Episode 10: Navigating Budget Cuts, Talent Shortages, and Cybersecurity Resilience
Alright. Welcome to Distilled Security podcast episode 10. My name is Justin Leapline. I'm here with Rick and Joe, and thank you for joining us. Today, we got a very interesting lineup.
Justin:One of the topics that I'm actually really eager to talk about here is what do you do when you're facing cuts, you know, within an organization? Obviously, in the news, we're hearing a lot about DOGE, you know, several cuts within the federal government going on. But it's not just the federal government. It's organizations are cutting back. They're seeing spending cutting back.
Justin:I know quite a few, organizations that have let go resources or tighten up budgets and everything. And, you know, from us as security professionals, leaders, you know, within the industry, how do you make sure that doesn't impact your organization? Obviously, you're trying to tilt the line. You know? You're not responsible for revenue, you know, with that and try to go along with it.
Justin:But are there certain steps that we can do to help the organization make sure they don't falter from, you know, the cuts that they're making and everything? Yeah. You
Rick:wanna take first crack?
Joe:Well, first, I would say that it's definitely gonna affect the organization. It's gonna create risk. And so it's all about we talk about this every every episode, risk management. And so, I I was thinking about how all the reliance on even if your company isn't affected by the cuts, if your company's not getting cut. But with the federal government cutting resources, which resources or programs in the government does your company rely on for security?
Joe:I was actually, talking to some DHS CISA people, and they have a lot of programs that people take companies take advantage of. And if there's an impact for those resources and those programs aren't as available, that's another factor as well, which I don't think we were originally, we were originally talking about, but that's what I was thinking about.
Justin:Well, that's a good thing. I wonder how I mean, those resources are nice that you can kinda rely on. But is it a reliance, you know, type of thing? It's definitely an optimization. You know, if they have templates or guidance documents that are producing, they're gonna be better than what they had, you know, prior or, you know, took time to produce themselves, you know, in that
Rick:I mean, I definitely know some organizations that rely on those and similar resources for some important control attestations associated with threat monitoring and things like that, I think. Gotcha. So I I I think there's some instances where I don't know if they're, like like, major key controls, but certainly, like, you know, places where you used to be able to evidence clearly and now you might need to figure something else out.
Justin:Yeah. Yeah.
Rick:That's a good point.
Joe:Yeah. So back to the question is Yeah. How are companies? So let's say you are responsible for security at your company, and let's take a perspective. Your company is letting some people go, but you're still there.
Joe:How do you manage that risk? What are your thoughts?
Justin:Yeah. So one of the things I'd like to do, you know, in with this of kinda tightening the belt and everything, I mean, with any program, security optimizations can happen, you know, into that. You get a little bloated, implemented too many tools along the way. It's not fully optimized, you know, to into that. There's a lot of internal projects that, you know, can go resource only that you can get a lot of strides and to do.
Justin:Very much
Rick:tools get better.
Justin:Yeah. Exactly. So, I mean, do you have all the tooling, you know, built into your single sign on, you know, that would take, you know, advantage of your, you know, Microsoft, you know, three sixty five Active Directory? Okay. Let's bring them on board and get everybody on the same thing.
Justin:Are are do we have a good lick of our perimeter, our vulnerability management, our patch management? I mean, we've been lax, you know, in a little bit. Let's refocus on that. Let's get rid of all those, you know, you know, unpatched systems that are just, you know, out of service or something like that. Those are, like, good projects to kinda bring up that we've been kicking down that, you know, takes more resources and not really capital budget, you know, that would come out of that.
Joe:Sounds like a conversation we had in episode nine where we talked about budgets and optimizing and automation. Yeah.
Rick:Mhmm.
Joe:So let's you know, I what I'm hearing is can we automate some things and make up for so we don't have an increased set of risks because we're not compromising the processes we're doing. Can how do we get more done with the same people that are left?
Justin:Yeah. Exactly.
Joe:Okay.
Justin:Another thing I'd I'd you know, getting back to core principles, you know, into that, really looking at, like, what must the lights stay on. You know? So if you have Right. Cash cow, government contracts, or compliance initiatives that just can't falter because of the impact of your customer, you know, relationships, those are ones that you need to just watch very carefully. So if there's resources being cut that, you know, just strain too much and it's gonna be a problem, that's where you have to, like, put added controls and added oversight.
Justin:Obviously, from a a a GRC governance perspective, that's one of our primary roles is to be that added eyes, you know, over the process. But when you're losing people left and right, sometimes, you know, those especially manual controls fall through the cracks, so you need to build in process to make sure that when you're doing less than a whole another conversation on SOC 2 or something like that. But if somebody's doing some access reviews and we let them go and nobody picks that up, all of a sudden, we're gonna have a number of, you know, deficiencies coming out of out of our next assessment. You know?
Rick:It's a really good tie. So I had three things with
Justin:Yeah. Yeah.
Rick:With this topic. And it's such a good tie into the first one, which is, like, it I take it back to inventories. Right? So, so OIT actually counsels organizations through this as we like
Joe:help out.
Rick:So I have a comp not a plug, but kind of plug. You can plug it.
Justin:Yeah. It's a plug.
Rick:So OIT is Optimize It. It's a company I have that helps organizations do outsourcing stuff. So whether it's displacing an existing provider or, helping a company transform how its labor works and potentially displacing active employees. Right? So we help leaders think through some of these things.
Rick:And one of the things, and it really ties into your like, the what's important question Is it to me, with my security background, I think that it's an inventory problem. Right? It's an inventory of activities at the end of the day. Yeah. In so many organizations, it sounds so simple just like an inventory of servers or inventory of network devices.
Rick:But we all know that it's, like, deceptively simple, and it's hard to actually get right. And activities are particularly hard because if you think about it in terms of, like, you might have two types of leaders. Right? Really, really good leaders. Well, how do they operate?
Rick:Well, they typically delegate activities or empower employees so they can do a bunch of stuff without being babysat. Well, when employees are doing a bunch of stuff without being babysat, there's the potential for you not for a leader not necessarily to know some of the tactical things that are going on there. Right? The alternate's the opposite's also true. If you have a particularly bad leader, maybe they babysit a lot, but they're kind of a bad leader.
Rick:They might not have everything figured out. They might not know everything that's going on just because they don't know. So inventories of, like, what employees are doing essentially are deceptively hard to get right. And, honestly, the only magic for this that I know is, like, that sort of management by walking around thing where you just need to talk to people, have those relationships, and understand, like, hey. What's what's what are people working on?
Rick:And so if you're thinking your company's starting to get close to a a RIF or something like that, one of the things that we definitely advise is, like, hey. Have those conversations, exercise those relationships, make sure you're talking to people about what's going on, what's not so great. Like, the communication part is key because if you don't have that inventory, ultimately, what's gonna happen, and this gets to what you were saying in terms of the risk of controls failing and stuff like that. Right? People are gonna be working on something.
Rick:They don't necessarily need leadership's help to do it, but then it gets lost.
Justin:Yeah.
Rick:Right? And and people get missed in a RIF and they go, oh, crap. This critical contract that relies on these controls, well, we stopped doing x y z two months ago when Tony left or whatever it is.
Justin:I had somebody. I'm not gonna name which company I work for at the time, but I was on vacation Yeah. And we had cutbacks. Yeah. And somebody on my team got cut without, even talking to me.
Justin:And I had some words at the time. Sure. Sure. But I went up to the CEO, and I was like, hey. They're doing some critical processes.
Justin:Now we can't do this stuff, you know, type of thing. And they're like, well, I didn't know they were doing that. I was like and, of course, I was like, I gave you a report every two weeks of everything we're doing from a security team. Yeah. You know, type of thing.
Justin:Like, I don't know how I it could be more clear, but, you know, now we're we're at risk, and then we went and hired another person. You know? Yeah.
Rick:And there's a second like There's a secondary trap here too, which is to say if an org if executive leadership in organization has already made the decision, we have to make cuts. There's a natural inclination to be like, well, okay. But why would we spend more time and effort talking to these like, it's not gonna change our decision. We have to do this financially, or we have to do this strategically, or whatever. It's like, no.
Rick:No. No. No. You're not talking to them to try and change the decision. You're talking to them because you need to understand what the fallout's gonna be regardless of the decision's the same.
Rick:Like, it's a risk management thing. Yeah.
Joe:Yeah. Yeah. So it sounds like you've guys, and I like when you plug the company because it it shows some credibility here with your expertise, and that's, that's helpful. I've been through this. Yeah.
Joe:I was at a company that for years before I got recruited away, We were going through an IT. I let a lot of people go. Mhmm. And that happened over time. One of the things that I found is because of the stuff I put together, the security team was one of the last to be impacted.
Joe:Because they did some of the things you guys are talking about, and I can share that. Your inventory is much like what ITIL calls a, you know, part part of the process inventory for a CMDB, and I called it a security management framework, which, I might have mentioned this before.
Justin:Yeah. I think the last episode. Yeah.
Joe:And the security management framework was simply, what are your main functions? What are the processes that carry those out? How critical are they?
Justin:You know?
Joe:Yeah. What's the, priority of it? How frequently does it happen? Is it on demand, or is it, event driven?
Rick:Yep.
Joe:Or, you know, or is it on a schedule? When it happens, then what you're talking about is how many hours does somebody take? And you take all of that and you figure out your your bandwidth needs, and then you tie those processes to back to, like, I just talked about this earlier today with somebody. Every cy every risk, cyber risk, does it matter, is a business risk.
Rick:Yeah.
Joe:Yep. So how does it impact the business? Yep. So if I have advice for security leaders, it's please, please, please figure out how to write your cyber risks in the terms of business risk.
Rick:Yep.
Joe:And focus on that. And then, you know, just just thinking through the, the whole process of, you know, it becomes risk management.
Justin:Mhmm.
Joe:And so, you know, had had you had any inkling there was gonna be that people were gonna be doing this while you were away, you might have been able to purposely share
Justin:Right.
Joe:Your, well, these are the impacts. Right. This is the processes that can't be done. And by the way, my job isn't to accept this risk. That's your job as a c level executive
Justin:Right.
Joe:To accept this risk, but I'm gonna tell you what this risk is.
Justin:Right. Exactly. Yeah. And that's at the end of the day. I mean, that's our role and responsibility is to express it.
