Episode 61 welcomes recurring guest, Ryan Cloutier, as he begins his new venture with SecurityStudio. We go behind the scenes of writing a cybersecurity book together, Ryan, Brad, and Evan (calling in from sunny Cancun) recap 2019 and look ahead to 2020. Give it listen and let us know what you think!
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Brad Nigh: All right. Welcome to the first Unsecurity podcast episode of 2020. We’ve got a jam packed show for you today. It’s monday january 6th 2020. I’m Brad Nigh and joining me in studio is the newest member of our team. Ryan Cloutier. I just said I was going to call him every single option before we started. You choose. Good morning Ryan.
[00:00:39] Ryan Cloutier: Good morning.
[00:00:40] Brad Nigh: Uh, joining us by phone from joining us by phone from Cancun. Mexico is my usual co host Evan Francen. Hi Evan.
[00:00:56] Evan Francen: Hi guys,
[00:00:58] Brad Nigh: I was house Cancun.
[00:01:01] Evan Francen: It’s nice. You got here on saturday. I think it’s monday. Um, yeah, the weather’s nice. I got no complaints other than I, I can’t find a quiet space to call. Somebody gets back on its what’s up.
[00:01:17] Brad Nigh: Well, you know, you are joining us from Cancun. So yeah, it was what we call a sweatshirt weather here yesterday like 37 and sunny, windy though.
[00:01:27] Ryan Cloutier: It was a little windy. It wasn’t too bad.
[00:01:29] Brad Nigh: All right. Make Evan feel bad for like ditching us for the mid 70s.
[00:01:35] Ryan Cloutier: It seems like every time I’m on the podcast. Evan has somewhere else to be
[00:01:39] Brad Nigh: Yeah,
[00:01:40] Evan Francen: yeah, I know it was like podcast was 27. I was in Anaheim California. It was the last time you were on my 44, I was in Bulgaria. Beyond in Mexico.
[00:01:51] Ryan Cloutier: Well, you’re slowly getting closer to Minnesota over.
[00:01:56] Evan Francen: Yeah. All right. It’s sort of for these things. I’d rather be there with you guys, but you know, I’m not from this one.
[00:02:04] Brad Nigh: Yeah. All right, So, we’ll get to why you’re in Cancun here in just a minute. But you know, first of all, we’re gonna welcome Ryan and uh you know, kind of give him the, was it the 10th degree or whatever, whatever the question level are here. So, uh welcome Ryan. We
[00:02:22] Evan Francen: are, you know, Does he know he’s going to put on 10 lbs?
[00:02:26] Ryan Cloutier: Oh, is that how this works?
[00:02:29] Brad Nigh: Lots of barbecue and start,
[00:02:32] Evan Francen: Yeah, we have uh you know, free of what today? You guys are gonna have pizza because we’re bringing pizza everything.
[00:02:39] Brad Nigh: You know what that was cute for. I don’t know if that’s gonna happen today and it was just for q for
[00:02:46] Evan Francen: my boss man. You want me to make it happen?
[00:02:49] Ryan Cloutier: Yeah, Well, I know, I know when I was here, you know, last Evan uh fed me a fair degree of smoked meat. So I definitely had the meat sweats later on that day,
[00:02:58] Brad Nigh: but you’ll get used to it
[00:03:00] Ryan Cloutier: because it did you just build a tolerance? Is that is that what it is?
[00:03:06] Evan Francen: Have you, have you ever been to figure you wanna
[00:03:08] Ryan Cloutier: Um well, for the first time in my life, I’m starting to actually put on a little weight, turns out the closer you get to 40 a little bit bigger? That belly starts to get. So, uh, we’ll see how it goes. I’ve been about a buck and a half pretty much my whole life. So We’ll see if you can get me up to 160.
[00:03:27] Evan Francen: That was a bucket half at 14. Yeah. Well, put on 10 lbs.
[00:03:36] Brad Nigh: Yeah, we’ll walk you up. Don’t worry. I’m excited. It’s like the freshman 15 is the info sec 10. All right. So a couple of questions will start with here Ryan. So go with the traditional office space. So what would you say you’re doing here?
[00:03:51] Ryan Cloutier: Well, yeah, great question. You know, um, I think what I’m doing here and maybe even I’ll have a different idea. But I think what I’m doing here is um, continuing to pursue my passion for information security, right? Um, really love what you guys have been doing. Been keeping an eye on you for quite some time. And um, so an opportunity to partner with some passionate folks that I think we all share a vision of making the world a better place and you know, using our gifts and info sec to be the vehicle in which we do that. And so just in, in continuing dialogue and discussion, it just presented itself to be the right opportunity. And so mainly I’m here to help and I’m here to serve and, and hopefully in doing that, make a, make an impact on the world
[00:04:35] Brad Nigh: Evan. Do you agree we’re gonna put him on the spot.
[00:04:39] Evan Francen: Yeah, I do that. He’s, uh, lines often the United see information security so much the same way just like you and I brad, you know, it’s gonna be a great addition to the team’s going to evangelize, you know, our mission, which is, you know, to fix the broken security industry to focus a lot. I think in two through 12 was super strong and those tons of people very well respected in that industry. I think small, local governments, probably another area of focus. So he and I um, yeah, and people, he’s got a real passionate, a real passion for people. So I think we’ll work on how people good information security habits. So all the above.
