Episode 7: Certifications, Mentorship, and Auditor Missteps

Justin:

Welcome everybody to Distilled Security podcast episode 7. My name is Justin Liepline. I'm here with Rick and Joe, and we have somebody new on the set here, Brandon Ecker. Welcome, Brandon.

Brandon:

Thank you. How are you?

Justin:

Good. Good. Good. So being that you're new here, why don't we start off, introduce yourself, talk a little bit about how you got into security, what you're doing now, and everything. So

Brandon:

Sounds good. Like Justin said, my name is Brandon Eckert. I am currently the director of product security for a software company in Pittsburgh, specializing in healthcare

Justin:

software. Remaining nameless?

Brandon:

It will remain nameless.

Justin:

You can look that up on LinkedIn. Exactly.

Brandon:

So a little bit about my career, and I'll actually rewind back to my mid to late teens before I actually got a job. I very much liked being the typical nerdy teenage boy. At one point, a friend of mine sent me some picture on ICQ. And, of course, I opened up the picture and a picture came up, but then my CD drive started turning on or opening. Things started opening up on my computer, sounds would play.

Brandon:

And after I yelled at him and asked him what he did, I realized he had sent me it was either Sub7 or NetBus, a remote admin tool.

Justin:

Mhmm.

Brandon:

So I decided I wanted to teach myself Visual Basic 6 at the time. Seemed to be pretty easy to learn, and I mainly taught myself that to make a Sub7 clone. After I finished developing it to work locally on my computer, I had to teach myself like what actual networking is because I just want to control something remotely. So a lot of the foundational knowledge about IT in general, I kind of just taught myself going to, like, the equivalent of darknet forums back in the day, source code repositories. Fast forward a little bit, I got a job as a software developer at a tool and die company in my hometown of Meadville.

Brandon:

Worked there for 3 years, a lot of generating reports, migrating off of Crystal Reports, a lot of custom software to interact with the presses, a lot of the machinery, did an inventory system, through all of the lots. Moved away from that job and surprisingly in Meadville, a software developer makes less money than a help desk tech. So I moved from software developer to a help desk technician.

Justin:

It's usually the reverse.

Joe:

I I know. I know.

Justin:

You start off in help desk and then go software development. Yeah.

Brandon:

It was quite a quite a raise. Did the help desk thing for about 2 years at that company, until the head of infrastructure, thought that I'd be a good fit for moving into a sysadmin role. Oh, okay. So a lot of stuff with migrating our physical infrastructure to virtual software with VMware, migrations to Office 365 and such. After about 6 years, I'd say, at that job, I kind of hit my peak of Meadville.

Brandon:

I very much enjoyed the job, but on a whim, I applied at a job at a financial institution headquartered in Pittsburgh, came in as a systems administrator, within a year or so. They created a security engineer position.

Joe:

So for this time you haven't been in the security position specifically, it was all developer, help desk, and now what was the last one? Another sysadmin. Okay.

Brandon:

Yeah. And all the time, like, I really wanted a security role, but like I said, growing up in Meadville, you either have to go to Cleveland for that or Pittsburgh or somewhere around there if you wanted to kind of escape the general idea. An hour

Justin:

one way or the other.

Brandon:

Exactly. Exactly.

Joe:

About what year was that that you started at the Financials?

Brandon:

It was early 2014. Okay. Yeah. So came in as a sysadmin, migrated over to a cybersecurity engineer position, did a lot of cool stuff with automating some reporting from IPSs, for example, enhancing and enriching the data. For a period of time, I was still doing some sysadmin work, but took over managing antivirus, for example.

Brandon:

We onboard an MSSP, so a lot of work with endpoint protection. And really the job at the financial institution, is kind of what piqued my interest to getting certifications.

Joe:

So you didn't have any up to this point?

Brandon:

Up till that point, I had A+ and Network+.

Justin:

Okay.

Brandon:

Nothing directly security specific. It touched on some security stuff with Network+ of course, but that's really when I kind of started with a lot of the SANS training

Justin:

Okay.

Brandon:

Which I started out Which

Justin:

we have them all, I hear.

Brandon:

I I have

Joe:

quite a

Brandon:

few,

Rick:

SANS. Pokémon.

Brandon:

Right. Yeah. Yeah.

Joe:

Well, that's that will be our next topic. We'll really dive into, certifications, but, so what happened next?

Brandon:

So at the point of, Tri State, I ended up getting promoted up to senior vice president information security officer. So head of

Justin:

That's like a CISO equivalent. Correct. Into that. Yeah. Yep.

Justin:

Got it.

Brandon:

So, the head of the cybersecurity program Yep. Worked directly with the enterprise risk management team, a lot of, the IT team as well.

Justin:

Still to get your hands dirty in that role

Brandon:

or I still got to some. Okay. Luckily, I was able to, recruit for a hands on practitioner.

Justin:

Okay.

Brandon:

To kind of take some of my hands on role very quickly. I realized that he was a very skillful person. He had that same passion and curiosity that I had that I might not know the answer right now, but I'm not gonna lie about it, and I'm gonna find out something, and I'm gonna come into this conversation tomorrow with way more information than I never I ever would have thought. I I still very much miss this employee, and also recruited for an information security risk analyst position. So same thing with him, I very much enjoyed working with him.

Brandon:

My company ended up getting acquired by a very large financial institution, Fortune 400. I ended up moving over to that company, Right around the time, it was actually perfect timing, or imperfect timing, my wife and I were expecting, ended up deciding I wanted to accept the position, told my manager on a Friday, and I was like, Monday, I'll put my formal letter in and everything, and then my wife's water broke. So it was peace out and then on paternity leave. Yeah. So when I came back, I was at the company that acquired us, and I was an associate director of security assurance testing.

Brandon:

So responsible for their entire security assurance testing program. So pen testing, purple teaming, red team engagements, web app pen test security reviews.

Joe:

So did you go from getting your hands dirty to more of that leadership role, which I still get a sense you got your hands dirty, but probably because you found your way into, systems of play with. And then, at the new role, were you more back in a more technical position? I I would say

Brandon:

I was able to get, my hands dirty a little bit more, which I very much enjoyed. The team, that that was reporting to me at this company, very very curious people, very intelligent, younger people. And I I think that that was great for me just to be able to be able to to lead teams that were different than the ones that I had been able to lead before. Different skill sets, different curiosities, different strengths and weaknesses, and I was in that position for probably about 10 months, I believe. And then I had seen the, job posting for the company that I'm currently at.

Brandon:

Reached out to the hiring manager, asked him just information about it. Bluntly, I was like, do not just regurgitate what the polished HR job description says. Talk to me about the role. Pros, cons, what am I really getting into? The hiring manager did a phenomenal job of describing what the company is and, again, the curiosity in my head kind of went off, and I felt that I would be able to learn certain things that I might not really know to begin with firsthand, be able to utilize a lot of my preexisting knowledge, and be able to move things forward.

Justin:

Yeah. Because that is a a hop going from the Fintech area to health care and everything like that. Yeah. Different interest groups, different technologies, all that stuff and everything. So did

Rick:

you ever get revenge on your friend, or is it still does he live in fear as you get more and more deep into security?

Brandon:

I I never got revenge on him. Any of the stuff that would have been young, dumb, and stupid Brandon is probably past the statute of limitations.

Justin:

So you

Joe:

guys enter the ethics podcast.

Brandon:

Yeah. Yeah. The I At least

Justin:

he's not dumb enough to record it.

Brandon:

You know? No. No. Exactly. Exactly.

Brandon:

I I'd say the the one thing that I kind of missed and I wanna go back to, I was very lucky when there was some leadership changes within my last company, the one that I came into 2014, that really kind of promoted me into moving over to cybersecurity. The leader that I had and was reporting to is the one that actually introduced me to the local Pittsburgh security community. Introduced me to a fellow. I think everyone knows his name, Joe Wynne. Yeah.

Brandon:

Went to my first BSides. I don't

Joe:

know.

Rick:

BSides. Yeah.

Brandon:

Yep. Nice. Yeah. So I was introed to just the the caring nature, especially of the Pittsburgh cyber community. Really by way of being able to meet Joe, I was introduced to both of you, other people in the group as well, and it's one of those things that, like, everyone in the community believes that there's no stupid questions, and I might be able to to to help someone with a question on something that maybe they're unsure of or they've never touched upon.

Brandon:

The same way that I could reach out to you you, or you, and say, hey, I'm kind of running running against this. What have you kind of thought about stuff like this in the past? How have you dealt with it?