Justin:Like, I I, you know, mentored, you know, younger security leadership. And one of the things I I say very commonly is, you know, your role is to educate the risk and the consequences thereof to the best of your knowledge. If you've done that and feel you've done that well, I don't care. I had this one saying, with the founder. You could throw PII in the middle of the street.
Justin:I'm gonna tell you all the reasons why not to do that and why that's a bad idea. But if I feel I've done a good job, I'm not gonna lose sleep if you choose to do it anyways. I might not work here soon after because I don't wanna deal with the consequences of that, you know, type of thing. But I'm not gonna lose any sleep knowing that I, you know, gave you the best, information to make that decision, you know, type of thing.
Rick:So I think I I think that's huge strategically. Tactically, there's probably a couple other things to be thinking through as well. Right? So if you're an organization that hasn't done RIFs in the past, like, you might wanna think about doing a tabletop centered on that. Like, it's the operational cadence of letting a whole bunch of people go at once is totally different than the onesie twosies that that happen over time.
Rick:And so if you don't have those lines of communication with HR, and frankly with legal, with privacy kind of cleared, you know, you might end up stubbing your toe on some things that you don't wanna do. Right?
Justin:And, actually, this goes into a good point that some of the stuff I've gone through this a couple of times, you know, obviously, in my, career. One of the things I like to do, and I'll even spend my own money on this, is I'll take my team out to lunch Yeah. And or dinner drinks, you know, a little bit more frequently. Because when this happens, there's a cup cultural, you know, separation. People are down.
Justin:People are seeing their friends that are leaving. People are more worked. You know? Now they have that they have to pick up the slack for other people, you know, not being there and everything like that. That's a
Joe:great point. You gotta manage the morale after.
Justin:Yeah. Because the last thing you wanna do is spin to hire again or, you know, lose more people because their buddy that they worked for for years got fired, and now they went to another job that's hiring like crazy, and then they bring them over. You know, that type of thing.
Rick:And and that's absolutely true. And even it's not as important as that point, but another side point of that too is, you know, if people are personally, right, have a personal relationship with you that they'll carry forward beyond, you know, the the organization, I've seen people do some pretty silly stuff if they as they exit an organization. Right? Stuff that required Oh, yeah. Incident response and stuff like that.
Rick:Well, if they know that you're the security guy that's gonna have to deal with all that stuff or whatever, frankly, even if they're bummed out or unhappy or whatever, there's a much smaller chance that they do do some silly stuff.
Joe:Some good operational things that, you made me think of these, which we're talking, as if a lot of companies have a certain level of maturity. Let's take it down to the companies that don't.
Rick:Yeah.
Joe:So, some of the things yeah. Some of the thing well, they could be. Yeah. Some of the things that companies may do poorly that they should be aware of. What is your off boarding procedure?
Joe:I
Rick:was gonna say the access cuts, absolutely.
Joe:You gotta make sure that's tight. You need to look and make sure I mean, I've experienced this. We probably all have. Who has a critical or semi critical process that's tied to an employee, that's tied to their user account,
Justin:and
Joe:it might just happen to be their Gmail account they set it up with.
Rick:That employee spun up the SharePoint site that the rest of the company now uses because it was fifteen years ago or
Justin:Or even as you were mentioning, like, those core processes that they've been doing. So is there, you know, cross training on, being able to do a process, like, at least two people can do every single process?
Rick:I'm a huge fan of, like, job rotations or, like, mini apprenticeships within an organization from department a to department b where you trade tasks and stuff. Like, it doesn't happen nearly as commonly as I think it should. It'll actually rattle a little bit into the next topic. But I think that's a really good way of of dealing with that.
Joe:One of my columns in the security management framework is who's the primary and who's the backup resource. And every day where there's a backup resource and it's blank Yeah. Make that cell red and then make sure that that becomes a risk in your Yeah.
Justin:Oftentimes in this process usually, this is where I start thinking about in hindsight. I'm like, oh, man. They're like, who's who's gonna cover this? But if you get kind of the the the winds kinda coming that, you know, cuts are coming, you know, that's a good time to review that that chart and everything.
Rick:And a couple other quick tactical things. We talked about access before. Also think about access that's not related to your SSO or or major identity systems. Right? So if you have a SaaS application that someone in the line of business pulled out a purchasing card and and bought, right, that's not connected, okay, do your processes account for that or do they not?
Rick:If you have administrative accounts in Active Directory that aren't connected to, you know, your work their Workday accounts or whatever. Are are you thinking about that or are you not? Because the the automated elements of the process might not hit everything. And if you're doing a bunch of people at once, there might be a bunch of manual effort
Justin:from
Rick:the security team associated with that. And if you're not necessarily staffed to handle that, your cuts are either some are gonna get missed or they're gonna go slower. Another one that is top of mind for me too is, like, again, are you super crystal clear on your litigation hold procedures? Right? If you're letting a bunch of people go at once and there's some litigation or potential litigation
Joe:That's really good point.
Rick:That's one. And then also, like, enhanced monitoring processes. Some organizations wanna do you know, they wanna turn the dial up on monitoring of employees if they're at risk or about to leave a little bit. So think about that, and think about that with HR and privacy and all the legal and all the
Justin:Yeah.
Joe:I've been in the organization where in the past, as people were on the list, certain people who were running the data loss prevention system, those people would get put into the system over the month before
Justin:Yeah.
Joe:And just see where data's going. Mhmm.
Rick:Yep.
Justin:And do
Joe:they all of a sudden just download a whole lot of things that they normally want Yeah. Or shouldn't?
Justin:All of a sudden, salesperson asks the entire CRM Yeah. Type of thing. Right. Oh, here's
Joe:what I mean. Yeah.
Justin:Absolutely happens. Or yeah. Forwards a bunch of stuff to a Gmail address. You know?
Rick:Yeah. So and then very last thing I have, on this, it's more of a long tail strategic risk. So we talked a little bit before about, like, automation or AI, which is, I think, some of the things that might make leadership okay or more okay with, you know, terminating or or downsizing or whatever. Right? Because I think people say What?
Rick:Replace them with AI? Replacing with technology. Right? Yeah. A hundred percent.
Rick:Yeah. Yeah. Yeah. But but but the reality is and and you guys know this, but for everyone listening, the the reality is, AI is really, really good at entry level stuff. It's not really that great at decision making capabilities.
Rick:Right? So correlation analysis, awesome, but deciding, not so much.
Joe:It lacks the context.
Rick:Yeah. So you can go down that road, and you can potentially go through processes where you let people go, you replace them with technology, all that stuff. The thing to keep in mind, I think, is a long term risk is what's your talent pipeline look like, because your decision makers typically come from people that were doing the analysis years ago. Right? And if you cut that all off with technology or the majority of that off with technology, where are your next leaders coming from?
Rick:And I think that'll probably rattle into our next topic a little bit, but is a long tail risk for downsizing today. You can't if you're leaning into technology to do that, you really need to be thinking about your talent pipelines.
Joe:So do you wanna wrap this topic up? What are some takeaways people should be worried about?
Rick:Where do we start?
Joe:Yeah. I I I love the, identifying the security functions that can't be sacrificed Yep. And making sure that it's crystal clear. And then
Rick:And tied to business objectives. Yep. Right? Yep.
Joe:And then figuring out what the risks are if you lose them. I liked your idea of actually table topping some of this. In some table tops, we've done recently. We've actually, the resource might be in a room, but we say that resource can't answer any questions. They're just unavailable.
Joe:Yeah.
Rick:It's one of the injector twists.
Justin:So, yeah, they're good. I always do that on Yeah. Yeah. That's a good one. Tabletop.
Justin:Yeah. Get core people, I like, unavailable for whatever reason.
Rick:Yeah. I think table tops are good. I think just make sure you have strong relationships or if you recognize you don't have strong relationships horizontally and vertically in the organization, make make some time to build those out. Yeah. I think it's important.
Justin:Yeah. Because that's one of the things. I mean, I I think we've all seen the studies that when people leave, it's more than not the their boss that they're leaving, you know, in that you know? So if you kinda keep that and the team tight, hopefully, they'll minimize further disruptions, you know, to, you know, the organization.
Rick:But then I think walking the process and thinking about the little stuff that might go wrong in terms of access cuts or lit hold things or whatever. And then what was the other? There was one more in there.
Justin:Focusing on optimization. You know? Yeah. So things that don't require necessarily capital expense. You know?
Rick:Yeah. Into that. Yeah. But
Justin:Clean up access control. Yeah.
Rick:But it's a huge risk. I mean, there a lot of things can go wrong. Oh, it was, the security thank you for buying time for me.
Justin:It was it was the,
Rick:it was the security team. You know, again, if you're if you're gonna release a bunch of employees all at once, make sure you have the ability to actually do that operationally, like, that your access team can do that because some of that will be automated. But most organizations I work with, there's a bunch of manual stuff, and it's totally different if you're doing, like, three people in a week versus, like, oh, this is a 50 people this week. So you don't want those processes to
Joe:And it's usually not this week. It's usually Thursday or Friday.
Rick:Yeah. It's Right. It's all the Bobs in.
Justin:You know? This is it all the
Rick:stuff. Right. Yeah.
Justin:What would you say you do here?
Rick:I'm a people person.
Justin:There have been so many memes this week talking about that. So I've enjoyed it all. So but, anyways, segue Yeah. Into that. You brought up about talent management, you know, at the end and make sure you have a good pipeline.
Justin:You know, we've been hearing forever about the security shortage. Before we kinda dive into some of that, do you actually believe there is a shortage in the cybersecurity industry workforce? I do. Yes?
Joe:Yes. I have examples right now. I'm we're trying to help somebody identify a resource that can properly do GRC work. Like, mid level? At an mid level engineer level.
Joe:And it's been months that they've been looking for somebody, more than months. And they they get close, but they can't find the right person. And so this ties into
Justin:However so I I also agree Yeah. With it with a little caveat.
Rick:Qualified yes is like mine.
Justin:How many applicants have you got with that role?
Joe:Oh, I think we processed over a hundred.
Rick:Yeah. Yeah.
Justin:So it's not a shortage. It's a shortage of qualified
Joe:Yes. Talent.
Justin:You know, into that.
Rick:Do you have thoughts? So whenever I, like, dissect these systemic problems, I always I always try to figure out, like, what's what's the source, what's the root because it always gives me different ideas on how it might be either long term solvable or even short term solvable. So do you have thoughts on why there's that shortage? Because I have a theory, but I wanna hear your thoughts on why first.
