Breaking Into Cybersecurity: From ER Tech to IT Expert, Exploring the Zero Trust Framework, and the Power of Networking

1 00:00:00
Speaker 1: How's it going, sam?

00:00:00
It's really good to finally have you on the podcast here.

00:00:03
I'm really excited for our conversation today.

00:00:06
I think it'll be an interesting one.

00:00:08
Speaker 2: Joe, I'm looking forward to it as well.

00:00:09
Man, Thank you very much for including me.

00:00:12
Speaker 1: Yeah, absolutely so, sam.

00:00:14
You know I always start everyone off with telling their

00:00:17
background.

00:00:18
You know, I think it gives a lot of good context to my

00:00:21
audience, and my audience is coming from, you know, many

00:00:24
different backgrounds.

00:00:25
So I know some of them are wondering right, how is there a

00:00:29
space for me in IT?

00:00:30
Is there a space for me in security?

00:00:31
And they may be coming from a non-technical based background.

00:00:36
So what's?

00:00:37
Speaker 2: your story.

00:00:38
You know I originally my first adult job.

00:00:41
You know you have your high school jobs I.

00:00:43
Then you get into the real world and I worked in a hospital

00:00:47
.

00:00:47
I was an emergency room technician for well seven and a

00:00:50
half years and a couple different hospitals and did a

00:00:54
lot of you know, crazy stuff, a lot of great stories.

00:00:57
I usually like to say they're better told over adult beverages

00:00:59
, so we'll spare your listeners that conversation today.

00:01:03
But I got into technology and cybersecurity kind of, you know,

00:01:07
through different relationships that I had and found doors that

00:01:11
opened and walked through them and really fell in love with the

00:01:14
space.

00:01:14
I think you know, for anyone who's listening that's looking

00:01:17
forward to a career in technology or in cybersecurity,

00:01:21
please, please, join up.

00:01:22
We need your help.

00:01:24
We need your specific background.

00:01:25
Everybody's bringing their own unique point of view and

00:01:29
perspective and the more diversity I have, we think,

00:01:32
looking at these problems that we're all facing, every company

00:01:34
is facing, the better off we're going to be.

00:01:36
There's a lot of great experience that is coming from

00:01:40
outside of the tech and cyber world that I think is really

00:01:44
necessary, really needed today.

00:01:48
Speaker 1: Yeah, wow, that's a very interesting background.

00:01:50
I mean, what made you go from being an ER tech into, you know,

00:01:55
this crazy world of security?

00:01:57
Speaker 2: You know I mean the real answer is I was working on

00:01:59
the front lines of healthcare, you know, 40 plus hours a week

00:02:04
and unfortunately it does not pay super great.

00:02:07
We will divert away from that conversation because I think

00:02:11
that's a big structural conversation there.

00:02:13
However, you know, my family was growing and I needed a way

00:02:16
to provide for them and, again, I had mentors and people that I

00:02:19
knew that kind of connected me to different places and ended up

00:02:22
getting different jobs.

00:02:23
And it wasn't that I sought out to end up in cybersecurity, it

00:02:27
just kind of happened.

00:02:28
That was just the path that unfolded before me in my career

00:02:32
and I kind of found hey, I haven't a fit any for it.

00:02:35
I have a.

00:02:35
I like to communicate and I like to solve big problems.

00:02:39
I like to take big, complex ideas and help make them very

00:02:41
simple to understand, and it just kind of felt like a good

00:02:45
fit and it's been a lot of fun ever since.

00:02:47
It's kind of one of those things you realize how much you

00:02:49
enjoy it once you start doing it , if that makes any sense at all

00:02:53
.

00:02:54
Speaker 1: Yeah, I think that makes a lot of sense.

00:02:56
You know, was there any skills that you learned as a ER tech

00:03:01
that kind of translated into the world of security or your

00:03:05
current role?

00:03:06
Speaker 2: You know, in the emergency room every day is

00:03:11
different in a lot of ways, and I think that's very appropriate

00:03:14
for a security role, because every day is going to be

00:03:17
different.

00:03:17
Now there are some big pieces that are roughly the same and

00:03:21
you know, some nights we would have would be like out tonight's

00:03:23
the chest pain night Everyone that's coming in has a chief

00:03:25
complaint of chest pain and you would notice little themes.

00:03:29
And if you've ever worked in a hospital, the full moon is a

00:03:33
real phenomenon.

00:03:34
Obviously it happens every 28 days.

00:03:36
We know that, but it does somehow impact emergency

00:03:40
services.

00:03:42
Weird stuff happened on full moon, so you knew that happening

00:03:44
, but it was always different.

00:03:46
There was, there was a uniqueness to what it is that

00:03:48
you were doing and you never really knew the challenge that

00:03:52
you would be facing until you showed up for your shift.

00:03:54
And so, similarly, in the cyber security world, you don't

00:03:57
really know what's going to happen.

00:03:59
You can have some good ideas.

00:04:00
You obviously things happen cyclically.

00:04:02
You know big pieces, but you have to adapt, you have to

00:04:06
overcome, you have to innovate, you have to change and continue

00:04:09
trying and growing, and so I think some of those, those

00:04:12
skills, have transferred over.

00:04:14
Speaker 1: Huh, yeah, that's, that's really interesting.

00:04:17
You know, recently I ran into a situation where I was on a call

00:04:21
just trying to get teams to, you know, resolve

00:04:25
vulnerabilities in the cloud right, just kind of make our

00:04:28
environment more secure Basic things that I figured you know

00:04:32
everyone would kind of be on board with, especially because

00:04:34
this isn't our first meeting, and you know they had a huge

00:04:39
problem with it, like completely through a wrench in my entire

00:04:43
day.

00:04:43
It was like man, like why did they?

00:04:44
Why did they give me so many issues about it?

00:04:47
Like I had to go hear a backstory and, you know, get

00:04:50
some background on the on the issue and whatnot, because it

00:04:53
was just it was throwing me off by so much.

00:04:57
And now here I am revamping the entire process, creating custom

00:05:01
reports and all this other stuff to help out the teams, right,

00:05:05
and you know I'm a, I'm a security engineer right.

00:05:08
At the end of the day I don't necessarily, you know, need to

00:05:13
do that or spend my time on it or whatnot, but it's different.

00:05:16
You know, every day is different.

00:05:18
The day before that I was talking about, you know,

00:05:21
securing a firewall right, or securing a network right.

00:05:25
Speaker 2: Right right.

00:05:28
Speaker 1: I think that's what.

00:05:29
That's what keeps you know myself, and you know people like

00:05:33
yourself keep coming back right , Because it's always different.

00:05:36
Speaker 2: Yeah, well, and again , you have to adapt and overcome

00:05:38
, like you, something that is obvious to you hey,

00:05:41
vulnerabilities and cloud applications or cloud access,

00:05:44
like, yeah, we should probably do something about it and we can

00:05:47
right, like, there's things you can do to solve for that.

00:05:50
It should be a no brainer, but unfortunately there are others

00:05:53
that they do not see the world the same way that you do.

