245- Demystifying DoD Cybersecurity: Larry Furman on Achieving CMMC Certification

Dissecting Popular IT Nerds

Larry Furman

Larry Furman is an IT leader with over 25 years of experience driving technology initiatives. He holds the rare Project Management Professional certification and recently led his company in attaining CMMC Version 2 Level 2 compliance. Furman has spearheaded numerous security, infrastructure, and disaster recovery projects for organizations ranging from financial services firms to the US Military. His technical expertise combined with strong communication skills make him a sought-after speaker and trusted advisor to IT executives and decision makers.

Demystifying DoD Cybersecurity: Larry Furman on Achieving CMMC Certification

Get ready to dive into the complex world of CMMC compliance with IT expert Larry Furman. In this engaging episode, Furman takes us on an in-depth tour of DoD cybersecurity requirements. He breaks things down in an accessible way, providing the nitty gritty details behind locking down data and attaining CMMC certification. From encryption tools to physical security, Furman covers it all. If you want to strengthen your organization’s security posture and become CMMC ready, tune in. Furman lays out best practices and tangible takeaways you can apply. Expect great insights that cross the cybersecurity T’s and dot the compliance I’s. Our minds will be expanded and skills sharpened as we discuss the ins and outs of CMMC mastery.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

Episode Show Notes

Motivation for CMMC compliance [00:03:06]

Physical security and clean desk policies [00:04:55]

Encryption tools for secure communication [00:06:22]

On-site tech support in the 1980s [00:08:49]

Setting up a network in Tokyo [00:21:27]

Confusion over a mysterious food item [00:23:45]

Disaster recovery training globally [00:24:32]

Troubleshooting failed disaster recovery [00:26:36]

Disaster recovery exercises with virtualization [00:29:53]

Importance of planning and flexibility [00:31:55]

Speaking stakeholders’ language [00:34:13]

Knowing your audience as CFO [00:50:10]

Transcript

Speaker 0 | 00:08.302

Welcome to another Dissecting Popular IT Nerds, where we’re allowed to geek out with our fellow nerds. Today, I’m proud to introduce Larry Furman, who has the rare PMP certification and has recently achieved CMMC V2 L2 certification at his organization. Larry, please introduce yourself, tell us a little about yourself, and then talk to us about the fun of the CMMC V2L2. Sure.

Speaker 1 | 00:39.099

Hi, Mike and everyone. I got into computers. I majored in biology, got a bachelor’s, went on to grad school, and in grad school, I had to choose between learning to read Russian, German, or French to read research papers or program computers. And growing up on science fiction with intelligent machines, you know, Asimov and Heinlein and everybody, programming computers seemed like a no-brainer. And it was. I got my first job in computers doing tech support at an insurance company. And one of the things, and my recent job at Linearizer, a big part of it was running the tech support team and building a white glove support organization. As well as what you mentioned, CMMC version 2 level 2.

Speaker 0 | 01:52.232

Yeah, that CMMC, man, I keep stumbling on that. I was able to do it during the intro, but…

Speaker 1 | 01:59.797

So does everybody.

Speaker 0 | 02:01.178

Yeah.

Speaker 1 | 02:02.859

It stands for Cybersecurity Maturity Model Certification, and the Department of Defense requires contractors and subcontractors to be compliant with one of the three levels. Contractors need to be compliant with level three, subcontractors with level two, and even the plumbers and HVAC contractors and electricians and the people who mow the lawns and shovel the snow in the winter need to be compliant with aspects of level one. And we do that.

Speaker 0 | 02:48.718

Go ahead.

Speaker 1 | 02:50.019

The DOD does that because.

Speaker 0 | 02:51.520

You know, we kind of live in a dangerous world, and there are threats, um, cyber threats coming in all day. Yeah. So, um, quick question: the, uh, organization that you helped achieve this for, um, were they already of that security mindset, or did this compliance driven by business, I assume, um, because they’re a contractor or a subcontractor, um, was... Did the security come because of the business or did the security come because they wanted to make sure to protect their assets?

Speaker 1 | 03:29.573

The security came because of the business. They wanted to protect their contracts, their assets. But they were of a security mindset. They understand the threat landscape. I was in… instrumental in bringing them to this compliance, but they were, you know, ready to go. So it was like, oh, like, you get in an Uber and you say, okay, take me to the airport. They know they want, you, the passenger wants to go to the airport. The driver, it’s the driver’s job to get them there. Yeah.

Speaker 0 | 04:06.545

Because it’s really an organizational thing. It’s not just an IT thing. Correct. It, you know, you have to have

Speaker 1 | 04:15.272

You have to log people who come into the facility. We used both a paper log and an electronic cloud-based log. You have to print badges. You have to designate people who are U.S. persons, i.e. citizens or with a green card, and foreign nationals, whether they’re from Europe or Canada, an ally or a non-ally. And physical security is part of it. Clean desk policies are part of it, which are not IT. A clean desk is not what you’d see if you come into my house. But it is what you see when you come into my office.

Speaker 0 | 05:03.216

Yeah, well, and it doesn’t necessarily, it just means none of the protected materials out in the correct. You know, I can still have a stack of material just as long as it’s not anything that’s protected or critical. Correct.

Speaker 1 | 05:19.762

Confidential, yes.

Speaker 0 | 05:22.383

But, you know, there’s so many aspects of CMMC, especially level two and the NIST 800-171, are, um, so IT focused, you know, the MFA, um, encryption, the, uh, encryption for pro... or for communication protocols, all of that. There’s, yeah, it’s a lot. So typically we as IT leaders end

Speaker 1 | 05:50.077

up being the head or the lead on those projects. Yes, yes, absolutely. Um, and some of this you can achieve with outsourcing or with certain cloud services. We used a tool called PreVeil, which is built in the Amazon Web Services GovCloud for encrypted email and encrypted file sharing. The alternative to that would have been… an Amazon Web Services GovCloud email address for everybody, or a Microsoft Azure GovCloud email address for everybody in the entire organization, which would have been significantly more expensive. I don’t know if you want me to name companies and vendors that we used.

Speaker 0 | 06:57.848

Oh, that’s fine. I just want you to be careful of anything that would step on any toes involved in your career. We’re allowed to talk about any vendors that we want to and in whatever method that we want to, but I tend to try not to step on people along the way.

Speaker 1 | 07:16.744

So let’s rephrase that and say we used some tools that enabled us to have encrypted, end-to-end encrypted email and end-to-end encrypted file transfer with our clients and our supplier. Yeah. Those are for ITAR compliance, uh, purposes. ITAR is the International Traffic and Arms Regulation. Okay.

Speaker 0 | 07:43.146

But this also made it where you didn’t have to pay for those types of accounts for everyone. You could do it for just specified individuals or... Yes, about 35 out of the, uh,

Speaker 1 | 07:55.004

out of 100. So 35. Okay. Yeah. Which, 65 savings then. Yeah. Um, CMMC has 11 basic control families, from access control, which is physical access as well as logical access, um, and awareness and training, because the individual is, you know, the weakest link.

Speaker 0 | 08:24.448

So, you know what, let me take a different tack on you real quick and talk about what it was like doing tech support in the 80s. You know, you’re talking about working at an insurance company in New York City. So, what, I can’t,

Speaker 1 | 08:40.192

you know,

Speaker 0 | 08:40.472

I look at how tech support’s changed in the 20 years that I was involved, and that was 20 years after you were doing it. So,

Speaker 1 | 08:49.794

what was it like? It was all on site.

Speaker 0 | 08:51.635

All on site.

Speaker 1 | 08:51.955

It was often face-to-face. or occasionally over the phone. I was helping secretaries using WordStar and accountants using Lotus 1-2-3.

Speaker 0 | 09:05.065

Oh, man. Those are, yeah. It’s been a while since I’ve heard those names.

Speaker 1 | 09:13.172

A blast from the past, right?

Speaker 0 | 09:15.234

Right.