Brandon:

And

Joe:

And you find the Pittsburgh security community to be very, like, mentoring to each other.

Brandon:

Exactly. Well, you've done

Rick:

a great job, I mean, giving back to that community both with your time and, like, in tactical ways and prizes and things like that.

Justin:

Thank you.

Rick:

Super appreciated.

Brandon:

No. That that's one of the reasons that I do like the BSides CTF prizes. I feel that I'm in a position that I can give back to the community.

Justin:

That's awesome.

Brandon:

One of these days, maybe I'll I'll do the prizes and compete in the CTF, but we'll see we'll see what happens. But I definitely just wanted to to mention especially the local Pittsburgh security community.

Rick:

Nice.

Joe:

It's awesome. So your current role, kinda compared to your technical fit and what you're really, like, excited to do these days, it's less of the head of security side and more of the get your hands dirty again stuff. Right? Yeah.

Brandon:

It is.

Joe:

So, any, you know, any any reflections in a month, or so about just, you know, the funness of your role?

Brandon:

The more I dig in, the more I get that smile on my face that I had when I was younger, just being able to dig into things, getting to and especially now that I'm in the kind of knowledge that I have in my head of being able to look at something and question something, and be able to, in some cases, try attacking something. I very much like that I can open up my Kali box on my computer and bang away at things and see what the outcome is. Really, I know we touched on, like, the SANS trainings and GIAC certifications, but the last, I'd say, 3 years of certifications have been really OffSec related. So I started out with the OSCP, which is a bear. I had a very rude awakening when I took the OSCP the first time.

Brandon:

Going back to all of the hack the box stuff that I had done previous Mhmm. And just stuff in my younger years. I'm like, I'll knock

Justin:

this out.

Brandon:

I failed miserably and it was I kind of went into it with the wrong mindset.

Brandon:

Mhmm.

Brandon:

I had my notes up on my screen, but you kind of get tunnel vision with OffSec exams specifically. They're all hands on practical exams, so you're not just answering multiple choice, you are hacking at systems. You've got a set target list. And it's crazy how that tunnel vision will make it so you don't know your notes are here or you're not taking into consideration taking breaks. Before I knew it, I'd look at the clock, it'd be 9 AM.

Brandon:

And I I felt like 15 minutes later, I looked down, and it's 11 AM.

Rick:

Wow. Yeah.

Brandon:

So after I failed miserably, and by that, I mean, I think I got 5 points out of the passing 70, I immediately rescheduled the exam for 3 weeks later. I gave myself some time to kind of decompress. I don't wanna think about hacking. And a week from the training, I just started going through my notes again, ended up getting every single one of the boxes on there.

Justin:

So that's a big shift from that. Yeah. Yeah. What was the main pivot point that, like, going from 5 to passing at that point, like, was the big shift at?

Brandon:

Alcohol intake.

Justin:

Oh, okay. Yeah.

Rick:

More or less?

Brandon:

I I I, I had quite a bit of bourbon.

Justin:

On the first one or the second one?

Brandon:

The second one. See, that's where I was going at. A little looser. A little looser. Focus.

Brandon:

It it helped me focus. Yeah. And the the OSCP exam itself is 24 hours for the exam, 24 hours for report writing. I think when I passed it on the second attempt, I got all of the boxes in like 16 hours, I believe. That's amazing.

Brandon:

So moved over, ended up doing the OSWE from OffSec, which is the Offensive Security Web Expert, so web app pen tests. The thing that I like with OffSec and that I try to do with OffSec trainings is you can buy certain lab time, so, like, 60 days or 90 days, or you can buy a year plan. I don't like doing the year one because I feel personally if I know that I have a year to do something training wise.

Rick:

Yeah. The deadline. Line.

Justin:

There's You'll wait till the last 2 months

Brandon:

to Exactly. Yeah.

Brandon:

So what I would typically do is do the 60 day trainings, and I would purposely handicap myself a little bit. I'm purchasing it right now. The time starts right now. I'm gonna start in 2 weeks. Mhmm.

Brandon:

Just because I know that I have that deadline that's coming up, and I can learn better on things. I can allocate the time to do the studying more, knowing that if I don't get it, that I'm gonna spend more money.

Rick:

Yeah. Strategic procrastination. Yep. Yep.

Joe:

So, was the OSCP your first offensive security, certification?

Brandon:

I would say the first that directly ties to it Okay. The GIAC Certified Incident Handler, the SEC 504, was kind of, like, the incident handling and incident response part of security, but they also came at it before.

Justin:

Yeah. Okay.

Brandon:

But it also came at it from the attacker's perspective. So, when I did the GCIH, actually, I did a SANS community training in Pittsburgh, and our team actually won the challenge coin from it. So the CTF itself was a typical CTF. Yep. Connect to this switch here and bang away at system.

Joe:

Yeah. I I I think there was some OSINT done on you, and I think, I I think everybody came up with 16 certifications

Brandon:

Yep.

Joe:

That you have. And OSCP, do you remember, like, what how many you had before then and how many after?

Brandon:

Probably 12 certifications before the OffSec ones that I had started.

Joe:

And then you, got those, next 4?

Brandon:

Yeah. Yeah. Did the OSWE, OSEP, which is the Experienced Pen Tester. The one I very much enjoyed, again, taking me back to my roots a little bit, was the Offensive Security Exploit Developer.

Brandon:

Mhmm.

Brandon:

So a lot of looking at x86. Right. And actually using Windows debugger and finding where vulnerabilities Where

Joe:

was that in your path?

Brandon:

That was last year.

Joe:

Oh, that was 1 month? 2023. Okay. Okay.

Brandon:

Yeah. Yeah. 2023.

Brandon:

So

Rick:

And have oh, go ahead.

Justin:

Go ahead.

Rick:

I was gonna say have they all so all these certifications, have they generally have you felt like they've built on one another, or are they mostly somewhat isolated, or is it a mixed bag?

Brandon:

I think in some cases there is some isolation, but I'm one of those believers that, like, if you I know there's, like, the governance aspect. There's, like, the blue team and the red team side, but red team really does inform blue team on things and vice versa. I can't tell you how many times just me going through a defense type of a certification or forensics one kind of made my brain think a different way when taking on something from an OffSec perspective Mhmm. And and vice versa. And I I know that the one individual on my previous team that I referenced earlier, he's a blue teamer, true and true.

Brandon:

And I managing him, I never told him he needed to take a certain training. I would make proposals on what might benefit him, what might be fun to him, But I talked him into, doing the OSCP and he made me very proud. He was very nervous to take it. Again, blue teamer true and true never did offense. And I was proud when he called me up the morning after the exam and he said he passed it the first time because especially with the OSCP there is such a huge failure rate.

Justin:

Right. Right. That's right.

Brandon:

It made me so proud.

Rick:

That's awesome.

Joe:

Did you have a question?

Justin:

Yeah. I want to know how much you pay for, the CPEs every single year. That's fair. Do most of your certs have, like,

Brandon:

All all of them. I will say the way that the timing for all of my SANS ones has happened. So my GIAC certifications, most of mine are the GIAC ones. And if I go to a training this year

Justin:

Mhmm.

Brandon:

It'll it'll complete, like, 36, CPEs. So I use that on the previous one.

Rick:

So, like, the boot camp for the training you're you're for the cert you're doing now Yep. Addresses all the prior cert.

Joe:

Exactly.

Justin:

So is that one of your motivations of getting, like, another cert is that

Brandon:

No. I I have to have passion in what I'm going after. I I have to feel that it'll benefit my current job, and it'll benefit me in the future whether or not I'm in the current job.

Joe:

Well, you're starting to answer the next question. Maybe we should go to the next topic, which is, individual certifications, and how does somebody use them, and how have you found them useful? What would you add to that question?

Justin:

No. That's a good yeah.

Brandon:

I I think what really helps is take the certification out of it and just take it at the training level.

Brandon:

Mhmm.

Brandon:

I like being able to read the training material and not only apply it to what this type of training is or this certification, but stuff that I'm tackling that may or may not be related directly to that in my life as far as at work. So, like I said, when I took the GCIH, which I think was my second SANS training, like, I was just kind of in this weird position of being the security guy. I wasn't in a leadership position at that time. I was just the hands on security person. So I was taking that training and kind of disseminating it in my head.

Brandon:

Okay, there's the blue team aspect of things that I'm going to learn. Then there's also the hacky stuff I'm going to learn, and just being able to kind of put those together. And even like when I did like some of the GIAC Certified Forensic Examiner, I'm still going back to stuff that I learned in previous exams and trainings, and it just kind of helps bolster and step up that mountain of knowledge. I'm also one of those people that, like, when your SANS training or your GIAC certifications renew, they give you an option to repurchase the courseware. So I will repurchase them.

