
Podcast by Bridget O'Connor

Cyber909: Episode 8 with Bridget O’Connor

Transcript

Narrator:

Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for Cyber 909, episode eight with Bridget O'Connor.

Den:

Hey folks, welcome to another episode of Cyber 909, your choice location for some wit and wisdom. And I guess we'll try and keep the swear words to a minimum. That's probably more a meeting than my guests, but shit, we'll find out. So hey, I always somehow find some amazing guests, and Bridget O'Connor from Fortalice, managing partner, I guess, is that the term? You were with Theresa in the White House business? You had some stories there you shared earlier. So hey Bridget, why don't you introduce yourself and then we just dig straight into the front.

Bridget:

Yeah, sure. Well again, thanks Den for having me. Yeah, so Theresa Payton, who is our CEO and founder, and probably some of your listeners are very familiar with Theresa's background, just being out there all the time as really a cyber spokesperson, I think, who brings it kind of down to earth and puts it really in layman's terms for everybody. We actually met, as you said, at the White House, but it is a funny story, so please indulge me. I was actually already at the White House and my boss came to me, and I was a glorified assistant at the time, and he said, I need to find a female CIO. We're wanting to expand, really just the cultural outlay really of the team, and bring in somebody new, and I want this person to be from the private sector. So I started, and this is again before Google, so imagine I'm sitting here trying to use search engines.

I'm on Netscape, let's all take it back. And I'm trying to find, this is 2002, everybody, so sorry. So I'm trying to find a person and I come across Theresa Payton, and at the time she was at Bank of America, Barnett Bank had been bought, and I found the phone number. I had to go through, the White House operators are really good at finding people. So I call and her assistant answers the phone and I said, oh, hello, may I please speak with Ms. Payton? And she said, well, who is this? And I said, well, my name is Bridget. I'm actually calling from the White House. And there's just this long pause, you could tell her being like, okay, so I'm going to go ahead and cuss you. I'm sure she was like, yeah, right. Okay, F me, at this point you're really calling from the White House.

And I said, yep, I'll hold. No problem. So it must've been a good five minutes and she finally comes back and she says, she's going to have to call you back and you're going to need to give me your phone number because it's an unknown caller. And I said, oh yeah, all of our phone numbers are blocked for the White House. So I said, but I have no problem. Here's my direct number. And I think two minutes later, a call comes in and it's Theresa. And she goes, I'm really sorry, we weren't sure if it was real and we thought you were trying to scam me. And I said, no, no ma'am, calling from the White House and we'd like to have you come and interview. And I said, actually, just come and we'll give you a tour and all of that. And the rest is history.

She actually came and joined the team eventually, and we had the opportunity to kind of work together for a couple of years, but my journey kind of went all the way through to the end of George W. Bush's term, where I was actually part of the transition team to the Obama folks. And that was an experience. I think there were a couple of nights we actually just spent the night in the White House trying to get everything ready, make sure there was a smooth transition. So you can imagine having to wipe a thousand BlackBerrys. At the time we were using BlackBerrys, there were desktop computers, so everybody bring back the towers, we're carting loads around, getting everything set up, and it was a great experience. So after that I actually went to Booz Allen for a little bit, and then I actually came back to the government and did a stint at the Office of Personnel Management. And during that time I got a call from Theresa saying, Hey, it's me. I'm starting my own business and I want you to come join the team. And I said, well, I just had my first child and I don't know, it sounds kind of stressful. And she said, no, no, no. I was like, okay, alright, watch. Nice, I get you. Not then, it was part-time for about a week,

Den:

Four minutes.

Bridget:

I know, she hooked me, she reeled me in, but I've never looked back. Actually Fortalice just turned 10 years old. So we started out, it was startup days. There were times where we had an office space right outside of DC and people were sitting on the floor. We didn't have desks, they were working on their computers. I mean, it was very much a startup mentality there in the early days. And so I like to tell everybody we're kind of at that. There's still some people that I think love that startup feeling and never want to lose it. And then there's the other part that's like, okay, it's time to really buckle down. And we are an established firm, obviously, with most of our clients, but I actually think the grit and the startup mentality we still have is what kind of propels us a little forward.

Den:

Yeah, I mean you still, that hustle is that

Bridget:

Hustle

Den:

Mentality. And you mentioned something that got my ears all exciting a minute ago. You talked about the transition team. So we're recording this just after an election, and obviously that's the time where the transition team begins to wind up. I mean, based on your experience, what do you think they're going through right now? I mean, this is a week or so later.

