Ready for an unexpected journey? Meet Mike, a cyber security expert with a background as diverse as the challenges he tackles every day. Starting with an early passion for computers, through studying geology and anthropology, and finally landing in the world of IT, Mike's story is a testament to the value of curiosity and mentorship. We dig deep into his hacking escapades, the lessons learned, and how a knack for problem-solving morphed into a career securing our digital world.
Mike opens up about the human risk element in cybersecurity, drawing fascinating comparisons between convenience store hold-ups and elaborate cyber attacks. He gives us a sobering reminder - the most secure computer is one that never gets powered on. Technology and security advancements are making it tougher for hackers, but Mike warns of the ever-present risk of human vulnerability. Even the smallest of betrayals can bloom into massive security breaches.
Wrapping up, Mike shines a light on the comprehensive cybersecurity services offered by his organization. Ranging from risk assessment, regulatory compliance, to incident response and digital forensics, they've got IT security covered from all angles. He emphasizes the significance of trust in his client relationships and unveils ambitious growth plans for the next few years. Whether a tech enthusiast or an IT professional, this conversation is packed with insights and practical advice to help you navigate your way in the ever-evolving world of IT security.
Speaker 1: How's it going, Mike?
00:00:00
It's really good to finally have you on the podcast.
00:00:03
I mean, I think that we've been trying to schedule this thing
00:00:06
for a while now.
00:00:07
I'm very excited for our conversation.
00:00:09
Speaker 2: Yes sir, thanks for having me, Joe.
00:00:11
Speaker 1: Yeah, absolutely so.
00:00:12
Mike.
00:00:13
How about we start with your background?
00:00:15
What interested you about IT, or even just security overall,
00:00:21
that made you want to go down this rabbit hole of security?
00:00:25
Speaker 2: Sure Well, I think my passion for computers started
00:00:28
at a young age.
00:00:29
I was able to get my hands on a couple of computers, my
00:00:33
neighbor's computer and my parents finally bought me a
00:00:35
computer.
00:00:35
I programmed my own door alarm to keep my sister out of my
00:00:38
closet and taking my sweatshirts and stuff using a computer, a
00:00:43
dot matrix printer and a car alarm.
00:00:44
But then, just understanding, I wanted to get into the computer
00:00:49
field pretty early.
00:00:50
I liked programming, I liked problem solving.
00:00:53
I took every computer class I could in school.
00:00:56
Ironically that was not my first degree in college.
00:00:58
My first major in college was actually geology and then
00:01:01
anthropology and then back to computers, initially computer
00:01:05
science.
00:01:05
Then, realizing I didn't want to program device drivers, I
00:01:09
changed my major from an engineering degree to more of a
00:01:12
computer business degree.
00:01:13
Then at the same time I'm pretty involved with doing some
00:01:16
contract work for the government to do intelligence type work
00:01:21
which really exposed me to the threat and the threat actor
00:01:25
criminal side of cyber, where the risks are and where people
00:01:28
are vulnerable, companies are vulnerable.
00:01:30
Then working a lot of actual criminal cyber cases over the
00:01:34
years led me back to school to get a graduate degree in
00:01:37
criminal justice and then also to teach. In addition to being a
00:01:41
cyber guy.
00:01:42
I've been in IT and cyber for almost 30 years now.
00:01:45
I've also been a college professor teaching computer
00:01:48
science, cyber, the criminal justice side of forensics and
00:01:52
some other things for about 23 years now.
00:01:54
Speaker 1: Wow, it sounds like to me you had a bit of a hacker
00:02:01
mentality, getting into it right, even from a young age.
00:02:05
Do you look back on it and see it as that as well?
00:02:08
Did you potentially even maybe recognize that at the time when
00:02:13
you were doing all that and going through everything?
00:02:16
Speaker 2: Not initially.
00:02:16
I think it's common with people that are curious about
00:02:19
technology and programming and what can computers do and how do
00:02:24
I get into that stuff?
00:02:26
The Tim the Toolman Taylor version of cyber.
00:02:29
But I definitely was.
00:02:31
I was a tinkerer, which is really what a hacker is.
00:02:35
How do I get this thing to do more than or something different
00:02:39
than it was designed to do?
00:02:41
Being able to get a computer and a dot matrix printer to
00:02:44
actuate a bolt on my closet door so that only I knew the code
00:02:47
and my sister couldn't steal my stuff?
00:02:49
That's an example of a hack, a lot of those similar to people
00:02:53
that are just curious.
00:02:55
You don't always understand or recognize the implications of
00:02:58
your hack, of your modification or the things you're doing until
00:03:02
there is a consequence.
00:03:03
There is a reckoning, if you will.
00:03:05
I did one day have a reckoning.
00:03:08
I was faced to ride my bike to the mall where there was a Radio
00:03:13
Shack and access to I think they had three or four computers,
00:03:17
three or four different computers there.
00:03:19
I would take my programming knowledge that I learned from
00:03:22
this magazine subscription I had and some other things that I
00:03:25
learned books I read.
00:03:26
I would go to Radio Shack and try out my programming skills.
00:03:31
One day I wrote a loop a programming loop that messed up
00:03:36
their computer and they asked me never to come back to that
00:03:39
Radio Shack.
00:03:39
That was kind of my eye-opener, that, hey, I can actually do
00:03:44
damage and I need to be more responsible.
00:03:46
I learned that at a young age, growing up in a military family.
00:03:51
When you get in trouble there's adjudication.
00:03:54
Let's talk about what you did and the consequence.
