Are you ready to explore the world of cybersecurity through a new lens? Buckle up as we voyage through the captivating journey of Sam, a former emergency room technician who successfully transitioned into the realm of IT and cybersecurity. His unconventional path—marrying his medical background with a passion for problem-solving—proves that with an adaptable mindset, anyone can find their place in this dynamic industry.
In our enlightening discussion, we emphasize the importance of fostering a broad knowledge base within cybersecurity, challenging the inclination to become hyper-specialized. We highlight the potential pitfalls of limiting oneself to a single domain, which can obstruct a holistic understanding of the vast security landscape. Moreover, we address the current job market's unrealistic demands on those starting their cybersecurity career and propose that embracing diversity in backgrounds and experiences could be a solution to the industry's talent crisis.
As we delve deeper, we examine the Zero Trust Framework, spotlighting the necessity of creating an authorized user list coupled with rigorous logging and reporting. You'll hear firsthand about Sam's experience with his product, Cyolo, a tool designed to tackle unique user access challenges. We then move on to the subject of auditability within organizations, and how manufacturing companies maintain security on outdated systems. We wrap up with the vital topic of networking, shedding light on how disagreements and connections can bolster your knowledge and understanding in the cybersecurity field. Tune in for an episode packed with insights, experiences, and wisdom from the ever-evolving world of cybersecurity.
Speaker 1:How's it going, Sam? It's really good to finally have you on the podcast here. I'm really excited for our conversation today. I think it'll be an interesting one.
Speaker 2:Joe, I'm looking forward to it as well, man. Thank you very much for including me.
Speaker 1:Yeah, absolutely. So, Sam, you know I always start everyone off with telling their background. You know, I think it gives a lot of good context to my audience, and my audience is coming from, you know, many different backgrounds. So I know some of them are wondering, right, how is there a space for me in IT? Is there a space for me in security? And they may be coming from a non-technical based background. So what's your story?
Speaker 2:You know I originally my first adult job. You know you have your high school jobs. Then you get into the real world and I worked in a hospital. I was an emergency room technician for, well, seven and a half years and a couple different hospitals and did a lot of, you know, crazy stuff, a lot of great stories.
Speaker 2:I usually like to say they're better told over adult beverages, so we'll spare your listeners that conversation today. But I got into technology and cybersecurity kind of, you know, through different relationships that I had and found doors that opened and walked through them and really fell in love with the space. I think you know, for anyone who's listening that's looking forward to a career in technology or in cybersecurity, please, please, join up. We need your help. We need your specific background. Everybody's bringing their own unique point of view and perspective and the more diversity I have, we think, looking at these problems that we're all facing, every company is facing, the better off we're going to be. There's a lot of great experience that is coming from outside of the tech and cyber world that I think is really necessary, really needed today.
Speaker 1:Yeah, wow, that's a very interesting background. I mean, what made you go from being an ER tech into, you know, this crazy world of security?
Speaker 2:You know, I mean, the real answer is I was working on the front lines of healthcare, you know, 40 plus hours a week and unfortunately it does not pay super great. We will divert away from that conversation because I think that's a big structural conversation there. However, you know, my family was growing and I needed a way to provide for them and, again, I had mentors and people that I knew that kind of connected me to different places and ended up getting different jobs. And it wasn't that I sought out to end up in cybersecurity, it just kind of happened. That was just the path that unfolded before me in my career and I kind of found, hey, I have an affinity for it.
Speaker 2:I have a. I like to communicate and I like to solve big problems. I like to take big, complex ideas and help make them very simple to understand, and it just kind of felt like a good fit and it's been a lot of fun ever since. It's kind of one of those things you realize how much you enjoy it once you start doing it, if that makes any sense at all.
Speaker 1:Yeah, I think that makes a lot of sense. You know, was there any skills that you learned as a ER tech that kind of translated into the world of security or your current role?
Speaker 2:You know, in the emergency room every day is different in a lot of ways, and I think that's very appropriate for a security role, because every day is going to be different. Now there are some big pieces that are roughly the same and you know, some nights we would have would be like out tonight's the chest pain night Everyone that's coming in has a chief complaint of chest pain and you would notice little themes. And if you've ever worked in a hospital, the full moon is a real phenomenon. Obviously it happens every 28 days. We know that, but it does somehow impact emergency services.
Speaker 2:Weird stuff happened on full moon, so you knew that happening, but it was always different. There was, there was a uniqueness to what it is that you were doing and you never really knew the challenge that you would be facing until you showed up for your shift. And so, similarly, in the cyber security world, you don't really know what's going to happen. You can have some good ideas. You obviously things happen cyclically. You know big pieces, but you have to adapt, you have to overcome, you have to innovate, you have to change and continue trying and growing, and so I think some of those, those skills, have transferred over.