[00:05:19] Brad Nigh: It was funny right before the show was like, we just started going off and kind of peeking out, I was like, wait, shoot, we gotta call it and we’re gonna be late. Yeah, we
[00:05:27] Ryan Cloutier: got, we got a bit of a tangent about how we would go about fixing this industry. So
[00:05:32] Brad Nigh: it’s good. I’m excited. This is me fun to, to work with you and, you know, not kind of the whole sister company thing and yeah, I’m
[00:05:40] Ryan Cloutier: excited for the partnership. I think,
[00:05:41] Brad Nigh: you know, a lot
[00:05:42] Ryan Cloutier: of great stuff going on and um, really excited to just be part of a team that has passion. That’s, that’s what I’m saying that made me really attracted to you guys is, is, uh, you know, you and Evan have, have continually displayed, you know, a fire for fixing the problem and
[00:05:57] Brad Nigh: I think what you’re gonna find what’s amazing is just with all the analysts on the far secure side, just the, yeah, that passion top to bottom and just the knowledge and just having other people. So you’re not the only guy,
[00:06:10] Ryan Cloutier: right? Yeah, that’ll be good. I’m looking forward and hopefully, you know, I’d, I’d like to learn a thing or two. Um, you know, it’s one of the things that the last year or so I’ve been so mired in the administrative side of things that I haven’t had a chance to kind of play with some of the new toys. So always love when I get a chance to hang out with the analysts and they, hey, look what I just did with this new thing or this new IOT, I just hacked and so I’m excited for
[00:06:36] Brad Nigh: that. Yeah, they do a lot of really cool stuff and they come to me with a lot of really good ideas, so it’ll be fun. Um, you kind of answered it, but you know, what was kind of, what was the driver for, make you go and change jobs to come over here, you know,
[00:06:52] Ryan Cloutier: the main driver was, um, Increasing the speed in which I could affect change in the K- 12 industry and um, you know, security studio is poised with its tools and services to allow me to kind of accelerate the last mile if you will. Um, and in the organization I was with previous, we were making a lot of great headway, but that organization is a little more diverse and what they do. Uh, and so, um, we weren’t quite moving as quick in the security space and I saw a great opportunity to, to um, you know, potentially even partner with that organization to help move forward. So the really, what maybe come over here though at the end of the day was, you know, guys like you and oven. It really is, it’s the people side of it. It’s, it’s the passion that you have for solving the problem and um, that’s just, that was too attractive to pass
[00:07:44] Brad Nigh: up. Yeah, there’s definitely something to be said for, right, I could go one place and, and really improve one program or work here with this great team and improve infinitely more. Right. I can only do so much if I’m there,
[00:07:59] Ryan Cloutier: correct. Yeah, absolutely. And you know, just again to, I was working in an organization that was, you know, a little more diverse in the products and services. Um, so really excited to be back with an info sec team with an info sec focus.
[00:08:14] Brad Nigh: Uh, excuse me. Uh, what do you think some of maybe some of the biggest challenges are uh, facing K through tall specifically uh in your job? This they for see,
[00:08:26] Ryan Cloutier: I think the biggest challenge in the K- 12 space is the amount of help that they need to get to, what I like to call the start line. Um you know, asset inventory for a lot of districts is still a massive undertaking. Um and that’s also true in the private world, right? It’s not universal just to K12, but I think the biggest challenges is helping to accelerate them to a point where they can really start to do operationalized security, um working through those administrative processes um and and having to do that in a way that’s not as technical as maybe we would do with our private sector partners, so that a lot of translation work. Right.
[00:09:09] Brad Nigh: Yeah. What’s interesting working with some K through 12 is they do have some unique challenges. Right, asset inventory? Well, it’s not just their devices that the teachers use enough administrative staff, every student has something, yeah,
[00:09:23] Ryan Cloutier: You can have a district with, you know, that’s relatively small, have 40,000 devices and most of them go home and are potentially also then used as a, as a personal computing device in addition to a to a school device. So um you know, part of it is you got to work with the community, the parents. Um so you have more stakeholders if you will uh in AK-12 setting than you would traditionally in a business setting. And I think that’s that’s part of the the challenge but also the opportunity.
[00:09:51] Brad Nigh: Yeah and the other thing I’ve noticed you know is from the administrative governance side policy is a bad word because that’s a school board thing versus, yeah
[00:10:01] Ryan Cloutier: so Evan and I talked about this what was it Evan two weeks ago I think we had sat down for a chat um and we talked about how it’s not it’s just an accent right? So it’s not that it’s even a different language per se but it’s just the enunciation right? It’s an accent thing. So for them policy means something significantly different than what we have traditionally understood it to mean. And so they have a term that they prefer over policy which is a is a guiding principle or best practice or a guideline. Um And and honestly I’ve had great success with districts in navigating those waters and saying okay well then let’s make the school board policy about I. T. Policy simply say our I. T. Security policy says that we maintain a book of guidelines going over there to guide
[00:10:52] Brad Nigh: specific examples is, yeah and then they’re always stuck with you know they’re not funded. Well let’s be honest right at the end of the day your I. T. Staff that’s responsible for this typically does not have a lot of resources at their disposal.
[00:11:07] Ryan Cloutier: Yeah I think you know and part of that is because um tech traditionally has been viewed as an add on um, to the school and not necessarily a foundational.
[00:11:19] Brad Nigh: It’s a requirement just to keep the students and teachers happy that then that’s it.
[00:11:23] Ryan Cloutier: Well, exactly. And so I think part of that funding challenge lies in the community not fully understanding why that funding is needed. Um because you know, let’s be honest, security is a bit hard to um quantify. It’s, it’s kind of an intangible if you will write the value of data for a lot of people is is still an intangible idea that this, this invisible thing of zeros and ones could have a financial value. Um, so I think, you know, what’s on guys like us to continue to do what we do and talk about this um, to empower the community members, to educate the parents, you know, and in the approach I like to take is to do it in a non technical fashion. Um really make it what I call dinner table relatable. Um, but that’s, I think that’s how we overcome it. I don’t think it’s going to be a limitation for much longer, but we’ve got to do a better job of how we articulate the need for that funding and how that funding ultimately helps protect the child’s safety, not just their privacy privacy is a bit of a ethereal concept.
[00:12:28] Brad Nigh: Yeah, no, that’s good. I’m excited. Uh, Evan, I know you are as well and like the rest of the teams from what I’ve heard is pretty good excited to have you here. So
[00:12:39] Ryan Cloutier: I’m just excited to eat more bacon. Just lots of bacon.
