vCISO Framework and How to Hire One

Unsecurity Podcast

The episode centers around the goings-on behind their travels. They’ll also add to the recent ongoing vCISO framework discussion with John’s perspective—as he’s hired many vCISOs over his career.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hey, oh, it’s me. Evan Francen. This is episode 48 of the Unsecurity podcast and the date is monday october 7th 2000 and 18. It’s hard to believe it’s already october. Brad’s on a plane somewhere. Maybe or maybe he’s in a hotel somewhere. I don’t know. All I do know is he couldn’t make it because he’s really, really busy in Brad’s place this morning is my good friend. John Harmon care to say hi John.

[00:00:50] John Harmon: Yeah, a little good morning. Thanks for having me.

[00:00:52] Evan Francen: You do have a nice voice.

[00:00:53] John Harmon: Yeah, I know. I worked really hard at that.

[00:00:56] Evan Francen: Yeah. All right. Well john’s leader, he has the liberty to say what he wants. So, uh, yea.

[00:01:02] John Harmon: Am I allowed to swear?

[00:01:04] Evan Francen: Well, yeah, I think they just edit it.

[00:01:06] John Harmon: Okay. Just get brain and something to do.

[00:01:09] Evan Francen: We don’t swear much. Anyway.

[00:01:11] John Harmon: He was like a beep or does he just like black it out as you use like car horns or something.

[00:01:15] Evan Francen: Like I have to ask him. I don’t even know. She put them to the test. I just send him the, the audio and I never listened to it. Do you ever listen to it?

[00:01:22] John Harmon: Yeah. Okay. You guys all the time?

[00:01:24] Evan Francen: I never listened to it. I can’t stand listening to myself. All right. So this was sort of last minute I texted Brad on Friday. I texted him Friday night like 7:30. I’m like, hey man, you want me to put together the show notes because a lot of times he’s really busy, you know? And so they texted me back and says, oh yeah, crap. I’m in san Diego. He’s got a board of directors presentation to give. I think on a sunday, do that weird to boards of directors meet on Sundays?

[00:01:57] John Harmon: This one does, it’s a larger company that’s not totally out of the ordinary.

[00:02:03] Evan Francen: All right. So that’s, that’s sort of where he is. And you know me, I’m really, really good at planning. So I plan that playing these shows out like weeks, months in advance. Uh, so then I texted you think on saturday, I’m like, john what are you doing? Monday morning at well 6 45. But then you say you have an interview at seven for somebody. So you wanted to meet at 5 45. So it’s 5 45 in the morning on monday and we’re going to talk about security.

[00:02:35] John Harmon: That sounds

[00:02:36] Evan Francen: fantastic. Something is wrong with us

[00:02:38] John Harmon: or something very, very right of it.

[00:02:41] Evan Francen: I suppose there’s two coin, two sides to every coin. I like, I like that. I like how you’re usually positive when I’m negative, your positive and hopefully the other way around works

[00:02:51] John Harmon: too. That’s why the roadshow is gonna work just great.

[00:02:54] Evan Francen: I know. Yeah. Well that’s kind of where I wanted to start, you know, I know that last week on the show brad and I talked about the roadshow brad’s not brad so busy on the fr secured things and you know you and I are out on this road show last week was the first week of the roadshow we survived, we thrived. We

[00:03:15] John Harmon: did thrive. It’s a wonderful place.

[00:03:19] Evan Francen: Yeah, even philadelphia wasn’t too bad.

[00:03:21] John Harmon: No, we found that awesome barbecue place, I mean we got in and out of Philly pretty, you know said let’s

[00:03:28] Evan Francen: see how that one rated. Did you, did you look at the ratings yet?

[00:03:33] John Harmon: Yeah, I was just looking at it. So my uh I didn’t get to your, your full ratings but that was the first one that we hit was in philadelphia. So we landed sweet lucy and that was, we went straight there right away when we landed and the first thing we did when we landed in pennsylvania and that was my favorite up until the very end.

[00:03:56] Evan Francen: Really? Okay, so you’ll have to rate the barbecue joints too because I rated them on, you know, I wrote that week one recap uh and I read it it actually number four out of four. Really? Yeah, well four out of five, but the one place, shakedown barbecue wasn’t open on thursday which then and aid themselves to zero

[00:04:21] John Harmon: you know, very disappointing because there was so much hyper on that one too, there was well separately recommended that one.

[00:04:29] Evan Francen: Yeah. Like you got to go here

[00:04:30] John Harmon: and it wasn’t like it was down the street. It was a good half hour from where we were. Yeah, I was expecting greatness

[00:04:37] Evan Francen: and we even had a guy was closed. We even had a guy called the owner because he was friends with the owner. This anyway. Yeah. You have to look at the uh how I rated um what I rated uh Divine Swine number one. So they were the weak one champ Who got number two, Number two was mission barbecue. Even though it was a chain. I couldn’t get over the serviceman. The service there was so awesome.

[00:05:07] John Harmon: You know what though? I know we you know and the sausage was good like to you know, bag on the chain once, right? They tend to get a bad rap. It’s like I was just chain. It’s a chain. It’s a chain but there might be a really good reason why it’s chain good point. You know I mean and it’s not uh it’s not like it was fast food type stuff. I mean really good. Everything was made in house and you know they take they seem to take pride. They mentioned it anyway that they had right fresh ingredients and everything is prepared on site and they give you the whole introduction of what you’re about to eat. I mean it was fantastic from a service standpoint Mission barbecue was a plus Absolutely.

[00:05:45] Evan Francen: Yeah. I’ve never been treated so nicely at a barbecue joint before. And then I gave it to read says number 3 uh

[00:05:54] John Harmon: places school, very definition of the hole in the wall. Right?

[00:05:57] Evan Francen: Yeah, they got the worst on service. I gave him a five on service just because those two ladies spend more time talking to each other than

[00:06:03] John Harmon: they were like arguing about stuff like the operation of the place and everything is kind of awkward.

[00:06:08] Evan Francen: Maybe I was just hard on lucy’s. I thought the yeah, I don’t know, be interesting when you, when you read it because that one had the best atmosphere. I thought,

[00:06:17] John Harmon: yeah, I, I guess that the experience really, really got me on that one. I liked a lot. The food was okay. Yeah. You know, barbecue was okay. It wasn’t great. I don’t like when they like premixed barbecue and with things barbara sauce. So that was a little bit of turn off. But it wasn’t bad. I mean it was still Good. Yeah, but yeah, I think uh, we’re both in in full agreement on divine swine, it was definitely the best one. Yeah.

[00:06:45] Evan Francen: So not only do we get to do this security stuff, which is really cool. I mean we went to uh, besides the inaugural, besides Harrisburg conference went to that cybersecurity conference. We had, we did a lot of good security talks outside of that with some, you know, potential partners for security studio. But then we also got to have awesome barbecue. Yeah. I mean like what’s not good about this?

