Episode 1: College, Exec Comp, and New CISOs
Welcome, everybody, to the sealed security podcast. My name is Justin Liebling, and I'm joined by Rick Yocum and Joe Wynne. We're glad to have you here. We're doing a little bit different format where we're doing more conversational base in around interesting security topics while having a little sip of, some good refreshments and everything. So with this, type of format, what we're aiming to do is just get into, you know, good discussions, maybe some arguments along the way.
Justin Leapline:We're also looking to kind of learn. Some of us would be more familiar than others on certain topics. But no matter what, we're just looking to have a really good conversation, and we've been friends for many years and everything. So it's been quite a while. So, but to start off with, I figured what we'd do is just kind of introduce ourselves.
Justin Leapline:Since this is episode 1, we'll go through and just give a little bit of background and history and just start from there. Rick, you wanna start us off? Sure. So, hey, guys. It's great introducing myself to you.
Justin Leapline:I know. But I'm Rick Yocum.
Rick Yocum:Yeah. So I've been doing security and compliance stuff for, like, 20 ish years. Okay. I actually, started the my the high school I went to hired me to do computer stuff, which was pretty cool.
Justin Leapline:After you hacked them.
Rick Yocum:Wow. There's a little bit. A little bit.
Rick Yocum:I think there was a bit of, hey. This kid likes computers. Let's harness this energy
Rick Yocum:towards something less destructive than breaking everything.
Justin Leapline:Isn't that all the boys? Like, you have to direct them to something worthwhile. Yeah.
Rick Yocum:So there was a little bit
Justin Leapline:of shenanigans upfront, and then
Rick Yocum:a lot of me stopping other people's shenanigans, That's cool. So yeah. And then went to Duquesne. Did kinda like a combo IT business degrees. After that worked for Deloitte for a handful years, both on the audit side and then on the kind of security consulting side.
Rick Yocum:Okay. Then I moved to Del Monte where I worked with that security program for probably 5 or 6 years. Fast forward to the federal home mortgage bank system doing compliance stuff for a year. Then global GRC director for Black Box Network Services for a handful of years. And then my good friend, I don't know if you know him Justin Leipline, introduced me to this company called TrustedSec and that's where I
Justin Leapline:am today. Okay. Great. Yeah. Joe you wanna go?
Joe Wynn:Yeah. Absolutely. So, I too went to Duquesne, and we've been friends
Justin Leapline:with the community right now. Yeah.
Joe Wynn:Yeah. We'll get in that later when we hit the topic of, you're
Rick Yocum:right here. Right.
Joe Wynn:So, yeah, I've, I currently run a cybersecurity engineering firm. And Yeah. That's not
Justin Leapline:No. We'll get to that.
Rick Yocum:Yeah. And and
Joe Wynn:but years ago, I've always kinda when I was a kid, it was like, you know, I want to have a company. But did I really even know what that meant? I had no idea. And so I went through everything and had an affinity for computers in in middle school and high school as well. I remember one time I was sitting there writing this stuff on a piece of paper and my 8th grade teacher came over and asked me what I I was doing.
Joe Wynn:And I was writing basic code by hand so I could later go home and type it in on my Texas instruments, TI 99 4 a. And I was just gonna draw a picture of, like, a Santa Claus. So I still remember that. And so that kind of was like my first having fun with figuring out that I really enjoy computer stuff. That's a cool memory.
Joe Wynn:And I always liked the idea of, like, spy movies and making things do what you don't want to do, like lock picking.
Justin Leapline:You
Joe Wynn:open it up without a key and all this stuff. So I always enjoyed that and got into high school, just kept learning more and more about computer stuff. Went to Duquesne for I wasn't gonna go for computer science, but I was gonna go for physics and engineering eventually and ended up having my, yeah, my, my comp sci teacher for one of my classes talked me into switching over because I was, you know, I would I took to it. I'm not a coder now, but I did okay then. Mhmm.
Joe Wynn:So I just started working while in Duquesne for a for the computer department. And all kinds of cool stuff you can figure out on campus and also opportunities to make things work in the way they shouldn't work. So, you know, hypothetically, you can even pipe a microphone from a computer on one side of campus to the speaker of 1 another side of campus. So
Rick Yocum:I remember working in the computer labs at Duquesne. A lot of opportunities to both do and shut down shenanigans that
Justin Leapline:you do. Yeah.
Rick Yocum:So that
Joe Wynn:was, that was cool. So I got out of Duquesne, got a job and I worked there for, like, 20 years. Kinda went up through the ranks of being on the help desk to doing sysadmin stuff.
Justin Leapline:That's what we do. Rebate admin stuff. Yeah.
Joe Wynn:Yeah. Eventually. And, that was I was probably there for, like, 10 years by that time.
Justin Leapline:Yeah. Probably. Yeah.
Joe Wynn:And so, but nobody was there didn't even have, like, a specialized security department. It was just something people did Yeah. The best they could. And so things have come along, and eventually I was able to, create a one man shop and move out of, like, traditional IT into still an IT, but it was a security department. Yeah.
Joe Wynn:And then was able to grow that up. Sarbanes Oxley was the trigger for them, the one to invest in it. So then eventually, you know, got a
Justin Leapline:If that's security time the rigor that we have to go through today for regulation and compliance.
Rick Yocum:Right. At the time, it was
Rick Yocum:it was a Peter of pitchforks and fire.
Joe Wynn:Right? Absolutely. And and that stuff was crazy back then, but there was no, like, control frameworks that people were trying to intentionally follow.
Rick Yocum:Yeah. Yeah. So standard like like what are these
Justin Leapline:access control reviews? I have no idea.
Joe Wynn:Right. Yeah. An audit meant, you know, a deep audit meant Anderson Consulting coming in and running some stuff on your Nobel server. I remember that.
Justin Leapline:I'm like, why
Joe Wynn:are we paying this much money? How do we do this ourselves? Let's just do this. Right. And so anyway, so that's how, you know, kinda got into official security and then kinda grew up from there.
Joe Wynn:And after working there for a while, got recruited away, went to another company for a year, and kinda started thinking back about how I always wanted to start a company.
Justin Leapline:Yeah.
Joe Wynn:And, like, what am I gonna do? How am I gonna do this? And so the, you know, the piece I had to figure out is, well, how do I leave and also go do that and get it started? And I started a company called WinSecure. It was just me.
Joe Wynn:And then name. Yeah. That's
Rick Yocum:a really good name.
Joe Wynn:And, and then eventually, we, I met up with my cofounder John Ziola, and we formed CISO. And I met him during, b sides, Pittsburgh organization meetings. And so, which which you're on now.
Justin Leapline:Yeah. Yeah.
Joe Wynn:And anyway, so long story shorter as, kinda always always doing something security related Yeah. And finally got into leadership and then wanted to really bring that to other companies and companies that can't afford the luxury I had of being able to build a, you know, dozen people or so team. And that was a lot of fun. So now we can do that for lots of companies that just can't do it.
Justin Leapline:Yeah. And then you don't have the all the politics above you to do some of the stuff. You still have to report to the customer, but sometimes it's a little less on, like, if you think it's the right way, you just kinda
Joe Wynn:And sometimes, sometimes you don't have customers anymore, that you choose to hire.
Justin Leapline:Right. Exactly.
Rick Yocum:And you
Justin Leapline:go find a voice. So So alright. My turn. So, yeah, so I started off I think tinkering in around, high school. So, my dad actually started up an ISP.
Justin Leapline:He was the first one here in north of Pittsburgh called FYI Networks, and I remember he turned our garage into basically an Internet service provider hub. We had a t one line in 1992 coming into our house, you know, kind of thing, when everybody was hearing modems. So, like, we had this t one line coming in, and it was blazing fast. There really wasn't stuff out on the internet, but it was really fast, you know, for us, that 1.44 megabytes, you know, type of thing. But, yeah, he, he set up a Internet service provider right at our house, and it was really exciting to actually see him kind of start that, grow that, get a little you know, he got a lien on the house, a loan to, you know, do this thing and everything.