[00:12:45] Brad Nigh: All right. So Evan is down in Cancun starting another book. He’s getting it started and rumor has it that I am and maybe if he gropes you into it, if you’re a big enough sucker, like I am, you’ll be helping as well. I have, I have
[00:12:59] Ryan Cloutier: also heard this rumor. Um, yeah, I’m excited for that opportunity as well. Right? Um, it’s actually something that’s always been on my bucket list to do is to, is to write a cybersecurity book. And so, um, even if I just do a little bit of reading and thought, you know, I do edits for my wife, she runs a blog for women’s, uh, vaginal health. And so that makes for some interesting reads. Um, but I act as her editor. And so it’ll be, it’ll be interesting to see what happens when a real author, you know, write something
[00:13:33] Brad Nigh: lots of made up words. So, uh, even about the book, what is the point of the cybersecurity book?
[00:13:41] Evan Francen: What’s that? I’m sorry,
[00:13:42] Brad Nigh: what’s the point of the book?
[00:13:45] Evan Francen: Oh, it’s uh, you know, paper and felt words. Thank
[00:13:50] Brad Nigh: you. Just wanted your name on something else.
[00:13:53] Evan Francen: Uh huh. Now the part of the book is, You know, what parts, you know, it’s building out the Chapter one and more of the first book where you know, we talk about this language problem that we have in our industry, how, you know, something as simple as what is information security. So just the understanding of that is so different, you know, and certainly in the underserved markets, when you talk about F and B. Small to medium sized businesses, K through 12 local governments, we saw last year how they just got hammered last year or so. I feel like we sort of always to those markets to give them more. So this book is, you know, it’s just a manual, if you read the book, traction Juno Rickman, which is a great book. This build off that same uses that same sort of framework that he used, because it was so successful. Certainly an S and leads, we’re going to do the same sort of thing with information security. Give people Emmanuel, help people structure it, help people uh understand how do I set up meetings? How often should I have meetings, what should I call the meetings? Just all that stuff. So, it’ll be a really good book, hopefully. Um and the part I’m down here this week, just writing uh sort of the outline, I’ll start putting some meat into it and then, you know, bringing you guys into the mix. Uh you know, I thought your areas of actually teach globally, in my opinion, I don’t know anybody who could write better On K through 12, then Ryan, So why not invite him and to write the book? Uh as far as I know one of the people. Well, one of the people that extra just about more than anybody talking, jesus. Uh did you get there? Yeah, we’re here. Yeah. It’s not hard cartel battle or anything. So that just dropped a big thing in garbage. Uh what we’re doing. Oh and you uh bread with what you’re going to write on the smb each face uh and being able to also translate over into Keep 12 because you certainly worked there and local government, I think it’s just gonna be a really good book. Yeah, it will help the
[00:16:14] Brad Nigh: industry. Yeah. I’m excited. Like like said it’s, you know, the focus thing could be, We could, there’s so many 3-4 million business. Isn’t that 10 to 2500 employee range about? Is that about right, Evan?
[00:16:30] Evan Francen: Yeah. Actually, yet in 20 to 1000 employees and that’s just businesses. Right? And we’re not talking about non profit. We’re not talking about K-12. When I’m talking about local government just in business, There’s 3.1 million companies in that 20-1000 space. and the sad sacks are 90% of those companies aren’t doing fundamental risk assessments and you and I have built plenty of security programs over the years. There’s no way to build a security program, at least not one with any direction or strategy if you don’t have a risk assessment. So we’ve got to do something about this.
[00:17:06] Brad Nigh: Yeah, yeah. I think, you know, there’s no way we could possibly hit all those as a company. I mean, it’s just the reality of the numbers game. So this is a way to get that message out there, get help, the mission move forward. So, uh, it’s what, since Ryan and I haven’t written a book. What have we gotten ourselves into? What’s it like to write a book?
[00:17:30] Evan Francen: Well, it’s not too bad. I think the first time I had no idea what I was doing, so I came down here thought I’d live out a book in two weeks and be done with it. Uh, that didn’t happen. Um, there’s a lot more to it. It’s a, but it’s like, it’s like wrestling yourself. The experience is super rewarding. It’s funny just down here in Cancun, I met some people that I have human previous years, One of the guys I met on the airplane, I want to write a book. Can you tell me how to write a book and like we’ll just start writing. Yeah. You know, you just start writing, you just start putting things down on paper. Ah, it’s like a big lump of clay that doesn’t make any sense. And you start kind of molding it into something that hopefully somebody will understand. But I think it’s, it’s an expression of yourself, right? It’s a, like a teacher, you know, it’s just, it’s just art. You just throw it out there and as long as you’re happy with it, then don’t worry so much what the audience thinks, Right? It’s you. So it’s pretty hard. But I think it will be a lot easier when you’ve got a couple other people to write with because we’ll bring different perspectives, hopefully reach a wider audience. It won’t be kind of so lonely, but it’s it’s a cool strength. You guys are going to like it.
[00:18:50] Ryan Cloutier: Well, I mean, absolutely, I’m looking forward to going to Cancun and you know, right, book gone
[00:18:57] Evan Francen: down, man.
[00:18:59] Ryan Cloutier: I’ll tell you what I’m really actually quite stoked about this. Um and you know, I’ve done a little bit of writing, not not a whole lot couple articles here and there, but no, I think, I think the collaboration element for me is what I’m most excited about because the best ideas come out of groups, right? Small groups. Right, right. We know we know herd mentality, right? We start getting too many cooks in the kitchen
[00:19:22] Brad Nigh: and it goes, goes off the rails. But for me, you know, you’re doing articles and blogs and stuff like that. You you get to a point where you like, shoot, I don’t what to put here, you have to like leave. Well now, you know, I’m hoping it’s, it’s kind of like, well take some of that pressure off because now you’ve got other people to kind of come in and even if it’s just, oh, what about this? And you’re like, oh yes, and then you go, right, it’s gonna help out,
[00:19:47] Ryan Cloutier: you know, um I was actually just doing uh an edit um last night for my wife’s latest blog post and my edits actually inspired her to create additional content. So it was really interesting because I just said, you know, hey, turn of phrase here and instead it turned into, well that’s a whole new section, so hopefully we don’t create too much work for Evan by uh by helping, I
[00:20:12] Brad Nigh: think we’re gonna create more work for the editor to go come back and be like, guys, you wrote like six books worth of stuff here. Uh,
[00:20:21] Evan Francen: I think another, another thing about writing a book together is hopefully for me, you’ve got kind of contagious, so maybe you guys will catch the bug to and and write additional books. I think Ryan, you could write a couple of books about two through 12 and you know, brad, I know you and I know you’re passing your history and then you’ve got so many experiences that you can bring to bear and I think help other people and books too. So maybe this is just the beginning, I think um it takes the pressure off a little bit too to have three people writing a book together. But then I also think that it helps with accountability, right, if one of us haven’t finished are part of the book yet. Well then the other two are going to be like, hey, what’s up?
