Episode 15: Community Building, Art of Convincing, and GTD Strategies
Welcome to Distilled Security Podcast. My name is Justin Leapline and I'm here with Rick and Joe and we have a new person on podcast, James. James, welcome to the podcast, man.
James:Thanks for having me.
Justin:Yeah. So we'd like to start off with new people joining the podcast. If you would just kind of go over how did get into cybersecurity? What are you doing now?
Justin:Sure.
James:Yeah. So my name is James Ringgold. I currently work for Microsoft. I'm a Technical Solutions Director working with, right now, products that we are trying to get customers to consume that they already own.
Justin:Okay.
James:I got interested or involved in information security back in 1995. I was working in the call center of a company that is now part of a pharmaceutical benefit management company by the name of Express Scripts, you may have heard of. Back then they were called Diversified Pharmaceutical Services, and I was a customer service rep, and their director of security gave me a chance because I had some potential and said, Hey, there were no other applicants for the job, and made me a security analyst doing RACF and ACF2. Might get
Justin:to step back and you didn't Right, right.
James:Yeah. We were doing RACF and ACF2, installed my first Sidewinder firewall and CyberGuard firewall, and then went on to get a bachelor's degree in technology management, MBA from the University of Minnesota. And then most recently prior to coming to Microsoft, I was the Chief Information Security Officer at Westinghouse Nuclear here in
Justin:Pittsburgh.
James:So that's what brought me to Pittsburgh.
Justin:Yeah, great. Well, we're happy to have you on here for a little bit of the experience here. One thing so diving right into the topic here, and this is actually, we'll cover B Sides Pittsburgh first. Yeah. So, Joe, b sides Pittsburgh just happened.
Joe:Well, so I ever tell you about the one where a thousand hackers walk into a casino? So, yeah, after months and months of talking about this, it finally happened. A couple of Fridays ago, had B Sides Pittsburgh, and I've been told it's the best one we've ever had. For me, it was amazing. The number of problems were so minimalistic.
Joe:I in fact, I got up in the morning, decided to walk over. I'm walking through. I had my coffee. I haven't had breakfast yet. Just waiting to have to solve a problem.
Joe:And I start walking around and everybody's looking at me like I'm like, well, what can I do? What do you need? Nothing. It's all good. So I walked to the next place.
Joe:Same thing. I'm like, that's great. So I walked back to the hotel and decided to eat breakfast because they had it totally under control. Somebody came up
Justin:to and was like, where's Joe at? It's like, I think we ate out at breakfast.
Joe:Yeah. But yeah. It was amazing. I think in total, we had 1,180 tickets sold. Okay.
Joe:Right around a thousand attendees. And I think we're up on the number of women in attendance, about 35%. I think that's about the highest.
Justin:That's what it was. About
Joe:Thirty-five.
James:Three hundred to 400 women.
Joe:Yeah. And it was and and as I'm walking around, I'm like, wow. This is a more diverse crowd. This is awesome. And then so what do we have?
Joe:Over 20 talks and lightning talks, several villages and events. People really loved the capture the flag again. And then we had this radio ops wireless village, and people kept talking about that. So thanks again to those volunteers who did that and ran with it. I kinda pointed them in the right direction and said, do you wanna do this last year?
Joe:And they did a little bit. And they said, we're gonna make it better Yeah. This year, and they did. And then this year, I heard them say, here's how we're making it better next year. So I'm super excited.
Joe:But anyway, so guess how many pastries were eaten that day?
Rick:I know the answer.
Justin:Does the casino actually keep count?
Joe:Well, we, you know, we ordered and they were all gone.
Justin:Oh, okay. Well, that's that's an easy calculation. Right?
Joe:Yeah. We had 600 pastries, 720 cookies. Oh, wow. We're eating.
James:I guess we like the sweets in Pittsburgh.
Joe:We do. And and 700 drink tickets were all gone by the end of the the happy hour at the end.
Justin:So Jen saw the interview that I did with you at the beginning of it. She's like, I wish I knew there was a cookie table. I would have gone. There you go.
Joe:Let's put that on our advertiser. I think it might be in the clip we're doing.
Rick:I will say the food is always spectacular. We always get the like highest package available and people are typically pretty happy with that.
Joe:Yeah. And we can only really make this happen because of our sponsors. We had about 31 different sponsor tables. And for the first time ever, sold out. We sold every sponsorship table that we had.
Joe:First time ever. We always used to have a couple slots that were never taken. The really highest one was never taken before this year. And then there are always a couple left at the end for tables. People are coming up to us in the last two weeks before B Sides.
Joe:I'll pay full price. I just want to get there. And it's great. So That's amazing. Something to look forward to is I think Rick, myself, and one of our other organizers later this week, maybe are going to sit down and work on the sponsor packages for next year.
Joe:Okay. So we're hoping to have those out in September. We're probably going to do a little bit of advertising about it in August. And what I'm hoping is, like, in September, we can put some of these out. And if you have budget money or you just want to get in and get that sponsor slot that you want to steal or just get from, you know, get it off the list right away, you know, be ready.
Joe:Yeah.
Justin:And I get it going.
Rick:Yeah. Not a sales tactic. Some of the sponsors were actively asking about sponsoring next year and when that would happen.
Joe:When can I get it and what slots can I get? But I'm
Justin:sure that helps, if you have end of of year budget, you know, Absolutely. They're always looking at the like throw that somewhere, you know, and if they could pre buy what you already know, you're going to a conference.
Rick:Especially if it's valuable. Yeah, without a doubt.
Joe:Yeah, we can't do it without that. But I will say that none of the money, I always disclaimer this, none of the money for this ever goes back to anybody personally. And I think that's what makes B Sides the kind of event it is, is because it's all out of the love of getting everybody together and really just throwing a nice event for a thousand people in a community they want to go to.
Justin:Yeah.
Joe:And nobody's doing it for the reasons that some of these other conferences do it, which is a for profit for them. It's their business. This isn't our business. We do this because
James:we love it. That's the inception of B Sides, like back when it first started in 2009. Like back when it was, hey, we didn't get into Sides or we didn't get into DEF CON or we didn't get into Black Hat out in Vegas and, you know, so, hey, we're just going to throw this conference for ourselves. Yeah. So it goes back to that's what the BSides community has always been about.
James:So I'm super happy that this is right, that we're finally getting the momentum that it really needs in Pittsburgh. Yeah.
Joe:Yeah. So that's the summary, and I'm just super happy how well it went. Yeah. And thanks, everybody, who made it happen.
James:Well, I remember, like, we've grown a lot in this community. I remember the first BSides Pittsburgh I went to was in the little like town hall room down Left Field?
Justin:Yeah. Yeah.
James:And it was like the food trucks are outside and you might be able to get a drink if you're okay with the dirty glass.
Justin:The thing I loved, because I never showed up on time to that, but you show up at nine, 9:30, and the elevator was in between the crowd and the speaker. And you're like, oh, everybody's looking at Left Field.
Joe:You might even be talking about spirit. Spirit.
James:Yeah. Was right
Justin:now. Okay.
Joe:So that was a couple years in. We moved to Spirit when we outgrew Left Field Meeting Space. So that place held maybe 120, 150 people. And then our first BSides, we had 80 people show up on 120 registered. And we did that for a couple years.
Joe:That was like next to PNC Park. And then we ended up going to I think we had one year in a college and that was okay. And then we went back
Justin:to That was worse than you had my opinion.
Joe:Yeah. That's why. It was only okay. And then we ended up going to Spirit, which everybody loved, the underground part and the dirty glasses.
Justin:Kinda felt like B Sides Cleveland at the hog shop a little bit. Yeah. Yeah. Had that kind of feel. Cool. Crunchy feel to it.
Justin:Yeah.
Joe:And then
James:we outgrew it.
Justin:I'll say
James:is a good thing.
Rick:For this next year, have like two pages full of, you know, ways to improve, right? Even though it was excellent, there's going to be some We're always tinkering and changing and improving. So, yeah, keep showing up. We'll keep building momentum. Yeah.
Rick:It'll always be a fun time.
Joe:And we've been talking about what the super secret thing was. So if you didn't we actually had an arcade there. It was one of the villages. Yeah. And we had a whole bunch of retro games that we rented.
Joe:And I think what do we have? Galaga, Pac Man, and a couple other things. And then people had brought a number of old video game consoles with the old cartridges.
Rick:Yeah. Was like an old
Joe:set of out of it. Yeah.
Rick:There's an air hockey table.
Justin:You tell me that the casino was like, Well, what games are you bringing in? You're bringing in a video blackjack? No. Yeah, that was pretty funny.
Joe:Anyway, so yeah.
Justin:Yeah, was great. Then a little shout out for Distilled. We did a number of different interviews while we were there. They're posted already up on our YouTube channel. So go check that out.
Justin:I think we did 11 total into that. Don't quote me on that, but they're all great. We did a whole bunch of speaker focus and then you did one on the conference itself which was really well put together, five, ten minute long, good segments diving into it. So check those out
Joe:as well. Thank you again for coming and setting up And and doing we're actually working that into how we can do that again next year. And we might even I actually want to bring this up now, but I think we'll talk about this as part of the sponsor packages. Can we maybe get Distilled Security to interview some sponsors ahead of
Justin:time of
Joe:what to look for when what who to visit? And then also, you know, we'll see if maybe we can do the speakers even earlier. Yeah. We can get a
Justin:And then we can actually do some promote things. Yeah.
Rick:That'd be good.
Justin:Yeah. I think we have a lot of options for that. Like, I know, when I was setting it up, there was a lot of, like, RSA type stuff. I was looking at, like, they did like a live broadcast every day and then people sat down every day. Obviously, we're not RSA size.
Justin:Not yet. Yeah, right. But they have a very professional way of doing stuff. Was like, Yeah, let's set this up. Let's have, you know, a sit down interview.
Justin:And yeah, we brought all the equipment in. And thank you to Buzzy again for clipping that all together and getting it out before the end of the day. That was a lot of work. And we even came in the day before to make sure everything worked, you know, because You guys
Joe:were getting them out within what, an hour of the recording?
Justin:Hour or two. We had like segments where we were like back to back. So we didn't like for a couple hours, we didn't even get the videos off the recorder, like off our SSD drive and everything. But yeah, as we had breaks, we basically took it off and then patched it all up together. And then Jesse that works for me, she did all the LinkedIn posts, know, for just Those were great.
Justin:Yeah. She even quoted like some of the people and all that stuff.
Rick:I heard some interest in potentially maybe attending a lightning talk about how to start a security podcast. There are a couple of people that said they'd be interested in that. So, see you
James:did that
Justin:and got denied.
Rick:Oh, really? I wasn't on the reviewer panel. I didn't know it got submitted. Well, try again.
Justin:Oh, okay. Gotcha.
James:So now there's demand built up.
Justin:Yeah, right, exactly. Individual We need community voting into this.
Rick:The individual who drives a lot of the speaker reviews is actually saying, Hey, can we open up even a fourth track next year? So I think whether or not that'll happen, I don't know. But yeah, there's a lot of demand.
Justin:You guys got room, right? I mean
Rick:I think we do now. Yeah.
James:Yeah.
Rick:Now that it's both sides.
Joe:We might be able to.
Justin:Yeah.
James:Oh, it was both sides again?
Joe:We had a whole This year, we were able to get it in advance far enough rented, so we got the whole top of the casino. Nice. All three spaces.
Rick:And we even had a surprise live DJ in one of the sides for the whole day too,
Justin:which Do is they give you like first pick for like next year, like for renewing and everything?
Joe:I we we already
Justin:You're right. But the yeah.
Joe:We already got a date that we've asked for. We haven't signed any paperwork yet, but it's about the same time. I think has the Pirates schedule come out yet? Because we gotta check that out.
Rick:That's We're
Joe:trying to avoid having it there at the same time as the chaos of a Pirates game. But, you know, save the date. Right now, tentative, July 10.
Justin:Okay. But do they, like since you've already been a part of the conference, do they give you like, somebody can't sneak in and take it or can they?
Joe:We hope that they wouldn't sell off under us now. We talked to them about
Justin:it. Yeah. Yeah. I I would figure I mean, they'd like you guys there and everything. Yeah.