Justin:So I have a couple. So and I find that, yeah, as you go up in the ranks, there's less of a qualification for some of the experienced people Mhmm. With that. Because I've been doing, like, you know, some roles, especially in order to junior, you get hundreds hundreds
Rick:of applicants. Tons. And Well, so many are, like, global talent pool now. Right? To a large extent with
Justin:Well yeah. And yeah. And I often have remote, you know, allowed into that usually, like, limited within, time frame or time zone, you know, just make it convenient. But at the same time, you're getting hundreds here sorting through. Yeah.
Justin:You know? And so you're looking at any type of experience. You know? So even if it is a junior position, like, if they majored in college for it, if they've had any internship or one, two, three years in something similar into a role, you know, type of thing. But you'll get tons, you know, that
Rick:Oh, yeah.
Justin:You know, that are just coming out of school, and it it it stinks, you know, into that. But, you know, like, I'm getting people that have been sorted into the role, you know, whereas people just want to get into the role, you know, without that. So I think we have a problem, and I I really wish that this is going way beyond our topic here. That's alright. But we need to get more into a more of an apprenticeship type thing.
Joe:Absolutely.
Justin:You know, type of thing. Like, you learn so much on the, on the job. Mhmm. In fact, I remember hiring somebody straight out of Pitt, one of these, had a curriculum. He, majored in information security.
Justin:Yep. He came in, and I was talking with some of them. We actually ended up hiring him. But one of the things that I like to ask, you know, and especially, like, junior people, is tell me right now what you think the number one threat is from a cybersecurity perspective. Open ended question.
Justin:Yeah. Not really a wrong answer. I have labeled questions as wrong answer to that, but, he came back, and I forget when this was, but he's like, oh, worms are really big. And this was, like, mid twenty teens. You know?
Justin:And I'm like, maybe back in 2006. Tell me now. He's like, oh, we just learned about it at at Pitt. I was like
Joe:That's what they're teaching you now.
Justin:Yeah. So, I mean, there's a problem in some of the higher ed that they've, you know, put their curriculum together who knows when Yeah. You know, because it was popular, and it hasn't gotten a major refresh. And we all know, like, if you're not invested in this industry, it changes from year to year on, priorities
Joe:Absolutely.
Justin:And stuff of that nature. So I think a lot of people, like, when you're asking, like, are can you critically think? Like, I almost don't care if you're interested in security. Can you critically think through a, b, c to get to the solution of x, y, and z? Completely.
Justin:You know, type of thing. And if you have interest in it and familiarity, great. You know, that's even bonus points. But I want a critical thinker at the end of the day.
Joe:There's an Einstein quote I just recently read that's related to that.
Justin:Oh, yeah? And it's Are you related me to Einstein?
Joe:I am. Okay. Cool. And, exactly. And it's that why is, you know, college is not to teach you facts.
Joe:It's to teach you how to
Rick:Right. How to think or how
Justin:to think. Yeah. Yeah. Well, we got I could go into a big thing about this. I'll actually send you guys a video.
Justin:I maybe I'll even put it into the show notes. There's one. He used to be a principal down in Texas, but he goes over our early education
Rick:Yeah.
Justin:And how way back in the day, it used to be called forensics where we would actually evaluate problems and come up with solutions, you know, to that problems. And in the early nineteen hundreds, like Dewey and a a number of other players into it basically got it from a kinda critical thinking to memorization and regurgitation Yeah. You know, type of thing. And we've shifted our whole educational system to basically just repeat what I say.
Rick:You know, type of thing. It's actually not like that globally. There's a couple, like, podcasts I've listened to recently that that have hit on the fact that's like, yeah. In other places, what they do is they set up, whatever, intellectual boxing arenas, essentially, right, to teach you how to fight collaboratively. Right?
Rick:So argue about a thing and get to a good place. And that's a completely different skill set than have you memorized these facts.
Joe:Yeah. What's the OSI model?
Justin:Yeah. Right.
Rick:Right. Yeah. That was
Justin:one of the things. Actually, this guy, you know, that he brought this out. They used to do forensics on, like, American history. They would have two students. This is in fourth grade.
Rick:Yeah.
Justin:They would have two students get together and say, you know, the, the Boston tea party where they threw the tea over into the boat. Was that a good thing or a bad thing?
Rick:Right. Right.
Justin:Now you take pro. Now you take con. Because Exactly. If you actually look at that, you're destroying somebody else's property. That could be a con, you know, into that.
Justin:And the pro could be like, well, there was an unfair tax, so there had to been, you know, some type of
Rick:Right. Right.
Justin:Right. You know,
Joe:we do that at work sometimes. We'll actually say, what do you think about this? Now you let's flip let's flip and argue the opposite and see where we come out of that.
Rick:Well, in some ways, it's like the developer rubber ducky. Right? Explain your code to the rubber ducky and then you, like, see your bugs. Right? But so so, yes, there there is a shortage.
Rick:There is a shortage. I think there's a shortage too. Just really my theory on why. Right? You kinda sorta started in security, but you really started in technology.
Rick:Right? Yes. You, I assume, also started in technology and got to security?
Joe:Yeah. Security wasn't a department at the time.
Rick:I also did the same thing. None of us started in security. We all collected skills elsewhere, primarily technology, but then some other adjacent domains along the way.
Joe:How can you secure something if you don't know how it works is what I always say.
Rick:Right. But we have a bunch of kids in school coming out with security degrees
Joe:Right.
Rick:That don't have the adjacent knowledge around, oh, yeah. I've been part of the help desk, and I had to learn these systems, or, oh, yeah. I started as a d b like, I actually the more I think about this is entry level security gigs are not necessarily always entry level career gigs. Right? That's my take on why I think there's
Joe:a high security gap. That are out there right now. If you're graduating college and you are looking for a job, maybe it might be better if you wanna be in cybersecurity to apply for that entry level cloud position or the entry level IT position. Learn how this stuff works and migrate into a security role.
Rick:Right. I think I think you need to understand foundational, like, how it runs or how you manage it or even how people use it. Right? Particularly how people use it. Right?
Rick:How do people use networks, and how shouldn't they use networks? Okay. Now I can secure networks because I can leverage, you know, some of that experience. So, anyway, that's my take on why I think there's this gap between people that can do a whole bunch of stuff in the security realm that maybe grew from somewhere else and people that are graduating in college and go, oh, no. And, like, and and they they can't quite do the security role as posted that might have ridiculous requirements anyway.
Rick:Mhmm. Right? That's a whole other thing. Yeah. Yeah.
Rick:But but they're like, oh, like, in people interviewing, I was like, I don't know that you can do this job. Yeah. I know you have a degree in it, but, like, I don't I don't believe you can do it because you can't answer these simple questions. Well, they're simple to me because, like, well, I grew up doing help desk, studied all these other things. So I I think there's a there's just a problem there.
Joe:A funny comment is I recently seen a job description that said needs seven years experience in a technology that's only been out for two years. Yeah.
Rick:Yeah. Yeah. I got that. Stuff all the time. But Let
Joe:me put a little context around this. So one of the one of the, quotes I picked up from, something was cybersecurity employers can't find experienced workers and new cybersecurity workers can't find their first job. And so it's leading to, the metrics are US shortage right now is approximately 450,000 professionals and globally 4,800,000. And so that's, I I believe those metrics Yeah. Are probably close.
Joe:And so I do agree there's a talent shortage, but I really think and we've been calling it out. Unrealistic job Mhmm. Expectations are being set, and nobody will ever be able to meet that, so you'll never find the right person. And then when you add to that, that, you know, you can't use a subcontractor. It needs to be full time employee.
Joe:And then when you add to that, we've gone back to the office. Yep. And you need to now go on-site with all the competing companies that will still let you work remote. It's going to create a huge challenge for somebody Yep. To bring in a person of that higher experience.
Rick:But I I think the worst expectation from a hiring perspective is that they're gonna start on day one. And I think this gets back to the thing that you said, like, hire a brain, hire a critical thinker. The experience I mean, it's great if they have adjacent experience and all that stuff, but look, I think a lot of organizations where they fail from a hiring perspective is they're like, we want you to have all the things so you can hit the ground running. Right?
Joe:Nobody hits the ground running.
Rick:Nobody hits the ground running. So don't have them start
Justin:on day one. A senior executive. Like Yeah.
Rick:Have them start on day 100. Make your plan. You need a ramp up plan, and honestly, the way particularly security, the way every organization is, I mean, there's some foundational
Joe:Every consultant we bring in
Rick:Everyone's different.
Joe:Three months of at least just figuring things out before you get assigned to, like, real dedicated work.
Rick:Exactly. And so I think these organizations are like, oh, we need a compliance professional or we need a security analyst or whatever it is, but we can't find anyone. It's like, okay. But are you planning on investing a hundred days of training to, you know, three whatever it like, right around there. Right?
Rick:To to get them to where they need to go. Yeah.
Justin:Because it's not even that. It's also the searching. You know, that added on to it too. Like, how long are you gonna
Joe:You'll go go six months a year with those Yeah. Exactly. Sure.
Justin:So imagine just with all that time saying and, like, I hate anytime I have to hire somebody. I love it because, you know, I feel like, you know, Teams are growing as a resource at home, but the thought of me going through the hiring process again is just Painful.
Joe:Yeah. Which goes back to what you said in the last conversation, which is you need to keep the pipeline up. Right. I have so many different thoughts that are percolating here. One is, why don't we instead of trying to, fill that cybersecurity role from an outside person
Justin:Mhmm.
Joe:Why don't we just get somebody who's operating in an IT operational role, bring them over, close the knowledge gaps on security. Right.
Rick:And this is where
Joe:I backfill that.
Rick:When I talked about, like, cross training and apprenticeships and all those things, like, maybe, like, on that that list of primary and secondary, maybe your secondary should be in different teams because maybe that's your feeder for some of those processes. That's a
Joe:good point. And then tying back to the first conversation, if people are being let go from other companies, look build a process to go and recruit the heck out of them. Absolutely.
Justin:Yeah. You should always I mean, if you have the budget for it, you should always be recruiting for top talent. Oh, yeah. You know, time to take again, you need to have that open, you know, for Yeah.
Rick:You need the resources to to do it. But I but if you don't, again, if if you kinda hit it at the source and you're competing for top talent, then, you know, you'll get a couple. If if you're not even playing in those realms, like, well, good luck filtering through those resumes. Right. And I think I've said this before on one of these podcasts, but, like, I also hate the I think the process by which resumes are filtered and all that stuff is just wildly broken.