Speaker 1:Huh, yeah, that's, that's really interesting. You know, recently I ran into a situation where I was on a call just trying to get teams to, you know, resolve vulnerabilities in the cloud, right, just kind of make our environment more secure. Basic things that I figured, you know, everyone would kind of be on board with, especially because this isn't our first meeting, and you know they had a huge problem with it, like completely threw a wrench in my entire day. It was like, man, like why did they? Why did they give me so many issues about it? Like I had to go hear a backstory and, you know, get some background on the, on the issue and whatnot, because it was just, it was throwing me off by so much.
Speaker 1:And now here I am revamping the entire process, creating custom reports and all this other stuff to help out the teams, right, and you know I'm a, I'm a security engineer right. At the end of the day I don't necessarily, you know, need to do that or spend my time on it or whatnot, but it's different. You know, every day is different. The day before that I was talking about, you know, securing a firewall right, or securing a network right.
Speaker 2:Right right.
Speaker 1:I think that's what. That's what keeps you know myself, and you know people like yourself keep coming back right, Because it's always different.
Speaker 2:Yeah, well, and again, you have to adapt and overcome, like you, something that is obvious to you hey, vulnerabilities and cloud applications or cloud access, like, yeah, we should probably do something about it and we can right, like, there's things you can do to solve for that. It should be a no brainer, but unfortunately there are others that they do not see the world the same way that you do. It does not make them wrong, bad or or terrible, it's just now. You have to adapt and overcome and make sure that you're giving them the information that they need. And you're right, it does, it keeps you, keeps you fresh, it keeps you moving, gives you something to talk about with your family at the end of the day, that they just will not understand. And it just it does, it keeps, it, keeps it going.
Speaker 1:Yeah, absolutely so. You know your transition into security. You know how did you manage the learning curve of security that you know we have. That's a mate right that everyone has to go through, no matter what Right. How did, how did you tackle that? How long did it take you to feel, you know, actually like comfortable in the role in the industry?
Speaker 2:I looked at it. I had some really fantastic mentors and people that helped me along and I think, if you can hitch your wagon to those people that know what they're talking about. One of my first jobs when I got into technology was as a sales person. I was a sales, sales manager for, for a technology company and I had a just world class engineer that I worked with. I mean, this man was incredibly smart and every opportunity I got I would pick his brain and ask him questions, or we'd walk out of a meeting and help me understand why that's a big deal to this client, why is their system like this? Or kind of getting into the, into the weeds of it.
Speaker 2:And the other piece, I think, is having a very broad knowledge about a lot of things I think is actually very useful. I think there's a, there's a rush to hyper specialize in security and in technology in general and I don't know that that's, it's, it's needed. Obviously we have to have specific experts and domain expertise, but I think having a broad knowledge, being able to articulate what it is, you know, what's the difference between a SIEM and a SOAR, what's the difference in an XDR versus, you know, a VM scanner, being able to understand kind of the, the building blocks of the functional pieces that go into kind of a defense in depth posture, I think then gives you, you can ask great questions and better questions that continue to expand your learning and knowledge. And so I just, I just went as wide as I possibly could quickly and ask and then just continue to ask questions from there.
Speaker 1:Yeah, you bring up a really good point. You know I I talk to a lot of people that are trying to get their start right and the the biggest question that I get is you know, what do I specialize in? What should I learn? You know the best and all this sort of stuff, and this has come from people that have little to no experience.
Speaker 1:And I started my career in a very dynamic role.
Speaker 1:You know, I learned across probably six or seven different domains of security.
Speaker 1:I managed those technologies all at the same time while I was learning them, and that's really, you know, where I cut my teeth, so to speak, and that's where I, like, made the most progress, because when you pigeonhole yourself, right, it's kind of assuming that you have those building blocks. You know, like now I'm in cloud security, right, and people would think that, oh yeah, you're specialized in the cloud and whatnot and you know everything in the cloud, right, which is true, but a part of that is also knowing data security and endpoint security. And you know where I learned endpoint security is in that role where I did eight different things, right, because I specialized in it. You know, learning how to get logs out of the cloud or maybe keeping them in the cloud and doing a SIEM around it and doing some threat, you know, analyst stuff around it. Like I learned all of that because I was doing a bunch of different things and all of that is a part of cloud security, right? Like I would not be in cloud security if I did not have that experience.
Speaker 2:Oh, it's a hundred percent and I think, like I think there's a lot that happens in the job market, especially for cybersecurity professionals, where we expect a lot out of people that are getting started, and I think we have to change that mentality very quickly. On the job training is really some of the best that you can. I mean, you've probably worked in roles where you've hired a new person and they may have, you know, they have all the intangibles that you're looking for. You know, good work ethic, they get along with the team well, they have an ability to learn, but they don't necessarily. Even if they come in with good certifications, you're still going to have to teach them your processes, your tools. You know, maybe they specialized and learned on one tool, but you're actually using a competitor.
Speaker 2:There's still a lot of on the job training that's already happening. That needs to happen. So why not accept people that have maybe a little less certification, a little different background? You're going to teach them anyways. Might as well, bring folks in and get them started. Last I checked, we have a severe shortage of cybersecurity professionals and so if we can just maybe widen our reach just a little bit, bring folks in, let them get started. Let them learn, pair them with competent mentors who have been around the block a little bit, and then let's see what happens.