00:05:55
It does not make them wrong, bad or or terrible, it's just

00:06:00
now.

00:06:00
You have to adapt and overcome and make sure that you're giving

00:06:02
them the information that they need.

00:06:03
And you're right, it does, it keeps you, keeps you fresh, it

00:06:06
keeps you moving, gives you something to talk about with

00:06:09
your family at the end of the day, that they just will not

00:06:11
understand.

00:06:11
And it just it does, it keeps, it, keeps it going.

00:06:16
Speaker 1: Yeah, absolutely so.

00:06:18
You know your transition into security.

00:06:21
You know how did you manage the learning curve of security that

00:06:25
you know we have.

00:06:27
That's a mate right that everyone has to go through, no

00:06:29
matter what Right.

00:06:30
How did, how did you tackle that?

00:06:32
How long did it take you to feel, you know, actually like

00:06:36
comfortable in the role in the industry?

00:06:39
Speaker 2: I looked at it.

00:06:40
I had some really fantastic mentors and people that helped

00:06:43
me along and I think, if you can hit your, hit your wagon to

00:06:47
those people that know what they're talking about.

00:06:49
One of my first jobs when I got into technology was as a sales

00:06:53
person.

00:06:53
I was a sales sales manager for , for a technology company and I

00:06:59
had a just world class engineer that I worked with.

00:07:02
I mean, this man was incredibly smart and every opportunity I

00:07:06
got I would pick his brain and ask him questions or we'd walk

00:07:09
out of a meeting and help me understand why that's a big deal

00:07:11
to this client, that, why is their system like this?

00:07:14
Or kind of getting into the, into the weeds of it.

00:07:17
And the other piece I think is having a very broad knowledge

00:07:22
about a lot of things I think is actually very useful.

00:07:24
I think there's a there's a rush to hyper specialize in

00:07:27
security and in technology in general and I don't know that

00:07:30
that's it's.

00:07:32
It's needed.

00:07:32
Obviously we have to have specific experts and domain

00:07:34
expertise, but I think having a broad knowledge, being able to

00:07:38
articulate what it is you know what's the difference between a

00:07:41
SIM and a SOAR, what's the difference in an XDR versus, you

00:07:45
know, a VM scanner, being able to understand kind of the, the

00:07:50
building blocks of the functional pieces that go into

00:07:53
kind of a defense in depth posture, I think then gives you

00:07:56
you can ask great questions and better questions that continue

00:07:59
to expand your learning and knowledge.

00:08:01
And so I just I just went as wide as I possibly could quickly

00:08:05
and ask and then just continue to ask questions from there.

00:08:10
Speaker 1: Yeah, you bring up a really good point.

00:08:11
You know I I talk to a lot of people that are trying to get

00:08:14
their start right and the the biggest question that I get is

00:08:20
you know, what do I specialize in?

00:08:21
What should I learn?

00:08:22
You know the best and all this sort of stuff, and this has come

00:08:25
from people that have little to no experience.

00:08:29
And I started my career in a very dynamic role.

00:08:33
You know, I learned across probably six or seven different

00:08:37
domains of security.

00:08:39
I managed those technologies all at the same time while I was

00:08:42
learning them, and that's really you know where I cut my teeth,

00:08:47
so to speak, and that's where I, like, made the most progress,

00:08:51
because when you pigeonhole yourself, right, it's kind of

00:08:54
assuming that you have those building blocks.

00:08:56
You know, like now I'm in cloud security, right, and people

00:08:59
would think that, oh yeah, you're specialized in the cloud

00:09:03
and whatnot and you know everything in the cloud, right,

00:09:06
which is true, but a part of that is also knowing data

00:09:10
security and endpoint security.

00:09:12
And you know where I learned endpoint security is in that

00:09:14
role where I did eight different things, right, because I

00:09:17
specialized in it.

00:09:18
You know, learning how to get logs out of the cloud or maybe

00:09:21
keeping them in the cloud and doing a sim around it and doing

00:09:25
some threat, you know, analyst stuff around it.

00:09:28
Like I learned all of that because I was doing a bunch of

00:09:31
different things and all of that is a part of cloud security,

00:09:35
right?

00:09:35
Like I would not be in cloud security if I did not have that

00:09:38
experience.

00:09:39
Speaker 2: Oh, it's out of percent and I think, like I

00:09:42
think there's a lot that happens in the job market, especially

00:09:44
for cybersecurity professionals, where we expect a lot out of

00:09:48
people that are getting started, and I think we have to change

00:09:51
that mentality very quickly.

00:09:53
On the job training is really some of the best that you can.

00:09:57
I mean, you've probably worked in roles where you've hired a

00:09:58
new person and they may have, you know, they have all the

00:10:02
intangibles that you're looking for.

00:10:03
You know good work ethic, they get along with the team well,

00:10:05
they have an ability to learn, but they don't necessarily.

00:10:09
Even if they come in with good certifications, you're still

00:10:12
going to have to teach them your processes, your tools.

00:10:15
You know, maybe they specialized when learned on one

00:10:18
tool, but you're actually using a competitor.

00:10:20
There's still a lot of on the job training that's already

00:10:22
happening.

00:10:22
That needs to happen.

00:10:23
So why not accept people that have maybe a little less

00:10:26
certification, a little different background?

00:10:29
You're going to teach them anyways.

00:10:30
Might as well, bring folks in and get them started.

00:10:34
Last I checked, we have a severe shortage of cybersecurity

00:10:38
professionals and so if we can just maybe widen our reach just

00:10:42
a little bit, bring folks in, let them get started.

00:10:45
Let them learn, pair them with competent mentors who have been

00:10:48
around the block a little bit, and then let's see what happens.

00:10:53
Speaker 1: Yeah, you know, I feel like that security shortage

00:10:56
is almost self-imposed, you know, because it one.

00:11:01
It doesn't make sense because there's so many applicants, for

00:11:04
you know, every job, I mean, even if you just go on LinkedIn,

00:11:07
you can see how many people have applied.

00:11:09
The biggest issue that I ran into, even personally when I was

00:11:13
getting into security, was, you know, I had my security plus, I

00:11:17
was getting my masters in cybersecurity, but people would

00:11:20
get hung up on the fact that, oh , I didn't have experience with

00:11:23
with Splunk, right?

00:11:25
Well, splunk is like $10 a minute.

00:11:27
How am I going to pay for that?

00:11:30
Like, do you want to tell me how I can pay for that?

00:11:32
You know?

00:11:32
And then, even when they had a free version of it and I

00:11:36
deployed it in my home lab and did everything with it, right?

00:11:41
People still didn't accept that.

00:11:42
They're like, oh well, it's different from enterprise.

00:11:44
Okay, like, what do you want me to do?

00:11:47
Like, I can't.

00:11:48
I can't go buy carbon black, right?

00:11:50
I can't go buy bit nine, I can't go buy any of these

00:11:53
solutions.

00:11:54
You know, I'm a poor college graduate trying to get into this

00:11:58
industry.