Bridget:

Yeah, so it's intense. So the meetings start right away with the outgoing team and the incoming team. So for us, I remember very specifically, I think within a week of the election, the chief of staff on the Obama side obviously reached out to the Bush chief of staff and said, okay, these are the things and the people that we're wanting to meet with, these are the offices. And within a week, I remember my boss and I were in a meeting in the West Wing with the Obama head of transition as well as two other folks who were actually taking our jobs literally. So it's kind of this interesting, like you said, handing over of power, peaceful power that I don't think people actually have any insight into in terms of how peaceful and organized it actually is. So we had a meeting, we had an agenda.

In fact, the meeting went so well, and the subsequent meetings, that they actually said, would you and some of your team stay on during the transition? Yeah, because so much of what we did, which was, we were political appointees, but we were providing a service, so we know where all the office furniture is. For example, we know who works behind the scenes in terms of maintenance, the IT people, all of those things. And they just didn't, and rightfully so, want to be caught off guard with anything. And so it was a very peaceful process and I'm sure they're going through the same thing right now. I think it's difficult in this situation because you don't want to be, because President Biden was only in for four years. Sometimes there's that expectation, oh, maybe I have another four years, so maybe I didn't start preparing all my

Den:

Documents.

Bridget:

So because back in Bush's time, when he ran for reelection, there was still some of that too. There's always the potential you could lose and then you'd be not only out of a job, you'd also be behind on doing any preparation of any documents or anything that's needed. So yeah, it's probably fast and furious. I understand that the Trump team had already kind of started, so that's fantastic because they have to place 10,000 appointees. I mean, when you think of the sheer magnitude of people,

Den:

They love that. Yeah, you're building a company really, I mean

Bridget:

You are

Den:

From the ground. Yeah, I wouldn't say from the ground up. I mean a lot of these people over months and months of being in the background, working on their documents and stuff like that. I was going to say, what's the emotion? You're almost handing over your baby and getting kicked out of the house at the same time? Right.

Bridget:

Sad. It's sad. I remember I actually got a document, an official government HR document, essentially telling me I was terminated as, yeah, I forget, it's form number XXX, I can't remember it, but it was one of, and I'm sure for this administration, outgoing, very hard because it wasn't totally expected. And even when it's a different person, the party, usually some of those people are still going to stay, the right party. But from my perspective, it was one of sadness in that we had done so much in the eight years and we had formed these relationships with people that were unlike other work relationships, frankly, many of them, I've gone to their weddings, I'm still friends with them because you really were baptized in fire together and you don't walk away, or what everybody says. It's like shared trauma, a lot of shared trauma. Yes. Because now I wasn't there on September 11th, but I know people who were, and those are people that have lifelong bonds. So it was sad. It was one of excitement. Sometimes people would say, oh, are you going to act negatively towards this, with another party coming in? And I said, well, President Bush squashed that from the very beginning and said, this is going to be a very smooth transition. So none of that stuff. So

Den:

We

Bridget:

All knew, hey, we're here to do this and it's a privilege to be able to do it and we'll do it well. But there were times where it was like, this is really weird because how am I being judged on this? I still need to do my best.

Den:

But there

Bridget:

Was, yeah,

Den:

There's no performance. There's no performance review at the end of that one. Right.

Bridget:

And a lot of us had already been recruited by companies because they knew who was leaving, and most of us had jobs. And so whoever wasn't worried about going to a new job or not having a job, they were just focused on getting everything done in order. But it is a very strange feeling. And at the end I felt, I think it took me months to recover. I think I was terribly burnt out. And so when people talk about burnout within the cyber industry, I was just kind of thinking back like, wow, the worst I ever felt was after the transition. I went to Hawaii for two weeks, which I definitely needed, and just sat and enjoyed some mai tais and felt like I can't believe I just went through that. But then when I came back, the reality was, gosh, I'll never work at a place like that again. And that reality sets in and it really hits you because you worked with very high performers and very smart people in a very efficient place. And then to go anywhere else, you're like, oh,

Den:

Well, it's funny as well because people don't, you just used some very positively strong words there, right, about a government organization, high performers, efficient, but the media and people looking on from the outside, they don't feel that because their experience with government tends to be the DMV,

Bridget:

Correct.

Den:

Or by tax forms. Otherwise, otherwise you're looking at local services, which is an entirely different operation and level of running a business than the core of government. So not that I know much about it, but

Bridget:

Well, no, I think it's a great commentary because you said it best. It's like running a business. So really if you couldn't cut it, you were gone. I mean, there was no, and if you weren't there from six to eight every day, 6:00 AM to 8:00 PM, you were not dedicated. Oh, really? Shit. I mean, I was getting in when it was dark and leaving when it was dark, and it very, and I had work to do, it wasn't as if I was just sitting there. There were always things to do. I'll tell you what the thing is, Den, it's being mission driven and not bottom line.

