58
And so, literally 30 minutes later, I pull up my computer and
00:29:04
I called them over and I said, hey, like you know that
00:29:07
expensive solution that we just spent a couple million dollars
00:29:10
on, yeah, I want to show you how I just got around it and you
00:29:13
can go check and see if there's any alerts on my device.
00:29:15
Yeah, and like I showed him, he goes what?
00:29:18
Like?
00:29:19
Who's even going to think like this?
00:29:21
I'm like, if this messes with someone's productivity, they are
00:29:25
going to find a way to do it.
00:29:26
This is a Google search away.
00:29:27
That's all that.
00:29:29
Speaker 2: This is yeah.
00:29:30
No, it's a hundred percent right Cause, again, you're just
00:29:31
trying to do your job.
00:29:32
If you're an end user, you're not thinking about, you know a
00:29:36
lot of things other than I got work to do, or you're you know I
00:29:39
got to get home to my family or you know whatever.
00:29:41
That is like, the pressures of everyday life.
00:29:44
That's what's exploitable.
00:29:45
And really the human element is by far the weakest link in the
00:29:52
cybersecurity chain.
00:29:52
It is easily the most sensitive.
00:29:55
We like to say around here at Cyolo, like, hackers don't break
00:29:59
in.
00:29:59
They log in because it's so easy to compromise credentials.
00:30:03
There are so many attack vectors that are literally
00:30:07
causing users to be compromised.
00:30:09
And then now they have a, they have access.
00:30:12
So controlling and managing that access is hyper critical
00:30:18
and it gets more critical.
00:30:18
The more sensitive, the more impactful to the business, the
00:30:23
the thing the user has access to.
00:30:25
Yeah.
00:30:27
Speaker 1: You know you bring up an interesting point.
00:30:29
You know I have a policy where I don't click on links, right
00:30:34
Fair.
00:30:34
I don't care if you send them to me on my work device, On my
00:30:37
personal device, it doesn't matter to me.
00:30:38
If you want me to click on it, you better message me or tell me,
00:30:42
you know, in another way, saying like hey, I just sent you
00:30:45
this.
00:30:46
You should probably click on it.
00:30:47
Speaker 2: We're doing MFA for links, is what you're doing
00:30:49
really, you're multi-factor, authenticating that the link is
00:30:51
legitimate.
00:30:52
Yeah, that's fantastic.
00:30:54
Yeah, yeah.
00:30:56
Speaker 1: You know, I did a training course this past
00:30:59
weekend and I expected I had to sign a like a liability waiver
00:31:03
or whatever it was, which is fine, but I never got it Right.
00:31:06
So I show up to this course and they're like, hey, you never
00:31:09
signed your waiver.
00:31:09
I was like, okay, well, I never got it.
00:31:11
And they're like, oh, we texted it to you.
00:31:13
I was like, okay, so, from a number that I do not know, just
00:31:16
texted me a link and that's literally the only thing that
00:31:19
they sent me.
00:31:20
They only sent me a link.
00:31:22
Like, dude, you know what I do for a living, I am not clicking
00:31:26
on that thing.
00:31:28
I literally, I literally looked at the message and I was like
00:31:30
not today, Satan, and I deleted the message.
00:31:35
Exactly yeah, Like come on yeah .
00:31:37
Speaker 2: You've got to be better than that.
00:31:38
That's, I mean.
00:31:39
That's, yeah, I mean.
00:31:40
Unfortunately, the phishing and the smishing and all that stuff
00:31:44
is getting better and so they're, you know, sending a single
00:31:46
link from a number.
00:31:47
You don't know.
00:31:47
Maybe that actually would be considered more legitimate now,
00:31:51
because they're actually getting a little bit better and, you
00:31:55
know, the conversational AI is getting better at writing stuff
00:31:57
that makes sense.
00:31:57
But yeah, I still get a lot of great text messages, a lot of
00:32:00
great text messages from my CEO, because he's in a meeting and
00:32:04
he needs me to reply right away.
00:32:05
And, um, yeah, those immediately get filed in the
00:32:11
dumpster.
00:32:11
Yeah, it was really interesting.
00:32:13
Speaker 1: You know, I went to Germany last year and before
00:32:17
Germany I was talking to someone that I'm, I'm a, I'm a part of
00:32:21
this advisory board and I was talking to the CEO of this board
00:32:24
about potentially coming to France to go and do a talk and
00:32:26
whatnot, right, but we never really nailed it down, so I
00:32:30
never did the talk, and so it looked exactly like him, like
00:32:34
his number was 100% spoofed.