Speaker 1 | 09:15.734

But in that role, too, I learned that you can’t really… communicate effectively with a non-computer person using technical jargon. You can say, like with Lotus, if you want to print something, you go to File, Print, I think. Right. Um, and you can explain, okay, this is what they call a range. It’s a group of cells. It’s either one column wide or, you know, a couple of columns deep or several columns wide or several columns deep, which is the same as in Excel. Right. And again, with WordStar. And today with Word, a typical problem is how do you do a table of contents? If you do it the brute force method, which is, you know, you go to your document and you say, okay, this is page five. I’m going to start a new chapter on page five. And you open up a new page and you say, chapter two, page five. Well, what happens when you add a couple of, you know, paragraphs to chapter one? Chapter two then starts on page six, and chapter three then starts on page nine. Are you gonna manually edit every line? No, you’re gonna use, um, Microsoft’s built-in table of contents, or LibreOffice if you’re not using Microsoft. Yeah.

Speaker 0 | 10:48.665

Well, hopefully. You know, there’s so many people who still today just brute force all of this stuff. Yeah, yeah.

Speaker 1 | 10:57.948

And get all the content and then create the table of contents afterwards, once they finalize things, and hopefully they get everything right or the editor catches it. I worked for a law firm in New York for nine years, from 2005 to 2014, and one of the founders is a writer. He’s retired. He’s 83 years old. He still writes. He’s got a Mac. And he’s writing a couple of books. He does a chapter at a time. And each chapter is a different file. So he has to kind of manually, well, he doesn’t generate the table of contents. He sends the entire chapter, the entire book as a zip file to his publisher, who assembles it and does all of that for contents and stuff. It’s, uh, he, it’s a, it’s a, I like, it’s a challenge working with him. You know, it’s a lot of fun, actually. In the, up until COVID, when I was in this, in New York, I would stop by his office, his house, after work and I’d fix his problem, whether it’s a new printer or some funky thing going on in the computer, and then we would sit and talk about politics. So what, you can’t beat that. Yeah, yeah, that’s, it’s always a nice way to finish an interaction, is to sit

Speaker 0 | 12:38.210

back and relax and have a drink and just talk with them, and yeah, on a personal level, instead of just the, uh, well, help me do this, okay, now leave. Yeah, yeah, yeah, absolutely.

Speaker 1 | 12:50.792

There are people in every company, in every nation that look at IT as a service and don’t want to look at an IT person as a person. They’re just a techie. But then there are people everywhere, whether it’s a law firm or an engineering company or accountants. That will look at IT people as people.

Speaker 0 | 13:25.050

Yeah. Well, and I think some of that’s changed over the years. Because I think back to when I was a kid and like the Revenge of the Nerd, that movie. And how they looked at IT people within that movie. And what I look at and what I see as mainstream IT people today. And… they’re no longer classified into that non-physical, non, um, you know, the nerds wearing the glasses with the tape in the middle of it, um, you know, with the pocket protector, and they’re no longer that. Yeah, there’s a lot of guys that are out there that are in IT that are extremely, um, health conscious and spending lots of time in the gym and doing those kinds of things. And it’s now so pervasive in everything we do, technology that is, that almost everybody has to have some degree of understanding of technology anymore. You know, my kids have no clue when it comes to networking, but they live and breathe because of that networking. You know, they’re connected everywhere they go, and they don’t even think about the complexities behind it. It’s just taken forward.

Speaker 1 | 14:47.462

They also may not think about the cybersecurity ramifications of the networks they’re connecting to.

Speaker 0 | 14:54.490

Oh, yeah. Oh, yeah. And or what they’re doing in social media and things like that. You know, I’ve been watching some stuff about… Like there was a financial group, and I want to say it was in Germany, that took a picture of a child, someone that was like five years old, advanced her in age, and then did an advertisement in a movie theater to her parents who were in the movie theater about the digital footprint that they were leaving of their child today and how it could affect her in 10 years.

Speaker 1 | 15:31.388

Holy cow.

Speaker 0 | 15:32.449

Yeah, I’ll have to send you the link for that afterwards, and I’ll probably drop it as a comment on the podcast when we go because it’s a really interesting video. It’s something that I got from an FBI interaction that they were talking about our digital footprints and what we’re leaving behind.

Speaker 1 | 15:54.263

AI.

Speaker 0 | 15:56.245

Yeah, the AI stuff because they used AI to advance their age and then use… to change her voice. And because they had a recording of, they had this recording of like a five-year-old made her 20 years old and said, mom and dad, look at what you’re potentially doing to me.

Speaker 1 | 16:14.954

The, some of the, well, American Express has it, its fraud detection system is built on an AI model that they started working on in about 2010. It’s very effective. It’s built in part on our digital signatures or, for American Express, our commercial signatures. When you buy something at a local restaurant or a chain restaurant, whether you’re shopping at Whole Foods or Trader Joe’s or a local regional grocery, they know. And so if something steps out of the ordinary, they’ll either reject it or they’ll call you up. So if you get on a plane in Newark, New Jersey, and you fly to California, and you drive to the airport, and you park your car, or you take an Uber to the airport or another taxi to the airport, they know that transaction. You buy a cup of coffee or a sandwich in the airport, they know that transaction. You bought the airplane ticket, they know that transaction. When you land in California, they know they’re expecting you in California, and you buy something in California, and they’re like, okay, Mike’s in California now. But if your credit card shows up in Vegas or in Albuquerque or San Francisco rather than Los Angeles, they know something fishy is going on.

Speaker 0 | 18:06.915

Well, and it depends on the type of product too, because there’s lots of times now with our purchases, those purchases are being registered all over the country or the world. Yeah. And just depending on what you’re purchasing. But like one of the triggers that I’ve heard of is purchasing gas and buying tennis shoes right afterwards. Doing those two things are like a red flag to most of the credit card companies of somebody getting a hold of your credit card because they go fill up their tank and then they go get those high dollar Nikes that they could never afford themselves. And that seems that it was an anecdote that I’d heard. I can’t remember exactly who I heard it from, but it’s something that it’s almost guaranteed. American Express, Visa, MasterCard, they’re all watching for that kind of set of transactions pattern. Yeah, they’ve already identified the patterns of people who, when they steal your credit information and they start getting into it, that they recognize patterns of behavior. Testing the card to see how much, whether

Speaker 1 | 19:15.257

a transaction goes through and then making a large purchase almost immediately. Right, right, right. All the credit card companies are doing this. Yeah. And they can also, a way to detect fraud is if there’s a user with no credit history, someone makes up a social security number and then goes and gets a credit card and they don’t have a credit history.

Speaker 0 | 19:44.024

Yeah, they’re pretty low. Usually.

Speaker 1 | 19:49.229

Well, you would see that, I suppose, from an immigrant from a third world country, a very poor country. Right. No bank account, no credit.

Speaker 0 | 20:04.402

Yeah, somebody comes into the country and then they start making their credit history at that point. But they’re not going to give them a $20,000 or $30,000 credit limit right off.

Speaker 1 | 20:16.052

You would presume they wouldn’t.

Speaker 0 | 20:17.633

Yeah, exactly. I would presume.

Speaker 1 | 20:20.536

You would hope not.

Speaker 0 | 20:21.657

Yeah. Well, considering the fact that we all get to pay for it and the prices of all of our goods to help cover that. So I noticed in your history a little bit of chances to go into different places across the world. Talk to me a little about that. How did IT help you get to all of the different places that you’ve been? And tell us about a little of that experience.

Speaker 1 | 20:48.124

So I was working in New York at a financial house that was owned by a Japanese bank, a derivative shop owned by a Japanese bank. And they wanted us, the bank back in Tokyo, wanted to see what we were doing. So I got to go to Tokyo for two weeks, set up this, and set up a simple five or six or seven workstation network built on Sun SPARC 20s or SPARC 5s, Sun, you know, architecture. This was back in the 90s. Got to Tokyo for two weeks, took the bullet train to Kyoto over the weekend, had a lot of sushi. It was interesting.

Speaker 0 | 21:41.846

Hopefully you liked sushi at that point.

Speaker 1 | 21:44.068

I liked sushi at that point.

Speaker 0 | 21:45.769

Okay, good.

Speaker 1 | 21:46.669

Although after the trip, I’d had a little bit more sushi in too short a time span. So it was a while before I had sushi again.

Speaker 0 | 21:56.756

Understandable.