[00:21:02] Brad Nigh: So, I guess the next question is uh when can people expect to see this come out? What is, what is our deadline to get this done?
[00:21:13] Evan Francen: Well, you know, we’re all not only are we all, I mean we’re all full time employed, right? We’re all busting our butts, working 50, 60, 70 hours a week at our day jobs. We’ve all got families, were all married and got, you know, kids to take care of and all those other things. So I don’t want this to get in the way of everything else that our priorities. But hopefully by third quarter, you know, 2020 this book will be, you know, in people’s hands and you can start working from,
[00:21:45] Brad Nigh: I guess it depends on how much work we give the editor and how much they
[00:21:48] Ryan Cloutier: come back with. Like,
[00:21:49] Brad Nigh: what are you guys doing?
[00:21:52] Evan Francen: I learned a lot on the first book. I my uh my ghost writer. So my first book, Chapter one was like a book by itself because I just kept rambling and rambling and rambling and rambling. And so the editor was like, yeah, I think we have too much editing to do on this book. So we’re going to get a ghostwriter To help you kind of rewrite a little bit of Chapter one. And so uh when I to go start and finish that. Yeah, you know the book release party, he’s like, Yeah, I’ve been doing this for 20 years. You almost killed
[00:22:28] Brad Nigh: me.
[00:22:32] Evan Francen: Like, sorry about that. So I learned a lot about that. So I think the editing process should go much quicker.
[00:22:38] Brad Nigh: Yeah. Yeah, I think, yeah, that’s the biggest thing is don’t over explain. Just keep it to sink and short
[00:22:44] Ryan Cloutier: less is more. Yeah.
[00:22:48] Brad Nigh: All right, Well, I’m excited. I know Ryan and Evan are excited. This would be good. Um, so something to look forward to and hear updates throughout the course of the year of, you know, you can tell, you’ll be able to tell when monday’s come around and Evan and I are dragging that we’ve been putting in extra hours on it. All right. So last week, um, We looked at kind of all the things that were not so good. And so now we’re trying to be a little bit more positive. So we’re going to look forward to 2020. But um, looking back at 2019 for some positive news. Uh, you know, we talked about all the breaches and everything last week. So, um, let’s try and figure out and get some positive momentum in the new year. Uh, I think, you know, I speak for Ryan an Evan, we said we love what we do. We love this industry. There’s, there’s so much that’s broken. But there’s so many people that really are doing amazing things. Um, you know, Evan as you put in there, you have a uh saying information security isn’t about information or security as much as as it is about people And using this, what good things happened in 2019 that we can be proud of. So, you know, having you put some some notes in there, but I’m gonna let you start on this and give us something that something positive that that you have from last year or not. Yes.
[00:24:12] Evan Francen: Yeah. Well, one of the things I saw last year, you know, we’ve all been in this industry for a long time. It was such a white male dominated industry for so long and it probably still is one of things I’ve seen emerged in the last year or two that has been really exciting for me is seeing more women and more uh minorities in our industry, emerging leaders. So, you know, on twitter, you follow a lot of people and you see some of the things that are putting out, I think diversity has improved vastly in 2019 and hopefully we can continue that the progress that we’ve made. Uh that’s been really, really cool for me this year.
[00:24:55] Brad Nigh: Yeah, I agree. I think you definitely see, and I think it’s more acceptance of that diversity to that’s a big part of it. What about you, Ryan, what’s something positive? You
[00:25:06] Ryan Cloutier: Know, it was more towards the end of 2019, but one of the positives that I’ve seen that I think will continue into 2020 is the home consumer has become more aware than ever um that there’s a problem that there’s potentially a role for them to play. Um, you know, and we’re starting to see a little bit of vendor accountability. We look to what happened with ring, I know myself during the holidays and during the last couple of family functions that I’ve had leading up to the new year, you know, everybody’s coming up to me, I’ve gotten Alexa, I’ve got a ring camera in my house, I got to do what do I do about this? Um, at a, one of the groups that I speak to is the rotary club and I just got a communication from them saying, hey, listen after christmas and the holidays and we saw some news stories and we’re all terrified. Can you come back and talk to us about how do we secure this stuff? So I think that for me I see is a really positive trend Because those are the small business owners, those are the parents of the kids in K12, those are the teachers and administers and also the C. E. O. S if you will have a big company. So I’m just excited to see it become more of a, of the household topic.
[00:26:13] Brad Nigh: Yeah. And well in mind is it really plays off of that, Is that like I started seeing, especially like you said second half of the year, more companies coming to us being proactive, right? Not hey we have to do this because of its we want to do this because I don’t know right, right. I need to start somewhere. What can we do? So I think and it goes hand in hand with, with yours uh positive there. I think that’s, that’s really good. You want, you want people to be proactive ahead of the game vs well we had an incident, how can you help us?
[00:26:48] Ryan Cloutier: Right. It’s always easier to prevent the mess
[00:26:50] Brad Nigh: than clean it up. Um So how about job prospects for information security? I know we talked with, oh my gosh, I’m driving a blank on his name. Uh, ken yeah, ken Bechtold, yep. Yeah. So uh you know, some of the guys that have been around uh longer that maybe are out getting put out and trying to find jobs and all that. Uh what do you think the job prospects are looking for? Those people? Um start with Ryan this time john spot.