00:03:58
I was very aware that at least at that point that I did
00:04:02
something wrong and I needed to be more responsible with the
00:04:05
things I was doing.
00:04:07
Speaker 1: Yeah, that makes sense.
00:04:08
Can we talk a little bit about your degree changes?
00:04:13
What made you want to go into geology and anthropology?
00:04:16
The reason why I ask is because I remember when I was in high
00:04:21
school and trying to get into college was the biggest feat
00:04:26
that I had ever tried to accomplish.
00:04:29
I was then trying to decide what major to go down, what area
00:04:35
to specialize in, and thinking I can't change or I can't go
00:04:40
somewhere completely different down the line if I felt that
00:04:44
this wasn't for me, which almost sunk me.
00:04:47
Thankfully I changed from pre-med and went into criminal
00:04:54
justice.
00:04:54
What was your thought process?
00:04:56
Because it sounds like to me that's way out of left field.
00:04:59
I never would have expected that.
00:05:01
I would have expected criminal justice as your bachelor's
00:05:04
before geology and anthropology, or at least attempting that
00:05:09
there were several factors that led me down those paths.
00:05:12
Speaker 2: I'm currently working on my doctorate and my
00:05:15
dissertation is on cyber workforce development.
00:05:17
One of the gaps that I've come to well I've known, but the
00:05:22
research is actually supporting is that there's one of the
00:05:25
problems with cyber workforce development and this is probably
00:05:28
consistent with other fields as well is there really aren't
00:05:32
enough mentors.
00:05:33
There aren't enough people to help educate or even have the
00:05:38
conversation with those that want to get into a particular
00:05:41
field.
00:05:41
What do I do with these skills that I have?
00:05:44
What kind of job would I be good at based on the things I
00:05:47
know and can do?
00:05:48
With regard to cyber, I wanted to do something with computers
00:05:53
and not really knowing what these different jobs in cyber or
00:05:56
IT really were like.
00:05:58
What is the day in the life of a network administrator or an
00:06:02
engineer or a cyber person or a programmer?
00:06:05
Had I learned about the programming part of that, I
00:06:09
probably would have never approached the computer science
00:06:12
engineering degree at all.
00:06:14
I didn't care to take five years of math learning, number
00:06:18
theory and all these things.
00:06:20
That's not real applicable to the job I wanted.
00:06:23
But back to your first question about geology and anthropology.
00:06:26
I am kind of a rockhound.
00:06:28
I like crystals and gems and different types of rocks.
00:06:32
I'm always kicking around rocks and looking at fossils.
00:06:35
I have a pretty cool collection.
00:06:37
But at the same time my mother was a college professor and I
00:06:41
went to school where she taught.
00:06:43
I got an academic scholarship there reduced tuition because
00:06:47
she was an employee, but they had a really cool geology
00:06:50
program.
00:06:51
We went around on field trips to look at dinosaur bones and
00:06:56
digging the dirt around Texas and Oklahoma and Arkansas.
00:06:59
That was just something cool that I like to do be outside,
00:07:04
treasure hunt, problem solve.
00:07:06
Here's this thing how old is it?
00:07:08
What's it made of?
00:07:08
That analytical stuff really fit my personality.
00:07:12
But then I got a scholarship to play football at a small school
00:07:16
in Kansas and they had a computer science program but not
00:07:20
enough people signed up for it to make a class.
00:07:23
The class would have been in the basement of a building, I
00:07:26
think it was only going to be two of us and a professor, so
00:07:28
the class didn't make.
00:07:29
So I had to take other courses until the class could recruit
00:07:34
more students and those other courses ended up being
00:07:37
anthropology.
00:07:38
I learned about every bone in the body.
00:07:39
I learned about how to tell someone's diet by their teeth,
00:07:44
how old they are because of the cracks in the skull and the
00:07:47
length of the bones, whether they were muscular.
00:07:51
If it was a female pelvis you could tell in general,
00:07:54
especially the older ones, how many kids they may have had,
00:07:57
based on different angles of bones.
00:07:59
Is it male or female?
00:08:00
Ethnicity based on eye sockets and nose and this kind of thing.
00:08:04
So again, pretty fascinating and kind of that problem solving
00:08:07
analytic alignment with my personality.
00:08:09
But after my football career was over and I came back to
00:08:12
Texas, I really had to get serious about what I wanted to
00:08:15
do for a living.
00:08:16
I started being pretty independent at that point and I
00:08:19
needed to get serious.
00:08:20
So I was computer science for about a semester here in Texas
00:08:26
at UT Arlington.
00:08:27
I was able to have pretty good conversations with some advisors
00:08:31
and some people in industry that talked to me about cyber
00:08:34
jobs and that really opened my eyes and helped me refocus from
00:08:38
an engineering program into more of a business technology
00:08:42
leadership career path, which is where I ended up.
00:08:46
Speaker 1: Hmm, yeah, it's a.
00:08:47
You know it's an interesting journey, you know, like it.
00:08:50
Uh, I feel like when you're younger you always feel like
00:08:54
it's going to be a straight line, and if it's not a straight
00:08:57
line I'm messing up.
00:08:58
You know, I remember when I was in college I tried to do
00:09:01
pre-med first and along with pre-med you have to take, you
00:09:05
know, calculus, I think like calculus two or something like
00:09:08
that, and I chose to take anthropology.
00:09:11
I was miserable with anthropology.
00:09:13
Like I could do the labs, the labs were fine with me, but
00:09:18
sitting through those lectures the battle was staying awake for
00:09:21
me.
00:09:21
You know that's my personality, right, but it was a very
00:09:25
interesting time.