Den:

And

Bridget:

What I realized, maybe it was because I worked there, chicken before the egg, I don't know. But I crave that wherever I work. So before I came to Fortalice, I was kind of lost. I was like, what's missing? Because I love to work. I like to help people, I like to learn. And I felt it was really after reflecting and being at Fortalice and obviously working with Theresa and understanding we had that bond, it was being mission driven and not being like, oh, let me, what's the bottom line here? I mean, we all have to make money. It's a company, but I think the desire is to truly help people, and that's what I need to get up every day and log in.

Den:

Yeah, no, yeah. So moving to, can you explain just the culture? This is one thing, I met Theresa quite a few years ago now, before Covid. So I mean I guess that must be more than four years. And just from an ethics perspective, a desire to help, can you explain to people that culture

Bridget:

And

Den:

That mission driven element of it? Yeah,

Bridget:

Sure. I like to say, I'll even just start with what Fortalice means, which means fortress, and the concept of we want to protect people. And so sometimes people say, oh, that sounds nice, or that's a nice to have. But in all reality, one of the things that is so unique about Fortalice is, while we are constantly picked out as one of the top small cybersecurity firms, one of the things that's very important to us is we're completely bootstrapped. We don't have any outside investors. So there's no like, Hey, what do I owe you? Or can I do this? And the reason I'm highlighting that part is because Theresa has said very often, I like to be able to help. I like to be able to help. So for example, the National Center for Missing & Exploited Children, we do a lot of work with them in terms of doing our open source intelligence training.

So a lot of the times, the tools that are available or some of the training they might not have access to, they're a nonprofit, but we actually went on site, we spent time doing that. But what was great was we brought the whole team. So it wasn't just the people that worked in the open source intelligence team, it was the people who do pen testing or risk assessments. And they thought, wow, maybe I could help. And it started to kind of open up this concept, in my opinion, of the holistic view of cybersecurity that Fortalice has, not just isolating around one service line, but actually wanting to bring everything to bear, to have that protective outer layer frankly, and to get companies and individuals to be way more proactive with their cybersecurity than they are. And so when you talk about the ethics or the morals, at the end of the day, Theresa always will say, if I say, well, the client didn't pay us for that, or maybe we don't have, that's not in the contract, is the client happy and did they get what they needed?

And were we there for them? And those are just the intangibles that we freely say. And honestly, Den, I've worked for other consulting firms and I've never felt that empowerment, or it was lip service. So I will tell you from that standpoint, I do think we are truly unique and we're a small team. So sometimes I understand that some of our potential customers may go with a larger firm, but at the end of the day when they need help and they're not really sure who to call about a certain topic, that's who we want to be for them. And they typically do and we'll figure it out.

Den:

For me, there's people in the industry that I just love to be around and have in my network, because I would say there's a difference between people you work with that are colleagues, you need to, and then there's people that you work with because you want to, because the energy, the positivity, but the ethics, the morals, that side of it. And for me, when I met Theresa, I was just like, shit, this is a live wire of a woman. She's smart as shit. She's fun to hang out with. You go grab a cocktail if you want and hang out and get stories and stuff. And literally, from how do you work as a professional delivering service, I've worked with Theresa. When I was at Cisco, you guys came in and you guys did the tabletop assessment, the tabletop, yeah, not assessment, the tabletop exercise.

And I thought it was very well run. I enjoyed the experience. It was great how the Cisco executives were all in attendance and everybody was blown away by the scenarios that you guys had worked up. And I thought for me that was great. Now what's funny is I've started my own consulting firm and one of the very first people I reached out to was Theresa, and I'm like, I get that you do this and I'm talking about me doing this and you can tell me to go run and jump if you want. But she didn't. She still turned around and said, Hey, how can I help? And there's enough business to go around, and just talking about the approach and how she's partnered and built Fortalice. It's a very well respected business. My thing for Theresa was, I'm like, I'm not planning to do some of the stuff that you do, so I would love to partner and bring you in whenever I've got clients that need things that I think are more deep. I'm not doing the tabletops, I'm not doing pen tests, I'm strategy and execution, but I'm not doing some of those things.

I'm not doing incident response. So for me it's like, do I want to partner with you guys? Absolutely. Because it's a great team. And so as I'm even building my thing, the thing that rings true for me in what you said about your culture is culture's important, because culture's the thing that as a leader, we get to build a good one or a bad one or somewhere in between. But as we work with our clients, happy staff, happy team, and an invigorated and challenged team, the right elements rub off on your clients. And the one thing you mentioned was empowerment, the ability for you to be empowered or your team to be empowered and say, look, the most important thing is the experience this client gets, is that what they wanted? And whether you pay for it or not, sometimes you might not make money on a gig, but it might be the right move just because it's an important client and you want to make things, you want to make sure they leave feeling great. And your profit margin might not be where you want it, but that's business.