[00:27:27] Ryan Cloutier: Yeah. So you know, are you referring to maybe more of our senior senior
[00:27:33] Brad Nigh: Yeah, gets turned over cost cutting
[00:27:36] Ryan Cloutier: correct. So I think you’re going to see their prospects start to shift and a lot more private consultancy I think because you can’t replace experience and while companies may want to try to save a few dollars by, you know, trying to turn that employee over and we see this in all job functions, right? The more senior the staff, the higher the pay well, hey, we’ll just, we can get to people at half the price, especially in this industry experience is invaluable. If you haven’t lived through it, you don’t know where it came from. Um it can really be a challenge and you can’t see that pothole up ahead because you’ve never driven the road before. So I think the prospects for them, um probably a lot more if they’ve done enterprise going to medium businesses maybe for a pay cut, but to stay in the game and I think for the ones that that won’t take that pay cut, I think you’re gonna see a lot more entrepreneurship.
[00:28:30] Brad Nigh: Yeah, yeah, we definitely see more, you know, people coming to us that are aren’t out or they’re done with that and kind of having a little bit more control over their career in their life and Come in and consulting with people because yeah, that experience, you just, you can’t replace 20 years of experience. It’s just
[00:28:51] Evan Francen: right, you can’t do it. Like most things in our industry, you hear so much about, You know, how we have, you know, three million open positions, you have a severe talent shortage, all those other things, you know, that’s a negative way I think to look at it, there’s also the positive, like man, what a great opportunity for the next generation of Kids, you know, so where Ryan’s going on K through 12 or where we’re going with K through 12 and post secondary education, what a great opportunity to reach these people. Such a Greenfield opportunity. He’s hurt teaching these good habits. So much of information security is his habits right? It’s building good habits. So I think there’s just a great opportunity for anybody who wants to get into this industry and it’s not, you know, there’s this misconception, especially with the younger generation that it’s, you know, I’m going to be a hacker, right? I’m going to get, you know, leaked and do all this. That’s not what security is, right and that’s a part of security, but it’s, there’s other things. So if you have a passion for people and helping people, even customer service skills can apply really nicely in information security. seven is a great opportunity. The older generation, I think sometimes, uh, some of the struggles that they have, yeah, there’s tons of experience there machine a couple of times now he personally where the industries, they got stuck in one spot for so long that the industry sort of passed them by and then they get out in the job force again and the fight, I can’t get a job, well maybe it’s time to write you a little bit, get current with some of the things that are going on in our industry, but the prospects are great, right? The numbers tell you something.
[00:30:33] Ryan Cloutier: Yeah. And I would say I’ve, I’ve had an increase actually in folks that aren’t in the I. T. Industry but are maybe nearing the late forties, early fifties that have approached me to say, you know, I’ve been I’ve been an accountant all my life and I I’m just I’m done with it. I’ve done it for 25 years and it’s not that I don’t love it, but it’s I’ve done the same thing for 25 years. This looks exciting to me. But I don’t know much about computers and that’s when I will, you know, kind of say, hey, just to the point, Evans that Evan just made, it’s there’s so many jobs within the info sex fear that aren’t technical jobs, you know, being a risk manager Has very little to do with technical stuff, right? And and we know that risk is a huge part of security. And so uh I fully expect us in 2020 to see an increase in the number of open risk management type positions. Um because he was juggling the mess right? How are you managing all this stuff? Um And I would, you know, tell senior account managers and people like that that that might be a good segue for them. But I’ve definitely seen an increase in that it’s the youth that I’m trying to reach because they see this as work and there’s something in this in this newer generation that if the word work comes up, there’s all of a sudden allergic reaction. Um So it’ll be interesting to see how that pans out.
[00:31:57] Brad Nigh: Yeah it is interesting I think like you’re right, there is so many different non technical roles. Not having a technical background will help in a lot of it. But business continuity, risk management, I mean even things like vendor risk management, you don’t have to have a very technical background, you just have to understand enough to be able to assess the risk and no you know, what kind of what kind of information do they have, what do we need to have in place around that? So uh that’s a big one is yeah, don’t be afraid as well. Just
[00:32:37] Evan Francen: the reasons why I’ve always liked, you know the C. I. S. S. P. For better or worse is it just gives you that broad view of what information security is and then you can pick whatever it is you want to specialize in. And it’s even good for if you’re a pen tester, write a blog view that way you can put the work that you do every day into perspective of everything else that has to run together with what you do. So you know, within that broad spectrum of what information security actually is and there’s jobs for trainers, their jobs for customer service, there’s jobs for risk managers or shops or pen testers. God you name it, there’s a
[00:33:17] Brad Nigh: job, I mean even writing policy, it’s not a technical thing, governance piece. It’s no
[00:33:25] Ryan Cloutier: it’s a painful thing.
[00:33:26] Brad Nigh: Try to help on that. But yeah being having writing skills, being able to communicate
[00:33:33] Evan Francen: like some of the best people I know aren’t technical
[00:33:37] Brad Nigh: some um well that’s a good segue for the next one as our ceases emerging Israel business leaders in greater numbers and yeah. Many. Yeah, it’s hit or mess.
[00:33:54] Evan Francen: I think they in general they are I mean they’re starting to see more Csos. It’s no it’s not going anywhere near fast enough. We’re making progress where seashells are actually getting a seat at the table. More agree with that. But you got a long way to go,
[00:34:09] Ryan Cloutier: you know, and I think it for for what I’ve seen in the businesses that have already embraced the concept that their digital business that does something other than digital. Um And I’ll pick on domino’s for a second. Um About two years ago they came out and they said we’re digital business that makes Pizza in organizations that have that mindset, I think the sea so has got a stronger table I think. And then and then those organizations the sea so is more likely to be a peer within the business suite, within the C suite because they’ve already embraced the idea that going forward. It really doesn’t matter the widget in which manufacturer you’ve got to use computing and and computers and the internet and, you know, all these mobile devices and things to to deliver your goods and services to your customer. I mean, think about the pizza tracking app. Right. Right. Yeah, They did it. And within what, six months every pizza place in town has a track your track your delivery.