Rick:And, again, it's why I get back to the hire someone for their ability to think critically, for their ability to assimilate information, for their ability to apply things rapidly, and reasonably quickly and correctly. The best security hires I've made in my entire career, neither of them came from a, security background. One came from a public service background. She's she's an incredible GRC person, who's doing awesome things now. And the other one was initially a PM, and then he moved into networking, and then I stole him onto the security team.
Rick:So, like, neither of them were, like, security college grads or anything like that. They're just bad great brains and Right. You get them where where you
Justin:they need to go. Right.
Joe:You just made me think of something. Let's flip it a little bit. If you're looking to get a job Yeah. And we we've covered we this is, like, a recurring topic for us. If you're looking to get a job, and I learned, in the last year that the way the AI that screens resumes before it gets to you is so broken that if you don't have a certain number of occurrences of a certain topic Yeah.
Joe:Like, for example, I heard that there was one of the the country's leading identity and access management experts
Rick:Mhmm.
Joe:Out there looking for a role. They came from one of the major companies that sell software to do it, and the resume was so well groomed. And I used to be in the mind of saying, let's make sure your resume looks really good and doesn't have a lot of you know, keep it short, concise, not a lot of repetition. And I now for a manager's eyeballs. Right?
Joe:Yeah.
Rick:Yeah.
Joe:But now, I heard that there was a screening that if that if Identity and Access Management was not mentioned at least seven times, the resume wouldn't make its way on to the next person. Right.
Rick:It's like SEO, but resume version. Right.
Joe:Right? So if you're looking to get hired, it's not wrong. Go work with a recruiting company. Ask them this question. Ask them, what do you know about the AI systems that's gonna review my resume?
Joe:And what do I need to improve it so it gets back past those filters? Yeah. And make sure you're working with somebody who knows how to help you with that.
Rick:Well, and if you don't have a recruiter, at least, at a minimum, have, like, ChatGPT or Bing or something build it for you. Right? I'm not a big fan of recruiters, probably. Oh, okay.
Justin:I don't know. I've had very bad luck with them. Sure.
Joe:But use you don't have to you don't have to take the job that they find you, but they have a lot of knowledge on how the hiring processes work.
Rick:Oh, because they're incentivized to know how it works.
Joe:And you can leverage that to your advantage.
Justin:And and to be fair, I haven't utilized one in decade plus of time, you know, type of thing. But I remember, like, some of the times that I've been assigned a recruiter, like, between jobs and everything, and I was teaching him Mhmm. On how to get jobs. You know?
Joe:I'm not saying you started your own company just because you didn't wanna
Rick:be a good one.
Justin:He's like, wow. Yeah. Those are really good tips and everything. I'm like, who's paid you? Like Right.
Rick:But but I also think
Joe:Don't pay a recruiter. That's my other thing.
Rick:Yeah. But I also think and I think we I believe we touched on this before. Yeah. It's they can be a numbers game and understand how to craft your resume to get through the filters, stuff like that. I'm a big fan of skipping the line.
Rick:Right?
Justin:Mhmm.
Rick:I think you should go to BSides, meet Joe. Right? Talk to Joe. Meet Justin. Talk to Justin.
Rick:Yep. Meet Rick. Talk to Rick. And communicate somehow that you have a good brain, right, or that you're interested in the topic or whatever that is that sets you apart. What's your superpower?
Rick:Right?
Justin:Mhmm. % on this.
Rick:And because I I just think even if you get really good at the algorithm, man It's
Joe:still who you know.
Rick:You're chasing that dragon.
Justin:It's still who you know. And I would say even on top of that, like, if it's in person relationship, great. Best part. If it's not, go to LinkedIn. If you can find out who the hiring manager or close thereof, send them a note Yeah.
Justin:You know, type of thing. Yeah. Like, hey. I just applied to the job. I think I'd do really good into it.
Justin:Please let me know if you have any questions.
Joe:Better yet, ask them for a twenty minute call. Yeah.
Rick:Get on like that. Yeah. And and that'll feel weird. Right? That if you've not done that before, it will feel weird.
Rick:Do it anyway.
Justin:But all of a sudden, your name is in their head, you know, onto this, and I almost guarantee you at least get an interview out of that.
Rick:The cold calls I respond to are typically the ones where someone has a really tight, kinda clever, one to two minute video that captures my attention. I go, you know what? I just spent two minutes watching this person talk to me about whatever, this marketing thing or this tool or whatever. Sure. I'm gonna I'm gonna hit them back and say So
Joe:you're saying, applicants should record a, thirty to forty second clip?
Rick:Do a video cover letter.
Joe:And send it. Yes.
Rick:Why not? Right? I mean it's it's what sales people do to get in front of leaders in organizations. If you're an applicant, you're selling yourself.
Joe:Yeah. That's great. So, you
Rick:know, one
Joe:of the things, to think about, and this is for everybody out there who has trouble hiring, is your organization unintentionally excluding qualified talent by per by prioritizing experience over potential?
Rick:Yes. I have. Yes. Get rid of if you are a security leader, I challenge you to go to HR and tell them to get rid of as many filters as possible and actively work with them
Justin:I agree.
Rick:To get rid of those filters.
Justin:What if you get a thousand resumes you have to go through?
Rick:Then then you figure out a different way to prioritize them. Yeah. It's so hard. It's not easy, but look, finding the best again, you're fighting for the best talent.
Justin:And I would agree, and I agree with getting rid of the the some of the filters, you know, with that.
Joe:Within reason. Yeah.
Justin:You know, like, I went through and just hired a developer last year Yeah. And I got close to nine nine hundred, a thousand applicants. Mhmm. I was spending seconds per resume. One one thing that, like, threw it off was in the garbage.
Justin:Like, if they misspelled one thing in the garbage
Rick:Yeah.
Justin:If they, you know, if it was a messy resume in the garbage, like, anything to lean me a a way of getting this filtered through was in the garbage.
Rick:I I mean, I almost feel like you you end up with better results. Like, don't like, almost don't even post it. Just post it yourself on LinkedIn. Like, the people that Justin knows. Right?
Rick:Like, I mean, I did it with you guys today. I was, hey, do you guys know, you know, a DBA developer guy? Like, because we trust each other's judgment
Justin:and all that stuff.
Rick:And Well, yeah.
Justin:And that's where referral programs are actually, you know, pretty good, into that for the most part.
Rick:Yeah.
Justin:You know?
Rick:But like a corporate posting, I mean, I don't know. You're almost signing up for spam. Yeah. But I
Joe:think we, yeah. What were you gonna say?
Rick:No. I was gonna say, but but were there other tactical tips that you had because you were
Joe:no. That was, you know, basically, make sure that you're migrate people from within
Justin:Yeah.
Joe:From other roles, get them in there. One of the things that, you know, there there's, for anybody in the Pittsburgh area, Pittsburgh Tech Council has this Apprenti program
Rick:Oh, yeah.
Joe:Which is made for creating apprenticeship style offers for, you know, for cybersecurity and other IT roles.
Rick:Yeah.
Joe:And so they're actually helping to solve this problem by getting qualified people. But I'm thinking about it, you know, for this purpose is, you know, you have you're the hiring person.
Justin:Mhmm.
Joe:You're having trouble. Root cause analysis that just figure out what it is, and then see if you can't solve it some other way.
Rick:Yeah. Yeah. I I I really like the concept of, like, oh, you're looking for good security people, like, poach them from other parts of the org because they already understand how other IT team
Justin:is gonna hate you. Well, well
Joe:then help IT because
Justin:they have to then go through the hiring process.
Joe:You need
Rick:to manage those relationships. Well, that's that's true too. Yeah. Yeah. Not by D backfill.
Joe:Because take all the resumes you're getting that are probably good for that other role
Justin:Right.
Joe:And just cycle them over. Yeah. Because they're probably right for that.
Rick:Yeah. That gets stuck once a job.
Justin:Yeah. Yeah. Yeah. And I think a lot of the like, we talked about, like, what our experience going into cybersecurity was always from other backgrounds.
Rick:It started in IT.
Justin:I remember in high school giving a presentation on how the Internet worked, how a packet got from your computer to another computer somewhere else, and all the steps in between and how routing work and IP addresses and all that stuff. And nobody was like everybody was like, wow. This was in the nineties, of course. But I challenge, like, everybody like, I do a career class, sometimes to my kids. Yeah.
Justin:And one of the things I talk about with cybersecurity is usually there's always a air of curiosity Mhmm. On how things work. That's usually a common thing when you go into any type of cybersecurity. Like, we have lockpick villages. Why do we have lockpick villages?
Justin:Oh, how does it work? Can I bypass it? Like, it's a curiosity nature of the
Joe:That is absolutely true. And speaking of Lockpick Village
Justin:I was gonna do the same segue.
Joe:Yeah. Yeah. It's segue time. And speaking of Lockpick Village and speaking of giving presentations, you know who really has an awesome Lockpick Village but also needs people to come present? BSides Pittsburgh.
Rick:That's
Joe:true. BSides Pittsburgh, so this is a quick reminder to everybody out there listening. BSides Pittsburgh is Friday, July 11, Rivers Casino. And this year, we're aiming for our biggest event ever, which is gonna be really tough because last year, we sold over a thousand tickets and we need to beat that. Yep.
Joe:So, we got some improvements lined up for this year. Last year, we had two tracks and we only had two thirds of the casino space.
Justin:Mhmm.
Joe:This year, we have the entire casino space, for the presentation. So we're looking to, end up with three tracks
Justin:Yep.
Joe:Of talks ranging from twenty minutes to fifty minutes, so we can get those shorter ones in. We can get the normal, you know, speeches in. We're working on fixing the congestion. Last year, we learned a lot of lessons. GM's up hallways.
Justin:So we've done work first year that the new build out with, like, getting rid of the cafeteria and everything.
Joe:They took the, buffet and Beautiful.
Justin:You know, into that, but obviously
Rick:New space and biggest event ever. There was some there was some crowded channels.
Joe:And we went from the full space that we had to the year before. Yeah. But this year, we had to put, like, sponsors on two sides of a wall. We figured we can only put them on one side this year, and we have the room to do it. Yeah.
Rick:Even if you didn't think it was bad, it'll be even better. Okay.
Justin:Yeah. Yep.