Speaker 1 | 21:58.237

Yeah. Then a year or so later, I started a job for a company that made backup software, which is where I started getting interested in disaster recovery. And my role in their professional services organization was to travel mostly across the United States, mostly to military bases, the Navy, the Marines, primarily, installing their software and training the users and the administrators in it. Well, I got to go to Cherry Point, North Carolina, and I also got to go to San Diego, California. And I embarrassed one of my colleagues in San Diego by asking the… the wait staff what this thing was. It was about the size of a small bagel. It looked like a bagel, but it didn’t have the right texture. So I said, what do you call this thing? And she said, well, that’s a bagel. And I said, no, it looks like a bagel, but it is not a bagel. And the guy who I was with, Texas, from Texas, he was like, you got to forgive him. He’s from New York.

Speaker 0 | 23:29.848

Yeah, he knows what a real bagel is.

Speaker 1 | 23:32.630

And pizza.

Speaker 0 | 23:33.731

Yeah.

Speaker 1 | 23:36.433

They also sent me to South Korea, to Seoul, South Korea, for a week to train their affiliate there. And I spent a lot of time in Canada, a lot of time in Mexico.

Speaker 0 | 23:49.402

And was all of this around that disaster recovery piece? And…

Speaker 1 | 23:53.942

helping implement that or was it... Yes. Yeah, my role was, once the hardware was set up, to train the administrators in how to ex... how to do a backup, how to test that backups were actually working, and how to do a restore. We were a Unix based, it was a Unix based system. Unix, you know, is case sensitive. Microsoft Windows is case preserving. So if you have a tool called Alpha, which is spelled capital A-L-P-H-A in the Unix environment, well, we had to back it. We had to define that in Microsoft Windows as capital A-L-P-H-A. One of our… one of the administrators, actually at a Navy base in D.C., made the mistake of using all lowercase. And so the backups appeared to work, because there were no error messages. But it didn’t back up any data, because it was looking for a directory, for a folder called alpha, uppercase A. And there was no alpha, uppercase A. It was alpha, lowercase A. So there was nothing there to back up. And the software was like, okay, no data to back up. I’m good.

Speaker 0 | 25:29.713

Yeah, I ran my process. All’s well.

Speaker 1 | 25:32.416

Right. Then they went to restore.

Speaker 0 | 25:35.390

Oh, it wasn’t so good. And they called me to troubleshoot, and I was like, well, I’m sorry, but, you know, we’re out of luck. So this was in a true disaster scenario then. It’s not, yeah, not a testing of the system. This was a, oh, things went bad, we need, we need... and, oh man. Well, that’s one way to learn the lesson. There are

Speaker 1 | 26:04.370

At the law firm that I was at in the early 2000s, we lost two drives in a RAID array more or less at the same time because the first drive failed. The guy, I was off that day. The guy working for me turned off the machine, put in a spare drive, turned on the machine. The RAID array is supposed to rebuild itself. But the amount of reads and writes that…

Speaker 0 | 26:32.630

Killed the next drive.

Speaker 1 | 26:33.550

Processing on the drives clobbered another drive. It’s like driving a car with four bald tires on a bumpy road full of potholes. You get one flat and you’re driving 50 miles an hour and it’s a 35-mile zone and it’s a bad road. You get one flat, you put on the spare, and you keep going 50 or 60, you might very well get another flat.

Speaker 0 | 27:01.318

I was going to ask you, with your history in disaster recovery, if you had ever found a solution to one of the problems I could never figure out, which was besides being able to take one of the disaster recovery systems and put it into full production so that you have it under full load, how could you test? Did you ever find a way of testing the throughput and the… throughput is the best way I can put it, of a system. So like one of the systems that always had a lot of chatter for us was EDI, so electronic data interchange. You know, we’re passing files back and forth. But until you’re in that production environment and you’re actually passing those files back and forth, I couldn’t figure out a way to play that throughput of data and the interaction with the primary system, the ERP, um, and be able to test a system under load when trying to test that disaster recovery and that business continuity plan. Um, cause you know, if you set it up and you throw a single transaction at the system, the system handles it great. Kind of like what you’re talking about with those drives, how, you know, one drive fails, you pull it out, you throw in the replacement drive and now everything’s trying to balance. But here was another drive that was shaky, like you’re talking about. And right. You just pushed it over the edge so it drops, and now you can’t rebuild the array because you had to finish to get everything balanced so you can lose one drive.

Speaker 1 | 28:39.996

Right. I don’t know. With virtualization and the cloud, or virtualization on-prem, it’s resource-intensive, but you can… implement a disaster recovery exercise or a business continuity exercise, but you have to stand up those virtual machines and run them. You may not have to stand up everything simultaneously, but you can do them one at a time, so that way you can do this with fewer resources. But- Yeah,

Speaker 0 | 29:23.242

the only way that I’ve found, like with clusters, the only way to make sure that that cluster for sure works is to take one side of the cluster down and then bring it back up, get it balanced, and then take the other side down.

Speaker 1 | 29:35.667

But you can’t do that.

Speaker 0 | 29:36.508

And put everything under load.

Speaker 1 | 29:38.848

Yeah, and you can only do that at night or on weekends. Yeah. You can’t really do that on Monday morning.

Speaker 0 | 29:47.791

Yeah, you take down your whole disaster recovery system. So in case something actually goes bad while you’re testing things, now what? Kind of like lowercase a versus uppercase a. That’s all it takes to destroy backups. Man. No, not destroy. To subvert.

Speaker 1 | 30:08.154

Yeah. You need redundancy. So, there’s a book called Alpha Project Management, or Alpha Project Managers, What the Top 2% Know That Everybody Else Does Not, by a guy named Andy Crowe. He also wrote the PMP answer book.

Speaker 0 | 30:30.272

Okay.

Speaker 1 | 30:30.692

No, I’m sorry. He wrote the PMP exam, how to

Speaker 0 | 30:35.016

pass on your first try. And, um, the key is planning and, uh, and communication. Developers tell me, all my developers say the exact same thing: the key is planning. We have to plan it out first. Good.

Speaker 1 | 30:54.643

Well, we do, but you also have to be flexible enough to know when you have to change the plan. That’s the difference between agile and, uh, waterfall. With waterfall, you have a cast iron plan or a cast in stone plan. And with agile, you have scrums. And you say, okay, what’s going, what do we need to do? What did we not foresee?

Speaker 0 | 31:19.067

Right. Of course, it’s a little more complex than that. But those are primary or fundamental differences between the two.

Speaker 1 | 31:27.352

Yeah,

Speaker 0 | 31:28.152

because with the waterfall, you don’t take that time to go, okay, what did we not foresee, until you’ve completed the plan.

Speaker 1 | 31:36.796

Yeah. Which is not the pace in which we do business today.

Speaker 0 | 31:41.858

Not anymore. Not anymore. We got to, yeah, many iterations, fail fast. So, what are some of the barriers that you’ve run into along the way? So, what are some of the things that have challenged you in your career? And, you know, what’s the dark side? What did you not like around, in your career, that you’ve run into?

Speaker 1 | 32:06.827

Working as a DBA or as a developer on technical teams, it’s okay to use jargon. It’s the shortcut. It’s effective to use jargon. Right. But moving into management or even, or going down to, well, I shouldn’t say down, or moving into customer support, you have to speak the language that your customer or your sponsor or your stakeholder understands. So if you’re talking to a lawyer or you don’t want to talk to them about MIPS, you know, what’s the difference between a central processor and a graphics processor? He or she isn’t going to care. A tool for AI processing is going to use more graphical GPUs than CPUs because GPUs are designed for rapid processing of small algorithms, whereas CPUs are for rapid processing of much more complex algorithms. So you can have 500 GPUs running in parallel or 1,000 or 5,000 or more, whereas you only have… what, two CPUs, eight, 10, 20 cores next to your GPUs with hundreds or thousands of cores. But non-technical people don’t care. Right. They want it to work.

Speaker 0 | 33:53.904

It’s the brain. It thinks.