Justin:Why wouldn't they?
Joe:Yeah. Yeah. And in fact, not even one person got kicked out.
Justin:So that was awesome. No issues.
Joe:Was good
James:sign at a casino.
Justin:No issues.
James:And the
Joe:B sides too.
James:They can't say that I haven't been kicked out.
Joe:But what a great community it is.
Justin:Yeah. Segue. Our big talk and the reason why we wanted to do kind of a B Sides update, we usually shove that in the middle of our talk. But one of the things we wanted to talk about is building a security community. So, you know, Joe, you've been instrumental obviously as one of the founders of B Sides.
Justin:Rick, you've been helping out for the last few years into that. James, you're now involved with ISSA helping to build that up and everything. Been doing a great job, a number of great talks on a monthly basis. So I guess, you know, into this case, why don't we like, what does it take to actually build a community, you know, into this? Because for other people that might not be in the Pittsburgh area or something like that, like might be a little bit daunting.
Justin:You might only get like 10 people interested. Like, how do you kind of foster that engagement? How do you keep it going, you know, type of thing? How do you build a culture around that?
James:Yeah, I mean, you know, I took over the president of BSides Pittsburgh about a year ago.
Justin:I saw it.
James:Or ISSA, sorry.
Justin:Yeah, yeah.
James:Mike Sotis Oh, wait, wait, Did anyone tell you? Sorry. I got BSides on the mind. Yeah, yeah. Know, I'm going to BSides Vegas next, you know, two weeks from now.
James:But so I have to say, you know, Mike Sotis did a great job in keeping the community alive and keeping the reins it held. And he was a one person show. And so a year ago, he approached, you know, the community and said, Hey, he wanted to take a step back. We didn't think it was gonna happen up until Tyler and Doug and I met. So Tyler and I met at B Sides Las Vegas to sort of talk about like what does this really mean?
James:The bylaws, according to the ISSA chapter, require us to have three official officers. And so we had Heather for a while, then he had to bow out for professional reasons where she was getting a new job and couldn't spend the time. So then Doug helped us, Doug Sala, who you had on the show. Yep. And really, you know, the hardest part is keeping the attention and keeping relevancy with the diverse needs of the security community.
James:You know, one of the hardest things that we've had to do is just find speakers, and we continue to have challenges finding speakers. Thank you. Thank you. Right? I'm hoping you in the future can speak.
James:Again, we charge for speaking. We just say, hey, you have to have content that is relevant to the industry, and it cannot be a sales pitch. Like we're going off of the B Sides mantra of this isn't sales. This is you educating the community. If you want to come in and do a lab, we're happy to have you do a lab.
James:Again, it's got to be vendor neutral, right, kind of along the SANS lines, right? Like most of the people on the board, with the exception of Doug, work for vendor communities, right? You know, I've got myself and Tyler and Heather and Dave, right? We all work for manufacturers of security technologies and none of us have talked about our companies, anything that we do. Like we gave shout outs to Palo Alto and to Gigamon and other companies because we are completely trying to be vendor neutral in what we're doing in that organization.
James:And it's really about finding the right connection to the community and what does the community want. One of the biggest challenges we've had is getting people to tell us what do they need out of ISSA? What do they need from like the next topic? This summer, we ended up doing, compliance as the summer and it worked out really well.
Rick:Thank you,
James:by the way, for your input in the PCI talk last week that we did. But a lot of it is just community involvement. The more people we get Did
Justin:you send out survey for that or just listen to people? How did you get like that input to, Hey, this summer is going be compliance or something?
James:Yeah, it just ended up the presentations and the people that asked if they could present just lined up as that's just how it worked out.
Justin:And then you tagged a topic like, this is the summer of compliance.
James:And we ended up, hey, we've got three talks in a row over the summer that are not hands on technical. They're not talking about threats and defense. It's talking about like policy and And so it just worked out that way. And that's kind of the way that I've been steering the organization. Doug and Heather and Tyler have been steering the organization.
James:Like, let's talk about things that are relevant. If somebody has a topic they want to about, let's have a conversation about it and vet it. And that's what I hope brings the community together is if the community has the needs, let's find a way to fill it. And if we can find the expert locally, great. If we need to source one from somewhere else, let's figure out how to do that.
James:But it really comes down to what does the community need? And I think B Sides fills that. Tris fills that need as well. There's a lot of great things going on here in Pittsburgh that, you know, that the community drives and the outside world doesn't know about. Yeah.
Joe:So let me ask you this. If somebody wanted to They have an idea of something they could talk about and they wanted to get in touch, could they look at Just Google ISSA Pittsburgh, find the website and then find a way to Yeah.
James:And the website is pittsburghissa.org or pittsburghissa.com because I can't type .org for some reason. So we redirect. Or the email address is contact@pittsburghissa.org.
Justin:Okay.
James:And we take anything. Like even if you're a manufacturer and you want to sponsor it and hey, you know what? We don't really charge for the sponsorship. It's you put down your card and buy pizzas for the meeting or sandwiches or gyros or whatever it is. Like we don't charge you for the meeting.
James:We're not making a profit or making any money off of it. It's cover our costs. And for that sponsorship, you get like, hey, fifteen minutes to say who you are and what you do. But then after that, like the content has to be relevant to the community. It can't be like this is how you do EDR with this product or this is how you do compliance with this product.
James:If you want to talk to us about how you do compliance, what are the best practices around compliance, we'll gladly have that conversation and talk through as long as it's product, right, product
Justin:that you
Joe:Well, what about this? What if you had sponsor who wanted to sponsor but didn't have something they wanted to specifically talk about and they just wanted to sponsor the fact that somebody could come on from the community who's an expert in their own field and do a talk?
James:Absolutely. And I think we're having that happen not this next month, but the following month in September. We're going to have John
Joe:Oh, Frantelich. So
James:John Frantelich is going to speak and we're going to have a sponsor that sponsors that meeting. And so John will talk to us about his topic and then not to proceed because it's not on the website yet, it will be in the next week I hope. And then so yeah, I mean sponsors can come and they'll get their name on the site, they'll get their logo out there, they'll get you know a thank you for sponsoring the meeting, they'll get their you know if they want to have a conversation in the first you know ten minutes of the meeting about what do they do and who do they contact, absolutely, right? Just to cover the costs of what it costs to have pizza or gyros at that meeting. But again, it's not, right?
James:We're not looking to make profit, same thing with B sides. We're not looking to make profit off it. We're looking to cover our costs so we can sustain continue to grow the community. Excellent. And the hardest part about growing the community is getting people to even sign up and show up.
James:We've been good enough. I think we started in November. We had about 50 people show up in November. And since then it's trailed off, but we have had, well December was 10, and that was partially a marketing fail, which we learned lessons from. The lesson is if you want people to show up to your meeting, have to tell them you're having a meeting.
Justin:Sure, sure. It's there. Marketing 101.
James:Right. So like we didn't do the meetup. We didn't do the email blast. We didn't do any of the LinkedIn, any of that. And it showed like people who were there showed up.
James:It was ten. We talked about probably a topic that wasn't a very good topic. But then we rebounded in the November meeting, and we had 30 to 40. And that's what we're targeting right now is 30 to 40. Any more than that in our space, we're gonna have to move.
James:But if we do the RSVPs and the RSVP is primarily there just so we know how much food to order. But like we don't charge at the door and we used to charge at the door. And now we don't charge at the door. It's just come show up, tell us what you wanna do. As a sponsor, if you wanna sponsor the meeting and pay for the food and the refreshments, please contact us.
James:If you wanna have a presentation, please contact us. And again, it's really about building this community, getting people to talk to each other. Afterwards, there's a bunch of us that go across the street to Mike and Tony's Gyros. Thank you. You know, shout out to our bartender.
James:You know, we just kind of sit around and continue the conversation. Again, it's about being social and making those connections now that we're after the pandemic. Yeah. All
Justin:right. So one thing you mentioned about like the vendors, I'm going to poke at you onto this. I mean, you work with a big cloud provider, obviously. I don't think it would be a bad thing having a focus like Microsoft March, how do you secure it from a corporation and everything? Just thinking about some big vendors, companies are dealing with that and that would be a good talk into there.
James:Yeah, it's very difficult to walk that line between how do you secure a product and how do you sell a product. And that's where I'm trying to not cross that line, right? Like as somebody who works for Microsoft, I could go in and give you the like, this is how you secure Azure Yeah. And this is how you should secure Azure. But it's a very fine line between that and hey, you should really use the Microsoft Cloud Security Suite because it's natively built in.
James:And I don't ever want to cross that line.
Justin:Yeah.
James:Right? And so
Justin:But you can give the like, it gives you more capabilities than if you're using like Wiz or something like that, you know, like
James:so I would much rather have an independent consultant give that talk
Justin:Yeah. On my
James:And if I happen to expense the refreshments for that in the beginning, that would work. Yeah. But I don't want me up there being a salesperson in front of me.
Joe:Gotcha. So there you have it. If you're an expert in Microsoft security, that's another thing. Reach out and come and do a talk.
Justin:Absolutely. Yeah. Because I've
James:been online. In AWS or in Google Cloud. Right. Or, right,
Rick:like Yeah, whatever it
Joe:is.
James:Doesn't matter if you're talking platform and this is how I secure that resource. That's what We we're looking don't want like this is how you use x product EDR.
Rick:Right.
Justin:Yeah. But if anybody's using like Identity, it's either you or Google Workspace.
James:Or Okta.
Justin:Yeah. Or yeah, Okta if you're, yeah, big enough. But I'm talking about like small to mid sized organizations. Any centralization, it's Workspace or Entra.
James:And I would love if there was a third party out there that wanted to give us best practices on how to secure identity and talk through the nuances and differences between Okta, Google Workspace, and Microsoft Because there are different capabilities. I would love that.
Justin:Yeah. Absolutely.
James:That would
Justin:be awesome.
James:Yeah. I would hug them probably.
Justin:Yeah. Great.
Rick:One of the things just on the community building topic, there was a thread that we had on the B Sides Organizers channel that I thought was really cool. And it really hit on I thought, consistency, right? So building a community doesn't necessarily happen overnight. And so oftentimes it's the rhythm and making sure you're consistent and making sure you're advertising.
Justin:Consistent in communication and Communication in the events themselves
Rick:and all those things, right? Have to, it's Same
James:time, same place.
Rick:Yeah, gotcha. Repeatable, understood. And so people can then start to plan for it or say, Hey, I didn't make this last month, but I want to make it next month or whatever the cadence is. But I thought that was a really interesting point, like consistency and also setting expectations that, you know, these things take time to build momentum. And it's not one of those things like, oh, I had my first time event and thousand people didn't show up.
Rick:What did I do wrong? Well, the answer might be nothing. Nothing at all. You just haven't built the momentum yet to have the number of people you're looking for. I thought that
James:was an
Rick:interesting topic.
James:It's like doing a podcast, Your first 100 episodes they say are terrible. And after that, you get into the rhythm, you get into the groove.
Justin:So we're on 15.
James:Well, you've got a little bit more production than most people's podcasts. But I'm just saying is, you get into the groove and you start talking about things, and that's the piece of it. Luckily, we had a good foundation to build on, right? Mike really set us up for success. So we just had to organize the pieces and then figure out what could we actually execute, to your Like, what can we execute consistently?
James:The first thing we did is say we're gonna pick a location. We're gonna have that location, right? Somewhere where it's easy to get to. For those of us, you know, we had to change from downtown because it was harder to get to. We had to change from over lunch because it was hard to get to.
James:Yeah. And so we just made it easy. And then like who doesn't want a free snack right at 4:30, 5:00? Right. Like, hey, I need something.
James:It's not going be dinner. Not a meal replacement. But, you know, come have a couple of slices of pizza and a Coke with us.
Rick:Right.
James:Like, if nothing else, you'll meet somebody new and maybe make some connections. And really, that's been the biggest part for me is just connecting with people in the community. I have people that before BSides or before ISSA, I had no idea who they were. Like now I'll get an email from them every week asking a different question about something.
