UNSECURITY Episode 22: Back Home, Toxic Coworkers, CISSP, Recent News
Brad and Evan are back at FRSecure HQ for episode 22. They discuss their recent travels, how to get CISSP certification with the CISSP Mentor Program starting this evening, industry news, and how to deal with toxic coworkers (as requested by a listener). Give it a listen and let us know what you think at firstname.lastname@example.org.
[00:00:22] Brad Nigh: Good morning. This is Brad, this is episode 22 of the UNSECURITY Podcast, 22, so uh with me is almost always Evan Francen.
[00:00:34] Evan Francen: Almost is right. Almost.
[00:00:37] Brad Nigh: 20 of the 22,
[00:00:39] Evan Francen: something like that. I think. I think maybe I’ve only missed one.
[00:00:42] Brad Nigh: Uh but because
[00:00:43] Evan Francen: I wouldn’t have missed that one, but you kicked me out so I couldn’t come.
[00:00:48] Brad Nigh: So, so April 8 and we are back home.
[00:00:53] Evan Francen: Yeah, this is
[00:00:54] Brad Nigh: good week. This is nice. People are gonna I wonder what was going on with the audio of the last couple weeks with all the traveling and
[00:01:01] Evan Francen: Right, everything. Well now we’re in studio so hopefully the audio’s better. I mean, it’s one of those never-ending pursuits. I’m not an audiophile so I don’t understand really. You know, to some people it just comes natural. It’s like, well you need a X, Y, Z. Make sure thing and whatever
[00:01:20] Brad Nigh: the way I look at it, that’s now we know how the normal people feel when we talk security.
[00:01:25] Evan Francen: That’s a good point. Yeah.
[00:01:28] Brad Nigh: So last week we spent the week in New York and working on some projects. Uh lots of barbecue security stuff, barbecue all five nights, four different places. Yeah, it’s
[00:01:40] Evan Francen: good. Yeah. Uh yeah, I mean this morning when you were telling one of our guys, you were like, you almost sounded like that was too much.
[00:01:51] Brad Nigh: It was getting to be a bit much, but I wasn’t complaining. I needed some variety. A little little roughage. Except your pictures on your blog are upside down.
[00:02:01] Evan Francen: Oh yeah. You got to stand on your head.
[00:02:03] Brad Nigh: We did, we did to eat that much barbecue. It was it was so good. Right?
[00:02:08] Evan Francen: Yeah. Five, five meals. Five nights of barbecue in four different places. And then I smoked hamburgers. I sent, I sent you a picture while over this weekend of I smoked, uh, hamburgers. Yeah, I’ve never had smoked
[00:02:24] Brad Nigh: hamburgers. Never done that before.
[00:02:25] Evan Francen: Either. My wife invited a bunch of people over to the house and uh, they all liked it. So that’s good.
[00:02:32] Brad Nigh: Yeah, we have to try that. Maybe not this weekend. We’re gonna be digging out from another. No, God storm,
[00:02:40] Evan Francen: 27″. They said
[00:02:42] Brad Nigh: You have 14 to 20 something is
[00:02:44] Evan Francen: the, this is insane Minnesota. Can
[00:02:47] Brad Nigh: I know. Well, last year with the blizzard on the 14th, it was like
[00:02:52] Evan Francen: 14 and that was the day, uh, that was the day after my surgery. So I went on Friday morning at seven a.m. For people who don’t know, I had cancer. They took out my kidney seven a.m. on Friday. They took out my kidney and then that snowstorm happened. We got like 20 what, 3″ or something. Remember? And I’m not a guy that likes to be in the hospital. So this, you know, Sunday, Saturday, like morning. They’re like, well, yeah, you know, if everything goes good, we can let you go home. I was like, all right, that’s cool. And then uh like, well, but your wife can’t get here because of the snow. Like snow. What the hell are you talking about? So you know, she opened the window and or not, you know, opened the blinds and 23″ of snow. So bad. Some neighbors came over and shoveled my walk for me though. That was really cool. They did a better job than I would do. Yeah, that’s how I remember. That was April 14.
[00:03:51] Brad Nigh: Yeah. Yeah.
[00:03:53] Evan Francen: And it’s eight today, right
[00:03:55] Brad Nigh: Boy. It’s almost almost a year to the day. Alright. So work. We did do some work just a little bit. You did. No, you did your fair share. I think one of the things that I really wanted to talk about was how passionate this client was, was about improving the security program and how proud they were in the amount of evidence that they were like, oh yeah, we’ve got this. We’ve got this and you know, we did some more from, well, we being you a couple of years ago and uh there’s a bunch of recommendations and you know, they really did address almost all of them. You know, there’s still gaps, there are still areas for remediation, which is to be expected. But you know, it’s really good to see like we see a lot of times it gets frustrating sometimes because customers don’t take those things seriously or they’re not getting buy-in and you know you’re working with IT and they’re not getting buy-in from the executive level and they’re frustrated and it’s really hard to make progress and to see the successes when somebody actually does get buy-in from the top and does take these things seriously. It was it was inspiring. It was really exciting and energizing.
[00:05:13] Evan Francen: Right? Well yeah excuse me. And that’s the point right? I mean the point of doing consulting the point of you know being an information security consultant is to help people get their security programs better. Right? And there’s always something you can do this better. I’ve never I’ve never seen a perfect information security program and we never will. But this yeah this was an organization to a couple of years ago just had did you know security was an afterthought. It wasn’t part of their business. They had it’s an enterprise customer right? Big. But they you know they have amazing leadership and and it really comes down to that their leadership took the recommendations that we had and took them all really seriously and put plans in place and made sure that things got done and it’s really cool to come back a couple years later and look at things and yeah it’s night and day different. You know I mean, they may have been a two on a scale of 1 to 10, you know, two years ago and They’re like an eight, you know what I mean?
[00:06:20] Brad Nigh: That’s great. I think that like I said, even even with all these improvements are still pockets, right? They still have some, some areas that present some pretty big risk. Oh sure. But the address, you know, they prioritized and they’ve just been marching forward and not, not getting frustrated with, oh my gosh, this is never gonna end, right. They’re like almost celebrating those successes as they check them off.