Speaker 1 | 33:55.966

Right. Then some managers would want to sit down and have a face-to-face conversation. Others want an email or an email to their secretary. This was especially true. Well, this was obviously true in the law firm. One of the guys, founder of the company, stopped practicing law when his company got to a sufficient size that all he needed to do was focus on making sure the company ran well. So he would call me up and say, come into my office, talk to me. The other guy at the next law firm, and this really got me in trouble, didn’t want me to walk into his office. He wanted me to talk to his secretary or talk to his other lieutenants. He was busy billing and interrupting his billing cost him money. It took me a while to figure that out because… they didn’t realize, I didn’t know this. There’s no crystal ball. How do you know what the rules of the game are if nobody tells you?

Speaker 0 | 35:09.300

Right. Yeah. So you’ve got to observe it, you’ve got to watch it, but, and you, but you still have to be cognizant enough to catch the nuances, because, you know, all you’re trying to do is communicate. So you’re still just trying to communicate, do your best to communicate, and you think that it’s important for the highest levels to know, and they’re shunting you to the, uh, the receptionist. Wait, what? Well, they had an executive director who was not a lawyer.

Speaker 1 | 35:40.077

They did not tell me that he was my boss. I was supposed to guess, I suppose. So I went from one law firm where the hierarchy was executive managing partner, me, to another one where it was managing partner, executive director, me. But you can’t intuit that, you know? How do you know?

Speaker 0 | 36:08.641

And if they didn’t tell you, yeah, how do you know?

Speaker 1 | 36:12.504

That’s water under the bridge. Right. And, you know, like a lot of people in IT, my social skills were not as developed as my technical skills.

Speaker 0 | 36:28.097

Yeah, and hopefully we’ve gotten rid of that stigma. You know,

Speaker 1 | 36:33.581

when I was talking to Nick Hall,

Speaker 0 | 36:35.143

the pocket connector.

Speaker 1 | 36:36.972

There are no pocket protectors because people don’t wear button-down shirts with pockets.

Speaker 0 | 36:43.536

Amen. But nor do they use pens that much anymore.

Speaker 1 | 36:49.260

Yeah. Or neckties.

Speaker 0 | 36:51.782

Yeah. Yeah. Yeah, definitely not that. So talk to me about a success from failure. What’s something that at the time seemed like it was a failure that ultimately, as you’re able to turn around and look at it with that 20/20 vision, that actually turned out to be a success?

Speaker 1 | 37:16.410

So as a grad student in biology, I had to learn to read French, German, or Russian, or program computers. I chose to program computers. Assembler was really hard. PL1 was easy. COBOL was

Speaker 0 | 37:33.369

Yeah, I was. I had the programming. Go ahead.

Speaker 1 | 37:37.873

Then I got a job selling computers and then doing computer tech support for this insurance company. And went back to school to study computer science. Wound up with the equivalent of another bachelor’s. And, you know, that’s where my career was. And the science background, too, is very useful in understanding and troubleshooting and getting to root causes of problems.

Speaker 0 | 38:16.345

Tell me a little more about that. How do you mean? I mean, I can correlate a couple of pieces of it, but I want to hear your thoughts on that, on how scientific backgrounds correlate into troubleshooting.

Speaker 1 | 38:29.088

Well, you need to establish a hypothesis. Then you need to establish a test pattern or a set of tests to test that hypothesis. This is actually A-plus certification troubleshooting. Develop a theory of what the problem is, test the theory, test the solution based on the theory. If that fixes the problem, then you want to write it up so that what you have… Actually, what PMI, the Project Management Institute, calls an organizational process asset. New knowledge based on understanding of problems. Last year, we had another situation where we had problems with one of the VMware machines, one of the VMware hosts. And in restoring… After restoring the host, we had to rebuild the VMs that were on the host. Unfortunately, that was made a little bit more challenging because vCenter and Veeam, the backup solution, and the production VMs were all originally on the same host. This was with VMware 7 Essentials. So you… We had vCenter, but again, that had to be reinstalled. And after looking at this, I said, okay. We have two hosts. We have a production host and a backup host. Instead of allocating them that way, maybe we should say consider both hosts production and both hosts backup and put the production VMs on one machine, vCenter and Veeam on the other machine. So if we lose the production machine, we have the replicas on the backup machine. If we lose… what we used to call the backup machine, we still have vCenter, we still have the production machine, obviously, and we have backups or replicas of Veeam and vCenter on the other machine. Not really a stroke of genius or a lightning bolt from on high, it’s just applying an inquisitive mindset or an engineering mindset to solve problems.

Speaker 0 | 41:05.272

Right. It’s experiencing the problem. And then recognizing a new solution, utilizing available resources.

Speaker 1 | 41:13.657

Yeah, yeah. Another time, one of the engineers I used to work with, a guy who’s retired now, he was a director of R&D for a company that evolved out of Bell Labs. Spent 40 years doing network design. And he said to another person, he said, look, you should… talk to Larry, he’d be good for this job. And he said, Larry has an engineering mindset. He’ll look under the surface of the problem to find the root cause of the problem, rather than just treat the symptom. And it works. And with Google, and now with AI, with Bard, you know, and ChatGPT in… in Bing, there’s a whole lot more. It should make troubleshooting and finding information easier, although you have to verify the information that you find.

Speaker 0 | 42:19.012

Yeah. Yeah, and now we’ve got to watch out for what I’m starting to hear this term more and more often, hallucinations.

Speaker 1 | 42:27.417

Right, right.

Speaker 0 | 42:28.938

You know, the AI coming up with a hallucination, creating the hallucination, not just suffering from it.

Speaker 1 | 42:36.622

I asked, we were having a conversation about classic rock. And for one reason or another, we wound up going to ChatGPT and asking it, but it apologized and said, I’m still learning.

Speaker 0 | 42:59.091

No, it’s not. It stopped learning in 2001, or at least 3.5 did.

Speaker 1 | 43:06.026

Uh, now four, and I’m hearing word about GPT-5 now coming out too. So yeah, I don’t know. I think a lot of the concerns are real. I don’t know about the concerns, though, about AI writing music or novels. I don’t think it could write anything remotely as complex as a Dylan song or

Speaker 0 | 43:35.082

Empathy for the devil, yeah. And actually, I wonder how well it would handle the… where you started all of this with, um, Asimov and Heinlein. Man, you… I meant to get back to that much earlier in the conversation, because you mentioned two of my favorite authors. Those guys have written some great things. Sure. The Moon Is a Harsh Mistress. Yeah. Foundation. Um, I, Robot. Yeah, yeah. You… Talking about AI, you know, and where he took it to. And he hadn’t even seen what we’re starting to do today.

Speaker 1 | 44:12.720

No, he wrote those books in the 1950s. Yeah.

Speaker 0 | 44:17.805

So as we come closer to the end of the podcast, is there anything you want to leave our listeners with? Are there any takeaways from your career and all of the experience that you’ve had within IT, the different organizations you’ve been to, the travels, starting off as a biology major and then going into IT? Anything you want to leave the young’uns with? Anything you want to impart to them that you wish somebody had told you that’s still relevant?

Speaker 1 | 44:51.263

Yeah. Understand your stakeholders. If someone wants a text message, don’t send them an email unless… If someone wants a text message, don’t send them an email. If someone wants an email, send them an email. You might want to send them a text message if it’s urgent. Although if it’s urgent, you might want to make a phone call. Yeah.

Speaker 0 | 45:15.749

It is called a phone for a reason.

Speaker 1 | 45:18.911

Office politics has bitten me over and over throughout my career. I never understood it. I probably never will.

Speaker 0 | 45:29.515

Yeah, I understood it. I just didn’t want to play. And I found that to be a detriment too.

Speaker 1 | 45:36.418

Yeah, yeah. That’s why God invented lawyers.

Speaker 0 | 45:43.405

And you’ve worked for enough of them.