[00:07:10] John Harmon: Right. Well we’re we’re those kind of guys, right? I mean we could go out, let’s find the best filet mignon in pennsylvania. Like no, that’s not us. I’m gonna go eat pulled pork and brisket and you know, the occasional uh, you know, a sausage or ribs or something like that. That’s what we’re looking for. Yeah, I like that about us. I like that. We’re going to stay focused on this. So watch out if you’re in any part of the world looking for barbecue, you’re gonna have a pretty darn good database and things to look at as a result of this road show. We’re together a lot were also a part, a lot going to be, you know, doubling up on some of these things should make this a separate like do a book or something.

[00:07:51] Evan Francen: Oh, I am an author. Did you know that? I

[00:07:55] John Harmon: knew that. Okay, maybe they’ll make a movie out of this one. All

[00:07:58] Evan Francen: this could be cool. Is that um that would be my dream job would be riding my Harley across the country eating barbecue,

[00:08:07] John Harmon: you could make that we’ll call the food network. If anybody’s listening at the food network, we’ll trade security for a show of barbecue show

[00:08:15] Evan Francen: and your wife, your wife would probably let you get a Harley for that. It’s life. I mean it’s work. You have to write. I mean, it’s like this, it’s the food network.

[00:08:25] John Harmon: I’m just not going to poke that

[00:08:27] Evan Francen: bear. Alright, well at the food network do it. Yeah.

[00:08:31] John Harmon: Okay. She’s listening to audio. I’m not gonna get motorcycle. Yeah, that’s that’s not happening. I promise

[00:08:35] Evan Francen: they have bummer. You look good on a bike man. All right. So, so week one, what we do? We uh, we got there, we had barbecue. Tell me about. So I wrote that that recap. Did you get a chance to look at that at all? It was pretty accurate, wasn’t it? I mean, it wasn’t like,

[00:08:57] John Harmon: no, it was good. I think, you know, overall, uh, the meetings that we had with people one on one. Even the calls that we took, you know, kind of in the times in between were at the event were really good. Um, it’s, it’s interesting to see given where we came from. I mean, when we first started working together, you and I mean, you know, banks and hospitals, there was all anybody cared about us. We’re in those industries and, and preaching the basics back then and trying to get people to listen, like build a good security program. And here’s our definition of information, security and all these years later, we’re now seeing glimmers of that elsewhere. This is the groundswell of support finally coming. We’re getting past the blinky lights were getting past the lipstick and mascara and we’re getting down to fundamentals and that’s coming through in the events and the conferences and the conversations that we’re having. So it’s like finally, you know, where it’s almost counterintuitive, like what we’re talking about is an innovative, it’s foundational. These are the things that are, like you say all the time, they’re not sexy, Right. Right, right. But for some reason everybody just glassed over and glossed over him and went right to the sexy stuff. And now we’re seeing this resurgence of no, let’s get back to basics uh, at besides conference, which tend to be, tend to be very technology focused and very um uh you know, very, I don’t know, a little more cutting edge on on that. Yeah. Well, yeah, absolutely on that and to hear those, that whole, the reception that you got on your talk, which is all about fundamentals and all about the s to score and just find a baseline of measure things and that was really, really cool. Um it was, it was good to see because to be honest with you, I was skeptical. I thought that there would be some push back that we weren’t, you know, talking about something gimmicky.

[00:10:57] Evan Francen: Right, yep. Yeah, I think it was um well, one of the things that kind of resonated this week too, you know, when you finally get out there and start talking to people and listening to what they’re saying. Um, you know, I had emphasised, you know, three words and what we’re trying to do with partners were trying to meet them, understand their business and help them grow their information security, consulting business. That feels sort of good to say say it that way because it’s exactly what we’re trying to do out there is help people. Um, and I was a little skeptical. Two of the B sides, you know, discussion because it’s, you know, you can’t make, I mean, you can try to make fundamentals sexy, but they’re just not. But you know, the problem we see everywhere is the lack of focus on fundamentals in going chasing these, these risks that aren’t your most significant risks and they’re spending tons of money. And I mean it’s just so uh illogical, you know, so, you know, I was, I was a little skeptical to that people would be like, where’s the sexy, where’s the sensational hack of something? Um, but everybody like you said, I mean, it was probably the best received talk I’ve ever given. There were what dozen people after the talk that came up and wanted to talk more. And it was uh, it was very, very good. The questions, I mean, normally when you ask questions at the end of the talk, you make it one or two, but I think we could have gone with questions probably the entire afternoon if they would have let us, I mean it was, it was really good. So I like that.

[00:12:37] John Harmon: Well you were getting, I mean you got mobbed after the, after the presentation, which is always a good sign. People are interested enough, they want to talk to you and not just uh hey, what do you think about this kind of thing? But really appreciating what you said, identifying with what you said, asking you questions about the security program. There were substantive conversations and we got a barbecue restaurant recommendation, which was good, which was closed, it was closed, but I appreciate the guy like hanging, I hung out there for a while just to be able to tell us about this because you were looking for barbecue. But do you think that you know this, this resurgence of back to basics, back to fundamentals is coming from um leadership and you know, people who don’t speak this language. Finally looking at the security community and saying no, no, no, the shock and awe is not good enough anymore. I needed measurable right now. I need to know I need you to communicate to me somehow in a credible way that were as good as I think we should be and they don’t even know how to do that. But um a lot of the questions that we got, it was maybe a theme, I may be connecting dots that aren’t there, but it seemed to be uh I’m having trouble communicating our security program. I know how it functions, you know, there’s really good and talented security professionals there, but it’s more a lapse in communication. There is a need to articulate these things to people who don’t speak this language. And it seems the getting back to the basics and just measuring the stable security program, where are we going? How much is it going to cost and how long is it gonna take to get there? That sounds like very much a business conversation, wondering if the business is starting to influence our our wants and needs from a security community standpoint. Yeah,

[00:14:30] Evan Francen: yeah, I think so. Um I think just everything fundamentals and basics makes sense. And I think with just how crazy everything is. I mean there it’s chaos, right? I mean, you read the news about information security, read about the latest breed, treat about the latest exploit or vulnerability. And I mean, I think the the industry has never been sort of more crazy, more chaotic and we just keep piling on more and more, you know, new innovations and IOT and digital transformation and ai and Blockchain and blah blah blah blah blah. Right? I mean it just goes on and I think it gets refreshing when you just think simple, let’s simplify. Let’s go back to the basics back to the fundamentals. Uh because you know, the truth is anything that’s insecure at the core will always be insecure. Right? So you always have to do the fundamentals, You can’t skip them and eventually you’ll come back to them that’s always been our belief here at fr secure. Uh, was, it’s okay if the customer says no, eventually they have to do it and eventually you have to get back to the fundamentals and so yeah, I think there’s, yeah, I think people like it, you know, I mean, just without the chaos, they can kind of just exhale a little bit, you know, when you talk about the fundamentals, so maybe that’s part of it, maybe, I don’t know, but I am starting to see the same thing, you know, certainly in the security community, there is much more focus on the basics, much more focus on the fundamentals. Yeah, um which is a good thing. But then that second conference that we talked, you know, that we went to the cybersecurity conference, the government one, you probably saw in my right up for that, uh my frustration. Uh so we’ll get to that in a second. But the, I thought the rest of the whole b sides conference for the first ever conference even, it was awesome. You would have never known this was their first

[00:16:35] John Harmon: oh, that’s right. And they had hundreds of people there. I mean, I’ve seen those, you know, and maybe non metropolitan areas, I mean, which, you know, Harrisburg is, you could say city, but it’s not philadelphia Pittsburgh, it’s, you know, it’s not the major, major hub in there. I’ve seen those held at restaurants, right,

[00:16:55] Evan Francen: right?