Brandon:

I'll look to see what's changed in the last couple of years between the training that I took and the books now, and I'll actually reread the new books and not whole books, but just the sections that have changed. So I very much like that.

Justin:

Now do you find, like, I mean, you're now in a senior leadership, you know, position, have been for a little while. You're doing a lot of tactical certifications. Does that still help you? You just did a job search. You know, do you felt like that had a relevance to the job, you know, that you were going for, or was it just kinda he has a lot of certs and they just kinda blend all together?

Brandon:

I I think for the job that I just, have have started at, I I think specific certifications did help.

Justin:

Yeah.

Brandon:

I'd say a lot of the offensive security ones, especially geared towards cloud, but also some of my defense related ones in forensics did touch on multi cloud as well. Okay. I also like one of my biggest pet peeves when I was kind of coming up through the ranks was having a manager that didn't understand the hands on practitioner and what they're going through, and there was just a big disconnect between manager says this and doesn't know what they're talking about or doesn't understand how to operationalize it. And I told myself I didn't wanna be that person. No matter how high I went up the totem pole, I wanted to be able to offer guidance outside of just a manager saying something to people who report to me.

Justin:

Yeah. Yeah. And I guess I have a little bit different aspect to certifications. I think they're more just can pass the HR block type of thing. Like, that's what I recommend people because out of the gamut of people I know have certification, I've met brilliant people that have 0.

Justin:

Mhmm. And I've met some of the dumbest people that have an alphabet soup and everything in between, you know, type of thing. So it's not a measure of, you know, like, how smart that is. They pass the test, and

Brandon:

they have a little

Justin:

like, there's a little bit that, obviously, they had to regurgitate it, but most of them are multiple guess questionnaire, you know, type of thing. It's not most, like, a lot don't have a practicality aspect to it. I do like the OSCP and, you know, some of the other ones that have that testing. Yeah. You know, it means more, you know, than just answering a multiple choice question.

Brandon:

Yeah. And that's one thing I do I will give GIAC props for is they're starting to implement the practical portions of exams. It's not just, oh, it's an open book test. I can lug all 5 or 6 books in my index, and I know 100% that you could go into a GIAC certification exam with your books, just do an index, and you could not know anything and still pass. I know They

Justin:

used to call that cheating in other tests.

Brandon:

I know I know I know someone that that did that and I'm like, why? Like your your company is giving you this money and it's going to benefit you now. It's gonna benefit you in the future. Why would you just like quickly go through your books and

Justin:

pass? Mhmm.

Joe:

Well, what I love about what you said was

Justin:

you

Joe:

do it for the learning experience Right. Which the certification is just somebody else's stamp of approval or something you wanted to know anyway. Mhmm. Which is actually something I say about people who go get ISO cert, and SOC 2. Yeah.

Joe:

But, from that aspect, you've built your knowledge base using this as a tool in order to, like, help you force you into learning

Brandon:

Mhmm.

Joe:

In a particular way.

Rick:

Yeah. Yeah. I I was gonna say something very similar. I really like the the concept of, like, so many things. Right?

Rick:

You're gonna get out of it what you put into it. Right? And so if you go into this saying, oh, I just want the checkbox. Okay. You can do the index and get the certification and move on.

Rick:

But if you're like, oh, I want the knowledge. Mhmm. Alright. Well, the natural outcome of that is likely gonna be the certification, but then you also have the knowledge, which is super cool.

Brandon:

Exactly. And, again, I keep my wife hates me for it. I have bins and bins and bins of all of, like, my my SANS trainings.

Justin:

Mhmm.

Brandon:

And within a second, if I need to remember something or remember certain commands, certain tools, a, I can just look at my OneNote, but I also have all these books that I just And

Joe:

those books aren't small either. Nope. No. Very thick.

Brandon:

Yeah. And it was a it was a pain when I, moved in with my wife. Heavy bins. Yeah. Yeah.

Brandon:

It's very heavy.

Joe:

So one of the things if and if you watch what I like to ask when we're talking about stuff is, well, what can other people take away from your experience having gotten all these certs? And, I think the way Justin framed the topic was, like, how should somebody use them? So kind of pulling that all together, and if somebody's listening to this and they're thinking, alright. Well, Brandon came out of Meadville, hit as much as he could in that small town, and then moved to the the big city and, started to really progress, but also started to have a motivated way to learn as you went. If somebody's starting now, any advice for them that would help them kinda get from point a to point b?

Brandon:

As far as trainings and certifications, I'll go back to what I said a little earlier. Go into it knowing that you have, or being aware that you have certain problems within your organization that you're facing, and talk with management as far as how how training specifically, can maybe help. I really feel

Justin:

that k a, do you pay for it? Is that what you're saying?

Brandon:

On that certification route, yes. But it it's surprising. And I I feel so bad because SANS training, as much as I love it, it is beaucoup dollars.

Justin:

It's a little pricey.

Brandon:

It's expensive. Even though I went the SANS route and I was, I'd say, privileged working at the financial institution that I worked at that they gave the budget for that, everything that I learned in SANS, you can find elsewhere on the Internet. And I'm not talking about pirated books. The same content exists in multiple places.

Justin:

Oh, isn't that the Good Will Hunting? Yeah. I know. We've seen out of there who's like, you know, you know, I you could learn all of it with, you know, a dollar, you know, 40¢ of late fees in the library. Yeah.

Justin:

You know, type of thing. He's like, but I'll have a degree and you won't. Yeah.

Brandon:

Exactly. And the time that it takes you to go through 30 different resources to try to find what's in a single SANS training, for example, or even on the OffSec side of the house. What does the OSCP cover? You can find those resources other places. And even if your company won't pay for a training, a lot of times they will pay for a certification.

Brandon:

I've also worked places before that they'll pay pay for a training, but not the certification. In some cases I did invest in myself. There were trainings that I wanted to take that I didn't want to like keep going to my employer and being like, hey, can I can I gain some more knowledge? Can you give me some more money?

Justin:

This is the 5th time I've asked you this year.

Brandon:

So there were trainings that I personally paid for in the attempts. Even when I was younger, and I'll go back to like the help desk position, my employer didn't pay for my Network+ training or certification. So I just kind of took it upon myself, a, to get a book, but also find different resources online that would help me with that. And at the time, and this is young stupid Brandon, I was car I was car broke.

Justin:

I was

Brandon:

help desk with a brand new Corvette.

Justin:

Car poor. Yeah.

Brandon:

Yeah. Yeah. So I was like, I just I won't go out to lunch for a couple weeks, and that's how I saved for the Network+.

Joe:

Yeah. Are there any certs that you, that are common that you just aren't interested in getting?

Brandon:

The CEH, certified ethical hacker.

Justin:

Oh, I have that one.

Brandon:

Yeah. Do you

Brandon:

do you have the CISSP? I surprisingly, no. Yeah. No. I recently saw

Justin:

So you are my exact opposite. Mhmm.

Joe:

I recently saw a post, somebody made. Just wondering, like, everybody out there says, oh, go get your CISSP, and then somebody's questioning that. And so I'm just curious if there's, like a reason that that's hasn't really been one that's a common one.

Brandon:

Full transparency.

Joe:

Mhmm.

Brandon:

So I went to the SANS boot camp for the CISSP. Mhmm. And I did take the GISP, certified information security professional. The problem I had was I had a haircut the night before, which I got there and she's like, hey, I'm running behind. Can you give me another hour or so?

Brandon:

I said, okay. So I went across the road and had dinner and then drank a lot of wine, and I took, I shouldn't say this, I I took that exam completely hungover Oh. To the point of I thought that only a couple minutes went by and, like, 30, 45 minutes went by and I had only answered 2 questions. And that realization in my head, like, got my hangover out of my head real quick and I ended up passing it. Which one was that?

Brandon:

It was the GIAC version.

Joe:

The GIAC CISSP. Gotcha. Gotcha.

Brandon:

I think at some point, I likely will take the CISSP. I I think that I want that. You want it? I don't think it'll help a lot.

Joe:

I was wondering. Yeah. At this point, I was, Yeah.

Justin:

I don't think it would help. Yeah. Again, to my methodology, it's to get past the HR block. And so when you said, do you recommend people getting that, I say yes because that's a more sought after. So Mhmm.

Justin:

When the keywords of HR go past, they're gonna look for the CISSP, the CISA, the CEH. You know? Like, you pick the, like, what's on the popular list, and you pick those. You know? Yeah.