Joe:Oh, that's awesome. It's building
James:that communication and building that network. And you know, we don't discriminate even against the students, right? Bring the students in. They have great ideas. I would love for students to give us some more presentations about things they're researching, what they're doing for their internships, things like that.
Justin:There was a large student population at B Sides. They kind of stuck out a little bit because they're all dressed to the nines.
James:Trying to get jobs.
Justin:They moved in groups often. But that's one thing I was actually thinking about bringing up into this is we're all kind of old bloods into this and we all know everybody. If we don't know somebody in the community, we actually question like, have they been here before? Are they not very involved? Whatever.
Justin:Know, we don't introduce ourselves. Who are you?
Rick:Yeah, exactly. Right.
Justin:But how do you get like new blood to kind of backfill that? Like we had some of the college students, but sometimes like, I don't know, maybe it's just me, like I don't know a lot of new faces coming in sometimes, you know, type of thing, but it's not like a wave like we all go to a conference, we all see each other, you know, type of thing. But I don't notice that at least following us into that. Is that true? Is it my bad perception into that?
Justin:In terms
Rick:of a large number of students or
Justin:Yeah, like just younger blood following us into coming every B sides or ISSA or something like that. There are new faces. Don't get me wrong type of thing.
Joe:But are you saying how do we get more?
Justin:Yeah. Like how we fill our shoes you know, into that where like we're known people, you know, in the Pittsburgh community. I often say Pittsburgh is like three steps of bacon to seven. Like if we don't know somebody, someone we know knows us. That's absolutely right.
Justin:You know, type of thing. But like, is that really Are we like going to expire at some point? Or do we have a generation to fill our shoes?
James:So I think that generation exists, but they're still in that phase of life and phase of their professional history where they're focused on things that they're focused on, right? Like when I came to Pittsburgh ten years ago, I looked around at the community and I tried to do outreach. I tried to get my team to really embrace the community. And there were barriers in that place, not that were set up by the community, but just they themselves, right? I have to go home for my kids.
James:I have to go home to do this. So it's just like when you get to a certain stage professionally, you naturally start to break through that and start to lead. There's still a fair amount of leadership and a fair amount of people in the industry here in Pittsburgh that are in that phase of like, I just, I can't, I have this, this is my schedule, this is my thing, this is my do, this is their pattern. And so getting them into and trying to get them, and a lot of it is back to consistency, right? There are people I know I bother and they likely don't read my emails when I'm sending them emails, soliciting them to try to do talks and hey, like you're an expert in this.
James:You know Security Onion way better than I do. Why don't you come and talk about this at my conference or And at my I know they're deleting the emails because it doesn't come back as read in the metrics that I get. But it's just that consistency. Eventually in six or seven months, know we're going say, you know what, let's do it. And if I have to co present, great, I'll
Rick:co present.
Justin:You think it's a hesitation on public speaking or?
James:Public speaking, right, they don't want to be targeted out as somebody that might be giving information away or they may be competitive, right? Hey, I need to keep this information because it might be something that an adversary could use against my company. There's a whole bunch of reasons like the laundry list is. At the end of the day, an adversary isn't coming to Pittsburgh ISSA to learn about your company.
Rick:You use this product? I'm not What
James:they're doing is they're going to go to the marketing website of the product and they're going to see your logo out there
Justin:just search LinkedIn and what tech stacks their engineers are actually
James:What group memberships they have, what professional affiliations, where do they attend conferences. Mean all that information is out there. It's not like it's secret. But it's just this like, you put up the privacy walls. And some of it is you have to get introverts to be extroverted.
James:And you have to get extroverts to coach them how to be extroverts.
Rick:I think that's such a key. Like, one, you have to meet people where they are in terms of knowing, like to your point before about marketing and stuff, knowing the things happening and consistency and all that. And then two, I'm always such a fan of the concept of not just mentorship, but like chain of mentorship, right? So like if there's someone in the community that I'm like mentoring that is, you know, kind of managerial level or about to be manager or trying to make their way to director or whatever, that's great. But I also want them to have people they're mentoring that are students coming into the space or analysts trying to hit their manager thing.
Rick:And I think if in that chain you encourage down a level, that should filter down another level and down another level. And I think that's really the way it should work. And whenever those chains break, that's when you have these gaps, large scale of roles not being filled. So to your point, I think some of it really is about if you have these people in the community that are coming up that you're close with saying, Hey, you know what? When was the last time you gave a talk?
Rick:No. Or when's the last time you went to this event or that event? Or did you know about this thing? Or are you active on PitSet Slack? And okay, well, if you're not, what are you gonna do about that?
Rick:Well, maybe just try and post once a month or whatever, right? Some super reasonable goal to try and get people out there. Because I think a lot of times, especially with introverts and trying to get them to be extroverted, a lot of times like that has to happen in baby steps. Just come to the event. Oh, now you've come three times.
Rick:What would you think about speaking at the event? And now that you know everyone, you're going to the bar afterwards, all that stuff.
Joe:Yeah, and who are you bringing next time?
Rick:Right, and who are you bringing exactly that. And go
Justin:out afterwards because that's when relationships are made.
Rick:Lobby con is such
Justin:Don't a just come in and out type of thing. Engage in conversation type of thing.
Joe:Well, that's a really good point is like we we we put it out there. There we got the after party for B sides, and then we've been saying there's usually an after after party. Just get in touch with one of us. Yeah. We're more than happy for you to come along.
Joe:But the other thing I'm hearing is it's on us to answer your question. How do we replace ourselves? We need to bring and start inviting that next level of of people in. So who who are each of us going to bring and encourage to to come along? And what were
James:And you gonna I wanna put a challenge out there a little bit. Like if you're hiring students and hiring interns and you're bringing them into your organization, like put one of their development goals to do a presentation.
Rick:Absolutely.
James:They don't have to actually get responded to or even accepted, but they have to put forth the effort to submit a call for papers or a call for presentations. Like that should be part of their review process.
Rick:Or even
James:I manage a team of eight right now. Every single one of them has it in their review. They are required to submit a talk. Yeah. Doesn't matter if they get accepted or not.
James:They have to put forth the effort, put through that piece of it, right? This year I did one for well last year I was accepted to B Sides Las Vegas. This year I didn't get accepted but I put one in, right? Lead by example. But those are the things that you have to put in, right?
James:If you're a CISO in Pittsburgh, have your staff as part of their review for next year. Must submit a talk. That's the only way we all get better. We start to learn each other. There is already a little community here in Pittsburgh between the banking industry, right, between the APT1 victims back in 02/2008.
James:Like there's a little bit of that shadow community already and we just need to get them to tell us their expertise, right. There's no shame in being a victim to APT-one. The company that I worked for in Minneapolis was like it's just the way it was in 2000
Justin:Those are battle scars. Those are battle scars. That's valuable experience.
James:That helps you to bond and bring people together, right. You and I have had the same experience. We fought the same actors. We have the same stories. Like we're brothers.
James:We're brothers and sisters. Like we know those things. We have the same experiences. Like we are now better for it.
Justin:Yeah, without a doubt. It's amazing sharing those stories, there are some things that you learn. You're like, I didn't realize I was much of a target, but the way some of those actually get performed, you're like, wow, they went the extra effort to just do that. Hearing some behind the scenes just breaches and everything is amazing. You're like, I did not think that would be the case, but then you hear it and it's like, oh man.
Justin:One thing too, said submit the presentations. You can even start smaller. If people actually have a public speaking, do it in a meeting, do a presentation. Actually early in my career in like mid-2000s, I was a little nervous about public speaking so I went to go volunteer at the Cranberry Library to teach computer classes to older people in the community. That was like, all right, so I want to get into more presentations into that.
Justin:That was my first baby step.
Rick:I'd also say co presenting is such a great way. Like, hey, you're not sure about doing this yourself or where to start. Okay, well do it with someone who's done it before.
James:Right. You be the brains, I'll be the pretty face.
Rick:That's exactly right.
Justin:Do the Captain Morgan.
Rick:But think to your point, oh, if you want more students in the community, like, well, yeah, go get them. I don't know why I keep thinking about, like, you know, Mac's business model, like in the nineties, like, we're just gonna give a bunch of schools a bunch of computers.
Justin:Right.
Rick:And then what happens, right? Yeah.
Joe:Yeah. They learn how to use those
James:They kind of learn how to use what you put in front of them.
Rick:Yeah. Absolutely. That's the thing. So I mean, I think you gotta you force them into the situation a little bit. Yeah.
Rick:Try and make it fun. Try and co present if you need to co present. But yeah, it's And probably up to us to go get
James:there's of a capabilities and a lot of things that are in the industry that need research and need research again, right? Like there are topics that have been done, but there's always continuous improvement. There's always new ways to attack that. Like you can give somebody, go learn everything you need about network IDS. It's still a relevant topic.
James:Everyone says, oh, the cloud is the thing. Guess what? You have to get from your PC to the cloud over a network somewhere. Yeah. The network is still relevant.
Rick:Well, and I'll also say for people that haven't spoken before, this was a thing that someone had to tell me before I went, Oh. It's like, well, don't have anything new to say. Why would I It's like, well, that's fine. You have a bunch of experience that's relevant or you went and did a bunch of research that people in your peer group haven't done yet. And so it doesn't matter if it's new, there's gonna be a set of people that need to hear the thing that
Joe:you
Rick:want And to it's
Joe:gonna be new to them.
Rick:It's gonna be new to them. It doesn't have to be new new.
Justin:And that's the thing more in the development community. It's like building public. I hear about your failures to where you eventually got to success. What are the hurdles? What are the confusing things?
Justin:What did it take to get from point A to point B? Exactly. And all that stuff. And people like hearing that story, not just here's how you do it type of thing. Well, yeah.
James:And the stories are how you build that relationship. Right. The stories are how you
Justin:Build trust
James:in them. You understand and realize, oh, they've had a similar experience. We now can actually communicate and connect.
Joe:Yeah. Yeah. So that all makes sense for getting community built. The other thing I'm hearing is having like the reason that you're doing and having it be pure. And I think that's like B sides, ISSA.
Joe:Mean, No. Why are we doing any of None of us are going be rich doing running the Pittsburgh ISSA. Right? Right. But why do you want to Fortunately,
Justin:you're doing that wasn't
Joe:your goal.
James:Well, I mean, independently wealthy, like maybe lottery winner or something like that. I'm not sure. Like for me, it goes back to the way I entered the industry, right? Like, you know, somebody gave me a chance and saw that I had some potential. And that's the piece of it that I still come back to, right?
James:You know, twenty five years ago, twenty years ago, I founded or helped found a consortium conference in Minneapolis called Secure360, right? It was ISSA, at the time Information Systems Forensics Association, ISFA, and, you know, InfraGard and all of those organizations came together like Tris is here in Pittsburgh. And that was twenty years ago, right? They had their twentieth anniversary just this last summer.
Justin:That's awesome.
James:And like the things and the connections I made going through those experiences, getting involved as, at the time, I think it was three or four years into industry helping that, you know, shape that and build that community. There are intrinsic values and intrinsic things that bring you together and do that. And at Pittsburgh, we have the same opportunity, right? I mean, besides is now nine, ten years?
Joe:Yeah, we just had the it started in 2011.
James:Yeah. Right, fourteen years. So yeah, I mean, 2011. Yeah. So fourteen years.
Justin:Minus one.
James:Well, right. Yeah. Years not
Justin:The year that will not be named.
James:And again, it's like bringing those communities together and realizing that we all can share knowledge and make everyone better. Even if we're competitors, even if we're competing for the same job, we're still doing the same thing, trying to advance each other and make each other better.
Justin:And that's one of the things that's great about the security community. I found that throughout my twenty, thirty years into this is everybody's out to help their own companies, but you could do that by sharing into that. All the retailers that are competitors technically to one another, they're like, how can we beat these bad guys better? What are the fraud you're seeing? Here's what we're seeing on our side, you know, type of thing.
Justin:They're, you know, an open book into that, you know, specific
Rick:Yeah, it's frenemies. I don't know anyone whose business model is like, don't share security knowledge to try and help them get hacked so we don't. Like that's just not in a business plan.