00:12:00
Speaker 2: Because so you hire somebody?

00:12:01
Oh, they came from a Q radar background, like they're not

00:12:03
using Splunk, but they came from wait.

00:12:05
Good, great, if you're gonna have to teach them Splunk

00:12:07
anyways, see, might as well take something that has an aptitude,

00:12:09
a willingness to learn, a good attitude, a work ethic.

00:12:13
You know skills that are really the intangibles that go a lot

00:12:16
further in the cybersecurity market.

00:12:18
Then, oh, you know how to input fields and edit data tables in

00:12:22
Splunk.

00:12:22
Or you know here's how you import X.

00:12:24
Good grief, like we got a you're right, self-inflicted

00:12:28
wounds here.

00:12:28
But you think about it too, like you know, I think would make

00:12:31
fantastic cybersecurity engineers or people, folks

00:12:35
coming out of the service industry.

00:12:36
I mean, you want to talk about high pressure, high volume,

00:12:40
crazy work.

00:12:40
You know, talk to a server who's got 10 tables, all of them

00:12:44
who are needing certain things and they're running around

00:12:48
trying to make sure they're all taken care of.

00:12:49
Okay, do they have cybersecurity experience?

00:12:51
No, but do they have a great attitude?

00:12:54
Do they know how to do customer service?

00:12:55
Can they learn?

00:12:56
Do they work quickly?

00:12:57
Are they personable?

00:12:58
Like those skills will go a lot further in a cybersecurity team

00:13:03
role than you know.

00:13:04
Your CISSP, perhaps not saying that's not important, please

00:13:08
don't miss here.

00:13:09
I'm not saying that's not important.

00:13:10
Please train, learn, get certifications, advance, do all

00:13:14
those things, but folks getting started off, I think it's far

00:13:17
more important to have some of the intangibles.

00:13:19
Speaker 1: Oh for sure.

00:13:20
I mean, there's no debating that in my mind.

00:13:22
Even you know, like the certifications are great they,

00:13:26
but they're they should be used to validate the knowledge that

00:13:29
you have not.

00:13:30
Not, you know, gain more knowledge necessarily and rely

00:13:34
on that to get a job or anything like that.

00:13:36
Like you know, they're really just validating the knowledge

00:13:39
that you have and it's okay to build up that knowledge while

00:13:41
you're studying for the cert.

00:13:42
But if you're, you know, a server trying to get your CISSP,

00:13:46
it's like okay, well, you're not even in the industry,

00:13:48
they're not going to issue it.

00:13:50
You know, and I always recommend to people you know that want to

00:13:54
get into security get into help desk first.

00:13:57
You know, because in help desk depending at least depending on

00:14:00
the company, you know, you could pick up the phone and someone

00:14:04
is just automatically yelling at you right off the bat.

00:14:07
Right, that's a high stress situation for me, you know,

00:14:10
until I got used to it, I mean that was that was like panic

00:14:13
attacks and whatnot, Like I'd have to get off the call, go for

00:14:16
a walk, try to de-stress somehow, you know, and go back

00:14:19
to my desk and lo and behold, you know, the same person is

00:14:22
calling me back with a new issue and they're just as angry, if

00:14:25
not angrier.

00:14:26
You know and I got to deal with that right and that those are

00:14:29
skill sets that you only learn in those types of jobs.

00:14:32
You know same thing with you know servers and really anyone

00:14:35
in the service industry.

00:14:36
You're having to deal with other people and it's such a

00:14:41
such a wide variable of what could be happening right Like

00:14:45
I've been on calls when you know someone.

00:14:48
Someone told me that they were going to like a, like a

00:14:52
Renaissance fair or like a.

00:14:54
It was like a medieval convention right, where everyone

00:14:58
like dresses up in, you know, the clothing of that time period

00:15:03
those jobs for like a week and whatnot.

00:15:06
And I couldn't believe that this person was telling me this

00:15:10
right and at the time you know I'm very early on in my career I

00:15:13
mean I just I couldn't believe Right like how she was talking

00:15:18
about how she's going to be churning butter right for the

00:15:21
next week and how she's so excited for it.

00:15:24
And it was so extraordinarily difficult for me to not laugh on

00:15:28
the phone and I couldn't.

00:15:29
I couldn't mute myself Because this is an active conversation.

00:15:33
I was supposed to be actively troubleshooting her issues.

00:15:36
It was the most complex like situation you know that you

00:15:41
could imagine, because it's like okay, I got a zone her out, I

00:15:45
need to focus on this problem, relay information back, try to

00:15:48
zone her out more.

00:15:49
And it didn't help that I had several other colleagues on the

00:15:52
call too, because I was the escalation point and they were

00:15:55
all a muted laughing like you know I could see them.

00:15:59
I was just like guys, walk away .

00:16:02
Yeah, you know.

00:16:04
Speaker 2: But what a great scope.

00:16:05
In a cybersecurity right, like if you're dealing with an

00:16:07
incident, there's a lot of noise .

00:16:09
You have to tune it out, focus, parse, look, just describe,

00:16:15
report out.

00:16:15
I mean think of any tabletop or any incident that you've ever

00:16:18
ran or been a part of.

00:16:19
That is essential skills.

00:16:22
I mean you know your, your certifications are less

00:16:25
important than your ability to prioritize, focus, report, get

00:16:31
feedback, work with a wider team and and really get it solved.

00:16:35
So I mean I think I love how you're thinking about this.

00:16:38
This is, this is a fantastic conversation.

00:16:41
Speaker 1: Yeah, absolutely.

00:16:42
You know that's another thing.

00:16:44
You know that that people don't really understand right.

00:16:49
I'll give you an example.

00:16:51
A Little bit earlier out of my security career there was a

00:16:54
major incident, but the giant incident, where this solution

00:16:58
basically rotated 40 accounts In the environment one.

00:17:03
It wasn't even configured to rotate all those accounts, it

00:17:07
was only rotating, supposed to rotate, you know, like 2 or

00:17:10
3, whatever might have been.

00:17:12
A Bug occurred in the system and it rotated everything all at

00:17:16
once.

00:17:16
You know we came within Maybe six or 12 devices or accounts of

00:17:22
being locked out of the entire environment and having to call.

00:17:25
Microsoft Dang.

00:17:27
That that's literally the situation.

00:17:29
So in the midst of that, I'm not only directing traffic, I'm

00:17:33
not only getting, you know, my team to get the right people in

00:17:36
the organization because they, they're all new, they're brand

00:17:39
new in security.

00:17:40
They have no clue what's going on.

00:17:42
They assume everyone's getting fired at the end of the day.

00:17:46
Right, I assumed I was getting fired at the end of the day, but

00:17:48
I knew I had to keep working.

00:17:50
Yep, you know, and in that situation you have to zone in,

00:17:55
and then you know I would hear my manager's voice.

00:17:57
You know, give me an update.

00:17:58
It's like give me five minutes.

00:18:00
Like that's your update.