00:32:35
It came up in my phone as him because I have his number saved
00:32:39
Yep, Yep.
00:32:39
And he said, like you know, hey , are you available?
00:32:42
You know, I have something I need you to do.
00:32:44
Okay, whatever You're like, I'll, I'll handle it.
00:32:46
I was at the bar at the time of all places, right, um, in
00:32:50
Germany, because that's what you do, absolutely yeah.
00:32:53
And, and I'm not sure if you're going to be able to do that.
00:32:57
The next message that he sends is I need, like you know, 30
00:33:00
gift cards.
00:33:01
I'm like, all right.
00:33:02
Speaker 2: I get it now.
00:33:03
Yeah, I see this.
00:33:03
All right, I've seen this one before, yeah, but I, I mean it's
00:33:11
so, it's so easy for the criminals to do things that
00:33:16
users would trust.
00:33:17
I mean, if I got a number of a text from someone that is in my
00:33:20
contact list that I know that I've I've communicated with
00:33:23
before and they said, hey, you know, can you help me out with
00:33:26
something?
00:33:26
Of course I'm going to be more responsive to that.
00:33:29
Um, you know, I don't answer my phone if it's not a number
00:33:32
that's really saved in my contacts, because it's either
00:33:35
someone trying to sell me something or or or worse, and
00:33:38
but it's so it's so easy for that to be done today that
00:33:42
really, cybersecurity has to evolve away from like we got to
00:33:46
take a little bit of the burden off of users because you know,
00:33:50
at the end of the day, like again, they're busy, they got
00:33:52
projects, they got jobs, they got things they're worried about
00:33:54
that are outside of what we're concerned with.
00:33:57
So we have to take the control a little bit away from them or
00:34:00
not rely on them because, okay, great, so you did a phishing
00:34:03
training, you got everybody enrolled in that, and that's
00:34:06
fantastic.
00:34:06
You should do that, absolutely should do that.
00:34:07
But you went from 10% compliance, you know, or 10%
00:34:12
click the link, to 4% that click the link. Celebrate as a big win.
00:34:17
That's amazing.
00:34:17
You still have 4% of your company that are clicking bad
00:34:20
links, like that's still a problem that is not fully gone
00:34:25
away.
00:34:25
So if we can take the security from that, the users need to do
00:34:29
something or be good to.
00:34:31
Our tools are going to account for the fact that the user is
00:34:35
not going to be right 100% of the time and it's going to build
00:34:38
those layers of control and compensation into the access
00:34:43
that they're being given.
00:34:43
You know, obviously access should be different if they're
00:34:46
working from home than if they're working in the office or
00:34:49
if they're somebody that's not a part of your company but it's
00:34:51
a third party or a contractor, whomever.
00:34:53
You should have a lot of different levels and we should
00:34:57
have a lot of different ways to validate.
00:35:00
One of the other things that happens a lot in companies is
00:35:02
they'll have like okay, so say it's like one like file server
00:35:06
or something, to get into that file server.
00:35:08
There's one username and one password and there's 100 people
00:35:12
that are logging into that file server because it's got
00:35:14
something that they need right.
00:35:16
They're all using the one username and the one password.
00:35:20
Well, how do I differentiate between, you know, Susan and
00:35:25
Bill?
00:35:25
I have no idea, because all I'm seeing is that they put in
00:35:28
username and password.
00:35:28
We need to have tools that can differentiate, that.
00:35:31
They can help us with that, or just, you know, beyond just
00:35:34
password vaulting that password and stuff, but making it a way
00:35:36
that we could get better detail on what users are doing, to take
00:35:40
the need for them to be great and put it into some of the
00:35:44
security tools that we are using.
00:35:46
Speaker 1: Hmm, yeah, that's um, that makes a lot of sense.
00:35:51
You know I have a personal policy where you know I I
00:35:57
attempt to make security as easy as possible while remaining as
00:36:00
secure as possible.
00:36:01
And uh, I was working for a company and I just heard it.
00:36:06
You know, I heard this conversation between two network
00:36:11
engineers, right, and the lead said, oh, you just telnet into
00:36:15
the core switch.
00:36:16
And you know you already have the credentials and whatnot.
00:36:21
And I turned around and I'm like I'm sorry, I'm sorry, I must
00:36:25
have misheard you.
00:36:26
You must have meant to say SSH, yeah.
00:36:28
And he's like, no, we telnet around here.
00:36:32
And I was like why don't we use SSH?
00:36:35
And he goes there's no need for that level of security.
00:36:37
I'm like it's a core switch.
