Cyber909: Episode 1 with Aaron Wurthmann: Intro to 909Cyber

Transcript:

So let's start the session with some cheers. Yeah, just one. So everybody, welcome. Hey, this is Cyber Nine-Nine. our first ever podcast and I'm your host dan jones you may recall me from such amazing podcasts as get it started get it done with band insecurity um after their acquisition with sonic wall then we decided we'd start our own company doing uh cybersecurity consultancy and a few other gems. One of the gems though is the sister company, our podcast. So we're going to keep doing the podcast. The podcast is going to be a little different this year. We're going to do some cyber stuff. A lot of leadership stuff, a lot of other interesting things in your life. So don't be surprised if you get some other goodies along the journey of the Cyber Nine to Nine podcast. So our first guest for episode number one is one of my partners in crime, Mr. Werthmann. Why don't you introduce yourself? Aaron Werthmann. about twenty five years in IT and security. I had the pleasure of being on one of the previous podcasts and Dan was foolish enough to invite me back. Imagine that. So not only invite you back to the podcast, but as we introduce the company, which is Nine-O-Nine Cyber, actually the sponsors of today's episode, why don't you explain your role in Nine-O-Nine Cyber and a little bit about your background in the industry? Sure. So I'm a advisory CISO at Nine-O-Nine Cyber. I think I'm going to slip up on that name as Cyber Nine-O-Nine podcast goes on. Yeah, probably. I think you might actually. Now, just so you guys all know, we're not only podcasting, but we're playing some tunes. Yeah. And this is vinyl. Just so everyone knows, vinyl is this stuff. It's a little different. Sorry, Mr. Portman. So... advisory see so advisory see so so you've been a cio a ciso why don't why don't you explain some of the companies that you've worked for before sure so uh I've worked for uh companies in seed stage I've worked for fortune fifty I've worked for retail retail I've worked for software I've worked for sas um I had the pleasure of working with you at adobe Was that pleasure? It was a pleasure for me. It wasn't for me, actually. With you. It wasn't a pleasure at all. It wasn't a pleasure? No, it wasn't. That's why we're doing happy hour. So that we can dull our senses from the pleasure that that was or was not. So, anyway, we do digress a little. So, Outside of the podcast, we've just started this company called Nine-O-Nine Cyber. Now we were just explaining to a friend of ours earlier that we're not very good at coming up with names. So if you can imagine, I used to name servers as I was a server admin about there years ago, and I could never come up with a name for the server. That was before you had thousands of them and naming standards. I could build a server quicker than I could come up with a name for the server. So the company name, A, the domain was available. B, all the social medias were available. And C, apparently no one gives a shit about nine to nine. So other than Roland. Well, I think we need to get this out of the way right now. Yeah. It is not an area code. Everybody asks me that. I think it is an area code somewhere. Well, I'm sure it is. Okay, fine. It is an area code somewhere, but that's not where the name comes from. Where does the name come from, Dan? So there's a drum machine that I used to own called the TR-Nine-O-Nine. Not to be mistaken with the TR-Eight-O-Eight or the TB-Three-O-Three, which are other Roland gear, but the first record I ever released, the whole backbone of the tune was the TR-Nine-Nine drum machine. not to be confused with the nine nine because apparently the accent kind of screws up the nine oh nine thing so yeah so we didn't get that domain but whatever um so yeah it was a drum machine oh and the first vinyl was uh up there on the wall what maybe the audience doesn't know this about you why why is uh why is it important that uh that it's nine oh nine uh rolling nine oh nine and and what's the what's the music background So House Techno Trance from nineteen ninety four was the first record we released. I think back those days you were tagging buildings, actually. Ninety four. Ninety four. I was doing both. I was tagging buildings and throwing raves. Yes. Yeah. So one of the cool things. So When you're choosing people to work with, it's a really good thing to choose people with ethics, morals, but just some level of craziness that matches your craziness. And for us, we're both music guys. We love music, DJ, the vinyl and stuff. So that's a big thing for us. The music scene, the music culture, that's always been huge. And the funny thing is, is in tech, So many people we know in tech are also music technologists or into music in some way. So it's really a big theme throughout our career. A lot of people I've met in the Valley, while they're either technology people, they're big music people. So it's a big thing. Peace, love, unity, respect, I think is a big thing. Whoa, he busted out the blur. From the rave scene, you know. Some of us may have