Evan and Brad talk about the vCISO role and responsibilities as well as discussing what someone would have to do to become one. The guys also chat about Evan’s recent trip to Bulgaria and make an exciting announcement.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[

[00:00:23] Evan Francen: All right. Hi folks, Welcome to the un security podcast. This is episode 45 joining me as always is my good friend Brad Nigh. Brad will say, hi,

[00:00:35] Brad Nigh: hi Evan and listeners.

[00:00:37] Evan Francen: Right? Yeah, I know we forgot that last time. Uh, it’s good to be back in uh, in the office again. We tried to record this yesterday and I was in Washington D. C. In a hotel room and you were here sitting right where you probably at right now exact same spot. And uh, yeah, the quality was terrible.

[00:00:58] Brad Nigh: Yeah.

[00:01:00] Evan Francen: But here we are. I’m sitting across from my buddy. I can see him and I could look him in the, in the eyes and we can talk about security things and such. Let’s do this. All right. Let’s start off by just catching up. These are the show notes that I wrote last week. So I want to just sit, sit down and catch up. We’ve got lots of things going on. Um, I know it was, you were so busy last week that you had to cut your friday short and get some rest. I

[00:01:27] Brad Nigh: kind of overdid it a little bit, I think had been a couple of weeks of uh kind of building up and yeah, but it’s good for them much better and took the weekend and kind of just recharged, spend some time with the family,

[00:01:41] Evan Francen: it’s good, it’s so easy to get unhealthy in this industry, you know, it’s doing what we

[00:01:46] Brad Nigh: do. Yeah, yeah friday. I came in about six and about 9 30 I was just like uh I’m not gonna get anything done today, I just, I just can’t focus, just hit a wall, just just done, luckily I had the day blocked for some internal work, I didn’t have any meetings or anything, so that wasn’t, that was pretty good. But yeah, it was,

[00:02:12] Evan Francen: it happens, oh yeah, absolutely, it happens to all of us and I think uh you know, I was just, I was thinking, you know, I’m going to be on the panel today, you know, we were just talking about a couple hours and one of the shirt, I was thinking about wearing a t shirt under under a sport coat because these are like corporate, corporate um people and so being up on the panel with a t shirt. But I wonder where that mental health hackers shirt because uh it’s, man, if you don’t keep an eye on it, I think this job will kill you.

[00:02:46] Brad Nigh: I think part of it is is just our personalities that kind of get drawn into this and where you just just focus, right? And yeah you just lose track or we were talking, you know, the I r, you know, Oscar was saying he was up a couple weeks ago looking at uh some malware memory dumps and stuff until like three a.m. And realized oh man I gotta I gotta get some sleep. You just you know, I’ve done the same thing where you’re We were looking into it and I got up and it was like 11:00. I’m like I haven’t moved out of this chair for like eight hours gets away from you. It’s not not the best thing but

[00:03:23] Evan Francen: no. Speaking of Ir how’s that, how’s that going there? Still ongoing. The wonderful ongoing talking about for weeks.

[00:03:30] Brad Nigh: Yeah, still ongoing. Um Mostly contained. Now we’re just trying to do some troubleshooting to eliminate, you know how if they put a new machine up it’s getting infected. It’s uh I can’t really give details but

[00:03:50] Evan Francen: no. Okay so if you know brad personally give him a call and asking me if you can tell you in private.

[00:03:56] Brad Nigh: Yeah well we we have asked for some assistance and are waiting on it. Okay. Yeah, this is this is what it is.

[00:04:05] Evan Francen: So in this in this ir it’s been kind of funny. Not funny but entertaining somewhat in a can I I don’t know that’s probably not the right word either. It’s but just watching almost like unfold with this whole

[00:04:20] Brad Nigh: thing. It’s kind of like, you know when you see like a car wreck on the side, everybody stares. It’s kind of

[00:04:26] Evan Francen: but this is like car wreck with like the mother was having an affair and they were arguing in the car. It was you

[00:04:33] Brad Nigh: know? You know? And I do feel bad for some of the people involved with this that are working. That we’re not involved in creating the environment, right? And where they’re at and having to go through, but

[00:04:48] Evan Francen: only when we already have a job casualty. Yeah,

[00:04:52] Brad Nigh: at least at least

[00:04:53] Evan Francen: one. So at least one. Yeah. Bummer. All right. So yeah, that that continues to go well. Last week I was in Bulgaria. I I didn’t listen to the podcast, so I have no idea if I even came across on the you turned

[00:05:07] Brad Nigh: in a couple of times.

[00:05:08] Evan Francen: Okay. I was sitting at a coffee shop outside of in Sofia and It was a great place. 50 cent uh espressos.

[00:05:19] Brad Nigh: I said, I think my comment was Evan’s heart rate is roughly that of behind me. Birds.

[00:05:23] Evan Francen: Yeah, man, I had like a lot of moving $1, bill is going to get me like 10 espressos. Are you kidding? Yeah, it was awesome. And then I learned that culture, there’s just so much different if you ever get a chance to go to eastern europe and maybe we’ll bring you and I can go sometime because it’s weird. It’s not, it’s weird, but not weird. I mean it’s just uh there’s no bs. They’re you know, everybody pretty much told me what they thought. Yeah,

[00:05:53] Brad Nigh: I

[00:05:54] Evan Francen: know, right? You didn’t have any any window. you don’t like, What are you really saying? Uh Dinner’s worth three hours long. I didn’t like that. I’m a five minute guy.

[00:06:06] Brad Nigh: Uh I’ve eaten dinner with you. You don’t mess around. No man, get her done with you.

[00:06:13] Evan Francen: So yeah, it was good. But you know, eight hour time difference. You know, a bit about 20 hours each way and travel yesterday there last week. That kind of just sort of killed me. And then like yesterday in Washington, D. C. Just for a couple of our meeting

[00:06:29] Brad Nigh: was saying, you don’t know what time it is at this point?

[00:06:31] Evan Francen: No, but that’s okay. It’s good. I love being here. This is my favorite place to be. But we’re both embarking on this huge travel schedule. I mean you’re going to be traveling a lot here soon.

[00:06:42] Brad Nigh: Yeah, I think I figured out like basically 11 of 32 four days coming up,

[00:06:49] Evan Francen: 34 work days are just

[00:06:51] Brad Nigh: 34 days. 34 business days. I’m sorry, 34 calendar days. Yeah. Okay. There’s some weekend trips. You know,

[00:07:00] Evan Francen: when when does that travel start? And

[00:07:03] Brad Nigh: when does it? Uh basically into september through october end of october. It’s not too bad. No. Yeah, that’s where you you feel bad for the life.