Justin Leapline:And it was really cool. I remember, you know, we had 10 modems at first, you know, and he started off, you know, remembering being so excited when first one came in, like, we have one customer dialed in. That's everything. And within, I think, months, it got to, we have one open. Nope.
Justin Leapline:It's, it's a good it's gone. And it was always that battle of expanding, and then over all the modem wars, you know, like the the V 90, the X52, you know, all the there were different models and depending on who, like, was it Dell or, you know, Commvac. They had different modems that they sold.
Rick Yocum:So this
Joe Wynn:was a t one of phone lines, not a t one of network or Yeah.
Justin Leapline:T one was a direct line coming in, but it was 1.44 megabytes. I think it was the speed and everything. It was a direct line, you know, with that. But we were serving customers through modem, so they were dialing in through their POTS lines Oh, to connect. To get out.
Justin Leapline:And then the pipe out was that t one line, and everything. So but we've got to obviously be on the t one line. Yeah.
Joe Wynn:All those phone lines plus the t one line. Exactly. Okay.
Justin Leapline:Yep. Yep. But, yeah, it was really cool. It definitely left an impression on me. Just, you know, the, you know, the successes and struggles that having your own company and everything.
Justin Leapline:I I remember sitting in we didn't have AC until I was like 16, 17 years old, and remember the first few months they didn't have like a machine to do letters. So we were all there licking, you know, the envelopes to put all the bills in to all the customers. Family mail room. Oh, yeah. It was it was child labor at its best, type of thing, and we're just all pouring down sweat.
Justin Leapline:We could have probably just used our sweat to, like, seal it.
Joe Wynn:There you go. So youwarbill.com? Newwarbill.com.
Justin Leapline:Yeah. Exactly. Right? But yeah. So, and out of high school, like, I had some programming classes like C plus plus actually, Mars Area High School had that, growing up and everything.
Justin Leapline:And I went to intern that company, but didn't go to college. I went to intern a company and they're like, oh, yeah, you're pretty good, like, with this. And they offered me a job, you know, with that. And I still remember I had the letter somewhere. It was like $22 a year, like, was my first salary job, and I was so excited.
Justin Leapline:A 1000000, zillion dollars. Yeah. I'm like, yeah, right. That's I forget what the hourly rate was, but it was a little bit above what I was making at that point. But now I'm looking at that like $22.
Justin Leapline:I'm not sure I'd do a project for it enough. But, yeah, so and kind of went up through programming, but it was around 2,002. You know, I was basically doing some introspection on like whatever I want to do, you know, like I'm doing this programming job. And I really like security because it's the constant challenge of it, you know, just that kind of it's not you do it once and done. It's always trying to keep up with the bad guys and all that stuff and everything.
Justin Leapline:So, I decided to go then make a switch to, security, and I had that decision, like, do I go to college or go to a certification route? And I decided to go the certification route. 1, it's faster and cheaper, you know, type of thing, but also it was less time. So, I was like, well, I won't waste anything doing this. And I got my CEH and my CIS, you know, way back in the day and then went into consulting a little bit at that first and then came back and I did GRC at Diebold.
Justin Leapline:I ran the security program at giftcards.com before they got sold off, and then went to trusted sec, because I'm good friends with Dave Kenny, and he needed somebody from, you know, the PCI, GRC world and everything at the time. Only Alex Hammerstone was, there. It was great. I was there, I don't know, 5 years or something like that. I have to look at LinkedIn, you know, to figure out his history.
Justin Leapline:Yeah. Yeah. Yeah. Same. But yeah, and then a few years ago, I wanted to kind of break on my own.
Justin Leapline:You know, I started up at PISQI. I really wanted to bring kind of the GRC tooling market to small to midsize organizations. It's been way longer than what I wanted it, to be. Just trying to struggle your, you know, do the consulting and the development because I've had some developers here and there, but it's still, you know, a lot on my shoulders and everything. Sure.
Justin Leapline:But yeah, that's where I'm at today, doing some consulting, helping customers out, and it is what it is.
Joe Wynn:That's awesome. Yeah.
Justin Leapline:So why don't we dive into some topics here?
Joe Wynn:Well, I know we're gonna talk about one topic, but you brought something up in your intro. So maybe we just switch right to that. And it's the career. Is college worth it? Wanna hop into that one first?
Justin Leapline:Sure. No. No? Okay. Slightly biased into this, but there are so many topics nowadays that you really don't need a college degree on.
Justin Leapline:You honestly need more of an apprenticeship into it to like, you still need the experience and the actual real world with that. And even like, I've hired several college graduates and they come to like work for me and I almost have to retrain them, you know, to get to learn what the job is and everything. I remember specifically, I think it was from Pitt, I heard somebody and one of my questions from an interview is tell me what you think the biggest threat to organizations are right now from just a holistic perspective, and it's meant to be an open ended question just to see where their mind at. And I forget when this was late like, it was, like, 2015, 2014, 2015, and he answered, slammer worm like worms and everything. I'm, like, worms?
Justin Leapline:Like like, what do you mean worms? So, like, that's, like, mid 2000. It's like, oh, we just learned about them in school. I'm like, really? Like, that's not a thing anymore.
Joe Wynn:So that wasn't the right answer.
Justin Leapline:Yeah. Yeah. In an open ended nothing's wrong answer, that was wrong.
Rick Yocum:No wrong answers, but there are some not great
Justin Leapline:answers. Yeah. But it just goes to show the curriculum was way outdated from that. So, you almost have to kind of retrain. It's like, hey, the email is a bigger threat than, you know, than, you know, than any worm nowadays, you know, type of thing.
Joe Wynn:And we should talk about threads later and what the biggest ones are.
Justin Leapline:Oh, okay. Let's go
Joe Wynn:back to arms. Yes. So so it's so with respect to college or jump right into it, what's some pros for going to college?
Justin Leapline:So I think there are some, academic learning that you have to do to go through that. So you can't get out of college to become a lawyer. You can't get out of college to become a doctor. Those are licensed things that require degrees into that. Now, you could do an argument of whether a degree is actually, you know, word like you need a degree to actually do that.
Justin Leapline:Like I've made the argument before that like a general MD, like your local office and everything like that, that could be an apprenticeship. Like what do they do? They go through like my throat hurts. Okay. I'll swab you and throw it in a test, and, yeah, you got strep.
Justin Leapline:You know? So doctor prescribed whatever. You know? Or something really hurts, let me refer you to a specialist. Like, that's all they're doing.
Justin Leapline:And you can
Joe Wynn:do that on video call now.
Justin Leapline:Yeah. It's probably They're essentially an operator.
Joe Wynn:It's probably just a, you know, a deep fake It's just AI? AI now doing
Justin Leapline:it too.
Joe Wynn:You have to go
Justin Leapline:through a doctor.
Rick Yocum:Right. Yeah.
Justin Leapline:And and so I guess, you know, into that context there, you know, you can have an argument whether it is you know, that's required, but you need that.
Joe Wynn:It's legally required now.
Justin Leapline:Exactly. You need
Joe Wynn:it that kind of level of training.
Justin Leapline:Right. Right. Now Obviously, you know, somebody going into open heart surgery, like, they better have training at the Wazoo, you know, type of thing. I'm not putting myself on the table. You know?
Rick Yocum:But you did you ran yourself through a series of, like, focused studies when you knocked out all those search. I
Justin Leapline:mean, yeah. And Barnes and Noble was my friend. If I didn't know a topic, I went to go buy a book and learn it, you know, that type of thing. Yeah. You can't just stay still and say, okay.
Justin Leapline:I'm not gonna get educated. Like, there are almost like that personal MBA or whatever they call where it's like,
Rick Yocum:well, I'm just gonna, you know, go read all the MBA books.