Justin:Yeah. And that's I mean, that's the whole purpose of all the ice ax, you know.
Rick:Right. Absolutely. Like sharing. Yeah. Yeah.
Rick:And people smell authenticity and they respond well to it.
Justin:Yeah. Mhmm.
Joe:I like that. Authentic. Yeah. I think we're very authentic with what we're trying to do and give back.
Justin:Yeah, and I think that's how you build trust, you know? Like, if you're not an authentic person, you're not going to build that trust, you know? You're just another AI generated, you know, thing out on the Internet.
James:Well, that's, you know, that's funny, you know, that you say AI generated. Like, you know, Dave Spihar and I did a conversation or did a talk, and the presentation was 100% AI generated. But the personal touch we gave was our experiences interpreting that result, right? We could give credibility to the information that AI generated. It was, we took the three threat reports.
James:This was in, I think, December. I can't remember.
Joe:Yeah, I want that
James:one. We That was took the three major threat reports. We compiled them together with three different AI engines. And we had it spit out the talking points and what we should talk about.
Justin:Oh, okay.
James:And literally, was your annual threat briefing one Yeah. 100 But we gave it color. We allowed ourselves to give the experiences and to resonate with like, yes, this isn't just some machine spitting out things that it found and regurgitated on the internet. No, these are actual things. We acknowledge this slide was 100% created by AI and then gave it color because we had the experience around it and it wasn't just text on a screen.
Justin:So you did slide roulette essentially what they had.
Rick:Well, it gets back to what you said before about stories are important, right?
James:The experiences
Justin:and stories. Yeah. Great. Anything else on building a community?
Joe:I just think that Just a little callback to a couple of things. If you have people in your organization that aren't going to events or aren't going to these free local events, encourage them to go. Like I used to say is what, the third?
James:The third Tuesday of every month at five p. M. At the Hackers Guild.
Joe:Yeah. And the Hackers Guild is in the North Hills Of Pittsburgh.
Justin:And you send stuff over Meetup, correct?
James:We send stuff over Meetup. We have a mailing list and it's on LinkedIn.
Justin:Yeah. So sign up for one of those, all of those, get the notification.
James:The Meetup is about a thousand people. The mailing list is about 600 and I have zero idea how many are followers on LinkedIn.
Joe:And so there's that. I don't know if there are other events besides ISSA that happen
Justin:On on monthly monthly basis?
James:Yes. So ISC2 had or has a monthly meetup.
Justin:Yep.
James:Is it SEC Cyber? Siber's?
Rick:I was gonna say bar sides?
James:Bar sides.
Justin:Cyber and cigars.
Rick:Cyber and cigars.
James:ISC Squared. What's the other one?
Joe:So there's a number There's
James:like five or six Yeah. Of have a list of some of them on the ISSA, the pittsburghissa.org website. And then there is the SEC PGH Discord. And then there is also the meetup group. And the meetup group has more events in it than I can remember.
James:Right. You go
Joe:to pitsec.com That's
Justin:a Slack. You said this is Discord.
Joe:Also has an event list on it. And then you can get to the Slack.
Rick:I wonder if we should get some of the group heads together and talk about mix some of the communities, do some like takeovers. It's like ISSA takeover of Barsides or Barsides takeover of Cyber and Cigars or something like that.
James:That'd be amazing. Yeah.
Rick:It gets on
Joe:cross invites going. It's great.
Justin:Start some wars. Some French alliances. Alliances.
James:It's us against them. Whoever them the hackers are.
Joe:Sean, I can't think of anything
James:else Sometimes them is us. No. All right.
Rick:If nothing else, it's a great opportunity to swap stories and drink some booze and
Justin:spank Wait, a wait, final thought. One of the things that I think it's big to take away from this, build those relationships. No matter what, get those relationships and buy them on LinkedIn, talk to other people into the community. Honestly, that's going to be the biggest difference in your career. I can speak personally, I'm sure you guys can Totally agree.
Justin:On different people who had influence into your career and everything. And it's the people you met and those, you know, the friends through friends and everything. Cheers. So we got for the first time on the podcast, two bottles because one was not enough. Is one really enough?
James:I'm glad I brought a chauffeur.
Justin:Yeah, right. So, Joe, would you mind going over a little bit of this?
Joe:Yeah, these whiskeys are from Grand Traverse Distillery in Michigan. And I was out there a couple weeks ago, visited a tasting room at the Riverplace shops in Frankenmuth, Michigan.
Justin:Did you make vacation just for this?
Joe:Just for this. I went on vacation and ended up running into this. And you can't run into a tasting room and not going in taste when you're on the Distilled Security podcast. So after tasting a number of different ones, I settled for these two. I really liked them.
Joe:One is a twelve year old American single malt whiskey. The
Justin:this one here. And,
Joe:yeah, that one they say has notes of tobacco, nutty vanilla, honey, cinnamon, oak, and baking spice. Finishes with hints of anise and leather. And so that's their oldest whiskey to date being 12 years old.
Justin:Okay. And it's a 100% single malt whiskey. So I take that as a 100% of the mash is just single malt. I think yeah. Yeah.
Joe:That would
Rick:be my interpretation. Yeah.
Joe:And then the other one is the Old George, but it's their double barreled.
Justin:So mhmm. This is, what, the second time that we're not having a bourbon. Oh. Yeah. I suppose.
Justin:Yeah. So I don't know if whiskey still, you know, falls into that.
James:Oh, it's distilled. It's distilled.
Justin:Yeah. Yeah.
Joe:Yeah. And this the second one, the Old George is also 50% alcohol hunter proof. And what they do is they take their original Old George rye whiskey, which is 95% rye and 5% molded rye.
James:Are you
Joe:sure about that? Mashville. Website versus may have changed.
Rick:Yeah. The recipe may have changed.
Justin:It says a 100% straight rye onto this. Yeah.
Joe:Well, rye and then molded rye mash.
Justin:Oh, so they Yeah.
Joe:It's all rye. The difference with the molded rye mash I had to look this up. What does rye mash mean? Oh, it means that they let it germinate a little bit, right? Yeah.
Joe:So Did you see that video?
Justin:That was cool.
Joe:Yeah. Watched that.
Rick:You should post
Justin:that in the show notes. Yeah. Yeah.
Joe:So the video was a place that actually does it for a local distillery here.
Justin:Yeah. A local distillery, Wiggle, they have a malting room, a floor malt that they do. And they basically let it germinate over the floor and they basically have, what is it, rakes or shovels?
Joe:Shovels that
Justin:They kind flip turn it and everything, but they actually showed like it actually sprouts, you know, things coming off of it. And that's when they use it, you know, into the mash build and everything.
Rick:But I think it's really interesting. I don't see many. I don't know if I can recall any double barrel rise.
Joe:Well, yeah, what they do with this one is after They don't say what the age is, but then after they do that, they do an additional I read six to eighteen months in a French oak barrel.
Justin:Yeah. Six to eighteen.
Joe:Okay. Six to eighteen, which brings, notes of smoke, caramel, and stuff to the already matured old George whiskey.
Rick:Yeah. I really like both of these.
Justin:Yeah. They have, so the rye one, especially has had, like, I mean, rye is very strong. Yeah. So you get that strong rye. But I like I think it's maybe it's because it's double berry.
Justin:It ends smooth. It ends very smooth. You know, kind of caramelizes out of it. Yeah. You get that heavy rye into the taste.
Justin:Yeah. But it's not like that bite that you would normally get off of a 100% rye.
Joe:It's a nice peppery flavor. Yeah. And then it's smooth.
Rick:Yeah. And and and the malt is, like, nice and sweet. It's just tasty.
Justin:Yeah. Yeah. Well, thank you, Joe for all bringing these.
James:Thank you
Joe:very much. What do what do you each like better between the two? The the malt or the rye?
Justin:So I'm not a huge I can do rye, like, now and then, But I like
Joe:That's the rye.
Rick:Yeah. I think I prefer the rye. I like I like I typically like rye's, though. Yeah.
James:That's the malt camp.
Justin:Malt? Yeah.
Joe:Like the malt? Yeah. I like the rye.
Rick:They're both really nice. I
James:wouldn't like, I wouldn't say no to either.
Justin:I'm drinking a malt
James:right now. Yeah. Would say
Justin:I like the rye a little bit better at least.
Joe:Yeah. Hey. Well, cheers. Cheers.
Justin:All right. So our next topic, you have it in front of you. So why don't you introduce it?
Rick:It's the perfect segue.
Joe:Well, you've really convinced me to do that. Yeah, I know. Yeah. It's the art of convincing your audience.
Justin:I love that.
Joe:So, And, you know, part of it, you know, security, is it really as much of a tech problem as it is a persuasion problem? So what do you think?
Justin:Yes.
James:You know, it's an interesting dichotomy between the two. Technology is what causes the challenges. And then we, as people, exacerbate it by the decisions we make. So like some of it is like, okay, we wrote the software and the software has flaws in it because we're humans and we're not perfect.
Justin:But
James:then we exacerbate it because, well, we can't take the downtime to patch it. We can't do the things to protect it. We don't have enough money to run it. We can't like, there's all these things around it. And so as you grow in your profession in any place, you get from, I don't know what I'm doing.
James:I'm just looking it up in the manual to, Okay, now I have to convince the business that the car really does need an oil change, right? Right. And that's where you start to move into like, Okay, it's not just a technology problem, right? It's not just that the engine of the business machine is broken. It's I need to take the time and I need to understand how can we fix it, right?
James:If you don't do the preventative maintenance and you can't convince the business that a downtime is necessity, you can't convince them they need to spend the money to have redundant systems to allow you to do that maintenance on the left one when the right one is still running. Like it's where it becomes that challenge. And persuasion, if you will, or like the human element comes back into it. And it's one of those challenges we've had for twenty five years. I hate to say that I've been in the industry.
James:Like, well, okay, thirty, crap. Like I got my start in 1995. Yeah, meant
Justin:just years for numbers. Yeah, got
James:my start in 1995, you know, back when it was like Windows three eleven just moving to a Novell NT, Novell four eleven. Internet servers sitting under desktops and there was no firewall, right?
Justin:And they all had public IP addresses. All was the way smart. To the Better could be accessed from anywhere. And all
James:of that took either an event, an incident, or something to convince the business that they shouldn't do Like it that we're still creating and solving the problems that we created ourselves.
Rick:But I think it's important to note too that I personally think that technology as like a domain is different than other critical to the business back office functions. Why? Because legal, as a for instance, like the heart of it, absolutely knowledge needs to increase. Well, in technology, knowledge needs to increase. But legal doesn't have this other and legal processes need to increase.
Rick:Well, in technology processes need to increase over time as well. But there's not this third tower, which is just the straight technology and updating it and fixing it. The tools. Yeah. Exactly.
Rick:Same thing with accounting. Same thing with all these things. Right? There's still people in process. Right?
Rick:And in those hard sort of knowledge and process oriented domains have all the people in process. But this third leg that actually also supports all of those other legs, IT gets all of that. And then you end up having to convince people that, Oh, no, no, no. Yes, I need time and resources and money and stuff for people. And yes, I need it for process just like everybody else.
Rick:But I need this third thing. And I need it not only for us, but for everybody else as well. So the convincing game, I think, is inherently a little bit different because you're gonna end up coming with asks either a little more often or in a different way than people are historically used to hearing it because tooling like this, like, is still relatively new on the grand scheme of things.
Joe:So how do we influence executives to invest in security and to invest in the stuff we need?
James:Well, so part of it is, right, experience, right? The experiences that have impacted the business. We learn from the experiences of others, right? We see breaches in magazines and things like that. Like we learn from those experiences.
James:We have those experiences ourselves, right? Whether it be a breach in our own company or a ransomware event, things like that. Like those tend to be epiphanies in the business. And if you don't have one or if you're ignorant to them happening or it just doesn't impact your business, you're like, hey, I don't, right, the system didn't go down, we don't care. We didn't lose the data.
James:It didn't get encrypted so we still had access to it. Then you may not have as fast of a learning curve. But at the end of that piece of it is really more about like that experience. When you're looking at influencing the business and how people grow in their profession, it is gaining that experience, right? I understand how that works because I've lived it before.