00:09:25
And you know you bring up computer engineering.
00:09:28
As you know, I don't want to learn five semesters of math and
00:09:33
I don't want to code in these obscure languages and whatnot.
00:09:36
I actually had a friend in college that he took calculus
00:09:39
with me and he was a computer science student and we were
00:09:44
talking about what he had to do and I mean the level of math
00:09:48
that you would have to go to, like you might as well just get
00:09:52
a bachelor's in that math, because there's so much of it.
00:09:55
It's like, okay, you're two classes away from getting a
00:09:58
bachelor's in there, like theory classes.
00:10:00
It's not even the in-depth stuff that you've been learning
00:10:05
and you know we talked about, like the coding languages that
00:10:09
he was learning, and it was coding languages that were dead
00:10:12
or dying, like foundational languages, and he's like, yeah,
00:10:16
I'm never going to use any of this.
00:10:18
It's more of a thought process, and I mean he spent all of his
00:10:22
time on it, like he didn't really go out that much, he
00:10:24
didn't hang out with friends a whole lot.
00:10:27
Right, it was a lot of studying and so I was like, man, I do not
00:10:31
want to go down that path.
00:10:33
And so I landed on criminal justice, and thankfully, you
00:10:38
know, because I found the coursework to be very
00:10:41
interesting, I found it to be fairly easy, which was a nice
00:10:45
change from pre-med trying to learn chemistry and fail it not
00:10:51
as bad as others, right?
00:10:52
So you're ahead of the curve, which was the craziest thing to
00:10:55
me.
00:10:55
You get a 30% on a test and that's an A.
00:10:58
With the curve, it's like I clearly, I clearly do not
00:11:03
understand these topics and you're giving me an A.
00:11:08
Speaker 2: That is common and I'm right there with you.
00:11:11
I did have to learn seven programming languages when I was
00:11:15
in that computer science program.
00:11:17
I did kind of develop the same thought around not just
00:11:23
programming languages but that upper level math.
00:11:25
Really it's just designed, in my opinion.
00:11:27
It's designed to help you approach and solve problems in
00:11:32
different ways.
00:11:33
It teaches you different tools for approaching a problem, maybe
00:11:36
some some, some shortcuts, some ways to analyze a problem, but
00:11:40
really you're going to get to the same answer as just shorter
00:11:43
math than well in some cases a shorter math.
00:11:45
Some of that calculus is front and back page or multiple pages.
00:11:49
But yeah, it's just that's kind of where I ended up with what
00:11:53
the math was.
00:11:54
It's just this is just teaching me different ways of problem
00:11:56
solving.
00:11:57
Some of this is just ridiculous.
00:11:58
In fact.
00:11:59
I remember I remember sitting in a in a calculus, an upper
00:12:02
level calculus class, and I was doing well on all the daily work
00:12:05
and I actually tutored other students on some of the homework
00:12:09
and things.
00:12:09
But when I got to the test I just blanked and there were it's
00:12:13
like four.
00:12:13
You have two hours to solve four problems.
00:12:16
I mean, that's, that's indication number one.
00:12:18
You might be in the wrong room.
00:12:19
But I remember on one particular test I actually wrote
00:12:23
my professor and apologizing for not knowing how to do this
00:12:26
problem and that hopefully it doesn't reflect on his ability
00:12:30
to teach.
00:12:30
It's really just my ability to sit for this test, and so I did
00:12:34
a one page apology note for that question.
00:12:38
Speaker 1: Wow, yeah, like you know, calculus wasn't even so
00:12:43
for me.
00:12:43
I enjoyed calculus right, like I always think that if I
00:12:48
wouldn't have landed on criminal justice I would have actually
00:12:50
gotten a bachelor's in math because I enjoyed it so much.
00:12:53
The problem was that same semester I was also taking
00:12:58
chemistry and physics, and either of those classes are like
00:13:02
learning two different languages of how to solve
00:13:04
problems.
00:13:05
And you know, I mean chemistry isn't even like, isn't even
00:13:09
English as far as I'm concerned, and so I really didn't have
00:13:13
that much time to study for calculus.
00:13:15
But thankfully I was in this advanced study class or whatever
00:13:19
it was, where the first day the professors like these are going
00:13:24
to be the most difficult calculus problems you'll ever
00:13:28
encounter, and so when you get the final, it's going to be,
00:13:31
it's going to be nothing for you.
00:13:32
And you know I didn't believe them, because you know you hear
00:13:36
that sometimes and it's just not true, but 100% it was true.
00:13:41
I got to the final.
00:13:42
I didn't study at all.
00:13:43
There was five questions.
00:13:44
I whizzed right through it and I ended up getting like 80, 90%
00:13:49
on it.
00:13:49
Like I scored well above everyone else and it was pretty
00:13:53
easy.
00:13:53
I was the first one done in this lecture room of like 250
00:13:57
people.
00:13:57
So I wonder, you know, I probably would have gotten a
00:14:02
bachelor's degree if I didn't convince myself.
00:14:04
My only path forward was criminal justice.
00:14:06
Speaker 2: Being the first one done in a large room like that
00:14:09
is kind of unsettling also.
00:14:11
Speaker 1: Oh, yeah, I mean I was done so quick.
00:14:13
I looked up and no one else was done and I was like, oh wait, I
00:14:17
must have messed something up, like I had to mess something up.
00:14:20
So I checked it over for like quite a while and I'm like I
00:14:24
don't know.
00:14:25
I mean I answered everything.
00:14:26
But yeah, you know, it was fantastic, I enjoyed it.