tattoos that are music related. Some of us may not. No tats. I don't know what you've got. No tats, no visible tats. I think you probably, no visible ones. No visible tats, mind your business. So your ass is Mickey Mouse or something. I think that's what it is. Nope, mind your business. Sure. That's for after the... Hey, we'll have the adult version of the podcast. That was a different name, but we'll do that later. Cyber-Nine-O-Nine After Hours. Yeah, yeah, yeah. We'll do the After Hours one. And by the way, in the studio, we also have Jerry Sastry, who's part of the team as Nine-O-Nine's recruitment division. So, Jerry, you may hear him laugh in the background. He is also... Got a refreshment. I think it's just lemon water though. We're not sure. So yeah, so nine nine cyber, we said this, so there's three divisions of it. We've got consultancy, we've got virtual CISO, and we've also got recruitment. So let's talk a little bit about each of those. Jerry's over here, so we're gonna get to his shit at the end, actually, maybe we'll let him pop his head in, but we don't want to scare you. So the consultancy stuff, we're really focused on what, anything? No, I mean, I think, I think as we talk, as we've talked to clients in the last, I want to say we've been talking to clients for, I want to say almost two months now. right, just to feel out the market, understand what people are looking for. And what we've heard is that there's a need for practitioners like ourselves, people that understand the greater strategy, people that have put hands on the keyboard in the past to advise early stage companies, pre IPO companies on their security strategy. Yeah. And one thing I think is like, One gripe. Can we do one gripe? I got one gripe and I want to hear your gripe. My first gripe is people who are new to the leadership role of a security organization, they go do their science course, they come back and they're like, we need to do the science top-ten, and then they start spinning up programs covering all these things, they start buying tools, and then before long, eight months later maybe, the lifetime of a CISO, about eight months to years, They bloody leave because they didn't get any results or they spent too much money. And the CEO of the company is sitting there with fifty million tools and they've got five employees that look after these tools. I think in a tools assessment, if you do one, generally you'll find you've probably got about two tools per employee. they're not very well deployed. So the biggest gripe I got is stop spending money on shit. And for us, our ethos is regardless of the engagement that we're gonna do, we're gonna also actively look to see where tools and technology have been deployed or processes have been deployed that aren't to the benefit of your company. So they're maybe expensive, but they're not reducing the risk or they're not having the perceived value or someone convince you that that risk is a big risk, but the reality is it's probably not. Yeah. That's one of my gripes. I got a lot of gripes, but that's one to start. Do you have a better gripe? Yeah, I think it's sort of related, I would say, is risk level. The company has a risk tolerance. The company has a risk level that it wants to meet or that it... that it thinks it should meet in order to function as a company. And sometimes security practitioners don't align with that. And so they buy too many tools to have a call back to your tools. Or the security practitioner or the risk practitioner will argue with the business. on that and that's just a bad place to be the the both of these parties need to come to a mutual agreement on the risk tolerance on the risk acceptance level yeah um and that needs to be part of a conversation and both parties need to feel like they they are collaboratively came to an agreement And I think that's it. So security organizations really need to be a business partner and a business partner rather than a thou shalt. And I think the reality is, is a lot of technology people, IT and security, they grow up with that ego of saying, I know better than you. And yeah, I've been in engineering companies like Adobe where the engineers think we are lower than the people that serve food in the cafe. So the reality is depends where you are, which company, your ego could be trodden on or you're the king. Well, oftentimes you come up with that God complex because you had sysadmin or you had root. before you became a cyber security practitioner or whatever, right? And so you feel like I have all this ability, thou shall do as I say, right? But the reality is that you have to find the balance there. Like someone with the ability to put key loggers on lots of devices and read other people's emails. I mean, sometimes you gotta do what you gotta do to protect the business. Yeah, yeah, that's what he said. So I look at it like, I mean, look, there's a couple of things about security professionals or practitioners that I'm almost like, I see our role now walking into organizations and actively looking for ways to make them more profitable while reducing the