James:I understand how that works because I've done that before, right? And that is the key piece of it is, right, you grow that expertise by experience. You communicate that expertise and the outcomes understanding what those business influences are, and that's where you ultimately have that, right? Everything we do in security is about risk management. Companies have been doing risk management as long as insurance has been a thing.
James:It's just a matter of what's the difference between technology risk and physical systems risk or a physical plant going down. They're the same. We just don't talk about them that way. As security professionals, we talk about patches and vulnerabilities and attackers and hackers and data loss. But the business wants to understand is what's the monetary impact?
James:And we have to start to trade. And we have to, over 25, have learned to have those business conversations and influence the business the business way. And that's ultimately where we get stuck because most of us get into security because we really like the technology. And then as we mature and grow experiences, the light bulb goes out and we go to business school and we go, oh, a minute. The reason this matters to the CEO is because if we don't take that eight hours of downtime, yes, it sucks to pay for that eight hours of downtime or oh, we don't have these redundant systems to allow us to patch one while the other one is still running.
James:If we don't spend that money, we're going to lose the whole company's money for twenty four to forty eight to seventy two hours while I'm investigating a security
Rick:issue. And then the long term implications because these clients are unhappy or there's this regulatory Yeah. All that.
Joe:So I'm hearing storytelling. I'm hearing framing loss aversion and opportunity Yep.
James:Yeah.
Rick:I think that's right. I think the trick is meeting people where they are in terms of, like, talking to them about what's important to them in the language that they understand.
Justin:I think that's absolutely right. Like that's one of the things when I go into a new organization, it's been a little while, but you know, like you become a new CSAIL, one of the things I make a point to is meet with all the leaders and say, What are you most concerned about? What can I do to help you and what are the things you're most concerned about? And then if you bridge that, you're going to have success. That's such a critical point.
Rick:Like you mentioned it for building community relationships, But it's the internal thing too, right? It's building the relationships, building the trust. I think that can't be overstated. You're absolutely And
James:the other piece of it is don't accept the technology answer when you know that that's not the right answer. If you're talking to the chief HR officer, if you're talking to the chief legal officer, if you're talking to the chief revenue officer, and they're talking to you about systems downtime and outage, that's not really
Justin:what they
James:care about. Like you have to ask the but why question.
Justin:Like
James:what is the impact to revenue if this system is down? Like why do we really care about it? Like if payroll is down, okay, we only batch process payroll once every two weeks. Why does it matter if it's down every single day versus like a system that's developing revenue or bringing in revenue, right? Your sales system every single day, that's how you record sales and that's how you get money from customers.
James:There's a completely different piece of it. Unfortunately, what we've done in the industry is we treat them all the same.
Joe:I'm laughing because my team is doing a number of business impact analysis But right just by going in and saying, we're gonna do a business impact analysis, immediately, brains start to shut off. They hear those three words, and they're like, that doesn't even sound fun. Yeah. That doesn't even make any sense to me. I don't even know what we're gonna talk about.
Joe:And what I heard James saying is, let's not talk about it that way. Rick said, let's meet them where they are. So let's we can do a business impact analysis. Don't use those words. I totally agree.
Joe:Talk about what what will what will bring this company down? What is the thing in your life that you think will destroy this business? And then on the back end, go and do all the things you do for business impact analysis. That's it. And start mapping out, well, if we lose a system and how can we lose a system?
Joe:Now you start doing a risk assessment. You don't need to tell them you're doing all these technical security things, but you then can go back and explain to them what could go wrong, right?
James:Well, and that's the credibility piece, right? As security, we don't have credibility because we seem to be this like crystal ball, right? We're looking into this might happen. This could be the happen. We could, oh my gosh, the whole business could go down.
Joe:Yeah, sky's going to fall.
James:Right. In actuality, what we haven't done is we haven't had those conversations with the appropriate business people to talk about their business and then talk about what are the technology pieces that support that. And that's the influence piece, right? Is, okay, we're mapping this business, this criticality, this amount of money to these systems and these pieces of technology. And the people who operate those technology pieces and who do the things in that sphere don't necessarily understand the business.
James:And the people in the business likely shouldn't. And if they do, they're probably in over their skis a little bit, don't understand the technology pieces. It's a rare find. And yes, there are millions of them across the planet, but it's a rare find that there's a person that can cross the two. There are millions of people across the planet that can do that, but they're not amassed in one
Joe:Now, you've seen some of the best presidents of organizations started in like the accounting part of the IT department. Right. They understood the IT systems. They worked in IT and they made their way all the way up to being very good at running that business.
James:Well, it's not in every company that they have.
Justin:No, and they're often tackling ROI, you know, from a financial, you know, in the IT. They're like, okay, we're buying a new product. When is it going to actually like pay dividends? You know, if we own it for two years, if we own it for one, you know, when's the breakeven, like breakeven, and then go into that type of thing. So we mentioned about like going down or something along those lines.
Justin:What about like efficiencies or just like maintenance and everything? Like how do you kind of go at that? I have my answer, but
Rick:I mean, it depends on... Why does everyone look at me? Because you started talking first.
Justin:Because I'm angled this way.
Rick:That's right. Well, I guess it depends on like what's the ask really, right? And again, this comes back to what's the impact on the business and the language they understand, right? So, hey, do we need to do maintenance where we need a regular outage window that takes you down for these periods of time? Do you need to...
Justin:We need to update Oracle. What is the actual... It's "Move to the cloud." Eight hours of downtime, you know.
Rick:Well, but I think ultimately, and this is probably part of the trick as well, is you never come with just one thing, right? So you start by understanding the business and then you say, Hey, look, I understand your needs are this and this and this. Would you prefer that we have an outage every month? Or can you help me get the backing to get the high availability system so you never have to take an outage, right? Rarely. Never say never.
Rick:But you don't have to take an outage every month periodically, and we can patch in this way, right? So I think giving them the optionality of what's possible with technology is a huge part of the job.
James:And that is what builds the credibility.
Justin:Yeah. Right?
James:If you come to them with a, you have to do this, you have no choice, you have to do this, nine times out of 10 they're gonna say no. However, if you give them those like, hey, we could do this, or we could do this, we could do this, they'll make a suggestion...
Justin:Or, and here's a cost. Tiers for each of...
James:Right. Because that's what the business wants to do. That's what leadership wants to do. They want to make those decisions. If you come to them with the decisions and a recommendation, you're more likely to get what you need and less likely to have that friction.
Rick:And you tie your whys to their whys, right? So we know that you cut payroll, right, only once a month in this way. So yeah, we're not focused on this. We're focused over here. So we think we should update this system first in these ways.
Rick:Does that sound right? And if not, you know, maybe an option B is this or an option C is that. But understanding what's possible is like, that's where we should be keeping them out of the weeds, right? We should be those visionaries on what's possible for them from a tech side.
Joe:And I would even suggest you don't go in thinking you know all the answers. You go in and say, I believe it's close to this. Where am I wrong? Mhmm. Because people love to tell you when you're wrong.
Joe:And when they start telling you when you're wrong...
Justin:I'm so sure, like, and they...
Joe:...start building. Yeah. And they start contributing to it, it goes from being yours to both of yours. And when it becomes both of yours, now you have buy in.
Justin:Yep.
Joe:And one of the choices could be, well, look, you you could actually do nothing. And I have this nice little risk waiver here I need you to sign to take accountability for what will probably happen at some point. I don't know if it will, but at some point, if you do nothing, it'll probably be down for a week.
Rick:Boy, it's funny too when you start asking people to sign their name to accepting that a bad thing might happen, how they go, Well, actually, maybe we should just pay for the thing. Right? Because they think a lot of times it's somebody else's problem.
Justin:It's security's problem. Absolutely right. You know, type of thing. Like, you're not patching?
Justin:Well, that's not mine, you know, type of thing. We're stewards. My guys are busy. Why aren't you doing that?
Joe:You know?
Rick:Right. But to your note too about asking them, where am I wrong? I love that. There's literal cognitive science around this. It's easier for people if you ask someone, why is this thing this way?
Rick:It's oftentimes hard for them to pull that out of the air. They're starting from scratch. But if you ask them, Hey, I kind of think this and this and this, can you tell me if that's right or not? Right? Now they're revising the page as opposed to starting from a blank page.
Rick:And it's much easier for them to bring up the knowledge of, Oh wait, no, this should change in this way, this should change in...
Justin:It's easier for them to point out contradictions. You're like, That won't work, you know, type of thing. Then it'd just be like, yeah.
James:But it's also important to dig into that. Tell me why that won't work.
Justin:Oh, Oh, yeah.
James:Why won't that work? And then the follow-up question is, what can we do to make it work? How do we fix it? Now you start to build them into that decision making and into building the solution, and it gives them skin in the game or...
Justin:It's partnership.
James:Business benefit. You're now partnering with them rather than... You get into business discussions in that same way, right? If I tell you you have to patch a system, it's not going to get patched. If we talk about all the things and all the benefits around why it should be patched and like it's really not that hard, you'll patch it.
Rick:Well, and there's traps on both sides of that happy medium, which is you're not their boss, right? And you're not their vendor, right? You're also a steward of elements of the company. So you really need to say, Hey, I'm your partner. I have worked to understand through these conversations what's important to you.
Rick:My entire job is understanding what's important from a technology and security perspective. I think this and this and this. What do you think? And then you can move forward together.
Joe:Oh, yeah.
James:If payroll doesn't run every two weeks, I don't get paid either.
Justin:Right. Right. Exactly.
Joe:Well, going back to your parenting tip, one of the things that I used to do as part of convincing is when my kids were at somebody's house, they were having a great time playing. I wouldn't say it's time to go. I would say, ten minutes before I wanna leave, Do you guys wanna leave in five minutes or do you wanna leave in ten minutes?
James:Yeah.
Joe:They would always pick ten minutes. And then when we're at about nine minutes, I'd say there's one minute left to that ten minutes. And then they'd be like, okay, dad. And then I'd be like, it's time to go. And I got so much less resistance
Rick:Oh, yeah.
Joe:Than the days before, the years before when I would say, it's just time to go. We're not done playing.
Justin:Mhmm. That's an interesting thing.
Rick:Yeah.
Justin:So one thing we haven't really talked about, I think we kind of hinted around it, metrics and data. Where does that come into play when you're trying to influence people into doing something?
Joe:I think it goes strong in the storytelling.
James:Yeah. Well, it comes into building credibility and building, right? If I come to you and say that system was going to be hacked and you don't believe it, it doesn't matter how many pieces of information I put out in front of you. If I tell you this system has this many vulnerabilities that have these exploits, it doesn't build that case for you. What you need to do is go back to, there's a probability that this system being exposed to the internet will have a downtime associated with it.
James:We can reduce the probability of that downtime by doing these things. But getting into like the more technical data doesn't actually build your credibility in that space. So you really have to come back to what matters to the business and what are those metrics, right? The downtime, what's the cost of the downtime? What are the impacts if that system goes down?
James:Or what's the value of that data to your environment? Like if the data is no longer available to you or if the data is leaked to the public. Like again, let the business make those decisions. But getting more data around, oh, this system has 375,000 vulnerabilities in it, doesn't make a difference or if it has one. It's really like what's the probability of this risk being realized?
Joe:I was just rereading some parts of How to Measure Anything in Cybersecurity, which is an awesome way to reframe. You go. It was an awesome way to reframe metrics in the very way that you're describing.
Justin:And one of the things I like to do, especially if you can get some type of security committee established, is let the data tell the story and you're just the messenger into that. So if you're pulling, let's say, vulnerability data on a per business unit perspective into that and they both have all their operational teams, now you can just say, Hey, here's the story. And more than likely psychology comes into play that nobody wants to be the worst unless you're all above a bar that's acceptable. Nobody wants to be hitting 32% SLAs in doing patch management or something like that. They're like, no, no, no.
Justin:I don't mind being in the middle. I don't want to be the one at the bottom type of thing because I'm going to get called out by my peers or senior manager director or whatever it may be type of thing. So letting data play in that and just like, I'm not calling anybody out, but here's what it is today.