00:14:30
I'm always tempted to go back just for a couple couple classes
00:14:34
and math.
00:14:35
This is me, though.
00:14:37
So you ended up getting a IT business administration degree.
00:14:42
Do you think that that set you apart and prepared you for your
00:14:47
career in IT in different ways than what computer engineering
00:14:52
or computer science would have?
00:14:54
And the reason why I ask that question is because, you know, I
00:14:58
feel like too often people go into IT thinking, okay, it's
00:15:02
going to be, you know, all technical, it's going to be
00:15:05
hands-on keyboard at all times, and I'm going to have to be a
00:15:08
developer and things like that, right.
00:15:10
Well, there is this other option it's IT with business
00:15:14
administration.
00:15:15
I have a friend that actually got his master's in it, and it
00:15:18
sounds like that could be a different path.
00:15:20
Is that true, or what was that like?
00:15:23
Speaker 2: You're right, and so just to back up a little bit
00:15:25
while I was working on my well, you back up even further.
00:15:28
I've got an associate's degree in math, because I really like
00:15:32
math too.
00:15:32
But then when I was working on my undergraduate it was an
00:15:35
information systems degree out of the business school at the
00:15:40
University of Texas at Arlington.
00:15:42
But because it incorporated so many computer courses and I did
00:15:46
have some programming courses completed, I was able to select
00:15:50
whether I wanted the degree to say bachelor's of business or
00:15:53
bachelor's of science, and so I selected bachelor's of science.
00:15:57
So my degree is actually out of the business school but it's a
00:15:59
bachelor of science and information systems.
00:16:01
But I had to learn all the business stuff.
00:16:03
I took business law, ethics, marketing was one of the
00:16:08
electives.
00:16:08
I took money and banking, business stuff.
00:16:10
But the time going to school for the undergraduate degree I
00:16:15
also had my own computer business.
00:16:17
So for six years I had a consulting company where I would
00:16:21
teach companies how to use Microsoft Office and do
00:16:24
spreadsheets.
00:16:25
And I also did basic computer maintenance, network cabling,
00:16:31
troubleshooting, cleaning keyboards, upgrading computers,
00:16:35
that kind of stuff, and so I had exposure to the hardware part
00:16:39
of it.
00:16:39
I was building some experience running my own business being a
00:16:43
consultant, customer service, doing my own accounting and
00:16:47
financial forecasting and having to buy equipment and this kind
00:16:50
of thing.
00:16:51
And then I got my degree and wanted a corporate job and at
00:16:54
the time, even back then, probably at equally or maybe
00:16:57
even more so than today there was that requirement for an
00:17:01
undergraduate degree or some unreasonable amount of job
00:17:05
experience in order to get hired.
00:17:07
And so as soon as I graduated I think I graduated in August,
00:17:12
but I was applying for jobs over the summer so in July I was
00:17:17
selected for a job as an IT auditor.
00:17:20
I've never heard of that position.
00:17:22
I knew what an auditor was, but I didn't know what an IT
00:17:25
auditor was, and so a lot of the interview questions were around
00:17:30
my familiarity with hardware and technology, but really they
00:17:34
focused mostly on my ability to go research and find the answers
00:17:38
.
00:17:38
And if I don't know the answer, how good am I at collaborating
00:17:41
and asking for help and this kind of thing?
00:17:44
So I started that job and that was definitely a business side
00:17:50
job.
00:17:50
My job was to go into a company.
00:17:53
So I worked for a $5 billion telecom big international
00:17:56
telecom company and my job was to ensure that the technology
00:18:02
departments and people and things that the business relies
00:18:05
on was following company policy and regulatory standards, and
00:18:10
are there any weaknesses or risks that could impact the
00:18:13
operations or the finances or the reporting of the company?
00:18:16
So I learned quite a bit, not just from a well, what's this
00:18:21
audit thing and how do I become an auditor?
00:18:23
And it has its own disciplines and procedures and things you
00:18:27
have to follow quality and documentation.
00:18:29
All this good stuff.
00:18:30
But there was a very strong and critical component of customer
00:18:34
service and diplomacy and tact, because back in the day when an
00:18:38
auditor showed up, it was because someone was trying to
00:18:40
get you fired.
00:18:41
So they're here to find the problem with me so that they can
00:18:46
justify firing me.
00:18:47
Or you know, you're taking time away from a job I already don't
00:18:51
have enough time to do to answer your questions, so you're
00:18:54
putting me behind, and so audit had a bad reputation and so you
00:18:59
had to come at that very diplomatically.
00:19:01
I'm here to help.
00:19:02
You say you don't have enough time in the day to do your job.
00:19:05
Well, maybe I can highlight that in my report and maybe we
00:19:08
can get you some part-time help or figure out a way to help you
00:19:11
do your job better, more effectively type of thing.
00:19:13
So that taught me quite a bit soft skills communications,
00:19:17
report writing.
00:19:18
I had to do presentations to the board, and it was during that
00:19:21
time at that telecom that I realized that one of the biggest
00:19:24
risks to this $5 billion telecom is they had zero
00:19:27
security from a network perspective.
00:19:30
They had a firewall guy that looked at firewall alerts and
00:19:32
rules, but nobody looked at the company as a whole to figure out
00:19:36
where bad things could happen or maybe they are already,
00:19:38
Nobody knows.
00:19:39
And so I worked with my boss in the audit department to talk
00:19:42
through that and we actually came to the consensus that we
00:19:45
need to do a presentation to the board about the need for a
00:19:48
cybersecurity specific group.