[00:07:14] Evan Francen: I know man, my admin. Who is my wife? Uh We were talking, there’s one week in I think october where I am one day in Chicago? The next day in I think uh oh north Carolina and then the next day in Dallas

[00:07:36] Brad Nigh: see I can’t complain about my travel schedule. It’s Cruz is insane. It’s crazy

[00:07:42] Evan Francen: man. But I love it. Sometimes. I’m hoping, you know, I can bring my wife on one or two of those legs of the trip. Yeah,

[00:07:51] Brad Nigh: but anyway,

[00:07:51] Evan Francen: it’s the life we live and then heading back out to Rochester again to work with the big blue out there. I heard about that. All right. So we have other things that happened this week and then we’ll get to some some good stuff. Uh more Metro program success. Uh you know, we do the metro program, the ci city metro program here Done it for the last 10 years. It’s been so cool to see all the faces come through. You know, I remember when we had six, our first six, you know, 10 years ago this last year, 530 you’ve done, I think the last three with me. And it’s just, it’s like the gift that doesn’t keep doesn’t stop giving because people pass their test and then they tell you thank you. And

[00:08:36] Brad Nigh: it makes it really does make it worthwhile to hear that. So yeah, it sounds, I don’t know, maybe a little self serving, but it is it it’s it’s nice to hear that. So, you know, you know, I think, I don’t know if you have that same issue. I sometimes go am I really providing a lot of extra value for talking through this and I guess so. So it’s encouraging to hear. So

[00:09:02] Evan Francen: yeah, I mean it’s almost coming like once a week we’re getting once or twice a week we’re getting some sort of, hey, you know, thanks for the videos on Youtube. Hey, I just passed my test or you know, something. It’s really good. It feels like it feels good because it feels like you’re contributing. You know, we have this talent shortage problem and I’m not just sitting on my ass not doing anything about it.

[00:09:26] Brad Nigh: Train right? Yeah, exactly. Doing something and you know, being totally honest, it’s a good refresher for us to, I mean, I know every year it’s like I haven’t thought about that since the last time I don’t do it. So it’s a good, it’s a good way to stay, you know, fresh on the material and not, not forget things.

[00:09:50] Evan Francen: Well, how much is in what we do every day? How much is the basics? Like if you master the basics, oh,

[00:10:00] Brad Nigh: Like 85% easily, 90%.

[00:10:04] Evan Francen: So you know, going through those basics once a year, I think makes you so much better security person. I think every security person should just go back and revisit their CSP materials once a year.

[00:10:16] Brad Nigh: Just like I just felt like millions of people cringing or hundreds of thousands, I guess hundreds of people I don’t want to, but it is, it’s so it is so useful, especially in the domains you don’t work in. Right, right. And, and realistically people don’t work in all eight domains or in all areas of all eight domains might work across multiple. But nobody that I’m aware of works across all of them.

[00:10:48] Evan Francen: No, you just can’t. Information security is too broad. But anyway, that’s cool. So we got, you know, we’ve had people

[00:10:56] Brad Nigh: Approed 20 or 25 people ask us for endorsements or tell us yeah,

[00:11:01] Evan Francen: Yeah. And you think that means that there’s 20, people that passed at least at least. Right. Because some of them, probably no other people, they can get their uh, you know, endorsement from another one is, you know, we have short, I’m like everybody else. You know, you have this short term memory Thing, right? Just, we just did 9, 11. We just celebrated or remembered 9 11 Last Week. And it’s hard, it’s hard to believe, man, that’s been 18 years. I still

[00:11:32] Brad Nigh: Remember that. Right? Yeah, 18 vividly. Where was that? Crazy?

[00:11:36] Evan Francen: But you know, you go about your daily life and then you forget and one of the things I really missed about that time period was just how unified. Yeah, we were. But anyway, it’s this uh, it was only a few weeks ago we did this civic duty thing where we were asking or calling people to go and talk to their mayors, talk to their city administrators, county administrators, whoever to get answers on how they’re protecting themselves or the community from ransomware. Well you know then we all kind of go off on her. We saw a lot of activity and then you know things to take you away. But then one person that I just wanted to give some kudos to and he’ll know it when he listens uh uh he messaged me and linked in and he’s still going at it and I’m just so like pumped about that because it reminds me that yeah why did I just sort of stopped that effort? I need to go back out

[00:12:34] Brad Nigh: there. Yeah me too. I thought we had made some progress and then it just I was waiting to hear waiting here and yeah life happens and I haven’t done anything for

[00:12:47] Evan Francen: a couple weeks now. Have you seen this message? Because I think yes okay. Yeah. Isn’t that cool? So he’s still going going after it. And and then he did a little minor ocean uh you say did a little checking into the right to budgeting. And uh they mainly outsource the purchase of new equipment given this level I. T. Sophistication. I doubt they have anything formal in place. I think my next action is a series of phone calls. So this is somebody who’s respectfully I read his letter. It

[00:13:17] Brad Nigh: was very well written.

[00:13:19] Evan Francen: Yeah it means respectfully going and asking his town supervisor for information on what are you doing to protect me and uh the citizens in the town

[00:13:31] Brad Nigh: and didn’t just ask but also provided references and some hey if you’re curious here’s the stuff we’re seeing and how you can help prevent and stuff. So it’s really I thought it was really well we’re in.

[00:13:42] Evan Francen: That’s really cool. All right. So this is uh episode 45 of the un security podcast. We’re only seven away from a full year. Yeah. It’s cool to see. So you know you and I both geek out on numbers and so you know you do the trend of number of listeners from when you started back in last november to what it looks like now and it’s just really cool to see that grow. Uh But we always love hearing from our listeners to. So if there’s something you’d like to hear us cover um we’d love to talk about it. And that’s one of the things that we’re going to go into now is we get when we talked a few weeks back we talked about the V. C. So the virtual chief information security officer and I personally got Maybe four or 5 ah messages or emails about, hey you know I want to be a V. C. So that’s what I aspire to be. So it seemed to touch a nerve. So I just want to talk more about VC. So I wanted to talk about the opportunity in terms of VC. So it’s not going away that opportunity will certainly grow. There’ll be a need for many, many more. So

[00:14:54] Brad Nigh: we’re seeing not just the kind of that small mid size market. We’re starting to see larger companies come and say, hey we need we need to do this and we can’t justify the cost or all those, all those same struggles you hear from the smaller companies, we’re starting to see from larger, you know. Mhm. What you would consider more enterprise level, you know, organizations. So it’s kind of cool. I

[00:15:24] Evan Francen: Wish I could figure out how to turn off. I mean I probably if I was more technical I’d be able to figure out how to turn these notifications off 15

[00:15:31] Brad Nigh: years ago. You could have done it.

[00:15:33] Evan Francen: 0 15 years ago. Right. I could have done it without. I could have done just by

[00:15:37] Brad Nigh: uh

[00:15:38] Evan Francen: two keys on the keyboard shortcut somewhere. Yeah, but Alex Windows 10 and God knows Did speaking of Windows 10 just you know, because I’m always all over the place. You turn on facial recognition. We tried to have not I’ve been using it. I don’t know. I don’t know trees out. I like it because I have to take my best.