Speaker 1:Yeah, you know, I feel like that security shortage is almost self-imposed, you know, because it, one, it doesn't make sense because there's so many applicants, for, you know, every job. I mean, even if you just go on LinkedIn, you can see how many people have applied. The biggest issue that I ran into, even personally when I was getting into security, was, you know, I had my Security+, I was getting my master's in cybersecurity, but people would get hung up on the fact that, oh, I didn't have experience with, with Splunk, right? Well, Splunk is like $10,000 a minute. How am I going to pay for that? Like, do you want to tell me how I can pay for that? You know? And then, even when they had a free version of it and I deployed it in my home lab and did everything with it, right?
Speaker 1:People still didn't accept that. They're like, oh well, it's different from enterprise. Okay, like, what do you want me to do? Like, I can't, I can't go buy Carbon Black, right? I can't go buy Bit9, I can't go buy any of these solutions. You know, I'm a poor college graduate trying to get into this industry.
Speaker 2:Because so you hire somebody? Oh, they came from a QRadar background, like they're not using Splunk, but they came from wait. Good, great, if you're gonna have to teach them Splunk anyways, see, might as well take someone that has an aptitude, a willingness to learn, a good attitude, a work ethic. You know, skills that are really the intangibles that go a lot further in the cybersecurity market than, oh, you know how to input fields and edit data tables in Splunk. Or you know, here's how you import X. Good grief, like we got a, you're right, self-inflicted wounds here.
Speaker 2:But you think about it too, like you know, I think would make fantastic cybersecurity engineers or people, folks coming out of the service industry. I mean, you want to talk about high pressure, high volume, crazy work. You know, talk to a server who's got 10 tables, all of them who are needing certain things and they're running around trying to make sure they're all taken care of. Okay, do they have cybersecurity experience? No, but do they have a great attitude? Do they know how to do customer service? Can they learn? Do they work quickly? Are they personable? Like those skills will go a lot further in a cybersecurity team role than you know. Your CISSP, perhaps not saying that's not important, please don't miss here. I'm not saying that's not important. Please train, learn, get certifications, advance, do all those things, but folks getting started off, I think it's far more important to have some of the intangibles.
Speaker 1:Oh for sure. I mean, there's no debating that in my mind. Even you know, like the certifications are great they, but they're they should be used to validate the knowledge that you have not. Not, you know, gain more knowledge necessarily and rely on that to get a job or anything like that. Like you know, they're really just validating the knowledge that you have and it's okay to build up that knowledge while you're studying for the cert. But if you're, you know, a server trying to get your CISSP, it's like okay, well, you're not even in the industry, they're not going to issue it.
Speaker 1:You know, and I always recommend to people you know that want to get into security get into help desk first.
Speaker 1:You know, because in help desk depending at least depending on the company, you know, you could pick up the phone and someone is just automatically yelling at you right off the bat.
Speaker 1:Right, that's a high stress situation for me, you know, until I got used to it, I mean that was that was like panic attacks and whatnot, Like I'd have to get off the call, go for a walk, try to de-stress somehow, you know, and go back to my desk and lo and behold, you know, the same person is calling me back with a new issue and they're just as angry, if not angrier. You know and I got to deal with that right and that those are skill sets that you only learn in those types of jobs. You know same thing with you know servers and really anyone in the service industry. You're having to deal with other people and it's such a such a wide variable of what could be happening right Like I've been on calls when you know someone. Someone told me that they were going to like a, like a Renaissance fair or like a. It was like a medieval convention right, where everyone like dresses up in, you know, the clothing of that time period those jobs for like a week and whatnot.
Speaker 1:And I couldn't believe that this person was telling me this, right, and at the time, you know, I'm very early on in my career. I mean, I just, I couldn't believe, right, like how she was talking about how she's going to be churning butter, right, for the next week and how she's so excited for it. And it was so extraordinarily difficult for me to not laugh on the phone and I couldn't, I couldn't mute myself because this is an active conversation. I was supposed to be actively troubleshooting her issues. It was the most complex, like, situation, you know, that you could imagine, because it's like, okay, I gotta zone her out, I need to focus on this problem, relay information back, try to zone her out more. And it didn't help that I had several other colleagues on the call too, because I was the escalation point and they were all muted, laughing, like, you know, I could see them. I was just like, guys, walk away. Yeah, you know.
Speaker 2:But what a great scope. In a cybersecurity right, like if you're dealing with an incident, there's a lot of noise. You have to tune it out, focus, parse, look, just describe, report out. I mean think of any tabletop or any incident that you've ever ran or been a part of. That is essential skills. I mean you know your, your certifications are less important than your ability to prioritize, focus, report, get feedback, work with a wider team and and really get it solved. So I mean I think I love how you're thinking about this. This is, this is a fantastic conversation.