Justin Leapline:Well, and that's what was it, Goodwill Hunting, when he gets in it. It's like, you know, there's 2 certain days. 1, you're gonna realize that you wake up and you could have had, you know, your entire education for a dollar 50 late charges, you know, with that, which is true, you know, like there's nothing needed to be sitting in a classroom. I mean, I think and we've had losses from the educational system. I think it was really there to test you from a reason standpoint, and we've really lost that.
Rick Yocum:Ability to execute logic and patterns
Justin Leapline:to think through. Yeah. And, go up against adverse challenges of your thought process, you know, and I don't think that's really there anymore. Like, it's not that you're challenging, you have to defend yourself or make up good arguments on a premise or a thesis or whatever it is. Like that's what I think college was like a 100 years ago, you know, type of thing where they basically made you sharp and honed on utilizing the knowledge that you had you know, come up and defend it well.
Justin Leapline:Now it's more of, like, can you regurgitate it right, you know, kind of thing.
Joe Wynn:Well, very interesting is a 100 years ago, the only place to go to collaborate like that was either university or the bar. Mhmm. And and so you couldn't just get online and have a meaningful discussion Or the information. Discourse on anything. But today, you know, you can you can have those without having to go to Right.
Joe Wynn:To school.
Rick Yocum:I I will say, what going that what the degree did for me had very little to do with the degree itself and a lot more to do with, some professors and relationships with them who I still maintain relationships with. Yep. And other students who I'll pull on not necessarily for anything related to my degree. Right? But if I have a weird question on government stuff, I have a friend who is in Pali sci and I'll ask you all that weird question about government stuff.
Rick Yocum:There are things like that. The other thing that's probably
Justin Leapline:more important. Of relationships is really what you're Yeah.
Rick Yocum:The social aspect of it. Mhmm. Because I think a lot of people, that part of their lives, if you take kind of a typical route in terms of where when you
Justin Leapline:go to school Yeah.
Rick Yocum:You're at the you're in these sort of formative years and a lot of people are out of the home for the first time or partially out of the home for the first time, all that stuff. So I think there's some can be some good stuff there. But from a career perspective, what it did was I think it it got me the internship at Deloitte, which to a large extent for me was that formative apprenticeship, you know, truly through the ringer for the first bunch of years. And and that's what helped sharpen my thinking. And I don't know that I would have naturally got, like, say, that internship had I known I don't think he
Justin Leapline:would have at the time he went because Deloitte was, like, 4 year degree. Right. In fact, I I experienced that. You know, it was I graduated 1999.
Rick Yocum:Yep.
Justin Leapline:And when I was trying to hop around, like, I was getting stuff like, oh, yeah. You're well qualified, but you forgot to put your college degree on your resume.
Joe Wynn:I didn't forget about it. Yeah.
Justin Leapline:Yeah. Yeah. It's like, oh, well, it's required, you know, type of thing. But I
Rick Yocum:wonder if it's a but I wonder if that's changed now. Right?
Justin Leapline:I don't I wonder if it has. Yeah. At least for a lot of tech jobs. Every position that I hire for, I throw that degree out the out the window and everything. Now it might be a good, like tie breaker, you know, type of thing.
Justin Leapline:Like, people are basically equal and one's on the college, one hasn't.
Rick Yocum:And then I want to
Justin Leapline:know, like, what did you do with those years? Right?
Rick Yocum:Yeah. That would be my question.
Justin Leapline:That's true. But I'm looking for anything that'd be a tiebreaker at that point. But there's usually never, like, a one for 1, you know. There's good quality and bad, you know, or worse qualities. I wouldn't say bad, you know, but yeah.
Rick Yocum:And I agree with you, and I wanna hear your thoughts on this too. But, like, me me having had hired a number of people in the past, when I'm advising people on hiring practices, I basically tell them the same thing you do. I said, look, if your HR department will let you do it Mhmm. Right, Get rid of the degree requirement or potentially certification requirements because there's a lot of people out there that are potentially super skilled. Now you need to have some education.
Rick Yocum:You need to be good at the thing. Right? But you don't necessarily need just this one thing or just this other thing or this combination of things to do the job. And I actually think a lot of people that are super good or super driven and have good brains but just haven't had that experience yet and could get there very quickly aren't given opportunities because there's kind of these artificial barriers that don't really serve anyone.
Justin Leapline:So Yeah. Yeah.
Joe Wynn:No. Actually, I agree with all of that. And, I wanna get to the cons of of going to college as well in a second. But you know well just to sum up some of those things well rounded. I don't know that I've encountered people who haven't gone and immerse themselves in, like, that college environment.
Joe Wynn:It drives a more social interaction they wouldn't have otherwise gotten. That's not applies to everybody. Right. Like, you'll just go up to anybody in any place and just start talking to them. So experienced
Justin Leapline:a number of college parties, and I've never went to college.
Rick Yocum:See? Yeah. Yeah. They'll let you in. Yeah.
Rick Yocum:Right. They'll let you in.
Joe Wynn:And, opportunities to collaborate. You were hitting on that that you never would have gotten any other place. And in some places, just some jobs require it.
Rick Yocum:Yeah.
Joe Wynn:But the other part is, unless you're a unicorn, and I was doing a little bit of, like, superficial research on this before, we got here, was, you know, higher earning potential. Unless you're but I I think there's unicorns out there who, will do that. When you look across the general Yeah. Populace, I think people who come out of college will get a higher level. They'll they'll won't hit a certain signal.
Joe Wynn:Other people
Rick Yocum:You'll yeah. That that that early start at a higher thing, assuming you make the jumps at regular intervals
Rick Yocum:Right.
Rick Yocum:Is gonna get you to a higher place overall, potentially. Yeah.
Joe Wynn:But that leads into my first con.
Justin Leapline:Well, especially the government. They have a very strict, you know, qualification hiring process. And they're
Rick Yocum:not a small employer.
Justin Leapline:You know, they aren't Like, 1 fifth of the economy or something
Joe Wynn:like that. Also get capped at a salary range there really fast. So you've got to go to college, which costs a ton. Plus if you go to the government job, then Mhmm. Yeah, you may not get as high of an earning potential.
Joe Wynn:And then what happens during those 4 years? So a great argument for not going to college is it costs a ton and you can actually be earning during those 4 years. Absolutely. So if you can find yourself into how do you become that unicorn who doesn't need to go to college to still get the job? I'm thinking, like, entrepreneur level person.
Justin Leapline:Right.
Joe Wynn:Now you kind of break that, that mold. What do you think?
Rick Yocum:I think that's probably true, but it's probably also true that we are all weirdos and that we've been doing, like, IT and security stuff, like, almost from the jump. And I do think there's probably a large number of people that try a thing in college and then go, this isn't for me. Well, to to an extent, you know, that that I think that was your host for me. Right? Right.
Joe Wynn:Well, even before the jump, like, you were saying in high school and in high school, we all took, like, some sort of computer stuff. Well, nobody else was.
Rick Yocum:Because there's people like, oh, yeah. I'm going into biomed and then all of a sudden, now I'm gonna do landscaping instead or whatever. Right? It happens all the time because people start doing the formal training and whatever that discipline is and then they shift. So, yeah, I could see that
Justin Leapline:A promise of money and then they're like, I can't do 8 hours of business either way.
Rick Yocum:You could theoretically figure that out doing the actual work too, potentially.
Justin Leapline:That's the argument for apprenticeship. Yeah. You know, like, that's a low risk tryout. Right. And you don't have to sign up for college to do that.
Justin Leapline:I mean, most college, you spend 2 years just doing general courses and then you start getting into whatever your elective degree is, you know, type of thing. The apprenticeship is like, okay, do I like it or not, you know, and then you can drop out with the like, and you get paid. You know? Like Right?