00:19:51
And so I put that together and pitched it to the board and they
00:19:53
told me that I was the one that was going to make it happen.
00:19:56
So that was my first foray into a formal cyber job.
00:20:00
I built that company's first cyber team and eventually even
00:20:04
incorporated physical security, doing executive protection and
00:20:08
flight travel threat and risk planning.
00:20:10
A lot of stuff happened, some of experience at that telecom,
00:20:14
but that's what got me into like a true cyber position role and
00:20:18
I haven't looked back since.
00:20:20
Speaker 1: Hmm, yeah, you bring up a lot of different
00:20:24
interesting things.
00:20:26
You know part of it is the ability to do your own research
00:20:31
and find your own solutions without potentially having to
00:20:36
escalate a problem or reach out to other people and whatnot.
00:20:39
Right?
00:20:39
And I remember earlier on in my career I was interviewing for a
00:20:44
job and question came up how would you solve a problem that
00:20:47
you don't know anything about, that you don't understand?
00:20:50
My first answer was I'm going to go to Google.
00:20:53
You know I'm going to go to Google.
00:20:54
I'm going to look it up, see what other people are
00:20:57
encountering with it, how they're resolving it.
00:20:59
Try that.
00:20:59
If it doesn't work, I'm going to ask a colleague and the
00:21:03
hiring manager was actually very against me saying I'm going to
00:21:06
go to Google.
00:21:06
Right, this is mid 2000s, right?
00:21:11
So, like Google was established, Google was something that you
00:21:14
would use to resolve problems and whatnot.
00:21:17
And he was very against it and didn't hire me because of that.
00:21:21
I thought to myself, like well, if you're not going to hire me
00:21:23
because of that small little thing, then I won't.
00:21:27
I probably don't want to work for you.
00:21:28
And two, you're not very forward thinking if I can't even
00:21:33
use the internet to solve a problem you know.
00:21:35
Like how am I supposed to write you?
00:21:37
You want me to go into a log file and try and decrypt what
00:21:40
Microsoft is saying about an error message.
00:21:43
That is dug into this thousands of lines of log file, like it
00:21:48
doesn't make any sense, you know.
00:21:50
And another thing that you bring up you sold the incident
00:21:55
response or kind of disaster recovery process to the board
00:22:00
and it just reminds me of a time when you got to be careful what
00:22:03
you ask for, because you're going to be faced with doing
00:22:06
that work and I didn't quite understand that.
00:22:10
Until you know, I was working for a company as application
00:22:14
specialist, I was trying to get into security, and so I
00:22:16
understood the security part you know pretty well, for where I
00:22:19
was at right, I was the only one at the company with a security
00:22:22
mind that cared about it and whatnot.
00:22:24
And I pitched it to my VP like hey, we should really actively
00:22:29
be securing this application a lot better.
00:22:31
This is how we can do it.
00:22:32
You know, look at all these vulnerabilities that I found and
00:22:34
everything like that.
00:22:35
And I mean his only response was like you know what?
00:22:38
You're completely right, you should do that.
00:22:40
And I was like wait a minute, so I have to do everything else
00:22:44
too.
00:22:44
And he goes oh yeah, you gotta do your normal day job stuff,
00:22:47
and now you gotta do this security stuff that you want to,
00:22:50
you want to explore.
00:22:50
When I was thinking of like, oh , let's get you know, yeah, a
00:22:54
bunch of people around this to work on this, from different
00:22:56
teams and different perspectives, is like no, you're, you're
00:22:59
doing it, you know, so you gotta be gotta be careful with that.
00:23:04
Speaker 2: Certainly, I know.
00:23:05
Completely agree with that.
00:23:07
Speaker 1: Yeah, absolutely.
00:23:09
So fast forward a little bit when you were working for the
00:23:13
government and looking at the different unique types of
00:23:16
attacks and learning about them and whatnot.
00:23:18
What were some of those unique attacks, at the time at least,
00:23:22
that maybe you didn't see in the private sector, where they, you
00:23:28
know, solely unique to the government?
00:23:31
You know, what I would think of is, you know, nation-state
00:23:34
attacks and whatnot like.
00:23:35
Was there unique things like that?
00:23:37
Or was it kind of dispersed in a way where, yeah, it was
00:23:41
targeting public and private infrastructure and things like
00:23:45
that?
00:23:46
Speaker 2: Well, a lot of the work that that I did was on the
00:23:49
the human side of intelligence.
00:23:51
So a lot of the tactics I used and a lot of the scenarios I was
00:23:56
involved with were all more social engineering. Getting
00:24:00
getting places you shouldn't be, obtaining information you're
00:24:03
not meant to have, utilizing people and processes to you know
00:24:08
stepping stones to subvert or circumvent security controls
00:24:13
mostly physical, but ultimately, you know, there were some, some
00:24:17
technical controls that you needed to get through or get
00:24:20
passed in order to get information.
00:24:21
So that was kind of my foray into cyber.
00:24:25
It was understanding a lot of the human risk involved with the
00:24:29
technical controls that are put in place to protect stuff,
00:24:33
because it's still people that configures it, implements it,
00:24:36
runs it, has access to it, and so that was a huge perspective
00:24:40
and learning experience for me.
00:24:42
I think, unlike others that get into cyber, they learn all the
00:24:45
technical stuff first.
00:24:46
I was able to have the experience of learning all the
00:24:50
human risk first, which I think gives me a little bit different
00:24:55
perspective when talking about risks to clients and companies,
00:24:59
because you can get rid of all your technology, I mean if you,
00:25:01
if you're able to, but you're still having to do business with
00:25:04
people, and people are always your biggest risk, your biggest
00:25:07
weakness.