Bridget:

Well, you make a great point there. I can't count, probably on two hands, how many times, like you said, maybe we didn't make money, or maybe the client called, or someone like yourself who said, Hey, I need some advice on something and we don't have a contract. Yeah, no problem. Or even there. And it's more of like, yep. Let me tell you my thoughts on, for example, we have a lot of clients calling about the latest CMMC regulations coming out of DoD. And I say, I have no problem spending 15 minutes just giving you our rundown of it, because at the end of the day, then I can't tell you how many clients we've had who leave that organization, go to another organization and think of Fortalice. That's actually all I want them to do. I want them to think of us. So I mean, what is it, me making a couple hundred dollars on an hour of consultancy, or a really large contract? And, oh, go ahead.

Den:

No, sorry. Well, I was just going to say it's like I've been a practitioner for 30 years and just because a vendor has some shit they want to sell you doesn't mean I have a problem, but when I do have the problem, you want to think of, you want to be top of mind. And that is it. And I tell salespeople this all the time, stop worrying about the immediate deal, build a relationship, build a trust, and build a credibility.

Bridget:

Because

Den:

When I have a problem that I think your thing solves, you're going to get the call, especially in the consulting game. The consulting game for me, I would hang my hat on probably three or four people in the industry that I would call

Bridget:

Same. And I think that, as Theresa said to you, right, there's plenty of work for all of us. I would actually caveat that with there's plenty of work for all of us who have the right intention and, like you said, have the right compass in terms of, for example, I can't tell you how many times somebody will call and say, I need a pen test. And then we get into the conversation and I'm like, we'll be in your network in two minutes. You don't need a pen test. Actually, that's a waste of money, but do you need it for, is there an assessment? Is this a requirement? And we'll get into the conversation. No, somebody just threw it out in a meeting and I think I need it. And I thought, well, I'm not going to charge you 40 or $50,000 when I'll be in your network and then you'll think you didn't get anything from me.

I said, why don't we actually start out with some more fact finding? Let's actually build up a program a little bit. Now sometimes people will be like, no thanks. But at that moment, that's when I actually realized, to your point, you were talking about salespeople. We don't have salespeople at Fortalice. A lot of our work is usually sold by Theresa or myself or Melissa, the other partner, because our belief is that I need to know you, like you said, and I want to hear, what are your pain points? Because maybe through that conversation it will reveal something you didn't even know you needed, or that I could provide that will, one, actually make your network better, but two, make you look really good to your senior leaders. And that's the way we always look at those interactions. But a lot of times they'll say, I need this pen test, and I say, I don't want to waste your time and I don't want to waste your money, because I'm not the cheapest person, but I'm not the most expensive either. But I want to tell you why. At that moment, if they stay with us for that conversation and they're like, okay, they're usually in. But I do get people who will say, no thanks. I called you and I just wanted this.

And it becomes very transactional versus, like you said, having that relationship. I'd rather they say no to me and then come back and ask for something else. Because I know the majority of Fortalice clients today, we have clients that have been with us for nine of our 10 years. That's incredible. As a cybersecurity consulting company, what an honor. And those are the people we've built the relationships for, and they refer us, they refer us all the time, and that's how we drive the business. So I can't stand salespeople, particularly consulting, products even worse, but consulting, I always feel they miss the point of a relationship. And with Covid and the virtual stuff, that has made it even more, and it's really kind of depressing, frankly. And I was telling Theresa that the other day. I said, wow, it's like going to meetings, lunch meetings again with people and actually sitting across from them, learning their story and then being able to actually build something or say, Hey, I know you like so-and-so, did you see the concert's coming, or all those types of things that we used to do and have these great relationships with people.

And now it's become like, Hey, did you get my email? Did you read it?

Den:

No, the bar has shifted, right? I mean, that's it. And I spoke to one of my sales buddies. I mean, it's funny, I look at it like 30 years I've been doing this nonsense, and I probably have 10, if I'm lucky, salespeople in this industry that I have enough respect for to say, I'll meet you for lunch and a drink without giving a shit about your sales thing. But good people are hard to find, in the sense of, I'll meet you for lunch or whatever, and I don't have any ask of you. Most of the people, especially in the valley, there's always some angle and shit like that. I'm sure in the DC area it's probably just as bad or

Bridget:

Worse. You get it from the contractors or the people that want to partner with you or prime the contract with you. It's ironic because I'm from DC, but when I go to those events, I'm just totally repelled because it's so disingenuous and it's not actually about, they are mostly, obviously as you know, service-based and wanting to have these multi-year contracts and things like that, which is everything that Fortalice really is not, in terms of butts-in-seats type contracts, it's not really what we do. So it's very hard to have these conversations. I'll tell you what's interesting. When I tell them we also do private sector work, they're like, really?