Rick Yocum:Well, can
Joe Wynn:I ask you a question that I was asked just today? I was talking to somebody, another professional executive, another company, and he said, schools, college is leaving out. My, he said his son's roommate is coming out with a security degree. Yeah. What should you do?
Joe Wynn:And this is always a perplexing answer because you think you went to school for all these years in cybersecurity. You should come out and get a job in cybersecurity.
Rick Yocum:I know.
Joe Wynn:But I wanna know who's hiring a job in cybersecurity for an entry level person coming right out of college. No.
Justin Leapline:I don't care what you're doing.
Rick Yocum:The vast majority of people are starting to help.
Justin Leapline:Is that an overnight SOC, position? That was one
Joe Wynn:of the things I said. There's companies that'll hire you to be a SOC analyst so you can figure things out. And and part of the answer I gave was relating it to, you know, would you hire somebody who's never lived in a house nor build a house to come and put a home security system in? They'd have no idea. No concept.
Joe Wynn:Right?
Justin Leapline:Mhmm.
Joe Wynn:So would you bring somebody into your company and have them jump right in? Well, if it's a PNC level, cybersecurity team with 100 and 100 of of of people, well, then there's probably a place for somebody to come in because they actually have the Right. The training program
Justin Leapline:Yeah.
Joe Wynn:The apprenticeship program. And so it's built into the companies. You can get the companies to do that, but I'm not gonna be able to bring somebody in right out and make them super productive right away. But Right. Have you seen too much of that?
Justin Leapline:And that's the thing. Like, yeah, smaller companies, they can't afford bad employee not even necessarily Inexperienced. Well, it could be bad and or inexperienced because even if you're like you know, an employee that doesn't do anything, you can mix into a larger crowd and not have that much of an impact. It really it depends on your immediate manager to kind of supervise, but it comes down to the culture with that. But, yeah, if you're with a small company, a team of 10 people, and somebody's not pulling their weight, it's very apparent, you know, like it's like, I've asked this person 3 times to do this, and they haven't done it yet, you know, type of thing.
Rick Yocum:Well, experience on the job also means a couple different things. Right? Like, there's these core security skill sets. Right? Maybe a bunch of nontechnical patterns and then, like, some technical knowledge that supports that and all that, and that's fantastic.
Rick Yocum:But, also, like, what I think someone right out of school, even if they have a security degree, they don't know how to be an employee yet. Yeah. Right? And I actually think, like, security is one of those jobs that it requires this different positions are different, but many of the jobs require some level of interpersonal and communication skills in addition to the the the technical skills. And if you've never done the work thing really before in a corporate environment or professional environment, there's actually this whole other layer of learning you have to do at the same time that could potentially be super challenging.
Rick Yocum:Right? And so I actually think the people that I have hired that had, like, low to no security experience, they came from, like, PMO or not for profits or things like that. And so they actually had all the, like, how to be a great employee stuff
Rick Yocum:Mhmm.
Rick Yocum:Nailed down. And I was like, oh, okay. I just need to show you some security stuff. Right.
Joe Wynn:That was easy. Understand how the world works a little bit.
Justin Leapline:Yeah. Exactly. Exactly. I was working with a client, client earlier on, and, they have a culture of meetings, you know, 9 to 5 meetings, wall to wall, and everything like that. And, you know, I was onboard doing a long term project, and I blocked off my calendar, you know, when you know, don't schedule stuff during this time and everything.
Justin Leapline:And, of course, you know, the invites go out, you know, and I had a Friday blocked, and they threw it on. And I did not like, I declined it. I gave a reason, like, hey. I'm at a conference today, and, you know, I can't do a meeting. While at the conference, I get the ping.
Justin Leapline:Like, why aren't you on this meeting? You know? I'm like, what do you mean? Like, I declined it, and it was blocked too before it was scheduled. Like, but, again, go to, like, the I they didn't check for busy or they didn't care, you know, type of thing, and then the decline and how it was somehow my responsibility.
Justin Leapline:You know, go into like there's an etiquette there. You know, it's an underlying etiquette to that, you know. So are
Joe Wynn:you saying that's attributed because that person didn't have experience with, like, the way things ought to work?
Justin Leapline:Or didn't care, you know, type of thing. But, you know, that we have a normal etiquette, like, you check they're free busy. You try to avoid lunch. You try you know, there's You don't schedule stuff at 4 o'clock on a Friday. But these are my kids.
Rick Yocum:You know? But insecurities is one of those things. It typically makes things more difficult in some way, shape, or form. Right? It's it adds friction intentionally.
Rick Yocum:Yeah. Right? It can solve some things, but that's a a bunch of different conversations. But if you're in that position where you're like, hey. I need to slow down the business a little or make sure people are doing things safely or tell someone, no.
Rick Yocum:You just can't do this. Mhmm. It helps if they don't hate you for a whole bunch of unrelated reasons already. Yep. Setting up meetings on Fridays or whatever.
Rick Yocum:Right?
Rick Yocum:Right.
Joe Wynn:Yeah. Good. So as we wrap up this topic and let's could we give some advice? And the advice is if you're going into college or you're coming out of high school and you want to get into cybersecurity, it actually just there's probably 2 different answers. If you're going into college for cybersecurity, you just got accepted at one of the great programs.
Joe Wynn:What should you be doing along the way that makes you hireable or somebody wants to hire you as you're graduating?
Justin Leapline:Network. So go to the conferences, all the free the chief conferences, meet people, invite them to LinkedIn as soon as you meet them, start to get your network kind of, up there and everything. If you graduate or come to graduate or just you're now looking for a job and you've met somebody and you've had a good impression on them, you will get an interview. Yeah. You know, whether you get the job or not will be another thing, you know, in the interview, but you will get an interview through relationships, you know, with that, so that's one thing I always tell, you know, with mentors and graduates is like, you know, just getting a degree is not enough.
Justin Leapline:You've got to work to get those, you know, relationships and conferences are perfect for that, you know. Just introduce yourself, hey, I'm giving you a little bit of backstory, you know, could I hit you up if I have any questions, like look to them and say, hey, I'd love to get your perspective on the security industry. Where do you think I should be focusing on and just kind of build a relationship from there.
Joe Wynn:That's great. What do you have, Ed?
Rick Yocum:I would say, and I actually think I don't think there's anything I could say that would be more important than networking, so I'm gonna throw that out first. But as a secondary thing, I'd say find a secondary topic of focus that you also study or that's important
Justin Leapline:to you. Plan.
Rick Yocum:No. But as a to relate things. Right? So, like, I did, like, IT and security, Sloan plus accounting stuff. So one of my superpowers right out of school was, oh, yeah.
Rick Yocum:I can talk to all these finance people and their ERP, you know, about security because I speak that language too. Right? And it could be anything. It could be health, and now you're talking to doctors. It could be whatever.
Rick Yocum:It could be hospitality, and you're talking to hotel owners.
Joe Wynn:Like That's a fantastic idea. I didn't even think of that one.
Rick Yocum:It's just it's just find a secondary domain of study so that if you really wanna do security, you're, like, carving out an initial niche. And you don't have to stay in that niche, but you're always gonna fall back to certain the relationships in that niche or patterns that you get from that niche. Because I'll also say, every time I, like, find myself thinking about something new, I'm like, oh, how does this apply to security? Right? Yeah.
Rick Yocum:And so you'll do that too as part of these other studies. So that's what I'd say. Study study a secondary thing even if your core interest is security.
Joe Wynn:Yeah.
Justin Leapline:Yeah. Just real quick on that. One of the things I thought was really cool, it was last year or the year before coin Coinbase was hiring a whole bunch of people, and they had a number of things that was guaranteed to get you a job, and one of it was if you're anyway titled with chess, you like if you're a FIDE master, international master, or obviously a grand master, but like if you're anyway titled, you get an interview, you know, like we we want an interview. Like, how you think. It's like and that gives you, like, secondary skill, like and that's a very Yeah.