Justin:

Because those are the most likely what HR is gonna be looking for.

Brandon:

Yeah. And that was what my big aversion to the CEH was. Yeah. That and I actually went through the training for the CEH, actually I want to say it was before I moved to Pittsburgh for the job at the financial institution, and I went into it thinking, oh, this is gonna teach me how to be a hacker and improve my skill sets, and it really didn't.

Justin:

No. It was like 60 well, so when I took it, it was in 2003, and there was, like, there's some stuff it has, but it was, like, which is a secure port? FTP, telnet, SSH, or, you know, POP3 or something like that. Yeah. I was like, okay.

Brandon:

But if you look at so many job postings to your point

Brandon:

Yeah.

Brandon:

CEH is there, and it's such I'm I'm not a fan of it. With that said, I do like some of what EC-Council has been putting out lately. They do have some more practical exams. I was personally a fan of the Certified CISO training that I went through EC-Council. Gotcha.

Brandon:

I went into it not having high hopes, but I thought that they did a very good job in the time frame of the training of building out certain domains that you would typically see and be responsible for as a chief information security officer. I was very much impressed by that personally.

Justin:

Yeah. You still have 0 certs. Right?

Rick:

Yes. I would say as someone with no certifications, I've gotten some annoying rejections in my past. So, but but in general, I've been extraordinarily fortunate to be in the right place at the right time and know the right people at the right times enough that I don't know that it's hampered me all that much.

Joe:

They knew you. They knew your background. You didn't need some the search speaking

Justin:

But then HR is like, he doesn't have a CISSP.

Rick:

Yeah. If you if you can if you can jump the line but I do think it's true, like, the the network can be, and it's not a guarantee, certainly, but it can, in some cases, be a proxy for certain certifications or certain requirements. But if you're just going in blind or if you're earlier in your career, you haven't built as much of a network yet, it can be really it can be a grind. I think it's a grind anyway even if you have the certs. Potentially, job applications in this market are pretty broken, but it can be even more of a grind if you don't have some of those letters because the HR filter is gonna catch you.

Justin:

And that's why I originally went down it, like, early in my career with I said 2003 is when I got my CISSP and my CEH, and then I got my CISA in 2005. And the reason I went down that route, I was at kind of a, a fork in the road, and I wanna go down full time security, but I didn't have a college degree. And I'm like, well, I need something behind me that says I promise I know what I'm doing. You know, something with that. And I'm like, do I go down the cert certification route, or do I go back to college, you know, and get the the degree?

Justin:

And I'm like, well, it's way cheaper and more relevant to do the certification

Rick:

route. Faster?

Justin:

Yeah. Exactly. So, yeah, I paid myself. I actually went through Intense School, which was like a boot camp type class, and they were actually phenomenal. Like, I was working the the CISSP week was one of the hardest weeks I ever had.

Justin:

Like, I was taking notes. I switched from highlighting to actually filling out pads of papers, getting cramps in my hand. Yeah. And literally our day was like, we woke up at 8, broke for lunch, broke for dinner, came back at, like, 7 o'clock and studying until 10 or 11 o'clock all week. And, like, Saturday, we took the, like, the afternoon off, and Sunday was the test.

Justin:

Like, it was a grind, 100%, like, that week, all week, you know, that type of thing. But it was worth it at the end, and we had some great people, you know, with that. The CEH, I was helping the instructor at night craft an exploit. Something came out during that week, and we were trying to do kind of a chain, you know, to where we could use this exploit to actually get full system access into this and everything. So, yeah, it was cool for that experience being in the boot camp.

Justin:

I would agree with you. The test was nothing, you know, type of thing. But the experience of being in class with other people, and we it was around DC when we went war driving around DC. This is 2003. You know, all having our laptops open on a little bus, you know, type of thing.

Justin:

I was like, oh, I got this. You know? Oh, yeah. We drove around the NSA building. We drove around

Brandon:

and get all this

Justin:

stuff, you know, seeing what's out there. Yeah. Yeah.

Brandon:

And it's it's amazing if you go to, like, any of the trainings around the DC area, like, especially the SANS ones. They're typically in hotels. Mhmm. What do students do after the training? Sure.

Brandon:

You go to the hotel bar, and it's crazy how many of the people that are likely three letter agencies, have stuff like this and Mhmm. Their lips just get loose. Oh, yeah. And it's like, why are you saying that? But it's nice to have another perspective of what you're saying and like how things are actually happening.

Brandon:

But that I'd say that's also another reason that I kind of like did a lot of certifications because I too did not have a college degree. Again, I put myself in a horrible situation of being car broke,

Brandon:

when

Brandon:

I got my first job and I also just I didn't really want to leave the Meadville area where my parents were and my friends were and it just never worked out. With that said, I probably will at some point do a degree.

Justin:

Oh, really?

Brandon:

I want to. Yeah. I've been looking at, WGU. Okay. I like them because with all of the certifications that I have

Justin:

Oh, they honor you and give you credits? Yeah.

Rick:

Oh, so

Justin:

they're getting you're just gonna get an honor. You're gonna dream

Rick:

for your bachelor's. Exactly. For for a bachelor's back in.

Joe:

Yeah. For a

Brandon:

bachelor's, I think really the the CompTIA ones won't won't go over just because of their age, but I'll I'll have to take general education, couple intro to computing and databases.

Justin:

So all those MS DOS classes you have aren't relevant

Brandon:

in anything? Nope. Nope. Nope.

Rick:

That's fine.

Joe:

No. That's great. Wow. What a fantastic career and background from where you came to, what you're doing. And, you know, if you were to, you know, kinda sum it up, what I'm hearing is don't just go for that cert, don't just go to get it done.

Joe:

Figure out what's gonna get you to that next level of your job, and then try to get the training. You might have to work your employer on, will you pay for the cert? Will you pay for the training? And whichever way gets you past that, you know, take advantage of it.

Brandon:

Yeah. 100%.

Joe:

Yeah. Like What else?

Brandon:

I I think that they're they're very beneficial if you go into it with the right mindset and the right reasons for wanting to get the certification.

Justin:

And they're cheaper than college.

Brandon:

They are cheaper than college.

Joe:

And what I love about

Justin:

it can apply to college too, apparently. Yeah.

Joe:

Yeah. Who knew? And, you know, what I love about it is that you, when you do your, renewal without taking the test, you go through the books again, and you just, take the extra effort to, figure out what yeah.

Brandon:

Yeah. I I'm I'm a huge fan of that because, like, everyone has been in technology for a while. Like, things change Mhmm. Rather quickly, and stuff that you might have done 3 years ago, you might do completely different or just slightly different now. And just being able to get an understanding of what has changed and and how everything kind of intersects now, I think very much helps things.

Brandon:

Yeah. Plus, I'm just a giant nerd and I enjoy reading stuff.

Joe:

Hey, well

Brandon:

Sounds fair.

Joe:

Yeah. Join the crew. Yeah. Hey. So cheers.

Joe:

Cheers.

Rick:

Good to get to know your gutters. Cheers.

Justin:

Cheers. Delicious.

Brandon:

What are

Joe:

we drinking here, Justin?

Justin:

We are drinking a refill is what we're doing. So I can

Brandon:

maybe have

Justin:

a top off. Today, we got Widow Jane Black Opal.

Rick:

Thank you.

Justin:

This is if you're not familiar with Widow Jane, you need a little bit?

Joe:

A little

Justin:

bit. They source all their

Brandon:

I'll take a splash.

Brandon:

Yeah.

Justin:

All their alcohol from different, distilleries, and everything. This is their oldest to date, with this. So aged 20 years. It just actually came out. And one of the special things about this is it's actually, finished aging in the Japanese oak.

Justin:

Did you do well? Mizu I'm gonna screw it up. Mizunara oak, which adds a lot of different complexity. The what's the other one? The I have another bourbon in there that has, like, the copper top.

Justin:

It does the same thing with some of the oak. So it's a very expensive oak to put it in, but it adds, like, tobacco, toffee notes, everything like that. And being that it's 20, 28 g with this, it's what do you guys say, guys? Fantastic. Yeah.

Brandon:

I like it a lot.

Justin:

It's Everybody started saying they wanted ice, and I don't think anybody actually needs ice.

Joe:

No. It

Rick:

did not need ice. I don't think they

Brandon:

do, but yeah.

Joe:

It opened out really nice without a trip of ice.