How do you do that? And I'm like, I don't know how you stay in government and wait two years to be awarded a contract. I can get awarded the next day. It's just things like that that are very apparent. But they are very much about who's walking the halls. And like you said, I don't know if it was, was it you who told me the story about somebody saying, can you meet a salesperson for lunch? I forget who told me the story, but I thought this was so great. And this person kept writing and saying, can you please meet? I want to talk to you about this. Finally, the person that was their target responded and said, Hey, so-and-so, always great to hear from you. I'm happy to go to lunch with you and hear about how you and your family are doing, but if this is just about you closing a deal, I can't meet. And has anybody ever actually taken the time to actually write back to somebody and say that? But at least they were being sincere to say that, to your point,

Den:

Yeah, it wasn't me, but it sounds like something I would say, except there were probably three swear words missing in there. I probably would've added shit or something along those lines. So you're a very successful businesswoman. You guys have got a great firm, you've gone through the ranks of the White House, which I look at it, you're a successful woman in what I would probably say are two old, male-dominated establishments. Totally. So you can share that horror story if you want, but what I'm really, I'd love to prise out for the audience is a lesson, like the lesson that you learned, or if you could do something differently. So yeah, I'd love to hear the positive spin on the thing, or the wouldn't do that again, but I would think of this again. So

Bridget:

Can

Den:

You share some insights there?

Bridget:

So I will often look back at my time when I was younger and think that I probably was experiencing varying levels of misogyny or various commentary from men, like you said, being in male-dominated areas. But for me, I had a certain level of awareness, I think, about what was going on and was able to say, okay, this isn't right, or I'm not really sure why this person felt they could do that because I was a young female at the time. And I remember speaking to, I've had the privilege of having extremely wonderful female mentors in my life. And I remember sharing a particular incident with my mentor at the time, and she said, that culture is going to the wayside. She goes, that is what I was, at the time she was in her fifties, and she was telling me that was the way she had grown up in it.

And she said, the most important thing you can do is not to give up or not let it get you down, and not to also let it make you bitter, because there was something I could learn from everybody. And honestly, then I haven't experienced in the last 10 years many moments of that put-down of a female in cybersecurity. But I did experience it a few months ago, and I was on a client call with a new client, and at first I didn't even know what was going on. It was as if it was so foreign that the world had come so far. And then all of a sudden it was as if I went like, and I was transported, teleported back in time, and I thought, wait a minute, is this really happening? And I remember sitting in the call because I was answering the questions and I was being cut off when speaking. And at one point the person said, do you even consider what you do cybersecurity? Because I was talking more about the human element that we always talk about, and how the human element is forgotten. And I said, well, I absolutely do. I said, what are we without the human interaction? And I thought at that moment, lean in, sorry to use that expression. I typically hate it.

I thought I actually meant lean in literally because

Den:

Lean into the microphone

Bridget:

Because sometimes in situations like that, you might have the tendency to shy away or not. And I thought, there are other Fortalice employees and young women on this call. I'm not going to, one, back away.

Den:

And

Bridget:

Two, I'm going to answer the question, because if that's where he's coming from, he may be expecting me just not to answer or give kind of a made-up, fluffy answer. And I just went right for it. And I started going through our capabilities and I just leaned into it, honestly. And afterwards I was mad. I was mad and I was talking to, I talked to Theresa about it, of course, and she's experienced it so often, obviously when she was a lot younger too. And she said, the best thing you can do is you just keep showing up. Because some people would say, I don't want to work with that person again. I don't want to get on another call. I want to avoid them. Don't avoid,

Den:

Yeah, don't.

Bridget:

Because that's how they win if you do that. And I never had looked at it that way. So I felt, geez, I just see people for who they are, and you like somebody because, or you think they're knowledgeable because of the way they're speaking about topics. It should have nothing to do with the way they look. And so I will tell you, it has become more rare, but I still see it. And like I said, I almost didn't even recognize it.

Den:

So in the moment when that's happening, how do you regroup emotionally to not lose your shit, not lose your calm, because obviously there's that whole, I might want to just lash out and rip you a new one and call you out on your bullshit, but you handled, it sounds like you handled it very professionally. So emotionally, how did you set yourself up for that?