Justin Leapline:Analytical cut. You you have to study for that, you know, type of thing. You have to look at both sides of the, you know, the fence to, you know, come up with a plan. So they're taking that skill and saying, hey. These people have a base of that, and maybe they'd work well, you know, in, the crypto industry.
Rick Yocum:But yours.
Joe Wynn:Yeah. Well, I I still wanna I'm still fixated on you said because it ties back to something I was thinking about earlier as well. But it's the you don't just do security because it's a thing to do. You do security because you're securing something. What is that something?
Joe Wynn:And that's where we're getting to. And so some of my advice today to that person was, you know, it's just like computers now. Everybody needs to know how to use computers. So I think as people come out of school, everybody should understand core concepts for security. You know, what was it 50, 60 years ago?
Joe Wynn:If you wanted a letter typed, your secretary would listen to you talk about what it would be. The executive wouldn't sit down in front of a typewriter and type it out. But now executives sit down and type their own stuff. Yeah. And so because now everybody needs to know how to use computers.
Joe Wynn:So I'm seeing everybody needs them to understand core basic security concepts and then apply it to their area.
Rick Yocum:Yeah.
Joe Wynn:But the other things I would say that if you are a if you're starting college now, several things I would do to be hired coming out with a cybersecurity degree is, 1, before you get to college, set up your LinkedIn and start bragging about everything you're doing. That means you have to do some things to brag about. So don't just go to the conferences, but I tell people just submit to a talk. Eventually Mhmm. You might get a talk.
Joe Wynn:There, you'll find the right menu. Yeah. Get up on stage and speak about something. What do you speak about? So I was listening to a different podcast today, and they were talking about, well, writer's block.
Joe Wynn:And people have these things they don't know what to write about. That's because they're trying to sit down to write intentionally to write. No. Go do something that you think is interesting and then write about that because people like you will do that.
Justin Leapline:You know, like, give me a nap song to write about somebody and give you, you know, all the bullet points there. You know?
Joe Wynn:Oh, sure. Sure. But still, agree.
Rick Yocum:We could talk about something that stumped you. And then, okay, now you're past being stumped whether you succeeded or failed, and then write about that.
Rick Yocum:Right.
Justin Leapline:Yeah. And do a talk about it. Yeah. I saw a b sides, Harrisburg talk where a gentleman, he was pretty new and everything, but he talked about how he learned and shared that out on LinkedIn and how it got an audience out
Joe Wynn:of hacking 1?
Justin Leapline:No. Oh, a Derral. Yeah. It's a Derral one and everything. Yeah.
Justin Leapline:And it was, like, really cool. He'd said, like, I came at it as a novice, but I shared my experience. He went into, you know, did some, like, bug bounty stuff for a bunch of different, websites and everything and talked about how he got stuck and how he got passed on stuff and how he, did a number of things, which led to other networks, which led to, you know, eventually his career into the industry. Yeah.
Joe Wynn:So you talk about some things. You go to the meetups and the networking. Yep. The networking again. And you start logging all this stuff.
Joe Wynn:So if you're an interviewer and you're looking at 2 different candidates, they both have 4 year college degrees in cybersecurity. During college, one of them interned at a bunch of places, wrote some papers, got published on whatever because it's not difficult to get stuff published. You can self publish. Mhmm. Has them a couple recorded talks.
Joe Wynn:All of a sudden, you have that person and the other person who just has a a great degree. Right. What are you gonna hire?
Justin Leapline:I I'd actually throw in a wrench into that. Uh-huh. You got somebody with college degree just with that and somebody with no college degree with all that stuff.
Joe Wynn:Absolutely. That's why I clarified
Rick Yocum:Yeah.
Joe Wynn:Because I knew that you would go there, and I would a 100% agree with you. Yeah.
Rick Yocum:You know what it sounds like too? And I've never thought about it this before this way before, but it's almost like, 2 kids in art school. Right? And one of them is building their portfolio
Rick Yocum:Mhmm.
Rick Yocum:And the other one, you know, whatever. They're throwing it out or burning it.
Rick Yocum:It. Mhmm.
Rick Yocum:Right? And they get to the end of art school, and they're like, oh, you wanna be an artist? Okay. Why would we hire? You know, here's all my stuff.
Rick Yocum:I'll show you all my stuff. And the other one's like, I can draw you something now. Okay. What do you want?
Justin Leapline:I'm pretty good.
Joe Wynn:Yeah. That's really good. So the concept of build a portfolio Build a portfolio. Yeah. Network and document your portfolio in your LinkedIn because that's what all the business people are gonna look at when they're doing hiring.
Rick Yocum:Yeah. Cool. Secondary thing.
Justin Leapline:And secondary thing.
Joe Wynn:Learn a secondary thing. Yeah. I I think that's cool. I like that. So here we we plugged b sides a little bit.
Joe Wynn:Let's officially plug b sides.
Justin Leapline:Okay. Yeah. That's all.
Joe Wynn:So, I think this might come out before b sides, but b sides is on, July 12th at the Rivers Casino. We have a number of people who are organizers. We'll get you hooked up to be an organizer one day. No. No.
Justin Leapline:I've I've talked a number of times but yeah. No.
Joe Wynn:There are many organizations. Did you submit a talk this time?
Justin Leapline:I run the lobby con. Okay. I make sure What are you making sure? Care position. I make sure everybody's behaving in the lobby.
Joe Wynn:I never seen somebody go to more conferences and never see a talk.
Rick Yocum:Yeah. But I'm
Joe Wynn:just kidding. You've seen Slack. Have you submitted a talk? I haven't. No.
Joe Wynn:Talks, submissions closed last week, and I know I was just reviewing a couple of the, a couple of the, CFP submissions and some I was looking at were AI related, respect to some open source testing tools and, how to do, like prompt engineering security.
Justin Leapline:Okay.
Joe Wynn:There's some some talks I looked at, that were good for developers. So your hardcore developers. And I was reading this thing, you know, like, well, that's a little bit above my coding level. So I'm sure people understand it, but I was on a verge. And then there were some hardware hacking including cars and medical devices in the ones I've read.
Justin Leapline:Oh, okay. That would be that's a good group of diverse
Joe Wynn:I only looked at 10 of them, and I think there were, like, 20 to 30 submissions, maybe more.
Rick Yocum:Maybe more. Okay. That's a lot of submissions.
Justin Leapline:Let's see Cool. Yeah. What's the is it, like, 15, 20? How many are you accepting?
Rick Yocum:3 tracks. About 16. 2016. Yeah.
Joe Wynn:Yeah. About 2 tracks of, 8. That's right. Okay. Got it.
Joe Wynn:Yeah. So do you see any other topics that jumped in mind in this submission? I think
Rick Yocum:I think maybe we saw some very similar ones.
Joe Wynn:Okay.
Rick Yocum:I think there are a couple, a couple less technical, more like governance ones that
Joe Wynn:I saw from other stuff.
Rick Yocum:Yeah. Yeah. Yeah. And there there are a couple, even sort of, like, entry level 1 on 1 things that I think were really good.
Joe Wynn:Oh, really? I didn't get to see that.
Rick Yocum:Yeah. There were 2
Joe Wynn:of those that
Rick Yocum:that I
Joe Wynn:There's something for everybody. Yeah. Yeah. Yeah. Yeah.
Joe Wynn:It's awesome. So besides, it starts around, show up around 8 in the morning and prepare to go. If if you're like us, you might prefer to go until 2 AM.
Justin Leapline:Yeah. Exactly. Yeah. Cookie table Should definitely go. Yeah.
Rick Yocum:Cookie table was a major topic recently too. Uh-huh.
Joe Wynn:I'm excited about that. Yeah. Yeah. If you're, from Pittsburgh, you know what a cookie table is.
Justin Leapline:At the weddings. And if
Rick Yocum:you're not, come find out.
Justin Leapline:Yeah. It's not a big mystery. It's it's it's in the name. Alright. So what's next?