Speaker 1:Yeah, absolutely. You know that's another thing. You know that, that people don't really understand, right. I'll give you an example. A little bit earlier on in my security career there was a major incident, but the giant incident, where this solution basically rotated 40,000 accounts in the environment. One, it wasn't even configured to rotate all those accounts, it was only rotating, supposed to rotate, you know, like 2,500 or 3,000, whatever might have been. A bug occurred in the system and it rotated everything all at once. You know, we came within maybe six or 12 devices or accounts of being locked out of the entire environment and having to call Microsoft.
Speaker 1:Dang. That, that's literally the situation. So in the midst of that, I'm not only directing traffic, I'm not only getting, you know, my team to get the right people in the organization because they, they're all new, they're brand new in security. They have no clue what's going on. They assume everyone's getting fired at the end of the day. Right, I assumed I was getting fired at the end of the day, but I knew I had to keep working. Yep, you know, and in that situation you have to zone in, and then you know I would hear my manager's voice. You know, give me an update. It's like, give me five minutes.
Speaker 1:Like that's your update. Give me five minutes and then I'll have an update. And you know, five minutes later I would chime in to him like on the call, just cut everyone off, be like this is the status, this is what's going on, is what I'm doing next. You know, and yeah, like go right down the line of, then he's managing traffic upwards and sideways and then my team is managing traffic to all other. You know technical people, but if I didn't have the ability to slow down, Right and identify.
Speaker 1:Okay, this is a major issue right now. We need to waste no more time on anything else. Everyone needs to drop everything, right. Then I spent 30 seconds and just directed traffic, like you're in charge of this. You're in charge of this, you go handle this. You know, if I didn't do that, that incident would have been much more severe because I had to have someone go to very specific people in the company and say, you know, don't log off. Like, you need to stay logged in, no matter what. If it says, you know, change your password, do not change your password. You know, all those different things. If I didn't protect the company like that, we would have been a news story on CNN within a couple hours. You know, right, that would not have been good.
Speaker 2:Yeah, no joke, yeah, that would have been that. That's not the kind of thing you want your name tied to.
Speaker 1:Yeah, yeah, that would not. That's a good way to end a career before it starts, you know. Yeah, so you know, Sam, talk to me about your current role, your current company. What are, what are you doing now? What are you guys specializing in? What services do you provide?
Speaker 2:So I work as the director of product marketing for a company called Cyolo Security, and it's C-Y-O-L-O. It's because you only live once, and we focus on those situations and scenarios where user access could cause enormous damage to the business, and you've been a part of incidents, right? You just described one so well, like this was an enormous problem to the business. Something went wrong and the entire team is now responding to try and get it fixed, and we find that there are usually things that could happen. You know, here's a good example.
Speaker 2:If you are a company that manufactures cookies, you have assembly lines and product lines and all sorts of things. They have all these machines that are mixing and making it. Just the complexity is enormous. If that cookie production line shuts down for 30 seconds, you're losing money. 60 seconds, a lot more money. A minute, you know, two, three, five, ten, twenty minutes, any amount of time that that production line is not working is enormous damage to the business. To make that more complex, those devices are usually maintained or have service contracts with the company that made the device, and they have remote technicians that will, you know, use some phone line or VPN or some tunnel to get into the system to talk to that device, and now all of a sudden we're risking the shutdown of the cash production engine of the company.
Speaker 2:So user access could cause enormous damage to the business. We're specialists in that and so we perform a high level of authorization, or basically got to identify every user, make sure that they're authorized to only very specific, very limited things that they should be accessing and working with, and then keeping all of the Logs and reporting. If that sounds familiar, it should. It's. Frankly, it's the summation of the zero trust framework.
Speaker 2:We want to make sure we identify every user and know exactly who they are and they're not some generic, you know, account. We want to make sure we have a very fine-grain limitation, what it is that they are allowed to access. We like to think of it as, instead of building out the deny lists, you know, if you go through a firewall or you have all the deny lists, you have your ACLs and all that kind of stuff, let's build out an allow list, and that's gonna be a lot smaller. Let's build the allow list instead of the deny list so that they only can access the specific tools or resources they need to do their job. And then, finally, we got to make sure we monitor everything. All the reporting, all the logging, all of the data from these connections should be, should be available and should be able to be scrutinized for all the different purposes, and so that's what Cyolo is; we specialize in high risk access.
Speaker 1:Yeah, that that is. You know, that's an aspect that I feel Is often overlooked a lot of the times in organizations, you know can. Can I ask you this what was this, the? Was this product, this solution, was this the bread and butter of what the company was kind of founded on and created for, or was it kind of bolted on? And I? I ask this because, as a security professional, I can tell right, within probably 30 minutes of working with a solution of, if this is a conglomerate of 10 other solutions kind of bolted together with some really strong duct tape, right, or if this was, you know, solely built for this solution.