Bridget:

Well, I have definitely matured. I am known a little bit as, I can be a little bit passionate and a bit of a hothead, but one of the things the same mentor had told me when I was at the White House was, your body language is very strong, and when you're in meetings it's like flexing my jaw or doing something else. And she said, it's very obvious when you're upset. And she's like, the reason I'm telling you this is, not because there's anything wrong with you being upset, but because you're showing your cards to people. And she said the best way to do it is to just listen to the words they are saying, tell yourself, does this stop? Listen to the words they are saying and watch their body language. And she said, because if you get in your head and you're getting all amped up and f this guy and what the hell?

And I want to flip this desk. She said, you've already lost. So in that moment, I actually was very proud of myself, not to be dismissive of myself at all, but my initial reaction sometimes on these calls is just to be like, I don't really need to spend my time with you. I have a bunch of other clients. But in that moment I thought, he's new. I've actually worked with this client for five years and I've built a rapport with the other people on his team. Fortalice has done wonderful work for them. I'm not going to let my feelings get in the way here, or my emotions. And so I was able to just kind of sit forward, and yeah, was I mad? Sure. Was I like steaming? Yeah. And if I could, then I would use those. I'm the youngest of four, three older brothers, so I'm not shy about using my vocabulary either,

Den:

But

Bridget:

I did realize that sometimes, what's that going to get me? And what I really wanted at the end of the day was for him to become a Fortalice fan. That doesn't mean I want to talk to him or hang out with him personally.

Den:

Yeah. So that's brilliant because I think the lesson for anybody that is listening is really, there's decompartmentalize the situation from the emotional feeling

And recognize. And I think there's two things. And I had some guys that I respected and used to work with back in Adobe and I was at a social event and they turned around to me and said, oh, you only got what you got because of your accent. And I know it's not the same because we don't, as a white guy, we don't get abused very often and I didn't put, but I don't give a shit what people think of me really. I mean, I do what I do and I think I do well, but I think I place it. I actually then turn around and think of the guy and how he spoke to you and how these guys speak to me and anyone that's on the receiving end of bullshit like that. I'm always like, if you can emotionally keep your calm, keep yourself above level and how you respond and just put your best foot forward.

And you're not trying to be best friends with these people, but let your game win. And by that it's just more a case of you're professional how good you are, you do what you do. And I think that's brilliant. And it's funny, we blew over my normal, oh my gosh, sorry. No, it's funny. Most of these pods I've been doing recently, you're getting in there very good conversation and you're like, shit. Because there's all these little nuggets that I think people can take away from this and it's interesting. Yeah. When you think of the business that you're in, where do you see from a security perspective, I try not to worry about the breaches and all that stuff. There's a lot of podcasts that cover all of these things, but from a security perspective, the way the industry's going from a diversity perspective, then there's the AI thing. But just from the human element of our industry, where do you guys think this is all going to play out?

Bridget:

Well, I take the position of where I want it to go and where I want it to play out, which is always human-centered design in everything we do. And I laugh about, I had a client who was like, oh my gosh, hey, hi. And they kept using their hands and they were getting really upset and it was as if it was this new concept and I thought, take a deep breath. And I said, oh my gosh. I remember when we were moving to the cloud or the cloud was brought up and people were breathing in paper bags and I thought, we're all going to get through this together. Also, this doesn't necessarily need to be this new novel concept. It's about how do you manage risk and introductions into your environment and are you being proactive and not waiting for the technology to command you what to do? So that's the one thing that bothers me the most is I've had clients say, we're just going to block all of these AI tools. So people have phones at work, I mean master of the obvious type stuff, that they think by being some overlord, you're going to be able to control this. And my quote is often, I love Jurassic Park. Nature always finds a way.

So people will always find a way to do these things. So why are you not, one, educating more? So back to the human-centered design, I can't stand when, like you were saying on the breaches and stuff, it's always like, who are we going to throw under the bus?

Let's find our victim and shame them. And it was some person in accounting and those people, they click the link and I always get so mad because that's on us. Did we educate them? Did we tell people, please don't keep highlighting on QR codes. Please stop. And then we are putting 'em out on the Super Bowl and we're making people feel comfortable with the concept and then wondering why these things happen. So education, but then the idea that we are putting so much on technology within cybersecurity, I can't tell you then how many incident responses we do where we get on and the client starts rattling off all the tools they have, but they don't know how they're configured. They don't know how to pull the logs, they don't know all of these other things. And they think, well, we spent all this money, are we safe?

Den:

We must be safe.

Bridget:

No. So I hope for, I do see the light at the end of the tunnel. I think that companies are waking up to maybe the tooling and all of that. We need to do the education. We need to do the appropriate amount of training. I think the economy, it's been hard for companies to maintain the level they need to be maintaining, but I do hope with AI being used smartly to make things more efficient, to catch more of the anomalies that I know some of these companies are having to deal with. And that's kind of my hope, honestly.