Justin Leapline:Yeah. What's a good topic here?
Joe Wynn:I don't know. We we we threw around, Microsoft, started to do some stuff where they, they started to create these physicians, deputy CISOs, and are tying them to a lot of development. And the CEO made a statement that security is gonna be above everything else for priority. I read that in one of the articles. You suggested article.
Joe Wynn:What what comes to mind?
Justin Leapline:Yeah. So, I mean, just to kinda set up, the little bit of backdrop here. So, you know, Microsoft got breached. You know, their email servers were breached and everything like that, and then CISA decided to basically investigate them because Microsoft does a lot of government work, you know.
Rick Yocum:And agencies specifically, they
Justin Leapline:were were there were agencies that were notified that those emails were being read. Exactly. So there was an investigation, and then CISA basically came out and had a report that basically said, Microsoft, do you know security? You know, like, Clifton thing. It wasn't good for them, you know, so they were scrambling to, you know, kind of respond to that.
Justin Leapline:But I thought it was really interesting to your point where, you know, they made a number of announcements, and one of the things that really caught my eye was the that they're tying performance compensation to security for their executives and everything, which they didn't say specifically what, you know, that was kind of left up to there, but I thought that was interesting from a compensation perspective. 1, I thought, you know, how are you going to measure that? You know, that would be fairly hard to get specific metrics. I mean, you have to get very specific of your time dollars to it, you know. Like is it you get 0, you get money, you get, you know, like one incident on you, you get less, you know, like how does that even work, you know, from that perspective?
Justin Leapline:And then 2, you know, I was talking with some other, executives, and they were saying like, yeah, if it's tied to my bonus pay, I'm definitely making sure I'm hitting those marks. Right.
Rick Yocum:Yeah. The compliance part of me says, oh, man. That could go wrong in so many ways. Right. Right?
Rick Yocum:Because to your point, like, how do you quantify it? Okay. Is it based on incidents? That's kind of a weird metric. Is it based on, like, the, you know, 1 to 5 score that you get from consulting agency on this framework that you're supposed to align to?
Rick Yocum:Okay, well now you're setting up some very bad feedback loops and unintended consequences. Because guess what? Now my money is tied to XYZ. Where maybe I would, initially be like, okay. Well, I'm gonna kind of leave this be fully independent.
Rick Yocum:Right? Well, now I might be interested in exerting some pressure to make sure the score is what I want it
Justin Leapline:to be. Right. Right? So I there's a lot
Rick Yocum:of, like, conflict of interest alarms that start going off in my head when it's like, hey. Your responsibility is security, but also you're gonna get measured on how good the security is. It's like, well, you should actually get measured on how honest you are about the security is as opposed to, like, that number. So maybe it'll be measured different ways, but if it's done poorly, it could be really bad.
Justin Leapline:Right. And, you know, I just thought of something like one of the things, with this compensation, what if you're low on resources? And you said, like, I I don't have the resources to do what you need me to do. How many times, you know, have, you know, visitors say that, and then they get popped anyways or, you know, with that? It's like but I told you, like, I didn't have the resources to do what you wanted me to do.
Justin Leapline:Where where does that even come down?
Joe Wynn:Yeah. Well, what, so here's a quote, from the article, and Nadella hinted the changes last week in the company's quarterly earnings call when he said the company will be putting security above all else before all other features and investments. So to me that's that's a way to begin to address that
Rick Yocum:What does
Justin Leapline:stock do for that?
Joe Wynn:Constraint. What's that?
Justin Leapline:What does stock do for that?
Joe Wynn:Well, I don't know.
Justin Leapline:I'd be curious on what investors actually thought of that. It could
Rick Yocum:be an investor thing, or it could just be just, like, competition. Okay. We're gonna ramp up features faster. Right?
Justin Leapline:Yeah. Well, I'm just curious that if they're not pushing out features is from an investor saying, but did their stop Right. Go up or down or
Rick Yocum:not lending? That's a good that's
Joe Wynn:a good question. But, you know, I would hope that, no. Did did the stock even take a hit? How much did the stock take a hit when, there was the incident?
Justin Leapline:I don't know. Yeah. But it'd be interesting. I remember years ago in, at ShmooCon, somebody did a talk, and I think the name was, like, breaches are good for you, and everything, and they basically did kind of a historical analysis of mainly the stock market and with that, and they looked at major breaches and where there were Oh, yeah. Breach I
Joe Wynn:know you're talking about.
Justin Leapline:Where they got hit, and then a year out, and most of them fully recovered, if not more
Rick Yocum:Oh, yeah.
Justin Leapline:From where they were at.
Joe Wynn:DS s it was the the shoemaker. The shoe
Justin Leapline:DSW? Yeah. DSW. DSW, Target. Like, there's a whole bunch of them that had major major breaches, and a little bit later, you know, with that who was it, Troy, Fine just did a post when, United basically came out and said, oh, yeah.
Justin Leapline:Like, they got based our, you know, our entire database. Like, 1 eighth of Americans were compromised or whatever the number was. You know? I forget what it was. And they announced this, on a, you know, a public, you know, call, and their stock went up that day.
Justin Leapline:Well, that's very interesting. Well Yeah. They're about to solve
Rick Yocum:a bunch
Joe Wynn:of Fact fact check me here, but, didn't the CEO of MGM say that their huge breach
Rick Yocum:Yeah.
Joe Wynn:Was not even material in his mind? Right.
Rick Yocum:The Target one is well,
Justin Leapline:I remember a 1000000 years ago,
Rick Yocum:it feels like, the big Target stuff. There are spirited debates about all this.
Joe Wynn:Every time you say Target, you have a drink.
Justin Leapline:I know that. But it
Rick Yocum:very much was like, it was like a mark my words. Right? Their stock's gonna be recovered in a week than it was. So yeah. But I anyway yes, please.
Rick Yocum:But I you know, my my my fear with that like, I I think the intention is good. But like many other things, if the execution is poor, it could create some really bad Yeah.
Joe Wynn:Well, usually, they bring that security executive compensation on progress toward on progress towards security goals. They're gonna install deputy chief info, info security officers in each product group and bring together teams from its major platform and product teams in engineering waves to overhaul security.
Justin Leapline:Yeah. So so it sounds more development and, you know, into their products. It could still
Rick Yocum:go anyway. Like, progress towards goals, you're gonna quantify it. There's gonna be numbers. Gonna be on slides. And if you don't hit a thing, you don't get a bonus.
Rick Yocum:Again, you're Yeah. But Yeah.
Justin Leapline:That that that's workable and that's 0
Rick Yocum:being for any
Rick Yocum:goal. But it's gonna be cultural at the end of the
Rick Yocum:day Yeah. Whether or not it works well. Absolutely. I mean, my my big takeaway is I I like it.
Rick Yocum:Financial incentives drive behavior.
Joe Wynn:And, you know, that's good. And I also like dedicating extra people. So Mhmm.
Rick Yocum:I don't know if they had
Joe Wynn:these deputy, CISOs before, but putting them in place and putting them into these groups.
Justin Leapline:They would. They would. Well, they could've announced it if they did already have it.
Rick Yocum:But It's kinda surprising to me if they didn't, that they didn't. Because, like, I mean, most super large organizations I've worked with at this point absolutely do. What and they call them different things. Yeah. The Bezos.
Rick Yocum:The Visa. Exactly. But it's like, look. You're the security chief in this area because, you know, it's it's one of the ships in the fleet, and it needs someone watching this in this specific space. Yeah.
Rick Yocum:So, yep, they didn't have it before. Kinda interesting, actually.
Justin Leapline:No? Yeah.
Joe Wynn:Well, that was a good topic. What what do you wanna hear on next?
Justin Leapline:So what do we do? You're new in a company, head of security. What do you do first? Or what do you do? Like, just start off with, you know, a game plan and everything.