[00:35:04] Brad Nigh: So we’re online and track it. Yeah. Well, I think, yeah, my initial response was because it’s not everywhere. The yeah, the the ones that are able to communicate to the business. What that why they should have that. Yeah, absolutely. You’re starting to see more. I think the biggest issue we’re still having is that they’re not all of them have that message or are able to communicate it. Well, all right. So like that’s an opportunity for us to help and help craft that message and and be able to explain. Here’s how you get this
[00:35:43] Ryan Cloutier: across. Yeah, I would add to that. It’s it’s Security is a business differentiator in 2020. Yeah. And the more companies that wake up to that fact, um, I think, I think we can accelerate, Right? And, and that’s why, um, you’ll hear me, you know, as we work together a lot, you’ll, you’ll hear me try to put pressure on the consumer because the consumer then in turn puts pressure on the business. So if I’m, if I’m only going to buy product from companies that have met a particular standard, then all of a sudden everyone’s going to want to meet that standard. And so part of that is the work we’re doing, you know, to educate and part of that will be this book and other things too, To humanize this topic, right? To, to make it to where everyone understands. If you’re, if you’re in 2020, you’re living a digital life, This is what the, you know what this means. We hold our automakers accountable, we hold our airplane manufacturers accountable, we hold our food manufacturers accountable because we understand that there’s impact in consequence if things go wrong with those products. And I think we’re just at the very beginnings of starting to see a similar model get applied to technology That we’ve, we’ve kind of woke up, it’s been about 12 years since the iPhone 12, 13 years
[00:36:57] Brad Nigh: now. So I gotta
[00:36:58] Ryan Cloutier: and, and so I think we’re finally just settling in to go, wow, this thing really had an impact on our world and it’s really changed how we do everything we do. And so, um,
[00:37:10] Brad Nigh: I think we all know like is a general rule, businesses are slow to change. I mean it’s right. If it’s been working, why change it right? And the ones that are getting ahead of the game and going, like I said, hey, we realize that this is a critical piece of our business information security versus those that don’t pay attention to, you know, the, well it hasn’t happened to us yet. So don’t worry about it that like you said, there’s gonna be a differentiator here in the next year or two of who’s successful, who sticks around and who is doesn’t
[00:37:45] Ryan Cloutier: make it right. And, and I mean, I think the other, the other thing there is, you know, consumer trust, um, bigger topic than it’s ever been before. You know, if we think about how we’ve treated consumer safety in the past and the trust that goes along with that, you know, we have recalls, well, how do you recall the vulnerability you put out a crappy iphone now needs to get patched or crappy android or whatever. I’m not gonna pick on any particular record, but you know, something, something no good happened and now you’ve got to fix it while in the physical realm we do recalls. You know, they mess up your car, you go down to the repair shop and they put a new part in, you know, and so I think as the insurance companies this year start to change how they operate because of the pain of last year and all the payouts they had to do. I think you’re gonna start to see a higher degree of accountability from insurers, from risk. You know, um, assessors and that ultimately should translate them down, you know, hopefully to safety into the
[00:38:43] Brad Nigh: consumer IOT might actually have a patch management program in place to
[00:38:48] Ryan Cloutier: rumors. I’ve heard rumors,
[00:38:50] Brad Nigh: just get it out there, we’ll figure it out later.
[00:38:52] Ryan Cloutier: Well, you know, just, just remember if you can see it on your cell phone, we can see it on your cell phone.
[00:39:01] Brad Nigh: Having any thoughts on
[00:39:02] Evan Francen: that businesses that get this right, are the ones that treat information security risk. Like they treat other risks like they treat financial risk like they treat, you know, reputational risk, regulatory risk, right? It’s, it’s another risk. It’s another seat at the table that has to be considered in business decisions and companies that get that right, give it that appropriate attention. On the foot side. I think some of the photos that are really successful are the ones that understand that that information security is another risk that the businesses to consider. It’s not double risk. Sometimes we get so passionate about security that we forget that we’re a risk, not dull risk. And I think CSOS that’s one of the things that they can really helped to elevate is this is just another risk that we need to consider. And businesses need to make sure that they’re considering that risk. It just seems like that’s kind of happening more, but a long way to go.
[00:39:59] Brad Nigh: Yeah, I see. So it’s my job to bring attention to the risks and the business is to make a decision on, right? You bring the risk and recommendations. Business makes the decision on what’s gonna happen. They may accept the risk and you go, oh, okay, I’ve done my job. I’ve educated them, giving them the, hey, here’s the risk, the threat of the vulnerability, Here’s what potential impact is, here’s my recommendation, it’s your call,
[00:40:24] Ryan Cloutier: right? Right. And ultimately it is on the business, Right? And you know, I don’t know if that’s a saving grace in the security world or not, but I’ve, I’ve been there and I’ve had to, you know, just like you, I mean, you hand over the information, you deliver it in the best way you can. But ultimately the business does have to make that decision
[00:40:41] Brad Nigh: and document it got a little sign offs are always help.
[00:40:46] Evan Francen: Yeah. You know me, I like to keep it simple. So I always say the cells have two jobs wanted to consult on information, security, risk the other implement those risk decisions as fast as possible. That’s her. Yeah,
[00:41:01] Brad Nigh: Yeah, I think and yeah, a lot of security professionals struggle with that because it’s not always the quote unquote air quotes, right thing to do. Well. And
[00:41:12] Ryan Cloutier: I think part of that too, um and you guys have seen this as well, there’s a little bit of fear. So I told you the risk and you accepted it, but I know that you Don’t maybe 100% really know what you just said Yes to. And I know that even though you said Yes to it now when the problem happens later, it’s my office, you’re going to be standing and screaming, how did this happen? So I think there’s a little bit of that and the more burned out to sea. So is I think the the greater that fear
[00:41:38] Brad Nigh: is, but it’s almost like a you know, that death spiral? Right? So then, you know, if you’re burned out, you’re not communicating while you’re shutting off the businesses and now you’ve lost that seat at the table. So it’s it’s a really, it’s a nasty cycle if you’re not
[00:41:53] Ryan Cloutier: really careful about it. Right? And I think that, you
[00:41:55] Evan Francen: know, when those things happen, you have to sort of wonder, you know, how good of a consultant am I to the business? If they’re accepting risk, they don’t understand.