00:18:00
Give me five minutes and then I'll have an update.

00:18:02
And you know, five minutes later I would chime in to him

00:18:06
like on the call, just cut everyone off, be like this is

00:18:08
the status, this is what's going on, is what I'm doing next.

00:18:11
You know, and yeah, like go right down the line of, then

00:18:14
he's managing traffic upwards and sideways and then my team is

00:18:18
managing traffic to all other.

00:18:19
You know technical people, but if I didn't have the ability to

00:18:24
slow down, Right and identify.

00:18:27
Okay, this is a major issue right now.

00:18:28
We need to waste no more time on anything else.

00:18:31
Everyone needs to drop everything Right then I spent 30

00:18:34
seconds and just directed traffic like you're in charge of

00:18:37
this.

00:18:37
You're in charge of this, you go, handle this.

00:18:39
You know, if I didn't do that, that incident would have been

00:18:44
much more severe because I had to have someone Go to very

00:18:47
specific people in the company and say you know, don't log off.

00:18:51
Like, you need to say logged in , no matter what if it says you

00:18:55
know, change your password, do not change your password.

00:18:57
You know all those different things.

00:19:00
If I didn't protect the company like that, we would have been a

00:19:03
news story on CNN within a couple hours.

00:19:05
You know, right that would not have been.

00:19:07
Speaker 2: Good, yeah, no joke, yeah, that would have been that.

00:19:10
That's not the kind of thing you want your name tied to.

00:19:14
Speaker 1: Yeah, yeah, that would not.

00:19:15
That's a good way to end a career before it starts, you

00:19:19
know.

00:19:19
Yeah, so you know, sam talked to me about your current role,

00:19:27
your current company.

00:19:28
What are, what are you doing now?

00:19:30
What are you guys specializing in?

00:19:32
What services do you provide?

00:19:34
Speaker 2: So I work as the director of product marketing

00:19:37
for a company called C O O Security and it's CY OLO.

00:19:41
It's because you only live once and we focus on those

00:19:45
situations and scenarios where user access Could cause enormous

00:19:50
damage to the business and you've been a part of incidents,

00:19:53
right?

00:19:53
You just described on so well like this was an enormous

00:19:56
Problem to the business.

00:19:57
Something went wrong and the entire team is now responding to

00:20:01
try and get it fixed, and we find that there are usually

00:20:05
Things that could happen.

00:20:06
You know, here's a good example .

00:20:08
If you are a company that manufactures cookies, you have

00:20:12
assembly lines and product lines and all sorts of things.

00:20:14
They have all these machines that are mixing and making it.

00:20:18
Just the complexity is enormous .

00:20:20
If that cookie production line shuts down for 30 seconds,

00:20:25
you're losing money.

00:20:26
60 seconds a lot more money.

00:20:28
A minute, you know two, three, five, ten, twenty minutes Any

00:20:32
amount of time that that production line is not working

00:20:34
is enormous damage to the business.

00:20:36
To make that more complex, those devices are usually

00:20:42
Maintained or have service contracts with the company that

00:20:45
made the device and they have remote technicians that will,

00:20:49
you know, use of Some phone line or VPN or some tunnel to get

00:20:54
into the system to talk to that device and now all of a sudden

00:20:58
we're risking the shutdown of the cash production engine of

00:21:03
the company.

00:21:04
So user access could cause enormous damage to the business.

00:21:07
We're specialists in that and so we perform a high level of

00:21:11
authorization, or basically got to identify every user, make

00:21:15
sure that they're authorized to only very specific, very limited

00:21:18
things that they should be accessing and working with, and

00:21:21
then keeping all of the Logs and reporting.

00:21:23
If that sounds familiar, it should.

00:21:25
It's.

00:21:25
Frankly, it's the summation of the zero trust framework.

00:21:28
We want to make sure we identify every user and know exactly who

00:21:31
they are and they're not some generic, you know account.

00:21:34
We want to make sure we have a very fine-grain limitation, what

00:21:38
it is that they are allowed to access.

00:21:40
We like to think of it as, instead of building out the

00:21:42
denialists you know, if you go through a firewall or you have

00:21:44
all the denialists, you have your ACLs and all that kind of

00:21:47
stuff let's build out an allow list, and that's gonna be a lot

00:21:51
smaller.

00:21:51
Let's build the allow list instead of the denialist so that

00:21:54
they only can access the specific tools or resources they

00:21:57
need to do their job.

00:21:58
And then, finally, we got to make sure we monitor everything.

00:22:01
All the reporting, all the logging, all of the data from

00:22:06
these connections should be, should be available and should

00:22:09
be able to be scrutinized for all the different purposes, and

00:22:12
so that's what seal it, as we specialize in high risk access.

00:22:18
Speaker 1: Yeah, that that is.

00:22:19
You know, that's an aspect that I feel Is often overlooked a

00:22:26
lot of the times in organizations, you know can.

00:22:30
Can I ask you this what was this, the?

00:22:33
Was this product, this solution , was this the bread and butter

00:22:37
of what the company was kind of founded on and created for, or

00:22:40
was it kind of bolted on?

00:22:41
And I?

00:22:41
I ask this because, as a security professional, I can

00:22:48
tell right, within probably 30 minutes of working with a

00:22:51
solution of, if this is a conglomerate of 10 other

00:22:55
solutions kind of bolted together with some really strong

00:22:58
duct tape, right, or if this was, you know, solely built for

00:23:02
this solution.

00:23:05
Speaker 2: Yeah, so I would.

00:23:06
I would like to argue that it we did build it purposefully for

00:23:09
this, because our founder Is a former CISO, the chief

00:23:12
information security officer.

00:23:13
He was the first CISO of the Israeli Navy word, israeli

00:23:18
company, wow and so he had all the weapon systems and IT

00:23:21
systems and all the things that were, you know, in the Navy, and

00:23:24
that was his, that was his role in the in the Navy.

00:23:26
So then after that, he transitioned into private

00:23:30
industry and worked for a global manufacturing company when he

00:23:34
had users that were in a non-friendly country, that were

00:23:37
contracting with his, with his current company, that needed to

00:23:42
access critical pieces of data or lines or whatever it was.

00:23:45
These users were also contracting with their

00:23:50
competitors and you think about like what a mess, right, like

00:23:52
you have these people that are Not friendly and could shut your

00:23:54
business down.

00:23:55
So how do you build security for that environment?

00:24:01
And that was the genesis of the CIO lo solution Building it for

00:24:07
again, these situations where we have to users that need to

00:24:09
connect to applications or resources, and then the policies

00:24:10
that connect all of that together.

00:24:13
So he partnered with a couple of guys he knew that were

00:24:17
ethical hackers at large companies, and so it's really

00:24:20
fun.

00:24:20
We get into like these, like company meetings, and we'll have

00:24:23
, like you know, the CISO perspective with our, with our

00:24:25
founder, one of our founders.

00:24:26
Then the other two founders are like arguing from like the

00:24:29
hacker perspective, like I'm going to break in this way, and

00:24:31
he's like, no, we're going to block you this way.