[00:16:00] Brad Nigh: I don’t know myself. I still have issues around biometrics as your I know you do.

[00:16:07] Evan Francen: I know you do and and and valid too by the way. Let’s make that a discussion maybe for next your next show is

[00:16:13] Brad Nigh: identification poor authentication can’t change it. It’s not a good, yeah.

[00:16:19] Evan Francen: Right. So the VC. So, um, I like the sea. So I think the sea so is healthy. I think it’s healthy for a customer. I think it’s healthy for as long as you’ve got a good VC. So as long as they’re being held accountable for certain things that are accomplishing those things, they’re moving your security program forward. And I think it’s healthy for the VC. So themselves because one of the things, one of the biggest benefits and I, you know, I don’t do it anymore. But when I was doing it, um, it was nice because I can drive this security program, but I don’t have to own it.

[00:16:54] Brad Nigh: Yeah,

[00:16:56] Evan Francen: I act like I own it, but I don’t really own it. The company owns it, you know, and I have that saying, I’ve said it many times in two hours I’m getting on a plane and I’m not going to think about you again until the next meeting.

[00:17:07] Brad Nigh: It’s funny we have, you know, so we were talking about what makes a good one. How do we do it and all that? And we have, there’s some people that just get that and understand it and there’s other than that we brought in that are phenomenal and security that struggle with. It’s not my program. Right. I ultimately, I can’t make that risk decision for the customer. I can give them all the guidance. All the recommendations. All the tools, all the templates, if they’re not going to do anything with it, I can’t make them and there’s people that struggle with that. It’s a hard and it’s a hard thing to do

[00:17:45] Evan Francen: well in the sea. So without the V carries a lot of stress. I mean they’re in the Bs there in the mind all the time. They’re dealing with the politics of the company and and everything else. And uh, you know, it’s, it’s sort of cool. So I was out in new york yesterday and you get so much more respect. It’s not probably good, but you get so much more respect as a VC. So they do as a C. So it seems

[00:18:11] Brad Nigh: it, I, I use that all the time where it’s like, hey, I get it. I’ve been in the situation where I’ve been saying, we’ve got to do this, we’ve got to do this, we’ve got to do this 10, 12, 18 months and then um you get consultant comes in for a day, half a day and goes, hey, you should do these things that he’s been saying for six months or eight months or whatever and like, oh yeah, it’s way more fun to be that guy to come in and help you. But the flipside is when we’re talking to like get where people are coming from, Everyone here has been in that position and we want to help out and do the right thing. So it’s a good partnership with. typically it, I mean realistically it’s usually it that we’re working with it is a good partnership because everyone here is kind of been through that and understands it and and knows a lot of that.

[00:19:06] Evan Francen: Well I think it also another benefit. So I think it’s healthier to be a V. C. So that it is to be a. C. So because I’ve been both see so you know you’re carrying with you all the time as a V. C. So I get to go from spot to spot and I’m involved, I own it but I don’t live it there. You know what I mean? I got stuck in it. But then I also get to take all the great ideas of things I see from all these different companies and steal them and make them my own. So I can if I see something like wow that’s really cool the way company B. Is solving that problem, I take it over to company

[00:19:41] Brad Nigh: A right one and that’s part of our value is now company is going to get is going to benefit from what all of our other customers that are doing things well and all the tips and tricks that we’ve seen. They’re going to get that knowledge being able to be passed on to them. Yeah.

[00:20:00] Evan Francen: So I think being a VC. So versus a C. So is healthier. I don’t think, I think it makes you a better security person um that the the market certainly isn’t going away. We have this severe shortage of security people in our industry. So a lot of companies can’t afford it. I was just out in D. C. Like I said yesterday and I was having a conversation with no the chief legal officer for this company. And uh she said, well, you know, as we were going through this thing, our director of security or whatever left and we’ve been trying to hire for like the last, You know five months

[00:20:43] Brad Nigh: in D. C.

[00:20:45] Evan Francen: Right? Exactly. Well in the last one they had they were negotiating salary and he asked for Like $1 million dollars of equity in addition to you know, very healthy salary. And it’s like, wow. Holy crap. Nobody can until they couldn’t afford it. Like. Yeah. Sorry. So and that’s that but out in D. C. Are dealing with a lot of government. You know, people coming out of the government which government and private sector two totally different things. So they are still struggling. So I’m like, well, do you need a full time? See? So I mean kind of VC. So can somebody who’s partial take ownership and run this thing for you? She’s like, yeah, I guess we never considered that. And I’m like, well that’s something to think about.

[00:21:31] Brad Nigh: And the other thing what we’re saying is the successful companies that really just take that concept and run is they’re doing that VC. So and then using that savings to hire some more maybe entry level or mid level security staff to get the tactical, so you get this Yeah, the hands on done and also train them up, right? You’ve got access to people with, you know, decades of experience in some cases. Yeah, let’s make use of that. So I think that’s a really successful approach that we’ve seen multiple places.

[00:22:10] Evan Francen: Yeah, yeah, I agree. And I think the way we do it works really well too because we put you RBC says are put into a system, you know, and you work within the system, not that you can’t be creative and think of other ideas, but those ideas that you think of those things that we should put into the system,

[00:22:29] Brad Nigh: we get asked that a lot in terms of that. And my analogy is we have a framework think of it as a playground, right? The structure is there, how that VC so uses it as soon as a kid using a playground and the monkey bars, do they go across it correctly? Do they hang from their knees, whatever the crazy thing is, but the same foundational structure is not changing. Same really? The same concept.

[00:22:54] Evan Francen: That analogy, I’ve never heard that from, you know, There you go. See

[00:22:59] Brad Nigh: creativity of wisdom. Wisdom. I mean the reality is that’s really what, you know, what we try to do is right, you know? And and I think overall it works pretty well. We’ve had some customers push back and say, well Then you don’t have consistency. Well, no, because you totally have consistent. Every and every organization is different. Do you want me to tell you, let’s just say you’re, you know, 500 employees in manufacturing to have the exact same security program as a 300 person bank. But that doesn’t make sense. But you need the same structure. But how we actually, you use it. It has to be different.

[00:23:38] Evan Francen: Yeah, exactly. Because, you know, we, and that’s one of our truths, right? It’s one of our principles that security and security is not a one size fits all. So what works over here is not going to work the same way over there. Right. The only way they could ever even possibly be true is if you had all the same business processes, he had all the same data and all the same people, you had all the same, you know, same physical location and that’s just not true.

[00:24:02] Brad Nigh: Right? But, you know, I would say there’s a lot of similarity across banks across. For sure, hospitals versus clinics versus right. There are similarities and verticals. I mean, that’s just the reality, but if there’s still no to security programs that are the same. Never.