Speaker 1 | 45:47.327

Also, you’ve got to listen. And just as they need to see the stakeholders that are not in IT need to look at IT as people, we in IT need to look at stakeholders as people. So it’s not… fat fingering, it’s not a liveware error, it’s not a grayware error, it’s a human being who doesn’t know how to do a particular thing on a computer. PEBKAC, ID10T, you

Speaker 0 | 46:22.121

know, all of those things where we just… move, just let me sit down. You know, all those things. Yeah, you gotta… we gotta watch out for those. And you’re right. And we just need to do that in general. It’s not just an IT thing. We just need to treat each other as people. You know, I continue to talk about my coworkers, not my employees. And, you know, back to what you were saying about, you know, know your audience or know your stakeholders. The CFO, CFO doesn’t want to know about the flops. He doesn’t want to know GPUs, CPUs. He wants to know the bottom line and what the… how much it’s going to… what he’s going to get out of that. He wants to know what the investment is. Yeah, yeah. Dollarizing. Wants to know what the return is. Yeah, yeah. His… the

Speaker 1 | 47:19.342

accounting system needs to be correct. The backups need to be available. Right. Whatever, however you want to call them, it all needs to work. All right, well, thank you very much

Speaker 0 | 47:33.316

for your time today, Larry. It’s been a very interesting conversation and it’s been great to talk to you. So as we come to another close on another Dissecting Popular IT Nerds, I’d like to invite all of our listeners to comment and rate the podcast on the iTunes store or wherever you’re grabbing your copy of the podcast from. We really appreciate the support of the program and the time you’ve invested into listening to Dissecting Popular IT Nerds.

245- Demystifying DoD Cybersecurity: Larry Furman on Achieving CMMC Certification

Speaker 0 | 00:08.302

Welcome to another Dissecting Popular IT Nerds, where we’re allowed to geek out with our fellow nerds. Today, I’m proud to introduce Larry Furman, who has the rare PMP certification and has recently achieved CMMC V2 L2 certification at his organization. Larry, please introduce yourself, tell us a little about yourself, and then talk to us about the fun of the CMMC V2L2. Sure.

Speaker 1 | 00:39.099

Hi, Mike and everyone. I got into computers. I majored in biology, got a bachelor’s, went on to grad school, and in grad school, I had to choose between learning to read Russian, German. or French to read research papers or program computers. And growing up on science fiction with intelligent machines, you know, Asimov and Heinlein and everybody, programming computers seemed like a no-brainer. And it was. I got my first job in computers doing tech support at an insurance company. And one of the things, and my recent job at Linearizer, a big part of it was running the tech support team and building a white glove support organization. As well as what you mentioned, CMMC version 2 level 2.

Speaker 0 | 01:52.232

Yeah, that CMMC, man, I keep stumbling on that. I was able to do it during the intro, but…

Speaker 1 | 01:59.797

So does everybody.

Speaker 0 | 02:01.178

Yeah.

Speaker 1 | 02:02.859

It stands for Cybersecurity Maturity Model Certification, and the Department of Defense requires contractors and subcontractors to be compliant with one of the three levels. Contractors need to be compliant with level three, subcontractors with level two, and even the plumbers and HVAC contractors and electricians and the people who mow the lawns and shovel the snow in the winter need to be compliant with aspects of level one. And we do that.

Speaker 0 | 02:48.718

Go ahead.

Speaker 1 | 02:50.019

The DOD does that because.

Speaker 0 | 02:51.520

you know we kind of live in a dangerous world and there are threats um cyber threats coming in all day yeah so um quick question the uh organization that you helped achieve this for um were they already of that security mindset or did this compliance driven by business i assume um because they’re a contractor or a subcontractor um was Did the security come because of the business or did the security come because they wanted to make sure to protect their assets?

Speaker 1 | 03:29.573

The security came because of the business. They wanted to protect their contracts, their assets. But they were of a security mindset. They understand the threat landscape. I was in… in instrumental in bringing them to this compliance but they were you know ready to go so it was like oh like an you get in an uber and you say okay take me to the airport they know they want you the passenger wants to go to the airport the driver it’s the driver’s job to get them there yeah

Speaker 0 | 04:06.545

because it’s really an organizational thing it’s not just an it thing correct it you know you have to have

Speaker 1 | 04:15.272

You have to log people who come into the facility. We used both a paper log and an electronic cloud-based log. You have to print badges. You have to designate people who are U.S. persons, i.e. citizens or with a green card, and foreign nationals, whether they’re from Europe or Canada, an ally or a non-ally. And physical security is part of it. Clean desk policies are part of it, which are not IT. A clean desk is not what you’d see if you come into my house. But it is what you see when you come into my office.

Speaker 0 | 05:03.216

Yeah, well, and it doesn’t necessarily, it just means none of the protected materials out in the correct. You know, I can still have a stack of material just as long as it’s not anything that’s protected or critical. Correct.

Speaker 1 | 05:19.762

Confidential, yes.

Speaker 0 | 05:22.383

But, you know, there’s so many aspects of CMC, especially level two and the NIST 800-171. are um so it focused you know the mfa um encryption the uh encryption for pro or for communication protocols all of that there’s yeah it’s a lot so typically we as it leaders end

Speaker 1 | 05:50.077

up being the head or the lead on those projects yes yes absolutely um and some of this you can achieve with outsourcing or with certain cloud services. We used a tool called Prevail, which is built in the Amazon Web Services GovCloud for encrypted email and encrypted file sharing. The alternative to that would have been… an Amazon Web Services GovCloud email address for everybody, or a Microsoft Azure GovCloud email address for everybody in the entire organization, which would have been significantly more expensive. I don’t know if you want me to name companies and vendors that we used.

Speaker 0 | 06:57.848

Oh, that’s fine. I just want you to be careful of anything that would step on any toes involved in your career. We’re allowed to talk about any vendors that we want to and in whatever method that we want to, but I tend to try not to step on people along the way.

Speaker 1 | 07:16.744

So let’s rephrase that and say we used some tools that enabled us to have encrypted. end-to-end encrypted email and end-to-end encrypted file transfer with our our clients and our supplier yeah those are for itar compliance uh purposes itar is the international traffic and arms regulation okay

Speaker 0 | 07:43.146

but this also made it where you didn’t have to pay for those types of accounts for everyone you could do it for just specified individuals or yes about 35 out of the uh

Speaker 1 | 07:55.004

out of 100 so 35 okay yeah which 65 savings then yeah um cmmc has 11 basic control families from access control which is physical access as well as logical access um and and awareness and training because the individual is is you know the weakest link

Speaker 0 | 08:24.448

So, you know what, let me take a different tack on you real quick and talk about what it was like doing tech support in the 80s. You know, you’re talking about working at an insurance company in New York City. So, what, I can’t,

Speaker 1 | 08:40.192

you know,

Speaker 0 | 08:40.472

I look at how tech supports changed in the 20 years that I was involved, and that was 20 years after you were doing it. So,

Speaker 1 | 08:49.794

what was it like? It was all on site.

Speaker 0 | 08:51.635

All on site.

Speaker 1 | 08:51.955

It was often face-to-face. or occasionally over the phone. I was helping secretaries using WordStar and accountants using Lotus 1-2-3.

Speaker 0 | 09:05.065

Oh, man. Those are, yeah. It’s been a while since I’ve heard those names.

Speaker 1 | 09:13.172

A blast from the past, right?

Speaker 0 | 09:15.234

Right.