[00:16:56] John Harmon: And they rented out four floors of a university to get this thing done. It was, it was impressive. And the organizers, um oh man, what? They were all great, everybody was organized. It was, and what a great, great experience that was.

[00:17:10] Evan Francen: It really was. So yeah, shout out to Harrisburg University. There was a lady named julie Goolsby who was kind of the director, uh she was the one that we worked with, she had to have had a huge hand in putting all this stuff together. Um I thought that the, the keynote by um, by ken Bechtel was uh was pretty good. Uh you could tell it was his first ever keynote, so he was struggling, you know, but my heart went out to him because he’s a pioneer in uh really malware research, you know, I don’t know how uh and I know he’s looking for a position, so I posted, you know, uh linked to his linkedin profile, uh but he’s pretty opinionated too and I think maybe that sometimes goes against him when he’s, may be interviewing because he does have so many years of experience and uh, I don’t think he has a lot of respect for the shortcuts that people make today, you know, because he kind of remember the old way of doing things. Yeah,

[00:18:13] John Harmon: but you know, I respect that I do too from uh you know, if I’m, I’m thinking about ken, and the talk that he gave, I mean the act of giving a presentation to a large group of people is not a natural act. Not a lot of people are very comfortable with it. It takes a lot of practice. It takes a lot of, um, you know, messing it up. You know, it’s a lot of that, but the attitude that he has about security and his chosen profession, I mean, he is unbelievably qualified to happen is that he has, and, and frankly, you know, I don’t, I tend not to trust people who don’t put their stake in the ground, right? He believes something and he’s going to tell you about it. You might disagree with them, but that doesn’t waver his beliefs is not going to pander to anybody. So, you know, I appreciate that about him. I appreciate that about you as well. You know, it’s kind of, you know, you can, you know, lawful around and be politically correct and, you know, all this kind of stuff. But if you really believe something, you should stand up and say, this is what I believe and, and that’s how that from that starting point. Um, you know, if you’re not getting constructive feedback, it’s coming for the wrong people.

[00:19:19] Evan Francen: Yeah. So I had a lot of respect. I mean, I, and I sat down and talked with him for a good 20 minutes, you know, half hour afterwards. Uh, just about kind of what he’s looking for and what he’s, what he’s been up to and it was a good talk. Um What else do we do? We went to a cool coffee shop. Remember that coffee shop in Columbia pennsylvania. Yeah. Cafe 301.

[00:19:42] John Harmon: Because we went to a different one. At first they look more like an art gallery or something. We’re looking each other like now this is not our kind of yeah, we don’t do our calories. Yeah, we went uh went around the corner and found a really nice place. Um And uh we did actually a phone call in there. Yeah, I got for a good long while. Yahoo’s

[00:19:59] Evan Francen: that phone call with uh servant. X E R V A N T. Right? That was a company in north Carolina.

[00:20:06] John Harmon: Yeah, I really like them. Yeah,

[00:20:09] Evan Francen: that was a good talk. We had the whole coffee shop to ourselves to it was a huge place. I don’t even know where the workers went. Remember like towards the end I was like where we’re the only two people in this place right

[00:20:19] John Harmon: now or in the back there was something, I don’t know what was going on. But no, it was it was cool. But it was it was kind of dead when we got there. There were a few people there, but I feel like it was just kind of a kind of a hot muggy day. Many people were looking for.

[00:20:33] Evan Francen: It was hot that day. It was hot. A couple more shout outs that I had from that from B sides. Was Ray baker did open source intelligence. 11 finding information on anyone. I thought uh she did a fantastic job, kind of giving um the lay of the land with ascent and uh you know where beginners can get started and that was really good. Brandon keith, I thought was a pretty good guy Appalachia technologies, Is that where he’s from?

[00:21:03] John Harmon: Yeah, I remember he was when he was like the guy who put it all together. Yeah. You know, he was really behind the success of that that conference in a lot of ways.

[00:21:11] Evan Francen: I liked everything about him except for wearing suit. Yeah, sorry,

[00:21:17] John Harmon: I don’t like I don’t know it, he wears it well, he does very well, but yeah, we said it on one of his, you know, more technical sessions. Uh he was sharing some tools that help enumerate Active Directory and and figure out what some of the issues are, but also were used in a pan testing context. So that was pretty neat to see. Um yeah, raise talk was fantastic. I was thinking about changing careers is very inspiring.

[00:21:42] Evan Francen: Well, I told my wife about it because you know, my wife wants to get into a cent more. She wants to uh you know, help fight child trafficking or you know, sex trafficking. Uh so yeah, I turned her on to her talk to uh you know, Ray baker’s talk for my wife. Yeah, it’s a great career, right? Um ascent and it really opens your eyes to a bunch of things. I don’t know how many things you can actually do anything about, right, because a lot of your stuff is already out there and good luck getting it back at this point, maybe create a separate identity, which a lot of innocent practitioners will do, you know, and and do all the work under that and keep that completely separate from the real identity. But there’s all kinds of strategies you can do um for us in, but it was cool that she did a great

[00:22:32] John Harmon: job. What I really liked about it was, you know, you think there’s some like master technology that can just correlate all this stuff, you know, like IBM Watson is out there just doing all the o sent for us, but it requires a human, human brain and human ingenuity and intuition to be able to correlate the kind of things that you find out there. And um it was really, she had a great way of kind of putting that together and yeah, making it stick with people who, I didn’t know much about it, honestly, I knew I know what it is, but I didn’t, even though one oh one depth that she went through, there was a lot of things, I was like, oh, that’s interesting and I never thought about that, that just tells me that when you get to the 4th, 5th 6th level down, like there’s got to be some really do want stuff. That’s pretty cool.

[00:23:16] Evan Francen: Yeah, for sure. And some of these fr secure guys and the technical services team are all sent masters because typically, you know, a first step in a red team type exercise would be to do some most and try to understand what your target is. And yeah, it was really good.

[00:23:34] John Harmon: And we call it recon which is a part of the uh s tour assessment. Getting this is where you do some some recon which, you know, I wouldn’t go so far as to call it a scent maybe. But it, you know, I tell customers like we’re gonna go to the internet and find all your dirty laundry, right? It’s a kind of a quick brush of like what surface level that we can all be fine. It’s kind of the beginning to sort of stuff resonate, right? Um and it’s it’s important to understand even at that level, you know, there’s some risk out there, you should account for, right?

[00:24:08] Evan Francen: For sure. Then we went to the that was Wednesday and then we went to barbecue again at Red’s BBQ and Carlisle. You know, it’s pretty good. The next day was the cyber cyber security awareness of it, which was all primarily government, right? Federal state. Yeah. The uh and I thought, I always think that those are interesting conferences, especially when you have one followed up by the other, right? Because the first one is primarily private sector. So, um and the more techie type people,

[00:24:43] John Harmon: there’s a lot of teams

[00:24:44] Evan Francen: there.