[00:06:45] Evan Francen: Remember two years ago when I’d ask questions about, you know, this or that it was somber. It was just kind of almost like depressing, I mean, you’d go through the day and get back to the hotel and you just be exhausted. It’s time to take a nap. Whereas this time, you know, you go, uh, and they want to show you things because they’re so excited. They’re so proud of what they’ve built and they should be, they’ve done great work. Well, like you said, I mean, there’s always going to be things, there’s always going to be significant risks that need to be attended to and that’s almost, that’s almost acceptable. Right. It’s the fact that we are prioritizing, we are taking into account our entire program and I mean, they’re just really doing a good job. It’s, they built a security program that, you know, I would be proud to run. And that’s, I mean, I can’t, less than five in the last 10 years. You know, I could say
[00:07:41] Brad Nigh: that about it’s probably one of the, One of the top 3-5. Probably in the top three. Yeah. But I’ve seen,
[00:07:48] Evan Francen: Yeah. It’s weird because I mean as security guys, you and I we’re like giddy, right? I mean, who gets giddy about this? Right. But that’s, you know, this was a unique trip for me in a number of different ways. One is the first trip that I’ve went with on, you know, we went together. Right? So that was an adventure. I really enjoyed, you know, getting to know you more and just work together. Uh, we had projects that are not your canned projects out there. So it really required us to think out of the box, you know, the methodology for the project that I’m doing, I’m still sort of working through in my head how I want to because this company has a some issues with, I don’t know how to say it right without tipping it off. But
[00:08:37] Brad Nigh: um, it’s um, unique requirements that have been passed down to
[00:08:41] Evan Francen: them. Yeah. Yeah. And the one thing is, you know, uh, you don’t, I’ll just leave it that you don’t want your, you want your report to say the right things, but I never don’t tell the truth. You know what I mean? So this in this one project being that it’s so new and I don’t know if anybody else who’s done this kind of work before, it’s you know, just kind of wing it, that makes it fun to and the fact that they, you know, icing on the cake. Well, to icing on the cake, another icing on the cake is, you know, like you said that the company did such a great job and then barbecue every single
[00:09:15] Brad Nigh: night well, and the one I’m working on was was pretty unique and done by, it wasn’t done by us, but I’m done by another analyst and we were there and it was like halfway through the day or on, no, that was Tuesday, it was Wednesday, Wednesday evening, so we’d go and be on site all day, go back to the hotel. I don’t know what, four-ish, when we finished on site, I’m gonna work on our, in our own rooms till dinner, go grab some barbecue, come back and then just, you know, and it worked together and you had a little suite, so just hang out there and work, which is different for me when I go on these trips, it’s, you know, I don’t go out to a restaurant, it’s like, where can I get close, get back and working in the room. Um but you know, halfway through, oh, I see what he did and I was like, oh, well that’s not okay, none of the work I was doing got wasted but it was the one in an apples-to-apples comparison and it took me kind of getting into the project and talking to them and getting their you know uh their impression, their feedback on how things went last time to understand what that approach was. The analyst isn’t here anymore. I don’t, I didn’t have that person to yeah to talk to, but to me that was fun. It was really like oh I got it okay now I can do you know take a left turn and get where they were at and went through that thought process. Fun, it’s cool. Um okay so before we get going really for the week we got word the CISSP Mentor Program. It starts tonight, tonight, tonight. It’s gonna be a big day, to be a long eight weeks of Mondays.
[00:11:06] Evan Francen: I don’t know man, I I dig it. I kind of feed off the energy of the program itself. But yeah tonight, today is going to be long because I didn’t sleep well last night so I was like and not because I’m like stressed or anything, it’s just my mind was going. The the call for papers deadline for Black Hat is uh today okay. And I laid out and I laid, it was laying in bed and it was like 11 o’clock and I’m like all right I’m kind of and I’m like oh crap never said yeah so I got up and I’m like I haven’t even started. So I got you know mostly outlined done and everything. But you know after that and some other things that put me at like 2:30 in the morning and then I got to get about you know got up at 5:30 so that we can get here and I was like just not a good, not good planning.
[00:12:00] Brad Nigh: Yeah. Until we had unfortunately had a death in the family last week. I had to leave early Friday to get to the funeral, the service Friday night and the burial service Saturday. We left to drive home yesterday. I got home at 8:00 with the three kids and getting
[00:12:18] Evan Francen: them all. So you have been gone for more than seven days straight.
[00:12:21] Brad Nigh: Yeah we left point I left. What time did you pick those for? 5 a.m. on Sunday, last Sunday. So I was gone for yeah 7.5 days. You finally got to sleep in your bed? I did but there’s just so much to try and do. So yeah it’ll be fun. But anyway that’s not us complaining. It is
[00:12:40] Evan Francen: yeah. I think I think I think I heard you complaining. I think I was just blaming myself.
[00:12:44] Brad Nigh: I wasn’t really complain anyway.
[00:12:47] Evan Francen: I bring on all my own problems. Pretty much.
[00:12:50] Brad Nigh: Yeah it’s tough to complain when you do it to yourself but Go back we hit more than 400 registered students for students. 408 I think was the actual number? Yeah, Thursday,
[00:13:03] Evan Francen: I wouldn’t be surprised if there was maybe a dozen or so over
[00:13:05] Brad Nigh: The weekend. So I think our max for this current solution for the live broadcast is 450. So we’re almost
[00:13:13] Evan Francen: what’s our solution
[00:13:14] Brad Nigh: maxed out?
[00:13:16] Evan Francen: Are we doing? GoToMeeting. I think so. Okay.
[00:13:20] Brad Nigh: We should probably figure that out because we start,
[00:13:23] Evan Francen: we have marketing.
[00:13:24] Brad Nigh: Yes, I’ve got an invite. I’ve got this stuff.
[00:13:27] Evan Francen: I just feel like Brandon’s pretty much got this like figured out or do we have
[00:13:33] Brad Nigh: that? I’ve got, I’ve got the link and all that stuff to record and do all that stuff. So Okay. I hope so.
[00:13:39] Evan Francen: Why did they finish the slides yesterday for Class 1?
[00:13:42] Brad Nigh: Yeah, it would be good.