Speaker 1 | 09:15.734

But in that role, too, I learned that you can’t really… communicate effectively with a non-computer person using technical jargon you you can say like with lotus if you want to print something you go to file print i think right um and you can explain okay this is what they call a range it’s a group of cells it’s either one column wide or And, you know, a couple of columns deep or several columns wide or several columns deep, which is the same as in Excel. Right. And again, with WordStar. And today with Word, a typical problem is how do you do a table of contents? If you do it the brute force method, which is, you know, you go to your document and you say, okay, this is page five. I’m going to start a new chapter on page five. And you open up a new page and you say, chapter two, page five. Well, what happens when you add a couple of, you know, paragraphs to chapter one? Chapter two then starts on page six. and chapter three then starts on page nine are you gonna manually edit every line no you’re gonna use um microsoft’s built-in table of contents or libra office if you’re not using microsoft yeah

Speaker 0 | 10:48.665

well hopefully you know there’s so many people who still today just brute force all of this stuff yeah yeah

Speaker 1 | 10:57.948

and get all the content and then then create the table of contents afterwards once once they finalize things and hopefully they get everything right or the editor catches it i i worked for a law firm in new york for nine years from the 2005 to 2014 and one of the founders is a writer He’s retired. He’s 83 years old. He still writes. He’s got a Mac. And he’s writing a couple of books. He does a chapter at a time. And each chapter is a different file. So he has to kind of manually, well, he doesn’t generate the table of contents. He sends the entire chapter, the entire book as a zip file to his publisher who assembles it. and does all of that for contents and stuff it’s uh he it’s a it’s it’s a i like it’s a challenge working with him you know it’s a lot of fun actually in the up until covid when i was in this in new york i would stop by his office his house after work and i’d fix his problem whether it’s a new printer or some funky thing going on in the in the computer and then we would sit and talk about a politics so what you can’t beat that yeah yeah that’s that’s it’s always a nice way to finish and interaction is to sit

Speaker 0 | 12:38.210

back and relax and have a drink and just talk with them and yeah on a personal level instead of just the uh well help me do this okay now leave yeah yeah yeah absolutely

Speaker 1 | 12:50.792

There are people in every company, in every nation that look at IT as a service and don’t want to look at an IT person as a person. They’re just a techie. But then there are people everywhere, whether it’s a law firm or an engineering company or accountants. That will look at IT people as people.

Speaker 0 | 13:25.050

Yeah. Well, and I think some of that’s changed over the years. Because I think back to when I was a kid and like the Revenge of the Nerd, that movie. And how they looked at IT people within that movie. And what I look at and what I see as mainstream IT people today. And… they’re no longer classified into that non-physical non um you know the nerds wearing the glasses with the tape in the middle of it um you know with the the pocket protector and they’re no longer that yeah there’s a lot of guys that are out that out there that are in i.t that are extremely um health conscious and and spending lots of time in the gym and and doing those kinds of things and and it’s It’s now so pervasive in everything we do, technology that is, that almost everybody has to have some degree of understanding of technology anymore. You know, my kids have no clue when it comes to networking, but they live and breathe because of that networking. You know, they’re connected everywhere they go, and they don’t even think about the complexities behind it. It’s just taken forward.

Speaker 1 | 14:47.462

They also may not think. about the cybersecurity ramifications of the networks they’re connecting to.

Speaker 0 | 14:54.490

Oh, yeah. Oh, yeah. And or what they’re doing in social media and things like that. You know, I’ve been watching some stuff about… Like there was a financial group, and I want to say it was in Germany, that took a picture of a child, someone that was like five years old, advanced her in age, and then did an advertisement in a movie theater to her parents who were in the movie theater about the digital footprint that they were leaving of their child today and how it could affect her in 10 years.

Speaker 1 | 15:31.388

Holy cow.

Speaker 0 | 15:32.449

Yeah, I’ll have to send you the link for that afterwards, and I’ll probably drop it as a comment on the podcast when we go because it’s a really interesting video. It’s something that I got from an FBI interaction that they were talking about our digital footprints and what we’re leaving behind.

Speaker 1 | 15:54.263

AI.

Speaker 0 | 15:56.245

Yeah, the AI stuff because they used AI to advance their age and then use… to change her voice. And because they had a recording of, they had this recording of like a five-year-old made her 20 years old and said, mom and dad, look at what you’re potentially doing to me.

Speaker 1 | 16:14.954

The, some of the, well, American Express has it, its fraud detection system is built on an AI model that they started working on in about 2010. It’s very effective. It’s built in part on our digital signatures or for American Express, our commercial signatures. When you buy something at a local restaurant or a chain restaurant, whether you’re shopping at Hall Foods or Trader Joe’s or a local. regional grocery, they know. And so if something steps out of the ordinary, they’ll either reject it or they’ll call you up. So if you get on a plane in Newark, New Jersey, and you fly to California, and you drive to the airport, and you park your car, or you take an Uber to the airport or another taxi to the airport, they know that transaction. You buy a cup of coffee or a sandwich in the airport, they know that transaction. You bought the airplane ticket, they know that transaction. When you land in California, they know they’re expecting you in California, and you buy something in California, and they’re like, okay, Mike’s in California now. But if your credit card shows up in Vegas. or in Albuquerque or San Francisco rather than Los Angeles, they know something fishy is going on.

Speaker 0 | 18:06.915

Well, and it depends on the type of product too, because there’s lots of times now with our purchases, those purchases are being registered all over the country or the world. Yeah. And just depending on what you’re purchasing. But like one of the triggers that I’ve heard of is purchasing gas and buying tennis shoes right afterwards. Doing those two things are like a red flag to most of the credit card companies of somebody getting a hold of your credit card because they go fill up their tank and then they go get those high dollar Nikes that they could never afford themselves. And that seems that it was an anecdote that I’d heard. I can’t remember exactly who it who I heard it from, but it’s something that it’s almost guaranteed. American Express, Visa, MasterCard, they’re all watching for for that. kind of set of transactions pattern yeah they’ve already identified the patterns of people who when they steal the your credit information and they start getting into it that they they recognize patterns of behavior testing the card to see how much whether

Speaker 1 | 19:15.257

a transaction goes through and then making a large purchase almost immediately right right right all the credit card companies are doing this yeah and they can also a way to detect fraud is If there’s a user with no credit history, someone makes up a social security number and then goes and gets a credit card and they don’t have a credit history.

Speaker 0 | 19:44.024

Yeah, they’re pretty low. Usually.

Speaker 1 | 19:49.229

Well, you would see that, I suppose, from. An immigrant from a third world country, a very poor country. Right. No bank account, no credit.

Speaker 0 | 20:04.402

Yeah, somebody comes into the country and then they start making their credit history at that point. But they’re not going to give them a $20,000 or $30,000 credit limit right off.

Speaker 1 | 20:16.052

You would presume they wouldn’t.

Speaker 0 | 20:17.633

Yeah, exactly. I would presume.

Speaker 1 | 20:20.536

You would hope not.

Speaker 0 | 20:21.657

Yeah. Well, considering the fact that we all get to pay for it and the prices of all of our goods to help cover that. So I noticed in your history a little bit of. of chances to go into different places across the world. Talk to me a little about that. How did IT help you get to all of the different places that you’ve been? And tell us about a little of that experience.

Speaker 1 | 20:48.124

So I was working in New York at a financial house that was owned by a Japanese bank, a derivative shop owned by a Japanese bank. And they wanted us, the bank back in Tokyo, wanted to see what we were doing. So I got to go to Tokyo for two weeks, set up this, and set up a simple five or six or seven workstation network built on SunSpark 20s or Spark 5s, Sun, you know, architecture. This was back in the 90s. Got to Tokyo for two weeks, took the bullet train to Kyoto over the weekend, had a lot of sushi. It was interesting.

Speaker 0 | 21:41.846

Hopefully you liked sushi at that point.

Speaker 1 | 21:44.068

I liked sushi at that point.

Speaker 0 | 21:45.769

Okay, good.

Speaker 1 | 21:46.669

Although after the trip, I’d had a little bit more sushi in too short a time span. So it was a while before I had sushi again.

Speaker 0 | 21:56.756

Understandable.

Speaker 1 | 21:58.237

Yeah. Then a year or so later, I started a job for a company that made backup software, which is where I started getting interested in disaster recovery. And my role in their professional services organization was to travel mostly across the United States. mostly to military bases, the Navy, the Marines, primarily, installing their software and training the users and the administrators in it. Well, I got to go to Cherry Point, North Carolina, and I also got to go to San Diego, California. And I embarrassed one of my colleagues in San Diego by asking the… the wait staff what this thing was. It was about the size of a small bagel. It looked like a bagel, but it didn’t have the right texture. So I said, what do you call this thing? And she said, well, that’s a bagel. And I said, no, it looks like a bagel, but it is not a bagel. And the guy who I was with, Texas, from Texas, he was like, You got to forgive him. He’s from New York.

Speaker 0 | 23:29.848

Yeah, he knows what a real bagel is.

Speaker 1 | 23:32.630

And pizza.

Speaker 0 | 23:33.731

Yeah.