00:36:39
He goes yeah, but no one's going to breach our perimeter.
00:36:42
I was like, okay, but we have a flat network.
00:36:45
So, literally, like I could get into our core switch, yeah,
00:36:49
like just by hearing what you just said, I could get in with a
00:36:52
legit authentication, right.
00:36:54
And you know it went even farther to saying like, okay,
00:36:59
well, does everyone have their own login?
00:37:01
You know that needs access.
00:37:02
And goes oh, no, we just use the same account.
00:37:04
Why would we have different accounts Like?
00:37:06
So we have no auditability on our core switch?
00:37:10
Speaker 2: Thank you, right, so yeah, so when, when somebody did
00:37:12
change that one config, but, like you know whatever in the
00:37:15
supervisor or whatever, that now the entire network is down, how
00:37:18
will you know what they did?
00:37:20
How will you have any idea of, like, well, let's just go look
00:37:23
through the packet capture and see if we happened to capture
00:37:26
that one session.
00:37:27
That were things changed like.
00:37:28
Good luck.
00:37:30
Speaker 1: Yeah, that's impossible.
00:37:32
I couldn't believe that companies still do that.
00:37:34
You know I'm sure you guys see that all the time of companies
00:37:38
still doing that, especially in a manufacturing environment
00:37:43
where you're manufacturing you know millions of things,
00:37:47
potentially a day or a week.
00:37:48
You know you need that line up and running.
00:37:50
You know it's probably easier to just set it up simply rather
00:37:54
than, you know, having a com, a more complex environment than
00:37:58
what it already is.
00:38:00
Speaker 2: Because the other thing is is a lot of these
00:38:01
devices?
00:38:01
They're not.
00:38:02
So network switches right, you know those are changed out
00:38:05
whatever 10 years or so you typically go through the life
00:38:08
cycle on.
00:38:08
A device in a manufacturing line is built to last for like
00:38:11
20 or 30 years.
00:38:12
They're not changing them out like this, not like because
00:38:15
again, you shut that down for any length of time and the
00:38:18
company is not producing the goods and services that make the
00:38:21
money.
00:38:21
So you put, you put something in.
00:38:23
If you build a new production line, you're wanting it to last
00:38:27
for 20, 30 years.
00:38:29
There are still operating systems running core components
00:38:33
of you know thinking about energy distribution or you know
00:38:36
wastewater treatment or manufacturing oil and gas, like
00:38:39
all these different verticals.
00:38:40
They're running like Windows XP and that's a fairly recent you
00:38:45
know OS for some of them.
00:38:46
So you have these systems that you know you wouldn't want to
00:38:51
touch with a 10 foot pole but are still.
00:38:53
They're not going anywhere.
00:38:55
So they use, you know VPN is a good connection methodology and
00:39:00
I think VPN is a not good connection methodology today.
00:39:03
I think we should avoid it and move away from it, but they're
00:39:06
still using that as a methodology to get in.
00:39:08
SSH is like amazing, like we should, absolutely.
00:39:11
But they're using, like you know, these VNC protocols, are
00:39:14
using a lot of RDP, and RDP with all of its wonderful flaws and
00:39:19
quirks, like that's how they're connecting into these systems.
00:39:23
And then add to the fact like, okay, so you, you know,
00:39:26
Schneider, Schneider Electric built that one device, or
00:39:29
Yokogawa, or Honeywell, or you name the company that
00:39:32
built the device that's running, and they have a technician, is
00:39:34
a.
00:39:35
Hey, you know, we're going to save ourselves a couple of bucks
00:39:37
so I don't have to fly here.
00:39:38
Next time I'm going to put a little jump server in the
00:39:41
network and connect it out.
00:39:42
It's going to phone home and now I can just sit there and do
00:39:45
that from my computer in my home office. Makes a ton of
00:39:48
sense.
00:39:49
But now there's this really random internet connection
00:39:51
that's coming out of this environment that you know, god
00:39:54
knows who can access it.
00:39:56
Right, it's just a reality.
00:39:57
So, right, there is a lot of those best practices of
00:40:02
convenience.
00:40:02
So whatever we do to help secure it has to be non-intrusive,
00:40:07
to the point where we can still allow it, enable
00:40:11
users to get the, because, absolutely, your network team
00:40:13
should be able to access their core switch Like they absolutely
00:40:16
need to.
00:40:16
There's million reasons why they should be able to do that,
00:40:19
but we just want to do it in a way that is one, secure and it
00:40:22
has, you know, the telemetry that we need and the reporting
00:40:25
that we need, so that you can point the finger squarely at
00:40:27
Bill and say, Bill, you did this, roll it back quickly.