[00:13:44] Evan Francen: It’s so cool man because the metro program. Sorry. Good. It’s so cool because the mentor program, we started in 2010 and we had six students and to see it, this is our, I was just sitting on the, the stoop. Do have a stoop, maybe have a stupid home. Yeah, maybe. I was sitting on the stoop with my wife yesterday and evening and it kind of, it kind of hit me for the first time like this has been, this is year number 10, 10 years. I’ve been doing this. And I’m like, so you know, I said to my wife, I can’t believe it. I mean where did all the time go? 10 years and how many people, you know, come through this thing? I don’t, I hope it catches more uh you know, catches more steam. You know, other people started doing it. I I first for the first time I got somebody outside of FRSecure uh volunteer. I have to talk to you about that later. He’s a good security guy. So I’m thinking how will we use him to help us, you know, in this mentor program? But anyway, yeah, it’s just so cool.
[00:14:52] Brad Nigh: Well, you know, we we started getting referrals from, you know, I don’t want to throw out names of companies, but large companies where we’ve had people go through the class and gotten reported back to us that there they got requested and said, hey, what did you do? How did you pass it? And so yeah, America, well, I did the FRSecure Mentor Program.
[00:15:16] Evan Francen: Yeah, it’s really because people, I think the biggest thing is people think or that I’ve heard, it’s like, what’s the catch? Right?
[00:15:24] Brad Nigh: Like there’s no catch. I mean you have to listen to us talk for two hours a night for like 14 classes, but
[00:15:29] Evan Francen: you don’t even have to do that, right? I mean every class, you start with, you know, a number of people and you know, you’re you’re good to have 30 to 40% right at the end of the 13, 14 weeks or 13, 14 sessions. But yeah, it’s, there’s no catch, it’s free, it truly is and we’re not selling anything. The only time you ever really have to hear about FRSecure and what we do is tonight, it’s in the first class. Just an introduction to whoever here is. Other than that there’s no sales and
[00:16:04] Brad Nigh: stuff. There’s, there’s examples and stuff like that. But you know, it’s, that’s giving back.
[00:16:11] Evan Francen: Well, that’s what, and that’s what the mentor party is, right? It’s examples like this is what I ran into latin just this last week and this is how it applies. So even though you’re reading this thing in the book and it doesn’t seem to make sense to you. This is a practical way that it, I just, you know, I just used it yesterday, you know. Right. So those examples are good, but we never, I suck at sales. So I don’t say anything. You’re good at sales that I am just a pretty good
[00:16:39] Brad Nigh: job. Just telling the truth though.
[00:16:41] Evan Francen: It’s always the truth. That’s exactly right. That’s nothing. I started today crap. I’m taking you all off. Sorry. I started uh today is the first day of 100 Days of Truth. Yeah, on Twitter. Uh so the hashtag is 100 days of truth and I figured for the next 100 days I’m going to write, I’m going to post one truth about information security. So the first one goes out and I schedule them. You know, I use a, I can’t remember the name of the tool, but so every day at eight o’clock fire something. It’ll fire something off to LinkedIn and to Twitter with a, you know, basically a truth about information
[00:17:24] Brad Nigh: satirical. That’s way better than what Renee put together for ops, which is the plank challenge because that’s
[00:17:31] Evan Francen: beautiful. You know, I thought about that this morning when I got out the shower. I’m like, God, I hope she doesn’t ask me if I’ve been doing it because I haven’t,
[00:17:39] Brad Nigh: I haven’t, the last 2.5 weeks have been tough with all the travel and being busy all the time. Not that that is an excuse because she’s not gonna buy it. But no, 90 seconds today is not going to be fun. No,
[00:17:53] Evan Francen: it’s 100 days of truth will see you and I have no idea what’s going to happen. I’m sure I’m gonna piss people off or something.
[00:17:59] Brad Nigh: Try and fail. It’s better than not trying at all. Right. So you never know. All right. Um, so six students, 2010. Okay, so last week we talked about the bully customers. Uh, we actually got feedback from listeners, which is always good. I love that. We actually get some because I, there are times when I’m like, are we just talking to ourselves here. Uh, so again, listeners, please do do send us feedback. We do listen to what we do read
[00:18:29] Evan Francen: it. Please almost sounded desperate. Please, please don’t make Evan come up with another topic.
[00:18:35] Brad Nigh: What Yeah. Side note if you send us listener feedback makes our jobs easier. Now. It is really good help. Uh, and good to do. Like Evan and I are both very clear. We we don’t know everything about this podcasting thing. I’m sorry. What if we can
[00:18:52] Evan Francen: say? I don’t know everything
[00:18:54] Brad Nigh: about podcasting. Oh, just about
[00:18:57] Evan Francen: Okay.
[00:18:59] Brad Nigh: But no, the feedback is fantastic and it’s the only way we’re gonna continue making this better and easier to listen to. True. So yes, indeed. Uh, send lead back feedback listeners and feedback kind of early man combined there. All right, so the, the recommendation was we talked about bully customers, which is a good topic on its own. Uh, and interestingly you could be dealing with a toxic coworker, someone you cannot escape so easily. So toxic. We’re leading with the leading the show where all the travel was like who I’m going to take that and run it go. It really does flow nicely. Kind of with the health um, discussion that you and Sean had a couple weeks ago then the bully customers. And it kind of I think it it flows nicely and a lot of times in think well, regardless of your industry, you’re going to have toxic coworkers. But a lot of times I would think within security where, you know, there’s so much less,
[00:19:59] Evan Francen: I
[00:19:59] Brad Nigh: don’t know, you can’t get rid of people easily, right? There’s such a shortage of, of not
[00:20:06] Evan Francen: legally. Okay. Right.
[00:20:08] Brad Nigh: And justifying from a business perspective, hey, we know there’s nobody else out there to hire. We just have to keep this person because they’re good at their job. But even if there may be a disruption to the organization. So let’s talk about some toxic coworkers
[00:20:24] Evan Francen: by name.