[00:24:44] John Harmon: Yeah, like technical teams, security teams, you know, the people on the ground to other work.

[00:24:50] Evan Francen: Yeah. And then you go to the cyber security awareness summit and it’s much more, oh my gosh, how many suits did we see? Yeah, everybody’s wearing, you know, suits and looking

[00:24:59] John Harmon: good, you know, a little overdressed that besides being dramatically underdressed

[00:25:02] Evan Francen: at the cyber school. Right? Which was awesome. That’s just how we roll.

[00:25:05] John Harmon: I make no apologies, but

[00:25:07] Evan Francen: no, so I sat through uh, I don’t know the first about as much as I could, I think, um you sort of, so we had to welcome, which was, you know, from the President of Harrisburg University, we had the opening remarks which was uh, the C I. O. For the commonwealth of pennsylvania and then we have the security challenges confronting government and schools and benefits to collaboration and N A S C I O S cybersecurity state of the State’s report. That’s a hell of a long title.

[00:25:40] John Harmon: Deloitte.

[00:25:41] Evan Francen: True. Thank you. That’s exactly. Well, that and that was uh so I got through that and, you know, I think you got through that too, then maybe somewhere in the middle of that, you went and looked for more partners, I think. Right?

[00:25:55] John Harmon: Yeah. So I stuck around for that and, you know, I’ve read that report every time it comes out, I’ve read it and then it it’s good information, I think the presentation, if I’m being honest and I, you know, did give us feedback directly to one of the presenters, you drawing conclusions based on data without really referencing, you know, because that that reports then a long report, you know what I mean? And I felt like there were some things that were correlated, some assertions that were made that were reaching a little bit, you know, they were they were looking for certain things in the data rather than letting the day to speak for itself um that’s how I felt, but obviously that’s an incredibly nuanced thing, putting all that together and make drawing those conclusions and everything and just kind of felt like a I don’t know if I would have come to that conclusion, but then who the hell am I, I’m not a data scientist, what do I know, right? Just kinda my practical experience, just kind of felt like they were reaching for some conclusions they were hoping were there

[00:26:55] Evan Francen: When the sad thing too is like you said, that report has come out every years, I think since 2010, so she had been the 10th or 11th year that report’s been out and I’m really just kind of frustrated by the lack of progress, it’s like the same, excuse me, I was going to say a bad word, it’s the same crap every time, right? And it’s like, okay. And then they put another word, you know, another theme to it. Like, the theme for even the conference was the theme for the conference was caring and sharing to safeguard our citizens cross, collaboration among government and education makes pennsylvania safer and more secure.

[00:27:33] John Harmon: What well and yet, yet the necessary doesn’t work from the commonwealth in that particular case, was that they’re not doing that and they need to do more of it. So we didn’t get to see a lot of, you know, in practice, examples of how that’s working, right? It was all just we need to do this, right? Okay, great. You know, we’ve we’ve identified how exactly are we going to do

[00:27:55] Evan Francen: that?

[00:27:56] John Harmon: And it was more like they were asking the audience, like, so if you have any ideas for us about how to do this, this, that’d be great. It’s like, wait a second, right? You know?

[00:28:04] Evan Francen: Well, yeah, and so I like, so eric Avakian is the sea. So, uh, for the commonwealth

[00:28:11] John Harmon: and he was good.

[00:28:12] Evan Francen: He was good. And I, and I Yeah, and in an impossible job. True, man. It’s hard. It’s a

[00:28:19] John Harmon: hard work against the Yeah.

[00:28:21] Evan Francen: And then, uh, one The Deloitte Guy, Uh, Sweeney, this is where I went on a rant a little bit in my notes. Uh yeah, I just don’t know. And maybe maybe I’m just overreacting, but I hate when we he he just kept cyber cyber cyber cyber cyber. I mean how many more damn times are you going to say the words cyber? You know, because I don’t even know if you know what the hell that means, you know? And that was kind of the point of the talk the day before was, you know, and you were there, I asked all these information security people, give me your definition of information security. That that one in that talk was the best attempts I had at people giving me definition of of it than probably any talk I’ve ever given. But cyber cyber cyber, like that’s the same thing as information security, like that’s the same thing as cyber security. I mean it’s so I don’t know, I just got off on a Mhm. When I keep hearing that it just totally distracts me. I’m not listening to anything else you’re saying because I keep hearing you say is cyber, and I keep saying is hearing you say it is because you want to sell me some crap or something? Uh When did it become like un cool, Has it always been un cool to use like more syllables in words? I mean what are we gonna call it, next? Just sigh. Yeah,

[00:29:45] John Harmon: I think, you know, it’s a branding thing, right? I mean it’s one of those things that is becoming cliche, right? It’s indicative of the language problem that we have our industry, but also its coaching people to narrow their gaze, which I don’t like no,

[00:30:02] Evan Francen: right? If you have been fighting forever to make this a business issue, not an I. T. Issue.

[00:30:06] John Harmon: Right, Well, and to cover all areas of of information security, not just the I. T. Stuff, right? But you keep branding it as an I. T. Issue by using words like cyber and you know, the only solutions that we have and that we point to our technology solutions, you know, it’s those kinds of things. We’re digging a hole, we’re not actually helping dig out,

[00:30:30] Evan Francen: you know, and you’re a leader, right? I mean you’re the risk and financial advisory lead at Deloitte and using the word cyber. Like it’s cool. I mean it just rubs me so much the wrong way, right? Because I don’t think people understand the difference between cyber cyber security, information security and how they really are different things. Um and then uh I mean does it just make you sound cooler when you can just use cyber? I mean, I don’t know, it frustrates the hell out of me. So anyway, I ranted a little bit on here and uh and actually put it in words on my rant if if you want to look at the the pot or look at the

[00:31:14] John Harmon: blog, you know, there’s a nice graphic in there but that there were between, did you like my photographic I put that together. Yeah. Words matter use them correctly. Right? They do. Um and that’s a heck of a pulpit to, I mean if you have that kind of title and you’re, you’re out there talking about this stuff and trying to solve a greater problem, you know, start to flip the script on that, you know, corrected, you know, just right along

[00:31:36] Evan Francen: right for sure. And then the last one that I actually made it through was the one from Sisa. Uh, lisa is the cybersecurity and infrastructure security agency. Um, and the talk was cybersecurity research is resources for state and local governments. And this was Benjamin Gilbert uh, one of the cyber security advisors for cisa. I really liked him. I liked to talk um, one of the things that I sort of got out of that was my God, there was a lot of acronyms, which is what the government does, right? Everything’s got an acronym, which is I think again sort of confuses things because not everybody speaks this sacrament acronym language that we do, but it also sort of come came off like Sisa is trying to do everything.

[00:32:27] John Harmon: Trying to boil the ocean a little bit. Yeah. Also pick a different acronym. You don’t know what a certified information security auditor is.

[00:32:34] Evan Francen: Right, where is that?