00:25:07
And then you give people access to your technology and so you
00:25:11
know it just gets worse.
00:25:13
I think the the joke about the the most secure computer is the
00:25:16
one that that you don't turn on or plug in, it's encased in
00:25:19
cement and it's dropped in an ocean somewhere, but then you
00:25:22
can't use it.
00:25:23
And I think that's the paradox with security is the more
00:25:27
secure something is, the less usable it is, and I kind of joke
00:25:31
that that's why convenience stores are robbed more than
00:25:33
banks, because security is really just a hindrance, it's
00:25:37
not an absolute.
00:25:37
If something was absolutely secure, you couldn't use it.
00:25:40
So you've got to find the balance, and that's something
00:25:43
that I think that experience with the intelligence
00:25:46
contracting work I did really helped me understand sooner than
00:25:50
later.
00:25:50
Hmm.
00:25:52
Speaker 1: Yeah, that's different.
00:25:52
That's a different approach than what you normally hear.
00:25:55
You know, you normally hear about people going down the
00:25:58
technical side rather than the human side.
00:26:00
I've actually never done the human part of it, but you
00:26:05
know, I was talking to Jim Lawler from the CIA, and he
00:26:11
was talking about how technology and, you know,
00:26:16
security-minded governments and organizations are getting really,
00:26:19
really good at security.
00:26:21
So the likelihood of a cyber attack actually being pulled off
00:26:26
against someone that is very much prepared for it is very low.
00:26:31
Actually, it's lower than what we would think.
00:26:34
And the most vulnerable part is the people part, like you said,
00:26:38
right, you can secure a system.
00:26:40
You can air gap it by powering it off and unplugging the thing
00:26:44
from the network, right, and now you have a whole bunch of
00:26:46
sensitive data that's secured, unless you have physical access,
00:26:50
and that "unless" part is the people part, you know, and so it.
00:26:56
It turns into a very interesting problem to have.
00:26:59
And I remember when I was working with the government a
00:27:03
few times and you know one of the people that I was talking to,
00:27:07
I brought up that part, right, because to me, an outsider, I'm
00:27:12
saying to myself well, how in the world are these people
00:27:15
getting bought off?
00:27:16
How are they selling secrets and whatnot?
00:27:19
Like that's?
00:27:19
It doesn't make any sense to me.
00:27:22
And he said if someone can find out that you work for the
00:27:26
government at a certain facility, right, they start to do their
00:27:30
own checks into you.
00:27:30
They start looking up your credit report, they start seeing
00:27:34
where your debt lies and you know if you're going to make
00:27:37
enough money to actually pay off that debt within a reasonable
00:27:40
amount of time.
00:27:40
And they start you off very small.
00:27:43
They say, hey, you know, just give me a name of someone that
00:27:46
works at your facility and I'll give you 10 grand to pay off
00:27:49
your medical bills.
00:27:50
You know, and they snowball you like that, where you get
00:27:54
comfortable with getting the money, you don't feel like
00:27:56
you're betraying anything, when in all actuality it's building
00:28:01
up to a larger betrayal.
00:28:02
Right, you may have not betrayed very much by just
00:28:05
giving a name, right.
00:28:07
But now they know one more person that works there and
00:28:11
they're going to be targeted and things like that, right.
00:28:13
And so the human part I feel like I don't want to say it's
00:28:18
evolving, but I want to say it's becoming more prevalent because
00:28:21
of the need to actually go down that path where we have, you
00:28:27
know, secured our networks to the point where it's like, yeah,
00:28:29
this is really secure in most cases and the only thing left is
00:28:36
actually, you know, buying these people off and giving them
00:28:39
money to live an easier life while they're betraying their
00:28:42
country.
00:28:42
Is that what you saw as well, kind of.
00:28:46
Speaker 2: Not so much on the recruitment side.
00:28:49
Mostly what I saw and the things that I did was to try and
00:28:54
figure out to kind of the nth degree you're really playing out
00:28:57
and kind of mind mapping, almost all the relationships
00:29:01
between you know what's the target and everything involved
00:29:05
with that.
00:29:05
So, for example, if you've got an air gap machine that's got
00:29:09
the prize data on it, well, where is that machine, what
00:29:13
facility?
00:29:14
What are the controls around that physically?
00:29:16
Who are the people that have access to that thing?
00:29:20
What are the procedures for them to get access to it?
00:29:23
What kind of work did they do with this machine?
00:29:26
What are their hours?
00:29:27
Who are they related to or work with?
00:29:29
Where do those people live?
00:29:31
Who are their neighbors?
00:29:32
Do they have kids?
00:29:33
Where do they go to school?
00:29:34
And, to your point, everything about their lives, their credit,
00:29:37
their criminal history, their clearances, the car they drive,
00:29:41
how much they owe on stuff, where's their family?
00:29:44
Do they have online social media?
00:29:46
Where do they eat lunch, all those things give you kind of an
00:29:51
attack surface in relationships so that you can start to plan
00:29:55
out.
00:29:55
All right, so I need to compromise the home network of
00:29:59
Bobby down the street, because Bobby plays with Jim's son, John,
00:30:04
and you know they're both pretty active on mobile devices.
00:30:09
They have phones and tablets and you know the likelihood that
00:30:12
you know Bobby's home network because his dad's a school
00:30:16
teacher.
00:30:17
You know I'm able to compromise that to get malware on Bobby's
00:30:20
tablet that he takes over to John's house and you know kids
00:30:23
are always like, hey, can I join your wireless?