Den:

Yeah. And you mentioned something there, which I've been speaking about at conferences for probably two years now, which is I look at people's strategies and I think so many strategies were cool in the nineties, but it's bullshit now, right?

Bridget:

Exactly.

Den:

And one of the things I observe is a lot of people, we buy tools, we buy tools, you go to a science class and then you're like, oh, do the sciences top 10 and you spin up this program, this program this. And then you buy tools, you buy tools, and eventually you've got two tools per person. And the problem is they're not configured correctly. You're not getting the value. So you're blowing your money and you're telling your board that you've just spent 20 million this year, and then you're looking at the risk and the residual risk at the end of it. You're not fixing shit.

Bridget:

No. So

Den:

Ultimately,

Bridget:

And your notes along, you didn't move it anywhere.

Den:

Yeah, you didn't move the needle. And I think our industry, I love compliance. No, fuck, I hate compliance.

Bridget:

I was going to say, I've never heard anybody say

Den:

It. No, no. I've been lucky enough to dodge running compliance teams, but I've always participated in it. And at Banyan, we were responsible for their SOC 2 every year, and it's all great and stuff, but when someone says, are you doing incident management in the sense of, okay, I need to deploy a tool to record the tickets, and I'm like, no, you don't. You can use an Excel sheet and just record it in there and lock that down, right?

Bridget:

Yeah.

Den:

You don't have to go out and buy some ITSM tool and blah, blah, blah for all your security incidents. But when you're a big enterprise, maybe that does make more sense, right? So I think when you're looking at the situations and the companies, just because if you're a small company, I wouldn't talk about building a big security program. Again, my concept of pragmatic security, I'm like, I want to be very pragmatic about it. And if 80% of the breaches happen because people click links or their creds are stolen, I mean that's an identity and that's an endpoint security click and linky thing. So I look at it like there's three or four areas that you can go tight on and then there's three or four areas that you can be good enough.

Bridget:

Yes,

Den:

I am like, stop spending money on shit that you're not deploying and you don't even have the staff with the skills to look after.

Bridget:

I can't even tell you. I mean, it's alarming.

I think actually you hit, when you actually asked me something about diversity, the thing that concerns me the most is how understaffed these security teams are. And from a burnout perspective, it's quite alarming. I speak to them and I see the glazed look, right? I see all my boxes are blinking and I have no idea what this means. And is this a real threat? Understaffed, just totally. They've got the tools. And so the director will be like, I don't understand. Why aren't you doing this? Well, I was never trained on it. Some of these tools are not intuitive. And here's the other thing, cyber professionals, as you know, it's a specialty area. Why are we not, just like we have doctors or pharmacists have to do ongoing education, continuing education, lawyers do it. We should be offering that to cybersecurity professionals because why is it on them? They're sitting there working in the SOC. Oh, did you read the latest Dark Reading? Did you see the new tactics? Are you on the dark web in the forums? I mean, when would these people sleep? So that's the one thing that concerns me.

Den:

Yeah, it's funny. I remember at Adobe, I used to budget $5,000 per staff member per year

Bridget:

Training.

Den:

And even then, no, I had about 75 people in the team. So that was a fair amount of money. But even then, you're under pressure to reduce the budget. CFOs don't necessarily know the price of training, I guess, or they want to give you some LinkedIn training, which is cool. Some

Bridget:

Get you to watch some YouTube videos then.

Den:

Yeah, yeah. Watch some videos. Yeah. I'm like, that's great, man, that's cool. That's great if I want to learn how to fix my music shit, but not if I want to protect your company from nature.

Bridget:

Isn't that, it's just like, it's so mind blowing, but yet is it? Because then I think about home security and people usually only get a security system after being robbed.

Den:

Exactly. Yeah. It's an insurance policy. Now, again, we could go on forever. Let's wind up with, I mean, I think of Fortalice and even the stuff that I'm trying to push at 909 Cyber as being like we want to be pragmatic. We recognize the human element is there, but you guys do an amazing amount of work to try and educate non-security people. Like on socials, you're pushing stuff out and there's the pre-election stuff with disinformation. There's all this stuff about protecting yourselves and your families and all of these things. You guys do a chunk of work there. And I think that, and I do something like that, although not at the scale you guys are doing, because I'm only three months old in my company.

Bridget:

You're

Den:

Still a baby. Yeah. The baby looks, and I look at it like that for me is something which I think a lot of companies totally miss a boat on, which is educate people about protecting themselves and their families.

Bridget:

Yes.