[00:20:24] Brad Nigh: No, Well, I mean, we can, we can as
[00:20:28] Evan Francen: long as there’s this one person. So, and so, and so, and so address,
[00:20:30] Brad Nigh: I’ll use use the name Evan in this example. Hey, I
[00:20:35] Evan Francen: mean what we should dox them too, no, I can’t do that. No, that’s not what we do.
[00:20:41] Brad Nigh: Yeah. So,
[00:20:42] Evan Francen: so toxic coworkers. Yeah. We’ve, you know, over the years I can definitely think of at least a handful.
[00:20:51] Brad Nigh: Yeah. I was thinking about this this weekend and you know, and the flight and everything, there’s, there’s always a couple like I’ve worked with, um, security officers that were very, that very militant black and white my way or the highway, but were incredibly hypocritical, right? That’s toxic. It does, it just eats away at morale when you see a very hard, no, you can’t do this and hope you’re gonna get written up for just minor little things that, and then they turn around and are blatantly ignoring policy and executives turn their head because they don’t think they had fired. Find somebody to replace them.
[00:21:34] Evan Francen: Yeah. Well, the biggest thing for, I mean that I can almost tolerate some of that, you know, for a while. Even uh, the type of toxic coworker that I can’t tolerate is the one who tears other people down. Yeah. You know, because or or or you know, the one who I guess kind of like yours doesn’t tell the truth. Two-faced. I hate that. I’m like, right, where you never really know where you stand with somebody because to your face, it’s a great relationship and you’re just everything’s hunky dory. And then, you know, you hear later on about this or that you like, I’m sorry. What? That’s that’s that’s the opposite of what I just talked about. And I was operating under this assumption that this is what was true. And so then trust starts to erode. And I think the thing with toxic coworkers is they’re a disease. It’s like a cancer. Yeah. The sooner you can because the only thing you can do with cancer is kill it. Right.
[00:22:37] Brad Nigh: Well, I was reading, you know in uh Traction book, the 36 hours of pain approach.
[00:22:43] Evan Francen: You read that book? I’m sorry. You read that book in a Flight two flights. It was
[00:22:49] Brad Nigh: to hell I over
[00:22:51] Evan Francen: Take me three weeks to read that.
[00:22:53] Brad Nigh: All right. Go ahead. Yeah, it’s a gift. Yes. Um, no, but it makes sense. But the problem is you have to have the buy-in from the top, right? Just because, you know, hey, this is the right thing to do. We gotta cut this out. Doesn’t mean, you know there are HR issues and all these other things that you know, you have to deal with and try and these quotes build a case because of kind of the litigious society right now, wrongful termination and all these different things.
[00:23:27] Evan Francen: So, yeah, I think so. So are you saying like at the top that’s where culture is set, right? I agree with that. And I know from my own experience and I learned every day, right? I’m a security guy who ended up being, you know, where I am in a company. Uh, I’ll never be. I mean, I never planned on being a CEO again. I mean, I’m not a management guy who wants to learn management for that purpose. I want to learn management because I really care about this company. Because on the other side, even though, you know, I could certainly step in when I see something that’s toxic and stop it. There’s also this thing like uh, call it political capital where I only have so much of that. Everybody only has so much of that. And so if one of our executives vouches for an employee, even though your gut is telling you, I think this is not gonna end well, you make that known to the executive. But then let them make the call. Ultimately.
[00:24:34] Brad Nigh: You have to trust your team, right? You don’t trust your team, then you become toxic,
[00:24:39] Evan Francen: right? Yeah. Or at least viewed as being toxic. I mean you’re micromanager, you’re not letting you know empowering me because we had, that happened last year uh and everything works out right at the end. I mean you don’t have to stress about it too much. But and I think what I learned now and both me and the executive uh, is to be more aware of these red flags next time before
[00:25:07] Brad Nigh: we ever That’s I think a big part of it is is learning from it, right? You don’t just go in blind or continue making the same mistakes. Everybody is going to make the mistakes. It happens. Especially, you know, uh in this experience were growing very quickly, very fast. Hey, we need a position to do this. I think they can do it okay, learn from that and understand, right? You know, what should we be looking for? What shouldn’t we be or what should be we looking? You know, be aware
[00:25:36] Evan Francen: of looking to try to avoid. Yeah. Well that’s why I think I love I absolutely him so much behind our current executive management team because it’s all about our core values, right? It’s all about, you know, number one core value is, you know, we tell the truth, right? That was a great way to start your relationship with people and we don’t compromise on those things. No,
[00:26:04] Brad Nigh: I think, yeah. And I think that’s a big mm benefit here is there is open communication top to bottom. If I’m doing something wrong, I’m gonna hear it from above and below, which is great because I don’t want to be doing things wrong or if there’s a problem right, how can I improve it? Because I don’t want to be upsetting the analysts doing their job. Hey, you need to fix these things for having problems around this. They don’t tell me that. I just continue thinking, hey, this is great. And then they get their getting upset and frustrated and they want to leave or whatever. That’s a and that will become the toxic problem. I think so. A lot of this comes back to telling the truth and and being honest. Um Yeah, yeah. Where are you going to say? Someone was thinking about? Yeah, well I was going to but I decided that might give away a little too much about not here in the past, but I had a moment there. Uh
[00:27:09] Evan Francen: Yeah, because you looked like you had a moment where you’re gonna know, blurt something out. But
[00:27:13] Brad Nigh: I call myself your filter? Where’s the mute button?
[00:27:16] Evan Francen: Well, I think your filter works probably better than mine does sometimes because you know like three. What was it three weeks ago? Maybe four weeks ago? I can’t remember exactly, but it was maybe it was like five or 6 because it was a week when I was here every day. You know, I wasn’t traveling anywhere because I had every one of my management meetings that week, you know, it was just great because every morning, you know, I have coffee with a different executive, right? Mondays are even over SecurityStudio, Tuesdays are James, President of SecurityStudio, Wednesday is Peter, Thursday is Renee, Friday is John Herman. And so the, the theme that entire week was I was just amazed by the fact that we have so many really, really good people and we have no excuse my language, we have no dickheads here. None. Yeah. And man, that feels good when you don’t have any.