Justin Leapline:I thought about this a lot.
Joe Wynn:Yeah. I had these conversations a lot.
Justin Leapline:Yeah. Right?
Joe Wynn:I mean, oh, you you might as well. In the, I didn't mention faculty of ions as, one of the things on the Yep. The resume now. But the, you know, ask an expert about this.
Rick Yocum:You're always getting into this. Like, I'm I'm
Justin Leapline:I'm I'm on the friends and family. Yeah. Right.
Joe Wynn:There you go. And so you jump into these conversations, but you you give us some thought. When were your what were your thoughts?
Justin Leapline:So my I mean so first off, you gotta figure out what you're dealing with, you know, going on. Actually, ideally, you should figure that out before you accept the job, you know, type of thing. There's a lot of cultural things that will shoot you in the foot, you know, coming in. So as best as you can, those are the type of questions, you know, if I'm letting don't know if I'll ever take another head of security, you know, position at a company, but in the few that I've had, those are the questions I try to get from cultural perspective. Like, would I be able to be able to do anything there?
Justin Leapline:You know? And it's a continued, like, conversation, but, you know, first thing first or, you know, kind of accommodation, you gotta figure out your current state. What are you doing? Where are you at? What's your footprint?
Justin Leapline:You know, how are you doing everything, you know, from phone and data management, batching, to compliance if it's, you know, related, all that stuff and everything. 2nd, and it you can't understate it, and I think a lot of people failed this, you've got to build the relationships. One of the things I always did was I made a slew of, meetings Yeah. Absolutely. For executives.
Justin Leapline:Mhmm. Like and I've come I've come in to say, where are your experienced parents from security? How can I help you? Here's my philosophy. I don't say no.
Justin Leapline:I'm here to help the business, you know, like, I'm gonna tell you how, not I'm not gonna tell you no, you know, type of thing. And you start building that rapport, you know, to a lot of different people. I also, in the, you know, the times I do give advice, you know, to new people with GRC and and stuff of that nature is don't be afraid to bribe. I know that's probably a bad thing, but a gift here and there or something like that builds a good bond relationship, you know. So if somebody likes bourbon Mhmm.
Justin Leapline:Give them a good bourbon, you know. I've done times where if people were filling under the weather, I'll send them a gift a gift basket with, like, with soup and all that stuff and everything. Like, those little things go a long way when you need to get something out, you know, type of thing. And that's almost more important than what you're dealing with because the roadblocks that we face is from a security perspective is often the people in process, not the techno like, the technology we can figure out and all that stuff. There's usually cheaper ways or ways that you can kind of deal with it, you know, type of thing.
Justin Leapline:But when you get an uncooperative person or, you know, a roadblock and you need a way around, it's usually getting to somebody and say, can you help me out here? Yeah. Yeah. You know, type of thing.
Rick Yocum:Yeah. So I have, like, a very similar in a lot of ways. Maybe framed slightly differently. But there's, like, 4 key things top of mind immediate. And it's, meetings with all the leaders.
Rick Yocum:Mhmm. Right? Like peers and or various bosses, dotted line or straight line to say. And it's part of, you know, getting the feel of things, but also building the relationships. 2, same thing with the team.
Rick Yocum:Right? Before I even go start digging into controls and compliance frameworks and, like, looking at these reports that came before me and stuff like that. What, man? I wanna shake hands with everybody that's on the team.
Justin Leapline:Yeah. Because that's gonna give me the best by. Yeah.
Rick Yocum:That's gonna give me the best sense of, again, building relationships, but also, like, are we good or are we not good? Right? Because if there's a couple jokers in critical positions, I'm already a little nervous about what, you know, what might be there. And maybe they surprise me, but I know there's gonna see be some places I wanna pay attention. So 2 relational things, but leaders and then people.
Rick Yocum:And then from a other tactical perspective, the 2 things I always hit first. And a little of this is steeped in when I was in Del Monte because there's a huge seasonal workforce. So we would we had to figure out pretty good ways to hire and then release, like, 16,000 people every season. So I got kinda good at access management.
Justin Leapline:Season getting the the the
Rick Yocum:Yeah. Kinda like pick and pack season. Oh, yeah. Exactly. Got it.
Rick Yocum:Exactly. Okay. So but it's paying dividends. So what I typically do from a tactical side then is it's access. I get my arms around access management and how that works almost immediately.
Rick Yocum:And if it's clean, great. I'll move on to somewhere else quickly. But that's, like, typically always the first domain. Because, also, then when you're talking about, like, the ability to, like, bribe people or just stop bad stuff, people are plugging stuff in the network you don't like. Alright.
Rick Yocum:Well, I figured out access management so I can, you know, get rid of shadow IT. All it has all these good, second order impacts. And then the second thing is finances. Right? I dig really deep into the IT and or security finances depending on the structure of everything and go, okay.
Rick Yocum:Where's the money going? Where should it be going? Because, ultimately, again, with those relationships with the leaders and getting wins quickly and stuff like that, if you can solve a couple things or start to utilize some of your resources more efficiently right away, It's gonna just help you do things down the road. So to me, it's always shake hands with everyone above you, shake hands with everyone that's working with you, Do the access stuff. Do the finance stuff.
Rick Yocum:And that's, like, a pretty good 90 day plan.
Joe Wynn:Oh, I like that. I really like the access management, pieces. Your first, like technical piece to hit in on. Yeah. Yeah.
Joe Wynn:So you're basically doing a risk assessment of the access management part. I was going to start with you to do some kind of risk assessment.
Justin Leapline:Yeah.
Joe Wynn:As you start going in part of the risk assessment, you're kinda doing it all along. So when you're talking to all the leaders, you're trying to get a sense of what what what could break. I was I was talking to somebody who came in and helped me probably 10, 11, 12 years ago now, and they just went around and said, let's go talk to the execs. Mhmm. It was for a pen test.
Joe Wynn:And
Justin Leapline:Yeah. And
Joe Wynn:it was more than a pen test. And they started looking at it and saying, well, let's go ask them. What is the one thing that can happen in this company that shuts it down? Yep. And let's start reverse engineering from them.
Rick Yocum:I would
Rick Yocum:say what what's your absolute worst Friday night slash Monday morning look like?
Joe Wynn:And why did that happen?
Justin Leapline:Yeah. Yeah.
Joe Wynn:Yeah. That's really good. So risk assessments, I I like that. And then, if you if you think about frameworks, I'm just a huger fan of ISO 27,001 that I am maybe of, some of the other ones. They're all good control sets like CIS is great control set.
Justin Leapline:They focus on this continuous improvement.
Joe Wynn:That's exactly why. Yeah. And so the first thing you do is, you know, you understand, you know, what what do you care about and who cares about it and what's the scope they care about and what's in it. And then now let's figure out what kind of risk you have with it. And as soon as you can start setting up so my first step is implement a blank risk register if there's not one already.
Joe Wynn:And get that in place and then start populating it with and I like your idea of focus on access. Figure that out and then start taking it to the leaders that you're meeting and saying, oh, so your area is this. Right? You're responsible for this line of business. Well, I was doing some access management review, and I'm finding some weaknesses in the way we do this.
Joe Wynn:And it's related to this process that happens, and even some of your people on your team have to, like, sign off on these things. Yeah. How do we, shore that up? You know what I mean? I can help you remove some of this friction Mhmm.
Joe Wynn:And to start, you know, making things more efficient, winning some friends, and fixing problems all at the same time and putting it in there. Now selfishly I would say that all 3 of us would have the same thing. If it's not us getting the job and it's you you should bring us in because the best thing that I ever did when I'm getting started is don't go it alone. Is who can come and give me an objective view? Because the moment you're in the company Right.
Joe Wynn:You're not as objective as you are when you're looking at it from the outside. Right. Go ahead.