Joe:Right. One of my favorite things to do for when we help companies set up risk management committees is you get that established, you get those metrics out there, And then when you're you do these monthly, if you do them monthly, about two weeks before that monthly meeting, I like to go to each of the people who are owning the departments that have either
Justin:Give them their draft. Metrics.
Joe:Yeah. Nonconformities or breakdowns that have corrective action plans that are not being effective.
Rick:Just so you know, this is what's gonna come up in the meeting.
James:It's gonna be on the meeting.
Joe:I will never throw you under a bus. I'm gonna show you that bus is coming down the road and give you the option to jump out of the way. I'm gonna be standing over there off the road. Your choice. You stand on the road or not, I'm gonna give you fair warning and help you fix this before the meeting.
Rick:So there's a phrase that people I work with know that I use all the time, it's weaponized meetings.
James:Isn't that every meeting?
Rick:Well, if I'm trying to get someone to do something they haven't been doing, eventually after two or three swings I'll go, hey, I'm setting up this meeting for this time a week from now, two weeks from now, whenever. And if it's not done by then, we're just gonna do it together on the phone. Right? So that's a weaponized meeting.
Justin:I thought you were gonna invite a higher up into that meeting.
Rick:No, typically not. It's just like...
James:Escalation, you mean.
Rick:Yeah. I mean, we're gonna chew up this time and I don't need to do this thing, but you're gonna be wasting my time while I watch you do the thing. Yeah. Is the subtext, right?
Rick:And typically, I actually don't think I've ever had to actually have one of those meetings, but I probably set up hundreds. But what you're talking about, now there's a new frame in my head for weaponized data, right? Which is, Hey, here's the metric. You're the person responsible for it.
Joe:It can change before the meeting.
Rick:It can change before the meeting.
Joe:It's up to you whether you want this on the screen with your name saying it's ineffective. Right. Or do you want to be on track?
James:Yeah.
Rick:Right. We both want to show green on this slide.
James:There is a sense of competitiveness between business units, right? And even if it's within the technology teams supporting those business units, they have some competitiveness, like you said. Nobody wants to be the worst. But also it's a matter of playing that balancing act between what do I need to do to support my business and what do I need to do to reduce the risk?
Justin:Yeah, and if you just got like a new M and A and they were terrible, obviously they're going to be the worst on this scorecard, you know, type of thing. But yeah, I think I've got a lot of success by just bringing up the data in a collective spirit and then all of a sudden like you get traction, you know. Instead of going to them individually and being like, can you fix this? Can you fix this? Can you fix this?
Justin:You know.
Rick:Well, I like, and we were talking about this a little earlier, like the concept of letting people draw their own conclusions from the current state of things or the information, right? Kind of a Socratic method of visioning what's next. I think that's pretty important oftentimes because sometimes you're not gonna get buy in if it's your idea. Yeah. Right?
Rick:Sometimes, and this is where the experience really matters. Like you need to know where you bring the vision and where you bring the information and let someone else reach the logical conclusion on your behalf. I also... Go ahead.
Joe:I was going to say, I was going to switch it up a little bit, but I was going to say, well, what could go wrong when you're trying to persuade people? By pushing too hard? Have you ever experienced any of that?
James:Yeah. I mean, the biggest challenge there is that they will just say no, right? Like, if you're dealing with the business, right? They will invalidate and say, That risk is not valid. You don't understand the business.
James:You don't understand, right? We have to keep this system operating. It is what generates the revenue. This customer will be unhappy, right? The challenge there is that you can't predict unpredictable downtime. Like there are things like you're dealing with physical systems that do fail.
James:Yes, we're dealing now in like solid state disks and things like that, which have a lot longer mean time to failure, but there is still a mean time to failure in these systems, right? Memory fills up, memory leaks happen, the software is not perfect. And those are things that you cannot predict. And the longer you go without fixing and doing, I mean, again, it's just like, well, it's just like a software based car, right? Like we are all familiar with those.
James:Sometimes the system doesn't do what it's supposed to do, and you have to turn it off and turn it on again. It's just the fact of how software works. And those are things that it's not a perfect science, but we're expecting systems to be perfect.
Justin:Yeah.
Rick:I mean, what could go wrong? I think the saying no, and oftentimes the saying no is either going to be related to friction, right, or money. Those are the nos, don't you think?
Justin:I guess friction. Friction would play into that. A lot of personality, you know, can go into, you know, the politics of it. Like, you say the worst thing is no. The worst thing is if you get an enemy out of it.
Justin:I've seen so many people, security tries to push something down and it's the last thing that they want to care about and if you force it down their gullet, now they hate you.
Rick:Yeah, I think relationally... Well, that's a permanent no.
James:Yeah, well, right?
Justin:Yeah. And then like anything comes out, it's like an instant... They get an email from you and it's all of a sudden a negative tone.
Rick:But I think that's a third one. I actually think that's a fantastic third one. It's like the relational thing and then not enough money, right? And just not operationally this just isn't going to work. Like those are where the no's are going to hit.
Justin:I think... Yeah, the last two are logical type of thing. The other one could be just that they just don't want to
Rick:do it. They each have different soles.
Justin:They have their nine to five job and any extra work adds to that type of thing. They just don't want to do it. And that goes back to the culture of a lot of this.
Rick:And credibility, right? If you asked them to deal with a ton of pain that they felt is unnecessary four, five, six times in this past year because it hasn't been explained right, or maybe it really is unnecessary, right? You've spent that political capital, and all of a sudden, you're going to have a real tough time getting anything done from here on. So I think even if they say yes, making sure they understand the why behind it is pretty important.
James:The other piece of it to kind of address that is it's just business.
Justin:If
James:you emotionally take it as a personal attack, you have to realize it's just business.
Joe:Well, that goes really in line with all security risks is actually just business Right.
Justin:Yeah. Like
James:when you and that person see each other at the ball field watching the kids play baseball or deck hockey or whatever, like don't bring that conversation up. It's not relevant in that. It's just business. Like they have their agenda and their things that they need to do to make their business goals and to do what they think is right for the company. And you have your obligation to advise them on what they should. But at the end of the day, like you could go get a different job if it's that much of an irritation.
Justin:Right,
James:absolutely. They could go get a different job if it's that much of an irritation. You have to take a step back and realize like what is their motive? What is their agenda? How do I advance as the security professional?
James:How do I advance their motives and their agenda? Because ultimately, they're the ones making money for the business unless the business is security consulting or that piece of it. And that's the line that we all have to draw. As a person who works for Microsoft, do I care if my customers buy my product or buy a different product? Absolutely.
James:But at the end of the day, they have to protect their business in the way they think is right. If I don't agree with that, I still shouldn't get mad at them. And if they get mad at me for trying to have a conversation with them, show them the right way...
Justin:Right. Well,
James:But still a lot of people will ruin that relationship because of that friction.
Rick:But there's still a least common denominator decision maker at the end of the day, right? I mean, there's always an escalation.
Justin:The business...
James:...is usually that decision maker.
Rick:Well, depends. It can be, right? But at some point you have a CIO talking to, right, a COO or a CFO or whatever it is. And if you're having a disagreement, and I guess I'm thinking more like business units or managers or your people that are trying to get the work done. Oh, can I patch this vulnerability? Can I do this?
Rick:Can do that? Right? Yes. There's gonna be escalation points, right? And if you really believe in something and you think a part of the business is taking on risk beyond what's in their purview to take on.
Rick:No, we can't take this SharePoint outage, right, to upgrade from 2010, right? Hypothetical situation. Hypothetical situation. No, we can't do that. Nothing that I...
Joe:I don't know what you're talking about.
Rick:I don't... we can't do that. Well, at some point you're like, Well, I understand this impacts your corner of the business, and I'm not taking away from that, but I need you to understand that this could impact the entire enterprise, right? And oftentimes people say yes. If they still say no, you go, okay, well, let's agree that we disagree on this and let's get both of us out of the heat and eventually, right, there's gonna be a CIO or a board that makes a call.
Joe:I like that. Get us both out of the heat. So now you're framing...
Rick:You're still partnering. You're partnering.
Justin:Yeah, because at the end of the day, security doesn't have ultimate decision. It's going to be somebody in the business.
James:And some of the most externally intense discussions I've had in my professional career were actually where me and the other person were in agreement, and we were super excited about how we could solve this problem. And like people opened the door and went, Are you guys fighting? No, actually, we're in complete agreement 100%, and this is the solution to the problem. And we were just like, it escalated and escalated.
Justin:They're like, Keep it down.
James:Because we We're this place to celebrate it. Others probably.
Joe:Yeah. I've been in those. Those are great.
James:Everyone else in the industry or everyone else in the building thought we were going to punch each other. And no, we actually solved a big problem.
Rick:Yeah. Yeah. I love that.
Justin:One other thing I want to bring up before we close out this topic is don't dismiss framing it in a different way. You mentioned it before, hey, oftentimes security is a net drain on the company. It's a cost of doing business. We have to patch everything. But there are certain businesses that if you get in front of customers and customers say we care about security, all of a sudden the business leaders hear that, they're like, they care about security? What does that mean?
Justin:Make it an enabler.
Rick:That is such a key...
Justin:And I think it takes like a purposeful communication and intention into that. But I've had direct things where like when I was at Diebold, we got a bank's full ATM operation, remote banking and everything. The reason they cited we won over NCR was because of our security. They cited that. Then all of a sudden, the executive was like, because of our security? We have security?
James:Well, there's nothing better than that customer that comes in and says, you will follow ISO. You will follow whatever. You will follow, right, this. You will do these things. Your contract agrees that you will do those things.
James:At that point, you align your entire organization. Like, I'm sorry, they're our largest customer. We have to do that. Now you are a... There are ways to get there without those events. It's just a lot more persuasion, a lot more influence.
James:You have to be more delicate. We have to get back to those discussions of what is important to your business and how does security enable you to do your business faster, better, cheaper?
Rick:I love both of those. Being an enabler is so huge because so many times security is seen as the culture of no, where in reality, if you have good security, the business can go way faster.
James:The business can do whatever they want because
Rick:Here, I've set up guardrails. You can drive as fast as you want.
Justin:And this car is not going to... Then we get a security customer coming in. It's just like a highway paved for them. They're like, Yeah, we have all this stuff and everything. One of the first things, Diebold, sorry. First thing is when I came over as head of GRC, the sales team owned all the answering to the security questionnaires that we were getting in from customers.
Justin:And one of the first things I was saying, they were like, Nope, this is coming to my team. We're centralizing it. We'll give you an SLA. Three days, we'll return it to you all filled out, you know, type of thing. And first, we're able to gain a whole bunch of efficiencies.
Justin:Second, we were able to answer it right, you know.
Rick:By the way, you can spend a lot more time doing sales.
Justin:Yeah, exactly. And the sales team loved it. They didn't have to do security questionnaires. And we answered in a consistent manner out to the customers and were able to articulate like some of the questions. We didn't ask that many questions. It was like, okay, who is the customer and what services do we provide to them?
Justin:Now we have context and now we know the control environment. We can answer the questions appropriately and we have standards and templates that we created to make it better and more in line and all that stuff, but that's some of the stuff that when you're convincing, it's like, hey, now I have metrics. Here are what the and we actually shared that to the security committee. We have metrics. Customers, hundreds of customers are asking us on an annual basis if we have this stuff in place for these services.
Justin:And sometimes it's difficult because we might not have an external certification. We might want to think about that.
Rick:Understanding your demand channels.
Justin:Exactly. And then we're able to put together and again, we're talking about influencing. Now I can paint a picture to say, it would be worth us to get an ISO, a SOC two, whatever you think is good to do that.
Joe:Stamp of approval.
Justin:And now we can build efficiencies and my team doesn't have to dedicate an FTE and a half to answering questionnaires all year type of thing.
James:And nothing builds that credibility with a business like walking into a customer or a government assessment or audit and sitting down and having the assessor or auditor across the table go, I don't know why we're even here. Yeah. You've given us... this is a four day audit. I don't know why we are here for four days.