[00:28:13] Brad Nigh: Yeah, so I’m part of the interview process, you know, bringing people in and and that’s one of the things people ask about, and I said, you know, it’s amazing how well self-policed. Management doesn’t have to do it. It’s the other analysts. I’ll call you out, right? And not in a mean way, but when you’ve got people that have been doing this for 20, 30 years and you come in thinking, well, I know everything, you’re either going to realize very quickly, you don’t right? And I’ve got things to learn or it’s not gonna work. And like, I mean that in a really positive way, we don’t have that toxic environment. I don’t, I can’t think of a single toxic person
[00:29:01] Evan Francen: here. I know, you know,
[00:29:03] Brad Nigh: everybody works incredibly hard. There’s everybody who is willing to do anything for anyone. You know, it’s really an amazing, you know, environment,
[00:29:14] Evan Francen: there’s so much integrity here, but which I think, I think also, so to your point, you know, if you have a culture like this, somebody who’s toxic will stand out really quick, right? I mean, it would be like so obvious, right? And then if you have the open communication that you strive to have, people will hold you accountable for doing something about it, right, come up to you and say, hey, are you going to do something?
[00:29:44] Brad Nigh: You know, where is this? Why is this not?
[00:29:46] Evan Francen: Right? And that’s the stuff that and I think Peter did a really good job when he first came here by, you know, sending out those surveys all the time. And uh you know, we go through those every, every time we do one, we go through them at the executive leadership team because we really want to know you kind of don’t want to know because it’s like, oh God, do I do I suck or am I good? But then, you know, you go through them and you’re like, okay, because you know, well that’s another thing about us. We hold we all hold ourselves to such a high standard. I get nervous that, You know, in my in my 4.5, I really want to be a five. You
[00:30:26] Brad Nigh: know, there is a lot of a lot of that. There’s a lot of very high lofty goals. Yeah.
[00:30:33] Evan Francen: So how do you deal with them?
[00:30:35] Brad Nigh: You know? You know, I think part of it would be his depending on where they’re at and be honest with, yeah, your management, hey, this is an issue, but you have to do it in a non-accusatory way, right? Um, I’ve worked at places where it’s just like, nope, I’m going to get another job, this person has buy-in from management or right? Like I mentioned, you know, they’re, they’re, they’re very secure in their job and just gonna not go anywhere. Um, you know, I’ve worked at places where, uh, C-levels were trying to let someone go, multiple different C-levels, and were told by the executive above them, nope, don’t, they’re gonna stay. And in both cases are in that, you know, and in those cases, the C-levels left. All right. Well, if I, if you’re not giving me control of my staff, right? I’m out, right? Um, and you know, but it didn’t take long to follow, right? That’s how
[00:31:48] Evan Francen: many employees are we now,
[00:31:49] Brad Nigh: 70, something like that.
[00:31:52] Evan Francen: Because I think that that is one of my biggest fears is that will lose this uniqueness, but it’s good that it remains a fear because if it remains a fear, it means that I’m gonna keep aware of it because I don’t want politics. I don’t, we don’t, we don’t have any time for those games were not serving our customers well and not serving our mission well, we’re not serving each other. Well, it’s just
[00:32:15] Brad Nigh: stupid. I think what’s great is you do have people that are fiercely loyal and protective of the culture we have and we’ve had people that technically were overqualified. They weren’t the right fit. You just passed right. You know? Yeah, we definitely could have used that person, but it would not be worth the disruption and kind of the headaches that would have come along with it and you know, it’s not the right fit right now. Thank you though. Right? So, you know, I think that’s really important. You know, you’ve got Peter and myself for an A and yeah, Oscar on the tech side and just just bought in and understanding
[00:33:03] Evan Francen: bought in altogether awesome. I mean every one of you guys has just great integrity. Yeah.
[00:33:09] Brad Nigh: But I think all of us have worked with those toxic coworkers and have seen, yeah, the dissension and the problems that that can bring and you know, I think just having talked with the different analysts and everything, they’re okay with being maybe short, uh, an analyst or two if it means not bringing in somebody who’s going to cause a bigger disruption, right? They know that there’s, we’re looking, we’re know whether we’re trying. I think we have a pretty good track record. Overall everyone makes mistakes, right? We’ve had some turnover. But when
[00:33:44] Evan Francen: you look at the industry turnover, it’s like a minuscule.
[00:33:47] Brad Nigh: Like low single digits on on that side, it’s industry averages what, 25, or something, something really than 10. I think we’re closer to like, yeah, five. So you know, it’s cool. That’s my, you know, it kind of sucks from the advice of either you can, if management, if you have management’s here, you have some trust and a good open relationship with your management, talk to them about it. Hey, we’re having issues here, but I can’t do it in that. You know, Evan has to go, he’s causing a problem. It’s, hey, I’m strong, you know, very, I like to go after it as a learning experience for myself and frame it that way. How can I better deal with this situation? I’m having issues here how, and that’s where they’re going back to mentors, right? And hopefully your bosses are a mentor to some degree, they have to be, to be successful. All right, here’s the situation. What can I do to improve it from my standpoint or if that’s not gonna happen, leave.
[00:34:50] Evan Francen: Yeah. Yeah. Well you bring up a really, I mean, there’s some really good wisdom and I think and all that one is because I’ve seen other organizations where maybe even the executive, the CEO or whoever sees that they have a toxic culture. Um, and maybe, you know, something they’ve got a change of heart, You know, it’s been going on for some time, You know, and they finally decide that they’re going to confront it, and they try to change it overnight that never sticks. Because culture comes from a genuineness, right? It’s not something that you change overnight. It’s either it’s really a reflection of I think of who you are, you know, as a person. So, you know, so that’s one thing, you know, if you have poor leadership, you have poor leadership, right? And unless there’s some, you know, massive conversion or something, uh, it’s gonna stay that way. And I think the other thing that you, you know, sort of alluded to is a lot of how you deal with a toxic coworker is dependent upon where you’re at in in in the company. So if your management do something, don’t sit on your hands, don’t don’t just wish it away and make decisions that are best for the company, not best for you, not best for any individual person. It doesn’t matter if so and so is going to be offended. It doesn’t matter if the whole group is going to be offended if it’s toxic, it’s toxic and it’s affecting everybody. So you have to make those tough decisions. I might really really love this person, but I’m sorry, everybody else’s suffering.