[00:24:20] Evan Francen: No. So, All right. So let’s talk about how to become a VC. So, so for somebody who’s not a VC. So today and let’s let’s start with somebody who’s not experienced or it just doesn’t have a ton of experience, what would we, you know, because I got those questions this last couple of weeks and I was thinking, yeah, what, where should we take them? Right. And I think chris christoph, you know, to get into the industry, that’s a great thing. But then figuring out your career path once you’re in to become a B. C. So I

[00:24:50] Brad Nigh: think, you know, so the way I look at it, I think you’ve got to pass either when you get into security, either go into the governance and management up to see so or you go technical for pen testing. Mhm. What speaks to you? I mean at the end of the day, you kind of got to make a decision if do you want to go more management route or stay very technical and and hack things. So, you know, like that’s your first first decision. What do I want to, what, what do I want to do do want to deal with policies, procedures and people or, you know, breaking things,

[00:25:27] Evan Francen: praying things more fun

[00:25:28] Brad Nigh: without a doubt.

[00:25:30] Evan Francen: So how the hell did I find myself here?

[00:25:32] Brad Nigh: Yeah, no

[00:25:33] Evan Francen: excuse my wings.

[00:25:35] Brad Nigh: So I think, you know, from, from that, once you decide that I think and how do you decide that? Just personally? I did. I coming up? I knew I wanted to, you want to, I don’t want to say I didn’t want to stay in one place forever. But I also knew the more experience I had at the more places the better I would be. So you know his realistically you know historically 2-4 years and look at somewhere from an I. T. Or you know kind of coming up for some consulting in the back In 2-5 years somewhere in that range and kind of different industries and different markets and just understanding what’s out there that the variety really served me well

[00:26:29] Evan Francen: this one well and for me yeah and I think that you and I are that a lot the same in our take on this but it depends on how new you actually are. I mean if you’re new new uh immerse yourself in security you won’t know what path to take until you sort of explore many of them right? You might go down and you know I think well I want to be a pen tester because that’s you know looks cool. It’s a subculture. It’s yeah I want to be one of those guys or gals and so you get on that path and then you’re like yeah no I don’t like sitting in front of a council for hours and hours and hours trying to figure out this one little piece that I just can’t seem to figure out you know what I mean? It’s just it’s not for everybody but then you know exploring areas of policy process procedure training and awareness you know, all those things that go into that. I think once you sort of find your path, because I think you can start because I started out technical and you know, and I think it’s easier to come from a technical background than it is to come from like an audit background. So, uh but both ways go like Pat Joyce the Sea. So for Medtronic, uh I know him pretty well and uh he came up through the audit. Okay. Path. So he’s not super technical, but, you know, over time he’s learned enough things about technical to speak, you know, to understand how that fits into his vision for security. Uh So that’s one way. But then you’ve also got people like me and you who came up from a technical way and work their way through

[00:28:09] Brad Nigh: and, you know, I think that’s a good point. If you’re coming technical, you’re going to have to learn how to speak to the business and the business side of things. And that’s been, you know, that’s been my biggest challenge. The technical piece comes pretty naturally. Right? So I think to become a good C. So or V. C. So you have to know both sides, so if you’re coming from an audit background and you know, the governance and you understand that do some technical starts do even if it’s just like network Plus or C sienna or EMC Microsoft, EMC S A E or a or whatever, they’re one is now. It’s not going to hurt you to do those. It’s only gonna make you better. The more well rounded you can be to understand both because I see so you have to know both sides for sure. I mean if you don’t, you’re not going to be successful. So or at least no one like he said no enough to say okay or have the people to understand what they’re telling you if you’re have no technical background and they’re talking about V lands and segmentation. Did you just gloss over your, it’s not going to go well

[00:29:22] Evan Francen: Right. Yeah. And being self aware enough to know that, you know, to, to look at yourself and find the gaps.

[00:29:31] Brad Nigh: Right. Right. Yeah, constantly.

[00:29:33] Evan Francen: What did I hear too? You know? Because it’s not even today. Well it’s not like nobody’s ever mastered everything. Speak for yourself well other than you and I know that some

[00:29:45] Brad Nigh: other person, you know, they claimed it

[00:29:47] Evan Francen: even in a meeting yesterday, I heard something, some technology I never heard of before and I was like, okay. So I took a note research this so it’s not that I need to master what that technology is, but I’ll need to know enough of it to know how it fits into the puzzle.

[00:30:03] Brad Nigh: That’s that all the time. They’re like, well what about, oh, how do we get asked of scientology’s storages encryption I’m like, I’ve never used it, I don’t know, but I can look it up and I understand enough about encryption and storage to go and say, oh yeah, okay, this is what that’s looking at. All right, That makes sense.

[00:30:26] Evan Francen: Yeah. So I think if you if you’re starting at and if you’ve already identified, so if you’re new, are newer and you’ve already identified that this is what you want to do in your career, you want to be a VC. So you’ve done some research on it, you’ve talked to other Bc. So s and you’re pretty set. I don’t know, things keep happening. I know right? I’m very popular. Uh if that’s what you decide that you want to do, well then talk to more Vcs does spend time with us, ask us questions uh so that we can sort of coach you along the way because in some instances depending on who you’re going to be a VC, so for, right, if you’re going to be a VC so for a Fortune 500 company, because csos also can use VC Sosa VC so can make a C. So look really good. Right? So it’s not just well that companies really got to see, so so they’re not going to need a v C. So that’s not necessarily true.

[00:31:21] Brad Nigh: No, I actually had just had a call recently. Uh so our program we do see, so are vcs apart, kind of a more senior person and then we have an associate who’s learning sit in and take notes and do follow up is a great way to write mentor and bring someone up and after the call uh victoria. So because she was like yeah because we’re talking about how great that this customer is and you’re just like a safety blanket for them. He’s just sometimes he’s using you as a like a sounding board some accountability making sure. And I’m like yeah it’s it and it’s great for for me it’s a you know but that’s a perfect example I mean and it’s somebody who’s aware that You know I’ve got a good program. Their score was over 700. Yeah I still need I don’t I don’t know everything I need access to I want or I want access to somebody who can help or you know they had some issues a couple of months ago. Hey what should I be doing? Here’s what I was thinking sanity check. And having been in that position when you’re the only one. Oh it’s invaluable to have that resource to reach out to and be like because we do it internally all the time here. I mean we we did it with you and the I. R. And like what are we missing? What are we doing this right? Having that resource available. Just yeah really good.

[00:32:57] Evan Francen: Yeah I grew with that completely. The so depending on what type of V. C. So you want to be. So if you’re looking at a V. C. So for S. And B. S. That looks sort of this way if you’re looking for as a VC. So for fortune 500 or fortune, you know a large company

[00:33:16] Brad Nigh: enterprise publicly

[00:33:17] Evan Francen: traded or that looks different so um and you can grow from one end to the other. I think we haven’t VC. So is is a newer practice where we haven’t seen that a lot. We haven’t seen a lot of Vcs who started at SMB move into the enterprise, but I think we’ve clearly a path there somewhere.