Speaker 2:Yeah, so I would, I would like to argue that it, we did build it purposefully for this, because our founder is a former CISO, the chief information security officer. He was the first CISO of the Israeli Navy. We're an Israeli company, wow, and so he had all the weapon systems and IT systems and all the things that were, you know, in the Navy, and that was his, that was his role in the, in the Navy. So then after that, he transitioned into private industry and worked for a global manufacturing company where he had users that were in a non-friendly country, that were contracting with his, with his current company, that needed to access critical pieces of data or lines or whatever it was. These users were also contracting with their competitors and you think about, like, what a mess, right, like you have these people that are not friendly and could shut your business down. So how do you build security for that environment?
Speaker 2:And that was the genesis of the Cyolo solution: building it for, again, these situations where we have users that need to connect to applications or resources, and then the policies that connect all of that together. So he partnered with a couple of guys he knew that were ethical hackers at large companies, and so it's really fun. We get into like these, like company meetings, and we'll have, like, you know, the CISO perspective with our, with our founder, one of our founders. Then the other two founders are like arguing from like the hacker perspective, like I'm going to break in this way, and he's like, no, we're going to block you this way. So it's just really fun, like dichotomy, which is very healthy, I think, in a security tool. And so no, it was purpose built for solving those specific issues.
Speaker 1:That's perfect. You know, I, I, I worked with another solution, um, that, you know, to be completely honest, I wouldn't even consider them a competitor. I know you guys probably do. Unfortunately, I have that experience with them, um, but it was just so miserable when I got to that section of their product, because you know that there's like 10 other things that this tool does, right. This is one of 10, like, quite literally one of 10. And you know, building that out, deploying applications into it, like deploying servers and endpoints into it, it was terrible. I, it was absolutely terrible. It was the worst experience I've ever had doing security. I hope to never touch that solution again. Like literally, when I'm interviewing, I ask them, do you have this solution in your environment?
Speaker 1:And if they say yes, I'm like, all right, I'm sorry, I just I won't work in an environment that has that solution.
Speaker 2:Cause as soon as they find out right.
Speaker 1:Cause, as soon as they find out that I have experience, they're like oh, you're the SME, like you got it. Like oh, I do not want that job ever again.
Speaker 2:Unfortunately, that's a reality, right, like, security tools can be hard on security teams and that's, that shouldn't be the case. So you guys are already overworked, you have more on your plate than really should be there. We talked about the shortage of people that are working in these roles, so you don't have enough human power to get after the job. Um, but the other side is, security tools should be easy for end users to also use. Like, the best security tools are the ones that end users comply with. Like, you can sit there and have the greatest thing and all the policies are so beautiful and, you know, everything's just, oh, it's amazing. But these users, like, they're not malicious, they're smart, they, they will get around whatever you have in place if it is blocking them from easily doing their job.
Speaker 2:I think of one client that I knew of. They had, um, there was a research institution where their principal investigators, you know, the women and men who are doing high level, advancing humanity style research, was they were sending trial data over iCloud because, right, and I know, let's maybe not do that, right, that's not very, that's not secure. Just in case you're listening, iCloud has got a lot of great features. That's not one use case that it should handle.
Speaker 2:We should not purpose bill for that. Right, there are other ways to do it, but it was not easy. It was not something that these, again, these people are experts in their field of research, not cybersecurity, so they don't think of, I got to keep this data safe and secure. They're thinking, I have to collaborate with my colleague over here because they need to look at this and we need to discuss and we need to, you know, publish, um, so those are the realities.
Speaker 2:Like the tools have to be fundamentally workable for cybersecurity professionals, cause if you're going to, if you have to open a support ticket every time you want to add something or change something, like that is just a waste of your time. And if a user is just going to get around it because it's not supporting their existing workflows, also a waste of the cybersecurity team's time, cause they have deadlines, just like we do. They have big projects and big meetings and their bosses are putting pressure on them to get stuff done, just like the cyber teams are. It's not that different. They're not malicious, they're just trying to get their work done.
Speaker 1:Yeah, it's a really good point. You know it's, um, it's interesting being in security, right? Because we have a different mindset from everyone else, um, most of the time at least. You know, we have the mindset of how do I break this, how do I get around this, how do I do this, right? And then you know there's a group of us that say, okay, let's do it. And then there's a, hopefully, a much larger group that says, how do we protect against it? You know, um, like I recall earlier on in my career where my manager basically said, oh, this solution is going to, you know, block all data exfiltration. You know, you'll, well, no one will ever get around this thing and whatnot.
Speaker 2:And I was like, okay, like I took that as a personal challenge because I knew Hold my beer, let's go. Yeah, yeah, right.
Speaker 1:I knew he didn't know the solution that well and I knew that he also didn't know the technical implications behind it and whatnot. And so, literally 30 minutes later, I pull up my computer and I called them over and I said, hey, like you know that expensive solution that we just spent a couple million dollars on, yeah, I want to show you how I just got around it and you can go check and see if there's any alerts on my device. Yeah, and like I showed him, he goes what? Like? Who's even going to think like this? I'm like, if this messes with someone's productivity, they are going to find a way to do it. This is a Google search away. That's all that.
Speaker 2:This is yeah.