[00:32:35] John Harmon: To be confusing to the private sector for sure. So

[00:32:39] Evan Francen: right, well they’re trying to reorganize everything and I mean if you look at all the services that Sisa provides, it’s like, oh wow. You guys do everything, which they don’t, I mean they do, but they do most things probably half asked because you can’t do everything. Um You know, just getting a penetration test from caesar which is free for a government entity. Uh might have a 12 to 18 month um backlog, right? You might have to be on a waiting list for a while. Well, if I need a pen test like yeah. You know, ideally you do be doing pen tests on a perpetual basis, but for sure like but maybe quarterly, you know something. And so it just, it just wouldn’t happen if you relied on C says you’re only

[00:33:30] John Harmon: yeah, resource for that. If they had a certified information systems auditor on staff, they would maybe be able to audit that process and figure that

[00:33:38] Evan Francen: out. See there you go.

[00:33:41] John Harmon: I’m kidding. No, I just can’t let that go. Actually. That was the moment when he when he was like yeah, with lisa. And I was like, okay, I’m gonna go like I’m out of here. Yeah. That is that is when you left was that’s what I kind of popped up and I was like, yeah, clc after the talk

[00:33:54] Evan Francen: when I I really like what they’re trying to do. I mean, I think their hearts in the right place. It’s just I don’t think that approach is going to work. I think it’s going to get super duper expensive for all the taxpayers and I think you won’t get anything better than what you got now

[00:34:09] John Harmon: to be honest. I mean, we’re talking about, you know, $5 fix for a million dollar problem, right? It’s too big. And I hope, I hope, you know, based on what you told me that they will start engaging some organizations to help them with this and, and you know, focus on maybe bringing people together, helping out with the language problem. You know, that kind of thing, rather than providing one off services, county by county or state by state, you know, city by city. Uh, because, you know, there’s certainly in a position to do that. We’ll see. I liked him though, I talked to him afterwards. Good.

[00:34:42] Evan Francen: Yeah, for sure.

[00:34:44] John Harmon: Oh my God, trying so hard. I mean,

[00:34:47] Evan Francen: he’s working his

[00:34:47] John Harmon: ass off too.

[00:34:49] Evan Francen: So that was, that was week one of the roadshow, so, um which was good. That was a fun week, productive week. Very successful. I think he’s exceeded my expectations. Did it come close to yours or exceed yours?

[00:35:04] John Harmon: Yeah, very much. I think. And you know, the purpose of the road show is to get more awareness around security studio to get more awareness around specifically the S tuareg assessment as to score. Getting organizations include into the fact that, you know, you can shift money from measuring the problem to actually fixing things by, you know what we’ve done and making the assessment free. Uh and you know, in that way, if we’re measuring it by that um by that, you know, measuring stick, I guess we had What about 20, new account set up last week. And this is just from your talk. We don’t we don’t go to the sides, you don’t get a list of attendees, you don’t get all the chapter members to be able to market to. Um and you know what I mean? This is just people that were there, we got all that and uh we had meetings with four very awesome partners. I think you’re gonna be able to help people were kind of in this, you know, in the spot where were, you know, talking to companies and getting them to adopt this, But when they get stuck or when they need help or when they need, you know, help with radiation or they need somebody to come in and validate the assessment. We don’t know, we have to build relationships the people in these areas so we can point them in the direction of qualified professionals to help them out. And in that way the meetings that we have partners are very positive. Was very encouraging to see that there are good companies out there, like Appalachia, like B I. G like, you know, the other ones that we talked to.

[00:36:32] Evan Francen: Yeah, it was cool. All right, well, shifting gears a little bit. Um we get one of the most popular, I think topics on the show, at least it has been every time we’ve we’ve brought it up has been that of VC. So the virtual chief information security officer, um we receive emails every week from listeners and they ask us good questions about it. Uh this past week, one of the two of the questions that I thought were sort of interesting was uh can you help me with some VC so materials? And then the second question, which was kind of a play off of that one is like a framework of where to start. So this is a good opportunity because brad and I talked about this quite a bit. Um but you’ve hired vcs. Os you’ve, you know, been here uh long enough to see us kind of build that practice together. Um What would you give? I mean, what do you look for when you hire a VC? So I mean, is there something specific that you guys are looking for?

[00:37:34] John Harmon: Yeah. So from from the business side of things. So as I’m looking for people that I would, you know entrust our customer relationships with. I’m looking for exactly that I’m looking for somebody very relationship driven as much as there’s a technical process, you know, kind of side to how do you get started as a VC. So, and walking through all the steps of the engagement and kind of what’s on the contract. Uh you got to have people who want to be in a relationship, You have a heart for service. Um you know, you gotta have the right background. You got to pass the mustard in terms of your chops to be able to do this. And when I say that uh I’ve never, I think given any preference to anybody who’s actually been a. C. So right. That’s not what I’m looking for necessarily. I want to be able to tell customers, hey, you know, this is this is a very personal relationship. We’re not assigning you to Team Orange. Right? This is your person. You should feel comfortable texting them, emailing them, calling them. It should be a good personality fit, right? They should want to understand and want to help you and you should always feel, you know, supported in that way. And so when I’m talking to potential candidates for our R. V. C. So team from my part because I’m not going to be the technical validation piece of this. I want to know that you’re interested in customer service. I want to know that you’re interested in relationship. I want to know that your collaborative. I want to know that you’re not going to go off on your own little island and do it your way that you’re going to work with our team and help make us all better. That’s that’s what I’m looking

[00:39:09] Evan Francen: for. Yeah, that makes sense

[00:39:11] John Harmon: that those intangibles, right? We talk about those a lot around here. Right?

[00:39:14] Evan Francen: Right. And the way I’ve always approached, you know, Bc. So engagements is you know the same way I would approach it if I was the sea. So right. Um in any I think good see so would start with an assessment. I mean, you just can’t yeah, you can’t fix what you don’t know, you you have to diagnose the problems, you know, or validate the things that are actually working really well. But I think every C so you know, has a vision for what the security should look like, you know, in an organization. And so it’s playing that vision out now if you don’t have that C so experience which most people don’t. Right? I mean there aren’t, you know, there’s not a ton of Csos out there.

[00:40:02] John Harmon: Right. A big problem in our industry. Right? Just short short of hands.

[00:40:06] Evan Francen: Yeah. So, and that was one of the reasons why we went down this path of creating the S to Oregon, creating the roadmap and everything like that was to enable people that don’t have awesome seesaw skills to be a VC. So, right, so do an assessment. The assessment is measurable. It scored its communicate herbal, um and then build a road map from that assessment. And the way you build a road map is every single risk that’s in uh your assessment. That’s called out in your assessment. You make a decision. Do you accept mitigate transfer avoid? Right. Those are the only four decisions you get to make and then plot them out. Those ones that require some action, meaning the ones that are going to be uh mitigate transfer or avoid require somebody to do something, the ones that were, you just accept the risk. You’re just saying whatever. I don’t care, I’m gonna live with that. Well then those things put on a quarter, what quarter are you going to be able to accomplish this by? Right? So you start doing some prioritization uh and then you assign it to somebody who’s gonna do it. Some of those things, you know, are appropriate for a C. So or VC. So to do some of those things are not. Um So it’s all just road mapping, right? And then just execute uh and then continue to update, you know, whoever the leaders that B. R. Uh you know, where you’re at, where you’re going, when you’re going to get there and how much it’s gonna cost. I mean, simplify it, don’t don’t overcomplicate things. Um And that’s that’s just, I mean, it’s so it’s a simple approach to being a V. C. So it’s not, I’m not looking for a specific framework, you can get really crazy quick, you know, if you’re going to say, you know, start throwing it on a bunch of acronyms and see how that works with your Ceo, right. You know, I guess that’s who you’re pierre is or that’s the person you’re reporting to or you know what I mean, depending on the structure of the organization. You know, if I start throwing around and I. S. T. S. P. 853 and N. I. S. T. C. S. F. And Colbert and I. So and gone right and just shadow on myself. You know that whole, you know what I mean? It’s not going anywhere. But if I can explain to them in every organization is different. So I think if you’re looking for a handbook on this is how you do it and every organization, every organization is different. You have different relationships. So you have to be flexible. Um You have to you have to identify with whoever you’re working with. What motivates them. Is it the mission? Is it money? Is it what? Right. Um So yeah it all comes down to the relationship. There is no specific framework. But you know what brad and I are writing a book on this?