Speaker 1 | 23:36.433

They also sent me to South Korea, to Seoul, South Korea, for a week to train their affiliate there. And I spent a lot of time in Canada, a lot of time in Mexico.

Speaker 0 | 23:49.402

And was all of this around that disaster recovery piece? And…

Speaker 1 | 23:53.942

helping implement that or was it yes yeah my role was once the hardware was set up to train the administrators in how to ex how to do a backup how to test that backups were actually working and how to do a restore we we were a unix based it was a unix based system Unix, you know, is case sensitive. Microsoft Windows is case preserving. So if you have a tool called Alpha, which is spelled capital A-L-P-H-A in the Unix environment, well, we had to back it. We had to define that in Microsoft Windows as capital A-L-P-H-A. One of our… One of the administrators actually at a Navy base in D.C. made the mistake of using all lowercase. And so the backups appeared to work. because there were no error messages. But it didn’t back up any data, because it was looking for a directory for a folder called alpha, uppercase A. And there was no alpha, uppercase A. It was alpha, lowercase A. So there was nothing there to back up. And the software was like, okay, no data to back up. I’m good.

Speaker 0 | 25:29.713

Yeah, I ran my process. All’s well.

Speaker 1 | 25:32.416

Right. Then they went to restore.

Speaker 0 | 25:35.390

oh it wasn’t so good and they called me to troubleshoot and i was like well i’m sorry but you know we’re out of luck so this was in a true disaster scenario then it’s not yeah not a testing of the system this was a oh things went bad we need we need and oh man well that’s one way to learn the lesson there are

Speaker 1 | 26:04.370

At the law firm that I was at in the early 2000s, we lost two drives in a rate array more or less at the same time because the first drive failed. The guy, I was off that day. The guy working for me turned off the machine, put in a spare drive, turned on the machine. The rate array is supposed to rebuild itself. But the amount of reads and writes that…

Speaker 0 | 26:32.630

Killed the next drive.

Speaker 1 | 26:33.550

Processing on the drives clobbered another drive. It’s like driving a car with four bald tires on a bumpy road full of potholes. You get one flat and you’re driving 50 miles an hour and it’s a 35-mile zone and it’s a bad road. You get one flat, you put on the spare, and you keep going 50 or 60, you might very well get another flat.

Speaker 0 | 27:01.318

I was going to ask you, with your history in disaster recovery, if you had ever found a solution to one of the problems I could never figure out, which was besides being able to take one of the disaster recovery systems and put it into full production so that you have it under full load, how could you test? Did you ever find a way of testing the throughput and the… throughput is the best way I can put it, of a system. So like one of the systems that always had a lot of chatter for us was EDI, so electronic data interchange. You know, we’re passing files back and forth. But until you’re in that production environment and you’re actually passing those files back and forth, I couldn’t figure out a way to play that throughput of data and the interaction with the primary system, the ERP, Um, and, and be able to test a system under load when trying to test that, that disaster recovery and that business continuity plan. Um, cause you know, if you set it up and you throw a single transaction at the system, the system handles it great. Kind of like what you’re talking about with those drives, how, you know, one drive fails, you pull it out, you throw in the replacement drive and now everything’s trying to balance. But here was another drive that was shaky, like you’re talking about. And right. You just pushed it over the edge so it drops, and now you can’t rebuild the array because you had to finish to get everything balanced so you can lose one drive.

Speaker 1 | 28:39.996

Right. I don’t know. With virtualization and the cloud, or virtualization on-prem, it’s resource-intensive, but you can… implement a disaster recovery exercise or a business continuity exercise, but you have to stand up those virtual machines and run them. You may not have to stand up everything simultaneously, but you can do them one at a time, so that way you can do this with fewer resources. But- Yeah,

Speaker 0 | 29:23.242

the only way that I’ve found, like with clusters, the only way to make sure that that cluster for sure works- is to take one side of the cluster down and then bring it back up, get it balanced, and then take the other side down.

Speaker 1 | 29:35.667

But you can’t do that.

Speaker 0 | 29:36.508

And put everything under load.

Speaker 1 | 29:38.848

Yeah, and you can only do that at night or on weekends. Yeah. You can’t really do that on Monday morning.

Speaker 0 | 29:47.791

Yeah, you take down your whole disaster recovery system. So in case something actually goes bad while you’re testing things, now what? Kind of like lowercase a versus uppercase a. That’s all it takes to destroy backups. Man. No, not destroy. to subvert.

Speaker 1 | 30:08.154

Yeah. You need redundancy. So, there’s a book called Alpha Project Management, or Alpha Project Managers, What the Top 2% Know That Everybody Else Does Not, by a guy named Andy Crow. He also wrote the PMP answer book.

Speaker 0 | 30:30.272

Okay.

Speaker 1 | 30:30.692

No, I’m sorry. He wrote the PMP exam, how to

Speaker 0 | 30:35.016

pass on your first try and um the key is planning and uh and communication developers tell me all my developers say the exact same thing the key is planning we have to plan it out first good

Speaker 1 | 30:54.643

well we do but you also have to be flexible enough to know when you have to change the plan that’s that’s the difference between agile and uh waterfall With waterfall, you have a cast iron plan or a cast in stone plan. And with agile, you have scrums. And you say, okay, what’s going, what do we need to do? What did we not foresee?

Speaker 0 | 31:19.067

Right. Of course, it’s a little more complex than that. But those are primary or fundamental differences between the two.

Speaker 1 | 31:27.352

Yeah,

Speaker 0 | 31:28.152

because with the waterfall, you don’t take that time to go, okay, what did we not foresee? until you’ve completed the plan.

Speaker 1 | 31:36.796

Yeah. Which is not the pace in which we do business today.

Speaker 0 | 31:41.858

Not anymore. Not anymore. We got to, yeah, many iterations fail fast. So, what are some of the barriers that you’ve run into along the way? So, what are some of the things that have challenged you in your career? And, you know, what’s the dark side? What did you not like around? in your career that you’ve run into?

Speaker 1 | 32:06.827

Working as a DBA or as a developer on technical teams, it’s okay to use jargon. It’s the shortcut. It’s effective to use jargon. Right. But moving into management or even, or going down to, well, I shouldn’t say down or moving into customer support. You have to speak the language that your customer or your sponsor or your stakeholder understands. So if you’re talking to a lawyer or you don’t want to talk to them about MIPS, you know, what’s the difference between a central processor and a graphics processor? He or she isn’t going to care. A tool for AI. processing is going to use more graphical GPUs than CPUs because GPUs are designed for rapid processing of small algorithms, whereas CPUs are for rapid processing of much more complex algorithms. So you can have 500 GPUs running in parallel or 1,000 or 5,000 or more, whereas you only have… what, two CPUs, eight, 10, 20 cores next to your GPUs with hundreds or thousands of cores. But non-technical people don’t care. Right. They want it to work.

Speaker 0 | 33:53.904

It’s the brain. It thinks.

Speaker 1 | 33:55.966

Right. Then some managers would want to sit down and have a face-to-face conversation. Others want an email or an email to their secretary. This was especially true. Well, this was obviously true in the law firm. One of the guys, founder of the company, stopped practicing law when his company got to a sufficient size that all he needed to do was focus on making sure the company ran well. So he would call me up and say, come into my office, talk to me. The other guy at the next law firm, and this really got me in trouble, didn’t want me to walk into his office. He wanted me to talk to his secretary or talk to his other lieutenants. He was busy billing and interrupting his billing cost him money. It took me a while to figure that out because… They didn’t realize, I didn’t know this. There’s no crystal ball. How do you know what the rules of the game are if nobody tells you?

Speaker 0 | 35:09.300

Right, yeah. So you’ve got to observe it, you’ve got to watch it, but, and you, but you still have to be cognizant enough to catch the nuances, because, you know, all you’re trying to do is communicate. So you’re still just trying to communicate, do your best to communicate, and you think that it’s important for the highest levels to know, and they’re shunting you to the, uh, the receptionist. Wait, what? Well, they had an executive director who was not a lawyer

Speaker 1 | 35:40.077

They did not tell me that he was my boss. I was supposed to guess, I suppose. So I went from one law firm where the hierarchy was executive managing partner, me, to another one where it was managing partner, executive director, me. But you can’t intuit that, you know? How do you know?