00:24:33
So it's just really fun, like dichotomy, which is very healthy

00:24:36
, I think, in a security tool.

00:24:38
And so no, it was purpose built for solving those specific

00:24:43
issues.

00:24:44
Speaker 1: That's perfect.

00:24:45
You know, I, I, I worked with a other solution, Um, that you

00:24:50
know.

00:24:50
To be completely honest, I wouldn't even consider them a

00:24:52
competitor I know you guys probably do, Unfortunately, I

00:24:56
have that experience with them, Um but it was just so miserable

00:25:01
when I got to that section of their product, Because you know

00:25:05
that there's like 10 other things that this tool does right

00:25:08
.

00:25:08
This is one of 10, look, quite literally one of 10.

00:25:11
And you know, building that out , deploying applications into it

00:25:16
, like deploying servers and endpoints into it, it was

00:25:20
terrible.

00:25:20
I, it was absolutely terrible.

00:25:23
It was the worst experience I've ever had doing security.

00:25:26
I hope to never touch that solution again, Like literally,

00:25:29
when I'm interviewing, I asked them do you have?

00:25:32
Speaker 2: this solution in your environment.

00:25:34
Speaker 1: And if they say yes, I'm like, all right, I'm sorry,

00:25:37
I just I won't work in an environment that has that

00:25:40
solution.

00:25:41
Speaker 2: Cause as soon as they find out right.

00:25:44
Speaker 1: Cause, as soon as they find out that I have

00:25:46
experience, they're like oh, you're the SME, like you got it.

00:25:49
Like oh, I do not want that job ever again.

00:25:54
Speaker 2: Unfortunately, that's a reality, right, like,

00:25:55
security tools can be hard on security teams and that's that

00:26:00
shouldn't be the case.

00:26:01
So you guys already overworked, you have more on your plate

00:26:04
than really should be there.

00:26:06
We talked about the shortage of people that are working in

00:26:08
these roles, so you don't have enough human power to get after

00:26:12
the job.

00:26:12
Um, but the other side is, security tools should be easy

00:26:15
for end users to also use.

00:26:17
Like the best security tools are the ones that end users

00:26:20
comply with.

00:26:21
Like you can sit there and have the greatest thing and all the

00:26:25
policies are so beautiful and you know, everything's just, oh,

00:26:28
it's amazing.

00:26:28
But these users, like, they're not malicious, they're smart,

00:26:33
they, they will get around whatever you have in place If it

00:26:36
is blocking them from easily doing their job.

00:26:39
I think of one client that I knew of.

00:26:40
They had, um, there was a research institution where their

00:26:44
principal investigators you know the women and men who are

00:26:46
doing high level, advancing humanity style research was they

00:26:50
were sending trial data over iCloud because, right, and I

00:26:56
know let's maybe not do that, right, that's not very, that's

00:27:00
not secure.

00:27:00
Just in case you're listening, icloud has got a lot of great

00:27:03
features.

00:27:03
That's not one use case that it should handle.

00:27:07
We should not purpose bill for that.

00:27:08
Right, there are other ways to do it, but it was not easy.

00:27:12
It was not something that these again, these people are experts

00:27:16
and they're field of research, not cybersecurity, so they don't

00:27:20
think of.

00:27:20
I got to keep this data safe and secure.

00:27:22
They're thinking I have to collaborate with my colleague

00:27:25
over here because they need to look at this and we need to

00:27:27
discuss and we need to, you know , publish, um, so those are the

00:27:32
realities.

00:27:32
Like the tools have to be fundamentally workable for

00:27:36
cybersecurity professionals, cause if you're going to, if you

00:27:38
have to open a support ticket every time you want to add

00:27:41
something or change something, like that is just a waste of

00:27:44
your time.

00:27:44
And if a user is just going to get around it because it's not

00:27:48
supporting their existing workflows, also a waste of the

00:27:51
cybersecurity team's time, cause they have deadlines, just like

00:27:54
we do.

00:27:54
They have big projects and big meetings and their bosses are

00:27:58
putting pressure on them to get stuff done, just like the cyber

00:28:01
teams are.

00:28:01
It's not that different.

00:28:03
They're not malicious, they're just trying to get their work

00:28:06
done.

00:28:07
Speaker 1: Yeah, it's a really good point.

00:28:08
You know it's, um, it's interesting being in security,

00:28:12
right?

00:28:12
Because we have a different mindset from everyone else.

00:28:15
Um, most of the time at least, you know, we have the mindset of

00:28:19
how do I break this, how do I get around this, how do I do

00:28:22
this, right?

00:28:23
And then you know there's a group of us that say, okay,

00:28:26
let's do it.

00:28:26
And then there's a hopefully a much larger group that says how

00:28:30
do we protect against it?

00:28:31
You know, um, like I recall earlier out of my career where

00:28:36
my manager basically said, oh, this solution is going to, you

00:28:39
know, block all data exfiltration.

00:28:41
You know you'll, well, no one will ever get around this thing

00:28:45
and whatnot.

00:28:47
Speaker 2: And I was like, okay, like I took that as a personal

00:28:50
challenge because I knew Hold my beer, let's go.

00:28:52
Yeah, yeah, right.

00:28:53
Speaker 1: I knew he didn't know the solution that well and I

00:28:56
knew that he also didn't know the technical implications

00:28:57
behind it and whatnot.

00:28:58
And so, literally 30 minutes later, I pull up my computer and

00:29:04
I called them over and I said, hey, like you know that

00:29:07
expensive solution that we just spent a couple million dollars

00:29:10
on, yeah, I want to show you how I just got around it and you

00:29:13
can go check and see if there's any alerts on my device.

00:29:15
Yeah, and like I showed him, he goes what?

00:29:18
Like?

00:29:19
Who's even going to think like this?

00:29:21
I'm like, if this messes with someone's productivity, they are

00:29:25
going to find a way to do it.

00:29:26
This is a Google search away.

00:29:27
That's all that.

00:29:29
Speaker 2: This is yeah.

00:29:30
No, it's a hundred percent right Cause, again, you're just

00:29:31
trying to do your job.

00:29:32
If you're an end user, you're not thinking about, you know a

00:29:36
lot of things other than I got work to do, or you're you know I

00:29:39
got to get home to my family or you know whatever.

00:29:41
That is like, the pressures of everyday life.

00:29:44
That's what's exploitable.

00:29:45
And really the human element is by far the weakest link in the

00:29:52
cybersecurity chain.

00:29:52
It is easily the most sensitive .

00:29:55
We like to say around here at COLO like hackers, don't break

00:29:59
in.

00:29:59
They log in because it's so easy to compromise credentials.

00:30:03
There are so many attack vectors that are literally

00:30:07
causing users to be compromised.

00:30:09
And then now they have a, they have access.

00:30:12
So controlling and managing that access is hyper critical

00:30:18
and it gets more critical.

00:30:18
The more sensitive, the more impactful to the business, the

00:30:23
the thing the user has access to .