James:You've given us everything that we could ask for in documentation, and you're doing all the right things, and you have all the pieces and processes in place. Like I did an assessment for a company I worked for with the Department of Homeland Security, and we were done in twenty five minutes. It was a four day audit. Like the government team of five auditors went home, and I sat around in Maryland doing nothing for five days because I didn't want to change my flight.
Justin:That's fantastic.
James:There are things like...
Justin:They all have good wineries down there and everything. Yeah.
Rick:I see.
James:And it was one of those things where now I can build rapport with the business. I can build that credibility. I can talk them through the things that we're doing that enable their business to move faster rather than spending five days under the thumb of a government audit.
Justin:Right.
Joe:Well, this is so awesome. I heard so many great takeaways. One of them that we didn't really say, but I think is important is that if you're a security practitioner, make sure that you know, and this goes back to what you said about your contracts, make sure you're partnering with your legal department, make sure you understand what your customers are putting in and then leverage that. I'm gonna use your weaponizing and then say, arm yourself
Justin:Yeah.
Joe:With the information you need about what your customer requirements are because you're legally bound
Rick:Oh, yeah.
Joe:With those contractual requirements. Mhmm. Use those as the basis for framing out your program. I mean, call those interested parties in the ISO 27001 world. Make sure you know what those are.
Joe:What other takeaways do you guys have for the
James:When your customer comes in and says you will comply with ISO, take that as a blessing. Like that has built many company security programs under my watch because the customer said, I need you to align to ISO 27000. Signed the check. Everything we did from that point aligned to that framework. We're doing all of these controls.
James:We're assessing. We're doing all of those things, right? No one can get in your way, or it's very difficult for them to get in your way once you have the customer say that.
Rick:Yeah. Another one I'd say nothing beats just regular catch up meetings in an appropriate cadence, right? Yep. With your peer set. And sometimes your peer set plus one depending, right?
Rick:All over the business. Yeah, across the business. Yeah, not within IT or security or whatever.
Justin:Just in security, yeah.
Rick:And, I think, a lesson that many people learn over time is like the higher you go in role, the less time you spend with your team and the more time you spend with the broader environment. And so just nothing replaces that time of just catching up. And it can be talking about kids. It can be, right, when there's not scarier stuff to talk about, or it can be talking about the scary stuff. But putting in those hours early will make you have to spend a lot less hours when stuff's going sideways.
Joe:Sounds like a lot of our building a community...
Rick:It is 100% building a community.
James:Internally to your company. Absolutely.
Justin:I'll throw the one thing takeaway here. Start tracking data early and often. Know, even before you begin, you know, so that you have a good story to tell where you've been, where you're going, and where you're going to try to end up, you know.
James:And have the right people make that data business... Yep. Like it doesn't have to be every vulnerability and every piece of it. Talk about the risk, right? If a system is vulnerable that is key and critical to your business, what are you doing to mitigate that risk so that it doesn't have an outage that is business impact?
Joe:Yeah, and related to business impact.
Rick:That's a key point. And just to add, I'd say you need to be fearless about communicating the current state of affairs regardless of who or what has come before.
James:Truth to authority.
Rick:Without a doubt. Sometimes people aren't going to like hearing that, but you have to have some courage there. That's part of the role.
Justin:Great.
Joe:Yeah. So we're pretty far into this.
Justin:We are, but it's about minus five minutes. I think we have time for one more here.
Rick:We'll do a fast one. We'll do a fast one.
Justin:We'll do a fast one. Yeah. So to lighten up, not necessarily security related here, getting things done, GTD.
Joe:I like to call it GSD, getting
James:stuff done
Joe:except we don't say stuff at my company.
Justin:Yeah. So, how do you stay prioritized on your top tasks? How do you don't get into email hell, you know, into like some of that stuff? How do you make sure you're not booked out on ten hours of meetings every single day? Like, what is some of the stuff you guys do to kind of make sure you're always focused on the right stuff?
Joe:Oh, I love time blocking. Okay. And I keep a consistent to do list that is organized daily. In fact, I'll just go through what I do real quick.
Justin:Yeah. So what do you do with time blocking?
Joe:Well, before I time block, I first understand what's important. So what I'll do is I'll use ChatGPT and I'll tell it to give me my to do list. And I've already trained it what happens on a daily basis. So every day I have a checkbox on a list for check my project management system. We use Wrike and check my HubSpot to dos for any calls I need to make.
Joe:And those just show up and I'll take those and I'll put them in a list and I tell it to put that
Justin:So ChatGPT has connectors into those systems?
Joe:No. No. It just knows what goes on my list.
Rick:There's some
Justin:new lists.
Rick:Recurring tasks.
Justin:Yeah. Okay. Got it.
Joe:And I use OneNote. I've been using OneNote for so long that, you know, I'd love to switch to something like, I I love Notion. It's great, but I have so much data in OneNote. So when I go through OneNote
Justin:...migration thing. There might be, but...
Joe:I have so many... I have my family on it.
Justin:Yeah. Yeah. Yeah.
Joe:So I've been using that for years. I'm gonna stick with that. But basically, I have a to do list that is for a whole month at a time. It lists every day of the month out. And in it, it just basically has the same repeating things.
Rick:Mhmm.
Joe:Even something as stupid as take vitamins. Yeah. I also forget. Yeah. And then I have it as a checkbox I put next to it.
Joe:And then I'll just use the OneNote checkbox, check it off.
Rick:Mhmm.
Joe:And I'll do that. And then at the end of the day, everything that's done is checked off. I put it into a different note, and I have that for the entire year. And I've been doing it for years. So I can go back and say, what did I do five years ago on this day?
Joe:And I'll have a reasonable sense. And so that's what I'll do. Then I'll have a I'll shift those. I'm like, I'm just not gonna get these things done.
Justin:Mhmm.
Joe:Never have I completed a whole list. Yeah. I was too aggressive. And so I'll push those to the next day and the next day, and I'll put them
Justin:And you prioritize that?
Joe:And then I'll prioritize it by day. And then when I really have something important to do, that's when I time box it. That means I go to my calendar in Outlook and I'll say, oh, here's... I need like an hour and a half to get this thing done. I need a whatever to get this thing done. And I'll start mapping Yep.
Joe:Time blocks as meetings that I'll hold myself accountable to. And if just like if I had a meeting with Rick, I'm gonna show up on time. Yeah. We're gonna do the thing. I'll just show up on time for this meeting, and I'll do the thing that I'm supposed to do at that time, which gets my goal done for the day.
Joe:And that has increased my success of just GSD oh, I'm sorry. GTD tremendously. Yeah. That's what I do.
James:I cheat. I use Copilot for everything.
Justin:Okay. What does that Copilot.
James:So Copilot is built off of ChatGPT, but it's in the Microsoft ecosystem.
Justin:Yep.
James:Rather than, right, having ChatGPT ingest, Copilot is just built into OneNote, Outlook, Teams. So every morning I start off with a prompt that says: summarize yesterday's meetings and the task list that I need to do today. And it dynamically builds my task list for the day.
Justin:Okay.
James:Then I say, Timebox, build meetings around those tasks, and it will build those meetings around.
Justin:So it blocks off your calendar?
James:It will start to block off. If there's not space to do it, the next day, it just moves it forward.
Rick:Gotcha.
James:But I'm using that same prompt every morning. The same prompt every night is what are the things I need to do before I leave today, right? And it starts to build that list. But it takes into account automatically because I'm transcribing all my meetings in Teams, right? Everything that's in there, all my to dos, it's completely dynamically building that list.
James:Three months ago, I wasn't doing any of that. The injury has caused me to do that, right? Can
Joe:Oh, this no longer is new for you.
James:This is new. I can no longer multitask because I can't be on a meeting on a speakerphone and hit Windows+H and type at the same time. So I can't multitask in meetings. I have to be present in meetings. And then the text transcript of the meetings creates the notes for me, and Facilitator keeps me on time for meetings.
James:So I'm no longer going over ten, fifteen minutes at the end of a meeting because Facilitator tells me, hey, you're five minutes over. What's Facilitator? Oh, Facilitator's built into Teams. And it runs on Copilot if you turn on transcription. And it'll take notes for you.
James:It'll take tasks for you automatically. Like
Justin:you got five minutes And it'll
James:warn you, hey, you're thirty minutes in, and you only hit three items in your agenda. Like, do you want to schedule more time? Do you want to add another meeting? Do you want to schedule another meeting? It's now getting smart enough that it can take the people in the meeting and actually schedule that second meeting later in the week or that third follow-up meeting.
James:So it's I getting to that
Justin:wasn't aware of that. That's very cool.
James:That is cool. Again, I cheat
Justin:because Well, the benefit of a single looking for the Cloud. Yeah.
James:And then like I also cheat. When I lay in bed and have insomnia, I will go back to that list and complete tasks until I fall asleep.
Justin:Your poor wife.
James:She's already asleep.
Justin:Yeah. It's fine.
James:As long as I talk hard. Yeah. Because I can't type.
Justin:Yeah. Right.
James:It's really hard to type way over here to the left.
Rick:Well, especially in like Only
James:a week left. Yeah.
Rick:Oh. So mine's, I think, super old school. I don't do a bunch of cheating. I basically put everything I need to do in the calendar in two ways.
Justin:Oh, okay. So I
Rick:have big blocks of time that are color coded as like, this is general administration, this is inbox zero, this is deep thinking, whatever. Then I have I use Notion for two things. One is Scratchpad. So everything new that comes in, it doesn't exist unless it hits Notion. That could be in a meeting, it could be an email, it could be whatever.
Rick:Hits Notion if there's a to do for me. And two, for backlog, right? So then what I do is every
Justin:And backlog like tasks? Backlog's just a whole bunch
Rick:of stuff that's like not urgent. But if I have a little bit of extra time, I go to the backlog and start So it's tough.
Justin:Yeah, tasks. Yeah, yeah, Okay.
Rick:And then every tactical thing I do gets kind of double booked. So like all my color coding time block is marked as free, right? That's just for me to deal with. Then every time I have a to do, I time block it out and I dump it into my calendar and I just use that for absolutely everything. So everything that's just like little miscellaneous general stuff, sometimes there'll be a time block of like recurring administration.
Rick:It's like, take my pills, do this, do this, right? And it's like three things in a thirty minute block and it doesn't really matter how I do it. There's always a little bit of free time in the day for crap that comes up or, you know, all that sort of stuff. But I have probably spent an obscene amount of time exploring like GTD systems and stuff like that. And it's just what works for me is I just dump everything in the calendar.
Rick:I have my backlog. I have my scratch pad, and I know where stuff goes. So like Friday mornings is financial stuff, and that's where I'm doing like invoices and questions and all that stuff. Like, that's just where it hits.
James:The hard part is how do you schedule time for your employees? Because they have needs that you have to take care of, and they're not always scheduled. And I look for you because I know you have employees.
Joe:Well, I do. But I have done a couple of very awesome things in the last couple of years, which is delegate. So, you know who you are.
Rick:Besides conversation.
Joe:Yeah. Yeah. If you're listening, this is you, Eric. Almost everybody in CISO reports to Eric. And I look at his calendar and it's one on one, one on one, one on one.
Joe:And but what do we do? So we have, well, we use Microsoft Teams and we have various channels that are just for like group chats with everybody. And so we throw things out there. It's like almost like a constant sidebar of community building to go back to that. And then I'll just easily quickly one off a message to somebody and say, oh, by the way, like, here's the thing we have to do.
Joe:Are you comfortable taking care of this? And they're like, totally got it. Or do you wanna have a quick call and talk about this thing?
Justin:Yeah.
Joe:And I'll sidebar. But I'm usually doing those are skip levels now for me.
Justin:Yeah. Yeah. Yeah.
James:I don't know if either of you have direct reports. I have eight of them.
Justin:So it's Yeah. Yeah.
Rick:Like, I do. And it's just Well,
James:that's eight hours a week of just dedicated to them.
Rick:Yeah. I have one on ones where needed. But to your point, like I've done a decent amount of delegation in the past like month-ish. But then in addition to that, there's just like, again, my free time block. So if someone's like, hey, I need this or hey, I need this, it goes in the free time block.