Speaker 0 | 36:08.641

And if they didn’t tell you, yeah, how do you know?

Speaker 1 | 36:12.504

That’s water under the bridge. Right. And, you know, like a lot of people in IT, my social skills were not as developed as my technical skills.

Speaker 0 | 36:28.097

Yeah, and hopefully we’ve gotten rid of that stigma. You know,

Speaker 1 | 36:33.581

when I was talking to Nick Hall,

Speaker 0 | 36:35.143

the pocket connector.

Speaker 1 | 36:36.972

There are no pocket protectors because people don’t wear button-down shirts with pockets.

Speaker 0 | 36:43.536

Amen. But nor do they use pens that much anymore.

Speaker 1 | 36:49.260

Yeah. Or neckties.

Speaker 0 | 36:51.782

Yeah. Yeah. Yeah, definitely not that. So talk to me about a success from failure. What’s something that at the time seemed like it was a failure, that ultimately, as you’re able to turn around and look at it with that 20/20 vision, that actually turned out to be a success?

Speaker 1 | 37:16.410

So as a grad student in biology, I had to learn to read French, German, or Russian, or program computers. I chose to program computers. Assembler was really hard. PL1 was easy. COBOL was

Speaker 0 | 37:33.369

Yeah, I was. I had the programming. Go ahead.

Speaker 1 | 37:37.873

Then I got a job selling computers and then doing computer tech support for this insurance company. And went back to school to study computer science. Wound up with the equivalent of another bachelor’s. And, you know, that’s where my career was. And the science background, too, is very useful in understanding and troubleshooting and getting to root causes of problems.

Speaker 0 | 38:16.345

Tell me a little more about that. How do you mean? I mean, I can correlate a couple of pieces of it, but I want to hear your thoughts on that, on how scientific backgrounds correlate into troubleshooting.

Speaker 1 | 38:29.088

Well, you need to establish a hypothesis. Then you need to establish a test pattern or a set of tests to test that hypothesis. This is actually A-plus certification troubleshooting. Develop a theory of what the problem is, test the theory, test the solution based on the theory. If that fixes the problem, then you want to write it up so that what you have, actually, what PMI, the Project Management Institute, calls an organizational process asset. New knowledge based on understanding of problems. Last year, we had another situation where we had problems with one of the VMware machines, one of the VMware hosts. And in restoring… After restoring the host, we had to rebuild the VMs that were on the host. Unfortunately, that was made a little bit more challenging because vCenter and Veeam, the backup solution, and the production VMs were all originally on the same host. This was with VMware 7 Essentials. So you… We had vCenter, but again, that had to be reinstalled. And after looking at this, I said, okay. We have two hosts. We have a production host and a backup host. Instead of allocating them that way, maybe we should say consider both hosts production and both hosts backup and put the production VMs on one machine, vCenter and Veeam on the other machine. So if we lose the production machine, we have the replicas on the backup machine. If we lose… what we used to call the backup machine, we still have vCenter, we still have the production machine, obviously, and we have backups or replicas of Veeam and vCenter on the other machine. Not really a stroke of genius or a lightning bolt from on high, it’s just applying an inquisitive mindset or an engineering mindset to solve problems.

Speaker 0 | 41:05.272

Right. It’s experiencing the problem and then recognizing a new solution, utilizing available resources.

Speaker 1 | 41:13.657

Yeah, yeah. Another time, one of the engineers I used to work with, a guy who’s retired now, he was a director of R&D for a company that evolved out of Bell Labs. Spent 40 years doing network design. And he said to another person, he said, look, you should talk to Larry, he’d be good for this job. And he said, Larry has an engineering mindset. He’ll look under the surface of the problem to find the root cause of the problem, rather than just treat the symptom. And it works. And with Google, and now with AI, with Bard, you know, and ChatGPT in Bing, there’s a whole lot more. It should make troubleshooting and finding information easier, although you have to verify the information that you find.

Speaker 0 | 42:19.012

Yeah. Yeah, and now we’ve got to watch out for what I’m starting to hear this term more and more often, hallucinations.

Speaker 1 | 42:27.417

Right, right.

Speaker 0 | 42:28.938

You know, the AI coming up with a hallucination, creating the hallucination, not just suffering from it.

Speaker 1 | 42:36.622

I asked, we were having a conversation about classic rock. And for one reason or another, we wound up going to ChatGPT and asking it, but it apologized and said, I’m still learning.

Speaker 0 | 42:59.091

No, it’s not. It stopped learning in 2001, or at least 3.5 did.

Speaker 1 | 43:06.026

Uh, now four, and I’m hearing word about GPT-5 now coming out too. So yeah, I don’t know. I think a lot of the concerns are real. I don’t know about the concerns, though, about AI writing music or novels. I don’t think it could write anything remotely as complex as a Dylan song or

Speaker 0 | 43:35.082

Empathy for the Devil. Yeah, and actually, I wonder how well it would handle the, where you started all of this with, um, Asimov and Heinlein. Man, you… I meant to get back to that much earlier in the conversation, because you mentioned two of my favorite authors. Those guys have written some great things. Sure, The Moon Is a Harsh Mistress. Yeah, Foundation, um, I, Robot. Yeah, yeah, you… Talking about AI, you know, and where he took it to. And he hadn’t even seen what we’re starting to do today.

Speaker 1 | 44:12.720

No, he wrote those books in the 1950s. Yeah.

Speaker 0 | 44:17.805

So as we come closer to the end of the podcast, is there anything you want to leave our listeners with? Are there any takeaways from your career and all of the experience that you’ve had within IT, the different organizations you’ve been to, the travels, starting off as a biology major and then going into IT? Anything you want to leave the young’uns with? Anything you want to impart to them that you wish somebody had told you that’s still relevant?

Speaker 1 | 44:51.263

Yeah. Understand your stakeholders. If someone wants a text message, don’t send them an email unless… If someone wants a text message, don’t send them an email. If someone wants an email, send them an email. You might want to send them a text message if it’s urgent. Although if it’s urgent, you might want to make a phone call. Yeah.

Speaker 0 | 45:15.749

It is called a phone for a reason.

Speaker 1 | 45:18.911

Office politics has bitten me over and over throughout my career. I never understood it. I probably never will.

Speaker 0 | 45:29.515

Yeah, I understood it. I just didn’t want to play. And I found that to be a detriment too.

Speaker 1 | 45:36.418

Yeah, yeah. That’s why God invented lawyers.

Speaker 0 | 45:43.405

And you’ve worked for enough of them.

Speaker 1 | 45:47.327

Also, you’ve got to listen. And just as they need to see, the stakeholders that are not in IT need to look at IT as people, we in IT need to look at stakeholders as people. So it’s not fat fingering, it’s not a liveware error, it’s not a grayware error, it’s a human being who doesn’t know how to do a particular thing on a computer. PEBCAK, ID10T, you

Speaker 0 | 46:22.121

know, all of those things where we just move, just let me sit down, you know, all those things. Yeah, you gotta, we gotta watch out for those, and you’re right. And we just need to do that in general. It’s not just an IT thing. We just need to treat each other as people. You know, I continue to talk about my coworkers, not my employees. And, you know, and back to what you were saying about, you know, know your audience or know your stakeholders. The CFO, CFO doesn’t want to know about the flops. He doesn’t want to know GPUs, CPUs. He wants to know the bottom line and what the, how much it’s going to, what he’s going to get out of that. He wants to know what the investment is. Yeah, yeah. Dollarizing. Wants to know what the return is. Yeah, yeah. His, the

Speaker 1 | 47:19.342

accounting system needs to be correct, the backups need to be available, right, whatever, however you want to call them, it all needs to work. All right, well, thank you very much

Speaker 0 | 47:33.316

for your time today, Larry. It’s been a very interesting conversation and it’s been great to talk to you. So as we come to another close on another discussing popular IT nerd, I’d like to invite all of our listeners to comment and rate the podcast on the iTunes store or wherever you’re grabbing your copy of the podcast from. We really appreciate the support of the program and the time you’ve invested into listening to Dissecting Popular IT Nerds.


HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