00:30:25
Yeah.

00:30:27
Speaker 1: You know you bring up an interesting point.

00:30:29
You know I have a policy where I don't click on links, right

00:30:34
Fair.

00:30:34
I don't care if you send them to me on my work device, On my

00:30:37
personal device, it doesn't matter to me.

00:30:38
If you want me to click on it, you better message me or tell me

00:30:42
, you know, in another way, saying like hey, I just sent you

00:30:45
this.

00:30:46
You should probably click on it .

00:30:47
Speaker 2: We're doing MFA for links, is what you're doing

00:30:49
really, you're multi-factor, authenticating that the link is

00:30:51
legitimate.

00:30:52
Yeah, that's fantastic.

00:30:54
Yeah, yeah.

00:30:56
Speaker 1: You know, I did a training course this past

00:30:59
weekend and I expected I had to sign a like a liability waiver

00:31:03
or whatever it was, which is fine, but I never got it Right.

00:31:06
So I show up to this course and they're like, hey, you never

00:31:09
signed your waiver.

00:31:09
I was like, okay, well, I never got it.

00:31:11
And they're like, oh, we texted it to you.

00:31:13
I was like, okay, so, from a number that I do not know, just

00:31:16
texted me a link and that's literally the only thing that

00:31:19
they sent me.

00:31:20
They only sent me a link.

00:31:22
Like, dude, you know what I do for a living, I am not clicking

00:31:26
on that thing.

00:31:28
I literally, I literally looked at the message and I was like

00:31:30
not today, say it in, and I deleted the message.

00:31:35
Exactly yeah, Like come on yeah .

00:31:37
Speaker 2: You've got to be better than that.

00:31:38
That's, I mean.

00:31:39
That's, yeah, I mean.

00:31:40
Unfortunately, the fishing and the smishing and all that stuff

00:31:44
is getting better and so they're , you know, sending a single

00:31:46
link from a number.

00:31:47
You don't know.

00:31:47
Maybe that actually would be considered more legitimate now,

00:31:51
because they're actually getting a little bit better and, you

00:31:55
know, the conversational AI is getting better at writing stuff

00:31:57
that makes sense.

00:31:57
But yeah, I still get a lot of great text messages, a lot of

00:32:00
great text messages from my CEO, because he's in a meeting and

00:32:04
he needs me to reply right away.

00:32:05
And, um, yeah, those immediately get filed in the

00:32:11
dumpster.

00:32:11
Yeah, it was really interesting .

00:32:13
Speaker 1: You know, I went to Germany last year and before

00:32:17
Germany I was talking to someone that I'm, I'm a, I'm a part of

00:32:21
this advisory board and I was talking to the CEO of this board

00:32:24
about potentially coming to France to go and do a talk and

00:32:26
whatnot, right, but we never really nailed it down, so I

00:32:30
never did the talk, and so it looked exactly like him, like

00:32:34
his number was 100% spoofed.

00:32:35
It came up in my phone as him because I have his number saved

00:32:39
Yep, Yep.

00:32:39
And he said, like you know, hey , are you available?

00:32:42
You know, I have something I need you to do.

00:32:44
Okay, whatever You're like, I'll, I'll handle it.

00:32:46
I was at the bar at the time of all places, right, um, in

00:32:50
Germany, because that's what you do, absolutely yeah.

00:32:53
And and I'm not sure if you're- going to be able to do that.

00:32:57
The next message that he sends is I need, like you know, 30

00:33:00
gift cards.

00:33:01
I'm like, all right.

00:33:02
Speaker 2: I get it now.

00:33:03
Yeah, I see this.

00:33:03
All right, I've seen this one before, yeah, but I, I mean it's

00:33:11
so, it's so easy for the criminals to do things that

00:33:16
users would trust.

00:33:17
I mean, if I got a number of a text from someone that is in my

00:33:20
contact list that I know that I've I've communicated with

00:33:23
before and they said, hey, you know, can you help me out with

00:33:26
something?

00:33:26
Of course I'm going to be more responsive to that.

00:33:29
Um, you know, I don't answer my phone if it's not a number

00:33:32
that's really saved in my contacts, because it's either

00:33:35
someone trying to sell me something or or or worse, and

00:33:38
but it's so it's so easy for that to be done today that

00:33:42
really, cybersecurity has to evolve away from like we got to

00:33:46
take a little bit of the burden off of users because you know,

00:33:50
at the end of the day, like again, they're busy, they got

00:33:52
projects, they got jobs, they got things they're worried about

00:33:54
that are outside of what we're concerned with.

00:33:57
So we have to take the control a little bit away from them or

00:34:00
not rely on them because, okay, great, so you did a phishing

00:34:03
training, you got everybody enrolled in that, and that's

00:34:06
fantastic.

00:34:06
You should do that, absolutely should do that.

00:34:07
But you went from 10% compliance, you know, or 10%

00:34:12
click the link, to 4% that click the link Celebrate as a big win

00:34:17
.

00:34:17
That's amazing.

00:34:17
You still have 4% of your company that are clicking bad

00:34:20
links, like that's still a problem that is not fully gone

00:34:25
away.

00:34:25
So if we can take the security from that, the users need to do

00:34:29
something or be good to.

00:34:31
Our tools are going to account for the fact that the user is

00:34:35
not going to be right 100% of the time and it's going to build

00:34:38
those layers of control and compensation into the access

00:34:43
that they're being given.

00:34:43
You know, obviously access should be different if they're

00:34:46
working from home than if they're working in the office or

00:34:49
if they're somebody that's not a part of your company but it's

00:34:51
a third party or a contractor, whomever.

00:34:53
You should have a lot of different levels and we should

00:34:57
have a lot of different ways to validate.

00:35:00
One of the other things that happens a lot in companies is

00:35:02
they'll have like okay, so say it's like one like file server

00:35:06
or something, to get into that file server.

00:35:08
There's one username and one password and there's 100 people

00:35:12
that are logging into that file server because it's got

00:35:14
something that they need right.

00:35:16
They're all using the one username and the one password.

00:35:20
Well, how do I differentiate between, you know, susan and

00:35:25
Bill?

00:35:25
I have no idea, because all I'm seeing is that they put in

00:35:28
username and password.

00:35:28
We need to have tools that can differentiate, that.

00:35:31
They can help us with that, or just, you know, beyond just

00:35:34
password vaulting that password and stuff, but making it a way

00:35:36
that we could get better detail on what users are doing, to take

00:35:40
the need for them to be great and put it into some of the

00:35:44
security tools that we are using .

00:35:46
Speaker 1: Hmm, yeah, that's um, that makes a lot of sense.

00:35:51
You know I have a personal policy where you know I I

00:35:57
attempt to make security as easy as possible while remaining as

00:36:00
secure as possible.

00:36:01
And uh, I was working for a company and I just heard it.

00:36:06
You know, I heard this conversation between two network

00:36:11
engineers right, and the lead said oh, you just tell that in

00:36:15
the course switch.