Speaker 2:No, it's a hundred percent right, 'cause, again, you're just trying to do your job. If you're an end user, you're not thinking about, you know a lot of things other than I got work to do, or you're you know I got to get home to my family or you know whatever. That is like, the pressures of everyday life. That's what's exploitable. And really the human element is by far the weakest link in the cybersecurity chain. It is easily the most sensitive. We like to say around here at Cyolo, like, hackers don't break in, they log in, because it's so easy to compromise credentials. There are so many attack vectors that are literally causing users to be compromised. And then now they have a, they have access. So controlling and managing that access is hyper critical and it gets more critical the more sensitive, the more impactful to the business, the thing the user has access to. Yeah.
Speaker 1:You know you bring up an interesting point. You know I have a policy where I don't click on links, right Fair. I don't care if you send them to me on my work device, on my personal device, it doesn't matter to me. If you want me to click on it, you better message me or tell me, you know, in another way, saying like hey, I just sent you this. You should probably click on it.
Speaker 2:We're doing MFA for links, is what you're doing really, you're multi-factor, authenticating that the link is legitimate. Yeah, that's fantastic. Yeah, yeah.
Speaker 1:You know, I did a training course this past weekend and I expected I had to sign a like a liability waiver or whatever it was, which is fine, but I never got it Right. So I show up to this course and they're like, hey, you never signed your waiver. I was like, okay, well, I never got it. And they're like, oh, we texted it to you. I was like, okay, so, from a number that I do not know, just texted me a link and that's literally the only thing that they sent me. They only sent me a link. Like, dude, you know what I do for a living, I am not clicking on that thing.
Speaker 1:I literally, I literally looked at the message and I was like not today, Satan, and I deleted the message. Exactly yeah, Like come on yeah.
Speaker 2:You've got to be better than that. That's, I mean. That's, yeah, I mean. Unfortunately, the phishing and the smishing and all that stuff is getting better and so they're, you know, sending a single link from a number. You don't know. Maybe that actually would be considered more legitimate now, because they're actually getting a little bit better and, you know, the conversational AI is getting better at writing stuff that makes sense. But yeah, I still get a lot of great text messages, a lot of great text messages from my CEO, because he's in a meeting and he needs me to reply right away. And, um, yeah, those immediately get filed in the dumpster. Yeah, it was really interesting.
Speaker 1:You know, I went to Germany last year and before Germany I was talking to someone that I'm, I'm a, I'm a part of this advisory board and I was talking to the CEO of this board about potentially coming to France to go and do a talk and whatnot, right, but we never really nailed it down, so I never did the talk, and so it looked exactly like him, like his number was 100% spoofed. It came up in my phone as him because I have his number saved Yep, Yep. And he said, like you know, hey, are you available? You know, I have something I need you to do. Okay, whatever You're like, I'll, I'll handle it. I was at the bar at the time of all places, right, um, in Germany, because that's what you do, absolutely yeah. And and I'm not sure if you're- going to be able to do that.
Speaker 1:The next message that he sends is I need, like you know, 30 gift cards. I'm like, all right.
Speaker 2:I get it now. Yeah, I see this. All right, I've seen this one before, yeah, but I, I mean it's so, it's so easy for the criminals to do things that users would trust. I mean, if I got a number of a text from someone that is in my contact list that I know that I've I've communicated with before and they said, hey, you know, can you help me out with something? Of course I'm going to be more responsive to that.
Speaker 2:Um, you know, I don't answer my phone if it's not a number that's really saved in my contacts, because it's either someone trying to sell me something or or or worse, and but it's so it's so easy for that to be done today that really, cybersecurity has to evolve away from like we got to take a little bit of the burden off of users because you know, at the end of the day, like again, they're busy, they got projects, they got jobs, they got things they're worried about that are outside of what we're concerned with. So we have to take the control a little bit away from them or not rely on them because, okay, great, so you did a phishing training, you got everybody enrolled in that, and that's fantastic. You should do that, absolutely should do that. But you went from 10% compliance, you know, or 10% click the link, to 4% that click the link Celebrate as a big win. That's amazing. You still have 4% of your company that are clicking bad links, like that's still a problem that is not fully gone away.
Speaker 2:So if we can take the security from that, the users need to do something or be good to. Our tools are going to account for the fact that the user is not going to be right 100% of the time and it's going to build those layers of control and compensation into the access that they're being given. You know, obviously access should be different if they're working from home than if they're working in the office or if they're somebody that's not a part of your company but it's a third party or a contractor, whomever. You should have a lot of different levels and we should have a lot of different ways to validate.
Speaker 2:One of the other things that happens a lot in companies is they'll have like okay, so say it's like one like file server or something, to get into that file server. There's one username and one password and there's 100 people that are logging into that file server because it's got something that they need right. They're all using the one username and the one password. Well, how do I differentiate between, you know, Susan and Bill? I have no idea, because all I'm seeing is that they put in username and password. We need to have tools that can differentiate, that. They can help us with that, or just, you know, beyond just password vaulting that password and stuff, but making it a way that we could get better detail on what users are doing, to take the need for them to be great and put it into some of the security tools that we are using.