risk. And I don't see it as being security needs to be in the way of stuff. I also don't think startups or everybody wants a program like all that shit for me just blows my mind. It's like you don't need to follow every framework. Yeah, there's a lot of frameworks have been released over the years and people will be like, what framework do you follow? And I'm like, I don't. I follow the business strategy. And from business strategy, you come up with your technology people process strategy so that we can help the business be successful. Yeah. And I think most CEOs, most VCs, most founders, they actually are more busy trying to make profit and build a product. And until the product actually is very valuable, then they in their mind have nothing to secure. Now, I didn't come up with that. You were there when someone told us that. I was, and there'll be a blog posting on that exact conversation soon. Yeah, we'll look forward to the blog posting. So other than that, so we've got the consultancy stuff, and our ethos is very clear. Our goal is to reduce costs, reduce friction, and reduce your... tolerance for spending a shit lot of money, I think, on security. So there's risk, there's friction, there's money. Reduce those things. Now, on the other side of the business, virtual CISO, we actually started off thinking, hey, we're going to attack the virtual CISO market. The thing is, you spend a lot of time talking about the differences between a fractional and the virtual and the real CISO. So why don't you share just a few thoughts on What's the difference and why would maybe people want to call us to get involved there? Yeah, I think the funniest thing we heard during all this, because we've talked to a lot of different people and some of those people are marketing people, as you would expect when you start a new company and you want to understand the terms that are being used. And one of the things that we learned, I learned this, I think you learned this too, is the difference between virtual and fractional CISO. is the SEO. That's the difference. Probably, yeah. According to the marketing folks that we spoke with, that is the difference. The SEO. Did you know that, Jerry? That's the difference. That's the difference. So the SEO, I don't know if you know what SEO is, actually. Do you know? I didn't know. I didn't know. So SEO is the search. When people search for stuff, it's the search results. So what search is more common than another search? Right. search engine optimization okay see this is why he's here that's why he's here you and I have no idea don't worry about it we're just here for the dream he's here for the intelligence so this is the wit and the wisdom just saying by the way steve watson my old team he came up with that term so uh yeah I will always use it because I respected that guy and his jokes were as funny as mine So, sales up to you, something like that. Yeah, something like that. So, I did have one of my friends in Europe, he threw a whole article on LinkedIn and I've still not read it. But I got a sneaky feeling like a fractional CISO is one individual and they split their time against many companies. I think a virtual CISO is more likely a group of people, possibly, and they split their time against many companies. So I don't know. I've also seen people who said, we don't give a shit. Right. That is what I have heard. That is what we have heard. from our clients. What we did notice, though, in our conversations was you talk about virtual or fractional or CISO, the terms doesn't matter. You spend more time explaining what the term is before you get to the point of, hey, we can help solve your problems. I mean, at the end of the day, what we were saying is, look, we're executive leaders. We know problems. We've seen them. We've got the T-shirts. we can help and that was never shining through and the website like the nine to nine cyber website last week was more confusing by the way this is going to launch about nine oh nine so I'm saying last week as in the week we're taping it right so this week you go to the website it's very confusing it doesn't it's not very clear on the problems we solve so as we get into next week it's going to be a bit clearer. But the reality is, is for the consultancy, for the virtual CISO staff, it's all about us delivering products, a quality that I think people expect from accredited stars like us and our team. So if we say so ourselves, if we say so ourselves, yeah, we do. We didn't last at Adobe for all these years for no good reason. And their quality So, so ultimately we're not billing by the hour or billing by the result. One thing for me, when I was, when I was like leading teams, I'd bring in consultants and I'd begin these hourly bills. And the reality was, I just like, I just want the result. Tell me how much for the result at what quality. Right. And then we're good. Um, so now recruitment, cause Jerry's sitting there holding his tongue. He's, he's very enthusiastic. So he's taking notes. Holy shit. Um, so, so Jerry's on board, uh, executive from Adobe executive from zoom. Right. I don't know