Joe:And then the capture the flag is moving back. Does anybody who went to the CTF, capture the flag this past year? It was in a new room. This year, they're getting back to the old I think it's called the Ohio room, and it's the one with the windows and
Justin:Oh, yeah.
Joe:The sound, and it's, everybody loves it there. The, oh, and then another thing is is that, I wanted to point this out. I heard from so many people that we failed to put on the schedule the after party from five to seven. Mhmm. So we have an after party from five to seven.
Joe:I mean,
Justin:shouldn't you just assume that?
Joe:You should, but not in
Justin:your money now. Yeah. Yeah.
Joe:And we didn't put it there. And then for those of you that are daring enough, if you find the right ones of us, there's usually an after after party.
Justin:That's true. I wanna go back to that bar. We will. Okay.
Rick:I suspect we will.
Justin:Yeah. Yeah. And, come
Rick:to the after after party if you
Justin:know the bar. After after party.
Joe:Yeah. Yeah. And if you are looking for a job and you network with the right people, you never know. Right? Yeah.
Joe:Another thing I wanted to point out is that if we get enough sponsors again this year, we're gonna opt for the best food option again, the best buffet that the casino has. We had that last year. We got so many great comments on, on that. So a couple of things to point out. The call for papers is open.
Joe:We need more talk submissions.
Justin:Yes.
Joe:As of a week ago, we had a good handful, but we want more.
Rick:Mhmm.
Joe:Out of those, I think there were only maybe two women submitters.
Rick:Yeah. Very few.
Joe:We need more. Right?
Rick:Yeah. Absolutely. Yes. Yeah.
Joe:And by the way, we I'm
Justin:not saying I'm a woman, but I was thinking about submitting.
Rick:Well, definitely submit and and also tell everyone in your network
Justin:as well. Also, I think I told you guys this, but a question to our audience too. I was thinking about doing a lightning talk for starting up a cybersecurity podcast and kinda go over our kinda adventure and equipment and ideas and format and, you know, what tools we use, you know, with that. I thought that might be an interesting it would be very interesting. You know, thing on, like, here's how we do, here's what our numbers are, you know, here's how
Joe:You know, just talking to somebody who said
Justin:cut, you know, all that stuff and everything.
Rick:I was
Joe:just talking to somebody, and I got to look at my notes, see who it was. And sorry if you're listening. I don't remember. But they said they want to learn how to do a oh, I remember who it is. I'm not gonna say it.
Joe:They wanna learn how to do a podcast. Yeah. And, they would be very interested
Justin:in that. That'd be cool. So, yeah, if you're interested, comment, you know, to us and everything. If we get, you know, a few, You know? I may submit that.
Justin:It's a I thought it'd be interesting. It's a unique experience. And if anybody's considering it, like, I'd give you all the Yeah. You know, what to consider pricing because these guys know me. But anytime I'm interested in something means, like, dozens of hours in front of YouTube.
Justin:So Yeah. Before we did this and I proposed, you know, to Rick and Joe that we get together and do this, I've done dozens of hours of research and and equipment and
Joe:And you can carve all that down to a twenty minute talk.
Justin:A twenty minute talk, you know, type of thing.
Rick:Well, and so if Justin, if you don't mind, let's put the CFP in the show notes. Okay. That'd be great. Yeah.
Justin:I'll do. Yeah.
Rick:And then everyone listening, if you don't mind blasting that out, it'd be greatly appreciated.
Joe:One other thing is, we have some women speakers from before. What I'm trying to say is, if you have at all any reservation because this is the first time you wanna speak and you're not sure what to do, reach out.
Justin:Yes.
Joe:We will tie you together
Justin:with person. Over the CFP?
Joe:You can yeah. Just email the email that, email info@bsidesspitzburg.com. Mhmm. And let us know that you want to,
Rick:You're looking to be paired up with a mentor.
Joe:Well, you wanna do your perfect. Yeah. Go to pitsec.com, get into the BSides channel, and start, chatting with people about it. So Yeah. Couple other things.
Joe:We need more sponsors. There's a ton of great benefits for being a sponsor. I think and I haven't found anybody to dispute this. We have the largest cybersecurity, conference in Pittsburgh, and we, none of the money goes to anybody's pocket. It all goes back into the event so that we can take every bit of funding and turn it into the best conference ever.
Joe:This gets so many awesome people there. So if you're a sponsor who's listening, go to the sponsor page of bsidesspitzler.com, apply for sponsorship. Most sponsors who apply get accepted to to do this, and they get put in front of so many qualified buyers.
Rick:Well and I'll also say, I walk around each year, and I know, Joe, you you make the rounds as well, and the the the individuals who are at the sponsor tables are generally very, very happy with the event.
Joe:Everybody gets we get rave reviews for that.
Rick:Yeah.
Joe:One other thing, register now. For the first time ever, we're doing something different with, the tickets. Mhmm. They we've kept them super cheap or probably the cheapest while being the best cybersecurity conference in Pittsburgh. They're $20 a ticket, but we've added an early bird, and it ends on April 14 because, and then the price goes up.
Joe:And the reason we did that is because we need to buy t shirts, we need to buy food, we need to make sure we have great counts. And so many half of our, tickets were sold in the last month, and we had to super negotiate with the casino, in order to get the food handled. And there was a ton of people who were disappointed they couldn't get a t shirt. Right. But we already ordered them.
Joe:Right.
Rick:So we wanna encourage everyone to to order early. Right?
Joe:Yeah.
Rick:And it's and to your point, it's it's an escalating cost because, it just becomes more challenging.
Joe:Yeah. That's
Justin:a big expense too. Like, you don't wanna order too many t shirts that, you know, you're not dishing out.
Joe:Right. Well, we only order for the number of people that we have tickets. So we actually manage that risk by only ordering if you've signed up by the date that we need to get the orders in
Rick:Right.
Joe:Which is at least over a month before.
Rick:And food too. We have to put in those orders early.
Justin:Yeah. Orders. Yeah. Yeah. I thought it was interesting.
Justin:It separate item was sorry. I thought it was the other BSides I just signed up for. It's in, April and everything. I just signed up, this week. They're already out of T shirts for, like they only have small stuff.
Justin:Oh, interesting. Really? Like, they're like, yeah. We're out of T shirts. Mhmm.
Justin:Oh,
Joe:so they ordered ahead and Yeah.
Justin:I guess so. Yeah. Anything else? Any other details?
Joe:What's that?
Rick:Any other details?
Joe:Just a reminder, submit a talk.
Rick:Yep.
Joe:We need sponsors. Go get registered. If you have a sponsor if you're working with a vendor and you love that vendor and you think they should be there, go tell them. Go tell them about it. Yeah.
Joe:And then, some other things that are going on. We have the various villages. We'll have Lockpick Village. Well, the wireless village. We got some surprises coming up that we can't talk about until, that.
Joe:Rick and I know about it because we're the organizing committee. Justin doesn't even know about it.
Justin:I don't know about it.
Joe:Yep. And we're not telling him.
Rick:That's gonna be fun.
Joe:So all kinds
Justin:of stuff. Something's finicky. That's all I know. It is not. That way.
Rick:I, one other note that I'll say is if you are 21 or you have people that are 21, just be aware there's some extra processes to go through with the casino. So even more important that you register early, or register those individuals early so we have all those counts right and and all that stuff. So Absolutely. Definitely tell your friends it's a great time. Attend, learn a bunch of stuff, do a bunch of networking.
Joe:Yeah. Hey. Cheers to that.
Justin:Cheers. Yeah.
Joe:By the way, last year, we asked the casino to open the bar as early as possible, and they did.
Rick:I saw that in the planning notes.
Joe:Yeah. Yeah.
Justin:Yeah. And to the this year. Right?
Joe:This this'll happen every day.
Rick:Yeah. There's a new standard. Yeah.
Joe:And speaking of I don't care
Justin:about pass. I
Rick:yeah. Right.
Joe:Speaking of having a drink, what are we drinking?
Rick:Yeah. Rick. So we are drinking Lady of the Glen. They are an independent bottler out of Scotland. I, recently got to do some work in Scotland.
Rick:If I got to hang out with you in Scotland, you are awesome. Everyone that I hung out with there was super cool, so shout out to them. I also where I bought this, Aberdeen Whiskey Shop. And I met an individual named Brian who was extraordinarily knowledgeable, very generous with his time, and I did not spend nearly enough as much time as I wanted there. Or money?
Rick:Or well, yeah. You can only bring home so many bottles. But You didn't bring
Justin:a suitcase just for the bottles? I did not. No.
Rick:I did not. But, but Brian actually, has a history in IT. So we're meeting more and more people that are these kindred spirits of, you know, IT and security folks that, so, anyway, shout out to Brian. Thank you. You're awesome.
Rick:But we're drinking this Lady of the Glen. So what they do is they go around to various distilleries in Scotland, perhaps some other countries nearby as well, but they'll they'll find a unique or interesting cask, and then they'll do a bottling of that cask. So it's not just Ardmore who who produced the spirit for this.
Justin:So they'll buy a barrel and then put it under their own label
Rick:and everything. And they might do some extra finishing. They I don't think they always do but they might sometimes.
Justin:Got it.
Rick:You know, the rules with scotch are a bit more broad, I think, in terms of, like, how you can manipulate the juice. But yeah.
Justin:And I thought that was interesting. They so it's 10 years old. Yep. It's a higher proof. We were a little bit surprised on first sip.
Joe:Got much nicer once I added a couple drips of water.
Justin:Yeah. 57.1% alcohol. Yeah. So a little bit on the the hotter side and everything. But the finish is in a it was like Like, Oloroso.
Justin:Oloroso.
Rick:Sherry cask.
Justin:Yeah. Essentially, that's what it is. It's a sherry cask, but, I never heard the Oloroso, finish, which actually you can actually taste that. Oh, yeah. I have a harder time with scotches because I'm not used to it, and the peat just hits you.
Justin:And this is a higher peat, you know It definitely is. You know, flavor with this. So with such a dominant flavor to get, like, some of the subtleties out of a dominant flavor I'm not used to, it's hard to pull out some of those.
Rick:But This is the less smokey of the two that I brought back, so you're welcome.
Justin:No. You know what? I don't mind, like, doing this, you know, on an occasion. But when I'm trying to pull out notes, it's hard when I'm not used to, like, a peat always be in there. I get a lot of cough
Rick:I do get the coffee. You get you coffee grounds? I feel like I do. And then, like, a bunch of honey.