[00:33:39] Brad Nigh: We do have internally a path where if you’re a new analyst, if you’re doing VC, so work, you start at Companies under 50 and then once you’ve kind of proven and gotten your feet wet, you then move up to the next step. We do have that built in uh yeah kind of like based on you know company size and stuff because the bigger the company the more complex and the more issues typically you’ll face. But that being said it’s also a very different Approach from the s. And be like that small business market again we’re going to call that under 50 employees where you know maybe one I. T. Person one, it’s not truly an I. T. Or they have yeah whatever but it’s it’s a really good pathway that we, you know we build out here as well.

[00:34:32] Evan Francen: Yeah that’s good point and I think you know sometimes people they may not want to move either. I mean if you’re a VC. So for like a consulting company like fr secure um If you’re serving enterprise clients you may only have 23, maybe 55 at the time. Whereas if you’re in the sMB it’s just less time consuming.

[00:34:56] Brad Nigh: I so so are probably many more. We try to keep it between five and 10. So the bigger customer, if you have bigger customers is going to be probably you know three ish VC says plus maybe two or three other projects maybe that are ongoing. Yeah. If you’re going to keep you fresh if you’re focused on a small business or the smaller businesses. Yeah you can expect to have 8 to 10 customers. Yeah but they’re easy but there are a lot less,

[00:35:25] Evan Francen: I don’t know what easy but

[00:35:26] Brad Nigh: there are a lot less complicated. Yeah. Time involved, simpler. Yeah. Yeah simpler.

[00:35:32] Evan Francen: So if you’re if you are new and you want to explore this VC. So path uh talk to the V. C. So you reach out to brad and I we’ve got you know, I don’t know bunch of the Csos here who are out doing this. Talk about their experiences because it may look like this is the thing you want to do but then if you get into it you might find out how crap I wish I would have done this. I’ve never seen that but no the risk is there

[00:36:00] Brad Nigh: we’ve got a, we’ve got a couple that when that came in and are really good at that and then said, you know, I’ll do this but it’s not where my heart is. I want to do. I really just want to be on the technical side. Alright, well let’s make that happen. We figure out a plan to to move across with good employees. You don’t want to lose them. There’s a spot, let’s let’s do it. So it does happen. But

[00:36:25] Evan Francen: how long would it take, do you think from somebody who had zero experience? Maybe career transition who hears about, you know, I want to be a VC. So how long do you think that path is before day? You know, the first day they’re sitting there across from a client.

[00:36:42] Brad Nigh: I would say. So kind of our our process internally if you came in as associate analyst one entry, entry level injury level with No, we’ve got professional experience but not, maybe not in security. Uh you know, we kind of think if you’re going to be a VC, so you have to have your CSP or five years and realistically it’s Probably because you’re getting a crash course in those five years. Uh you know, I would say that five years is probably closer to 10 years of real world as it were experience because you’ve got, so you’re seeing so much more, you’re working with associates work with far more customers than our CSOS Vcs is our analysts. Um So I would I think five years, but there’s progression up. So you start to associate one then two, then three and the time you get 23, maybe you can do uh you know, some fisa small business with, you know, with some help with from an analyst. So you’re going to be getting more responsibilities and growing. But I mean here yeah, I think five years is probably

[00:37:56] Evan Francen: just to get just to get in the door as an associate that would be and then you’ll need to you’re

[00:38:01] Brad Nigh: gonna have progressions and your kind of growth

[00:38:03] Evan Francen: from there.

[00:38:04] Brad Nigh: But before your I think before you’re ready to and you know, you don’t want to put people in a position to fail either. So you rush them, well then nobody wins and they get frustrated or they leave because they’re they’re not successful. Like

[00:38:21] Evan Francen: that’s a good point. But

[00:38:23] Brad Nigh: don’t rush having a good progression and and make it, you know, let them know. There is. There’s a lot of you’re not just stuck doing meeting minutes for five years. No, that’s not that’s not the

[00:38:34] Evan Francen: case. Let’s see. So hell. All right. So if uh okay, so that that’s good. I think that’s really good wisdom for people

[00:38:43] Brad Nigh: and our associates are just now we’re going to listen to this and you get knocked on my door later, like. Really? Okay, well, it is what it is? I’m kidding. I think we’ve been good about communicating with them.

[00:38:55] Evan Francen: Right. What communication is key? Uh All right, so now I’ve had some discussions with experienced Csos. These are Csos uh because not everybody who is a V. C. So has been a C. So nor will they and that’s okay, you know, need to get that off of your kind of out of your brain that you can’t be a VC. So, unless you’ve been to see so somewhere before and

[00:39:22] Brad Nigh: I think I don’t a lot of our analysts have not been named that had all the sea so or anything because Yeah, but they’ve done the security work.

[00:39:34] Evan Francen: Well, that’s the thing. So if you’re if you’re operating within a system that has been developed by Csos that, you know, is working that, you know, it, you know what I mean? And then it’s been refined and everything, you get to take what you what we try to do here is to take the things that Csos no, put them into a system so that everybody can use it. Right? So then you get to leverage the experience of, because it’s not just me, we’ve talked to many Csos as we’ve been doing our things and we take their input and like, yeah, that’s a great idea, We should put that into the VC. So program, so you start taking these things from all these other Csos and you put them into a system or process. So then uh, you know, somebody who’s never been a C. So maybe has 7, 10 years of security experience can outperform a C. So with the same level of experience, you know what I mean?

[00:40:27] Brad Nigh: Well, I mean speaking personally I’ve been doing security related stuff in it for, you know, looking back realistically almost my entire career, right? And I would say I’ve probably learned almost as much in the three years or just three plus years I’ve been here that he did and all that time. Just because like I said, you’re exposed to so many more things and and I’m like I said, I made it a point to to make sure I had a wide variety of background experience and different things and it’s I love it.

[00:41:04] Evan Francen: I know that that’s the cool thing if and I think you can do that if you’re not because there’s certain makeups of people that are resistant to learning and change. You know, they have this ego thing that because that leads into our my next thing to talk about is what about these experienced CSOS these seats? Those who have, you know, take Pat Joyce for instance or take the sea. So for Domino’s uh, you know, CSOS that I’ve talked to um to have boatloads of experience, right? Right? And you put them into a VC. So team and then you just would it just work or not because I don’t think it does. It

[00:41:45] Brad Nigh: depends on the person. I mean realistically, you know, you I’ve seen and worked with Csos are ISOS whatever the top security position in the company that are you know, kind of that what how do I wanna put it kind of that stereotypical kind of my way or the highway.