Speaker 1:Hmm, yeah, that's um, that makes a lot of sense. You know I have a personal policy where you know I I attempt to make security as easy as possible while remaining as secure as possible. And uh, I was working for a company and I just heard it. You know, I heard this conversation between two network engineers right, and the lead said oh, you just telnet into the core switch. And you know you already have the credentials and whatnot.
Speaker 1:And I turned around and I'm like I'm sorry, I'm sorry, I must have misheard you. You must have meant to say SSH, yeah. And he's like no, we telnet around here. And I was like why don't we use SSH? And he goes there's no need for that level of security. I'm like it's a core switch. He goes yeah, but no one's going to breach our perimeter. I was like, okay, but we have a flat network. So, literally, like I could get into our core switch, yeah, like just by hearing what you just said, I could get in with a legit authentication, right. And you know it went even farther to saying like, okay, well, does everyone have their own login? You know that needs access. And goes oh, no, we just use the same account. Why would we have different accounts Like? So we have no auditability on our core switch?
Speaker 2:Thank you, right, so yeah, so when, when somebody did change that one config, but, like you know whatever in the supervisor or whatever, that now the entire network is down, how will you know what they did? How will you have any idea of, like, well, let's just go look through the packet capture and see if we happened to capture that one session. That were things changed like. Good luck.
Speaker 1:Yeah, that's impossible. I couldn't believe that companies still do that. You know I'm sure you guys see that all the time of companies still doing that, especially in a manufacturing environment where you're manufacturing you know millions of things, potentially a day or a week. You know you need that line up and running. You know it's probably easier to just set it up simply rather than, you know, having a com, a more complex environment than what it already is.
Speaker 2:Because the other thing is is a lot of these devices? They're not. So network switches right, you know those are changed out whatever 10 years or so you typically go through the life cycle on. A device in a manufacturing line is built to last for like 20 or 30 years. They're not changing them out like this, not like because again, you shut that down for any length of time and the company is not producing the goods and services that make the money. So you put you put something in. If you build a new production line, you're wanting it to last for 20, 30 years.
Speaker 2:There are still operating systems running core components of you know thinking about energy distribution or you know wastewater treatment or manufacturing oil and gas, like all these different verticals. They're running like Windows XP and that's a fairly recent you know OS for some of them. So you have these systems that you know you wouldn't want to touch with a 10 foot pole but are still. They're not going anywhere. So they use, you know VPN is a good connection methodology and I think VPN is a not good connection methodology today. I think we should avoid it and move away from it, but they're still using that as a methodology to get in. SSH is like amazing, like we should, absolutely. But they're using, like you know, these VNC protocols, are using a lot of RDP, and RDP with all of its wonderful flaws and quirks, like that's how they're connecting into these systems.
Speaker 2:And then add to the fact like, okay, so you, you know, Schneider, Schneider Electric built that one device, or Yokogawa, or Honeywell, or you need to name the company that built the device that's running, and they have a technician, is a. Hey, you know, we're going to save ourselves a couple of bucks so I don't have to fly here. Next time I'm going to put a little jump server in the network and connect it out. It's going to phone home and now I can just sit there and do that for my computer and my in my home office Makes a ton of sense. But now there's this really random internet connection that's coming out of this environment that you know, God knows who can access it.
Speaker 2:Right, it's just a reality. So, right, there is a lot of those best practices of convenience. So whatever we do to help secure it has to be non-intrusive, to the point where we can still allow it, enable users to get the, because, absolutely, your network team should be able to access their core switch Like they absolutely need to. There's million reasons why they should be able to do that, but we just want to do it in a way that is one, secure and it has, you know, the telemetry that we need and the reporting that we need, so that you can point the finger squarely at Bill and say, Bill, you did this, roll it back quickly. 'Cause we got to get the, you know, we can only work around that one core switch for so long.
Speaker 1:Right. So it sounds like, potentially, you know where you start with. Your product is even a culture change internally at organizations, because you kind of need that shift in mentality. You need that shift in action for your not necessarily for your solution to be, you know, working effectively and whatnot, but really for the organization to build trust, for them to, you know, understand like, hey, this is how we're going to secure it. Do you do you, potentially, you know, help your, help your customers, you know, identify that within their organization and help them kind of change that perception.
Speaker 2:In some ways I'm. What I'm finding is that there are a lot of clients that I have really done a lot of hard work internally to help that culture shift happen. And so you know, obviously the world is what it is today, the pressures are what they are today and you know, executive leaders, board level leaders, they're all pushing down, you know, because they're concerned about it now, for whatever reason now, like where were you 10 years ago? But you know we're concerned about it now. That has obviously what you measure is what people tend to do. So now they're looking at it, measuring it, and there's there's costs, risk costs, operational costs associated with it. So the business is taking notice. So we're finding that a lot of that shift is happening internally, for everyone maybe not, but for a lot of companies and specifically in verticals like manufacturing, like oil and gas.