Justin:

So, yeah, it has kind of a, like, a good toffee caramel on the nose, and then it kinda, like, settles into a little bit of fruit, like a plum plum type fruit and everything like that. I don't

Brandon:

know if

Rick:

you guys do this, and I don't know if you're really supposed to or not. I think someone told me about it. Like, if you, like, warm it up even a little bit, it can open it up sometimes. So, like, I'm trying to hold it, like, in my hands like this and it actually gets a little warmer. And I actually before I mentioned to you that, like, I have a terrible palate and so, like, I'll get, like, the big notes like, oh, this is like, you know, leather or oh, this is tobacco.' But when I, like, warm this up a little bit, I actually do start to get, like, the fruits and stuff like that.

Rick:

Yeah, it's

Justin:

almost like a little bit of candy on the back of the sweets.

Brandon:

I I do taste a little sweet.

Justin:

The toffee candy, type of thing. So, yeah, it's delicious and everything. It's a little pricey, but it's definitely a rare treat.

Joe:

Can you just get it down at the local store?

Justin:

Right now, you can.

Joe:

You can.

Brandon:

Oh. Yeah.

Joe:

I thought it was gonna be

Brandon:

a trip.

Brandon:

I might

Rick:

I might,

Justin:

get a trip tomorrow. Yeah. Yeah. But yeah. So it's a little I had a little issue actually, ordering it.

Justin:

I'll tell it after the episode. But, but, yeah, it's, you can find it right now, but it'll probably go pretty quick. And once it's out, it's

Brandon:

gone,

Justin:

obviously, out, you know, type of thing.

Rick:

There's not a lot of 20 year aged No. Juice out there. So

Justin:

In, like, typical fashion, they put in a funky metal Fancy case. Box that

Rick:

Oh, that's a cool box too.

Brandon:

I like that.

Joe:

That case looks like it costs more than the normal bottle of bourbon I buy. Yeah.

Justin:

I like that. Basically. You're why they charge so much for it.

Rick:

You have to find another use for that.

Brandon:

I think that you could put like an LED in there. Maybe, like, backlight it. Yeah.

Justin:

Hack the box. I mean, you're welcome to have it. I actually bought 2, so it might tickle back. I like your placement. Because, you know, when you, I'm always the, what was the, not the sphere, the one with Jodie West, you know, where they're, they got the instructions from the aliens, and they're like they bought they're building that ship where they traveled to go talk with the aliens, but then the terrorists blew up the one.

Justin:

They're like I was like,

Brandon:

she could

Justin:

build a second. He's like, why do we build 1 when we could build 2?

Rick:

So they built 2, like

Justin:

they built another one in Japan, and then they used it. And that's that's kind of my philosophy with bourbon. It's like, this is I

Brandon:

I like that philosophy. I have one when

Rick:

I can have 2. Yeah. Right?

Brandon:

If you

Brandon:

don't like it,

Joe:

you always give it away. Yeah.

Justin:

Right. Exactly.

Brandon:

That's true.

Rick:

This is great.

Justin:

Yeah. Cheers, guys. Cheers.

Joe:

Cheers.

Rick:

Alright.

Justin:

Next topic.

Joe:

Yeah. So who knows, about auditors? And have any of your auditors given you a great story or even your worst auditor stories?

Justin:

I mean, I have several, but anybody else wanna go first?

Rick:

I have one worst auditor story, but I'm self reporting from when I was an auditor. And I was the worst auditor.

Joe:

Oh, really?

Justin:

Oh, that sounds

Joe:

a unique take.

Rick:

Yeah. Yeah. So, fresh out of college, working for a big four, and, you know, they send you everywhere when you have, like, some book knowledge, but zero experience about how anything works. And, I remember really vividly, and I'm doing, like, the IT portion of a financial audit, right? So making sure that the books are reliable

Justin:

Yeah. Yeah.

Rick:

Based on the fact that the, the security program is good enough.

Justin:

Was this a SAS 70?

Brandon:

It was not. It was not.

Rick:

But and this was it feels like a zillion years ago, but before a lot of the health care consolidation was really even a thing. Right? So I was at a regionally local kind of independently owned hospital, essentially, and, and I remember this vividly. So I'm I'm brand new. The the prior auditor, I don't know if they either moved on or wasn't on that client anymore, so it's me.

Rick:

So I have the benefit of the prior year workpapers, couple years' worth. And I find some things as I'm asking them all the questions about the controls they're supposed to have, and there are a couple things they don't have. And, and I remember this so, so vividly, writing this email, and I agonized over this email because I'm like, well, they're gonna be annoyed, but I need to, like, stand firm because they've had these same issues for, like, 2 or 3 years. And they got warned last year if they didn't fix it, they were gonna, you know, they were gonna have, like, you know, probably escalate from a deficiency to a significant deficiency on their financial statements. And, like, for anyone who isn't, like, deep in audit speak, there's kind of, like, 3, like, types of demerits in audit world, and, like, the least one is deficiency.

Rick:

The middle one is a significant deficiency, and the biggest one is a material weakness. And so they're gonna escalate from sort of the the lowest, which is still not always great to, like, the mid one. So agonize over this email because I'm like, well, they're gonna push back, but I'm gonna, like, stand firm. And, I remember I send this email, and, and we have a conversation the next day. Like and we kinda, like, they they paused the audit more or less.

Rick:

They're like, we're not gonna do, like, the thing.

Justin:

We're gonna just

Brandon:

just talk to you for a minute. And we basically spend the next

Rick:

hour of them walking me through their actual operations and, like, their actual financial summary. Like, almost like pulling back the the veil. So, like, yeah. Yeah. Yeah.

Rick:

You wanna ask these questions because you have your script fine. We're actually just gonna tell you what's really happening here. And they do all that, and the gist of it was, yeah, they had these issues, but they've made material choices to continue to have these issues because they could have paid for these issues to go away, or they could have bought, like, an additional MRI machine to replace their failing one. And they're like effectively, they were like, we chose to save, like, you know, a 127 lives as opposed to, like, fix your password issue. If you need to report us, you do you.

Rick:

But so then I I I remember very visibly, like, going to my leadership and be, like, we've done the wrong thing, but I'm glad we started doing the wrong thing because I know a lot more about how life and the way things work now as an auditor. So I was a dumb auditor. I don't know if it's, like, their worst audit story ever.

Justin:

A dumb otter?

Rick:

No. Yeah.

Justin:

Let let's say did you write them up for a significant?

Rick:

No. They we we gave them a pass because I mean, essentially, they made the original risk based decision

Justin:

or whatever.

Rick:

Right? I mean, it was like, well, you this was, like Considered. Yeah. Absolutely.

Joe:

Absolutely. Top leadership there was transparency to top leadership.

Rick:

Well, that that was the thing that really, like, I think, opened my eyes. And the reason I say it's the worst audio story is because I really went into that thinking, oh, my script is the rules, and that's, like, that was my universe. Right? So when that happened, I was, like, oh, wait. There's a business operating here.

Rick:

And not just a business, but, like, a hospital operating here. It's not just about my security controls. It's about, like, in context of everything else.

Justin:

And isn't that I mean, a lot of the times I think about that, I've had bad auditor situations. It's typically auditors that have never been in that business mindset. Like, they've never been a practitioner. They've never run a company. They they have their, this is best practices, and why aren't you doing that?

Justin:

You know? Like Mhmm. This is simple. Why don't you just do it? Absolutely.

Justin:

You just patch over, you know, 100,000 machines. You just hit apply, and it works. You know? Like, I

Rick:

have 10 other clients that do this. Why can't you? Yeah. Yeah.

Joe:

I didn't have a worst auditor story come to mind, but I had the experience of and it is so funny because it's almost like you were reading my, thought Oh, your notes? Wrote down. Yeah. It's a strangest where just generally, the internal auditor at a place I was working was taking the approach that they knew what was best for you.

Rick:

Yes.

Joe:

And it was always a write up, always a thing with no other context.

Brandon:

Mhmm.

Joe:

And we had, I mean, the CIO would always explain to their executive VP why we would and wouldn't do something. Mhmm. And it was, we're not gonna fund that, we're gonna put money into this other thing, and we're just not gonna fix this problem right now. And Considered intentional. We have, other compensating controls.

Joe:

Yep. So it's not the worst thing in the world. But the auditor following the script, you know, just to you weren't my auditor.

Justin:

No. I was.

Brandon:

No. No.

Joe:

I don't think so. So that was, I've

Justin:

been your auditor several times. I was wondering if the story is gonna be about me.

Rick:

No. No. No. That's that's for after

Justin:

the recording. Oh, okay. Gotcha.