Justin:Yeah. So they said, tasting notes is chocolate raisin, coffee grounds, and honey on toast.
Joe:Okay.
Justin:Yeah. So and I actually get like, I taste more of the, the sherry. Yeah. You know, into that as kind of the finishing note into it. So But
Rick:fun. So so this typically doesn't, doesn't leave Scotland unless you, like, buy it from a website or something like that. So you can't Okay. Generally go.
Justin:But you bought it for The UK market.
Rick:Well, it says for The UK market because they put that on things that
Justin:are produced in The UK. I don't know how to put ours where.
Rick:But, anyway, Brian was awesome. If you happen to be in Aberdeen, go to the Aberdeen Whiskey Shop. They have a bunch of stuff. They even had a bottle, that that I got for, another friend of mine that you can only get in that specific whiskey shop, which is pretty cool. But these are are very, like, local to the region.
Rick:So yeah.
Justin:We don't
Joe:have to edit any of this out because, of export laws. Right? You didn't No.
Rick:I went to your customs. This is all good.
Joe:It's all good. I'll I'll get you. Good. You didn't sneak it in, through your luggage? Okay.
Rick:I mean, it
Joe:it it
Rick:was not snuck, but it was in my luggage. Yeah.
Justin:Yeah. Very good. Very good. Yeah. Well, I like your ride.
Justin:Cheers. Thanks for bringing this. Alright. So what else?
Joe:Well, I'd like to introduce the next topic. Yeah. Something I keep running into. So, high level. Is your c suite cyber crisis ready?
Joe:So how many of us, and I think we'll all raise our hand and a number of listeners will too, have gone through your IT and IT security tabletop exercises. So we do that. Yeah. How many times do you go through the exercise and you talk about things in generalities or assumptions of what is gonna have to happen at the C-suite level, but you're not quite sure. And what I'm proposing is now is the time to bring your C-suite into your crisis management program and, your tabletop exercise.
Joe:And, again, like we said earlier, all risk, all cyber risk is business risk. Let's bring that in and start getting the C-suite involved in your tabletop exercises.
Rick:Yeah.
Joe:So, have you guys gone through and had CEOs and the such be part of your tabletops?
Rick:In prior roles, yes.
Justin:Yes. Mhmm. And, obviously, in prior roles, you know, type of thing. I'm actually curious who doesn't do that. Oh.
Justin:And I'm sure there's a number, but I can't imagine taking over a security leadership role right now and not considering that.
Rick:Well, I think there are times where sort of executive leadership is uninterested in engaging, either for historic reasons or just because maybe the risk communication dialogue isn't as mature as it should be.
Joe:So do you think that executives are
Justin:I usually tend to say, I don't care. You're participating in this anyways because something's going to happen. You know, I usually say it's not if it's when. You know?
Rick:But you're also equipped to have the mature risk acceptance dialogues, whereas I think in some organizations, if they haven't been exposed to leaders with that mindset
Justin:Right.
Rick:Right, that have either forced the issue or encouraged the issue, you know, they just might not be there.
Justin:And you need to be very respectful. Obviously, you know, these are these meetings get expensive very fast. And if you don't have your ducks in a row, you will get beat up and out the door very quickly.
Rick:You won't get another shot.
Joe:However, if it's done right, the consequence of not doing it
Justin:Oh, yeah.
Joe:And the lost revenue that probably will happen
Justin:Yeah.
Joe:When the leadership is not prepared is gonna be so much more significant than what those, three hours Right. Equaled.
Justin:And any leader worth I don't care who it is. Any leader worth their salt knows this is important to run through and have a generic game plan to go through.
Rick:Again, if they've been communicated to appropriately. I've seen a couple organizations where they're operating under, you know, a false sense of security or they've had, you know, sort of the bad CSO, perhaps, that has hidden problems in the past. Oh, no. No. No.
Rick:I got this. I got this. I got this. And then you know? So I think it's very real that there are organizations that have not engaged in that way.
Rick:And I agree with you, but it can be a journey to get executives that are of one mindset into the next
Joe:level. Executives at the c suite level are treating cyber incidents with the same urgency as other business crisis issues.
Rick:I I think I think they need to be framed as such. So I'm a huge proponent of, like, even and this might be a step too far for some organizations, but I don't even like calling it incident management from a cybersecurity perspective. I it's all emergency management.
Justin:Right.
Rick:Right? A cybersecurity incident, a business continuity thing, a disaster recovery thing, a PR thing, and from my perspective, I always encourage emergency management.
Joe:Yeah. I would say they're called crisis management.
Rick:Exactly. And in my opinion, it should be one thing with a bunch of different playbooks.
Justin:Yeah. Oh, I can't agree more. Yeah. Where you layer it up to the right level of engagement. Exactly.
Justin:And because, you know, depending on the issue.
Rick:I've seen some early maturity organizations that invent all their silo-specific emergency plans, and then everyone's trying to be like, hey, mister or missus executive, do you know what you do if there is a PR issue? Do you know what you do if there's a legal issue? Do you know what you do if there's that? And it's like, well, why do I have 30 different plans for dealing with a major emergency? There should be a major emergency plan.
Rick:You get the right experts in the room, and they help walk
Joe:the processes.
Justin:But sometimes that is so look at UnitedHealthcare, a months-long issue, you know, type of thing. Like, that's not just let's meet for a few hours and figure it out. You know?
Rick:Oh, no. Like, you need I mean, again, organizations of a certain size have kind of parts of the organization dedicated to, right, business continuity or crisis management or all these things. I think the cybersecurity component of that needs to be integrated into the larger Yeah.
Joe:Don't get me wrong. The couple hours is really performing a tabletop to start uncovering where the disagreements are. And so one of the things that Yeah. Yeah. But I think this
Justin:was saying, like
Rick:Building it out.
Justin:Build it yeah.
Joe:Oh, no. That's not a couple hours.
Justin:No. Yeah.
Joe:That's a lot of collaboration. Yeah. So I've experienced where everybody thought the leadership were on the same page with what they're gonna do for paying a ransom. Once we got them in a room and started talking about it so, practically, how do you get this done is, we've taken your normal tabletop that you might have in IT security. Everybody likes to use a business email compromise that turns into ransomware. Right?
Joe:So we start the exercise at the point where IT and security have been working on a problem for about half a day, and we realize where it's going. And that's where we tell the executives we're starting.
Rick:We need to ask.
Joe:And we sit there with them and say, here's the situation. We're already up to here. What are we gonna do? And I've observed top leaders who all thought they were on the same page with how they're gonna pay a ransom and how much they're gonna afford to pay and what they're gonna do start debating the different opinions. And that became a really quick time to say, look, we don't have a decision here.
Joe:Let's put this on a to-do list and then move on to the next part. And it was so clear to them. They had clarity like they never had before coming out of the other side of this that they need to focus on building some better plans and do what I call strategic preparedness.
Justin:Mhmm.
Joe:And so we take it from that point, which was a lot of what you guys are saying. It's one plan
Rick:Yep.
Joe:But then it has its parts Right. In different playbooks.
Rick:Yep. Exactly that.
Justin:Yeah. That it needs to be a modular, you know, type plan where you can execute these different parts and everything because some issues might need a PR, you know, thing. Some might need a legal aspect. You know?
Joe:I would say they all need all of that. In fact,
Justin:I think the consideration, but not always the execution of it is, I guess,
Joe:what I'm talking
Justin:about. If you catch
Rick:it depends
Justin:on the issue. Yeah.
Rick:Well, let
Joe:let's look at it this way. The whole purpose of a good IR plan is it never gets to a certain point. A good IR plan
Rick:Right.
Joe:Lets you identify a problem before it gets to the point of being a breach. So incidents, you'll have them. A breach, you might have enough preparation to stop the breach from happening because you catch something. When you don't stop it from happening and you are breached and that data is out there and your systems are encrypted, that's where PR is gonna be super important because now you have customers that can't have access, and somebody's gotta get
Justin:Right.
Joe:Out and talk about this.
Rick:Yeah. Legal is always my fault. Privacy might matter. Compliance p like, contract people, like, yeah.
Joe:So what I urge everybody to think about is, if your company has already talked about, what are we gonna do if there was some kind of ethical misconduct? How many companies have had a leader step out because of harassment or some kind of executive problem and they decided to resign?
Rick:Yep.
Joe:We know they're not really resigning. They are asked to leave. And those become major incidents.
Rick:Oh, yeah.
Joe:Well, they already have plans for that. They already are talking about what they're gonna do to get and do the PR work. So for the same purpose, if there's a cyber crisis that makes its way all the way to the point of being so much of an interruption that you need to have your top leaders get out in front, call your best customers, tell them what's gonna happen, tell them what your plan is. I mean, how many companies that you work with actually have a separate dark website already set up and prepared so they can turn it on really quick? Because if you're gonna start to do that process while you're dealing with the incident Alright.
Joe:It's too little, too late.
Rick:Right. Yeah. Well and I agree.
Justin:There's legal firms that you can actually outsource all of that to. Oh, yeah. You're gonna pay more of a pretty penny, obviously.
Rick:And then integration with insurance companies and all these different things. Right? So there's all these parties that are internal and external that are potentially in play, but I think anyone who's listening that sort of maintains their own cybersecurity response plan, like, if you have a larger parent crisis plan or emergency plan that's different for some reason, start having those conversations to get them integrated.
Joe:Two things that come to mind. One is, let's talk about the cyber insurance. Lots of companies are getting cyber insurance. How many do you know that are getting on the phone with the cyber insurance carrier and taking advantage of everything they offer? Well, we'll call it free, but you're already paying for it.
Joe:But it's free after you've made your payment. Not everybody takes advantage of those. Are you seeing
Justin:Well, a lot of it is garbage too. But in what way? Like, I've seen some templates of policies that are boilerplate garbage or some of the stuff. Some of the stuff might be good, you know, with it, but a lot of the insurance companies are like, here's all the free stuff. You know, put this BCP plan in and just turn it on and you're good, you know, or something like that.
Justin:And it basically says call us, you know, or something like that.
Rick:But even if it's bad, I think And they don't customize it
Justin:or anything like that. Yeah.
Joe:You probably customize it.
Justin:You still Well, yeah. No doubt.
Rick:You still should engage because, like, the more you're engaging with your insurance provider Yes. The less recourse they have not to pay you the money because you haven't done the things that they've been doing.