[00:42:48] John Harmon: That’s right

[00:42:49] Evan Francen: yeah. For Smb s how do you do VC. So systematically measurably where you’ve got dual accountability? So the accountability for the sea. So and csos accountability of the client. It’s a two way street. Right? It’s just like any other relationship. So if everything is just the client expecting the VC. So to do stuff that’s not a good relationship, there also has to be accountability from the V. C. So to the company to do their stuff. That’s why it’s so important to have this assessment roadmap measurable. Itty. So then there’s this dual accountability back and forth. Right? So uh some see so so the first question, can you help me with some VC. So materials? Uh, it’s as simple as that. Do do an assessment, build a road map and execute on the road map.

[00:43:38] John Harmon: Now it’s just built in the security studio for a reason. Exactly. We know this works and we’ve seen it work, you know, hundreds of times and building security programs. I think people get too hung up when the well am I skilled enough for what do I need to know in order to build an effective, you know, security program? Well, that’s what the assessment helps. You understand, You know, if you’re the kind of person who, you know, has learned how to learn, you know, the assessment and the associated, you know, measurements of risk. It’s like, okay, if if the what boils to the top of the top of the list is asset management, okay, go dive in, go figure out how to get an inventory of everything you have, you know, your physical assets, your heart, software, your data, you know, all that kind of stuff. Um that’s not a difficult thing to do. But how do you know to do it unless you understand the associated risk of not having it. So start there and you know, that used to be a monumental task because there was, it was nothing out there, you know, other than a cobbling together of many tools and homegrown methodologies, you know, now you can simply log in and go get that info

[00:44:43] Evan Francen: right? Yeah. And some of the best, some of the best csos that I’ve ever interface with are not technical geniuses, they’re good people that understand relationships, they understand how to get things done, they understand how to build teams, uh so they have teams of technical experts in certain areas and they know how to build trust, they know how to delegate. I mean it’s just Leadership kind of Wanna one stuff in smaller mid-size companies where you know, you don’t have that VC. So you know, I still have to have those relationships, you just don’t maybe have to have those team building skills and all those other things, but you learn those as you go to. Um So yeah, I would say that if you are new to the whole VC, so thing go to security studio, create a new account, they’re free um create and do an S tuareg assessment of either your company or a fake company or whatever uh and then go through I think the roadmaps of premium features, so there would be a pay, you know, feed to that, but you can also take uh as a short, you know, if you don’t want to pay the fee, take the action plan which is one of I think the four or five deliverables that comes from the S tuareg take the action plan.

[00:46:04] John Harmon: Exactly,

[00:46:06] Evan Francen: and I think that would be a better way if you want to learn it as opposed to just kind of trusting you know online but uh yeah go do an S. Two or create a road map out of the results and then start execution,

[00:46:20] John Harmon: be speaking speaking from you know, kind of the sales and marketing and customer, you know, side of things too. Um the conversations that I am in and have been in around virtual sees or fact program at fr secure nine times out of 10 when we win those, the feedback is we liked it because it was so simple, simple, right? It wasn’t overcomplicated, It wasn’t, you know, it has precedent elsewhere. That’s also a big thing for people is that you know, we have an understanding of experience with this. It’s not like a, you know, it’s core to what you do. It’s it’s not a one off but also it makes sense to people. It’s like oh of course you would do it this way when when we finally lay it out there like oh that seems really simple. Like yeah it kind of is it’s it’s a basic framework but when we um you know, get into it a little bit, you’ll understand and and start to, you know, see how some of the nuance comes out but it doesn’t need to be mystical. No, it needs to be simple, it needs to be very straightforward to be understandable by people who don’t speak this language every day.

[00:47:22] Evan Francen: Well, it’s not just buzzwords? When I say complexity is the enemy of security. That’s the absolute truth. So get it in, you know, whoever get it into your head, that that is the truth. So wherever and whenever you can simplify something insecurity, that’s a win. So if you can take an assessment, take an assessment, simplify it. And really, when you look at the assessment, it’s not a simple assessment. What it produces is simplicity. Right? I mean, at the end of the assessment is a simple report, a simple score. A simple wrote, you know, roadmap.

[00:47:58] John Harmon: That’s the simple part, Right? I think it’s like, don’t don’t mistake simple with, you know, incomplete. It’s very comprehensive. It covers all the things that you wanted to cover. So that’s important. When we say keep it simple. It’s not to, you know, damage the integrity of of what you’re doing. Don’t don’t don’t ever compromise the integrity of um how comprehensive this this assessment or or the work needs to be. But it should be very easy to understand. It should be very straightforward. It should lead to the correct conclusions of where you should start building your program and that’s what you mean by simple.

[00:48:34] Evan Francen: Yeah. And I think in this industry we I wonder if we don’t purposely Complicate things, you know, because it’s like, my God, 10 steps to decommission a user account. How about to you know, I mean you just see that all the time where you see companies add additional steps for really, really no reason. And you see the same thing with technologies, you know, I was talking to a large global company and they were thinking about buying, they needed a technology to do something, I can’t remember what it was, but I was asset management. No, I can’t remember, but I was like um what technologies do we currently have? I mean what do we have a technology library, you know, or anything? Like just like uh an inventory, the tools that we use here. Oh no. So we might already have a tool and I’m guessing you probably do that does this thing that you’re asking to do rather than go out and buy another tool. How about we just see if we have a tool that already does it? Oh yeah, well then we came to find out that we had like three tools that did the one thing that they needed this, other that they were thinking about going to buy this other tool, I think it was user account commissioning Decommissioning something like that. I can’t remember exactly what it was. But anyway, you see that a lot where you know, let’s go and buy another tool, let’s go and buy another tool. Let’s go throw more money at it rather than like wait a second,

[00:50:02] John Harmon: that’s what they already have a

[00:50:03] Evan Francen: solution to this, That’s

[00:50:04] John Harmon: what the manufacturers have conditioned us to do, But you know, and um, I’ll say this to, you know, and kind of a parting complexity is the enemy kind of thing. And this is kind of a made up, you know, kind of be a story but illustrates, you know, the difference between knowledge and genius, right? Knowledge is understanding, you know, very complex things and being able to work within those things, build complex things. Genius is being able to simplify those things. Um, and the story that I was told and this was my God, It was early, early, early in my kind of childhood. I had a teacher at my church that used to say things like this and he said, you know that Nasa spent, you know, millions of dollars and all this research and you know, all these really smart people developing a pen that would write in zero gravity. They figured out that, you know, fountain pens are a disaster in space, right? You got to write things down. They invented this pen that wrote in zero gravity cost them all this money and all this time. You know what the Russians do

[00:51:03] Evan Francen: pencil, They use a pencil. Exactly.