Joe:

So, well, I know you have some in mind. Do you have any, worst auditor stories you wanna share? I don't know if we really prep too much.

Justin:

You can leave names, you can chases.

Brandon:

I I can think of one, and I I'm saying this one because the company is no longer in business. So it's none of my Pittsburgh life of a career. So the manufacturing company that I worked at and and again, I was software developer and then also did some general IT stuff. And we we had an audit, around not just some IT controls, but around a lot of the processes for how we actually manufacture things. A lot of our clients were big automotive companies, like Chevy, Ford, what have you, and I kind of got thrown into meeting with the auditors because someone was sick, and the person that was supposed to also be meeting with the auditors from my company was also sick.

Brandon:

So, there was a delegate for there. And this is again, when I didn't You had

Justin:

the short short straw.

Brandon:

I I did and it's like

Rick:

We need a body. Exactly,

Brandon:

And I didn't know a lot about security stuff and and security risk at the time, but I knew that the direction that this other person's delegate was going was very bad.

Brandon:

Mhmm. And they

Brandon:

were saying things that that weren't reality.

Justin:

Yep.

Brandon:

So kind of digging digging a grave for themselves. Mhmm. And then he was going to open up a web based application on the computer to show the auditor some stuff, and he started pulling out a notebook that had passwords on it. And I didn't know what to do. And like I said, I was very green in my career.

Brandon:

So I purposely tipped my chair over and and fell chest first on the ground. I didn't mean to hit that hard. It knocked the wind out of me, and I proceeded to vomit on the floor. But they rescheduled the audit, like, that session, and

Rick:

that's a scene from a movie, man. That's incredible. That had a twist I did not expect.

Justin:

So wait. You intentionally did this to reschedule it?

Brandon:

I intentionally did it for a distraction. He didn't know what would happen. Yeah. Yeah.

Joe:

I don't think he expected to

Rick:

throw up.

Brandon:

I I didn't expect to throw up or knock the wind out of me. I just let let's pause the scene and see what happens.

Joe:

I think we're getting some great lessons learned

Rick:

from the audience here. Yeah.

Brandon:

Yeah. But, surprisingly, like, I had talked to my manager after that, and he wanted me involved with the meeting. And the correct person that knew, like, what they were supposed to be talking about was actually in there

Joe:

and got the person with a notebook full of passwords?

Brandon:

No. No. So we ended up once they were going through the right direction which you know audit terms of the right direction is not always reality. It could be misguiding them. It was really the right direction of what processes were and they were supposed to be followed.

Brandon:

So we went through that and I'm like, I knew something wasn't right. And then as soon as I saw that note, that handy dandy notebook, Blue's Clues style, I was like, I knew something was wrong. So that's that's my story.

Justin:

That's a very good one.

Joe:

That is so fantastic.

Justin:

I've never puked on it, but, yeah, that's that's not like to get out of it. Yeah. I know. Right? This on

Rick:

it is so bad. I'm gonna Yeah. That's funny.

Justin:

Yeah. So, yeah, I got, I mean, the so many, in my career and everything. One of the classic ones that I I tell, we had a regulator, and, he was in our organization for about a month. And, I think you probably know this one, but, he came in. It was after lunch.

Justin:

You know, we all took a break for lunch and, get a call from the front desk. He's back, you know, coming in. Go down to get him. He's like, hey, Justin. You know, I saw there's some solar flare activity, and they're saying that it could, like, disrupt some satellite communication and everything.

Justin:

I was like, oh, yeah. I was surfing the Internet. I saw that too. He's like, what does your company do to, like, monitor that? And meanwhile, this is, like, a Fortune 500 company.

Justin:

And so, like, I started laughing at him. Oh my god. And then he wasn't laughing back.

Rick:

No. This wasn't anything.

Justin:

I was like, you're you're serious about this. Yeah. Let me go to my BCPT. That that that was a big joke on the behind the scenes. Like, the head networking guy who's like, don't worry.

Justin:

We're wrapping our devices in tinfoil right now, you know, to watch out for these solar flares and everything. But it was just like it was like, which companies, like, do this, you know, type of thing. We had, what was another one? We had a regulator, and I was acting as a virtual CSO at the time. And the main reason I got called in I came in to help this, credit union, a single branch credit union that was literally in the corner of a cornfield.

Justin:

One branch credit union, you know, into there, and they called us in to, like, help them out because their previous auditor was so crazy. Like, they had the head of this was a woman, and they had her take a picture of a bike in her garage in case, like, Armageddon happened and all the roads were closed down, that she had a way to commute into work was literally the thing. And and she's like she's like, Justin, I'm not coming in to work if that's in the case. I remember when I

Rick:

was at Del Monte, we had a thing that was basically like that. We were revamping the whole DR plan and stuff like that. And then at one point, the audit teams were asking, like, what do you do about this? What do you do about this? And then at one point, it was kind of like, what are you gonna do if, like, all the the primary and the backup data centers get, like, hit by meteors or there's, like, a nuclear explosion or something?

Rick:

And it's like, no one's coming to

Justin:

work. Yeah.

Rick:

If that happens, I guarantee God wants you to die. Like, there's yes. That

Brandon:

that that

Rick:

there will be a supply chain disruption because we can we could we can certainly write that plan if you want. Nobody's gonna follow it. Yeah. But it's I mean We give up. We're gonna pause operations.

Rick:

Like but it's true. I mean, it's it's legit. At one at some point, there's a thing that's like, that's too much. Like, it's

Justin:

not worth that.

Joe:

I like how his, we give up got translated to nice business speak. We're gonna pause off Yeah.

Justin:

Yeah. Exactly. He's always been

Rick:

It's automated to me. I can't I can't not consulting. Yeah.

Justin:

Yeah. He knows. He's always been more PC than me, so Yeah.

Brandon:

I know.

Brandon:

I I just wanna know for the the solar flare thing, did you have your IT people, like, take pictures of the tinfoil wrapped equipment Yeah.

Justin:

No. And supply those artifacts? This this was a federal regulator, so we made like, we pointed to something on our BCP plan at the end of the day, and it was like, oh, okay.

Rick:

I feel like I want I want AI to, like, make me an image of, like, tinfoil wrapped racks now. Yeah. That feels like a meme that I'll get some use of.

Joe:

But did you wrap the bicycle? Tinfoil. So it doesn't get affected by the, EMP.

Brandon:

But, I

Justin:

mean, some of this stuff, like again, it goes to that practicality. Like, this guy had never run a company. Yeah. Nobody even a Fortune 500 is not monitoring for solar flares. Like, they're monitoring for their network connectivity to go down and then acting, you know, accordingly.

Rick:

Right. Yeah. You know? The the why behind it is, like, well, no. We have network redundancy.

Justin:

Right. Exactly.

Rick:

And we and we pay people that we trust to, like, make sure that they're thinking about that.

Joe:

Right. When you're talking about BCP, it's a horrible idea to start thinking about all these things that can go wrong. But really, just gotta focus on what are you gonna do when you have no connectivity? What are you gonna do when the system's down?

Rick:

Yeah. And what's critical path? Like, what are the what are the the things that must continue, which things, like, could be at risk of health and safety or are, like, legit business operations or regulated things? And it's like, okay. How do we make sure, like, if this company doesn't get it done for us, this other company does, or we have, you know, the redundancy or whatever.

Rick:

Yeah.

Justin:

So another story I have, more from the a a different type of auditor, PCI. So we had a QSA come in and, part of the organization, we're actually part acquirer. So we actually did a lot of processing for other people, other banks and everything. And, it's all run on mainframes, you know, as most of, you know, United States backbone of the financial system is, and everything. So the QSA came in.

Justin:

He's asking our head mainframe guy, and to set this up, the QSA came from a, police force, physical background. Mhmm. You know, nothing against that, but

Brandon:

your technical prowess on, like,

Justin:

mainframes and encryption and all that stuff is

Brandon:

all that

Justin:

stuff is not there. He didn't have 16 certs. Yeah. He did not have 16 certs. You know, that

Rick:

type of thing. So when we're looking at

Justin:

cameras and physical security, all into that, you know, that type of thing. But when it came down to, like, encryption and mainframe and how to, like, actually measure that, it was totally over. Yeah. And the other guy, our mainframe guy, wasn't the brightest, you know, into this. So they're talking back and forth.

Justin:

I'm just, like, sitting in the, the meeting room kinda facilitating. The QSA asked our, head mainframe guy. He's like, can you show me, where on the drive it's at the cardholder data is encrypted? And the head mainframe guy is like, it could be anywhere on the platter. I don't know where like, I can't show you physically where that is.