00:30:25
And so now you know Bobby's at John's house and he's on their
00:30:29
home network and it's his dad that works with the guy at the
00:30:33
lab and so if I can compromise their home network and then put
00:30:37
some malware on something that dad takes to work, now I'm
00:30:41
introducing, you know malware to work.
00:30:44
Or you know something that collects information for that
00:30:47
next phase of my attack but maybe introduces it to coworkers
00:30:50
and then eventually it makes its way into that air gap
00:30:54
network.
00:30:54
Or you know, doing enough reconnaissance, and maybe they
00:30:57
post who their vendors are and the types of work they do and I
00:31:00
just show up and pretend to be you know a contractor and here's
00:31:04
what my work order.
00:31:05
I already know what the work orders look like and social
00:31:08
engineer my way into the building, which maybe it's an
00:31:11
adjacent room, and one of the things that we have is if I can
00:31:14
touch it, I can own it.
00:31:15
So you can, you can encrypt it, you can chain it to a desk.
00:31:20
You can do all these great things, but if I can touch that
00:31:24
device, if I can physically interact with it, then all of
00:31:27
your technical controls go out the window.
00:31:30
Speaker 1: Yeah, that's a really good point.
00:31:31
So, you know, is this kind of where the experience with
00:31:36
working with the government, is that where you started to go
00:31:41
into your work with Black Swan, and what are you doing at that
00:31:45
company?
00:31:45
What is that company, how are you guys operating and what do
00:31:48
you specialize in?
00:31:49
Speaker 2: Well, I've actually, I've worked with a number of
00:31:52
companies over the years: telecom, financial, you know, some of
00:31:55
the biggest banks.
00:31:56
I was the director of threat and vulnerability management
00:31:58
with Pricewaterhouse doing consulting and incident response.
00:32:01
But along the way I always had this entrepreneurial itch and so
00:32:06
I've had several technology companies over the years and the
00:32:09
last two have been cyber specific and at Black Swan,
00:32:13
which is the most recent and the most successful, we are a full
00:32:18
lifecycle cybersecurity company, so we help organizations
00:32:22
understand the need for cyber, how to design and develop
00:32:27
cybersecurity programs.
00:32:28
So that's policies, procedures, the right people, skills,
00:32:32
partners, vendors, coverage, technology and a lot of that's
00:32:36
based on the risk specific to that organization, so we can
00:32:40
help them through that risk assessment process as well.
00:32:42
We help them ensure that they're compliant with
00:32:45
regulatory requirements like credit cards or health or
00:32:49
financial data, or if they're a publicly traded company all
00:32:53
these different compliance regulations or if it's just a
00:32:57
best practice, standard certification like ISO 27001, or
00:33:02
helping them get their SOC 2 Type 2 type, accounting-based
00:33:07
certifications.
00:33:07
And then, naturally, out of both of those initial
00:33:11
engagements, you've got these opportunities to improve.
00:33:13
There's a gap you don't have the right people, you don't have
00:33:15
the right technology, you don't have any policies and
00:33:17
procedures.
00:33:18
You don't even know kind of where you want to start and
00:33:21
where you want to be that maturity roadmap.
00:33:23
So we can assist them with remediation and training,
00:33:28
developing custom or putting a process in place to do scheduled,
00:33:32
automated training.
00:33:33
And then from that obviously you want to test, you want to
00:33:36
make sure all that stuff is effective and not just a point
00:33:39
in time but throughout the year or year over year.
00:33:42
So we do those traditional assessments as well, whether
00:33:45
it's an audit or a network security assessment or a
00:33:49
penetration test, and we do that on buildings as well.
00:33:52
So part of again, if I can touch it, I can own it.
00:33:55
So you can invest a lot in cyber protection, but if your
00:34:00
physical security is lacking, then you've misallocated, at
00:34:05
least misproportioned, your security.
00:34:08
So we do physical security assessments, also trying to get
00:34:12
into buildings where we shouldn't, trying to get to
00:34:15
restricted areas of a facility where important stuff is,
00:34:18
whether it's documents or technology, and then along the
00:34:21
way testing the security awareness and response of the
00:34:24
people and then giving them recommendations for improving
00:34:29
both the technical side and the people side.
00:34:31
And then, in the event that there is an incident, we have an
00:34:34
incident response team where we help manage a data breach or a
00:34:38
theft of a laptop or an employee that stole data.
00:34:41
And then part of that naturally is forensics, so being able to
00:34:45
do digital forensics and support that incident response
00:34:48
investigation.
00:34:49
But then also, if it ever goes to court, we do expert testimony.
00:34:52
And then at the core of our business, we have a 24/7
00:34:56
fusion center where we monitor client networks, user behavior,
00:35:01
device behavior 24 hours a day.
00:35:03
We're all US, based out of North Texas, we're all US
00:35:08
employees.
00:35:09
All the data stays in the US and then we call it a fusion
00:35:13
center because all of those things that I mentioned from
00:35:15
start to finish are available to people 24 hours a day, in
00:35:19
addition to a lot of threat intelligence that we collect
00:35:22
from government agencies and vendors and other sources.
00:35:27
Speaker 1: That's really interesting.
00:35:28
I mean, that's a pretty expansive business that you've
00:35:31
built.
00:35:31
Do you ever point to any one experience in your career that
00:35:37
really prepared you for what you're doing now?
00:35:39
Or is it kind of a conglomerate of the experience that you've
00:35:45
had throughout your career, you know, kind of coming together
00:35:47
and culminating with this company?