[00:42:08] Evan Francen: Yeah,

[00:42:10] Brad Nigh: authoritative, authoritative. Yeah, dictator. This is how it’s going to be too bad. We’re into story. Yeah. And no, I would I would never hire the any of those people

[00:42:21] Evan Francen: well. And I think there’s other CSOs to because I’m thinking of another person in my brain of somebody who I think is just an awesome person. But I think there think they’re crappy. See so to be honest. And so uh because there’s some CSOs at big companies that have tons of experience and nothing more than a figurehead. And then there are others who actually understand how security works. They put in the work, they understand that these puzzle pieces have to fit together. Then there’s others who are just really good at the political game and they can’t play anything else. And so you’ve got all these different and I think there’s room in a VC. So program to take these people and put them in. You know like keep using Pat Joyce but take anybody like that uh Worked 15 years, 14 years at a big company had to deal with all the stress regime changes politics all this crap all the time. Can you take that person because one of the things I’ve been saying to some of these larger CSOs is why don’t you think about becoming a VC? So take all that awesome experience that you’ve learned over the years? Take the stress away and go work as a virtual chief information security officer.

[00:43:35] Brad Nigh: So the one thing I think I would say is again, it depends on the person, right? Because if they’re going to come in and say, well again, this is how I’ve done it and this is how we’re going to do it. It won’t work. It won’t. If they come in and say, hey, here’s my, here’s my experience, how are, you know, and learn like that’s a big one. Come in and understand how we what our framework is. Say, okay, well why are you doing it this way? Here’s my experience. If there’s more collaboration, collaboration, we’re totally open to that. Like we will fully admit we don’t have a perfect program. I think we have a really, really good one. But does that mean there’s not room for improvement? No, there’s always room for improvement. Yeah, we get it all the time. Even from, you know, the associate analyst make suggestions and it’s like, I never even that’s a great idea, right? Like, so, you know, if they’re willing to be open and learn new things and be collaborative and and understand that when you go home at the end of the day, you go home at the end of the day, like sleep well. Yeah, you don’t we don’t get a lot of like emergency policy calls on the weekends, you get your weekends back. We had one jane

[00:44:53] Evan Francen: And HR didn’t do her training and awareness. Oh my God, you’re not gonna get that three am

[00:44:57] Brad Nigh: right. You know, it just doesn’t happen. We’ve had a couple say, yeah, after a couple months, how’s it going? And I was like her around a lot, you hear all the time, what’s going

[00:45:10] Evan Francen: on to start traveling

[00:45:11] Brad Nigh: again? So, you know, I think if they understand that, yeah, there’s some trade offs, you don’t own the program. That is and it’s a hard thing for people to understand. You can air quote own it and drive it and truly care about the company and I think every one of our analysts does at the end of the day, it’s not yours, it’s their program. Like if you do the work for them, they’ll never learn to be there to go coach them and guide them and give them all the tools that you can to help them be successful, but let’s get them standing on their own. So that

[00:45:48] Evan Francen: Yeah, for sure.

[00:45:49] Brad Nigh: Right?

[00:45:51] Evan Francen: Yeah. So if you are an experienced C cell, there’s room. Absolutely. I would encourage you if you’re the right kind of person, meaning a person who is collaborative, wants to learn, can fit in a team in a framework, You know, I think one of the challenges is sometimes Csos, you know, have been if you’re the C so the top of the head when you’re a V. C. So you’re not really top of the head, you’re part of a team for whatever company you’re working for as the C the VC. So you might be sort of a semi top of the head for the clients, but it’s different.

[00:46:27] Brad Nigh: Yeah, we’ve had people struggle with that. I remember one specifically that I was in a Cuban was like, this is so weird. I’m used to the corner office with the windows. It’s surprisingly didn’t

[00:46:39] Evan Francen: last, you know, if you’re that kind of guy or gal.

[00:46:42] Brad Nigh: Yeah, it’s not going to work if that’s what you’re about. Yeah.

[00:46:46] Evan Francen: No, if it’s about status for you, if it’s about, you know, having that corner office. Ah

[00:46:53] Brad Nigh: Yeah. Yeah. If you’re if you’re about helping the customer helping your teammates and understanding that you’re part of something. I mean realistically it sounds kind of cliche you’re part of something bigger here. Exactly. It’s worth it. And I think, yeah, it’s very rewarding.

[00:47:11] Evan Francen: It is. Yeah. Well it’s

[00:47:13] Brad Nigh: super, you help so many more people than you could possibly help at one. If you’re at one place.

[00:47:18] Evan Francen: Totally true, totally. All right. So the yeah, that’s that was the talk about the VC. So uh if you have more questions or specific things that you’d like us to cover uh brad and I have both been uh doing this for a long time and we we’ve seen other VC. So programs and I think we can answer those questions if there’s a question we can’t answer, we’ll go find

[00:47:41] Brad Nigh: it and make it up. Yeah, yeah, we’ll find it, we’ll find it. There

[00:47:45] Evan Francen: you go. Yeah, like brad, because he’s probably right. Anyway, uh new book announcement, I wanted to talk about this because you know, it’s time it’s time to get the ball rolling here because um now with what security studio is doing in terms of the s to Oregon making that free. And now we’ve got the road map into the tool and we’ve got these things sounding building. That’s right, let’s teach people. And I think our target. So here’s the announcement, brad and I are writing a book together. It’s gonna be awesome, man. It is, I’m actually excited I am to we’re going to change the world. Uh and anybody else who thinks that they can’t change the world. That’s Bs. You can, everybody’s got an opportunity somewhere exactly to make a difference. So in this book, brad and I are, our focus is S. And B. S. Right? It’s a book that can be read by the larger companies, but it’s really focuses on S. And B. S. And it’s taking everything that we’ve learned in all of our years of helping smes build good security programs and maintain good security programs, How do they do it? Here’s what’s a manual, what’s a what’s a book. So like I’ve we’ve used the analogy of like traction geno Wittmann wrote this awesome book about traction on how to run a business a system. Let’s do the same thing on security. Right? And so we’ve we’ve had fr security use what’s called the fact system. And in that fact system is this is how you build maintain run measure, communicate all those things, a security program. So now let’s put it in a book. And the point here is not to um the point here is to take the things that you and I have learned things that and make it available to everybody.

[00:49:35] Brad Nigh: It’s publishing our playground, so to speak and go back to where we were talking about

[00:49:41] Evan Francen: earlier. Yeah. And I want people to copy it. I want people to copy our facts system and call whatever system you want to call it. You know, there’s four million companies that we need to somehow reach. And I don’t know how many customers we have here. We have a lot 1500 maybe customers. And yeah, so we’re only scratching the surface and there I know that there are other systems um in the market and it’s not that one system is better than the other. But we just need to figure out a system that we can all buy into, that we can all operate by

[00:50:13] Brad Nigh: and everyone, I think it goes back to everyone is so closed on their their system, they don’t want to share with anyone, and that doesn’t that doesn’t help solve anything.