Justin Leapline:Yeah. I was just saying and also the sad thing about that, a lot of your execs won't listen to inside people. They could complain to the moon that, like, hey. We need to do something about this. And somebody outside writes a report about it, like, oh, why don't we do this yet?
Joe Wynn:Yeah. He was a consultant I was working with years ago, and they were they kept saying, I keep getting asked for the companies I'm helping. Why don't you hire why can't we hire you to come in? He goes, because the moment you hire me, I will be no longer the smartest guy here. You will think I'm the dumbest guy here.
Joe Wynn:Yeah. And I always thought that was pretty funny.
Rick Yocum:That's a good lesson for the for the anyone that might be listening that's taking that college advice, what to do in college. Just realize that, you know, one of the hardest pills to swallow is even once you get really good at security. Right? If you're on the outside. Right?
Rick Yocum:You're gonna have a lot more airtime and a lot more visibility, you know, talking to companies about their security than if you're on the inside trying to evangelize security. Mhmm. It drove me nuts when I was at, you know, at Del Monte telling people things, and then I'm internal saying the same things. Right? And but you need that secondary opinion, and then you're external again, and it's the same thing.
Rick Yocum:So it's a good lesson.
Justin Leapline:Yeah. Yeah. Yeah. I'll pick a point on you. So when you say do a risk assessment Mhmm.
Justin Leapline:Are you talking about actually looking at likelihoods of threats and impacts into that, or are you doing it more from a, like, control perspective? And I think it depends on the size of the company. Right.
Joe Wynn:I would say that there's no right answer. And I know you had another topic about
Justin Leapline:Yeah.
Joe Wynn:Should you do risk assessments?
Justin Leapline:I'm opinionated on this.
Joe Wynn:And and, We
Rick Yocum:should probably
Rick Yocum:we should spend a
Justin Leapline:whole episode Yeah. Toward the end of this one. But yeah.
Joe Wynn:Well, just just to quickly answer your question, I think having so I'm I'm starting to read measure anything in cybersecurity to get my, head much more around. You got the book of it?
Justin Leapline:No. There's a there's a
Rick Yocum:bookshop behind. Yeah.
Joe Wynn:Yeah. Get my head around how to, how to continue to improve on the way I quantify things. Mhmm. But, there is there's a nice to 27,001 news group. And one of the folks in it, and it's a Google group, and one of the people in it, is makes makes a great argument for not getting that specific at least until you're a little bit more mature.
Rick Yocum:Yeah. Right.
Joe Wynn:And the reason
Justin Leapline:That's I guess, kind of my point. You know?
Joe Wynn:That that's yeah. Exactly. Because the reason is, if you would spend a 1000 hours of collected time Yep. Coming up with something that is super detailed and at the level of like a one of your large worldwide insurance companies level of detail Mhmm. For analyzing risk or And you're not
Justin Leapline:doing a good job patching. You take a week It's just gonna echo that.
Joe Wynn:And figure it out. And you give it sure. You can't, like, add high, medium, and apples. Right? So they don't make sense, but you can start to carve a conversation of understanding what is riskier than another thing.
Joe Wynn:And at the end of the day, is it gonna drive a different major change or major output?
Justin Leapline:Right. And that's where I agree risk assessments do help. When you get to a point where you're mature enough you're trying to decide, do we invest in a new EDR solution or a WAF, or, you know, where where do where's the best place for our dollars to go, you know, into there? A risk assessment will help kind of flush that out, but if you're not doing the basics, like, it's and it may be like a gut, you know, risk assessment at that point, but we all know if you're not protecting against phishing attacks, you're not educating users, you're not patching, you're not protecting your border, you're gonna get popped eventually, you know, that type of thing. You'll probably still get popped if you do all those.
Justin Leapline:Like, that should be your kind of first goal, You know? And once you get to a good spot, then you can start divvying up or where's our dollars best to go, you know, that thing.
Rick Yocum:I always want better language in the risk space. Right? Because, like, the risk word is, like, way overloaded, and you probably see probably go see this with different clients. We see it all the time. We're, like, someone's like, I want a risk assessment.
Rick Yocum:It's like, okay. Well, what do you want? Like, the academic risk assessment? Do you actually need a controls assessment? Do you want a pen test?
Rick Yocum:Like, because risk is a whole bunch of different things, and depending on the context Right.
Justin Leapline:Because and so I I
Rick Yocum:think our language is really poor here. We're talking about a generic risk assessment. I don't know if they still use it, but there's this thing that E and Y had a a long time ago. And they they they framed it the what could go wrongs, the WCGW. WCGW.
Rick Yocum:Oh, okay. And I always loved that for, like, the initial risk assessment or the high level thing. It's like, look. I seem to know what could go wrong. Yeah.
Rick Yocum:That's the whole thing. And what are the worst things that could go wrong? Okay. Top 10. Great.
Rick Yocum:Let's focus on those.
Rick Yocum:Well, that's
Joe Wynn:a really good point. And when we do a more detailed risk assessment, the first thing we actually do is a threat assessment.
Rick Yocum:Exactly. Right.
Joe Wynn:And that's what what what what can impact you. Yeah.
Justin Leapline:Yeah. But So Yeah.
Joe Wynn:What that's good. We we should dealt we should do a whole session on risk assessments and
Justin Leapline:talk about why. Of the, methodologies and all the frameworks and everything like that.
Joe Wynn:And why not throw them all away and just do something that works?
Justin Leapline:Yeah. Right? For sure. Cool. Alright.
Joe Wynn:Is this is this a wrap?
Justin Leapline:Yeah. I think this is a wrap. Alright. This is a good hour and everything. So Cheers.
Justin Leapline:Thank you, gentlemen, for doing this. Thank you, audience, for joining us. This will be released, here, and we're aiming to do a once a month podcast. So join us next month as we dive into a number of these, topics and everything. Don't forget to, like and subscribe and comment, you know, if you really enjoyed it or you have any other topics or questions for us.
Justin Leapline:And that's a wrap. Thank you all. Bye.
Joe Wynn:You know what I think we should do on a camera? You could clip this part back in since we're all still mic'd and Yeah. Everything on is, we should how about we review with each, with each episode? Yeah. Yeah.
Joe Wynn:That's what I'm thinking. Some something, like, acknowledge what we got sitting here because and then why we picked it, the name of it Okay. And and stuff. And a few
Justin Leapline:I think it's a great idea.
Joe Wynn:Read the name, Kentucky straight bourbon and guided by wisdom and craft with knowledge.
Rick Yocum:Where is it made? I like that. Distilled in Kentucky bottled by Kentucky Owl. And I'm gonna butcher this name. I apologize for everyone who lives here and nearby here.
Rick Yocum:Lacassine, Louisiana.
Justin Leapline:Yeah. Yep. So this one I bought down in Kentucky. They don't have it in PA here and everything. Hopefully, that's not illegal.
Justin Leapline:Spoiler alert, you guys. Yeah. But, yeah. So I mean, from a notes perspective, does it say oh, okay. It's 91 almost 91%.
Justin Leapline:Yeah. 90.8% proof. This is great. I love this. Yeah.
Justin Leapline:It's nice and smooth. Yeah. Good caramel notes and everything.
Rick Yocum:And and for anyone who's listening just for the whiskey review, I would describe us as people that drink a lot of whiskey, but in no moderate to low amount about whiskey.
Rick Yocum:Oh, okay.
Joe Wynn:I think Justin knows more
Rick Yocum:than that. I would rather I definitely like the the moderate category for sure.
Justin Leapline:Yeah. Yeah. That's fair enough.
Rick Yocum:Yeah. We're not we're we're not distillers and we're not the guys that have, like, the bourbon channels that are 50 gazillion videos deep that Yep. Have distilled since they were 2 years old somehow. Right.
Justin Leapline:In the hills of West Virginia. Right.
Joe Wynn:Hey. Well, cheers again. Cheers.
Justin Leapline:Cheers, guys.
Joe Wynn:This was good. This is great.