Justin:You really need to understand the terms and conditions of what you're signing up for. Like, I think that's some of the most important stuff, and go through it. Like, one of the things I always love to do is go through it scenario-based when you're, like, really understanding your policy and saying, you know, what would we get reimbursed for? What are the things that would preclude us from being reimbursed?
Joe:Like totally love that idea.
Justin:Type of thing. Like Right. If we get a back and we transfer the money out, do we get still reimbursed
Joe:for that? Right. Tabletop it.
Justin:Exactly. If we hit send on the wire, is that counted as part of our policy? Yes or no? You know, type of thing. And make them actually answer serious questions about this.
Justin:Obviously, nobody wants to have that happen, but there have been several things where the presumption was we bought insurance for this case, and we submitted. They're like, no. You sent that money out yourself.
Rick:And your agent should be able to answer those questions in the way that you frame them, and that's the important part.
Joe:Even beyond the agent, a lot of the larger companies and I'm actually talking about your multibillion-dollar companies that get the cyber insurance that costs several hundred thousand dollars in premium a year. Mhmm. You're working with some of the best cyber insurance people out there.
Justin:Oh,
Joe:yeah. Those companies, they actually have dedicated people who are actually waiting to work with you.
Justin:Mhmm.
Joe:And the number of companies I talk to that either say they're planning to do it and haven't done it yet or just didn't even realize it was an option is astonishing to me. And so when you call them, there's several things you wanna look for. One is you wanna take a look at the panel.
Rick:The and
Joe:if you don't know what a panel is, it's the preapproved vendors that the agency, the insurance company, says
Justin:Right.
Joe:You can use. And what you do not wanna do on day zero is call them up and say, I have an incident, and they say, which one of the people from the panel or companies from the panel do you wanna use?
Rick:Oh, my standard's with someone else.
Joe:I don't know. Or I don't know. Yeah. And so look at the panel, figure out which one of the IR vendors, I don't wanna mention names, are the ones on the panel. Call three of them up.
Joe:Make this a project to select one. Negotiate the terms, get it down, figure out who you're talking to, and actually involve them in your next tabletop.
Rick:Well, I'll also say though, And I'll
Justin:also say if you go with another vendor whether that's covered or not.
Joe:That's another topic.
Justin:That well,
Rick:that's what I was gonna say though. If you already are engaged with an IR provider or have a retainer with someone, oftentimes, it is within the agent's jurisdiction to get people added and removed to that list from your policy. So if you're already engaged with someone, you you're not necessarily completely required to move to someone else on the list.
Joe:%. In fact, I was, I have a customer, was on their executive steering committee for their cybersecurity program Mhmm. That had the CFO, other VPs on it. And what I learned is that they did a really good job. They got their cyber insurance.
Joe:They had their own attorney, their external counsel. They got them added. And so it is not impossible. You'll get pushback at first. You have to work the system Yeah.
Joe:To get them in, but you'd totally get them in.
Rick:Yeah. Absolutely. And so if you have existing relationships but it's critically important to get all that figured out in advance, to your point. You don't wanna be using someone that's on a non-approved list or whatever when you're in the middle of the issue.
Justin:Right. Yeah. The last thing you wanna discuss while you're in the middle of an incident is whether it's gonna be covered or not. You know? Well,
Rick:well, it gets even messier though because if you have your own forensic experts come in mucking about with stuff and they're not on the list, well, now there's this potential divide between what was allowed to happen, who was allowed to work on this, and the people that did work on it. And it's just a lot to untangle in terms of trying to Yeah. Recover the cost.
Justin:And I've heard horror stories where they've actually brought in multiple forensics. Like, they didn't do the initial forensics, you know, with the, preapproved, then they had to bring in the preapproved, pay the money for the exact same thing.
Rick:Yeah. And that's another thing that you can do sometimes too, if there are people on the list and if your agent or whoever at the insurance company doesn't let you switch to someone you wanna use. Well, you can set up situations too where you're just like, okay. Well, I'm gonna have this external incident commander, but they're gonna work with your approved firms.
Joe:Right?
Rick:Yeah. But, again, you have to get all that coordinated in advance or else it's not gonna work.
Joe:All the time. We do that sometimes. Yeah. Actually, I heard this story, and it seemed really good. Again, I'm not gonna name companies, but there's an excellent managed service provider that also does MSSP work in Pittsburgh.
Joe:And they have gone to the point where their incident response process is so good that once they explain it to the company, they're brought in. So the point from that is don't take no as your final answer from your cyber insurance provider Mhmm. Until you've had the conversation and really said, look at what they're doing Yeah. And tell me if this is not meeting your standards
Justin:Right.
Joe:And try to get it covered. Mhmm. Yeah. Yeah. So
Justin:Yeah. And and but this is all pre stuff. You know? Again, going through,
Rick:you know, the plan. Yeah. And and, again, in your cyber your cyber incident insurance, again, I I think it's all part of crisis management. Right?
Justin:Right. Absolutely.
Rick:How different is it than insurances of other types? Right? Your PR-type insurances, your other business interruption insurance, those types of things. And, to your point earlier, when you're asking about, oh, would this be covered or would that be covered? Right?
Rick:Throw some blended issues at them. Right? Yeah. It's a cyber thing, but it caused a business interruption issue or whatever. How would that work?
Rick:What are our limits? How would, you know, how would that flow?
Joe:Right. So what we're seeing in practice is companies run tabletop exercises, but I see the C-suite is not involved enough. So that's one of the things we're seeing.
Justin:One thing I just wanna add, we really have I mean, we touched on a number of the modules and practicing it and insurance and all that stuff. I mean, one of the biggest things running through either incident response or crisis management is just settling on what your communication strategy is and the iteration thereof. You know? Like, a lot of people just assume email and or Teams is gonna be, like, there, but it's not agreed upon. It's not guaranteed.
Justin:If you're dealing with an active incident where your entire business is not collecting revenue, like, it's the bridge is open a %, and there's people leaving, coming back with more information, leaving, coming back. Like Well, let me throw a
Joe:twist into there. Yeah. I was on, so let's go with the assumption that what was actually compromised is you have no communication. Your email infrastructure is down. Right.
Joe:Your Teams is down. Zoom is down for you. None of these things you typically use is up. I was on two different calls this week
Justin:We're going back to our bridge. Typing in the code?
Joe:It almost exactly. Day. These companies now are creating these crisis management emergency communication systems, but they're actually evolving it much more than so we had a really good one when I had to deal with a hundred thousand students at a hundred locations across the country. We had one and it had great functionality.
Rick:Yeah. Third third party app type thing.
Justin:Yeah.
Joe:Yeah. And it's all able to be done separately.
Justin:Yep. Mhmm.
Joe:You put in all the information. I'm amazed by the abundance of features that they're building into these now.
Justin:Yeah.
Joe:So you need to really look at them
Rick:Yeah.
Joe:Because you can you could store your BCP plan out there, all your crisis plans Mhmm. Out there on their system.
Justin:Like those vendors.
Joe:They have the ability to do things like polling. They can just send a note to everybody. You can just hit one like I'm still alive. I got the message. Yep.
Joe:And it's just, it's phenomenal
Justin:Yeah.
Joe:How many features there are.
Justin:We had that when I was at BNY Mellon just for the employee thing. And you know what? It's great, like, you know, not just even being pulled on a crisis man 50, but what if we get hit with six feet of snow? Like, hey. The Pittsburgh office is closed.
Rick:I was gonna say the exact
Justin:exact One for acknowledgment.
Rick:It's actually really good, if you can employ a system like that, to find ways to utilize them more frequently. Okay? It's not a super crisis, but look, it's a snow day from, like, a work from home perspective. You know, people would come in, exercise it. Right?
Rick:It's useful to use because then you'll find, oh, wait.
Joe:Muscle memory.
Rick:Well, that and also, like, if there's, oh, yeah. The interns aren't in the system. Right? They occupy a different thing in HR. Oh, no.
Rick:No one told the intern. And then you're like, oh, well, that stinks. But but now it's solved if there's a real big emergency.
Joe:But, like, the last thing you want is for that not to work during an active shooter situation.
Rick:Exactly right. Exactly right.
Justin:Yeah. So, yeah, I like a lot of the tools, but even like, that's one of the core components of any good crisis management is thinking about communication, iteration, and how you're gonna, you know, make active decisions, you know, during that time. And, I mean, if you've never been in it, it is hell. You know? People are stressed out, usually lack of sleep if it's going on day two, three, four.
Justin:It is not fun. It is high stress, and everybody's looking for answers that there's oftentimes none yet, you know, type of thing. So you need a good way to triage that stuff or back table it, you know, quickly. And, you know, there's things that you just can't answer immediately. You're like, I'm gonna have to send an engineer out to get that answer.
Justin:Like, how many records were, you know, like, compromised? Can we still do this function? I don't know. Let me let me go see, you know, type of thing.
Joe:So what takeaways do you have?
Rick:So, I mean, I just keep coming back to that. If there's a larger, broader executive-level crisis plan already, make sure that your IT security plans are fully integrated, ideally components of that bigger thing.
Joe:I agree.
Rick:Right. That's really good. I
Justin:think we all agreed it should be essentially one big unified plan tiered out to the level of, you know Yeah. Yeah. Yeah. All the attention you need it to Yeah. Yeah.
Justin:Yeah. Modularize, you know, into that. Like, you know, you mentioned it, like, whether you call it incident response plan or whatever term, it's just dealing with an emergency or crisis. You know?
Joe:In fact, sit down with the leadership and say, here's the gap. What do you wanna call it? Because we'll call it whatever the top leaders are calling it. We already talked about it. If we can get buy in.
Rick:Yeah. And I think that that's a key, and and we circled around this a little bit earlier too. Like, if your leadership's not engaged, right, you need to start having those conversations to figure out why are they not engaged. Is it a problem of understanding the actual risks and outcomes? Is it a problem of them not knowing, well, what would I do here?
Rick:Wouldn't, like, the security senior manager just deal with all that? Like, it like, where are the issues of why they don't think they need to be engaged? And, again, I think tying it to a broader plan can just be easy.
Justin:Like I mean, we've had several incidents where it's organizational wide, you know, type of thing. And, like, just, you know, like, last year, UnitedHealthcare, huge,
Rick:you
Justin:know, type of thing. Yeah. Like, somebody's saying, can't just the cybersecurity manager deal with that? I was like, no. You know?