00:36:16
And you know you already have the credentials and whatnot.

00:36:21
And I turned around and I'm like I'm sorry, I'm sorry, I must

00:36:25
have misheard you.

00:36:26
You must have meant to say SSH, yeah.

00:36:28
And he's like no, we tell that around here.

00:36:32
And I was like why don't we use SSH?

00:36:35
And he goes there's no need for that level of security.

00:36:37
I'm like it's a core switch.

00:36:39
He goes yeah, but no one's going to breach our perimeter.

00:36:42
I was like, okay, but we have a flat network.

00:36:45
So, literally, like I could get into our core switch, yeah,

00:36:49
like just by hearing what you just said, I could get in with a

00:36:52
legit authentication, right.

00:36:54
And you know it went even farther to saying like, okay,

00:36:59
well, does everyone have their own login?

00:37:01
You know that needs access.

00:37:02
And goes oh, no, we just use the same account.

00:37:04
Why would we have different accounts Like?

00:37:06
So we have no audit ability on our core switch?

00:37:10
Speaker 2: Thank you, right, so yeah, so when, when somebody did

00:37:12
change that one config, but, like you know whatever in the

00:37:15
supervisor or whatever, that now the entire network is down, how

00:37:18
will you know what they did?

00:37:20
How will you have any idea of, like, well, let's just go look

00:37:23
through the packet capture and see if we happened to capture

00:37:26
that one session.

00:37:27
That were things changed like.

00:37:28
Good luck.

00:37:30
Speaker 1: Yeah, that's impossible.

00:37:32
I couldn't believe that companies still do that.

00:37:34
You know I'm sure you guys see that all the time of companies

00:37:38
still doing that, especially in a manufacturing environment

00:37:43
where you're manufacturing you know millions of things,

00:37:47
potentially a day or a week.

00:37:48
You know you need that line up and running.

00:37:50
You know it's probably easier to just set it up simply rather

00:37:54
than, you know, having a com, a more complex environment than

00:37:58
what it already is.

00:38:00
Speaker 2: Because the other thing is is a lot of these

00:38:01
devices?

00:38:01
They're not.

00:38:02
So network switches right, you know those are changed out

00:38:05
whatever 10 years or so you typically go through the life

00:38:08
cycle on.

00:38:08
A device in a manufacturing line is built to last for like

00:38:11
20 or 30 years.

00:38:12
They're not changing them out like this, not like because

00:38:15
again, you shut that down for any length of time and the

00:38:18
company is not producing the goods and services that make the

00:38:21
money.

00:38:21
So you put you put something in .

00:38:23
If you build a new production line, you're wanting it to last

00:38:27
for 20, 30 years.

00:38:29
There are still operating systems running core components

00:38:33
of you know thinking about energy distribution or you know

00:38:36
wastewater treatment or manufacturing oil and gas, like

00:38:39
all these different verticals.

00:38:40
They're running like Windows XP and that's a fairly recent you

00:38:45
know OS for some of them.

00:38:46
So you have these systems that you know you wouldn't want to

00:38:51
touch with a 10 foot pole but are still.

00:38:53
They're not going anywhere.

00:38:55
So they use, you know VPN is a good connection methodology and

00:39:00
I think VPN is a not good connection methodology today.

00:39:03
I think we should avoid it and move away from it, but they're

00:39:06
still using that as a methodology to get in.

00:39:08
Ssh is like amazing, like we should, absolutely.

00:39:11
But they're using, like you know, these VNC protocols, are

00:39:14
using a lot of RDP, and RDP with all of its wonderful flaws and

00:39:19
quirks, like that's how they're connecting into these systems.

00:39:23
And then add to the fact like, okay, so you, you know,

00:39:26
schneider, schneider Electric built that one device, or

00:39:29
Yocogawa, or Honeywell, or you need to name the company that

00:39:32
built the device that's running, and they have a technician, is

00:39:34
a.

00:39:35
Hey, you know, we're going to save ourselves a couple of bucks

00:39:37
so I don't have to fly here.

00:39:38
Next time I'm going to put a little jump server in the

00:39:41
network and connect it out.

00:39:42
It's going to phone home and now I can just sit there and do

00:39:45
that for my computer and my in my home office Makes a ton of

00:39:48
sense.

00:39:49
But now there's this really random internet connection

00:39:51
that's coming out of this environment that you know, god

00:39:54
knows who can access it.

00:39:56
Right, it's just a reality.

00:39:57
So, right, there is a lot of those best practices of

00:40:02
convenience.

00:40:02
So whatever we do to help secure it has to be non

00:40:07
intrusive, to the point where we can still allow it, enable

00:40:11
users to get the, because, absolutely, your network team

00:40:13
should be able to access their core switch Like they absolutely

00:40:16
need to.

00:40:16
There's million reasons why they should be able to do that,

00:40:19
but we just want to do it in a way that is one, secure and it

00:40:22
has, you know, the telemetry that we need and the reporting

00:40:25
that we need, so that you can point the finger squarely at

00:40:27
bill and say, bill, you did this , roll it back quickly.

00:40:31
Could we got to get the?

00:40:32
You know, we can only work around that one core switch for

00:40:34
so long.

00:40:37
Speaker 1: Right.

00:40:37
So it sounds like, potentially, you know where you start with.

00:40:42
Your product is even a culture change internally at

00:40:45
organizations, because you kind of need that shift in mentality.

00:40:49
You need that shift in action for your not necessarily for

00:40:54
your solution to be, you know, working effectively and whatnot,

00:40:58
but really for the organization to build trust, for them to,

00:41:03
you know, understand like, hey, this is how we're going to

00:41:06
secure it.

00:41:06
Do you do you, potentially, you know, help your, help your

00:41:11
customers, you know, identify that within their organization

00:41:14
and help them kind of change that perception.

00:41:18
Speaker 2: In some ways I'm.

00:41:18
What I'm finding is that there are a lot of clients that I have

00:41:21
really done a lot of hard work internally to help that culture

00:41:24
shift happen.

00:41:25
And so you know, obviously the world is what it is today, the

00:41:29
pressures are what they are today and you know, executive

00:41:32
leaders, board level leaders, they're all pushing down, you

00:41:35
know, because they're concerned about it now, for whatever

00:41:38
reason now, like where were you 10 years ago?

00:41:40
But you know we're concerned about it now.

00:41:42
That has obviously what you measure is what people tend to

00:41:48
do.

00:41:48
So now they're looking at it, measuring it, and there's

00:41:50
there's costs, risk costs, operational costs associated

00:41:54
with it.

00:41:54
So the business is taking notice.

00:41:56
So we're finding that a lot of that shift is happening

00:42:00
internally, for everyone maybe not, but for a lot of companies

00:42:03
and specifically in verticals like manufacturing, like oil and

00:42:06
gas.

00:42:07
And then there's some regulatory pressure.

00:42:09
You know, in the United States there's some regulatory pressure

00:42:12
, especially around like nuclear energy or other energy

00:42:14
production.