Justin:

And the the QSA looked at me as, like, a blank stare. He's like, like he's like, oh, okay. Like, is that the answer? You know? And I'm like this.

Justin:

I went to went down. We're like

Rick:

That's incredible. That's an incredible answer, though.

Justin:

I he's talking about, like, the storage in the database where it's encrypted. And he was like, oh, yeah. Yeah. That's what I'm talking about.

Rick:

Like, we're we're in the file system. Yeah.

Brandon:

Exactly. Physical media.

Justin:

Yeah. That's so funny. He's like,

Brandon:

oh, yeah.

Justin:

I could show that. It could be you were on the platters of

Rick:

the gradients.

Justin:

That's where your mind went to was like the

Rick:

it's right here and right here and right here. Scattered into a 1000000 base.

Brandon:

It's gonna

Rick:

take a while. Goodness. That's funny. That's great. It's like, wow.

Brandon:

That is great.

Justin:

Yeah. I mean, and and you get a ton of, you know, just the misconceptions and all that stuff and everything, but it's it's Yeah. Funny.

Rick:

Well and I think sometimes though that that that's actually a real it's a hilarious example of a real problem, which is, in the same thing that I did when I was the dumb auditor. Right? Which is, like, oh, you're gonna go ask these questions without always understanding precisely what they mean or what they're getting at. And so it's easy to pick on a lot of auditors sometimes because they're there to ask the question. They should know what the question means, but depending on their experience, where they're coming from, their training, they may or may not know what that specific question means.

Rick:

And so they can be led astray, or they might come with some assumptions that are just totally Right. Incorrect.

Justin:

Well and that's where I like to like, I just actually had a call today just on this topic where, their auditor for PCI PIN was telling them one thing. And then they're in training for PCI PIN, and they said the exact opposite thing. And so we got a talk, and we went through the regs. I showed them. It was like, well, here's where it says verbatim this.

Justin:

So I'd lean to where you got in the training, not where your auditor said. And the question he gave I was like, here's how you approach this. Ask them where the verbiage is that says that. Yeah. You know?

Justin:

As soon as you got kind of a collective right here, then you can start breaking down, you know, into that instead of a mythical, I don't think you can do that, or it's interpreted that you have to do everything

Rick:

Right.

Justin:

You know, type of thing. It's like, no. No. No. Show me where exactly this in fact, it was funny.

Justin:

I was doing a PCI card production, and this auditor and I, and so there's the high security area, and you can have a data prep area and a production area when you're actually producing cards and everything like that. And the auditor came down. He's like, well, you need 2 separate firewalls to govern this. And we had 1 firewall with multiple segments, so there were separate rule sets that governed it, but it was 1 physical firewall, you know, into that. And I'm like, what are you talking about?

Justin:

Like, there's nothing in the verbiage that says 2 separate firewalls. Right. He's like, yeah. It it it's clear in the verbiage, but he couldn't, like I was like, show me where it is. You know, that type of thing.

Justin:

And he's going through. K. Fine. And finally, he's like, oh, it's the picture. There's an example picture in the doc That's one example.

Justin:

That had 2 of the brick, like, firewall images, and they were separate. It didn't have a verbiage that said that it had

Brandon:

to be

Justin:

a firewall. Yep. Separate firewalls. Mhmm.

Rick:

The picture showed that it had to be a separate Just so he can do it that

Justin:

way, doesn't he? Well, so it was funny. Like, I I was getting a little bit pushback because I was arguing with him for an hour. I was like, but it's not in the verbiage. Like, how can we, follow, like, a picture, you know, type of thing?

Justin:

Do you want me to, like, make brick? Like, I was, playing with him at that point. I was like,

Brandon:

do you want

Justin:

me to build bricks, you know, like, in front of the wire? Like, because that's what the picture says.

Brandon:

Yeah. You know? Oh.

Justin:

You know, that type of thing. And finally, I went into our IT office. I was like, do we have a dummy firewall that you can put right here on the network map, start

Rick:

offs are allowed.

Justin:

With no rules. Like, no rules applied. Just put it right there. They're like, yeah. But that could be a failure.

Justin:

I was like, I get it. I get it. Like, they're like, yes. We could. And the next day, they they put it in.

Justin:

I was like, there's a separate firewall. And he's like, good.

Brandon:

At least it looks like the picture.

Justin:

Yeah. Exactly. 0 rules. Nothing applied onto that firewall, but, yep, there's this separate firewall.

Brandon:

Well, that's

Joe:

a fun topic, auditor stories. Any other auditor stories?

Rick:

I have some I have one particularly good one. It's not even a story. It's, I guess, more of a relationship. When I was at Del Monte, what that's really where I learned to, like, we had a fantastic internal audit team. They were just really on top of it really really good and, and I had heard many many times before that experience, like, you

Brandon:

know, don't trust the auditors.

Rick:

You're the IT people. You're the security people. You're the you know, they're gonna ask they're gonna try and catch you. They're gonna do that. And, and it really built this frame in my head because they were so great at what they did, that, like, oh, well, in everyone's mileage may vary and every environment's a little bit different, but, internal audits like the good guys.

Rick:

If you can if they're if they if they're They're competent. If they're competent. Awesome. Yeah. And you can build that relationship, That's probably my best advice for avoiding bad auditor stories because if you let them in, even to, like, the problems that you say, hey.

Rick:

We're self reporting this. This is what we're doing about it again. Because they have a job to do too. Right? And if you hide everything and back off and wall them off, like, it's making it's just making their job harder.

Rick:

If you proactively help them, proactively give them stuff they need, all that stuff Yep. They're gonna have your back when the less good auditors from external, you know, might come in or whatever. And even they are not, like, horrible. They have a job to do too, but they're gonna be able to really help balance that that risk profile and and really sell the stories. Like, yeah.

Rick:

We're an independent group within this organization, and, you know, here's our interpretation. Speaking the language that you speak, aligned with the things that you want aligned with externally, you know, let us be the bridge, and we'll help make sure that the company is still cool. That's my best advice. Like Well,

Joe:

the reason I love that and the reason it makes so much sense is because if you consider your internal audit an actual another part of your control for why your security program's working

Justin:

Absolutely.

Joe:

And this aligns perfectly with ISO 27001's methodology Yep. Because they're looking for conformance. And when you have your internal auditor find something, well, the best thing to do is self report.

Brandon:

Yes. Right.

Joe:

Get that in. Get that into your nonconformity list, your corrective action plan. But if your internal auditor can find it before, the external auditor comes in, then you've logged it. Your management system is working. Right.

Justin:

Yep.

Joe:

Then when they come in and look at it, they're like, well, we would write that up, but you kinda got a get out of jail free card because you already found it within one of your other controls.

Justin:

Right.

Joe:

Yeah. And I just love that methodology.

Justin:

Yeah. Yeah. That was one of the things when I was at Diebold, I made a point to be friends with internal audit. And we had a once a month meeting, between the head of IT audit and, myself and everything, head of governance. And we did a whole bunch of stuff back and forth.

Justin:

Like, I got copies of all the IT audit reports Yep. To look at all the findings, you know, those being issued. There were times that I had some problems with some parts of the business, you know, on complying with certain things, and I said apply some leverage. I basically said, you may want to, as in your planning of your next 6 months Yeah. Put this on the list.

Justin:

You know? Yeah. Absolutely, Ryan. Because the advantage

Joe:

involved on that.

Justin:

Yeah. Because, you know, the advantage that, you know, internal audit has, it goes up to the board. Management has to respond and fix it if it's, like, an actual legit issue. Like, whereas if it's coming from pure governance, you can ignore. You can, you know, play some games and everything.

Rick:

And if and if you and your department is is known to be trustworthy and have the company's best interest at heart and you're not trying to hide things and all that stuff, you say, hey. You might wanna look about this or think about this. Right? They can apply their filter and determine, oh, is this big enough or not? But they're gonna at least pay attention to it.

Rick:

Right? They're gonna at least consider it. And then if it needs bubbled up, they will and it's yeah.

Joe:

Yeah. Well, this is fantastic. I think we hit, like, a number of good things in a time we have. Anything else you wanna hit on, or we're gonna have a nice little toast out here?

Justin:

Do a toast out,

Brandon:

or we

Rick:

can do the, turkey thing? Oh, the turkey thing's pretty quick. Yeah.

Justin:

Let's hit that. Alright. So I think I'm the only one that cooks a turkey. Is that true in this? Well The wives all cook the turkey for you guys.