00:40:31
Could we got to get the?
00:40:32
You know, we can only work around that one core switch for
00:40:34
so long.
00:40:37
Speaker 1: Right.
00:40:37
So it sounds like, potentially, you know where you start with.
00:40:42
Your product is even a culture change internally at
00:40:45
organizations, because you kind of need that shift in mentality.
00:40:49
You need that shift in action for your not necessarily for
00:40:54
your solution to be, you know, working effectively and whatnot,
00:40:58
but really for the organization to build trust, for them to,
00:41:03
you know, understand like, hey, this is how we're going to
00:41:06
secure it.
00:41:06
Do you do you, potentially, you know, help your, help your
00:41:11
customers, you know, identify that within their organization
00:41:14
and help them kind of change that perception.
00:41:18
Speaker 2: In some ways I'm.
00:41:18
What I'm finding is that there are a lot of clients that I have
00:41:21
really done a lot of hard work internally to help that culture
00:41:24
shift happen.
00:41:25
And so you know, obviously the world is what it is today, the
00:41:29
pressures are what they are today and you know, executive
00:41:32
leaders, board level leaders, they're all pushing down, you
00:41:35
know, because they're concerned about it now, for whatever
00:41:38
reason now, like where were you 10 years ago?
00:41:40
But you know we're concerned about it now.
00:41:42
That has obviously what you measure is what people tend to
00:41:48
do.
00:41:48
So now they're looking at it, measuring it, and there's
00:41:50
there's costs, risk costs, operational costs associated
00:41:54
with it.
00:41:54
So the business is taking notice.
00:41:56
So we're finding that a lot of that shift is happening
00:42:00
internally, for everyone maybe not, but for a lot of companies
00:42:03
and specifically in verticals like manufacturing, like oil and
00:42:06
gas.
00:42:07
And then there's some regulatory pressure.
00:42:09
You know, in the United States there's some regulatory pressure
00:42:12
, especially around like nuclear energy or other energy
00:42:14
production.
00:42:15
There are certain things that are happening that say we, we
00:42:18
are going to start requiring some compliance with some best
00:42:21
practices and that can be generally helpful and I've got a
00:42:25
lot of thoughts on, you know, the effectiveness of kind of
00:42:28
compliance regulations.
00:42:29
I think it's needed in some ways, but there's got to be some
00:42:32
some things that mitigate it.
00:42:34
So we're not finding that to be a big like.
00:42:39
We don't have to like push people to say, hey, we need to
00:42:42
change your culture and then you can start working with a
00:42:44
company like us that can actually help secure.
00:42:46
Some of that we're finding it's already there, but we are
00:42:49
finding is that there are some very specific differences
00:42:51
amongst teams.
00:42:52
You know, like you described, like you listen to the network
00:42:54
guys, they're looking at, oh, this is just the best way to do
00:42:57
it.
00:42:57
And as a security person, you're thinking, hey, we got to
00:43:01
change some of these things.
00:43:02
So you know, networking it, they speak a different language
00:43:06
than security does, which they speak a different language
00:43:08
entirely than the folks who run that manufacturing and the
00:43:11
operational technology professionals.
00:43:13
They're all speaking different languages and so it comes down
00:43:16
to this translation that can get everybody to the same table and
00:43:19
start working collectively to solve goals.
00:43:23
And what we found?
00:43:24
One of our largest customers.
00:43:25
They're a large global snack manufacturer.
00:43:29
They make delicious snacks.
00:43:31
I highly recommend them.
00:43:32
I had some the other night.
00:43:33
It was great.
00:43:34
They reported to us like man, this is the first tool that both
00:43:38
OT the operational technology people and IT agree on.
00:43:43
They went through their evaluation process and their RFP
00:43:45
and they looked at a bunch of different stuff and both OT and
00:43:49
IT returned with the same recommendation Like that has
00:43:51
never happened in the history of our company that a tool could
00:43:55
solve and bring people to the same table and same conclusion.
00:43:58
So the cultural shift is hard but it is happening, and tools
00:44:04
that could help bridge those gaps amongst different
00:44:07
perspectives and different things that people care about I
00:44:11
think will go a long ways towards supporting it.
00:44:17
Speaker 1: Yeah, that is very interesting.
00:44:19
I can only imagine being in an environment that deals with
00:44:23
manufacturing automobiles across the entire globe.
00:44:27
Saying that everyone agrees on this solution is winning the
00:44:34
lottery.