[00:36:38] Brad Nigh: It’s just not the right, right? But it’s not a personal thing, right? Just not right for the
[00:36:43] Evan Francen: organization, right? And ultimately, this organization exists for a reason, right? We have a mission and nothing comes before the mission, it’s the whole reason why we’re here, right? And it’s our mission is to fix a broken industry and if somebody or something gets in the way of that, we have to do something about it. It’s from an executive standpoint right now, if you’re a co worker and the person sitting next to you is toxic. My advice would be to try to give management an opportunity to deal with it, to try to ah I wouldn’t necessarily try to deal with it directly because, you know,
[00:37:25] Brad Nigh: that tends to be higher. It could get
[00:37:28] Evan Francen: bad but take it up with your manager unless your manager is also toxic. And if you feel sort of trapped, like you said, leave, if I can’t affect this culture and make it better and I just can’t get around it. You know, you need to leave and when you do leave, hopefully it’s more healthy for you. You go to a place where you’re not treated like dirt or whatever. And hopefully it’s a wake up call to the manager, right? Because when somebody leaves an organization like, well, why did they leave? You know, people start asking questions and hopefully they asked the right ones, the toxic coworkers just suck for everybody
[00:38:07] Brad Nigh: and it’s tough leaving, right? That’s that’s the big risk you take. You know, it’s kind of the here’s what I know what I’m in and what am I getting into moving. But yeah, I think when, when you take that chance and you get into the right situation, it’s it’s so freeing and so uplifting and just energizing to be like, oh, this is what it should be. Like, okay, I shouldn’t go home every day feeling like I’ve just been trampled on and hating life,
[00:38:42] Evan Francen: right? Yeah. Yeah. So we’ve, you know, yeah, we’ve had we’ve had, you know, I think you guys do a fantastic job like you said, of weeding that out, you know, at the hiring process. So, You know, and we learned every time, right? I mean, I can think of two in particular maybe three. It’s been 10 years, like three, maybe four. And I have a different view of toxicity. Is that the right word toxic city toxicity? I can’t say the word toxicity where I almost view like if if you’re incompetent and other your teammates have to continually always carry you. Uh to me that’s toxic too, right? So it’s not always like a malicious, toxic uh, and you run the risk here, You know, at FRSecure? We we really pride ourselves on growing people. So I was just thinking again last night when I was talking with my wife In the 10 years, how many, how many of those people came through these doors and worked here? You know? And it’s like, I mean, so we took people with like very little information security experience and not certified. Maybe maybe they have some experience, but and then, you know, you found the ones that wanted to, they were attracted by your culture and you were attracted by their integrity and they came and worked here and look at them. I mean, they’re just amazing people. So, you know, I yeah, I think it’d be, it’d be so obvious now if we had a toxic worker here, it would be like, yeah, we’d, we’d get them out of here pretty quick probably because you can’t change them either, right? I mean, there’s
[00:40:37] Brad Nigh: no, well
[00:40:39] Evan Francen: sometimes you can, I mean if they’re going through a bad spell maybe in their life,
[00:40:43] Brad Nigh: well, and I’ve had experience is another good example. They had no idea.
[00:40:48] Evan Francen: Oh, they didn’t know they were toxic.
[00:40:49] Brad Nigh: They didn’t realize it. And so, you know,
[00:40:52] Evan Francen: you brought it to their attention. They’re like, oh, really?
[00:40:54] Brad Nigh: Well, yeah, I didn’t, but it went, I went to the management and said, Hey, I’m just really struggling with this. This is happening. And yeah. And there I went to him and said, Hey, did you know, these are, didn’t call me out because that would be a problem too. But, and it was like a light a match of flip the
[00:41:19] Evan Francen: switch brad said you’re being a jerk, right?
[00:41:23] Brad Nigh: You know what, whatever. But it was, it was like overnight there like changed And it was, it turned out they had no idea that what they were doing was, yeah, it wasn’t, it wasn’t hitting, hitting it. They were just kind of coasting, right. They didn’t realize it was causing issues for others. Yeah. And I would think,
[00:41:46] Evan Francen: yeah. And I would think in, you know, specifically in our industry to how important it is to not have toxicity, right? I mean, I think if you it’s real easy, that kind of mired in uh, you know, negativity, difficulties, we carry a lot of stress whether we show it or you know or not. I mean we securities are different animal than any other industry. And I think when you come back to the office and then you have to deal with, like let’s say you just get it gave a delivery or you run into a security program. That sucks. Like that ever happens, right? Never. Right. So you’re frustrated that, you know, working with a client, then you come back to the office. You like, you just need a reprieve and you got some jerk, you know, in the cube next to you. You know, just being toxic. I mean, it just, it just kills everything.
[00:42:40] Brad Nigh: Yeah. And I think as you’ve been talking, it reminds me of things and it doesn’t have to be a malicious activity, right? I was uh, anything back to was a systems admin managing active directory servers, backups all this stuff and they hired somebody to help me is a kind of a junior level person. And after about six months I went to my boss is like, it is causing me more work. It’s not helping me. It’s actually making it worse because they don’t know what they’re doing. They’re making mistakes that are for what they claim they knew and could do they, you know, extent of users wrong, they’re doing groups incorrectly. Things are just are breaking and it’s in any of causing more work and luckily they listened and repeat mistakes gave them, you know, that improvement plan and whatever and it didn’t work out and they lasted less than a year. But if they hadn’t done that, I wouldn’t have stayed for that. It’s like I’ve already overworked. You you’re basically giving me another half job to fix all the things they’ve broken, trying to help me.