if you want to like poke your head in or. Or not. I mean, oh, there's Jerry. So, yeah. So he's here, really is here. So Jerry's partnered with Nightline Cyber. He has his own firm, but we're going to partner together. And I think the difference that we are able to offer in our partnership is the ability to turn around and say, look, when you want to engage with our recruitment firm, We're going to be in a position where we are working with our practitioners so that as the recruitment team engages with clients, if they need us to help build a job description, if they need us to reach into our network. Remember, we get a network of thousands of CISOs and thousands of practitioners. So we know people that are looking for work who have a job. You might not know that, but we know that. And we know people who are good versus the one who can bullshit their way into a job. We know people with high say-do ratios and people with low say-do ratios. Yeah, yeah. Now, say-do, so that could be a new term for someone. So I'll say it but not do it or say it and do it? I mean, you want those things to be even. In Scotland, we'd say walk the walk and talk the talk. Yeah. A lot of people talk the talk and they're full of shit. You know, I look in the mirror sometimes. I got that. But I also deliver results. Actually, I don't do shit. People that I work with deliver results. That's why he's here. So the reality is, is we've all encountered those people. And actually, famously, In Adobe, our CIO years ago with an HR executive suggested I should not trip up candidates in an interview because I famously, long before you joined Adobe, Jerry, famously tripped up a candidate and said, you're lying to the candidate. Yeah, I did. This was about two thousand and three. But I was I was really well known for being someone that I can read people. So I was really pretty well known for like, yeah, yeah, that you're lying. I don't know if you mean to lie, but you are. They complained to H.R. after the interview. And needless to say, H.R. and the CIO had a conversation with me that went along the lines of you shouldn't say that. And I said, okay. But then I followed up with, I also don't need to interview people in other teams in IT if you don't want me to. Like it wasn't my team. I was doing someone else a favor and I have to do that. I read my job description. It doesn't say that. Did you really? Yeah. Yeah. Didn't give a shit. I didn't give a I mean literally it was like hey do you do you want me to interview or not and I think the reality is when you're now by the way just so you guys know I'm way more politically correct now that was a year two thousand and four jerry this is twenty years later this is a refined mr jones Could you imagine? The twenty years ago me, I would stroll in with flip flops and soccer shorts and a soccer t-shirt and I'd be like, what's going on? My ego was bigger than this ego, trust me. And this one's pretty big. So yeah, so literally I didn't give a shit. I was just like, you're lying. And you're wasting my time. That's it. Done here. Wow. You don't want to hear my vendor management stories. They're worse. A lot better now, though, but way back then. So anyways, so the recruitment thing, I'll probably not be involved. But I think the reality for us is we have the ability to not only have practitioners engage as part of the recruitment cycle, but we can also work with the clients on building the right job description, what really matters. And then the other stuff is we reach into our network. We have got thousands of people in their network. They reach out to us on a regular basis. And we'll build a database of candidates of people who are not looking but are looking. So you get a lot of them because I've had a lot of them call me in the last two months. know who you are well and I think the important thing there too is that when we engage with a client we're not going anywhere we're there we're there for the long haul so let's say we engage with somebody seed stage and we get we start their program with them and then they you know progress to a and maybe they need to start thinking about their sock too and they progress to b and they maybe need to start thinking about their iso twenty seven thousand one and then they're, you know, C and maybe then they're thinking about bringing on their actual staff. Maybe then they're thinking about the CISO or maybe they're thinking about, you know, security manager or something like that. We can help with that process. We're there with you throughout your maturity stages. We're there with you. We're not going anywhere. And most startups is also just focused on that demographic for a minute. Most startups, they need people. The minute they get funding, they need people now. They got the funding. Actually, every company I've ever been in and worked with, The minute the budget's approved, all the spending starts and then they get towards the end of the quarter, they're like, oh, slow down, you don't spend too much. So I think the big thing for us is we recognize that a client that calls us, they've just had their