00:42:15
There are certain things that are happening that say we, we

00:42:18
are going to start requiring some compliance with some best

00:42:21
practices and that can be generally helpful and I've got a

00:42:25
lot of thoughts on, you know, the effectiveness of kind of

00:42:28
compliance regulations.

00:42:29
I think it's needed in some ways, but there's got to be some

00:42:32
some things that mitigate it.

00:42:34
So we're not finding that to be a big like.

00:42:39
We don't have to like push people to say, hey, we need to

00:42:42
change your culture and then you can start working with a

00:42:44
company like us that can actually help secure.

00:42:46
Some of that we're finding it's already there, but we are

00:42:49
finding is that there are some very specific differences

00:42:51
amongst teams.

00:42:52
You know, like you described, like you listen to the network

00:42:54
guys, they're looking at, oh, this is just the best way to do

00:42:57
it.

00:42:57
And as a security person, you're thinking, hey, we got to

00:43:01
change some of these things.

00:43:02
So you know, networking it, they speak a different language

00:43:06
than security does, which they speak a different language

00:43:08
entirely than the folks who run that manufacturing and the

00:43:11
operational technology professionals.

00:43:13
They're all speaking different languages and so it comes down

00:43:16
to this translation that can get everybody to the same table and

00:43:19
start working collectively to solve goals.

00:43:23
And what we found?

00:43:24
One of our largest customers.

00:43:25
They're a large global snack manufacturer.

00:43:29
They make delicious snacks.

00:43:31
I highly recommend them.

00:43:32
I had some the other night.

00:43:33
It was great.

00:43:34
They reported to us like man, this is the first tool that both

00:43:38
OT the operational technology people and IT agree on.

00:43:43
They went through their evaluation process and their RFP

00:43:45
and they looked at a bunch of different stuff and both OT and

00:43:49
IT returned with the same recommendation Like that has

00:43:51
never happened in the history of our company that a tool could

00:43:55
solve and bring people to the same table and same conclusion.

00:43:58
So the cultural shift is hard but it is happening, and tools

00:44:04
that could help bridge those gaps amongst different

00:44:07
perspectives and different things that people care about I

00:44:11
think will go a long ways towards supporting it.

00:44:17
Speaker 1: Yeah, that is very interesting.

00:44:19
I can only imagine being in an environment that deals with

00:44:23
manufacturing automobiles across the entire globe.

00:44:27
Saying that everyone agrees on this solution is winning the

00:44:34
lottery.

00:44:34
I recently proposed a solution and it got approved, and not

00:44:41
everyone saw it, and everyone had an opinion on what products

00:44:45
I chose for the POC, for the RFP .

00:44:48
And they're like, oh well, you didn't think of this, you didn't

00:44:51
think of that.

00:44:51
It's like, guys, I chose literally the top five people in

00:44:57
the industry for this.

00:44:58
What are we talking about?

00:45:00
But that's just a simple, that's one little simple thing

00:45:07
of a solution that we didn't even start evaluating at, we

00:45:10
didn't even send NDAs out yet.

00:45:12
Right, and everyone has their own opinion that they're in

00:45:16
disagreement about the solution.

00:45:18
Speaker 2: Yeah, but I think, too, something I found in my

00:45:20
career, just kind of organizationally, is and I find

00:45:24
this within the team that I work on is the ability to disagree

00:45:27
and commit.

00:45:28
So, absolutely have an opinion, absolutely, let's have a

00:45:31
disagreement and let's talk about it.

00:45:33
Let's not just disagree in silence and not discuss it.

00:45:37
But if you have a different perspective, we need to hear it.

00:45:40
We want to hear it.

00:45:41
Let's figure out where we have commonality, where we can agree.

00:45:44
But at the end of the day, as a team, we're going to make a

00:45:48
decision and I'm not going to get everything I'm going to want

00:45:50
.

00:45:50
You're not going to get everything you're going to want,

00:45:51
but we're going to disagree and then we're going to commit

00:45:54
Because at the end of the day, our goal should be aligned.

00:45:57
And in cybersecurity, let's make it easy for users, let's make

00:46:01
our company more secure, let's find very tangible ways to

00:46:04
improve our security posture, and then let's get to work.

00:46:09
There are a lot of ways to slice the onion.

00:46:11
There's some really great ways.

00:46:13
I think.

00:46:13
There are some maybe shaky ways , but a lot of ways that people

00:46:17
are doing it.

00:46:17
So the ability to disagree but then get after the main job, I

00:46:22
think is a big part of the culture change that we're

00:46:24
looking at.

00:46:26
Speaker 1: Yeah, absolutely.

00:46:27
I think it's healthy for there to be constructive criticism or

00:46:35
everyone to have their own ideas and whatnot, but you got to

00:46:38
find that common ground and I find it more important that

00:46:42
security professionals are doing that and not just laying down

00:46:45
the hammer and saying, no, we're doing it this way for this

00:46:48
reason, or whatever you can agree on.

00:46:54
Yeah, we need data security, we need to encrypt this data in

00:46:57
the cloud, but how you do it is up for debate, and that's where

00:47:04
the debate happens.

00:47:05
That's where the discussion happens in a healthy way, of

00:47:08
course.

00:47:08
Yeah, I completely agree.

00:47:11
Yeah, yeah, definitely so, sam.

00:47:14
We're coming up on our time here and I'm very conscious of

00:47:17
everyone's time, so how about you leave my audience with,

00:47:22
maybe, where they could reach you if they wanted to reach out,

00:47:24
where they can find your company?

00:47:26
What the website is?

00:47:27
All that good information.

00:47:29
Speaker 2: Yeah, absolutely so.

00:47:30
A company I work for is COLO.

00:47:32
It's C-Y-O-L-O and our website is COLOIO.

00:47:35
You can find us there and read up, see what challenges we're

00:47:41
solving and some of the things that we're doing across

00:47:43
different industries.

00:47:44
I think we've got a pretty unique and differentiated

00:47:46
solution.

00:47:47
That is.

00:47:49
It's helpful bringing people to the same table and solving our

00:47:52
common goals.

00:47:52
You can find me on LinkedIn.

00:47:54
Just search for my name, samuel J Hill.

00:47:57
I'm pretty active on LinkedIn I try to be, at least and I love

00:48:00
connecting with people, having conversations even the ones that

00:48:03
disagree, and that kind of stuff.

00:48:04
So you can find me there.

00:48:05
And, as always, I'm just really grateful for you taking some

00:48:08
time to hear from us, tim, and spend this time.

00:48:11
I really enjoyed our conversation.

00:48:12
I do a lot of podcasts.

00:48:13
Some are like pulling teeth and this has not been that, so I'm

00:48:19
grateful for you not taking me to the dentist today.

00:48:22
Speaker 1: Yeah, absolutely.

00:48:23
I tried to not make the conversation unbearable.

00:48:26
That's the worst when you're trying to force a conversation.

00:48:32
Yeah, absolutely Well, thanks Sam for coming on and I hope

00:48:39
everyone listening enjoyed this episode.