[00:43:56] Evan Francen: Yeah. Yeah. Well, I think, you know, in a way too uh just in our industry, I mean toxicity doesn’t have to be just in a company. I mean, you look at our industry, I was just because I was writing about this yesterday for the Black Hat talk on uh you know how, how easily, you know, kind of pride sneaks in. Especially when information security people are dealing with non information security people. You know, I don’t know if you’ve ever heard, you know, a security person say, oh, stupid users or you know what I mean? And that’s toxic, right? I mean, that doesn’t help that doesn’t make them want to participate with you that doesn’t make, that doesn’t fix the problem. You know, putting people down, you know, you’re looking down on them. Uh so I think it’s not even just at work because we have this culture and I think you could have a really healthy work culture, but if you’re all just a bunch of security zealots and then you go try to work with normal people to them, you’re totally toxic. It’s a good point, you know? So I think, you know, uh self reflection works, you know, to keep try really hard not to be toxic. I mean you just be yourself at the end of the day, but and hopefully people around you will, we’ll tell you Evan, I think you’re being a jerk,
[00:45:25] Brad Nigh: you know, and and even, you know, expanding on that the tearing down of other people and you know, you’ll see it on boards and Twitter and yeah, you put yourself out there as that get ripped apart because people don’t agree with you or you’re not doing it their way or whatever it is, there’s a lot of of ego out there.
[00:45:53] Evan Francen: Yeah, well that’s the quickest unfollow for me is when I see you because you can’t even engage in it online. You can’t, you know, if somebody is, you know, being a jerk to somebody else, you know, on Twitter or something or whatever post something really disrespectful uh if you engage in that forum, you’re just gonna you’re
[00:46:14] Brad Nigh: just gonna be just feeding it. Yeah,
[00:46:17] Evan Francen: so, you know, it’s like politics too, I mean, I don’t know, for some reason, security people think, you know, just like Hollywood stars seem to think they’re political geniuses, uh sometimes the political discourse too, you know, you keep it to security that helps, you know, and try to be respectful that, you know, somebody who’s reading your your post, you may not be as brilliant as you are, you know,
[00:46:48] Brad Nigh: and that’s the other thing, everybody has a different background. So even if you’re looking at the same problem, and at the end of the day, are going to have the end result, how you get from the problem to that final solution is going to be different just because your experience is different than mine and mine is different than, you know, whoever Isn’t that the beauty of one way? There’s not one right way,
[00:47:12] Evan Francen: right? And isn’t that the beauty of it? Yeah, I mean, I love teams that you put together that are diverse, not for the sense of diversity, but for the sense of the different perspectives to the same problem. Bring about really creative solutions. And uh yeah, so anyway, I could I think we can talk about toxicity all day because it’s there’s just like we were passionate about it. Yeah.
[00:47:36] Brad Nigh: Yeah. When you’ve dealt with it, it’s you do what you can to keep it out of the
[00:47:42] Evan Francen: under the environment for sure. And whatever you do, you know, God helped keep it at your family. You know, you could have the worst day in the world, figure out some way to not take that into your house.
[00:47:53] Brad Nigh: Yeah, I’ve done that. We take a really bad day. Just take the long way home, Take that extra 10 or 15 minutes and decompress and don’t don’t go home and
[00:48:04] Evan Francen: no. Yeah. Get into sucks.
[00:48:08] Brad Nigh: All right, that’s enough of the it said your idle chit chat. So some news. Uh, so this one is going to make Evan super uncomfortable because he hates the self promoting and stuff. But I don’t have any issue bragging about Evan’s cool stuff. So, you got featured in an article on CSO Online by Roger Grimes. It’s very cool. That article was uh, let’s go to CSO Online. These two books explain how to fix our broken security industry. Uh, so that it was funny, I was sitting next to each other when you read it and you’re like, uh, what? Really? So it’s really cool to to see how realistically how humble you are about this. So
[00:48:54] Evan Francen: I have a ton of respect for Roger Grimes. I mean, uh, I had I was, you know, and I say fortunate because, you know, you can’t you don’t get to meet everybody that you want to meet, you know, But I had, you know, met him, you know, we talk, I would consider us friends and then when I read in his article, you know, that he called, he referred to me as a kindred spirit, you know, and I’m like holy crap. That’s it means a lot to me.
[00:49:22] Brad Nigh: It’s a big honor.
[00:49:23] Evan Francen: Yeah. And then I love this next quote, which is going to be sort of in I think all my presentations now, not the successful part, but just the the less bullshit part. So, you know, because he’s quote and I’m saying it, I’m not swearing of my own volition, but what he said is I don’t think I’ve met a more successful guy in this industry with less bullshit. And if I if I could have that on my epitaph, is that what you call that when the thing, when you die? Yeah, So that would be sweet. Yeah, because I don’t hate B. S. You know, so that from that perspective, the fact that it came from him and uh it means a lot to me that that he would say stuff like
[00:50:06] Brad Nigh: that. And then yeah, you know, it was also mentioning the other book was Bruce Schneier’s,
[00:50:12] Evan Francen: oh yeah, that was crazy. I didn’t. Yeah, because yeah, because later on in that article, it’s like, yeah, if you read past the stuff he says about me, and then there’s like, Bruce Schneier’s Click Here to Kill Everybody and like, whoa am I in the same article as Bruce Schneier.
[00:50:28] Brad Nigh: Yeah, it’s pretty cool.
[00:50:29] Evan Francen: Yeah. Talk about not worthy.
[00:50:33] Brad Nigh: So really cool. Very good job. Thanks man. Um some other news, not even related uh drugmaker Bayer has blamed the Chinese government uh a Chinese government backed group for cyber attack. This is on SiliconANGLE dot com. Uh They said it was the hacking group Wicked Panda. Uh that was responsible for a cyberattack uh started early last year. There’s not a lot of detail in there, which I guess makes sense. But um
[00:51:10] Evan Francen: yeah, there were some, I think some follow up stories, you know, sort of after we we wrote this piece. But yeah, I think it’s interesting and I think it would be a lot more to it. A lot more will come out.
[00:51:21] Brad Nigh: It was interesting to me was the fact that it was using this the Winnti umbrella attack remote access trojan. But they said Um who was with five other German companies? May have been hacked using that since 2016 when ThyssenKrupp the elevator company was hacked and trade secrets stolen. So it’s interesting they’re targeting German companies.
[00:51:50] Evan Francen: I told you uh well I may have shared with you, You know two criminal cases that I was you know asked to be an expert witness and both of them dealt with uh Chinese nationals stealing trade secrets. So yes they are going after your trade secrets, you know. Yeah, I mean yeah, they’re not going after Bayer for health insurance giggles,
[00:52:21] Brad Nigh: right? They’re not looking for the consumers and information. They’re looking for patents and trade type. Right? Yeah.