funding round. They've got a sense of urgency. They want it now. And the good thing about that is actually we have so many people in our contact list that we know everything from interns to CISOs. That's true. And we have. That are either looking for work or they're in a great job, but we know them personally, so they might be tempted to bail. Yep. Yep. I'm glad you said that. We absolutely know students. We know students that are looking. So interns or students that are just starting their careers and then folks that maybe want to come on part time or folks that want to get out of their current job. yeah yeah and and seesaws who are sick and tired of being seesaws and actually maybe just want to be advisors yeah so we got we got the mix we got the blend so I know I don't even know because see from here I can't see what the time says but I'm sure we've been talking for a little bit um let's cover a couple of things as we wrap up arm so recently there was a breach A data broker got breached. Just one breach? Well, you know, there's been a few, but let's pick on the one where all the people in America got their social security numbers stolen and a bunch of other data. So if you were going to give an advice, let's say this is just for the American audience, because, you know, I know that we're probably the third best podcast and who gives a shit, Bill, but But for the American people out there where this matters, what advice would you have for them and what can they do to protect themselves? Yeah. So as somebody whose data has been breached a few times, you have to sort of start with those credit companies. Experian, Equifax, and TransUnion. Start there. Go freeze your credit reports. I'm a big fan of doing that on a regular basis. Subscribe to some app or service for you, preferably. I'm not going to shout out any names, but subscribe to some app. Not until they sponsor the podcast. Call me. Call us. We'll shout out names if you call us. and track credit inquiries into your credit reports. That's important. And then on top of that, let's see what else. You got freeze, you got track. You can also go to, there's some government websites for identity breaches and you can follow the steps there. Maybe we'll drop a link. Yeah, we can do that. We'll drop the link to that. We've got the Have I Been Pwned website. Have I Been Pwned, you absolutely have to do that. That's a fun one. Everybody has to do that. Now, we're also about to release a little booklet on personal security. Yeah. We're at about twelve pages in on that one. I think it's going to be about twenty pages by the time we're done. We'll have that release in the next couple of weeks, I hope. So we cover all of that there. When he says pages, it's because we're going step by step. It's not because it's like... go do this and then you know one two three four five six seven it's not a hundred things to do it's just because we are being thorough we want to make sure that we cover we cover certain topics from password managers to freezing your credit one one thing there is how do you know like how can you spot someone's trying to like scam you yeah spot a scammer so what do you do there uh and it's targeted towards the normal person that doesn't do the for living yeah so like my mom or or jerry yep yep my mom or jerry or what some of our sales people might be able to read this and and I I ideally understand it so because I think the reality is is enterprises do security training a lot and a lot of it for compliance to have to do it. But the thing about compliance is they're not prescriptive on what has to be in the training. They'll call out some stuff, but the reality is what I learned at DevCon about ten years ago from some woman social engineer in the social engineering village, which is my favorite village there. She said, train your employees on how to look after themselves, their family and their friends. They will take that back to work. So at Banyan, when we were doing security training, we actually, our onboarding training was about your personal stuff. The annual training was the other nonsense that we could track with HR, but it was pretty scaled back. Yeah. Since you told me that story, I have gone to the village. That's true. But also I've adopted that as well. yeah it's it's good I mean it's really good now we're going to leave you guys with one thing there are unicorns behind us we know there's bloody unicorns we know there's a unicorn in the logo what we want you guys to do is uh tell us in the chat thing somewhere here oh no wait it's there I don't know whatever they put that by the time they record this tell us in chat why the unicorn might be in the logo Thank you very much, everybody. Have a great week. Uh, nine Oh nine day is around the corner. Hopefully that's the day that this drops. And, uh, thank you very much guys. We'd love your feedback. This is the first ever. We got the next one recorded next week. We're not going to blow the surprise on who the guest is, but it's going to be a fun one. And he actually swears a shit lot more than me. Impossible. Thanks guys. Peace out.

‍