Rick:Or if it's like from the top rope type thing where it's like, Oh, the CEO needs this, the CEO needs that. I'm like, Oh, okay. What I'm doing right now moves to my free time block and I switch. But when people need stuff, it's like, well, they typically know it's like, Well, you get from, you know, two to four, you know, roughly most days, you know, and I can move stuff around pretty easily.
Joe:This is some of the reason well, I have no problem. I'm there till maybe seven at the office because I plan to do things.
James:Mhmm.
Joe:But as soon as I get a task from a team member, as soon as I get a chat, I'm like, you know what? Me responding to them is probably more important than me doing this other thing that I could do a little bit later. Yeah. And so I'll just reprioritize that. I don't always do that because sometimes it's just it's an important but not, you know, urgent Yeah.
Joe:And I'll I'll schedule for the next day, but I never go longer than I try never to go longer than that next day.
James:Yeah. I mean, I have staff, or team members, that are East Coast, Central, Mountain, and Pacific, and I have specifically told them, I'm available until 5 p.m. your time on Monday and Wednesday, Pacific time. Feel free to schedule anything you want.
James:Right? Fridays, it's a little bit lighter. Tuesday, Thursdays, like, I got other things that I have to do in the evenings. But otherwise, like, they are my priority right now.
Rick:Yeah. Well, I think it has to like, if you're delegating, like, I mean, that's how things are happening. Right? Like, I mean, your job is to clear roadblocks. Like, that's the deal.
Rick:Yeah.
Justin:It's crazy. Keep in mind.
James:Last but not least.
Justin:Yeah. So for me personally, and then I also want to touch on some of the employee stuff and everything. So me personally, I have everything in Notion. I've actually started using their meeting stuff and everything. They can actually transcribe it right into that.
James:Do you trust them?
Justin:As much as any other AI stuff, you know, kind
James:of thing.
Justin:So, everything you like, taking notes, my task list is in there. I try to practice inbox zero. To be honest, I probably have 10 or 15 emails hanging out, you know, in my inbox right now. It's zero adjacent. Yeah, zero.
Justin:Zero achievable.
James:Inbox 100.
Rick:It's fine.
Justin:Yeah. But compared to a lot of other people, I'm pretty close. I'm closer to zero than a lot of other people. So, everything either gets deleted or archived. I don't have any other categorization to delete or archive.
Justin:If I think I need it, it's archived. If I for sure don't need it, it's deleted. Anything I can't typically get to immediately and it's like, hey, this is a two week thing or even if it's like, hey, ISACA is asking for CFPs, you know, for a Las Vegas conference, it goes into my calendar. It's like, and I'll put the CFP due date into there and that's a future thing, email goes away, you know, with that. I love that feature.
Rick:Yeah. It's huge.
Justin:Copilot can do it too. Yeah. I mean anything can really do it.
James:Anything that reads for you in my email and has AI will Yeah. Be able to do
Justin:So that's how I keep kind of everything manageable. I am probably more protective than you guys are. I externally block all my mornings. Mornings is where I realize I'm more productive. So when I get up, I actually do like work tasks, you know, I'm building
Rick:So in my world, like, that's all focus time.
Justin:Yeah. So and there are a few times I'll shove in a meeting if there's like incompatibility, if I'm working with somebody from Europe or somewhere like that. I have to accommodate into that. Generally speaking, if I'm sending out like let's talk, you have Monday through Thursday, any afternoon of when I have open. Fridays are always blocked into that.
Justin:So just because one, like, well, first off, I hate having meetings like in Friday afternoon. Like the people that send 4 p.m. meetings should be shot, you know, like It's like thing
James:for 3 a.m. meetings.
Justin:Yeah. You know, type of thing. So but I just liked it open for whatever because there's a lot of times I'll reach out to you guys. So, like, hey, can we all meet for lunch, you know, for this? And I probably have more open than, you know, others.
Justin:That's why
Rick:I start furiously shifting my calendar. Yeah.
James:It's a Saturday. Yeah. Thanks for lunch on Saturday.
Justin:Right, right.
James:Bring your kids. It's fine.
Justin:But I'm protective of my calendar. And I know like the stuff I have to get done, I can get done in the morning way better and focus. And then in the afternoon, I can kind of focus on the meetings or whatever I have to do with I have two full time people for me. I touch base with them twice a week into that Monday and Thursday that we touch base to see where they're going, but I've often like to get more into the data driven where you don't have to have a meeting. You look at the status or do different updates throughout the week and then follow-up with them over chat or something along that lines.
Justin:Like, that's way more effective into that. I I would say, like, if your day, like, with Eric, I don't know how busy he is, but if it's filled with, one on ones, he should probably have less people and start delegating leads. I don't know how he's there into that. But the common rule I've heard is if you're at executive level, it's like five to seven. Five plus minus two.
Justin:Yeah. Something like that. And when you're at the executive level, it's not necessarily an every week, you know, I think. Could be every two weeks or a month. As you get the less experience, obviously, you need more attention onto their tasks and everything.
Justin:That would be more of a weekly touch base and all that. I do agree with you. If somebody needs to reach out, like, you deal with that, you know, type of thing. But I was just forget where it was. It was talking about delegating out.
Justin:I just listened to a podcast delegating out and it was just all about like, how do you phrase that? Like somebody's reaching out for you. It's like, well, how would you solve this instead of being like, just do this.
James:Know? Don't be the solution person.
Justin:Yeah, exactly. And if you get that in their mindset that you're always the solution person, they're always going to come to you. But if you start saying like, what would you do in this situation? Okay, go do it. All of a sudden you get and all that and then you're not the roadblock into this.
James:Two things that you reminded me of. One, I categorize my calendar and my inbox based on like what it is, right? Is this an HR thing? Is this a expense report? Is this a, right, reporting or meeting?
James:Is this a one on one?
Rick:Is that AI automatic?
James:AI is automatically doing And that then two, part of the prompt is how many hours did I spend in each category? For awareness so that I understand mentally, oh, last week I spent forty two hours in people management and I spent another twelve hours in, right, managing up or reporting. Like now I'm at fifty four hours. Like do I really wanna do that? But the other piece of it is then you get categorization around what you're doing.
James:The second piece of it is my manager had us read some of these Harvard Business Review articles. And one of them was like when somebody brings a task to you, do you take that task on or do you leave that task onto them or do you delegate it to a third party?
Justin:And like the rules
Rick:for when you do That each
James:frame, well, no. It's a matter of keeping track of how many tasks you have. If you continuously accept tasks, like you're going to be overloaded. If you are empowering them to complete it and leaving that task in their bucket, they're the ones that are empowered to solve it.
Joe:That sounds very much like what you were just describing. In fact,
Justin:kudos reminded me of it. Yeah.
Joe:Kudos to one of our team members. She's awesome. Lauren brought to her all hands this ten minute video based on the book Turn the Ship Around!: A True Story of Turning Followers into Leaders by L. David Marquet. And I'm like three-fourths of the way through listening to that. And all you need to do is watch the ten minute video and you can almost understand the concepts to start reframing.
Rick:Please show notes that?
Joe:Yeah. We can put that yeah. Yeah. I can get that. And the whole idea is when, you know, this is about a guy who ran a submarine Mhmm.
Joe:In the navy and instead of actually giving orders, said I'm never gonna give an order again. He said the only order I'll give is when we're gonna fire a missile that is going to impact human lives. I don't want that on anybody else. Otherwise, it's doing what you guys have said. Yeah.
Joe:Well, what would what do you suggest? Well, is that the
James:right thing to do? What Impact.
Joe:Yeah. You know, have you thought about, you know, what could go wrong? And those kinds of things. And let them work through it because they keep the ownership. You didn't take that task.
Joe:You left it with them. You're just an adviser asking them some questions based on your experience because that's why you're the captain of the commander of the submarine.
Justin:Yeah. So Yeah.
Rick:I have one other plug
Justin:Mhmm.
Rick:Which is the Cult of Done Manifesto, which I don't know if you guys have seen or whatever. I love it. It's like third Is that a movie? No. It's like a document and or, like, two infographics depending on which one you like.
Rick:There could be Say
Joe:that again?
Rick:The Cult of Done Manifesto. I'll show
Justin:notes. Oh, okay. Yeah.
Rick:Yeah. But it's like by Bre Pettis and I think Kio Stark. I don't know if I have the second name perfect. But it's basically like 13 rules around like, are you getting things done appropriately, quickly? Are you abandoning things quickly enough?
Rick:And it's just super pithy. And every time I've worked with a team for a sustained amount of time, we're starting to move from, like, good to great. I always introduce this to them and we go, hey, so this is how we need to start to, like, move to be a little more efficient and just keep this stuff in mind. So That's a good
Joe:I can't wait to read that.
Rick:It's it's super cool. It's a two second read.
Justin:The the other thing I really like, I think I gave you a book onto that, The Great CEO.
Rick:Oh, love it. Within? Within. Yeah.
Justin:It goes from the individual, which we talked a lot about the habits of getting things done. Then it talks about group habits, implementing and a whole bunch of things. But the great thing about this book, and if I ever write a book, I'm going to mimic the style. All the chapters are like three to five pages.
Rick:Yeah, it's so easy to
Justin:get It's so digestible. So when it talks about practicing inbox zero, it's like two pages, here's what you do, you know, kind of thing. Practical, quick. It's not like here's a chapter and it's twenty, thirty pages long. It's like here's all the individual things that's going to help you improve and all digestible.
Justin:And the way it breaks it down is great.
James:Well, that's the other cheat is if there's a meeting, it gets transcribed and then AI writes the notes for me. I am present in the meeting, and then it follows up.
Justin:Right? If
James:there is a video, a corporate training, or things that I have to watch, if it has a transcription, I will prefer to get the notes and then the highlights and then watch it at one and a half to two times speed. Like, we don't have time So
Justin:you can get the quiz faster just answering?
James:Well, we don't have time to spend three to five hours in a meeting listening to the same conversations, you have to be able to maximize that. There's just too much going on and not enough time to consume it all. If we were all still working ninety to one hundred hours a week, it would be different. But our demands don't require us and don't allow us to. Like I remember at one point in time, my most productive time was 9 p.m. to 1 a.m. every single day.
James:Monday through Sunday, there wasn't a week.
Rick:My free time between midnight and six.
James:Right. Yeah. And, like, doing these cheats and these hacks have allowed me to stop doing
Rick:those cheats. That's incredible.
James:Yeah. Like, I used to love working 9 a.m., or 9 p.m. to 1 a.m. That was my favorite time.
Rick:Because no one was bugging you. You could get sick. Right. Have My
James:kids were asleep. My wife's asleep. Now I don't do that. Now it's all looking at like what was in the transcription, what are the notes, what are my actions and to dos. And then if I have to watch the video, it's 1.5x to 2x because I already have that transcription on the side.
James:I already have had Copilot go through it and tell me what are the highlights. Where in that transcription are the highlights so I have to think about it and listen to those pieces and not all of the other things.
Rick:So do you consume transcribed meetings that other team members record so you can does that pseudo
James:automatically in Teams
Rick:and Yeah. Yeah. And it'll like flow it up. That's That's magic.
James:And that that's the piece of it that is the cheat code.
Rick:That's magic.
James:Like, because I'm in that ecosystem and every meeting is a Teams meeting and every meeting has transcription and facilitator Yeah. Like, it's it's a cheat code.
Rick:That's awesome. Yeah.
Justin:Awesome.
Joe:I've learned so much on this episode. Typically, I'm thinking we're all sharing common knowledge, but this was great.
Rick:This is excellent.
Justin:Yeah. I've learned a couple of I
James:appreciate it. Yeah.
Justin:All right. Well, I think that's a
James:wrap We'd love to come back. Thank you. Yeah, absolutely. Thank you again.
Justin:Yeah. Thank you everyone for tuning in. Don't forget to like, comment and subscribe. It really helps our algorithm into that. Stay tuned for next recording.
Justin:We might have a little shift, surprise into this. You'll see it in some of the media stuff. I think I authorized to post up some of the images I sent out, But thank you everyone and we'll see you later. Thank you. Cheers.
Justin:Cheers. Cheers.