[00:52:30] Evan Francen: Yeah. And then they take it back to the, you know to China because this stuff is all sponsored by the Chinese government. It’s not like, you know, this Wicked Panda group is some, you know, splinter group off by itself just acting on their own. No, this all goes back to China and yeah, it’s it’s sad because you know, we were trying to help like manufacturing for instance, you know, even just in our own backyard here in Minnesota and it’s like, my God, the Chinese, you’re such an easy target and they want your stuff.
[00:53:07] Brad Nigh: What do we have anybody would want? Very little lot.
[00:53:12] Evan Francen: So my heart goes out to those people if you have anything. Okay, now let me just correct that you do have something everybody has something that somebody wants. So don’t ever think that you’re not a target. Uh or you end up like Bayer. And what’s the other one? The Krupp one. Tyson Christian Krupp and yeah, yeah,
[00:53:33] Brad Nigh: scary. Uh Next one was out of hackery dot com. New malware can modify CT and MRI scan results and actually saw this on a different site as well. But uh so disclosure. I was traveling and Evan put together some of these news stories. So in Buffalo. Yes. So thank you. But I saw this one, I meant to mention it to you. Uh So Israeli researchers have developed malware that can basically add a malignant tumor to MRI results or CT scan results before they’re read. So you might be clean. And they’re going to add something that looks like you’ve got cancer. The flipside is can they what else could they do if they can add images and manipulate this stuff?
[00:54:26] Evan Francen: Well and one of the things I mean social engineers love to play off of emotions and the fact that you know you’re not thinking clearly you’re going to make different decisions. You would make different decisions based on the assumption that I have cancer versus I don’t I mean I went through the same thing. I mean I went through this thing for real. I mean it was almost feel like it wasn’t even cancer because they just took the kidney out there fine. But that moment you hear cancer you know it’s like
[00:54:58] Brad Nigh: uh huh. And the other side of it is it says that they can remove the presence from the results. Yeah that’s even more I mean yeah that getting getting no yeah I’ve got cancer and all the you like you said you went through and all the emotion and everything and then finding out you don’t or it’s cleared up or whatever. That would be one thing but not knowing I know getting treatment is really scary
[00:55:25] Evan Francen: or losing trust in the whole system to begin with. To right. Yeah. So yeah there’s medical right? This is where they’re
[00:55:33] Brad Nigh: at. And and because I think goes back to your um predictions from last year of people that were headed that way unless things are better protected.
[00:55:46] Evan Francen: Yeah, it’s sad. I can’t imagine. I mean that there’s just a certain line that I would never cross if I if I was an attacker, I could never see myself crossing that one.
[00:55:56] Brad Nigh: Well. And I think in the end it says one of the reasons is that the uh the files aren’t digitally encrypted.
[00:56:04] Evan Francen: Right? That’s basic stuff. Right? But how much how often do you see that in health care?
[00:56:09] Brad Nigh: I know all the time. All right, last last news story after that uplifting one BetaNews dot com, 90% of critical infrastructure hit by cyber attacks and you know, I think not not terribly surprising quite frankly, Uh 90% of respondents say their environment has been damaged by at least one cyber attack over the last two years, 62% experiencing two or more attacks. Um and and the nice thing on this, so this is a study by Tenable from the Ponemon Institute. Um 80% of responders cite lack of visibility into the attack surface knowing what’s what they have
[00:56:56] Evan Francen: basics. No man also. And the thing is I think we’ll get so numb to these numbers, we get so numb to this percent of that, that percent of that, that I mean just take one of these and think on it for a little bit, let it let it simmer in your brain for a little bit. You know, take uh Take the 80% number, 80% of respondents. These are people that work in critical infrastructure Site, lack of visibility into the attack surface, knowing what systems are part of their it environments. That means they have no asset management program or its partial. 80%. So
[00:57:40] Brad Nigh: critical infrastructure
[00:57:43] Evan Francen: four out of five. It is my mind. Yeah, I mean four out of five and so, you know, great. Thank you for NIST CSF. Did you see asset management on there, you know what I mean? Is this, this isn’t new. This is fundamental basic stuff. I can’t protect the things I don’t have. I don’t know, I have and nobody likes to hear it. Right. I mean, how many talks do you see at Black Hat or RSA about asset management? It’s not sexy. No, I know, right? Because it’s hard work. Oh my God, no blinking lights, but somebody’s got to freaking do it and it’s so irritating because if you don’t get the basics, it doesn’t matter. The other stuff that you do DLP whatever else you want to put in your environment isn’t going to matter. Yeah. So yeah, I just it really? So if you think, I mean, that’s what, that’s the thing. I see so many stats. If you just take one sit on it. Really think it through and like, Oh yeah, that really sucks. Yeah. Yes,
[00:58:44] Brad Nigh: it does. It’s mind blowing. All right. Well, so many so many stories like this. It’s tough to it is tough sometimes to narrow it down. Um you know, sit down there. Be careful and do your best to keep your head above water. That’s
[00:59:00] Evan Francen: it. Some good advice.
[00:59:02] Brad Nigh: Any parting words of wisdom Evan?
[00:59:05] Evan Francen: Uh did I write something? I did I read something? Oh yeah. If you think there’s good in everybody, you haven’t met everybody now, do you think there’s good in everybody? You haven’t met
[00:59:18] Brad Nigh: everybody? Some people are just inherently bad.
[00:59:20] Evan Francen: Bad. Yeah, i.e. toxic. Maybe interesting. Yeah, I’m not sure who said it, but there you go. I think I probably, I probably just googled, you know, give me a wise because I certainly don’t think I came up with myself. That’s why I had to read it to you.
[00:59:36] Brad Nigh: Oh man, that’s fun. Well, as you can tell, we are back home, it’s definitely a little bit more relaxed and thank God. Uh yes, very happy to be back for for now. Don’t forget you can follow me on Twitter. Um my name is at Brad Nigh and or Evan on Twitter at at Evan Francen and as always the mentioned earlier email us uh unsecurity at ProtonMail dot com. Yeah. All right. Thank you all. And you talk to you guys next week.