[00:42:05] Ryan Cloutier: Oh, absolutely. And I think there’s a room to grow there with uh us as an industry. I think one of the things we need to fix as part of the broken industry is what what does that standard guideline look like? What does the best practice for sea? So to articulate risk. And is there any commonality or we all just kind of run around doing our own thing? The best we know how And then wonder why everybody’s confused
[00:42:29] Brad Nigh: following somebody was writing a book about that.
[00:42:31] Ryan Cloutier: You know, I were if there’s this guy
[00:42:33] Evan Francen: might be, it’s gonna be fun, Ryan, we’re gonna have a horseman. You need one more and we can have a
[00:42:42] Ryan Cloutier: great deal
[00:42:44] Brad Nigh: of information security apocalypse series. Alright. On that note. All right, moving on. Uh What about improved collaboration among information security professionals? Are we seeing uh better collaboration? Right? I think there’s uh all I pulled in Evan uh are we seeing better communication uh amongst the other professionals uh in the industry?
[00:43:16] Ryan Cloutier: I think there’s
[00:43:16] Evan Francen: um oh go ahead. Sorry. One of the, one of the things you said to me on friday brian when you and I were talking, there were two things that was stuck out to me. One was uh we sort of wish that we would have gotten together sooner, Right? I mean, the three of us, I think we even rather than, you know, we will do great things, but sooner would have been great. The second thing that you shared that really stood out to me was motivation, right? If you have the right motivation coming from the right place. So this collaboration thing, I think I think there’s more collaboration in our industry. One of the things I question is the motives behind the collaboration sometimes. I’m not sure there’s so much money to be made in this industry right now, so you’ve got to be really careful with the collaboration. You know, if you’re collaborating for the right reasons or, you know, let’s take advantage of something.
[00:44:12] Brad Nigh: Yeah, that’s a good point. Um I think from a an individual level, um I think we’re seeing more as people, you know, again, it’s it’s very hit or miss some of like the Csos and being successful, but there are more people that really are seeming to becoming two terms of I can’t do this alone and I need to work with other people.
[00:44:35] Ryan Cloutier: Yeah, I think, I think there’s a decrease in the fear, um, you know, one of the problems that we’ve had for many, many years is we don’t talk to each other and part of that is because hey, I’m not in the business of exposing the vulnerabilities, right? So I have these risks, I’m trying to work through, I have these maybe failings of the organization I’m assisting, I’m trying to work through and I need to talk to somebody about it, but in talking to you about it, I’m showing cards that I maybe don’t want to show. And so I think I’m seeing at least on like on twitter some of the pseudo anonymous feeds, if you will, that, that I follow, I’m seeing a lot more willingness to disclose some of the challenges um where I didn’t see as much of that maybe a year and a half ago where folks were actually giving like, or pro tips. I’ve noticed that the consultant community, there’s a little more of, hey, this is the tool, I used to solve that job and you know, just a willingness to share what’s in the tool kit too, I think
[00:45:37] Brad Nigh: well, and I think maybe part of it is being in the consultant side of things to be, you know, they have a relationship with us where they are now opening up because you know, hey, we see this, you know, hundreds of places versus there one. Right? So, hey, what, here’s a challenge I’m facing, Right, I had a meeting with someone, wow. I think last week I can’t even keep track anymore, but they’re like, you know, well, we want to put in multi factor, what do I look for? I don’t know where to start or casby or whatever it is, I don’t even know where to start. Can you help me? Yeah, absolutely. Ask.
[00:46:21] Ryan Cloutier: Oh yeah. And you know, as we do more in the K-12 space, you’ll, you’ll notice that that’s a group, uh, that loves to collaborate. But at the same time, even in K-12 there’s a little bit of competition if you will. So it’s, it’s interesting to see where those lines start to get drawn between. How much is collaboration and to Evans earlier point. Right, what’s the motive behind the collaboration? Are you doing it to further the world to, you know, enhance the greater good or you doing it too fat in your pockets and get one over on your competitor. Yeah,
[00:46:57] Brad Nigh: yeah. One of you know, one of the things that I’ll be working on this year, you’re more the innovation side of things and one of our analyst, ERIC had a really good, uh, kind of suggestion, we’re trying to come up with a mentor program and how do we expand on that to provide more value over the course of the entire year. Why don’t we sponsors hold industry round tables put some India’s in place and get people in here and talk.
[00:47:27] Ryan Cloutier: Yeah, I
[00:47:28] Brad Nigh: facilitate those conversations. Right. So, you know, I think there that’s definitely an area of uh Mhm. Yeah, that could be improved but is getting better. People are being less afraid to ask. All right. Um What about fundamentals? Are people focusing on the fundamentals? Are we still focusing on blinky lights?
[00:47:54] Ryan Cloutier: Mhm. I’d like to say uh that that there’s more of a focus on the fundamentals. I mean, you know, so the last couple of years I’ve been, you know, deeply deeply in the public sector in K 12 and so they’re absolutely but or even a step previous to that we’re teaching what the fundamentals are that need to be focused on. So, I mean, you know, you guys can speak more to the SMB and enterprise side in what you’ve seen is the same. You know, it’s kind of,
[00:48:23] Brad Nigh: It’s the same like Hey We spent $100,000 on our security products. Great. What’s your asset inventory? Right. Dead silence. How what are you protecting?
[00:48:37] Ryan Cloutier: Well, right. And I think, but I do think there’s a there’s a a trend that I’m seeing at least where there’s more of an increase on what are the fundamentals right to point. I think that you just made in a previous comment is folks want to, there’s there’s more folks reaching out now saying, hey where do I start and what does start look like. Um, and so I think about this only in Cancun, something about Minnesota winters makes my writing hand not work so good
[00:49:10] Brad Nigh: numb. I can’t feel it.