[00:50:28] Evan Francen: I totally want to disrupt this whole Gm industry. I want to give away everything. You know what I mean? Just because you will make you’ll

[00:50:35] Brad Nigh: make your money right? We get I’ve gotten you collect your acorns somewhere, right? Well, and I’ve gotten asset like, well, if you you know, because talking about the book, if if you write and publish, here’s how we do this isn’t going to hurt your well, two things No, no one would know because you can’t replace the expertise we have implementing it, right? And then to if we can get our get that mission out there and understand the more people we can reach, the bigger our ideas of. Okay, so if we give it to 100 people that had never heard of us or wasn’t going to use us, and only 10 of those people say You know what, I want help from them that we’re better than we were, and 90 more people are better than they were. Right? How is that losing

[00:51:26] Evan Francen: 1? Give them the tools because we both touched on it, we’re talking about V. C. So it’s not my program, it’s your program, so you better learn, you need to learn what your role is in that and how you manage that, and if you decide to outsource some of that, the expertise or whatever. Fine, but you still need to own it.

[00:51:47] Brad Nigh: And what does that mean? If you do it inside here is the one thing if you outsource to a virtual see, so here’s what that means. Here’s what they should be held accountable for. Here’s what you need to do

[00:51:57] Evan Francen: in that way. You’re only paying me for something I’m actually providing value in. You’re not paying me to do the same. Stupid, not stupid, but the same. It’s sometimes stupid because I’ve done the same thing solar and over and over again, but I’m not doing the same thing over and over again, where I’m not really providing any value. You can do this yourself.

[00:52:15] Brad Nigh: Well in the flip side of that is we get asked what are you going to do my log reviews? So if you’re hiring a C. So if you had a C, so would you expect them to do daily log reviews? No? Okay.

[00:52:27] Evan Francen: Something you should find

[00:52:28] Brad Nigh: another role. So what, why are you expecting to pay a, somebody with 20 years of experience with all these shirts to look through remarks? Uh yeah, like that. And

[00:52:41] Evan Francen: plus we’re, you know that c so it is more expensive, right? You know, why would you pay uh

[00:52:47] Brad Nigh: hire an entry level person that wants to get into the industry? Because there are a lot of people out there don’t have absurd requirements and use us to help teach them what they should be looking for. Exactly. Anyway,

[00:53:01] Evan Francen: show me that. That’s the book we’re starting it like a crazy time. Let’s start at the busiest time of year. Fourth quarter

[00:53:08] Brad Nigh: when you’re about to go on like a big road show. No. Right. So I told my wife and her response was, are you insane? Yes. We’ve been married coming up on 17 years. I mean, you should know that by now. Right.

[00:53:26] Evan Francen: You really asking me that question? Come on.

[00:53:28] Brad Nigh: You know the answer,

[00:53:29] Evan Francen: But this is part of part of legacy to, right? I mean, it’s helping people and it will come out in the book to where our heart is in all of this, Right? It’s about and the cool thing about a book is somebody your kids will read it. Although your kids kids might

[00:53:45] Brad Nigh: read it. Yeah. My kids don’t give me any cut me any slack though. When I was on the news a couple of times, sick on again, my oldest one was like, what? You talk about acid rain has got robots in it and they’re going to hack you and blah blah blah. Like I love, I love that. They don’t give me any,

[00:54:03] Evan Francen: they don’t give you,

[00:54:04] Brad Nigh: there’s no respect is there? But there’s they don’t give me any any slack.

[00:54:10] Evan Francen: All right. So watch out for the book. We’ll be making more announcements as we get closer and closer. I think there’ll be a pre Whatever, you know, pre launch and all that good stuff and we should talk about to I’m thinking maybe Q1 towards the end of Q1, we should have a

[00:54:25] Brad Nigh: pretty good, you know, I

[00:54:27] Evan Francen: think most of it

[00:54:28] Brad Nigh: written it won’t Yeah, it’ll be interesting to see how this turns out because I think we’ve got a lot of it. Yeah. This isn’t starting from scratch on something. Oh no no no. It’s putting a into a format that others can understand and digest and right. Yeah. So it’ll be interesting to see how this

[00:54:46] Evan Francen: because because that’s why I think writing is so therapeutic, it’s taking this crap that goes on in your head that just spins around and spins around. It makes perfect sense to you and trying to put it on a piece of paper, right? It makes sense to other people. And it’s not like yeah, I mean it you know, it’s getting it out is

[00:55:06] Brad Nigh: right, that’s rewarding. Yeah. And so I will say before we get to the news, we’re hosting the hacks in Ops this week.

[00:55:14] Evan Francen: Oh that’s right, thursday, thursday come up to us Bank Stadium. If you go to hacks and hops dot com. Right?

[00:55:20] Brad Nigh: Uh there’s still a couple of, I think we had over 200.

[00:55:25] Evan Francen: Nice.

[00:55:26] Brad Nigh: I don’t know the exact number. I mean there were over 200 last

[00:55:29] Evan Francen: time I heard we got an awesome panel. I’m excited plus, you know, people who like to drink beer can drink beer

[00:55:34] Brad Nigh: and and we’ll have uh one of our, our managers will be up here and Oscar to be here. Oscar and tom are they really? Yeah, they’ll both be up here hugs. Oscar comes into flies in tonight and our, yeah, Oscar tonight and tom tomorrow. I think that’s super cool. Or actually no, you know what whatever they’ll both be here. That’s the important part

[00:55:54] Evan Francen: Thursday. Yeah, Thursday I think it starts at one

[00:55:57] Brad Nigh: right to,

[00:55:59] Evan Francen: I don’t know. All right. So, thursday

[00:56:01] Brad Nigh: afternoon, the important details. I’m sure we’ll

[00:56:04] Evan Francen: go to Jackson dot com and you’ll see

[00:56:06] Brad Nigh: it. Well Brandon make sure you put that in the, the notice when he sends out that is published. Sure. Yeah. They go Brandon. We’re going to see if you listen to the podcast before he sends it.

[00:56:18] Evan Francen: What time is it? It’s time do you start going here? Right. Excuse me. I have three news pieces. One has been all over the place. So the, this from Ars Technica on, it’s the title is checked. The scope Pen Testers nabbed jailed in Iowa courthouse break in attempt. These are 2 uh security folks from coal fire who on september 11th. I don’t know there’s any significance if there’s any just bad timing significance to the that timing versus you know, whatever. But they were nabbed in Dallas County Iowa now Dallas County Iowa, we’ve done work before for Dallas County Iowa, none of us, I don’t think we’re not not arrested and charged this. Uh Yeah. two guys um, from coal fire who now I’ve been arrested numerous times before. Uh, in these types of things. I’ve never been books are charged because because you had to carry the letter right. There’s either a letter engagement. There’s some sort of get out of jail free card. Some sort of, you know, whether you carry the statement of work or something that gets me out of jail. But there’s obviously some other communication issues here in terms of scope.

[00:57:38] Brad Nigh: Yeah. This is a big miss by somebody.

[00:57:43] Evan Francen: Somebody messed up somewhere.