Justin:Like, that's not a cybersecurity manager. You know? Yeah.
Rick:I mean, I I agree with you, but I we have to have those conversations.
Justin:Right. You know, type of thing. And, obviously, we we never want these instances to happen. Mhmm. But the better you practice this, the more than, Joe, you mentioned at this point, you're gonna minimize the impact to it.
Justin:You know? If you catch it early and often and have a well exercised plan, you're gonna minimize it. You're gonna triage it quickly and hopefully come out with a minimal impact with, you know, at least, damage to Yeah.
Joe:Bezos. If you're a multiple hundreds of millions to billion dollars of of a revenue company, and you're having an incident, and you have every company has a biggest client. Mhmm. There's gonna be the biggest one everywhere.
Rick:Yep.
Joe:Who are the top five biggest and who's calling them? Hopefully, the CEO is going to make the call Mhmm. To the top five biggest customers, their clients, and explain the situation and give them confidence that something's gonna happen.
Justin:Right.
Joe:And if you haven't talked about that
Justin:Mhmm.
Joe:Do you think it's gonna happen
Rick:Right.
Joe:As flawlessly as it could? It will not.
Rick:Absolutely right. Yeah. Well, and, yeah, just the coordination, like, when you're really dealing with big stuff like that, like
Justin:the
Rick:legal coordination, compliance coordination, all that stuff, like, you really do wanna make sure that you have all the important heads of state thinking about this in advance so that the plan is not gonna go out of balance. Starts a
Justin:lot of it. Like, a lot are settling into three days you need to notify some of these
Rick:Yeah.
Justin:You know, legal, like, the
Joe:SEC stuff?
Justin:SEC, AGs of certain states. You know, just whatever it is, you know, New York DFS, three days. You know? Like, from when you know it's an incident to when you notify us, you got three days, you know, type of thing. So you don't wanna think about that, like, while you're in
Rick:the middle of
Justin:still triaging the incident. Can. Go, like, who do we need to contact? You know, type of thing.
Joe:Have a list documented.
Justin:Yep. And that should be that should be on legal side to do that. You know? Like, they most likely will have nothing to do with, you know, containing and triaging.
Rick:But even the coordination, like, with the NYDFS stuff as a for instance, like, they have an electronic form they need to fill out with very specific information. So, like, how do they get that from IT? How do they make sure it's correct? How do they you know, all that stuff is you know, again, when you put people in the situation with the tabletop, if it's not in place, you recognize pretty quickly it's not in place as long as you're running it through the process. Right.
Joe:How many companies do you think, during their tabletop, are actually going to the DFS website, getting the form, and saying, do we know how to fill this out? That's a takeaway for me today.
Justin:Oh, yeah. Yeah.
Rick:Yeah. Well, and because there's some fields on there where you're like, well, yeah, lawyer got that. Like, I've run some of these exercises recently. Lawyer got that, lawyer got that, lawyer got that. Wait. Lawyer needs that.
Joe:Yeah.
Rick:By submission, how are they gonna get it? Right. IT is gonna need x amount of lead time to pull that and understand that. Wait. So then we need to start the query or the process at this point in time to make sure the lawyer has the data by this.
Rick:Like, it's it's just the, you know, plan forward and backward type thing.
Joe:I love it.
Justin:So, yeah, it's a lot of difference. One thing I wanted to ask you guys to kinda finalize this topic here. What do you think, and this is generically speaking, is the right amount of time to pull in the C-suite for this crisis management? How many times a year? How long do you think?
Joe:Realistically so I'll tell you what I wish would happen, and then I'll tell you what's gonna happen. So I wish you were at least getting twice a year.
Justin:Yeah.
Joe:But damn it. I really hope you can get that once-a-year time. And when you do, it needs to be so valuable that they see Yep. Why it makes sense for them to prioritize this stuff. And if you're not tying it to business risk, not tying it to potential overall corporate funding, revenue loss, once you do that, they're gonna see the value in it, and they're gonna understand it.
Rick:Right. I think that's right. I'll just bring it back again. I think part of the value of, like, fully integrating into business-layer crisis plans or emergency plans is that those things are gonna be exercised for different reasons. And if you can attach an IT inject, right, or a cybersecurity inject to the PR crisis or to these other things that are occurring, you might be able to get a couple additional reps.
Rick:Right? Because if legal has one or, like, ethics has one a year and IT kinda gets a DR thing every year and whatever, you can probably find ways to at least exercise elements of this as part of Yep. Other people's full-on plan exercise.
Justin:I can't
Joe:remember when I said this earlier today in this conversation because it came up three times today. But when I was at the Department of Homeland Security CISA session this morning, somebody made a great comment. And it's that even on the physical security side, everything is cyber.
Rick:Yes.
Joe:So you can go back to the fact that everything is IT and cybersecurity in every one of those examples you gave.
Rick:They're the tools that underpin everything. And so, yeah, if you have a financial crisis, you have a vendor crisis, you have whatever, you can figure out, again, as long as you're integrated appropriately, I think you can figure out ways to get additional reps on the cybersecurity side if you're locked in
Justin:that way. Yeah. I would agree with you. Two to three hours a year, place a year, ideally.
Joe:If you can get it.
Justin:If you can get
Joe:it. So how do you position it so that they are asking for it?
Justin:They're asking for it?
Joe:Is that possible?
Justin:It would take I mean, usually, where's my book on nudging? Oh, it's gonna come to take Yeah. I mean, that usually takes a while, slipping in education and, you know, bringing up other people's missteps, you know, or even successes. You know? I mean, I've mentioned United a few times, you know, because that was such a massive incident that lasted so long, you know, type of thing.
Justin:And, obviously, they didn't do a lot of things, you know, great, you know, into that, but they did their response fairly good. You know? Like, they didn't drop the ball after the incident. You know? I think they did a lot of coordination.
Justin:They had a lot of calls. They did a lot of reach out, and the way they did it wasn't spur of the moment. Like, you could tell they at least had some of the stuff and pillars in place, you know, into it. If you can point some of those successes out and, again, you can't force people to take it seriously. But if you give them the case and I you know, like, that's one of the things I think a lot in security, especially new leadership, your job there isn't to prevent.
Justin:It's to minimize incidents. You know? And I'm all I always say, like, there's gonna be an incident at some point.
Rick:Yeah. You
Justin:know, type of thing. Like, if we prepare planning for an incident, we're gonna be better off, you know, into that. And, you know, as we get senior leadership into that, you know, when it goes up to that level, like, if I can handle it at my level, great. You know, I'm gonna do it and just let them know, hey. This happened, you know, type of thing.
Justin:But that's not always the case. You know? If it's impacting revenue and customers and and legal and,
Rick:you know, regulatory stuff. Need to know about that.
Justin:Yeah. Like, this is going beyond my pay grade. You know? This is a multi department company response, and we need to be all on the same page Yeah. You know, into this.
Justin:Perfect.
Rick:Like, how do you get them to ask for it? I think it's gonna be hyperdependent on the state of the business, the personalities of the executive team, the politics at play at any given moment. I think the real way to do it, and it's a generic answer, but you really need to understand what's important to them. And to your point before, everything is cybersecurity tools at the end of the day. Right?
Rick:So figure out what's important to them. Figure out what risks they're worried about or figure out what message they wanna deliver to the board or to the market or whatever. And frame your exercise as a way that they're preparing to hedge against certain risks or dealing with political situations or whatever.
Joe:Every risk is a business risk.
Rick:Right. So I think the real way to get them to ask for it is to make sure that you're well in tune with what's important to them in the moment, but them being executive leadership team, in making sure that they understand that you can provide a tangible benefit or a tangible path forward in a way that, is is gonna help them outside of just the cybersecurity thing. Right? Help them with the problem they're concerned about even if it's not the cybersecurity problem that you're concerned about.
Joe:Right. Business continuity. You wanna see the business continue. Rewind this video back to the part where, I talked about how do you bring, the executives to the point of wanting to make sure that they understand how they're gonna communicate to, to the to their customers Yeah. What's going on.
Joe:And if you can get all of this process down so my my takeaway is plan out your next tabletop, figure out what went well in your last cybersecurity tabletop. Pick a point in that where you say now is the time we need to bring leadership in and convince them to join the meeting. And then when they go through the exercise and you properly run them through the steps. And if you need help, call one of the three of us. We know how to do this.
Justin:Not me.
Joe:Alright. Call the two of us. We know how
Justin:to do this.
Joe:I got people who know how to do it.
Justin:Yeah. Yeah.
Joe:And we will walk you through how to engage that executive in a way that gets them thinking about what they haven't thought about before and what has what I've seen happen is that you're no longer you're no more than just a month or two past that exercise and the CSO starts getting questions.
Rick:Oh, yeah.
Joe:When are we doing the next step on that crisis stuff we talked about?
Rick:Mhmm.
Joe:And when that happens, you are now in a winning position because you now have leadership wanting it. What happens when leadership wants it? They find the budget.
Rick:Oh, yeah. They help
Joe:you get things done. You tell them what you need to solve the problem that they recognize.
Rick:That's exactly right.
Joe:And you will be in a successful position as a business leader. Cybersecurity risks are business risks. Cybersecurity leaders are business leaders.
Rick:Absolutely right.
Joe:Let's figure that out.
Rick:Yeah. And I I would just add one thing to that for consideration is partner up with another department. If it makes sense to do so on these crisis things. Right? Make it a a nested, multilayered thing.
Rick:Right?
Justin:It has to be,
Rick:doesn't it? Well, often it is, but it'll be it'll be executed. It'll be driven by, say, a cybersecurity team. Right? Allow it to be the ethics complaint, but you're partnering from a cybersecurity perspective with the ethics team to run the executive, you know.
Rick:Yeah.
Joe:Don't make it a BEC compromise that started it started with something
Rick:else. Right. Right.
Joe:That's interesting. I like that.
Rick:Yeah. Yeah.
Joe:So what else we're gonna do today?
Justin:I think we're pretty much out of time here. So I think this has been a good episode. This is great. We've talked about a lot
Joe:of fun. Conversation.
Justin:Yeah. A lot of good, conversations here. Thank you everybody for joining us for episode 10. Don't forget to like, comment, and subscribe, especially on some of the, questions we had today. Please, feel free to chime in, and we will see you next episode.
Justin:Thank you all.
Rick:Bye.