[00:51:05] John Harmon: You know what I mean? It’s like have that kind of mentality. Right?

[00:51:08] Evan Francen: Yeah, totally. All right, real quick. So, we got two more things before we wrap up the show and that’s always me. Uh one is where we go in this week and then to just three news stories. So first off john where are you going to be this week? What are you doing? This is week two.

[00:51:25] John Harmon: Yeah, week two. I’m heading to Madison Wisconsin steve Kraus and I are going to be uh with our friends that applied tech, they have uh, you know, kind of a gathering of, of their customers, a lot of business leaders would be a good kind of mixed group of technical and non technical. Uh we’re giving, I think it’s like a 30 or 45 minute presentation on the merits of risk assessment and you know, all of that kind of thing. They were good partner for us. They do a lot of assessments for for their clients currently and we’re kind of launching this, this new thing. So that’s where I’ll be uh and hunting barbecue out there as well. So if anybody has any recommendations for barbecue in Madison Wisconsin or on the way to from Minneapolis, I would love to hear them because the cross and I are going to get down on the barbecue.

[00:52:06] Evan Francen: Nice, nice. Well being orange county California. That sounds way warmer. It does sound warmer, but it also sounds a lot busier like, you know, that’s just like south of L. A. I know man, but you know me central part of the country is my kind of my people. I think everybody, I’ll eat this and I’m generalizing I get it. People at least are rude people in the west are crazy. So like, I just want to stay in the middle part of the country, so I’m going to, you know, in, uh, in my twisted mind, uh, crazy part of the world,

[00:52:44] John Harmon: my big brother who lives in, uh, Montana, you know, it’s where we grew up and you know, Montana state motto is go home, right, spending money and go home. They’re like, there’s more people in Minneapolis and there’s in the state of Montana, so they tend to get a little myopic. But um, he says, whatever you like about your particular part of the world, California has a better one. Yeah, because they have better legs, you like mountains, they have better mountains, beaches, they have better beaches, California is the most beautiful place in the most completely wonderful bit of nature on the planet. And he says, the problem is Californians, right? It’s like, dude, you can’t say that out loud. You know, two people you gotta watch, watch

[00:53:24] Evan Francen: what you say well. And it’s funny because every time I go to California, I love it. I mean, I really do, I always meet really, really good people and I don’t know why. Exactly. I don’t know if it’s just too many people or what, but my God, every time I just exhausted every time I go there, but I always have great experiences. People are always nice to me.

[00:53:42] John Harmon: I think in contrast to to, you know, where we live, it’s just like very dense, Right? The traffic is terrible. There’s people everywhere. It’s like you, there’s no solitude, right? It tends to be a little stressful if you’re not used to it. Yeah, but the people, I’ve never had a horrible or bad experience. Me neither California. There’s always, you know, there’s always people write their reports, the airport, whatever. But yeah, I think you’ll have a great time.

[00:54:06] Evan Francen: Yeah, I’m looking forward to it. I’m speaking at the Orange County chapter of Osaka, uh, one day I think tomorrow even. Um, and then I have a bunch of meetings. So I’m excited about that. I’m excited to meet new people and, you know, collaborate, you know, get some new partners and you know, all that stuff. So that’ll be a lot of fun. So just like john though, I’m also looking for barbecue in the Orange County area. Uh, yeah, but if you, if you don’t have recommendations for me, I’ll find it. I mean, we have ways

[00:54:40] John Harmon: well in that part of the country to a lot of people relocate, there was a very desirable place to live and they’re coming from places where there’s Austin barbecue, they tend to bring it with them. So we’re going to find some good stuff out there is uh, if you like food, Los Angeles is a great place to be. Yeah, yep.

[00:54:55] Evan Francen: All right. 3, 3 email are three news things quickly. The first one is uh, from zd net? It’s tax and P II. That stands for personally identifiable information because I’m an expert. You know, I was an expert, right?

[00:55:11] John Harmon: I don’t know. I’m an author. I’m gonna fact check that.

[00:55:13] Evan Francen: Okay, Texan P II records of 20 million Russians stored without encryption leaked online. I don’t know part of me, you know, being, you know, I’m still, I I grew up Cold war was still a thing so ingrained in me, the Russians are still enemies. Uh so a little but I mean I’m just being honest, right? A little part of me is like yeah,

[00:55:38] John Harmon: awesome. Yeah, there’s no war, man. Yeah, I know,

[00:55:41] Evan Francen: but the sad thing is, is citizens suffer at the end of the day. People are people and people do suffer when we expose information. Uh So an online database accessible to the public. This is uh Cybersecurity researchers from comparator check in partnership with Bob Dyachenko Uh said the unsecured server contained highly sensitive information spanning from 2009 to 2016. Uh This was in a W. S. Believe it or not not protected by any form of credential requirements or encryption. Uh So it’s bad. That’s bad. 20 million potentially affected assume roughly 20.8 million user records were involved including names, family connections, national ID numbers, dates of birth and financial data. So it’s not just the americans. The Russians also have their problems.

[00:56:43] John Harmon: Yeah, I I don’t know if I have any anything to add to this. It’s bad all the way around. It’s indicative of simple things not being you know implemented and accept the

[00:56:53] Evan Francen: fundamentals is what you’re

[00:56:54] John Harmon: saying that just a general lack of care if you’re going to be a custodian of this type of information, it’s your duty to protect it and if you can’t you said duty yeah if you can’t handle that responsibility then don’t take it

[00:57:08] Evan Francen: right agreed 100%. Next articles from silicon angle. If you put anne in there be silicone angle, totally different meaning

[00:57:18] John Harmon: for a website and don’t go to that website.

[00:57:20] Evan Francen: No silicon angle uh Iranian hackers target Trump 2020 re election campaign and just like uh man the whole political landscape for this country is so divided. So I’m guessing you know half of the country is yeah stick it to him and the other half is like what? But either way when you have a foreign um actors attacking Anything. So if the Russians attacked the 2016 election, that was bad. If this is true, this is bad, right? It’s always bad when you have a foreign actor interfering with state affairs. Uh but a hacking group tied to the Iranian government has been attempting to break in now from what I read earlier, they didn’t actually get anything but they’re targeting right? And this came I think Microsoft email was the primary attack Factor 2700 attempts to identify consumer email accounts. Uh then they targeted 241 accounts tied to the target Trump target Trump to the Trump campaign as well as current and former US government officials, journalists. Uh last I read i in this article this specific article, I’m not sure how many they got, but uh I’ve heard previously four accounts were actually compromised and none of them belong to the trump campaign, part of the phosphorus campaign.