[00:57:45] Brad Nigh: I read this and send it to been and Oscar it’s like I’m glad that says on us because that’s going to be right. I mean that’s a okay

[00:57:57] Evan Francen: and this isn’t coal fires first rodeo, right. I mean thousands of assessments

[00:58:02] Brad Nigh: and so somebody messed up pretty big on

[00:58:04] Evan Francen: this. Yeah. Where the mess up happened. You know, I don’t know if it was a mess up on the part of the client or part of coal fire are part of both are part of, you know, these two. It’ll be interesting to see, I don’t know if we’ll continue to get updates on this. But I do know that it was checking yesterday that just the court records for one of the, one of the two defendants. Gary dima curio Gerri de Macario, $50,000 bail. He’s got an a court appearance next week.

[00:58:34] Brad Nigh: Uh, yeah, I think the big thing is, is it states in there that um, you know they company was hired by the state court administration to test the security of the courts electronic records and attempt,

[00:58:50] Evan Francen: so somewhere there was a mix up.

[00:58:52] Brad Nigh: Yeah. They attempt unauthorized access to court records through various means, but they did not intend to anticipate these to include forced entry into a building to me that forced entry like well you better have it in writing that that’s okay.

[00:59:06] Evan Francen: Like it’s one thing to to have like social engineering. We do a lot of social engineering. Pen physical pen tests.

[00:59:13] Brad Nigh: Yeah, like it states in so we’ll do the physical pin test and then in the in the call we have a with before we do anything the analysts on the call with a client to say what’s acceptable.

[00:59:25] Evan Francen: Yeah. Something was totally missed him. Very very, very rarely do we do a burglarized type of forced entry pen test. You really have to have your eyes dot and your teeth crossed. If you’re going to do something like that,

[00:59:41] Brad Nigh: it would be like, hey, these are susceptible to these types of attacks, right? We don’t to do the attack.

[00:59:48] Evan Francen: Yeah. One of you were like I said, yeah, that’s fine, but you better have it it in terms of your statement of

[00:59:55] Brad Nigh: work that forced entry is acceptable or whatever. But I mean realistically that could have turned out way worse. I mean they’re lucky they just shut. Yeah, they just got arrested because they’re in a courthouse.

[01:00:09] Evan Francen: Well, they both bailed out so I couldn’t have to have the court appearances making. I think

[01:00:14] Brad Nigh: that’ll

[01:00:15] Evan Francen: be a story. I think it’s, I think it’s Gary the one defendant. I think he’s out of florida. So he’s got to come away backed up to Iowa

[01:00:25] Brad Nigh: state to parents got a colorado or something. So

[01:00:29] Evan Francen: yeah. So I feel bad for those two uh sort of, I mean I do because somewhere somebody messed something up with the risk management, sales, project management, something got screwed up. And for some reason, I’m guessing these two thought that, hey, this is in scope is going to be fun. We’re going to meet up in Iowa and we’re going to, this is how we’re gonna plan it. I mean, there’s so much player

[01:00:54] Brad Nigh: they don’t care there. I know. Well,

[01:00:57] Evan Francen: assuming they even had one, You know what I mean? Because it looks like the courts are saying, yeah, this was not authorized to do

[01:01:05] Brad Nigh: but used to break in. Mhm. If you’re going to do a physical breaking, why would you not make sure you have that letter that you think gives you the the the okay to do it. Yeah. Either way. Not not fun for those guys that long weekend.

[01:01:23] Evan Francen: Yeah. Exactly. All right. So the next piece of news is the U. S. Treasury. So this is from security affairs. Uh the U. S. Treasury places sanctions on north Korea linked A pt groups. There’s a lot of them, there’s a lot of North korean linked, a pt groups and if you don’t know what A. P. T. Has advanced persistent threat. Uh Yeah so security affairs, it’s a good right up, you know, I don’t think it’s it’s surprising. Um Yeah so you know, there’s no sanctions on North korean linked hacking groups in case you didn’t know the U. S. And North Korea are not allies. Uh Yeah, potentially the long list of sort of all these uh if you do more research on these North korean, North korean linked a pt groups. There’s a lot of them, you know, and there are a lot of A K. S. A K A K. A. Uh So that’s all but I had for the news, that’s interesting. Yeah, interesting. Not not something like, oh my God, I gotta do something about that. No, the last one news before we wrap up the show is uh this comes from G. B. Hackers on security Net Cat. New attack allows hackers to steal spy and steal the data from intel. CPU remotely. This is sort of interesting. Uh huh. The law is called Net Cat, which is also a popular tool I used to use back when I was fantastic, which I haven’t done for a very long time. Mhm. But affects the intel CPU allows Attackers to steal sensitive information from untrusted clients. Net Cat here is short for network cash attack. That’s the name given by the researchers and every exploit any type of attack. You have to give a cute name to it. I don’t know if you know that and usually uh like a cartoony looking sort of logo help as well. I haven’t seen if there’s one for this, but the vulnerability resides in the intel feature called D D I O. Data direct I O uh input output due to the flaw. Network devices and other peripherals can perform side channel attacks. So it’s not

[01:03:55] Brad Nigh: interesting. They’re, you know, they’re allowing the network devices or other peripherals to access the CPU cache directly.

[01:04:03] Evan Francen: Yeah, it seems like a design flaw. I don’t know if there’s any is there any patch the test uh in this same article, uh researchers from Vucic, they did successfully test the Net Cat attack and like the arrival time of individual network packets in an ssh session via the side channel. The I don’t know how you patch this.

[01:04:30] Brad Nigh: I don’t

[01:04:31] Evan Francen: know. It seems like an architecture

[01:04:33] Brad Nigh: uh tells, you know, I kind of wonder if manufacturers to start looking at A M. D. This is the third major physical flaw in the intel chips

[01:04:47] Evan Francen: and also goes to the point. Right? We knew we’ve got this thing that we always say that something that’s insecure at the core will always be insecure. And so what what’s more core to a computer than the CPU that process is everything

[01:05:06] Brad Nigh: peripherals directly. access to cash.

[01:05:08] Evan Francen: Yeah. So you’re going through until security gets considered. You know, it’s step one in the process and really gets integrated into things than things like this are more popular or possible. So I don’t know any workaround for that. You can read about it. I don’t expect you, you know, I don’t expect anybody to be hacked anytime soon using this exploit. But it is interesting and it shows that there’s just another flaw. Mhm. That’s it. Uh There you have it. Thank you for another great show brad. Seriously, it’s cool to be sitting across from you. Thanks man. Uh Special. Thank you to our loyal listeners. We love your feedback. So seriously, if if you’ve got more feedback for it for us on anything we talk about or something you’d like us to talk about. Send it to un security at proton mail dot com. Uh fear social type socialize with us on twitter. I’m @EvanFrancen and brad’s @BradNigh. And I anything else to add brad before we wrap this up? I have a great week. All right, have a great week. Thank you.

vCISO Role and Responsibilities + How to Get Started

Evan and Brad talk about the vCISO role and responsibilities as well as discussing what someone would have to do to become one. The guys also chat about Evan’s recent trip to Bulgaria and make an exciting announcement.

About

Work with Us

Resources

Contact