Joe:

Cooked, but

Rick:

I'm really not doing it.

Brandon:

I've cooked turkeys before. Just not this Thanksgiving, I'll be in Mexico.

Justin:

So Oh, nice. That's awesome.

Rick:

Are you even gonna have turkey?

Brandon:

I sure hope.

Brandon:

You got

Joe:

a turkey burrito? Yeah. A cobbler burrito?

Brandon:

Yeah. Yeah. Oh, I love cobbleritos. That's a good one.

Rick:

They're so good. So how do you cook a turkey? Yeah.

Brandon:

Typically go between typical roasting and deep

Justin:

fryer oven?

Brandon:

Yeah. And I've deep fried once. Surprisingly, didn't catch myself on fire. So it was a huge

Rick:

turn up?

Justin:

Yeah. Oh, okay.

Brandon:

No. It was rough.

Justin:

I've attempted once, and my kids still remind me how awful

Brandon:

it was. Really?

Justin:

Yeah. Too much

Brandon:

for what?

Justin:

Deep fried and everything. And for whatever reason, so I you know, not the dumb, you know, frozen turkey in it. Nothing nothing crazy happened. But I had it outside on outside of my garage, and the I think there was, like, a breeze, with it. And as soon as I put the turkey in, it just dropped temperature and never recovered Oh.

Justin:

And everything. So it it took forever, and it just Wasn't good at the Yeah. Exactly. So I I screwed up. I need to do it again, but it's a lot of work, you know, to deep fry a turkey, and everything.

Justin:

A lot of oil, you know, in the consumption. So, yeah. So I never gave it a something a second attempt, but my kids still remember it. Like, you know, all the bad things, you know, they remember. But the past couple of times, I've actually, done more grilled, turkeys on

Joe:

Grilled or smoked?

Justin:

Well, it's on a pellet grill. So it's over a fire, you know, smoked and everything. And I typically do spatchcocked, which, if people aren't familiar, basically cut out the backbone, and you kinda lay it more flat. Oh, yeah. And it's better from a cooking standpoint because it's more even, you know, and it allows, like, the meat to actually get cooked a little bit more, a little better.

Rick:

And I've And you don't have to cook it as long, and so the outside doesn't dry out Yeah. While the inside still gets cooked because, like, there's more surface there.

Justin:

And the nice thing about pellet grills, like a lot of people don't realize, is they are actually convection ovens, and so they actually circulate the heat. So a lot of the the the fowl that we cook, chicken, turkey, everything like that, maintains moisture so well on it instead of a direct heat that will just, like, dry out. You know? Like, any type of fowl, you know, dries out very fast. You know?

Justin:

Oh, yeah.

Rick:

So my brother-in-law always does Thanksgiving. It's his absolute favorite holiday. Okay. He has a fantastic job, and my sister-in-law as well. They the food is always exceptional.

Rick:

Mhmm. So I texted him and I said, hey. What do you do with your turkey? Because I'm gonna get this question. So, he said, oh, yeah.

Rick:

It's like it's a wet brine, you know,

Justin:

all that stuff.

Brandon:

Doing a

Justin:

wet brine overnight wet brine.

Rick:

Wet brine overnight. Exactly. Yeah. And then, and he said, and then it really just goes in the oven. He goes, but the main secret he's like, there's 2 secrets.

Rick:

Okay. The first one is if you're gonna do an oven, it must be a convection oven. Okay. If it's not a convection oven, his experience is that the outside it just takes kind of longer, and the outside doesn't get crispy. Okay.

Rick:

And the crispiness kind of forms a barrier of sorts, and then the inside stays moist. Whereas if it's just like a normal oven, it's kind of slower and the air is not going over it and it doesn't have that barrier and so it dries out a lot quicker. So he said that was the one secret. Then he said the other secret is he just drinks a ton of wine while he cooks, which is kind of like your testing secret.

Brandon:

Exactly. It really does help.

Justin:

So we're just realizing alcohol is the solution that, like, everything.

Rick:

Alcohol is a solution.

Justin:

So I do, so with the spatchcock and everything, one thing I didn't talk about is I'll also season, both sides of the skin. Oh, yeah. So I'll actually, like, work my hands to separate the skin from the actual turkey, and I'll season underneath and over top, with that. And I've done dry brine before. They actually said after wet brine, sometimes people put it back in the fridge for, like, another 6 hours and let it dry out Oh, interesting.

Justin:

To get a little bit more crispy on the, outside. I'm not gonna do that. I I it it's alright. You know? A lot of people like their crispy, you know, turkey on the edge.

Justin:

And it still gets crispy, but not as, you know, type of thing. But, yeah, it it to be, delicious. I was I'm following Isha recipe, and the color on it is immaculate. I'm trying a new seasoning too.

Brandon:

Oh. So

Brandon:

Everyone's making me very hungry.

Justin:

Yeah. Yeah. So what's your favorite, thing out, Thanksgiving

Rick:

meal wise? Mine's a turkey.

Joe:

Mine's a stuffing. The stuffing? The stuffing is my favorite. The way that it gets made, my wife does a fantastic job. There's like diced potatoes in it.

Joe:

Oh, that's interesting. Yeah. And and you take the, the bread and you brown it in, butter in the in the pan first.

Justin:

Okay. And then

Joe:

add the potatoes and do all that. And then some of it fits in the bird, some doesn't. I like the stuff that comes out of the bird for

Justin:

some reason.

Rick:

Oh, okay. But it changes the flavor for sure.

Joe:

It does.

Rick:

Absolutely does.

Joe:

That's my favorite part. So mostly stuffing on my plate. Some turkey, gravy over all top of that.

Justin:

No. Okay.

Joe:

And then, if there's sweet potatoes, that goes on there. And then I'll eat some green vegetables if I made to.

Rick:

Cranberry? No cranberry.

Joe:

I'll have some. And it won't be in the dog food can. So Not

Rick:

the jelly?

Justin:

No. My wife is crazy cranberry. They'll have, like, 7 different dishes, all different cranberry. They'll have, like, cranberry out of the can, cranberry marshmallow stuff, cranberry there's just, like, 7 different dishes all focused on cranberry.

Rick:

I'm super into that. Yeah. That sounds awesome.

Joe:

So is Thanksgiving on Thursday here? Yes. Set an extra place.

Justin:

Yeah. Okay.

Joe:

I'll be

Brandon:

there. Yeah.

Rick:

That sounds incredible.

Justin:

My favorite thing, I I I'm one of those ones, like, with the turkey mashed potatoes gravy, I'll do, like, the fork all across the plate, you know, and get everything Get everything.

Rick:

The the the fork.

Justin:

Yeah. I'll have some

Joe:

good mashed potatoes on there.

Justin:

That's, that's my kind

Rick:

of I love the left like the leftover sandwich though. Practically nothing's better. It's like give me the roll from the prior date, and I'm gonna put every ingredient on it,

Brandon:

and Right.

Joe:

There's stuffing on top of

Rick:

the bread for the sandwich. Yeah. And turkey.

Joe:

A little bit of gravy.

Brandon:

I am a huge fan of the, leftover turkey sandwich.

Joe:

Yeah. Yeah.

Brandon:

But I'm a huge fan of the stuffing as well. Mhmm. I love stuffing. If I had

Rick:

to pick a favorite, it's definitely stuffing as well.

Justin:

I'm the only guy I don't care for stuffing.

Joe:

Really?

Rick:

Never have. Or for me.

Brandon:

I never used to when I was younger. I was always just give me dark meat and and the cranberry dog food can stuff.

Justin:

Yeah. I don't mind the jelly.

Brandon:

And then my tastes kind of Evolved. Evolved.

Rick:

Yeah. Fair.

Brandon:

Much like bourbon and stuff.

Justin:

You could afford it after, like, you got carport.

Rick:

You get out. That's true. That's true.

Justin:

Alright. We call it a wrap?

Joe:

Let's do it.

Rick:

It's a good one. Alright.

Justin:

Cheers.

Brandon:

Cheers. Good

Justin:

answer, guys. Yeah. Cheers. Thank you, everybody, for joining us. Don't forget to like, subscribe, and comment.

Justin:

Tell us what your favorite is for, turkey dinner and everything, and we'll see you back here for the next episode. Thank you all. Bye.

Creators and Guests

Joe Wynn (Host): Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH
Justin Leapline (Host): Founder of episki | IANS Faculty Member
Rick Yocum (Host): Optimize IT Founder | Managing Director, TrustedSec
Brandon Eckert (Guest): Director of Product Security at TeleTracking