[00:58:52] John Harmon: Yeah. So my theory on this and and is uh you know, dyed in the wool conspiracy theory um is that these attacks and and all of this, um all of the coverage and all of the sensationalism around elections and and foreign governments influencing is less about them actually influencing and more about chipping away at the confidence of the american people in our own systems, that’s it, Right? So if we if they’re saying yeah, yeah, hey, we we have proof that the Iranians got in or the Russians manipulated or whatever the impact of that given the disparate nature of our election systems uh is got to be, it just intuitively pretty small, but it’s coming from a loud place. And so if we don’t have confidence in our election system, then we won’t have confidence in our election officials. And I think that’s the aim. If I’m a foreign government is to manipulate the confidence of the american people by doing this kind of thing.

[00:59:54] Evan Francen: That reminds me do you remember that one lady who came up to me after my talk at B sides and said she’s a psychologist. Yes I can. And she asked me what her is there a role for somebody like her and information security was like hell. Yeah there is. I mean you’re talking right here about the psychology behind you know, attacking uh because there’s always more than just the One effect, right? You take like the terrorist attack on you know at 9:11. Yes, there hasn’t been another terrorist attack like that, you know. So you can say well, but look at all the other effects, right? How much money has it cost the U. S. Citizens to secure our airports the way we do it

[01:00:34] John Harmon: now and turn the whole world on it.

[01:00:36] Evan Francen: Right? I mean, so there’s more than just a a single cause and effect there’s many effects, you know? So you just mentioned one, you know, just the lack of confidence in yeah. You know, how much money did we spend on the Mueller investigation to investigate? You know, Russian interference. I mean millions of dollars. Right? And did they find anything? I don’t know. I didn’t read the report, but I know it costs have a lot of money and I have a lot of coverage

[01:01:07] John Harmon: and it was in every news cycle for long, right? It’s psychological attacks. It’s it’s disrupting confidence is disrupting our solidarity, you know, as as a country. Um you know, and I hope I hope I have faith I have confidence. I know some people don’t, I know there’s dissenting opinions on that, but I have great faith in americans. Overall things really get tough when, you know, where the rubber meets the road we stick together and you know, it’s um, you know, it’s gonna be just fine. All of this is just entertainment. It’s just theater. It’s just something for, you know, people that talk about at the dinner table or whatever.

[01:01:45] Evan Francen: Even if it’s not gonna be just fine, I’m a prepper. So

[01:01:48] John Harmon: yeah, right. You got your bug out spot. You know, all that kind of stuff. I know like my neighbors in my neighborhood is very widely varying, you know, perspectives on the world, but we all hang, you know, the flag outside of our house. Right? Yeah. Well, I pride

[01:02:05] Evan Francen: Last news I got is from a hack read .com and the question and the title is, can ordinary and this is an easy one. Can ordinary companies keep up with data compliance regulations. The answer is no spoiler alert. You know, there’s a lot of words in here. But ordinary companies, the answer is no. The ordinary companies, you know, 80 90% of them don’t even do risk assessments. So I can only imagine ordinary companies trying to keep up with compliance regulations when you’ve got, you know, G D P R CCP A hip hop, P. C. I. D. S. S, most of them don’t even know what these things stand for. I mean truly, if you get out there outside of the security industry, people talking amongst ourselves, this is one of the reasons why it’s so cool to go out on the road show too, is you get to have perspectives from people who don’t even have a clue what the hell I’m talking about. Normal people. Ordinary companies don’t know what this stuff means.

[01:03:07] John Harmon: Yeah, when and again, all the acronyms and all the, you know, hip what is it? 45 CFR 1 60 for, you know, all the the legalese around this. It confuses people, they don’t know what to do. And the thousands of meetings that I’ve had with people who were asked me about this when I explain it there, just like that’s it like yeah, they want you to think it’s confusing so they’ll, you know, you can spend all your money on it. Like it doesn’t need to be that. But

[01:03:37] Evan Francen: Well, in the way security works, if you do security, well, you’ll be compliant if you do compliance, well, you won’t be secure, so get get your order right. You know, so, I mean, there’s some good some good recommendations here, like how do you make data compliance or reality for your company, one appointed data protection officer. Most ordinary companies don’t do that. Don’t know how to do that to set security controls. Well that’s pretty open ended. So Mhm. I guess the basics, the fundamentals, three increased visibility into data access and uh yeah, so, I mean, it’s a uh what caught my attention with this article was, can’t it was the question, can ordinary companies keep up with data compliance regulations? Because immediately my my head, I’m like, hell no, they can’t.

[01:04:27] John Harmon: Yeah, so that would be a one word article for me. I

[01:04:31] Evan Francen: know, right? Uh And the article like I said, it’s it’s got good recommendations, but normal people aren’t reading this anyway. Ordinary

[01:04:38] John Harmon: company, if I can say the reason why it’s, nope right? It’s not because companies are stupid or they can’t, you know, keep up or whatever it is, that’s that’s not what it is. It’s an impossibility, right? That this is uh this is one of those things that the pursuit of its folly. It cannot be done. So it’s not not the state of our businesses and their inability to do things, right? Right. It’s that these laws and these rules and these compliance, these are absolutely ridiculous and impossible,

[01:05:09] Evan Francen: right? It’s true.

[01:05:10] John Harmon: So, if you can’t follow the letter of the law, follow the intent of the law, build a good security program at least be defensible and then make adjustments to compliance as you need to, yep,

[01:05:20] Evan Francen: that’s the way to do it. And we would say people were biased, but I think logically uh sound start with the next to or get an assessment done, build a road map, start managing risk, you know, get off on the right

[01:05:34] John Harmon: foot. All of this stuff is, you know, I use the word primordial ooze, right? All of this stuff comes from the same standards. It comes from the same primordial ooze. All of these compliance. These are just derivative of other things. So what are the source? Right. And that’s what, why we keep pushing and prodding people to do assessments and s to Oregon and you know, whatever. It’s because it’s all based on the same stuff. So do it on your terms, get your interpretation of it before you start following some other yahoos, you know, three steps removed. It’s like a game of telephone. They finally come to these conclusions and make you do things and they’re not helping security risk at all right. Yeah.

[01:06:12] Evan Francen: All right. Well there you have it. Uh, we’ve got another busy week ahead fixing the broken industry is actually have a lot of work

[01:06:20] John Harmon: rewarding work though.

[01:06:21] Evan Francen: Yeah, there are days, there are days when it is very rewarding. There are days when it’s like, I just need to go to Duluth and sit in a camper for a weekend. Uh I’ll see if brad is up for talking about the cybersecurity maturity model. Cm I’m sorry cybersecurity maturity model certification. The C. M. M. C. Which is really starting to gain steam. Uh yeah, we’ve had some people ask about us talking about that. Um, thank you for our loyal listeners. Thank you for your tips and feedback. Send your wisdom, questions, advice, whatever by email to UN security at proton Mail dot com. If you’re the social type socialist with this on twitter, I’m @EvanFrancen John is @HarmonJohn. So just your names reversed and also follow security studio. Uh, it’s @SecurityStudio. Again, another reversal. And uh yeah, and watch the S two roadshow. Hashtag so hashtag s two roadshow. That’s where we’ll be posting our next barbecue stuff and whatever else we’re doing right. That’s it. We’ll talk to you again next week.