Den:

So what do you guys, I mean, I think, I know you're taking it, but what do you guys think on that side

Bridget:

Of this? Yeah, this is a real passion area for me. So what we've consistently said recently is the personal email compromise is the new business email compromise. And where I'm going with this is there's been, yes, you should obviously be worried about your own cybersecurity, your kids if they're online, their safety. But from a corporate security perspective, companies should be very, very invested in protecting their employees online, LinkedIn, social media, the fact that we have repeatedly had incidents that are very sophisticated threat actors who lie in wait for a long time on a big fish. They've gone on LinkedIn, they've pulled off lots of fascinating information. I'm always amazed at how open people are on LinkedIn or bragging about their backgrounds. You can easily put two and two together, and that's what they're doing, these bad actors. And our OSINT team does a lot with this where I'll put RocketReach, I'll open that up next to my LinkedIn, I'll be able to pull, even if they've blocked their email, I can get their email address and I can go over to Wikipedia, I can find out how much the company's worth, business, CEO, what's their net worth?

Then I can just go and start looking for breached passwords. And more often than not, as you know, this is not rocket science. They use those passwords and then well, bingo, I'm in the company's network. So this break between, I don't want to necessarily educate you about how to protect one your home. Oh my gosh, your home network. How many times we found stuff on home routers for CEOs, for anybody. It's amazing. To me it's just this, I call it the doggy door

Den:

Of

Bridget:

Security because it's like, Ooh, look, what if some of these people that are not smash-and-grab artists within cyber, but they are people that are truly waiting for the big fish. This is what they're looking to do. And they got all the time in the world. And that's where we come in and we say, we're not here necessarily to scare you, your employees, but we want to do a few things. Show them how to lock down their accounts. You don't need to be sharing this information. Then let's take it seriously when we do a digital footprint on you. And I find out you have all of these passwords and I have all of these things. Let's actually take that seriously and get these remediated. So we would like to see corporations take this more seriously, offer it to their employees. And I think it's kind of that thing that's just sitting out there and it's one that a lot of people don't want to address

Den:

For

Bridget:

One reason or another.

Den:

Well, I think it's because it costs more money for them to do that. But I actually look at that annual cyber training that you do for your compliance. When you look at the control, it's not that prescriptive on what needs to be in the training.

Bridget:

Yeah, it's really not.

Den:

I could sit there and talk about password managers for your family, your credit score. You could add that stuff into corporate training and maybe make it a little bit more sticky because it can be more personalized. And I call bullshit on the corporate training stuff. Everyone just does that while they do something else.

Bridget:

Oh yeah. The clicking through,

Den:

Oh, there we go. And I'll pass my little test. You throw a little shitty test in there as if it's like rocket science. Yeah. So for me, I'm like, we can do better.

Bridget:

You said a good point there. And Theresa, as you know, is one of the best at this. She's been doing recently for a lot of our clients, she's been doing this training at a very high level talking about the trends, but then we'll have a piece in there about personal security. As you said, it's a keystone for Fortalice. And she'll actually show the deepfake videos. And the people sit there and they're like, really? I mean, it's really just removing the scales from the eyes. They're blown away. Or she'll walk through how she got ChatGPT to lie to her. And that's like people are sitting there like somebody actually, but they're like, isn't this information vetted? And she goes, wow. Right. People actually think this data being pulled in here is somehow vetted by a person.

So it's more the illumination, I think, of really what we're talking about and stop using, and the media loves this, the big words, AI, and we like to conflate things with movies and things like that, but what are we really talking about? We're talking about data lakes. Right? And it was so funny. She did that and she got so many questions. She had to cut off the Q&A because they said, oh my gosh, I've been totally ignorant on the issue. So to your point, I agree. Why not make it interesting for people? Not only is it going to be sticky, they're going to be paying attention. They're going to learn something. They might be the person who stops a breach.

Den:

Yes.

Bridget:

You never know.

Den:

Hopefully they may be. So Bridget with that, I thank you. Amazing. Wow. I don't even know about looking at the clock any longer. I appreciate it. You guys are doing some amazing work. It's a great team. Great to hang out with you guys. And yeah, hopefully in person we can catch up with

Bridget:

This. Yeah, I look forward then to your new company. I know your baby, but we're here to help and share lessons learned, but looking forward to it, and thanks for having me.

Den:

Hey, thanks Bridget. Really appreciate it. Thanks, everybody. Take it easy.

Narrator:

Thanks for listening to Cyber 909. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and wisdom in cybersecurity.

To learn more about Fortalice, please visit their website: https://www.fortalice.com

About our Author
Bridget O’Connor

Bridget O’Connor is a seasoned operations and management professional responsible for Fortalice's operations and recruiting. For Fortalice, Bridget serves as a stabilizing force managing the organization’s growth objectives, including employee hiring and retainment, while representing the firm to clients and business partners with her dynamic, personable, and professional “white glove” style.