00:35:50
Speaker 2: Well, I think there's a lot and there's several parts
00:35:53
to it.
00:35:53
So a lot of what got us to where we are are the
00:35:57
relationships that we developed over the years.
00:36:00
So having relationships with people that are auditors, having
00:36:04
relationships with people that are hackers and educators and
00:36:07
forensics, and having the experience of building a fusion
00:36:10
center and knowing how to staff it and build the culture of the
00:36:13
company that supports like-minded individuals that
00:36:18
have that passion not just for protection but also
00:36:21
collaboration and teaching others, is one thing.
00:36:23
So over the years, building those relationships and becoming
00:36:27
friends and professional acquaintances with just a large
00:36:32
number of awesome people is part of it.
00:36:34
The other part, and one of the reasons that we have services
00:36:38
that fill that full life cycle, is the struggle that I've seen
00:36:42
both on the corporate side, as the consumer of services, but
00:36:45
also on the provider side, where a customer or a vendor isn't
00:36:50
the single phone call.
00:36:52
A lot of organizations when they have a problem, they've got
00:36:56
to figure out five or six different service providers or
00:37:00
vendors to call to help solve one problem.
00:37:03
And then on the provider side, on the professional services
00:37:08
side, there's a struggle with working with a client and your
00:37:13
service doesn't satisfy enough of the objectives of the problem.
00:37:19
And so what we wanted to do with our organization is not
00:37:23
only be the one phone call.
00:37:25
So we have an 800 number.
00:37:26
It's 855-BLACKS-1.
00:37:28
So you can call us 24 hours a day for whatever your problem is.
00:37:32
Technology, cyber, flat tire is kind of our joke, but the idea
00:37:36
was give clients one phone call to an organization they can
00:37:42
trust and they know that we're here to help them fix whatever
00:37:46
problem that is, even if that doesn't involve us.
00:37:49
So back to the flat tire joke.
00:37:51
We say you can call us if you have a flat tire.
00:37:54
We're not going to be the ones to show up and fix your tire or
00:37:58
tow your car, but if we're the ones you called, we'll be on the
00:38:02
phone with you and help coordinate the tow truck, the
00:38:06
AAA, whoever it is that needs to get there to help you fix that
00:38:09
tire.
00:38:09
And so, similarly, on the IT side or the technology side,
00:38:14
clients call us because a network broke or somebody stole
00:38:18
something or they need to know who we know that we trust that
00:38:23
does some XYZ thing.
00:38:25
They know they can call us and we'll figure out the right
00:38:28
solution and get them in touch with the right people.
00:38:32
Speaker 1: That's a really interesting business.
00:38:33
Where do you envision that going and growing in the next 18
00:38:39
to even 36 months?
00:38:40
Speaker 2: Well, that's something that we've put a lot
00:38:42
of thought into just recently.
00:38:45
We do enough to keep us busy, but we're always looking for
00:38:49
opportunities to expand the value, and some of the value
00:38:53
that we've seen most recently is in that traditional IT support
00:38:59
area.
00:39:00
We need to buy new computers or build a new network, or
00:39:03
troubleshoot problems with printers and wireless access, or
00:39:07
we need help managing our Office 365 environment.
00:39:10
So those aren't things that our organization currently does
00:39:14
directly.
00:39:14
If someone asked us for that help, we would point them to a
00:39:18
partner that we trust, but we seem to be getting a lot more
00:39:21
interest in that area.
00:39:22
So we've started talking through the idea of growing
00:39:25
through acquisition of some of these complementary type
00:39:29
services, and so maybe acquiring or partnering more closely with
00:39:33
merging with some of those traditional IT support vendors,
00:39:37
so that they've already got relationships and adding value
00:39:41
to organizations with the services they provide, which are
00:39:45
just naturally augmented by what we do, and vice versa.
00:39:49
Whenever we're providing our cyber services, very often we
00:39:53
find some of these technical things that need to be fixed or
00:39:55
implemented or changed, and again, that's not something that
00:39:59
we typically do.
00:40:00
We would partner with someone else to do that, and so those
00:40:03
kind of managed IT services and skills would naturally
00:40:09
complement the things that we do and the problems that we
00:40:11
typically find.
00:40:12
Speaker 1: That's really interesting.
00:40:15
Well, Mike, we're unfortunately running out of time here.
00:40:20
I really try to honor my commitment time-wise.
00:40:25
When I say it's an hour-long interview, it's an hour-long
00:40:30
Before I let you go,
00:40:31
how about you tell my audience where they can find you if they
00:40:34
wanted to potentially reach out to you or connect with you, and
00:40:38
then where they can also find your company?
00:40:40
Speaker 2: Certainly so.
00:40:41
I'm on LinkedIn.
00:40:42
I also have a Twitter account, but you can find me on LinkedIn.
00:40:46
I'd love to connect and collaborate with people,
00:40:50
especially on the education side.
00:40:51
If you need help mentoring or finding a career path, I'd be
00:40:54
happy to help.
00:40:55
We also have an intern program at Black Swan and it's
00:40:58
blackswann-cybersecuritycom.
00:41:02
Our phone number is 855-BLK-Swan.
00:41:06
Reach out Contact at blackswann-cybersecuritycom,
00:41:11
which is also a form on the website.
00:41:13
But we're here to help and educate and collaborate.
00:41:16
Happy to connect with anyone.
00:41:19
Speaker 1: Awesome, and I'll put all of those links and sources
00:41:23
in the description, of course.
00:41:24
Well, thanks everyone.
00:41:26
I really appreciate you listening and I hope you enjoyed
00:41:29
this episode.