Speaker 2:And then there's some regulatory pressure. You know, in the United States there's some regulatory pressure, especially around like nuclear energy or other energy production. There are certain things that are happening that say we, we are going to start requiring some compliance with some best practices and that can be generally helpful and I've got a lot of thoughts on, you know, the effectiveness of kind of compliance regulations. I think it's needed in some ways, but there's got to be some some things that mitigate it. So we're not finding that to be a big like. We don't have to like push people to say, hey, we need to change your culture and then you can start working with a company like us that can actually help secure. Some of that we're finding it's already there, but we are finding is that there are some very specific differences amongst teams. You know, like you described, like you listen to the network guys, they're looking at, oh, this is just the best way to do it. And as a security person, you're thinking, hey, we got to change some of these things. So you know, networking, IT, they speak a different language than security does, which they speak a different language entirely than the folks who run that manufacturing and the operational technology professionals. They're all speaking different languages and so it comes down to this translation that can get everybody to the same table and start working collectively to solve goals.
Speaker 2:And what we found? One of our largest customers. They're a large global snack manufacturer. They make delicious snacks. I highly recommend them. I had some the other night. It was great. They reported to us like man, this is the first tool that both OT the operational technology people and IT agree on. They went through their evaluation process and their RFP and they looked at a bunch of different stuff and both OT and IT returned with the same recommendation Like that has never happened in the history of our company that a tool could solve and bring people to the same table and same conclusion. So the cultural shift is hard but it is happening, and tools that could help bridge those gaps amongst different perspectives and different things that people care about I think will go a long ways towards supporting it.
Speaker 1:Yeah, that is very interesting. I can only imagine being in an environment that deals with manufacturing automobiles across the entire globe. Saying that everyone agrees on this solution is winning the lottery. I recently proposed a solution and it got approved, and not everyone saw it, and everyone had an opinion on what products I chose for the POC, for the RFP. And they're like, oh well, you didn't think of this, you didn't think of that. It's like, guys, I chose literally the top five people in the industry for this. What are we talking about? But that's just a simple, that's one little simple thing of a solution that we didn't even start evaluating at, we didn't even send NDAs out yet. Right, and everyone has their own opinion that they're in disagreement about the solution.
Speaker 2:Yeah, but I think, too, something I found in my career, just kind of organizationally, is and I find this within the team that I work on is the ability to disagree and commit. So, absolutely have an opinion, absolutely, let's have a disagreement and let's talk about it. Let's not just disagree in silence and not discuss it. But if you have a different perspective, we need to hear it. We want to hear it. Let's figure out where we have commonality, where we can agree. But at the end of the day, as a team, we're going to make a decision and I'm not going to get everything I'm going to want. You're not going to get everything you're going to want, but we're going to disagree and then we're going to commit Because at the end of the day, our goal should be aligned.
Speaker 2:And in cybersecurity, let's make it easy for users, let's make our company more secure, let's find very tangible ways to improve our security posture, and then let's get to work. There are a lot of ways to slice the onion. There's some really great ways. I think. There are some maybe shaky ways, but a lot of ways that people are doing it. So the ability to disagree but then get after the main job, I think is a big part of the culture change that we're looking at.
Speaker 1:Yeah, absolutely. I think it's healthy for there to be constructive criticism or everyone to have their own ideas and whatnot, but you got to find that common ground and I find it more important that security professionals are doing that and not just laying down the hammer and saying, no, we're doing it this way for this reason, or whatever you can agree on. Yeah, we need data security, we need to encrypt this data in the cloud, but how you do it is up for debate, and that's where the debate happens. That's where the discussion happens in a healthy way, of course. Yeah, I completely agree.
Speaker 1:Yeah, yeah, definitely so, sam. We're coming up on our time here and I'm very conscious of everyone's time, so how about you leave my audience with, maybe, where they could reach you if they wanted to reach out, where they can find your company? What the website is? All that good information.
Speaker 2:Yeah, absolutely so. A company I work for is Cyolo. It's C-Y-O-L-O and our website is cyolo.io. You can find us there and read up, see what challenges we're solving and some of the things that we're doing across different industries. I think we've got a pretty unique and differentiated solution. That is. It's helpful bringing people to the same table and solving our common goals. You can find me on LinkedIn. Just search for my name, Samuel J Hill. I'm pretty active on LinkedIn I try to be, at least and I love connecting with people, having conversations even the ones that disagree, and that kind of stuff. So you can find me there. And, as always, I'm just really grateful for you taking some time to hear from us, Tim, and spend this time. I really enjoyed our conversation. I do a lot of podcasts. Some are like pulling teeth and this has not been that, so I'm grateful for you not taking me to the dentist today.
Speaker 1:Yeah, absolutely. I tried to not make the conversation unbearable. That's the worst when you're trying to force a conversation. Yeah, absolutely Well, thanks Sam for coming on and I hope everyone listening enjoyed this episode.