[00:49:14] Evan Francen: I want to get you guys down here. I’ll send you
[00:49:17] Brad Nigh: tickets. Maybe our wives, they’re not gonna be happy. Seriously. Um, no. So Evan, what do you think about that? The focus on fundamentals? Are we seeing people focus on those at, at this point or what’s your take?
[00:49:33] Evan Francen: Yeah, yeah. There’s just, you know, it’s always sort of embarrassed fight between the fundamentals and you know, and Ryan touched down into the work, right. Who likes work the fundamentals and you know, the money grab the blinking lights, the school bus words. There’s always been this back and forth between those, those things. The fundamental still are the fundamentals like you guys saying. I think a lot of people don’t know what the fundamentals are. So, I think that’s one of the illness is behind the book. Or is it on, I don’t know, plural bonuses. Ohlmeyer, whatever. We’re not there if you call whatever we want. Yeah, I’ve seen more people talk about fundamentals this year then I recall in the past, I know I’ve sat, I sat through or washed a couple of Latinos this year. Some, some pretty good fast conferences and the talk wasn’t all flashy lights. Cool. Hack stuff. It was more about, you know, focus on the fundamentals. So I think the industry is moving more in that direction, uh, you know, basic questions about your information security program, about qualification, about measurement, about, you know, I’ve asked, I don’t know how many times from Csos, what’s your definition of information security? How do you how do you communicate the state of your security program and those are fundamental things that you just have to put those constructs in place And it’s not as difficult as people made, make you, you know, feel like it is. But I’m definitely seeing a shift in that direction, which is really positive because you can’t build the rest of us stuff until you focus on that. It’s just a house of cards is going to come crumbling down. So I like that. I think we’re making problems.
[00:51:17] Brad Nigh: We’re talking about it. It’s not difficult, but it’s hard work. Right? It is fundamentals are pretty straightforward if you get them, but it’s not what
[00:51:29] Ryan Cloutier: it’s tedious work. It’s not sexy work. Right? Okay. Going through and interviewing the business as to why the assets important to them so that you can quantify whether it’s a critical asset or not critical, right? That’s not the sexiest work. Um, and so I think, you know, that’s that’s part of the challenge. And so that’s where I think, um, hopefully we can work together to uh vote. Do we lose Evan,
[00:51:54] Brad Nigh: I think we did all right.
[00:51:56] Ryan Cloutier: So, but uh, in closing out my statement, It’s, you know, tools, automation, you know, I think it’s the stewardship of of us too kind of lead the charge to say how can we simplify doing the fundamentals? How can we make that easier? Less tedious work to do. Um, and then I think we’ll see an acceleration in the amount of folks that are actually doing
[00:52:22] Brad Nigh: it. Yeah, It’s like you start with some policies, what should we be doing? Your policies define that, right? They don’t have to go any deeper than hey, we need to have an asset inventory program. Right? Okay.
[00:52:37] Evan Francen: Like
[00:52:40] Brad Nigh: I’m pulling in heaven with my notifications here. Um, anyway, yes, we lost seven, but that’s okay. Uh, so With that, let’s focus progress on 2020 and what should we be asking ourselves? So I think the two questions there that are on the show notes are, you know, am I making a positive difference? And are my motives focus on greater good or a selfish greed? And you know, it kind of comes back to what drives you what moot makes you go forward. And like personally, one of the things that I love working here is I feel like every day I go home I’ve made a positive difference. Right? And I’m not just banging my head against the wall and and how many people have been in those jobs and I know I have or just like I’m, I’m not moving forward. I’m not doing anything. I’m just fighting fires and running in mud and or is what you’re doing, making a positive difference.
[00:53:38] Ryan Cloutier: Yeah. And I think, you know, um, I think that’s a, that’s a really important question to ask. Um, you know, what’s my contribution? Right? Um, you know, is the effort I’m putting in truly moving the needle. So I might be, you know, having all the positive motivations and I might be making a positive difference. What am I moving the needle? Really making a a cumulative difference if you will?
[00:54:05] Brad Nigh: Yeah, that’s good. And then, um, you know, that’s going on, my motives focused on a greater good or selfish greed. That kind of goes back to the collaboration of why are we collaborating? And unfortunately there’s a lot of that money grab out there and it’s unfortunate to see, but well, that’s all
[00:54:21] Ryan Cloutier: right. We’re gonna, we’re gonna just keep doing this until our voices are so loud that uh folks can’t help but hear that, you know, if the businesses cash grabby, maybe that’s not the right vendor to do business with. You know, one of the things that I coach, all of all of my clients on is who are you doing business with and why? You know, and I think that’s an important that’s going to become even more important as we see all these third party breaches continue and third party of a third party of a third party of the third party, right? Well, if one of those parties is in it for the wrong reason. It can tarnish the reputation and relationship of all the other parties who might be doing it for the right reasons. So, you know, I think it’s important to ask, ask those questions, not just of yourself, but also of the folks that you’re working with, what are, you know, sort of kind of rephrase this is the work they’re doing. Making a positive difference. Are their motives focused on the greater good or greed? And I think, I think that’s important to ask of each other as well.
[00:55:23] Brad Nigh: Yeah, that’s a really good point. All right, Well, that’s a good note to end on a good job. I like it. Uh, so no news for today’s show, we’ve discussed a lot. Looking forward to another great year, wishing all the best to all of our listeners and let’s just kick some. But I don’t know if I’m allowed to say the other keep our rating. So we’ll kick butt together in 2020. I like it. Uh, as a rap for today’s show, thank you and welcome to the family Ryan.
[00:55:51] Ryan Cloutier: Well, thank you. I’m really excited to be here.
[00:55:53] Brad Nigh: I hope Evan stays out of trouble even though he dropped off. Um, next week we are going to start voting in 10 minutes out of every show to help someone who is looking for a job or career change. So if you are one of those people get in touch with us and we’ll feature is a feature you as a guest on a future episode. Uh you can get in contact with us through email at firstname.lastname@example.org. And if you’re the social type socialize with us on twitter, I’m @BradNigh Ryan can be found at, @cloutiersec and Evan is at his usual spot @EvanFrancen. That’s it. And talk to everyone next week.