00:44:34
I recently proposed a solution and it got approved, and not
00:44:41
everyone saw it, and everyone had an opinion on what products
00:44:45
I chose for the POC, for the RFP.
00:44:48
And they're like, oh well, you didn't think of this, you didn't
00:44:51
think of that.
00:44:51
It's like, guys, I chose literally the top five people in
00:44:57
the industry for this.
00:44:58
What are we talking about?
00:45:00
But that's just a simple, that's one little simple thing
00:45:07
of a solution that we didn't even start evaluating at, we
00:45:10
didn't even send NDAs out yet.
00:45:12
Right, and everyone has their own opinion that they're in
00:45:16
disagreement about the solution.
00:45:18
Speaker 2: Yeah, but I think, too, something I found in my
00:45:20
career, just kind of organizationally, is and I find
00:45:24
this within the team that I work on is the ability to disagree
00:45:27
and commit.
00:45:28
So, absolutely have an opinion, absolutely, let's have a
00:45:31
disagreement and let's talk about it.
00:45:33
Let's not just disagree in silence and not discuss it.
00:45:37
But if you have a different perspective, we need to hear it.
00:45:40
We want to hear it.
00:45:41
Let's figure out where we have commonality, where we can agree.
00:45:44
But at the end of the day, as a team, we're going to make a
00:45:48
decision and I'm not going to get everything I'm going to want.
00:45:50
You're not going to get everything you're going to want,
00:45:51
but we're going to disagree and then we're going to commit
00:45:54
Because at the end of the day, our goal should be aligned.
00:45:57
And in cybersecurity, let's make it easy for users, let's make
00:46:01
our company more secure, let's find very tangible ways to
00:46:04
improve our security posture, and then let's get to work.
00:46:09
There are a lot of ways to slice the onion.
00:46:11
There's some really great ways.
00:46:13
I think.
00:46:13
There are some maybe shaky ways, but a lot of ways that people
00:46:17
are doing it.
00:46:17
So the ability to disagree but then get after the main job, I
00:46:22
think is a big part of the culture change that we're
00:46:24
looking at.
00:46:26
Speaker 1: Yeah, absolutely.
00:46:27
I think it's healthy for there to be constructive criticism or
00:46:35
everyone to have their own ideas and whatnot, but you got to
00:46:38
find that common ground and I find it more important that
00:46:42
security professionals are doing that and not just laying down
00:46:45
the hammer and saying, no, we're doing it this way for this
00:46:48
reason, or whatever you can agree on.
00:46:54
Yeah, we need data security, we need to encrypt this data in
00:46:57
the cloud, but how you do it is up for debate, and that's where
00:47:04
the debate happens.
00:47:05
That's where the discussion happens in a healthy way, of
00:47:08
course.
00:47:08
Yeah, I completely agree.
00:47:11
Yeah, yeah, definitely so, sam.
00:47:14
We're coming up on our time here and I'm very conscious of
00:47:17
everyone's time, so how about you leave my audience with,
00:47:22
maybe, where they could reach you if they wanted to reach out,
00:47:24
where they can find your company?
00:47:26
What the website is?
00:47:27
All that good information.
00:47:29
Speaker 2: Yeah, absolutely so.
00:47:30
The company I work for is Cyolo.
00:47:32
It's C-Y-O-L-O and our website is cyolo.io.
00:47:35
You can find us there and read up, see what challenges we're
00:47:41
solving and some of the things that we're doing across
00:47:43
different industries.
00:47:44
I think we've got a pretty unique and differentiated
00:47:46
solution.
00:47:47
That is.
00:47:49
It's helpful bringing people to the same table and solving our
00:47:52
common goals.
00:47:52
You can find me on LinkedIn.
00:47:54
Just search for my name, samuel J Hill.
00:47:57
I'm pretty active on LinkedIn I try to be, at least and I love
00:48:00
connecting with people, having conversations even the ones that
00:48:03
disagree, and that kind of stuff.
00:48:04
So you can find me there.
00:48:05
And, as always, I'm just really grateful for you taking some
00:48:08
time to hear from us, tim, and spend this time.
00:48:11
I really enjoyed our conversation.
00:48:12
I do a lot of podcasts.
00:48:13
Some are like pulling teeth and this has not been that, so I'm
00:48:19
grateful for you not taking me to the dentist today.
00:48:22
Speaker 1: Yeah, absolutely.
00:48:23
I tried to not make the conversation unbearable.
00:48:26
That's the worst when you're trying to force a conversation.
00:48:32
Yeah, absolutely Well, thanks Sam for coming on and I hope
00:48:39
everyone listening enjoyed this episode.